++##
++## Allow syslogd daemon to send mail
++##
++##
++gen_tunable(logging_syslogd_can_sendmail, false)
++
+ attribute logfile;
+
+ type auditctl_t;
+@@ -20,6 +27,7 @@ files_security_file(auditd_log_t)
files_security_mountpoint(auditd_log_t)
type audit_spool_t;
@@ -64789,7 +65396,7 @@ index b6ec597..0c27f81 100644
files_security_file(audit_spool_t)
files_security_mountpoint(audit_spool_t)
-@@ -64,6 +65,7 @@ files_config_file(syslog_conf_t)
+@@ -64,6 +72,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
@@ -64797,7 +65404,7 @@ index b6ec597..0c27f81 100644
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
-@@ -111,7 +113,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -111,7 +120,7 @@ domain_use_interactive_fds(auditctl_t)
mls_file_read_all_levels(auditctl_t)
@@ -64806,7 +65413,7 @@ index b6ec597..0c27f81 100644
init_dontaudit_use_fds(auditctl_t)
-@@ -183,16 +185,19 @@ logging_send_syslog_msg(auditd_t)
+@@ -183,16 +192,19 @@ logging_send_syslog_msg(auditd_t)
logging_domtrans_dispatcher(auditd_t)
logging_signal_dispatcher(auditd_t)
@@ -64827,7 +65434,7 @@ index b6ec597..0c27f81 100644
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_user_home_dirs(auditd_t)
-@@ -237,10 +242,17 @@ corecmd_exec_shell(audisp_t)
+@@ -237,10 +249,17 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
@@ -64845,7 +65452,7 @@ index b6ec597..0c27f81 100644
logging_send_syslog_msg(audisp_t)
-@@ -250,6 +262,10 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -250,6 +269,10 @@ sysnet_dns_name_resolve(audisp_t)
optional_policy(`
dbus_system_bus_client(audisp_t)
@@ -64856,7 +65463,7 @@ index b6ec597..0c27f81 100644
')
########################################
-@@ -280,11 +296,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -280,11 +303,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
files_read_etc_files(audisp_remote_t)
@@ -64877,7 +65484,7 @@ index b6ec597..0c27f81 100644
sysnet_dns_name_resolve(audisp_remote_t)
########################################
-@@ -354,11 +379,12 @@ optional_policy(`
+@@ -354,11 +386,12 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# cjp: why net_admin!
@@ -64892,7 +65499,7 @@ index b6ec597..0c27f81 100644
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -376,6 +402,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -376,6 +409,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
# create/append log files.
manage_files_pattern(syslogd_t, var_log_t, var_log_t)
rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -64900,7 +65507,7 @@ index b6ec597..0c27f81 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -385,9 +412,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -385,9 +419,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -64916,8 +65523,15 @@ index b6ec597..0c27f81 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -428,8 +461,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -426,10 +466,20 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+ corenet_sendrecv_postgresql_client_packets(syslogd_t)
+ corenet_sendrecv_mysqld_client_packets(syslogd_t)
++tunable_policy(`logging_syslogd_can_sendmail',`
++ # support for ommail module to send logs via mail
++ corenet_tcp_connect_smtp_port(syslogd_t)
++')
++
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+dev_read_rand(syslogd_t)
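Review bot: The new `logging_syslogd_can_sendmail` block grants only `corenet_tcp_connect_smtp_port(syslogd_t)`, while the postgresql and mysqld lines directly above it in this hunk have `corenet_sendrecv_*_client_packets` rules. If labelled (SECMARK) packets are in use, ommail would presumably still be denied with the boolean on, so consider adding `corenet_sendrecv_smtp_client_packets(syslogd_t)` inside the tunable. The in-block comment could also record the exposure, e.g. `# off by default: lets syslogd_t open outbound TCP connections to smtp_port_t (ommail)`, because the rule does not restrict the destination host and this domain manages the files under var_log_t. The syslogd_t rule section continues outside this hunk.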
@@ -64930,7 +65544,7 @@ index b6ec597..0c27f81 100644
files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
-@@ -448,6 +486,7 @@ term_write_console(syslogd_t)
+@@ -448,6 +498,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -64938,7 +65552,7 @@ index b6ec597..0c27f81 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -459,6 +498,7 @@ init_use_fds(syslogd_t)
+@@ -459,6 +510,7 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -64946,7 +65560,7 @@ index b6ec597..0c27f81 100644
miscfiles_read_localization(syslogd_t)
-@@ -496,11 +536,20 @@ optional_policy(`
+@@ -496,11 +548,20 @@ optional_policy(`
')
optional_policy(`
@@ -66947,7 +67561,7 @@ index 170e2c7..b85fc73 100644
+ ')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..4e8cb38 100644
+index 7ed9819..f2b7643 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -67218,17 +67832,17 @@ index 7ed9819..4e8cb38 100644
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-
+-allow semanage_t policy_config_t:file rw_file_perms;
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--allow semanage_t policy_config_t:file rw_file_perms;
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
@@ -67257,13 +67871,13 @@ index 7ed9819..4e8cb38 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
-
+-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -67280,7 +67894,20 @@ index 7ed9819..4e8cb38 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -487,118 +498,72 @@ ifdef(`distro_debian',`
+@@ -482,123 +493,85 @@ seutil_manage_default_contexts(semanage_t)
+ userdom_read_user_home_content_files(semanage_t)
+ userdom_read_user_tmp_files(semanage_t)
+
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(semanage_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(semanage_t)
++')
++
+ ifdef(`distro_debian',`
+ files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
')
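Review bot: The two added tunable blocks give `semanage_t` read access to NFS and CIFS files via `fs_read_nfs_files` and `fs_read_cifs_files`, with no comment saying why a policy-management domain needs it. Presumably this is for policy module packages kept in network-mounted home directories, matching the `userdom_read_user_home_content_files(semanage_t)` line above. A comment such as `# policy modules may be read from NFS/CIFS home directories when these booleans are on` would record that intent. The same comment could note that content on such mounts is controlled by the file server, so modules read from there should be reviewed like any other policy input. The semanage_t section starts and ends outside this hunk.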
@@ -67345,23 +67972,23 @@ index 7ed9819..4e8cb38 100644
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+-term_use_all_ttys(setfiles_t)
+-term_use_all_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
+-
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
@@ -68033,10 +68660,10 @@ index 0000000..9eaa38e
+/var/run/initramfs(/.*)? <