diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 72018ee..6adc2cb 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -5182,7 +5182,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..6f8cc7f 100644
+index 4edc40d..17a4eab 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5384,7 +5384,7 @@ index 4edc40d..6f8cc7f 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,24 +220,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +220,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5418,8 +5418,11 @@ index 4edc40d..6f8cc7f 100644
+network_port(pki_ra, tcp,12888-12889,s0)
+network_port(pki_tps, tcp,7888-7889,s0)
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
- network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
++network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
+ network_port(postfix_policyd, tcp,10031,s0)
+ network_port(postgresql, tcp,5432,s0)
@@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
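Review bot: The new `tcp,10993,s0` entry added to the pop definition is not a standard POP/IMAP port and nothing in the hunk says which service listens there, yet every domain already granted pop_port_t (POP, IMAP and their TLS variants) silently gains it. A comment naming the consumer would let the next maintainer tell a deliberate grant from an accidental one, e.g. `# 10993: <service> listens here` on the line above. If only one daemon needs it, a dedicated `network_port()` entry keeps the grant scoped to that domain instead of to every mail client and server.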
@@ -16759,10 +16762,10 @@ index 234a940..d340f20 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..28cfc6a 100644
+index 5da7870..93ac27a 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,68 @@ policy_module(staff, 2.3.1)
+@@ -8,12 +8,70 @@ policy_module(staff, 2.3.1)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -16789,6 +16792,7 @@ index 5da7870..28cfc6a 100644
+kernel_write_numa_state(staff_t)
+
+fs_read_hugetlbfs_files(staff_t)
++files_dontaudit_read_all_symlinks(staff_t)
+
+dev_read_cpuid(staff_t)
+dev_read_kmsg(staff_t)
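Review bot: `files_dontaudit_read_all_symlinks(staff_t)` silences every symlink-read denial for the staff domain, including attempts to follow links into content staff_t is meant to be kept out of, so the audit trail loses a signal that detection tooling relies on. A dontaudit grants nothing, but this one is blanket: if the noise comes from one location (a session walking /proc or /run, say), a dontaudit on that single type keeps the rest visible. A short comment above the line stating which denials it hides would let a later reviewer decide whether it is still warranted, e.g. `# quiet symlink probes from desktop session startup; do not widen`.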
@@ -16802,6 +16806,7 @@ index 5da7870..28cfc6a 100644
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
++seutil_dbus_chat_semanage(staff_t)
+
+storage_read_scsi_generic(staff_t)
+storage_write_scsi_generic(staff_t)
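Review bot: `seutil_dbus_chat_semanage(staff_t)` lets an unprivileged staff login exchange D-Bus messages with semanage_t, so the kernel policy no longer stands between a staff user and the policy-management service; whatever per-request authorization the service performs (polkit, judging by the `policykit_dbus_chat` added elsewhere in this patch) becomes the only check. That dependency should be confirmed and recorded beside the rule, e.g. `# staff may talk to the semanage dbus service; privileged requests are gated by polkit, not by this policy`. If the service can be driven to load modules or change enforcing mode without a polkit prompt, this one line effectively hands those actions to staff_t.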
@@ -16831,7 +16836,7 @@ index 5da7870..28cfc6a 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +79,106 @@ optional_policy(`
+@@ -23,11 +81,106 @@ optional_policy(`
')
optional_policy(`
@@ -16939,7 +16944,7 @@ index 5da7870..28cfc6a 100644
')
optional_policy(`
-@@ -35,15 +186,31 @@ optional_policy(`
+@@ -35,15 +188,31 @@ optional_policy(`
')
optional_policy(`
@@ -16973,7 +16978,7 @@ index 5da7870..28cfc6a 100644
')
optional_policy(`
-@@ -52,10 +219,55 @@ optional_policy(`
+@@ -52,10 +221,55 @@ optional_policy(`
')
optional_policy(`
@@ -17029,7 +17034,7 @@ index 5da7870..28cfc6a 100644
xserver_role(staff_r, staff_t)
')
-@@ -65,10 +277,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +279,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17040,7 +17045,7 @@ index 5da7870..28cfc6a 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +288,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -17051,7 +17056,7 @@ index 5da7870..28cfc6a 100644
')
optional_policy(`
-@@ -101,10 +305,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +307,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17062,7 +17067,7 @@ index 5da7870..28cfc6a 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +325,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +327,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17073,7 +17078,7 @@ index 5da7870..28cfc6a 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +337,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +339,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17084,7 +17089,7 @@ index 5da7870..28cfc6a 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +368,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +370,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -17136,7 +17141,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..0459d20 100644
+index 88d0028..98d1e34 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -17495,7 +17500,7 @@ index 88d0028..0459d20 100644
')
optional_policy(`
-@@ -319,12 +416,18 @@ optional_policy(`
+@@ -319,12 +416,19 @@ optional_policy(`
')
optional_policy(`
@@ -17507,6 +17512,7 @@ index 88d0028..0459d20 100644
+optional_policy(`
seutil_run_setfiles(sysadm_t, sysadm_r)
seutil_run_runinit(sysadm_t, sysadm_r)
++ seutil_dbus_chat_semanage(sysadm_t)
')
optional_policy(`
@@ -17515,7 +17521,7 @@ index 88d0028..0459d20 100644
')
optional_policy(`
-@@ -349,7 +452,18 @@ optional_policy(`
+@@ -349,7 +453,18 @@ optional_policy(`
')
optional_policy(`
@@ -17535,7 +17541,7 @@ index 88d0028..0459d20 100644
')
optional_policy(`
-@@ -360,19 +474,15 @@ optional_policy(`
+@@ -360,19 +475,15 @@ optional_policy(`
')
optional_policy(`
@@ -17557,7 +17563,7 @@ index 88d0028..0459d20 100644
')
optional_policy(`
-@@ -384,10 +494,6 @@ optional_policy(`
+@@ -384,10 +495,6 @@ optional_policy(`
')
optional_policy(`
@@ -17568,7 +17574,7 @@ index 88d0028..0459d20 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +501,9 @@ optional_policy(`
+@@ -395,6 +502,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -17578,7 +17584,7 @@ index 88d0028..0459d20 100644
')
optional_policy(`
-@@ -402,31 +511,34 @@ optional_policy(`
+@@ -402,31 +512,34 @@ optional_policy(`
')
optional_policy(`
@@ -17619,7 +17625,7 @@ index 88d0028..0459d20 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +551,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +552,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17630,7 +17636,7 @@ index 88d0028..0459d20 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +571,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +572,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -20960,7 +20966,7 @@ index d1f64a0..8f50bb9 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..d740738 100644
+index 6bf0ecc..ba9536c 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@@ -21844,7 +21850,7 @@ index 6bf0ecc..d740738 100644
+ type xdm_t;
+ ')
+
-+ dontaudit $1 xdm_t:unix_stream_socket { getattr ioctl read write };
++ dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
+')
+
+########################################
@@ -22539,7 +22545,7 @@ index 6bf0ecc..d740738 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..0426df3 100644
+index 2696452..027e384 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -23005,17 +23011,19 @@ index 2696452..0426df3 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +519,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +519,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
+
manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
++manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
-logging_log_filetrans(xdm_t, xserver_log_t, file)
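Review bot: The two new `manage_lnk_files_pattern(xdm_t, …_log_t, …_log_t)` lines let the display manager create and rename symlinks inside its /var/log directories, which is the classic primitive for redirecting a log write onto an arbitrary file, and nothing in the hunk shows xdm needing more than to follow links that already exist. If the denial being fixed was a read of an existing link, `read_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t)` (and the xserver_log_t counterpart) is sufficient. Either way a comment naming the link that triggered the rule would justify the wider grant, e.g. `# gdm keeps a "current session" symlink next to its log`.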
@@ -23035,7 +23043,7 @@ index 2696452..0426df3 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +549,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +551,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -23088,7 +23096,7 @@ index 2696452..0426df3 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +601,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +603,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23117,7 +23125,7 @@ index 2696452..0426df3 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +631,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +633,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23166,7 +23174,7 @@ index 2696452..0426df3 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +678,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +680,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23317,7 +23325,7 @@ index 2696452..0426df3 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +829,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +831,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -23344,7 +23352,7 @@ index 2696452..0426df3 100644
')
optional_policy(`
-@@ -514,12 +856,56 @@ optional_policy(`
+@@ -514,12 +858,56 @@ optional_policy(`
')
optional_policy(`
@@ -23401,7 +23409,7 @@ index 2696452..0426df3 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +923,78 @@ optional_policy(`
+@@ -537,28 +925,78 @@ optional_policy(`
')
optional_policy(`
@@ -23489,7 +23497,7 @@ index 2696452..0426df3 100644
')
optional_policy(`
-@@ -570,6 +1006,14 @@ optional_policy(`
+@@ -570,6 +1008,14 @@ optional_policy(`
')
optional_policy(`
@@ -23504,7 +23512,7 @@ index 2696452..0426df3 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +1038,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1040,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23517,7 +23525,7 @@ index 2696452..0426df3 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1055,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1057,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23533,7 +23541,7 @@ index 2696452..0426df3 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1071,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1073,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -23544,7 +23552,7 @@ index 2696452..0426df3 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1086,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1088,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23566,7 +23574,7 @@ index 2696452..0426df3 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1106,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1108,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -23580,7 +23588,7 @@ index 2696452..0426df3 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1132,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1134,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23612,7 +23620,7 @@ index 2696452..0426df3 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1164,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1166,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23630,7 +23638,7 @@ index 2696452..0426df3 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1187,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1189,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -23654,7 +23662,7 @@ index 2696452..0426df3 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1206,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1208,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -23663,7 +23671,7 @@ index 2696452..0426df3 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1250,44 @@ optional_policy(`
+@@ -775,16 +1252,44 @@ optional_policy(`
')
optional_policy(`
@@ -23709,7 +23717,7 @@ index 2696452..0426df3 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1296,10 @@ optional_policy(`
+@@ -793,6 +1298,10 @@ optional_policy(`
')
optional_policy(`
@@ -23720,7 +23728,7 @@ index 2696452..0426df3 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1315,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1317,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -23734,7 +23742,7 @@ index 2696452..0426df3 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1326,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1328,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -23743,7 +23751,7 @@ index 2696452..0426df3 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1339,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1341,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23778,7 +23786,7 @@ index 2696452..0426df3 100644
')
optional_policy(`
-@@ -902,7 +1404,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1406,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23787,7 +23795,7 @@ index 2696452..0426df3 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1458,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1460,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -23819,7 +23827,7 @@ index 2696452..0426df3 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1504,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1506,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -24992,7 +25000,7 @@ index 3efd5b6..2f6ba05 100644
+')
+
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..28dbe0b 100644
+index 104037e..f263075 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -25298,7 +25306,7 @@ index 104037e..28dbe0b 100644
')
optional_policy(`
-@@ -463,3 +502,132 @@ optional_policy(`
+@@ -463,3 +502,133 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
@@ -25389,6 +25397,7 @@ index 104037e..28dbe0b 100644
+userdom_manage_user_tmp_files(login_pgm)
+
+optional_policy(`
++ afs_read_config(login_pgm)
+ afs_rw_udp_sockets(login_pgm)
+')
+
@@ -27318,7 +27327,7 @@ index 24e7804..c4155c7 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..6ad72c0 100644
+index dd3be8d..df6af48 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -28238,22 +28247,22 @@ index dd3be8d..6ad72c0 100644
')
optional_policy(`
-@@ -742,7 +1146,14 @@ optional_policy(`
+@@ -742,7 +1146,13 @@ optional_policy(`
')
optional_policy(`
+- mta_read_config(initrc_t)
+ milter_delete_dkim_pid_files(initrc_t)
+ milter_setattr_all_dirs(initrc_t)
+')
+
+optional_policy(`
+ mta_manage_aliases(initrc_t)
- mta_read_config(initrc_t)
-+ mta_write_config(initrc_t)
++ mta_manage_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
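Review bot: `mta_manage_config(initrc_t)` raises init scripts from reading MTA configuration to creating, deleting and renaming it, and initrc_t is the domain of every legacy init script rather than of a single daemon, so any script can now rewrite the mail configuration. If one script needs this (an alternatives/sendmail switch, for instance), a comment saying which keeps the grant from being read as generic, e.g. `# sendmail init script regenerates /etc/mail/* on start`. It would be worth checking whether `mta_manage_aliases` plus write access covered the observed denial before widening to full manage.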
-@@ -765,6 +1176,10 @@ optional_policy(`
+@@ -765,6 +1175,10 @@ optional_policy(`
')
optional_policy(`
@@ -28264,7 +28273,7 @@ index dd3be8d..6ad72c0 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1189,20 @@ optional_policy(`
+@@ -774,10 +1188,20 @@ optional_policy(`
')
optional_policy(`
@@ -28285,7 +28294,7 @@ index dd3be8d..6ad72c0 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1211,10 @@ optional_policy(`
+@@ -786,6 +1210,10 @@ optional_policy(`
')
optional_policy(`
@@ -28296,7 +28305,7 @@ index dd3be8d..6ad72c0 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1236,6 @@ optional_policy(`
+@@ -807,8 +1235,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -28305,7 +28314,7 @@ index dd3be8d..6ad72c0 100644
')
optional_policy(`
-@@ -817,6 +1244,10 @@ optional_policy(`
+@@ -817,6 +1243,10 @@ optional_policy(`
')
optional_policy(`
@@ -28316,7 +28325,7 @@ index dd3be8d..6ad72c0 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1257,12 @@ optional_policy(`
+@@ -826,10 +1256,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -28329,7 +28338,7 @@ index dd3be8d..6ad72c0 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1289,28 @@ optional_policy(`
+@@ -856,12 +1288,28 @@ optional_policy(`
')
optional_policy(`
@@ -28359,7 +28368,7 @@ index dd3be8d..6ad72c0 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1320,18 @@ optional_policy(`
+@@ -871,6 +1319,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -28378,7 +28387,7 @@ index dd3be8d..6ad72c0 100644
')
optional_policy(`
-@@ -886,6 +1347,10 @@ optional_policy(`
+@@ -886,6 +1346,10 @@ optional_policy(`
')
optional_policy(`
@@ -28389,7 +28398,7 @@ index dd3be8d..6ad72c0 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1361,196 @@ optional_policy(`
+@@ -896,3 +1360,196 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -33020,19 +33029,45 @@ index 6a50270..4e5bf09 100644
+
+auth_use_nsswitch(mount_ecryptfs_t)
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
-index b263a8a..9348c8c 100644
+index b263a8a..15576ab 100644
--- a/policy/modules/system/netlabel.fc
+++ b/policy/modules/system/netlabel.fc
-@@ -1 +1,3 @@
+@@ -1 +1,6 @@
/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
+
++/usr/lib/systemd/system/netlabel.* -- gen_context(system_u:object_r:netlabel_mgmt_unit_file_t,s0)
++
+/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
-index cbbda4a..8dcc346 100644
+index cbbda4a..1136c7b 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
-@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t)
+@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
+
+ type netlabel_mgmt_t;
+ type netlabel_mgmt_exec_t;
++init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ role system_r types netlabel_mgmt_t;
+
++type netlabel_mgmt_unit_file_t;
++systemd_unit_file(netlabel_mgmt_unit_file_t)
++
+ ########################################
+ #
+ # NetLabel Management Tools Local policy
+@@ -19,10 +23,20 @@ role system_r types netlabel_mgmt_t;
+ allow netlabel_mgmt_t self:capability net_admin;
+ allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+
++can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
++
+ kernel_read_network_state(netlabel_mgmt_t)
++corecmd_exec_bin(netlabel_mgmt_t)
++corecmd_exec_shell(netlabel_mgmt_t)
++
files_read_etc_files(netlabel_mgmt_t)
+term_use_all_inherited_terms(netlabel_mgmt_t)
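Review bot: `can_exec(netlabel_mgmt_t, netlabel_mgmt_t)` names the process domain as the executable type; netlabel_mgmt_t is not a file type, so the rule grants nothing useful and looks like a typo for `can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t)`, which is what the newly labelled netlabel-config wrapper needs to run netlabelctl in its own domain now that the domain is entered from init. With `init_daemon_domain` plus `corecmd_exec_bin` and `corecmd_exec_shell` this net_admin-capable domain also runs arbitrary binaries and shell; that is defensible for a config script but deserves a one-line comment saying so. In netlabel.fc the pattern `/usr/lib/systemd/system/netlabel.*` has an unescaped dot, so it also matches e.g. `netlabelfoo.service`; `/usr/lib/systemd/system/netlabel\.service` is tighter.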
@@ -33045,7 +33080,7 @@ index cbbda4a..8dcc346 100644
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
+
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b1..f958391 100644
+index d43f3b1..870bc36 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -6,13 +6,14 @@
@@ -33066,7 +33101,7 @@ index d43f3b1..f958391 100644
#
# /root
-@@ -35,19 +36,26 @@
+@@ -35,19 +36,27 @@
/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
@@ -33079,6 +33114,7 @@ index d43f3b1..f958391 100644
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/share/system-config-selinux/system-config-selinux-dbus\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/share/system-config-selinux/selinux_server\.py -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
# /var/lib
@@ -33095,7 +33131,7 @@ index d43f3b1..f958391 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..1029e3b 100644
+index 3822072..ec95692 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@@ -33580,7 +33616,7 @@ index 3822072..1029e3b 100644
')
#######################################
-@@ -1137,3 +1488,98 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1488,122 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -33612,6 +33648,7 @@ index 3822072..1029e3b 100644
+ mls_file_read_all_levels($1)
+
+ selinux_get_enforce_mode($1)
++ selinux_set_enforce_mode($1)
+
+ seutil_manage_bin_policy($1)
+
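Review bot: `selinux_set_enforce_mode($1)` turns every domain instantiated through this interface into one that can switch the system to permissive, a far larger grant than the neighbouring `selinux_get_enforce_mode` and `seutil_manage_bin_policy` lines, and the hunk gives no reason for it. If a single caller needs it, giving that domain the rule directly keeps the template least-privilege; if all callers need it, say so next to the line, e.g. `# policy managers may toggle enforcing mode (setenforce); only root-only domains may use this template`. The interface this sits in begins and ends outside the hunk, so its name and current callers should be checked before merging.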
@@ -33679,8 +33716,31 @@ index 3822072..1029e3b 100644
+ filetrans_pattern($1, default_context_t, file_context_t, dir, "files")
+ userdom_admin_home_dir_filetrans($1, default_context_t, file, ".default_context")
+')
++
++########################################
++##
++## Send and receive messages from
++## semanage dbus server over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`seutil_dbus_chat_semanage',`
++ gen_require(`
++ type semanage_t;
++ class dbus send_msg;
++ ')
++
++ ps_process_pattern(semanage_t, $1)
++
++ allow $1 semanage_t:dbus send_msg;
++ allow semanage_t $1:dbus send_msg;
++')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..e2b829b 100644
+index ec01d0b..063ef61 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -34208,7 +34268,7 @@ index ec01d0b..e2b829b 100644
')
########################################
-@@ -522,108 +598,181 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +598,189 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -34294,10 +34354,10 @@ index ec01d0b..e2b829b 100644
+optional_policy(`
+ xserver_append_xdm_tmp_files(setfiles_t)
+')
++
++ifdef(`hide_broken_symptoms',`
-seutil_libselinux_linked(setfiles_t)
-+ifdef(`hide_broken_symptoms',`
-+
+ optional_policy(`
+ setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
+ setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
@@ -34413,25 +34473,26 @@ index ec01d0b..e2b829b 100644
- optional_policy(`
- udev_dontaudit_rw_dgram_sockets(setfiles_t)
- ')
+-
+- # cjp: cover up stray file descriptors.
+- optional_policy(`
+- unconfined_dontaudit_read_pipes(setfiles_t)
+- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+- ')
++optional_policy(`
++ dbus_read_pid_files(setfiles_domain)
+ ')
+
+allow policy_manager_domain self:capability { dac_override sys_nice sys_resource };
+dontaudit policy_manager_domain self:capability sys_tty_config;
+allow policy_manager_domain self:process { signal setsched };
+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
+allow policy_manager_domain self:unix_dgram_socket create_socket_perms;
+allow policy_manager_domain self:fifo_file rw_fifo_file_perms;
-
-- # cjp: cover up stray file descriptors.
-- optional_policy(`
-- unconfined_dontaudit_read_pipes(setfiles_t)
-- unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
-- ')
--')
++
+dev_read_rand(policy_manager_domain)
+dev_read_urand(policy_manager_domain)
-
--optional_policy(`
-- hotplug_use_fds(setfiles_t)
--')
++
+logging_send_audit_msgs(policy_manager_domain)
+
+# Domains that will manage policy
@@ -34475,6 +34536,11 @@ index ec01d0b..e2b829b 100644
+
+files_rw_inherited_generic_pid_files(setfiles_domain)
+files_rw_inherited_generic_pid_files(policy_manager_domain)
++
+ optional_policy(`
+- hotplug_use_fds(setfiles_t)
++ policykit_dbus_chat(policy_manager_domain)
+ ')
diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index bea4629..06e2834 100644
--- a/policy/modules/system/setrans.fc
@@ -38651,7 +38717,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..3fdbb55 100644
+index 3c5dba7..2bf0cab 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40376,58 +40442,73 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2246,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
-## Delete all user home content directories.
+## Delete directories in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_home_content_dirs',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:dir delete_dir_perms;
++')
++
++########################################
++##
++## Delete all directories in a user home subdirectory.
##
##
##
-@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',`
- ##
- ##
+@@ -1782,53 +2274,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
--interface(`userdom_delete_all_user_home_content_dirs',`
-+interface(`userdom_delete_user_home_content_dirs',`
+ interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
- attribute user_home_content_type;
- type user_home_dir_t;
-+ type user_home_t;
++ attribute user_home_type;
')
- userdom_search_user_home_dirs($1)
- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_t:dir delete_dir_perms;
++ allow $1 user_home_type:dir delete_dir_perms;
')
########################################
##
-## Delete directories in a user home subdirectory.
-+## Delete all directories in a user home subdirectory.
++## Set the attributes of user home files.
##
##
##
-@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+ ## Domain allowed access.
##
##
++##
#
-interface(`userdom_delete_user_home_content_dirs',`
-+interface(`userdom_delete_all_user_home_content_dirs',`
++interface(`userdom_setattr_user_home_content_files',`
gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
+ type user_home_t;
')
- allow $1 user_home_t:dir delete_dir_perms;
-+ allow $1 user_home_type:dir delete_dir_perms;
++ allow $1 user_home_t:file setattr;
')
########################################
##
-## Set attributes of all user home content directories.
-+## Set the attributes of user home files.
++## Set the attributes of user tmp files.
##
##
##
@@ -40437,19 +40518,41 @@ index 3c5dba7..3fdbb55 100644
+##
#
-interface(`userdom_setattr_all_user_home_content_dirs',`
-+interface(`userdom_setattr_user_home_content_files',`
++interface(`userdom_setattr_user_tmp_files',`
gen_require(`
- attribute user_home_content_type;
-+ type user_home_t;
++ type user_tmp_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 user_home_content_type:dir setattr_dir_perms;
-+ allow $1 user_home_t:file setattr;
++ allow $1 user_tmp_t:file setattr;
')
########################################
-@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ ##
++## Relabel user tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_relabel_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file relabel_file_perms;
++')
++########################################
++##
+ ## Do not audit attempts to set the
+ ## attributes of user home files.
+ ##
+@@ -1848,6 +2357,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -40475,7 +40578,7 @@ index 3c5dba7..3fdbb55 100644
## Mmap user home files.
##
##
-@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2406,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -40513,7 +40616,7 @@ index 3c5dba7..3fdbb55 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2446,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -40531,7 +40634,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2494,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -40558,7 +40661,7 @@ index 3c5dba7..3fdbb55 100644
##
##
##
-@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2522,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -40579,7 +40682,7 @@ index 3c5dba7..3fdbb55 100644
##
##
##
-@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2538,48 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -40630,7 +40733,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2615,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -40640,7 +40743,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,21 +2631,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -40654,18 +40757,19 @@ index 3c5dba7..3fdbb55 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
##
-@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+ ## Do not audit attempts to execute user home files.
+@@ -2123,7 +2721,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -40674,7 +40778,7 @@ index 3c5dba7..3fdbb55 100644
##
##
##
-@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2729,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -40698,7 +40802,7 @@ index 3c5dba7..3fdbb55 100644
##
##
##
-@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2747,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -40714,7 +40818,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2989,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -40729,7 +40833,7 @@ index 3c5dba7..3fdbb55 100644
files_search_tmp($1)
')
-@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3013,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -40738,7 +40842,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3260,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -40764,7 +40868,7 @@ index 3c5dba7..3fdbb55 100644
########################################
##
## Read user tmpfs files.
-@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3295,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -40780,7 +40884,7 @@ index 3c5dba7..3fdbb55 100644
##
##
##
-@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3323,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -40789,7 +40893,7 @@ index 3c5dba7..3fdbb55 100644
##
##
##
-@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3331,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -40803,66 +40907,28 @@ index 3c5dba7..3fdbb55 100644
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of a user domain tty.
-+## Execute user tmpfs files.
- ##
- ##
- ##
-@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',`
- ##
- ##
- #
--interface(`userdom_getattr_user_ttys',`
-+interface(`userdom_execute_user_tmpfs_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmpfs_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-+ allow $1 user_tmpfs_t:file execute;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of a user domain tty.
-+## Get the attributes of a user domain tty.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`userdom_dontaudit_getattr_user_ttys',`
-+interface(`userdom_getattr_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to get the attributes of a user domain tty.
++## Execute user tmpfs files.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_dontaudit_getattr_user_ttys',`
- gen_require(`
- type user_tty_device_t;
- ')
-@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',`
++interface(`userdom_execute_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file execute;
+ ')
+
+ ########################################
+@@ -2817,6 +3449,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
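Review bot: `userdom_execute_user_tmpfs_files` grants `execute` on `user_tmpfs_t:file`, which permits mapping user shared-memory objects with PROT_EXEC; combined with the read/write grants on the same type visible in the context above (`rw_inherited_file_perms`), a caller can hold writable and executable mappings of the same object. The interface description should make that explicit and name the intended consumers, e.g. `## Map user tmpfs files executable (PROT_EXEC); callers also holding rw on user_tmpfs_t get W+X mappings.` — wording to be confirmed by the policy maintainers. The relocation itself looks correct: the old version rewrote the getattr_user_ttys hunks in place, the new one is a clean insertion.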
@@ -40887,7 +40953,7 @@ index 3c5dba7..3fdbb55 100644
## Read and write a user domain pty.
##
##
-@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3485,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -40930,7 +40996,7 @@ index 3c5dba7..3fdbb55 100644
##
##
##
-@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3521,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -40968,7 +41034,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3566,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -40998,7 +41064,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3658,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -41099,7 +41165,7 @@ index 3c5dba7..3fdbb55 100644
##
##
##
-@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3727,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -41114,7 +41180,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3796,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -41123,7 +41189,7 @@ index 3c5dba7..3fdbb55 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3812,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -41157,7 +41223,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -3217,7 +3863,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3900,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -41184,7 +41250,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -3272,7 +3936,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3973,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -41250,7 +41316,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -3290,7 +4011,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4048,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -41259,7 +41325,7 @@ index 3c5dba7..3fdbb55 100644
')
########################################
-@@ -3309,6 +4030,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4067,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -41267,7 +41333,7 @@ index 3c5dba7..3fdbb55 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4107,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4144,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -41310,11 +41376,54 @@ index 3c5dba7..3fdbb55 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4163,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,7 +4200,7 @@ interface(`userdom_sigchld_all_users',`
########################################
##
+-## Create keys for all user domains.
+## Read keys for all user domains.
+ ##
+ ##
+ ##
+@@ -3413,17 +4208,17 @@ interface(`userdom_sigchld_all_users',`
+ ##
+ ##
+ #
+-interface(`userdom_create_all_users_keys',`
++interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+- allow $1 userdomain:key create;
++ allow $1 userdomain:key read;
+ ')
+
+ ########################################
+ ##
+-## Send a dbus message to all user domains.
++## Create keys for all user domains.
+ ##
+ ##
+ ##
+@@ -3431,11 +4226,1516 @@ interface(`userdom_create_all_users_keys',`
+ ##
+ ##
+ #
+-interface(`userdom_dbus_send_all_users',`
++interface(`userdom_create_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+- class dbus send_msg;
+ ')
+
+- allow $1 userdomain:dbus send_msg;
++ allow $1 userdomain:key create;
++')
++
++########################################
++##
++## Send a dbus message to all user domains.
+##
+##
+##
@@ -41322,23 +41431,13 @@ index 3c5dba7..3fdbb55 100644
+##
+##
+#
-+interface(`userdom_read_all_users_keys',`
++interface(`userdom_dbus_send_all_users',`
+ gen_require(`
+ attribute userdomain;
++ class dbus send_msg;
+ ')
+
-+ allow $1 userdomain:key read;
-+')
-+
-+########################################
-+##
- ## Create keys for all user domains.
- ##
- ##
-@@ -3438,4 +4214,1472 @@ interface(`userdom_dbus_send_all_users',`
- ')
-
- allow $1 userdomain:dbus send_msg;
++ allow $1 userdomain:dbus send_msg;
+ ps_process_pattern($1, userdomain)
+')
+
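Review bot: The restored `userdom_dbus_send_all_users` body carries `ps_process_pattern($1, userdomain)` alongside `allow $1 userdomain:dbus send_msg;`, but its description still reads `## Send a dbus message to all user domains.`; callers also gain read access to the process state of every user domain, a wider grant than the name suggests. Either document it (`## Send a dbus message to all user domains and read their process state.`) or move the pattern into its own interface. The inner hunk is also written as a sliding rename (create_all_users_keys becomes read_all_users_keys, dbus_send_all_users becomes create_all_users_keys, then dbus_send_all_users is re-added) instead of a plain insertion of the new read interface, which makes the actual change harder to audit.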
@@ -42807,6 +42906,25 @@ index 3c5dba7..3fdbb55 100644
+ ')
+
+ allow $1 userdomain:process transition;
++')
++
++########################################
++##
++## Do not audit attempts to check the
++## access on user content files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_access_check_user_content',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ dontaudit $1 user_home_type:dir_file_class_set audit_access;
')
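Review bot: The new `userdom_dontaudit_access_check_user_content` dontaudits `audit_access` on `user_home_type:dir_file_class_set`, i.e. every file-like class (directories, symlinks, sockets, fifos, device nodes), while its description says `user content files`. Either narrow the rule to `file` or make the description match, e.g. `## Do not audit attempts to check access on user home content of any file class.` The second description line is also missing its terminating period, unlike the neighbouring interfaces.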
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e2b538b..211263f 100644
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index e8b95e6..8d0452b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -518,7 +518,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..b4c749b 100644
+index cc43d25..da5b191 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -630,12 +630,12 @@ index cc43d25..b4c749b 100644
+
+#
+# Support for ABRT retrace server
-+#
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
++#
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
@@ -795,10 +795,14 @@ index cc43d25..b4c749b 100644
')
optional_policy(`
-@@ -209,6 +224,12 @@ optional_policy(`
+@@ -209,6 +224,16 @@ optional_policy(`
')
optional_policy(`
++ kdump_read_crash(abrt_t)
++')
++
++optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+ mozilla_plugin_read_rw_files(abrt_t)
+')
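Review bot: `kdump_read_crash(abrt_t)` gives the abrt daemon read access to kernel crash dumps, which are raw images of kernel memory and can contain key material and other secrets; the grant is unconditional and has no comment naming the consumer. A one-line comment such as `# vmcore processing — confirm consumer` above the optional_policy block would keep the grant auditable later. I am inferring the purpose from the interface name only, so please confirm.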
@@ -808,7 +812,7 @@ index cc43d25..b4c749b 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +241,7 @@ optional_policy(`
+@@ -220,6 +245,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -816,7 +820,7 @@ index cc43d25..b4c749b 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +252,7 @@ optional_policy(`
+@@ -230,6 +256,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -824,7 +828,7 @@ index cc43d25..b4c749b 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +263,17 @@ optional_policy(`
+@@ -240,9 +267,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -843,7 +847,7 @@ index cc43d25..b4c749b 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +284,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -858,7 +862,7 @@ index cc43d25..b4c749b 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +303,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -866,7 +870,7 @@ index cc43d25..b4c749b 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +312,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -887,7 +891,7 @@ index cc43d25..b4c749b 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +333,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -914,7 +918,7 @@ index cc43d25..b4c749b 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +369,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -928,7 +932,7 @@ index cc43d25..b4c749b 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +387,11 @@ optional_policy(`
+@@ -330,10 +391,11 @@ optional_policy(`
#######################################
#
@@ -942,7 +946,7 @@ index cc43d25..b4c749b 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1004,7 +1008,7 @@ index cc43d25..b4c749b 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1021,8 +1025,10 @@ index cc43d25..b4c749b 100644
#
-kernel_read_system_state(abrt_domain)
--
--files_read_etc_files(abrt_domain)
++allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
++allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
+
+ files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
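Review bot: `allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;` is checked against the label of the listening socket, which is normally the domain of the process that created it rather than the sock_file type, so this rule is unlikely to ever match and the connect will still be denied. The usual form is `stream_connect_pattern(abrt_domain, abrt_var_run_t, abrt_var_run_t, abrt_t)`, which also covers the sock_file write on the line above; confirm that abrt_t (or whichever domain listens on that socket) is the intended target.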
@@ -1253,10 +1259,35 @@ index 8b5ad06..8ce8f26 100644
optional_policy(`
unconfined_domain(ada_t)
diff --git a/afs.if b/afs.if
-index 3b41be6..188db36 100644
+index 3b41be6..97d99f9 100644
--- a/afs.if
+++ b/afs.if
-@@ -95,13 +95,17 @@ interface(`afs_initrc_domtrans',`
+@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
+
+ ########################################
+ ##
++## Read AFS config data
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`afs_read_config',`
++ gen_require(`
++ type afs_config_t;
++ ')
++
++ read_files_pattern($1, afs_config_t, afs_config_t)
++')
++
++########################################
++##
+ ## Read and write afs cache files.
+ ##
+ ##
+@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
interface(`afs_admin',`
gen_require(`
attribute afs_domain;
@@ -1278,7 +1309,7 @@ index 3b41be6..188db36 100644
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
-index 6690cdf..baf390f 100644
+index 6690cdf..7726644 100644
--- a/afs.te
+++ b/afs.te
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
@@ -1328,7 +1359,17 @@ index 6690cdf..baf390f 100644
seutil_read_config(afs_bosserver_t)
-@@ -175,12 +187,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
+@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms };
+ allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
+ allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+ manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+
+@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
@@ -1345,7 +1386,7 @@ index 6690cdf..baf390f 100644
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
-@@ -190,7 +204,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
+@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
@@ -1353,7 +1394,7 @@ index 6690cdf..baf390f 100644
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)
-@@ -224,7 +237,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+@@ -224,7 +234,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
@@ -1361,7 +1402,7 @@ index 6690cdf..baf390f 100644
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_node(afs_kaserver_t)
-@@ -239,7 +251,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
+@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
files_list_home(afs_kaserver_t)
@@ -1369,7 +1410,16 @@ index 6690cdf..baf390f 100644
seutil_read_config(afs_kaserver_t)
-@@ -262,7 +273,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
+ allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
+ allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
+-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
@@ -1377,7 +1427,7 @@ index 6690cdf..baf390f 100644
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
-@@ -274,6 +284,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
+@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
@@ -1386,7 +1436,16 @@ index 6690cdf..baf390f 100644
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
########################################
-@@ -293,7 +305,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+ allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
+ allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
+-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
@@ -1394,15 +1453,18 @@ index 6690cdf..baf390f 100644
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
-@@ -314,8 +325,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
allow afs_domain self:udp_socket create_socket_perms;
-files_read_etc_files(afs_domain)
-
-miscfiles_read_localization(afs_domain)
--
++read_files_pattern(afs_domain, afs_config_t, afs_config_t)
++allow afs_domain afs_config_t:dir list_dir_perms;
+
sysnet_read_config(afs_domain)
++
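Review bot: Moving `read_files_pattern(..., afs_config_t, ...)` and `allow ... afs_config_t:dir list_dir_perms;` from afs_fsserver_t, afs_ptserver_t and afs_vlserver_t onto the `afs_domain` attribute extends config read access to every type carrying that attribute, not only the three server domains the removed lines covered; confirm that the client and remaining server domains are meant to read the AFS server configuration, and whether that directory holds anything the wider set should not see. The hunk also appends a trailing blank line to afs.te (the final `++`), which should be dropped.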
diff --git a/aiccu.if b/aiccu.if
index 3b5dcb9..fbe187f 100644
--- a/aiccu.if
@@ -4534,7 +4596,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..2becd8b 100644
+index 1a82e29..12b3640 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5513,33 +5575,38 @@ index 1a82e29..2becd8b 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +772,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +772,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+tunable_policy(`httpd_use_nfs',`
-+ fs_list_auto_mountpoints(httpd_t)
+ fs_list_auto_mountpoints(httpd_t)
+- fs_read_cifs_files(httpd_t)
+- fs_read_cifs_symlinks(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
')
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-- fs_list_auto_mountpoints(httpd_t)
- fs_read_cifs_files(httpd_t)
- fs_read_cifs_symlinks(httpd_t)
- ')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
--')
--
++
++tunable_policy(`httpd_use_nfs',`
++ automount_search_tmp_dirs(httpd_t)
+ ')
+
-tunable_policy(`httpd_execmem',`
- allow httpd_t self:process { execmem execstack };
--')
--
++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(httpd_t)
++ fs_read_cifs_symlinks(httpd_t)
+ ')
+
tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_t)
+ # allow httpd to connect to mail servers
@@ -5559,12 +5626,8 @@ index 1a82e29..2becd8b 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_t)
-+ fs_manage_cifs_files(httpd_t)
-+ fs_manage_cifs_symlinks(httpd_t)
- ')
-
+-')
+-
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
@@ -5587,8 +5650,12 @@ index 1a82e29..2becd8b 100644
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
--')
--
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_t)
++ fs_manage_cifs_files(httpd_t)
++ fs_manage_cifs_symlinks(httpd_t)
+ ')
+
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
@@ -5598,7 +5665,7 @@ index 1a82e29..2becd8b 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +813,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +818,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5679,7 +5746,7 @@ index 1a82e29..2becd8b 100644
')
optional_policy(`
-@@ -743,14 +865,6 @@ optional_policy(`
+@@ -743,14 +870,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5694,7 +5761,7 @@ index 1a82e29..2becd8b 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +879,23 @@ optional_policy(`
+@@ -765,6 +884,23 @@ optional_policy(`
')
optional_policy(`
@@ -5718,7 +5785,7 @@ index 1a82e29..2becd8b 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +912,42 @@ optional_policy(`
+@@ -781,34 +917,42 @@ optional_policy(`
')
optional_policy(`
@@ -5772,7 +5839,7 @@ index 1a82e29..2becd8b 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +955,18 @@ optional_policy(`
+@@ -816,8 +960,18 @@ optional_policy(`
')
optional_policy(`
@@ -5791,7 +5858,7 @@ index 1a82e29..2becd8b 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +975,7 @@ optional_policy(`
+@@ -826,6 +980,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5799,7 +5866,7 @@ index 1a82e29..2becd8b 100644
')
optional_policy(`
-@@ -836,20 +986,39 @@ optional_policy(`
+@@ -836,20 +991,39 @@ optional_policy(`
')
optional_policy(`
@@ -5833,19 +5900,19 @@ index 1a82e29..2becd8b 100644
- ')
+optional_policy(`
+ puppet_read_lib(httpd_t)
-+')
-+
-+optional_policy(`
-+ pwauth_domtrans(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
++ pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
-@@ -857,19 +1026,35 @@ optional_policy(`
+@@ -857,19 +1031,35 @@ optional_policy(`
')
optional_policy(`
@@ -5881,7 +5948,7 @@ index 1a82e29..2becd8b 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1062,170 @@ optional_policy(`
+@@ -877,65 +1067,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5951,10 +6018,11 @@ index 1a82e29..2becd8b 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -6013,11 +6081,10 @@ index 1a82e29..2becd8b 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6074,7 +6141,7 @@ index 1a82e29..2becd8b 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1234,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1239,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6229,7 +6296,7 @@ index 1a82e29..2becd8b 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1318,104 @@ optional_policy(`
+@@ -1077,172 +1323,104 @@ optional_policy(`
')
')
@@ -6254,7 +6321,8 @@ index 1a82e29..2becd8b 100644
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
++allow httpd_sys_script_t self:process getsched;
+
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6262,8 +6330,7 @@ index 1a82e29..2becd8b 100644
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
-+allow httpd_sys_script_t self:process getsched;
-
+-
-corecmd_exec_all_executables(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@@ -6465,7 +6532,7 @@ index 1a82e29..2becd8b 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1423,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1428,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6562,7 +6629,7 @@ index 1a82e29..2becd8b 100644
########################################
#
-@@ -1315,8 +1498,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1503,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6579,14 +6646,15 @@ index 1a82e29..2becd8b 100644
')
########################################
-@@ -1324,49 +1514,36 @@ optional_policy(`
+@@ -1324,49 +1519,38 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
--
++auth_use_nsswitch(httpd_user_script_t)
+
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
@@ -6643,7 +6711,7 @@ index 1a82e29..2becd8b 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1553,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1560,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -7374,10 +7442,10 @@ index 0000000..4579cfe
+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
diff --git a/authconfig.if b/authconfig.if
new file mode 100644
-index 0000000..98ab9ed
+index 0000000..316c324
--- /dev/null
+++ b/authconfig.if
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,127 @@
+
+## policy for authconfig
+
@@ -7487,12 +7555,6 @@ index 0000000..98ab9ed
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`authconfig_admin',`
+ gen_require(`
@@ -7505,6 +7567,7 @@ index 0000000..98ab9ed
+
+ files_search_var_lib($1)
+ admin_pattern($1, authconfig_var_lib_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
@@ -7562,7 +7625,7 @@ index 92adb37..0a2ffc6 100644
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
-index 089430a..7cd037b 100644
+index 089430a..b0bed70 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -7573,7 +7636,33 @@ index 089430a..7cd037b 100644
interface(`automount_signal',`
gen_require(`
type automount_t;
-@@ -134,6 +133,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
+
+ ########################################
+ ##
++## Allow domain to search of automount temporary
++## directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`automount_search_tmp_dirs',`
++ gen_require(`
++ type automount_tmp_t;
++ ')
++
++ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to get
+ ## attributes of automount temporary
+ ## directories.
+@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
########################################
##
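Review bot: The parameter description of the new `automount_search_tmp_dirs` interface reads `## Domain to not audit.` although the body grants access via `search_dirs_pattern`; the text was evidently copied from the dontaudit interface below and should read `## Domain allowed access.`. Comparable search interfaces usually also call `files_search_tmp($1)` so the caller can reach the parent directory — worth confirming whether that is needed here.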
@@ -7603,7 +7692,7 @@ index 089430a..7cd037b 100644
## All of the rules required to
## administrate an automount environment.
##
-@@ -153,11 +175,16 @@ interface(`automount_admin',`
+@@ -153,11 +194,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
@@ -7621,7 +7710,7 @@ index 089430a..7cd037b 100644
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
-@@ -171,4 +198,8 @@ interface(`automount_admin',`
+@@ -171,4 +217,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
@@ -8268,7 +8357,7 @@ index 866a1e2..6c2dbe4 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 076ffee..9977c4d 100644
+index 076ffee..d4fb2a4 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8317,7 +8406,7 @@ index 076ffee..9977c4d 100644
domain_use_interactive_fds(named_t)
-@@ -170,6 +174,11 @@ tunable_policy(`named_write_master_zones',`
+@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -8326,10 +8415,14 @@ index 076ffee..9977c4d 100644
+')
+
+optional_policy(`
++ cron_system_entry(named_t, named_exec_t)
++')
++
++optional_policy(`
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
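Review bot: `cron_system_entry(named_t, named_exec_t)` makes named_exec_t an entrypoint from the system cron job domain, so cron-launched executions of that binary transition into named_t, yet the hunk does not record which cron job needs this. A one-line comment inside the block, e.g. `# system cron jobs run named's binary in named_t`, would make the grant auditable. This appears to pair with the later cron.te hunk that grants `bind_read_config(crond_t)`; stating the use case once would cover both.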
-@@ -183,6 +192,7 @@ optional_policy(`
+@@ -183,6 +196,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(named, named_t)
@@ -8337,7 +8430,7 @@ index 076ffee..9977c4d 100644
')
optional_policy(`
-@@ -209,7 +219,8 @@ optional_policy(`
+@@ -209,7 +223,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -8347,7 +8440,7 @@ index 076ffee..9977c4d 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -223,10 +234,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -8359,7 +8452,7 @@ index 076ffee..9977c4d 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -8555,10 +8648,10 @@ index bc5c984..63a4b1d 100644
+ xserver_read_state_xdm(blueman_t)
+')
diff --git a/bluetooth.fc b/bluetooth.fc
-index 2b9c7f3..e1b7177 100644
+index 2b9c7f3..63e4860 100644
--- a/bluetooth.fc
+++ b/bluetooth.fc
-@@ -5,6 +5,8 @@
+@@ -5,10 +5,13 @@
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
@@ -8567,6 +8660,11 @@ index 2b9c7f3..e1b7177 100644
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
++/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+
+ /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
+ /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
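Review bot: `/usr/bin/pand` is inserted after `/usr/bin/rfcomm`, which breaks the alphabetical order of the `/usr/bin` entries in this block (blue.*pin, dund, hidd, rfcomm); place it between `hidd` and `rfcomm`. The `bluetooth_exec_t` label itself is consistent with the sibling `dund` and `hidd` entries.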
diff --git a/bluetooth.if b/bluetooth.if
index c723a0a..3e8a553 100644
--- a/bluetooth.if
@@ -15291,7 +15389,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..bf91ba9 100644
+index 28e1b86..9436993 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -15635,7 +15733,7 @@ index 28e1b86..bf91ba9 100644
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
-@@ -311,41 +249,42 @@ logging_set_loginuid(crond_t)
+@@ -311,41 +249,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -15672,6 +15770,10 @@ index 28e1b86..bf91ba9 100644
+
+optional_policy(`
+ logwatch_search_cache_dir(crond_t)
++')
++
++optional_policy(`
++ bind_read_config(crond_t)
')
ifdef(`distro_redhat',`
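Review bot: `bind_read_config(crond_t)` grants the cron daemon itself, not the job domains, read access to named's configuration, and the hunk gives no indication why crond needs it. If the intent is for a scheduled job to read bind config, the grant belongs on `system_cronjob_t` (or is covered by the `cron_system_entry` added in the bind.te hunk of this patch); otherwise a comment such as `# crond reads named config: <denial being fixed>` should record the reason. Named configuration may reference key material, so keeping this as narrow as possible matters.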
@@ -15694,7 +15796,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -353,102 +292,136 @@ optional_policy(`
+@@ -353,102 +296,136 @@ optional_policy(`
')
optional_policy(`
@@ -15862,7 +15964,7 @@ index 28e1b86..bf91ba9 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-@@ -457,11 +430,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -457,11 +434,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -15875,7 +15977,7 @@ index 28e1b86..bf91ba9 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -481,6 +454,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -481,6 +458,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -15883,7 +15985,7 @@ index 28e1b86..bf91ba9 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -491,15 +465,19 @@ files_getattr_all_files(system_cronjob_t)
+@@ -491,15 +469,19 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@@ -15906,7 +16008,7 @@ index 28e1b86..bf91ba9 100644
init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +489,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +493,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -15936,7 +16038,7 @@ index 28e1b86..bf91ba9 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +518,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +522,17 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -15954,7 +16056,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -546,10 +537,6 @@ optional_policy(`
+@@ -546,10 +541,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -15965,7 +16067,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -581,6 +568,7 @@ optional_policy(`
+@@ -581,6 +572,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -15973,7 +16075,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -588,15 +576,19 @@ optional_policy(`
+@@ -588,15 +580,19 @@ optional_policy(`
')
optional_policy(`
@@ -15995,7 +16097,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -606,6 +598,7 @@ optional_policy(`
+@@ -606,6 +602,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -16003,7 +16105,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -613,12 +606,24 @@ optional_policy(`
+@@ -613,12 +610,24 @@ optional_policy(`
')
optional_policy(`
@@ -16030,7 +16132,7 @@ index 28e1b86..bf91ba9 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +631,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +635,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -16064,7 +16166,7 @@ index 28e1b86..bf91ba9 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +664,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +668,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -17918,7 +18020,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index afcf3a2..0730306 100644
+index afcf3a2..8c49f40 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -18160,7 +18262,7 @@ index afcf3a2..0730306 100644
- allow $1 session_bus_type:unix_stream_socket connectto;
- allow $1 session_bus_type:fd use;
-')
--
+
-#######################################
-##
-## Creating connections to specified
@@ -18186,7 +18288,7 @@ index afcf3a2..0730306 100644
- ')
-
- typeattribute $2 dbusd_session_bus_client;
-
+-
- allow $2 { $1_dbusd_t self }:dbus send_msg;
- allow $1_dbusd_t $2:dbus send_msg;
+ # For connecting to the bus
@@ -18474,7 +18576,7 @@ index afcf3a2..0730306 100644
##
##
##
-@@ -614,10 +448,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -614,10 +448,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -18492,6 +18594,25 @@ index afcf3a2..0730306 100644
+
+########################################
+##
++## Read all dbus pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_read_pid_files',`
++ gen_require(`
++ type system_dbusd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++')
++
++########################################
++##
+## Do not audit attempts to connect to
+## session bus types with a unix
+## stream socket.
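Review bot: The summary of the new `dbus_read_pid_files` interface says `## Read all dbus pid files` but the body only covers `system_dbusd_var_run_t`, so any separately labelled session-bus pid files are not included; either change the summary to `## Read system dbus pid files.` or widen the body. The body otherwise follows the sibling pattern (`files_search_pids` plus `read_files_pattern`).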
@@ -19592,7 +19713,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..d75b565 100644
+index ff933af..cd1d88d 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -19614,20 +19735,20 @@ index ff933af..d75b565 100644
type devicekit_tmp_t;
files_tmp_file(devicekit_tmp_t)
-@@ -45,11 +45,10 @@ kernel_read_system_state(devicekit_t)
+@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
-files_read_etc_files(devicekit_t)
-
+-
-miscfiles_read_localization(devicekit_t)
-
+-
optional_policy(`
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
dbus_system_bus_client(devicekit_t)
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
-@@ -64,7 +63,8 @@ optional_policy(`
+@@ -64,7 +61,8 @@ optional_policy(`
# Disk local policy
#
@@ -19637,7 +19758,7 @@ index ff933af..d75b565 100644
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,10 +81,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@@ -19650,15 +19771,16 @@ index ff933af..d75b565 100644
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
-@@ -98,6 +99,7 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
++dev_rw_loop_control(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
-@@ -116,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
@@ -19668,7 +19790,7 @@ index ff933af..d75b565 100644
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
-@@ -134,16 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
@@ -19689,7 +19811,7 @@ index ff933af..d75b565 100644
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -167,6 +171,7 @@ optional_policy(`
+@@ -167,6 +170,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
@@ -19697,7 +19819,7 @@ index ff933af..d75b565 100644
')
optional_policy(`
-@@ -180,6 +185,11 @@ optional_policy(`
+@@ -180,6 +184,11 @@ optional_policy(`
')
optional_policy(`
@@ -19709,7 +19831,7 @@ index ff933af..d75b565 100644
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
')
-@@ -188,12 +198,19 @@ optional_policy(`
+@@ -188,12 +197,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -19730,7 +19852,7 @@ index ff933af..d75b565 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +224,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@@ -19741,7 +19863,7 @@ index ff933af..d75b565 100644
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
@@ -19761,7 +19883,7 @@ index ff933af..d75b565 100644
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +283,11 @@ optional_policy(`
+@@ -269,9 +282,11 @@ optional_policy(`
optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
@@ -19773,7 +19895,7 @@ index ff933af..d75b565 100644
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +318,11 @@ optional_policy(`
+@@ -302,8 +317,11 @@ optional_policy(`
')
optional_policy(`
@@ -19786,7 +19908,7 @@ index ff933af..d75b565 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -341,3 +360,9 @@ optional_policy(`
+@@ -341,3 +359,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -21662,7 +21784,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..4ebb0ad 100644
+index a7bfaf0..9a6a36e 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -21710,7 +21832,7 @@ index a7bfaf0..4ebb0ad 100644
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
-@@ -56,20 +54,17 @@ logging_log_file(dovecot_var_log_t)
+@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
@@ -21732,10 +21854,11 @@ index a7bfaf0..4ebb0ad 100644
kernel_read_all_sysctls(dovecot_domain)
-kernel_read_system_state(dovecot_domain)
++kernel_read_network_state(dovecot_domain)
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
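Review bot: `kernel_read_network_state(dovecot_domain)` is applied to the whole `dovecot_domain` attribute, so every dovecot domain (daemon, auth, deliver) gains read of the kernel's network state under /proc/net. If only one of them triggered the denial, scoping the call to that domain is tighter; either way a comment naming the motivating denial would help, especially since the inner patch removes `kernel_read_system_state` from the same attribute just above.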
-@@ -78,37 +73,46 @@ dev_read_sysfs(dovecot_domain)
+@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
@@ -21795,7 +21918,7 @@ index a7bfaf0..4ebb0ad 100644
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-@@ -120,45 +124,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
@@ -21852,7 +21975,7 @@ index a7bfaf0..4ebb0ad 100644
init_getattr_utmp(dovecot_t)
-@@ -166,44 +160,42 @@ auth_use_nsswitch(dovecot_t)
+@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
@@ -21915,7 +22038,7 @@ index a7bfaf0..4ebb0ad 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +213,63 @@ optional_policy(`
+@@ -221,46 +214,63 @@ optional_policy(`
########################################
#
@@ -21988,7 +22111,7 @@ index a7bfaf0..4ebb0ad 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +280,30 @@ optional_policy(`
+@@ -271,15 +281,30 @@ optional_policy(`
')
optional_policy(`
@@ -22020,7 +22143,7 @@ index a7bfaf0..4ebb0ad 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +313,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +314,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22080,7 +22203,7 @@ index a7bfaf0..4ebb0ad 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +357,6 @@ optional_policy(`
+@@ -326,5 +358,6 @@ optional_policy(`
')
optional_policy(`
@@ -23368,10 +23491,18 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..7d63acb 100644
+index f0388cb..df501ec 100644
--- a/fetchmail.te
+++ b/fetchmail.te
-@@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen };
+@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
+ #
+ # Local policy
+ #
+-
++allow fetchmail_t self:capability setuid;
+ dontaudit fetchmail_t self:capability sys_tty_config;
+ allow fetchmail_t self:process { signal_perms setrlimit };
+ allow fetchmail_t self:unix_stream_socket { accept listen };
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
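Review bot: `allow fetchmail_t self:capability setuid;` adds a privilege-changing capability to the fetchmail domain with no comment on its purpose. If it is only needed so fetchmail can drop to the configured run user when started as root, say so (`# setuid: drop privileges to the configured run user`); if the requirement is merely that the attempt not be logged, `dontaudit` is the lesser grant, as the adjacent `sys_tty_config` line already uses. The hunk also drops the blank line separating the section header from the first rule, which the other modules in this patch keep.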
@@ -25053,10 +25184,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..3156ad4
+index 0000000..7244e2c
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,167 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -25187,6 +25318,7 @@ index 0000000..3156ad4
+
+domain_use_interactive_fds(glusterd_t)
+
++fs_mount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
+files_mounton_mnt(glusterd_t)
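Review bot: `fs_mount_all_fs(glusterd_t)` allows mounting every filesystem type; if glusterd only needs to mount its FUSE-backed volumes, `fs_mount_fusefs(glusterd_t)` is the narrower interface. If the broad form is deliberate (for example bricks on arbitrary filesystems), record that in a comment above the line.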
@@ -31265,10 +31397,10 @@ index 0000000..dbe3f03
+')
+
diff --git a/kdump.fc b/kdump.fc
-index a49ae4e..1906ffe 100644
+index a49ae4e..913a0e3 100644
--- a/kdump.fc
+++ b/kdump.fc
-@@ -1,13 +1,13 @@
+@@ -1,13 +1,14 @@
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
@@ -31289,8 +31421,9 @@ index a49ae4e..1906ffe 100644
-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
++/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
diff --git a/kdump.if b/kdump.if
-index 3a00b3a..15d521b 100644
+index 3a00b3a..f6402dc 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
@@ -31361,12 +31494,50 @@ index 3a00b3a..15d521b 100644
##
##
##
-@@ -56,10 +100,27 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,65 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
+#####################################
+##
++## Read kdump crash files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdump_read_crash',`
++ gen_require(`
++ type kdump_crash_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
++')
++
++#####################################
++##
++## Read kdump crash files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdump_manage_crash',`
++ gen_require(`
++ type kdump_crash_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
++')
++
++#####################################
++##
+## Dontaudit read kdump configuration file.
+##
+##
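Review bot: The summary of `kdump_manage_crash` (the second new interface) still reads `## Read kdump crash files.`, copied from `kdump_read_crash`; it should read `## Create, read, write, and delete kdump crash files.`. Both interfaces grant file access only, while the .fc hunk labels the whole `/var/crash(/.*)?` tree, so callers of the manage interface may also need `manage_dirs_pattern($1, kdump_crash_t, kdump_crash_t)` — worth confirming against the intended consumers. Crash dumps hold raw kernel memory, so `kdump_read_crash` should only be handed to domains that genuinely need it.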
@@ -31391,7 +31562,7 @@ index 3a00b3a..15d521b 100644
##
##
##
-@@ -76,10 +137,31 @@ interface(`kdump_manage_config',`
+@@ -76,10 +175,31 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
@@ -31425,7 +31596,7 @@ index 3a00b3a..15d521b 100644
##
##
##
-@@ -88,19 +170,23 @@ interface(`kdump_manage_config',`
+@@ -88,19 +208,24 @@ interface(`kdump_manage_config',`
##
##
##
@@ -31442,6 +31613,7 @@ index 3a00b3a..15d521b 100644
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ type kdump_unit_file_t;
++ type kdump_crash_t
')
- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
@@ -31454,18 +31626,21 @@ index 3a00b3a..15d521b 100644
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -110,6 +196,7 @@ interface(`kdump_admin',`
+@@ -110,6 +235,10 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
- files_search_tmp($1)
- admin_pattern($1, kdumpctl_tmp_t)
++ files_search_var($1)
++ admin_pattern($1, kdump_crash_t)
++
+ kdump_systemctl($1)
+ admin_pattern($1, kdump_unit_file_t)
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index 70f3007..bacefd5 100644
+index 70f3007..074a2ee 100644
--- a/kdump.te
+++ b/kdump.te
@@ -1,4 +1,4 @@
@@ -31474,7 +31649,13 @@ index 70f3007..bacefd5 100644
#######################################
#
-@@ -15,30 +15,33 @@ files_config_file(kdump_etc_t)
+@@ -12,35 +12,48 @@ init_system_domain(kdump_t, kdump_exec_t)
+ type kdump_etc_t;
+ files_config_file(kdump_etc_t)
+
++type kdump_crash_t;
++files_type(kdump_crash_t)
++
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
@@ -31500,6 +31681,11 @@ index 70f3007..bacefd5 100644
+allow kdump_t self:capability2 compromise_kernel;
-allow kdump_t kdump_etc_t:file read_file_perms;
++manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
++manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
++manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
++files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
++
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-files_read_etc_files(kdump_t)
@@ -31512,8 +31698,12 @@ index 70f3007..bacefd5 100644
-kernel_read_system_state(kdump_t)
kernel_request_load_module(kdump_t)
++mls_file_read_all_levels(kdump_t)
++
dev_read_framebuffer(kdump_t)
-@@ -48,22 +51,27 @@ term_use_console(kdump_t)
+ dev_read_sysfs(kdump_t)
+
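Review bot: `mls_file_read_all_levels(kdump_t)` is an MLS override that lets kdump_t read files at every sensitivity level, and the hunk carries no comment on what requires it. A line such as `# MLS: kdump must read the dumped kernel image regardless of its level` (adjusted to the actual denial) would justify the exemption for future review.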
+@@ -48,22 +61,32 @@ term_use_console(kdump_t)
#######################################
#
@@ -31542,11 +31732,16 @@ index 70f3007..bacefd5 100644
+can_exec(kdumpctl_t, kdumpctl_tmp_t)
-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
++manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
++manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
++manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
++files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash")
++
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
kernel_read_system_state(kdumpctl_t)
-@@ -71,46 +79,56 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +94,56 @@ corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
@@ -34709,7 +34904,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..3baae66 100644
+index 7bab8e5..b88bbf3 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,18 @@
@@ -34922,7 +35117,7 @@ index 7bab8e5..3baae66 100644
')
optional_policy(`
-@@ -198,21 +218,22 @@ optional_policy(`
+@@ -198,21 +218,26 @@ optional_policy(`
')
optional_policy(`
@@ -34936,11 +35131,15 @@ index 7bab8e5..3baae66 100644
- openvswitch_read_pid_files(logrotate_t)
- openvswitch_domtrans(logrotate_t)
+ polipo_named_filetrans_log_files(logrotate_t)
++')
++
++optional_policy(`
++ psad_domtrans(logrotate_t)
')
optional_policy(`
- polipo_log_filetrans_log(logrotate_t, file, "polipo")
-+ psad_domtrans(logrotate_t)
++ rabbitmq_domtrans_beam(logrotate_t)
')
optional_policy(`
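Review bot: `rabbitmq_domtrans_beam(logrotate_t)` lets logrotate, a root-privileged periodic job, transition into the rabbitmq beam domain, and nothing in the hunk records why. Presumably a postrotate hook invokes a rabbitmq tool; a comment such as `# postrotate hook runs rabbitmq tooling` (naming the actual script) would make the transition auditable.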
@@ -34949,7 +35148,7 @@ index 7bab8e5..3baae66 100644
')
optional_policy(`
-@@ -228,10 +249,20 @@ optional_policy(`
+@@ -228,10 +253,20 @@ optional_policy(`
')
optional_policy(`
@@ -34970,7 +35169,7 @@ index 7bab8e5..3baae66 100644
su_exec(logrotate_t)
')
-@@ -241,13 +272,11 @@ optional_policy(`
+@@ -241,13 +276,11 @@ optional_policy(`
#######################################
#
@@ -36502,10 +36701,10 @@ index 0000000..821bf88
+/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0)
diff --git a/mcollective.if b/mcollective.if
new file mode 100644
-index 0000000..e76a9b5
+index 0000000..3f433f1
--- /dev/null
+++ b/mcollective.if
-@@ -0,0 +1,114 @@
+@@ -0,0 +1,109 @@
+
+## policy for mcollective
+
@@ -36597,12 +36796,6 @@ index 0000000..e76a9b5
+## Domain allowed access.
+##
+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
+#
+interface(`mcollective_admin',`
+ gen_require(`
@@ -36615,6 +36808,7 @@ index 0000000..e76a9b5
+
+ files_search_etc($1)
+ admin_pattern($1, mcollective_etc_rw_t)
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
@@ -38214,7 +38408,7 @@ index 6ffaba2..154cade 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..35b2b47 100644
+index 6194b80..3209b1c 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -38381,10 +38575,10 @@ index 6194b80..35b2b47 100644
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+- can_exec($2, mozilla_plugin_rw_t)
+ mozilla_filetrans_home_content($2)
-- can_exec($2, mozilla_plugin_rw_t)
--
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
@@ -38530,7 +38724,7 @@ index 6194b80..35b2b47 100644
')
########################################
-@@ -303,102 +195,103 @@ interface(`mozilla_domtrans',`
+@@ -303,102 +195,107 @@ interface(`mozilla_domtrans',`
type mozilla_t, mozilla_exec_t;
')
@@ -38638,9 +38832,12 @@ index 6194b80..35b2b47 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mozilla_plugin_t:process ptrace;
')
--
+
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
++ optional_policy(`
++ lpd_run_lpr(mozilla_plugin_t, $2)
++ ')
')
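Review bot: `lpd_run_lpr(mozilla_plugin_t, $2)` inside this interface relies on `$2` being the role argument, and the interface header with its parameter docs lies outside the hunk; confirm the docs list the role parameter. The same grant is removed from mozilla.te later in this patch (where it used `mozilla_roles`), so this becomes the only place lpr is granted to plugin roles. The enclosing interface starts outside the hunk.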
-########################################
@@ -38683,7 +38880,7 @@ index 6194b80..35b2b47 100644
')
########################################
-@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +321,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
@@ -38693,7 +38890,7 @@ index 6194b80..35b2b47 100644
##
##
##
-@@ -433,76 +325,108 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +329,108 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -38831,7 +39028,7 @@ index 6194b80..35b2b47 100644
##
##
##
-@@ -510,19 +434,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +438,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -38856,7 +39053,7 @@ index 6194b80..35b2b47 100644
##
##
##
-@@ -530,45 +453,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +457,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -38935,7 +39132,7 @@ index 6194b80..35b2b47 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..4440013 100644
+index 6a306ee..2288b0e 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -39206,11 +39403,11 @@ index 6a306ee..4440013 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
--
--userdom_manage_user_tmp_dirs(mozilla_t)
--userdom_manage_user_tmp_files(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
+-userdom_manage_user_tmp_dirs(mozilla_t)
+-userdom_manage_user_tmp_files(mozilla_t)
+-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
@@ -39462,12 +39659,12 @@ index 6a306ee..4440013 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -39637,12 +39834,12 @@ index 6a306ee..4440013 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -39702,7 +39899,7 @@ index 6a306ee..4440013 100644
')
optional_policy(`
-@@ -523,36 +509,48 @@ optional_policy(`
+@@ -523,36 +509,44 @@ optional_policy(`
')
optional_policy(`
@@ -39717,6 +39914,13 @@ index 6a306ee..4440013 100644
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
++')
++
++optional_policy(`
++ gnome_manage_config(mozilla_plugin_t)
++ gnome_read_usr_config(mozilla_plugin_t)
++ gnome_filetrans_home_content(mozilla_plugin_t)
++ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
@@ -39724,13 +39928,6 @@ index 6a306ee..4440013 100644
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
-+ gnome_manage_config(mozilla_plugin_t)
-+ gnome_read_usr_config(mozilla_plugin_t)
-+ gnome_filetrans_home_content(mozilla_plugin_t)
-+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
@@ -39742,10 +39939,6 @@ index 6a306ee..4440013 100644
optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
-+ lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-+')
-+
-+optional_policy(`
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_manage_generic_home_content(mozilla_plugin_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
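Review bot: On the new side the lpd optional_policy block is turned into the mplayer block, so `lpd_run_lpr` for mozilla_plugin_t disappears entirely (the old side merely changed its role argument to `mozilla_roles`), and plugin-initiated printing loses its domain transition unless it is restored elsewhere in the patch. If the removal is deliberate it belongs in the commit message; otherwise keep `lpd_run_lpr(mozilla_plugin_t, mozilla_roles)` in its own optional_policy block ahead of the mplayer one. The enclosing optional_policy block closes outside this hunk.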
@@ -39764,7 +39957,7 @@ index 6a306ee..4440013 100644
')
optional_policy(`
-@@ -560,7 +558,7 @@ optional_policy(`
+@@ -560,7 +554,7 @@ optional_policy(`
')
optional_policy(`
@@ -39773,7 +39966,7 @@ index 6a306ee..4440013 100644
')
optional_policy(`
-@@ -568,108 +566,124 @@ optional_policy(`
+@@ -568,108 +562,126 @@ optional_policy(`
')
optional_policy(`
@@ -39848,6 +40041,7 @@ index 6a306ee..4440013 100644
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++mozilla_filetrans_home_content(mozilla_plugin_t)
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
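Review bot: `mozilla_filetrans_home_content(mozilla_plugin_t)` is inserted in the middle of the mozilla_plugin_config_t rules (every surrounding manage_*_pattern line on the new side names mozilla_plugin_config_t), which makes it easy to miss when auditing the plugin domain. Move it to the mozilla_plugin_t local policy section; the hunk ending at L2883 already adds the config-domain counterpart in the right place. The enclosing section starts and ends outside this hunk.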
@@ -39856,6 +40050,7 @@ index 6a306ee..4440013 100644
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
++mozilla_filetrans_home_content(mozilla_plugin_config_t)
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
@@ -43162,7 +43357,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..5f38792 100644
+index 9f6179e..0f6abcb 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -43343,7 +43538,8 @@ index 9f6179e..5f38792 100644
+# Local mysqld_safe policy
#
- allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
++allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
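Review bot: The added `sys_nice` and `sys_resource` capabilities for mysqld_safe_t carry no comment explaining the need; `sys_resource` in particular lets the wrapper override resource limits, which pairs with the `setrlimit` already allowed on the next line. Add a one-line why-comment above the allow rule, e.g. `# sys_nice/sys_resource: mysqld_safe adjusts scheduling and rlimits before starting mysqld -- confirm against the motivating denial`. The mysqld_safe section continues outside this hunk.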
@@ -43360,7 +43556,7 @@ index 9f6179e..5f38792 100644
-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
++manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
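Review bot: Replacing the append/create/setattr set on mysqld_log_t with `manage_files_pattern` also grants mysqld_safe_t write, unlink and rename on its log files, so the wrapper can now truncate or remove logs rather than only append to them. If a specific denial motivated the change, consider granting only the missing permission with an explicit allow rule and keeping the log type append-oriented, since full manage on log files weakens the trail a compromised process in this domain would otherwise leave. The mysqld_safe section continues outside this hunk.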
@@ -44078,7 +44274,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..ce55650 100644
+index 44ad3b7..e5b268b 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -44160,7 +44356,7 @@ index 44ad3b7..ce55650 100644
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
-+manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
@@ -44209,15 +44405,17 @@ index 44ad3b7..ce55650 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -253,7 +258,6 @@ domain_use_interactive_fds(nrpe_t)
+@@ -252,8 +257,8 @@ dev_read_urand(nrpe_t)
+ domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
++files_list_var(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
-files_read_usr_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +266,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +267,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -44226,7 +44424,7 @@ index 44ad3b7..ce55650 100644
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
-@@ -310,15 +312,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +313,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -44245,7 +44443,7 @@ index 44ad3b7..ce55650 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +347,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +348,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -44255,7 +44453,7 @@ index 44ad3b7..ce55650 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +362,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +363,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -44269,7 +44467,7 @@ index 44ad3b7..ce55650 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -391,6 +398,7 @@ optional_policy(`
+@@ -391,6 +399,7 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(nagios_services_plugin_t)
@@ -44277,7 +44475,7 @@ index 44ad3b7..ce55650 100644
')
optional_policy(`
-@@ -411,6 +419,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +420,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -44285,7 +44483,7 @@ index 44ad3b7..ce55650 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +429,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +430,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -44298,7 +44496,7 @@ index 44ad3b7..ce55650 100644
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
-@@ -442,11 +451,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+@@ -442,11 +452,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
init_domtrans_script(nagios_eventhandler_plugin_t)
@@ -51886,6 +52084,137 @@ index 508fedf..f025b03 100644
+optional_policy(`
+ plymouthd_exec_plymouth(openvswitch_t)
+')
+diff --git a/oracleasm.fc b/oracleasm.fc
+new file mode 100644
+index 0000000..80fb8c3
+--- /dev/null
++++ b/oracleasm.fc
+@@ -0,0 +1,4 @@
++
++/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
++
++/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
+diff --git a/oracleasm.if b/oracleasm.if
+new file mode 100644
+index 0000000..6ae382c
+--- /dev/null
++++ b/oracleasm.if
+@@ -0,0 +1,75 @@
++
++## policy for oracleasm
++
++########################################
++##
++## Transition to oracleasm.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`oracleasm_domtrans',`
++ gen_require(`
++ type oracleasm_t, oracleasm_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
++')
++
++
++########################################
++##
++## Execute oracleasm server in the oracleasm domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`oracleasm_initrc_domtrans',`
++ gen_require(`
++ type oracleasm_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an oracleasm environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`oracleasm_admin',`
++ gen_require(`
++ type oracleasm_t;
++ type oracleasm_initrc_exec_t;
++ ')
++
++ allow $1 oracleasm_t:process { ptrace signal_perms };
++ ps_process_pattern($1, oracleasm_t)
++
++ oracleasm_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 oracleasm_initrc_exec_t system_r;
++ allow $2 system_r;
++
++')
++
+diff --git a/oracleasm.te b/oracleasm.te
+new file mode 100644
+index 0000000..0493b99
+--- /dev/null
++++ b/oracleasm.te
+@@ -0,0 +1,34 @@
++policy_module(oracleasm, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type oracleasm_t;
++type oracleasm_exec_t;
++init_daemon_domain(oracleasm_t, oracleasm_exec_t)
++
++type oracleasm_initrc_exec_t;
++init_script_file(oracleasm_initrc_exec_t)
++
++########################################
++#
++# oracleasm local policy
++#
++
++allow oracleasm_t self:fifo_file rw_fifo_file_perms;
++allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(oracleasm_t)
++
++corecmd_exec_shell(oracleasm_t)
++corecmd_exec_bin(oracleasm_t)
++
++optional_policy(`
++ mount_domtrans(oracleasm_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(oracleasm_t)
++')
diff --git a/pacemaker.fc b/pacemaker.fc
index 2f0ad56..d4da0b8 100644
--- a/pacemaker.fc
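Review bot: oracleasm.te grants oracleasm_t transitions into the mount and insmod domains (`mount_domtrans`, `modutils_domtrans_insmod`) with no comment saying why this otherwise minimal new domain needs to load kernel modules, which is a large privilege to leave unexplained. Add a why-comment above each optional_policy block, e.g. `# oracleasm loads its kernel module and mounts its filesystem at service start`, worded from what the package actually does. Two smaller points: oracleasm.fc opens with an empty line and oracleasm.if ends with one after the last interface, and the `##` doc blocks in oracleasm.if show no `<summary>`/`<param>` XML tags -- if that is not an artifact of how this page was rendered, the interface documentation will not generate. The `oracleasm_admin` interface also grants `ptrace` on oracleasm_t, which is broader than signal delivery and worth confirming is intended.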
@@ -52643,10 +52972,10 @@ index 96db654..ff3aadd 100644
+ virt_rw_svirt_dev(pcscd_t)
+')
diff --git a/pegasus.fc b/pegasus.fc
-index dfd46e4..2e04b85 100644
+index dfd46e4..31122bd 100644
--- a/pegasus.fc
+++ b/pegasus.fc
-@@ -1,15 +1,24 @@
+@@ -1,15 +1,26 @@
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
+
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
@@ -52655,17 +52984,21 @@ index dfd46e4..2e04b85 100644
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+
-+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
-+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
++/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
-+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
++/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
++/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+
+-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
++/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
+
+-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
+#openlmi agents
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
@@ -52674,10 +53007,8 @@ index dfd46e4..2e04b85 100644
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
-
--/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
-
--/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
++
++
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
diff --git a/pegasus.if b/pegasus.if
index d2fc677..ded726f 100644
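Review bot: The new side of pegasus.fc leaves two consecutive empty lines (the two bare `+` lines) before the pycmpiLMI_Storage entry, and the new `/var/lib/openlmi-storage(/.*)?` entry is placed between the mof entry and the `#openlmi agents` comment rather than with the other `/var/lib` paths. Keep a single blank line between groups and put the openlmi-storage line directly after the `/var/lib/Pegasus(/.*)?` entry so the var/lib labels read together. The type it references, pegasus_openlmi_storage_lib_t, is declared in the pegasus.te hunk below.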
@@ -52780,7 +53111,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..f36e1ae 100644
+index 7bcf327..ca01f2f 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -52804,7 +53135,7 @@ index 7bcf327..f36e1ae 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,213 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,237 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -52820,6 +53151,9 @@ index 7bcf327..f36e1ae 100644
+type pegasus_openlmi_storage_tmp_t;
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
+
++type pegasus_openlmi_storage_lib_t;
++files_type(pegasus_openlmi_storage_lib_t)
++
+pegasus_openlmi_domain_template(system)
+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
+pegasus_openlmi_domain_template(unconfined)
@@ -52832,6 +53166,7 @@ index 7bcf327..f36e1ae 100644
+allow pegasus_openlmi_domain self:capability { setuid setgid };
+
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
++allow pegasus_openlmi_domain self:udp_socket create_socket_perms;
+
+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
+rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
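Review bot: Moving `allow ... self:udp_socket create_socket_perms` from pegasus_openlmi_system_t onto the pegasus_openlmi_domain attribute grants UDP socket creation to every openlmi provider domain, not only the provider that needed it (the matching removal is in the hunk ending at L3221). If only one or two providers use UDP, keep the rule on those types; otherwise add a comment on the attribute-level rule naming which providers need it so the widening is clearly deliberate. The declarations block continues outside this hunk.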
@@ -52910,6 +53245,7 @@ index 7bcf327..f36e1ae 100644
+ # so we want to have unconfined_domain attribute for filename rules
+ unconfined_domain(pegasus_openlmi_logicalfile_t)
+')
++
+######################################
+#
+# pegasus openlmi networking local policy
@@ -52931,7 +53267,6 @@ index 7bcf327..f36e1ae 100644
+allow pegasus_openlmi_system_t self:capability { net_admin };
+
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;;
-+allow pegasus_openlmi_system_t self:udp_socket create_socket_perms;
+
+dev_rw_sysfs(pegasus_openlmi_system_t)
+dev_read_urand(pegasus_openlmi_system_t)
@@ -52969,17 +53304,37 @@ index 7bcf327..f36e1ae 100644
+# pegasus openlmi storage local policy
+#
+
++
++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
++files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file)
++
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
+
-+storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_networking_t)
++kernel_read_all_sysctls(pegasus_openlmi_storage_t)
++
++dev_read_rand(pegasus_openlmi_storage_t)
++dev_read_urand(pegasus_openlmi_storage_t)
++
++dev_rw_lvm_control(pegasus_openlmi_storage_t)
++
++selinux_validate_context(pegasus_openlmi_storage_t)
++
++seutil_read_file_contexts(pegasus_openlmi_storage_t)
++
++storage_rw_inherited_fixed_disk_dev(pegasus_openlmi_storage_t)
+
+modutils_domtrans_insmod(pegasus_openlmi_storage_t)
+
+udev_domtrans(pegasus_openlmi_storage_t)
+
+optional_policy(`
++ dmidecode_domtrans(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
+ lvm_domtrans(pegasus_openlmi_storage_t)
+')
+
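Review bot: `files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file)` only transitions files, while pegasus.fc labels the whole `/var/lib/openlmi-storage(/.*)?` tree; if the provider creates that directory itself at runtime it will inherit the parent's label, so the class set should probably be `{ dir file }`. Separately, the pre-existing context line `files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})` appears to pass the tmp type as the source domain; the first argument should be `pegasus_openlmi_storage_t`, otherwise no /tmp transition applies to the provider process. The new `kernel_read_all_sysctls` and `dev_rw_lvm_control` rules are broad for a provider and would each benefit from a one-line why-comment. The storage section continues outside this hunk.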
@@ -53023,7 +53378,7 @@ index 7bcf327..f36e1ae 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +246,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +270,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -53054,7 +53409,7 @@ index 7bcf327..f36e1ae 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +272,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +296,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -53087,7 +53442,7 @@ index 7bcf327..f36e1ae 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +300,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +324,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -53095,7 +53450,7 @@ index 7bcf327..f36e1ae 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +315,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +339,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -53113,21 +53468,21 @@ index 7bcf327..f36e1ae 100644
- dbus_connect_system_bus(pegasus_t)
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(pegasus_t)
-+ ')
-+')
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_t)
++ ')
++')
++
+optional_policy(`
+ rhcs_stream_connect_cluster(pegasus_t)
')
optional_policy(`
-@@ -151,16 +345,24 @@ optional_policy(`
+@@ -151,16 +369,24 @@ optional_policy(`
')
optional_policy(`
@@ -53156,7 +53511,7 @@ index 7bcf327..f36e1ae 100644
')
optional_policy(`
-@@ -168,7 +370,7 @@ optional_policy(`
+@@ -168,7 +394,7 @@ optional_policy(`
')
optional_policy(`
@@ -57626,7 +57981,7 @@ index 2e23946..e9ac366 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..cddce7d 100644
+index 191a66f..2177e93 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -57690,7 +58045,15 @@ index 191a66f..cddce7d 100644
mta_mailserver(postfix_t, postfix_master_exec_t)
type postfix_initrc_exec_t;
-@@ -80,13 +79,13 @@ mta_mailserver_sender(postfix_smtp_t)
+@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe)
+
+ postfix_user_domain_template(postdrop)
+ mta_mailserver_user_agent(postfix_postdrop_t)
++mta_agent_executable(postfix_postdrop_t)
+
+ postfix_user_domain_template(postqueue)
+ mta_mailserver_user_agent(postfix_postqueue_t)
+@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t, postfix_spool_type;
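Review bot: `mta_agent_executable(postfix_postdrop_t)` is applied to the process domain, whereas the `_executable` interfaces in this policy family conventionally take the entry-point file type -- here presumably `postfix_postdrop_exec_t`, which the `postfix_user_domain_template(postdrop)` line above creates. Confirm which type the interface expects; if it is the exec type, the line should read `mta_agent_executable(postfix_postdrop_exec_t)`. The declarations block continues outside this hunk.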
@@ -57707,7 +58070,7 @@ index 191a66f..cddce7d 100644
type postfix_public_t;
files_type(postfix_public_t)
-@@ -94,6 +93,7 @@ files_type(postfix_public_t)
+@@ -94,6 +94,7 @@ files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@@ -57715,7 +58078,7 @@ index 191a66f..cddce7d 100644
type postfix_data_t;
files_type(postfix_data_t)
-@@ -102,160 +102,61 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -57901,7 +58264,7 @@ index 191a66f..cddce7d 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +164,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +165,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -57970,7 +58333,7 @@ index 191a66f..cddce7d 100644
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
-@@ -316,14 +211,11 @@ optional_policy(`
+@@ -316,14 +212,11 @@ optional_policy(`
')
optional_policy(`
@@ -57986,7 +58349,7 @@ index 191a66f..cddce7d 100644
postgrey_search_spool(postfix_master_t)
')
-@@ -333,12 +225,14 @@ optional_policy(`
+@@ -333,12 +226,14 @@ optional_policy(`
########################################
#
@@ -58003,7 +58366,7 @@ index 191a66f..cddce7d 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +249,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +250,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -58050,7 +58413,7 @@ index 191a66f..cddce7d 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +284,50 @@ optional_policy(`
+@@ -393,36 +285,50 @@ optional_policy(`
########################################
#
@@ -58110,7 +58473,7 @@ index 191a66f..cddce7d 100644
')
optional_policy(`
-@@ -434,6 +339,7 @@ optional_policy(`
+@@ -434,6 +340,7 @@ optional_policy(`
')
optional_policy(`
@@ -58118,7 +58481,7 @@ index 191a66f..cddce7d 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +350,10 @@ optional_policy(`
+@@ -444,6 +351,10 @@ optional_policy(`
')
optional_policy(`
@@ -58129,7 +58492,7 @@ index 191a66f..cddce7d 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +368,17 @@ optional_policy(`
+@@ -458,15 +369,17 @@ optional_policy(`
########################################
#
@@ -58153,7 +58516,7 @@ index 191a66f..cddce7d 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +389,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -58173,7 +58536,7 @@ index 191a66f..cddce7d 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +406,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -58181,7 +58544,7 @@ index 191a66f..cddce7d 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +413,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -58207,7 +58570,7 @@ index 191a66f..cddce7d 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +437,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +438,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -58227,7 +58590,7 @@ index 191a66f..cddce7d 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +488,26 @@ optional_policy(`
+@@ -576,19 +489,26 @@ optional_policy(`
########################################
#
@@ -58259,7 +58622,7 @@ index 191a66f..cddce7d 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +522,7 @@ optional_policy(`
+@@ -603,10 +523,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -58271,7 +58634,7 @@ index 191a66f..cddce7d 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +537,24 @@ optional_policy(`
+@@ -621,17 +538,24 @@ optional_policy(`
#######################################
#
@@ -58299,7 +58662,7 @@ index 191a66f..cddce7d 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +570,77 @@ optional_policy(`
+@@ -647,67 +571,77 @@ optional_policy(`
########################################
#
@@ -58395,7 +58758,7 @@ index 191a66f..cddce7d 100644
')
optional_policy(`
-@@ -720,29 +653,30 @@ optional_policy(`
+@@ -720,29 +654,30 @@ optional_policy(`
########################################
#
@@ -58434,7 +58797,7 @@ index 191a66f..cddce7d 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +688,7 @@ optional_policy(`
+@@ -754,6 +689,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -58442,7 +58805,7 @@ index 191a66f..cddce7d 100644
')
optional_policy(`
-@@ -764,31 +699,99 @@ optional_policy(`
+@@ -764,31 +700,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -65655,24 +66018,78 @@ index 4b2c272..1aee969 100644
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
-index c5ad6de..c67dbef 100644
+index c5ad6de..a48c318 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
-@@ -4,7 +4,9 @@
+@@ -4,7 +4,11 @@
/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
++
++/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0)
/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
+diff --git a/rabbitmq.if b/rabbitmq.if
+index 2c3d338..cf3e5ad 100644
+--- a/rabbitmq.if
++++ b/rabbitmq.if
+@@ -10,13 +10,13 @@
+ ##
+ ##
+ #
+-interface(`rabbitmq_domtrans',`
++interface(`rabbitmq_domtrans_beam',`
+ gen_require(`
+- type rabbitmq_t, rabbitmq_exec_t;
++ type rabbitmq_beam_t, rabbitmq_beam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
++ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
+ ')
+
+ ########################################
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..b0e67e8 100644
+index 3698b51..7054723 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
-@@ -45,6 +45,8 @@ setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
+ type rabbitmq_var_lib_t;
+ files_type(rabbitmq_var_lib_t)
+
++type rabbitmq_var_lock_t;
++files_lock_file(rabbitmq_var_lock_t)
++
+ type rabbitmq_var_log_t;
+ logging_log_file(rabbitmq_var_log_t)
+
+@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t)
+ # Beam local policy
+ #
+
++allow rabbitmq_beam_t self:capability setuid;
++
+ allow rabbitmq_beam_t self:process { setsched signal signull };
+ allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
+ allow rabbitmq_beam_t self:tcp_socket { accept listen };
+@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+ manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+
+ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++
++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
++files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, file)
+
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
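Review bot: Renaming `rabbitmq_domtrans` to `rabbitmq_domtrans_beam` removes the old interface name, so any module that still calls `rabbitmq_domtrans` will fail to build; either keep a compatibility wrapper named `rabbitmq_domtrans` that calls the new interface, or update every caller in the same change. The new `allow rabbitmq_beam_t self:capability setuid;` has no comment; a why-line such as `# ejabberdctl switches to the ejabberd user` (if that is the cause) would record it. Labelling `/var/lib/ejabberd`, `/var/lock/ejabberdctl` and `/var/log/ejabberd` with rabbitmq types means ejabberd and RabbitMQ run in one domain and can read and write each other's state; if that is intended, a comment in rabbitmq.fc saying the two Erlang services deliberately share the domain would help the next reader.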
@@ -65681,7 +66098,7 @@ index 3698b51..b0e67e8 100644
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -54,6 +56,8 @@ kernel_read_system_state(rabbitmq_beam_t)
+@@ -54,11 +63,14 @@ kernel_read_system_state(rabbitmq_beam_t)
corecmd_exec_bin(rabbitmq_beam_t)
corecmd_exec_shell(rabbitmq_beam_t)
@@ -65690,7 +66107,13 @@ index 3698b51..b0e67e8 100644
corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-@@ -68,20 +72,35 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
+ corenet_tcp_bind_generic_node(rabbitmq_beam_t)
++corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
+
+ corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
+ corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
@@ -65701,6 +66124,7 @@ index 3698b51..b0e67e8 100644
+domain_read_all_domains_state(rabbitmq_beam_t)
+
+auth_read_passwd(rabbitmq_beam_t)
++auth_use_pam(rabbitmq_beam_t)
-files_read_etc_files(rabbitmq_beam_t)
+files_getattr_all_mountpoints(rabbitmq_beam_t)
@@ -65715,12 +66139,18 @@ index 3698b51..b0e67e8 100644
sysnet_dns_name_resolve(rabbitmq_beam_t)
++logging_send_syslog_msg(rabbitmq_beam_t)
++
+optional_policy(`
+ couchdb_read_conf_files(rabbitmq_beam_t)
+ couchdb_read_log_files(rabbitmq_beam_t)
+ couchdb_manage_lib_files(rabbitmq_beam_t)
+')
+
++optional_policy(`
++ dbus_system_bus_client(rabbitmq_beam_t)
++')
++
########################################
#
# Epmd local policy
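Review bot: `auth_use_pam(rabbitmq_beam_t)` and `corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)` are both significant widenings with no comment: the first pulls in the PAM authentication helpers (presumably for ejabberd's PAM auth module -- confirm), the second lets the domain connect to any ephemeral port, far broader than the epmd/amqp ports already listed. Add a why-comment to each, e.g. `# Erlang distribution uses dynamic ports` above the ephemeral-ports rule, and consider gating the PAM access behind a tunable if only the ejabberd deployment needs it. The beam section continues outside this hunk.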
@@ -65730,7 +66160,7 @@ index 3698b51..b0e67e8 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +118,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -68712,7 +69142,7 @@ index 56bc01f..4699b1b 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..a4a6d82 100644
+index 2c2de9a..6b7a0f6 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -69110,18 +69540,23 @@ index 2c2de9a..a4a6d82 100644
')
optional_policy(`
-@@ -190,10 +469,6 @@ optional_policy(`
+@@ -190,12 +469,12 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_home_content(fenced_t)
--')
--
--optional_policy(`
- lvm_domtrans(fenced_t)
- lvm_read_config(fenced_t)
++ lvm_domtrans(fenced_t)
++ lvm_read_config(fenced_t)
+ ')
+
+ optional_policy(`
+- lvm_domtrans(fenced_t)
+- lvm_read_config(fenced_t)
++ sanlock_domtrans(fenced_t)
')
-@@ -203,6 +478,13 @@ optional_policy(`
+
+ optional_policy(`
+@@ -203,6 +482,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -69135,7 +69570,7 @@ index 2c2de9a..a4a6d82 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +503,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +507,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -69156,7 +69591,7 @@ index 2c2de9a..a4a6d82 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +541,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +545,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -69165,7 +69600,7 @@ index 2c2de9a..a4a6d82 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +561,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +565,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -69207,7 +69642,7 @@ index 2c2de9a..a4a6d82 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +636,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +640,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -79357,10 +79792,21 @@ index 1aeef8a..d5ce40a 100644
admin_pattern($1, shorewall_etc_t)
diff --git a/shorewall.te b/shorewall.te
-index ca03de6..bac98d6 100644
+index ca03de6..c3b5559 100644
--- a/shorewall.te
+++ b/shorewall.te
-@@ -57,6 +57,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
+@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
+ files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
+
+ manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+-append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+-create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+-setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
++manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
+ logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
+
+ manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
+@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
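Review bot: Replacing the append/create/setattr triple with `manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)` grants more than the "touches own log" use case needs: manage_file_perms also includes unlink, rename and link, so shorewall_t can now delete or replace its own log files. If the only missing permission was write (needed for a truncating open or utimes on an existing file), the narrower change is to keep the three existing lines and add `rw_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)`, preserving log integrity against a compromised shorewall_t. If deletion is intended, a one-line comment stating that would help later reviewers.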
@@ -79370,7 +79816,7 @@ index ca03de6..bac98d6 100644
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-@@ -74,7 +77,6 @@ dev_read_urand(shorewall_t)
+@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t)
domain_read_all_domains_state(shorewall_t)
files_getattr_kernel_modules(shorewall_t)
@@ -79378,7 +79824,7 @@ index ca03de6..bac98d6 100644
files_search_kernel_modules(shorewall_t)
fs_getattr_all_fs(shorewall_t)
-@@ -86,12 +88,11 @@ init_rw_utmp(shorewall_t)
+@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t)
logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
@@ -79834,10 +80280,18 @@ index 1fa51c1..82e111c 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index a8b1aaf..a09f2fe 100644
+index a8b1aaf..fc0a2be 100644
--- a/smokeping.te
+++ b/smokeping.te
-@@ -39,7 +39,6 @@ corecmd_exec_bin(smokeping_t)
+@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
+ #
+
+ dontaudit smokeping_t self:capability { dac_read_search dac_override };
++allow smokeping_t self:process signal_perms;
+ allow smokeping_t self:fifo_file rw_fifo_file_perms;
+ allow smokeping_t self:unix_stream_socket { accept listen };
+
+@@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t)
dev_read_urand(smokeping_t)
@@ -79845,7 +80299,7 @@ index a8b1aaf..a09f2fe 100644
files_search_tmp(smokeping_t)
auth_use_nsswitch(smokeping_t)
-@@ -47,8 +46,6 @@ auth_dontaudit_read_shadow(smokeping_t)
+@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t)
logging_send_syslog_msg(smokeping_t)
@@ -79854,7 +80308,7 @@ index a8b1aaf..a09f2fe 100644
mta_send_mail(smokeping_t)
netutils_domtrans_ping(smokeping_t)
-@@ -70,6 +67,8 @@ optional_policy(`
+@@ -70,6 +68,8 @@ optional_policy(`
files_search_tmp(httpd_smokeping_cgi_script_t)
files_search_var_lib(httpd_smokeping_cgi_script_t)
@@ -85296,7 +85750,7 @@ index 9957e30..cf0b925 100644
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
-index f455e70..d2778d3 100644
+index f455e70..a3b440c 100644
--- a/tftp.te
+++ b/tftp.te
@@ -1,4 +1,4 @@
@@ -85404,7 +85858,7 @@ index f455e70..d2778d3 100644
domain_use_interactive_fds(tftpd_t)
files_read_etc_runtime_files(tftpd_t)
-@@ -84,43 +88,44 @@ files_read_var_files(tftpd_t)
+@@ -84,43 +88,46 @@ files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
@@ -85422,6 +85876,8 @@ index f455e70..d2778d3 100644
userdom_dontaudit_use_user_terminals(tftpd_t)
-userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file })
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
++
++userdom_home_manager(tftpd_t)
tunable_policy(`tftp_anon_write',`
miscfiles_manage_public_files(tftpd_t)
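Review bot: `++userdom_home_manager(tftpd_t)` is added unconditionally, directly after `userdom_dontaudit_search_user_home_dirs(tftpd_t)`, which still says the daemon is not expected in user home directories; the two lines express opposite intent. tftpd is an unauthenticated network-facing service, and the home-manager attribute (as far as can be seen here; the interface body is not in this diff) is what gives a domain broad create/write/delete access to user home content. The hunk already shows the precedent of gating writable paths behind a tunable (`tunable_policy(`tftp_anon_write',` two lines below); the home grant deserves the same treatment, and the dontaudit line should go if the grant stays.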
@@ -85770,10 +86226,10 @@ index 0000000..92b6843
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
-index 0000000..74cd27c
+index 0000000..aa424d3
--- /dev/null
+++ b/thumb.if
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,130 @@
+
+## policy for thumb
+
@@ -85825,9 +86281,10 @@ index 0000000..74cd27c
+
+ dontaudit thumb_t $1:dir list_dir_perms;
+ dontaudit thumb_t $1:file read_file_perms;
++ dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
+
-+ allow thumb_t $1:shm rw_shm_perms;
-+ allow thumb_t $1:sem create_sem_perms;
++ allow thumb_t $1:shm rw_shm_perms;
++ allow thumb_t $1:sem create_sem_perms;
+')
+
+########################################
@@ -85905,10 +86362,10 @@ index 0000000..74cd27c
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..07820b6
+index 0000000..bf58d50
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,145 @@
+@@ -0,0 +1,146 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -85956,6 +86413,7 @@ index 0000000..07820b6
+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
++userdom_dontaudit_access_check_user_content(thumb_t)
+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@@ -88699,7 +89157,7 @@ index c30da4c..898ce74 100644
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..378880d 100644
+index 9dec06c..bdba959 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -89205,16 +89663,16 @@ index 9dec06c..378880d 100644
########################################
##
-## Relabel virt content.
-+## Read virt PID files.
++## Read virt PID symlinks files.
##
##
##
-@@ -495,53 +312,40 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',`
##
##
#
-interface(`virt_relabel_virt_content',`
-+interface(`virt_read_pid_files',`
++interface(`virt_read_pid_symlinks',`
gen_require(`
- type virt_content_t;
+ type virt_var_run_t;
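Review bot: The header of the new interface, `++## Read virt PID symlinks files.`, reads awkwardly; the summaries elsewhere in this file use the object name alone, so `## Read virt PID symbolic links.` would match. The interface name `virt_read_pid_symlinks` is consistent with the `read_lnk_files_pattern` call that implements it, but that body lands in the following hunk, so the interface is split across two hunks here.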
@@ -89228,14 +89686,14 @@ index 9dec06c..378880d 100644
- allow $1 virt_content_t:sock_file relabel_sock_file_perms;
- allow $1 virt_content_t:blk_file relabel_blk_file_perms;
+ files_search_pids($1)
-+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
##
-## Create specified objects in user home
-## directories with the virt content type.
-+## Manage virt pid directories.
++## Read virt PID files.
##
##
##
@@ -89254,34 +89712,31 @@ index 9dec06c..378880d 100644
-##
#
-interface(`virt_home_filetrans_virt_content',`
-+interface(`virt_manage_pid_dirs',`
++interface(`virt_read_pid_files',`
gen_require(`
- type virt_content_t;
+ type virt_var_run_t;
-+ type virt_lxc_var_run_t;
')
- virt_home_filetrans($1, virt_content_t, $2, $3)
+ files_search_pids($1)
-+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
-+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+ virt_filetrans_named_content($1)
++ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
##
-## Create, read, write, and delete
-## svirt home content.
-+## Manage virt pid files.
++## Manage virt pid directories.
##
##
##
-@@ -549,67 +353,36 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',`
##
##
#
-interface(`virt_manage_svirt_home_content',`
-+interface(`virt_manage_pid_files',`
++interface(`virt_manage_pid_dirs',`
gen_require(`
- type svirt_home_t;
- ')
@@ -89307,48 +89762,59 @@ index 9dec06c..378880d 100644
- fs_manage_cifs_symlinks($1)
- ')
+ files_search_pids($1)
-+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
++ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++ virt_filetrans_named_content($1)
')
########################################
##
-## Relabel svirt home content.
-+## Create objects in the pid directory
-+## with a private type with a type transition.
++## Manage virt pid files.
##
##
##
- ## Domain allowed access.
+@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',`
##
##
--#
+ #
-interface(`virt_relabel_svirt_home_content',`
-- gen_require(`
++interface(`virt_manage_pid_files',`
+ gen_require(`
- type svirt_home_t;
-- ')
--
++ type virt_var_run_t;
++ type virt_lxc_var_run_t;
+ ')
+
- userdom_search_user_home_dirs($1)
- allow $1 svirt_home_t:dir relabel_dir_perms;
- allow $1 svirt_home_t:file relabel_file_perms;
- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms;
- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms;
- allow $1 svirt_home_t:sock_file relabel_sock_file_perms;
--')
--
--########################################
--##
++ files_search_pids($1)
++ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
+ ')
+
+ ########################################
+ ##
-## Create specified objects in user home
-## directories with the svirt home type.
--##
--##
-+##
++## Create objects in the pid directory
++## with a private type with a type transition.
+ ##
+ ##
##
--## Domain allowed access.
-+## Type to which the created node will be transitioned.
+ ## Domain allowed access.
##
##
-##
++##
++##
++## Type to which the created node will be transitioned.
++##
++##
+##
##
-## Class of the object being created.
@@ -89357,7 +89823,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -618,54 +391,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',`
##
##
#
@@ -89421,7 +89887,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -673,54 +428,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',`
##
##
#
@@ -89488,7 +89954,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -728,52 +467,39 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',`
##
##
#
@@ -89553,7 +90019,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -781,19 +507,18 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',`
##
##
#
@@ -89578,7 +90044,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -801,18 +526,19 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',`
##
##
#
@@ -89603,7 +90069,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -820,18 +546,18 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',`
##
##
#
@@ -89627,7 +90093,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -839,20 +565,73 @@ interface(`virt_search_lib',`
+@@ -839,20 +584,73 @@ interface(`virt_search_lib',`
##
##
#
@@ -89706,7 +90172,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -860,115 +639,245 @@ interface(`virt_read_lib_files',`
+@@ -860,115 +658,245 @@ interface(`virt_read_lib_files',`
##
##
#
@@ -89917,13 +90383,13 @@ index 9dec06c..378880d 100644
##
-## Domain allowed access.
+## Domain allowed access
- ##
- ##
++##
++##
+##
+##
+## The role to be allowed the sandbox domain.
-+##
-+##
+ ##
+ ##
+##
#
-interface(`virt_append_log',`
@@ -89989,7 +90455,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -976,18 +885,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +904,17 @@ interface(`virt_manage_log',`
##
##
#
@@ -90012,7 +90478,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -995,36 +903,35 @@ interface(`virt_search_images',`
+@@ -995,36 +922,35 @@ interface(`virt_search_images',`
##
##
#
@@ -90068,7 +90534,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -1032,58 +939,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +958,57 @@ interface(`virt_read_images',`
##
##
#
@@ -90148,7 +90614,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -1091,95 +997,169 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +1016,169 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -90378,7 +90844,7 @@ index 9dec06c..378880d 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..fd31e1b 100644
+index 1f22fba..cd628f9 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,104 @@
@@ -91113,7 +91579,7 @@ index 1f22fba..fd31e1b 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +451,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -91137,6 +91603,8 @@ index 1f22fba..fd31e1b 100644
+userdom_list_user_home_content(virtd_t)
+userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
++userdom_relabel_user_tmp_files(virtd_t)
++userdom_setattr_user_tmp_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
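Review bot: The two new lines `++userdom_relabel_user_tmp_files(virtd_t)` and `++userdom_setattr_user_tmp_files(virtd_t)` extend virtd_t's relabel/setattr reach from user home content to every user's temporary files, with nothing in the hunk recording why. The motivation is only recoverable from the changelog entry later in this commit ("Loading a vm from /usr/tmp with virt-manager"), so a short comment above the pair, e.g. `# virt-manager may hand libvirt an image created under the user's tmp`, would keep the grant from looking like an accidental widening. Whether the interfaces grant relabelfrom only or both directions is not visible here and worth confirming before merge.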
@@ -91148,7 +91616,7 @@ index 1f22fba..fd31e1b 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +477,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -91157,7 +91625,7 @@ index 1f22fba..fd31e1b 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,95 +502,325 @@ optional_policy(`
+@@ -658,95 +504,326 @@ optional_policy(`
')
optional_policy(`
@@ -91414,6 +91882,7 @@ index 1f22fba..fd31e1b 100644
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
++ virt_read_pid_symlinks(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
')
@@ -91528,7 +91997,7 @@ index 1f22fba..fd31e1b 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +832,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +835,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91559,7 +92028,7 @@ index 1f22fba..fd31e1b 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +852,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +855,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -91586,7 +92055,7 @@ index 1f22fba..fd31e1b 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +872,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +875,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -91618,7 +92087,7 @@ index 1f22fba..fd31e1b 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +905,20 @@ optional_policy(`
+@@ -847,14 +908,20 @@ optional_policy(`
')
optional_policy(`
@@ -91640,7 +92109,7 @@ index 1f22fba..fd31e1b 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +943,45 @@ optional_policy(`
+@@ -879,34 +946,45 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -91695,7 +92164,7 @@ index 1f22fba..fd31e1b 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +991,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +994,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -91713,7 +92182,7 @@ index 1f22fba..fd31e1b 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1013,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1016,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -91724,7 +92193,7 @@ index 1f22fba..fd31e1b 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1022,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1025,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -91732,7 +92201,7 @@ index 1f22fba..fd31e1b 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1034,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1037,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -91751,7 +92220,7 @@ index 1f22fba..fd31e1b 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1048,39 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1051,39 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -91799,7 +92268,7 @@ index 1f22fba..fd31e1b 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1088,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1091,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -91826,7 +92295,7 @@ index 1f22fba..fd31e1b 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1106,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1109,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91846,7 +92315,7 @@ index 1f22fba..fd31e1b 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1125,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1128,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -91873,7 +92342,7 @@ index 1f22fba..fd31e1b 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1150,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1153,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -92013,7 +92482,7 @@ index 1f22fba..fd31e1b 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1249,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1252,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -92028,7 +92497,7 @@ index 1f22fba..fd31e1b 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1267,8 @@ optional_policy(`
+@@ -1183,9 +1270,8 @@ optional_policy(`
########################################
#
@@ -92039,7 +92508,7 @@ index 1f22fba..fd31e1b 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1281,121 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1284,121 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 17160b9..99833ee 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 69%{?dist}
+Release: 70%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -538,6 +538,53 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Aug 8 2013 Miroslav Grepl 3.12.1-70
+- selinux_set_enforce_mode needs to be used with type
+- Add append to the dontaudit for unix_stream_socket of xdm_t leak
+- Allow xdm_t to create symlinks in log direcotries
+- Allow login programs to read afs config
+- Label 10933 as a pop port, for dovecot
+- New policy to allow selinux_server.py to run as semanage_t as a dbus service
+- Add fixes to make netlabelctl working on MLS
+- AVC's required for running sepolicy gui as staff_t
+- Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC
+- New dbus server to be used with new gui
+- After modifying some files in /etc/mail, I saw this needed on the next boot
+- Loading a vm from /usr/tmp with virt-manager
+- Clean up oracleasm policy for Fedora
+- Add oracleasm policy written by rlopez@redhat.com
+- Make postfix_postdrop_t as mta_agent to allow domtrans to system mail if it is executed by apache
+- Add label for /var/crash
+- Allow fenced to domtrans to sanclok_t
+- Allow nagios to manage nagios spool files
+- Make tfptd as home_manager
+- Allow kdump to read kcore on MLS system
+- Allow mysqld-safe sys_nice/sys_resource caps
+- Allow apache to search automount tmp dirs if http_use_nfs is enabled
+- Allow crond to transition to named_t, for use with unbound
+- Allow crond to look at named_conf_t, for unbound
+- Allow mozilla_plugin_t to transition its home content
+- Allow dovecot_domain to read all system and network state
+- Allow httpd_user_script_t to call getpw
+- Allow semanage to read pid files
+- Dontaudit leaked file descriptors from user domain into thumb
+- Make PAM authentication working if it is enabled in ejabberd
+- Add fixes for rabbit to fix ##992920,#992931
+- Allow glusterd to mount filesystems
+- Loading a vm from /usr/tmp with virt-manager
+- Trying to load a VM I got an AVC from devicekit_disk for loopcontrol device
+- Add fix for pand service
+- shorewall touches own log
+- Allow nrpe to list /var
+- Mozilla_plugin_roles can not be passed into lpd_run_lpr
+- Allow afs domains to read afs_config files
+- Allow login programs to read afs config
+- Allow virt_domain to read virt_var_run_t symlinks
+- Allow smokeping to send its process signals
+- Allow fetchmail to setuid
+- Add kdump_manage_crash() interface
+- Allow abrt domain to write abrt.socket
+
* Wed Jul 31 2013 Miroslav Grepl 3.12.1-69
- Add more aliases in pegasus.te
- Add more fixes for *_admin interfaces