diff --git a/modules-targeted.conf b/modules-targeted.conf
index d730c9f..ceebf5a 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -985,6 +985,14 @@ lvm = module
 # 
 mailman = module
 
+
+# Layer: services
+# Module: mailman
+# 
+# Policy for mailscanner
+# 
+mailscanner = module
+
 # Layer: services
 # Module: matahari
 #
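Review bot: The header comment for the new entry still reads `# Module: mailman`, which looks copied from the mailman block just above; for the `mailscanner = module` line it should be `# Module: mailscanner`. The `# Layer: services` and `# Policy for mailscanner` lines are already consistent with the setting, so only the Module line needs correcting.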
diff --git a/policy-F16.patch b/policy-F16.patch
index 9de84fb..fc0458a 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3380,10 +3380,10 @@ index 0000000..1f468aa
 +/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..ae9c0c5
+index 0000000..7b1047f
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,126 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -3402,12 +3402,13 @@ index 0000000..ae9c0c5
 +		type chrome_sandbox_t, chrome_sandbox_exec_t;
 +	')
 +
-+	domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
++	domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
 +	ps_process_pattern(chrome_sandbox_t, $1)
-+ifdef(`hide_broken_symptoms', `
-+	dontaudit chrome_sandbox_t $1:socket_class_set { read write };
-+	fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
-+')
++
++	ifdef(`hide_broken_symptoms',`
++		dontaudit chrome_sandbox_t $1:socket_class_set { read write };
++		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
++	')
 +')
 +
 +
@@ -3451,16 +3452,14 @@ index 0000000..ae9c0c5
 +##	</summary>
 +## </param>
 +#
-+interface(`chrome_role',`
++interface(`chrome_role_notrans',`
 +	gen_require(`
-+              type chrome_sandbox_t;
-+              type chrome_sandbox_tmpfs_t;
++		type chrome_sandbox_t;
++		type chrome_sandbox_tmpfs_t;
 +	')
 +
 +	role $1 types chrome_sandbox_t;
 +
-+	chrome_domtrans_sandbox($2)
-+
 +	ps_process_pattern($2, chrome_sandbox_t)
 +	allow $2 chrome_sandbox_t:process signal_perms;
 +
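Review bot: Renaming `chrome_role` to `chrome_role_notrans` drops the `chrome_domtrans_sandbox($2)` call, but the interface's `<summary>` block sits above this hunk and is untouched, so it presumably still describes the full role setup including the transition. It should say what the name now promises, e.g. `##	Role access for chrome sandbox, without the domain transition to chrome_sandbox_t.`, so a caller choosing between this and the `chrome_role` wrapper added below knows which half they get. The interface body continues past the end of the hunk.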
@@ -3476,6 +3475,26 @@ index 0000000..ae9c0c5
 +
 +########################################
 +## <summary>
++##	Role access for chrome sandbox
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`chrome_role',`
++	chrome_role_notrans($1, $2)
++	chrome_domtrans_sandbox($2)
++')
++
++########################################
++## <summary>
 +##	Dontaudit read/write to a chrome_sandbox leaks
 +## </summary>
 +## <param name="domain">
@@ -3707,10 +3726,10 @@ index 0000000..6f3570a
 +/usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
 new file mode 100644
-index 0000000..1bc60f7
+index 0000000..34d913e
 --- /dev/null
 +++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,112 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
@@ -3781,10 +3800,6 @@ index 0000000..1bc60f7
 +')
 +	files_execmod_tmp($1_execmem_t)
 +
-+	optional_policy(`
-+		chrome_role($2, $1_execmem_t)
-+	')
-+
 +	# needed by plasma-desktop
 +	optional_policy(`
 +		gnome_read_usr_config($1_execmem_t)
@@ -3993,12 +4008,13 @@ index 6e4add5..10a2ce4 100644
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(giftd_t)
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..55075f9 100644
+index 00a19e3..d5acf98 100644
 --- a/policy/modules/apps/gnome.fc
 +++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,36 @@
+@@ -1,9 +1,43 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
++HOME_DIR/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +HOME_DIR/\.config(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +HOME_DIR/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
  HOME_DIR/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
@@ -4006,18 +4022,24 @@ index 00a19e3..55075f9 100644
 +HOME_DIR/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
 +HOME_DIR/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +HOME_DIR/\.local.*		gen_context(system_u:object_r:gconf_home_t,s0)
-+HOME_DIR/\.local/share(.*)?	gen_context(system_u:object_r:data_home_t,s0)
-+/HOME_DIR/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
-+/HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
++HOME_DIR/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
++HOME_DIR/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
 +
++/root/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
++/root/\.color/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +/root/\.config(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
-+/root/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
++/root/\.kde(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
 +/root/\.gconf(d)?(/.*)?	gen_context(system_u:object_r:gconf_home_t,s0)
 +/root/\.gnome2(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
++/root/\.gnome2/keyrings(/.*)?	gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
 +/root/\.gstreamer-.*		gen_context(system_u:object_r:gstreamer_home_t,s0)
 +/root/\.local.*			gen_context(system_u:object_r:gconf_home_t,s0)
-+/root/\.local/share(.*)?	gen_context(system_u:object_r:data_home_t,s0)
++/root/\.local/share(/.*)?	gen_context(system_u:object_r:data_home_t,s0)
++/root/\.local/share/icc(/.*)?	gen_context(system_u:object_r:icc_data_home_t,s0)
 +/root/\.Xdefaults		gen_context(system_u:object_r:config_home_t,s0)
++/root/\.xine(/.*)?		gen_context(system_u:object_r:config_home_t,s0)
  
  /etc/gconf(/.*)?		gen_context(system_u:object_r:gconf_etc_t,s0)
  
@@ -4036,10 +4058,10 @@ index 00a19e3..55075f9 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..93aa20f 100644
+index f5afe78..6a38eaf 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,699 @@
+@@ -1,44 +1,739 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -4517,6 +4539,46 @@ index f5afe78..93aa20f 100644
 +
 +########################################
 +## <summary>
++##	Read icc data home content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_read_home_icc_data_content',`
++	gen_require(`
++		type icc_data_home_t, gconf_home_t, data_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
++	list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
++	read_files_pattern($1, icc_data_home_t, icc_data_home_t)
++	read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
++')
++
++########################################
++## <summary>
++##	Read inherited icc data home files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_read_inherited_home_icc_data_files',`
++	gen_require(`
++		type icc_data_home_t;
++	')
++
++	allow $1 icc_data_home_t:file read_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	Create gconf_home_t objects in the /root directory
 +## </summary>
 +## <param name="domain">
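Review bot: `gnome_read_home_icc_data_content` grants `search` only on `gconf_home_t` and `data_home_t`, yet gnome.fc in this same patch also labels the legacy `~/.color/icc` location as `icc_data_home_t` while `~/.color` itself gets no label of its own; a caller reaching the legacy path presumably needs search on whatever `~/.color` ends up labeled (likely the generic user home content type), which this interface does not provide — confirm against the home-directory fc rules. Either add the missing search permission here or state the limitation in the summary, e.g. `##	Read icc data home content (~/.local/share/icc; the legacy ~/.color/icc location is not searched).` The `gnome_read_inherited_home_icc_data_files` interface below looks correct for its stated purpose.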
@@ -4757,7 +4819,7 @@ index f5afe78..93aa20f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +701,36 @@ interface(`gnome_role',`
+@@ -46,37 +741,36 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -4806,7 +4868,7 @@ index f5afe78..93aa20f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +738,42 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +778,42 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -4860,7 +4922,7 @@ index f5afe78..93aa20f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +781,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +821,17 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -4882,7 +4944,7 @@ index f5afe78..93aa20f 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +799,353 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +839,358 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -5157,7 +5219,7 @@ index f5afe78..93aa20f 100644
 +	type gstreamer_home_t;
 +	type gconf_home_t;
 +	type gnome_home_t;
-+	type data_home_t;
++	type data_home_t, icc_data_home_t;
 +	type gkeyringd_gnome_home_t;
 +')
 +
@@ -5171,8 +5233,11 @@ index f5afe78..93aa20f 100644
 +	userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
 +	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
 +	userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
++	# ~/.color/icc: legacy
++	userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
 +	filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
 +	filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
++	filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
 +')
 +
 +########################################
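Review bot: `userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")` is keyed only on the directory name, so if that interface transitions on any user-home content directory (as its name suggests), every `icc` directory the domain creates anywhere under the home becomes `icc_data_home_t`, not just the one under `~/.color`; the `# ~/.color/icc: legacy` comment overstates how targeted the rule is. By contrast the `filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")` line right below is correctly scoped to `~/.local/share`. Either accept the wide match and say so, e.g. `# legacy ~/.color/icc; note this matches any "icc" dir created in user home content`, or give `~/.color` its own type so the transition can be narrowed. The interface starts before this hunk.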
@@ -5194,7 +5259,7 @@ index f5afe78..93aa20f 100644
 +	type gstreamer_home_t;
 +	type gconf_home_t;
 +	type gnome_home_t;
-+	type data_home_t;
++	type icc_data_home_t;
 +')
 +
 +	userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
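Review bot: This gen_require block replaces `type data_home_t;` with `type icc_data_home_t;` instead of adding to it, so the interface must no longer reference `data_home_t` anywhere in its body, and the lines between this hunk and the next are not shown; the parallel user-home interface above still carries a `filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")` rule. If the admin variant has a corresponding `share` transition, the module will fail to build on the undeclared type. Keeping both declarations, `type data_home_t, icc_data_home_t;`, is harmless if `data_home_t` turns out to be unused and avoids the risk. The interface continues outside the hunk.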
@@ -5207,6 +5272,8 @@ index f5afe78..93aa20f 100644
 +	userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
 +	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
 +	userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
++	# /root/.color/icc: legacy
++	userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
 +')
 +######################################
 +## <summary>
@@ -5252,10 +5319,10 @@ index f5afe78..93aa20f 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..bb2e8e8 100644
+index 2505654..9c3e9f6 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
-@@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
+@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
  # Declarations
  #
  
@@ -5280,11 +5347,14 @@ index 2505654..bb2e8e8 100644
 +type gstreamer_home_t, gnome_home_type;
 +userdom_user_home_content(gstreamer_home_t)
 +
++type icc_data_home_t, gnome_home_type;
++userdom_user_home_content(icc_data_home_t)
++
 +type gconf_home_t, gnome_home_type;
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -23,19 +37,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
+@@ -23,19 +40,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
  files_tmp_file(gconf_tmp_t)
  ubac_constrained(gconf_tmp_t)
  
@@ -5327,7 +5397,7 @@ index 2505654..bb2e8e8 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +110,168 @@ optional_policy(`
+@@ -75,3 +113,168 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -6454,7 +6524,7 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..aa29dee 100644
+index 9a6d67d..9c59afd 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -6513,7 +6583,7 @@ index 9a6d67d..aa29dee 100644
  ##	Execmod mozilla home directory content.
  ## </summary>
  ## <param name="domain">
-@@ -168,6 +194,80 @@ interface(`mozilla_domtrans',`
+@@ -168,6 +194,84 @@ interface(`mozilla_domtrans',`
  
  ########################################
  ## <summary>
@@ -6527,17 +6597,22 @@ index 9a6d67d..aa29dee 100644
 +#
 +interface(`mozilla_domtrans_plugin',`
 +	gen_require(`
-+		type mozilla_plugin_t, mozilla_plugin_exec_t;
++		type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
 +		class dbus send_msg;
 +	')
 +
 +	domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
 +	allow mozilla_plugin_t $1:process signull;	
 +
++	ps_process_pattern($1, mozilla_plugin_t)
++	allow $1 mozilla_plugin_t:process { ptrace signal_perms };
++
 +	allow $1 mozilla_plugin_t:dbus send_msg;
 +	allow mozilla_plugin_t $1:dbus send_msg;
 +
 +	allow $1 mozilla_plugin_t:fd use;
++
++	allow $1 mozilla_plugin_tmpfs_t:file { delete_file_perms read_file_perms };
 +')
 +
 +
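Review bot: `allow $1 mozilla_plugin_t:process { ptrace signal_perms };` moves `ptrace` from `mozilla_role` (the old lines are removed in the next hunk) into `mozilla_domtrans_plugin`, so every domain that merely transitions into the plugin can now ptrace it, not only the user domains a role is granted; ptrace over a network-facing plugin domain is a large grant for a domtrans interface. Unless a non-role caller actually needs it, keep `ptrace` in `mozilla_role` and leave this interface with `allow $1 mozilla_plugin_t:process signal_perms;`, or gate the ptrace rule on the file's existing ptrace tunable if it has one. The new `allow $1 mozilla_plugin_tmpfs_t:file { delete_file_perms read_file_perms };` also goes beyond what a domain-transition interface usually covers and deserves a why-comment naming the denial it resolves.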
@@ -6564,9 +6639,8 @@ index 9a6d67d..aa29dee 100644
 +
 +	mozilla_domtrans_plugin($1)
 +	role $2 types mozilla_plugin_t;
++
 +	allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
-+	allow $1 mozilla_plugin_t:process { ptrace signal sigkill };
-+	allow $1 mozilla_plugin_t:fd use;
 +
 +	allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
 +')
@@ -6594,7 +6668,7 @@ index 9a6d67d..aa29dee 100644
  ##	Send and receive messages from
  ##	mozilla over dbus.
  ## </summary>
-@@ -204,3 +304,57 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -204,3 +308,57 @@ interface(`mozilla_rw_tcp_sockets',`
  
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -6627,12 +6701,12 @@ index 9a6d67d..aa29dee 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`mozilla_plugin_read_inherited_tmpfs_files',`
++interface(`mozilla_plugin_read_tmpfs_files',`
 +	gen_require(`
 +		type mozilla_plugin_tmpfs_t;
 +	')
 +
-+	allow $1 mozilla_plugin_tmpfs_t:file read_inherited_file_perms;
++	allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
 +')
 +
 +########################################
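Review bot: Renaming `mozilla_plugin_read_inherited_tmpfs_files` to `mozilla_plugin_read_tmpfs_files` swaps `read_inherited_file_perms` for `read_file_perms`, which adds `open`, so the caller (pulseaudio in this patch) may now open any `mozilla_plugin_tmpfs_t` file itself rather than only read descriptors the plugin hands it; the interface's `<summary>` text sits just above the hunk and presumably still says "inherited". Update the summary to match, e.g. `##	Read mozilla plugin tmpfs files.`, and if pulseaudio only ever receives shared-memory descriptors from the plugin, the narrower inherited form was the right one — confirm against the AVC denial that motivated the widening.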
@@ -8214,7 +8288,7 @@ index 2ba7787..9f12b51 100644
  ')
  
 diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..77178ab 100644
+index c2d20a2..e5d85d1 100644
 --- a/policy/modules/apps/pulseaudio.te
 +++ b/policy/modules/apps/pulseaudio.te
 @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -8272,7 +8346,7 @@ index c2d20a2..77178ab 100644
  ')
  
  optional_policy(`
-+	mozilla_plugin_read_inherited_tmpfs_files(pulseaudio_t)
++	mozilla_plugin_read_tmpfs_files(pulseaudio_t)
 +')
 +
 +optional_policy(`
@@ -11016,7 +11090,7 @@ index 223ad43..d400ef6 100644
  # Reading dotfiles...
  # cjp: ?
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..1240d65 100644
+index 34c9d01..ddb1528 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -11069,7 +11143,7 @@ index 34c9d01..1240d65 100644
  #
  # /usr
  #
-@@ -196,47 +195,50 @@ ifdef(`distro_gentoo',`
+@@ -196,47 +195,51 @@ ifdef(`distro_gentoo',`
  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/wicd/monitor\.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
@@ -11115,9 +11189,9 @@ index 34c9d01..1240d65 100644
 -
 -/usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/chromium-browser/chrome   --  gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/chromium-browser/chrome	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ConsoleKit/run-session\.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/cups(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -11127,6 +11201,7 @@ index 34c9d01..1240d65 100644
 +/usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/mailman/mail(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/MailScanner(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/mediawiki/math/texvc.*	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@@ -11161,12 +11236,12 @@ index 34c9d01..1240d65 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -244,9 +246,13 @@ ifdef(`distro_gentoo',`
+@@ -244,9 +247,13 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
 -/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/xfce4/notifyd/xfce4-notifyd	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xfce4(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/local/lib/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -11176,7 +11251,7 @@ index 34c9d01..1240d65 100644
  /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
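Review bot: `/usr/lib/xfce4(/.*)?` replaces the single `xfce4-notifyd` entry with a whole-tree `bin_t` label, and it is placed among the `/usr/libexec` and `/usr/local` entries rather than with the other `/usr/lib/...` rules a few lines earlier. If that tree also holds shared objects (panel plugin modules, for instance), they would now be labeled `bin_t` instead of the library type, which changes which domains may map them; confirm what lives under `/usr/lib/xfce4` on the target. If only the notifyd helper and similar binaries are needed, a narrower rule such as `/usr/lib/xfce4/notifyd(/.*)?	gen_context(system_u:object_r:bin_t,s0)` in the `/usr/lib` section keeps library files out of `bin_t`.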
-@@ -283,6 +289,7 @@ ifdef(`distro_gentoo',`
+@@ -283,6 +290,7 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -11184,7 +11259,7 @@ index 34c9d01..1240d65 100644
  /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-@@ -291,7 +298,7 @@ ifdef(`distro_gentoo',`
+@@ -291,7 +299,7 @@ ifdef(`distro_gentoo',`
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
@@ -11193,7 +11268,7 @@ index 34c9d01..1240d65 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -304,9 +311,8 @@ ifdef(`distro_redhat', `
+@@ -304,9 +312,8 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -11204,7 +11279,7 @@ index 34c9d01..1240d65 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +322,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +323,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -11216,7 +11291,7 @@ index 34c9d01..1240d65 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -360,7 +368,7 @@ ifdef(`distro_redhat', `
+@@ -360,7 +369,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -11225,7 +11300,7 @@ index 34c9d01..1240d65 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -372,8 +380,9 @@ ifdef(`distro_suse', `
+@@ -372,8 +381,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -12364,7 +12439,7 @@ index 5a07a43..eb5f76e 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..599c3e6 100644
+index 0757523..1bec39a 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -12442,7 +12517,7 @@ index 0757523..599c3e6 100644
  network_port(dbskkd, tcp,1178,s0)
  network_port(dcc, udp,6276,s0, udp,6277,s0)
  network_port(dccm, tcp,5679,s0, udp,5679,s0)
-@@ -96,9 +118,13 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -96,9 +118,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -12453,10 +12528,11 @@ index 0757523..599c3e6 100644
  network_port(fingerd, tcp,79,s0)
 +network_port(firebird, tcp,3050,s0, udp,3050,s0)
 +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
++network_port(fprot, tcp,10200,s0)
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -112,7 +138,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -112,7 +139,7 @@ network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -12465,7 +12541,7 @@ index 0757523..599c3e6 100644
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -126,43 +152,59 @@ network_port(iscsi, tcp,3260,s0)
+@@ -126,43 +153,59 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -12531,7 +12607,7 @@ index 0757523..599c3e6 100644
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -177,24 +219,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,24 +220,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -12565,7 +12641,7 @@ index 0757523..599c3e6 100644
  network_port(syslogd, udp,514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
-@@ -205,20 +252,22 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,20 +253,22 @@ network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
@@ -12591,7 +12667,7 @@ index 0757523..599c3e6 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -272,9 +321,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -272,9 +322,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -14223,7 +14299,7 @@ index bc534c1..6190297 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 16108f6..de3c68f 100644
+index 16108f6..d993f7e 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -14358,16 +14434,14 @@ index 16108f6..de3c68f 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -252,3 +270,7 @@ ifndef(`distro_redhat',`
+@@ -252,3 +270,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
-+
-+/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..811174e 100644
+index 958ca84..473eacc 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -14663,7 +14737,15 @@ index 958ca84..811174e 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -3104,6 +3290,7 @@ interface(`files_getattr_home_dir',`
+@@ -2660,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',`
+ 
+ 	allow $1 etc_t:dir list_dir_perms;
+ 	rw_files_pattern($1, etc_t, etc_runtime_t)
++	read_lnk_files_pattern($1, etc_t, etc_t)
+ ')
+ 
+ ########################################
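Review bot: `read_lnk_files_pattern($1, etc_t, etc_t)` added to `files_rw_etc_runtime_files` grants read of every `etc_t` symlink under /etc, which is wider than the interface name (runtime files) suggests and is not explained in the hunk; presumably a runtime file that is now a symlink (such as `/etc/mtab` pointing elsewhere) motivated it. Add a why-comment, e.g. `# some runtime files (e.g. /etc/mtab) are symlinks; allow following them`, or call the file's dedicated etc-symlink interface if one exists so the widening is visible at the call site. If only `etc_runtime_t` symlinks are needed, `read_lnk_files_pattern($1, etc_t, etc_runtime_t)` is the narrower form.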
+@@ -3104,6 +3291,7 @@ interface(`files_getattr_home_dir',`
  	')
  
  	allow $1 home_root_t:dir getattr;
@@ -14671,7 +14753,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -3124,6 +3311,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3124,6 +3312,7 @@ interface(`files_dontaudit_getattr_home_dir',`
  	')
  
  	dontaudit $1 home_root_t:dir getattr;
@@ -14679,7 +14761,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -3247,7 +3435,7 @@ interface(`files_home_filetrans',`
+@@ -3247,7 +3436,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
  
@@ -14688,7 +14770,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -3287,6 +3475,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
+@@ -3287,6 +3476,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
  	dontaudit $1 lost_found_t:dir getattr;
  ')
  
@@ -14713,7 +14795,7 @@ index 958ca84..811174e 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete objects in
-@@ -3365,6 +3571,43 @@ interface(`files_list_mnt',`
+@@ -3365,6 +3572,43 @@ interface(`files_list_mnt',`
  	allow $1 mnt_t:dir list_dir_perms;
  ')
  
@@ -14757,7 +14839,7 @@ index 958ca84..811174e 100644
  ########################################
  ## <summary>
  ##	Mount a filesystem on /mnt.
-@@ -3438,6 +3681,24 @@ interface(`files_read_mnt_files',`
+@@ -3438,6 +3682,24 @@ interface(`files_read_mnt_files',`
  	read_files_pattern($1, mnt_t, mnt_t)
  ')
  
@@ -14782,7 +14864,7 @@ index 958ca84..811174e 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -3729,6 +3990,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3991,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -14882,7 +14964,7 @@ index 958ca84..811174e 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3774,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3774,7 +4129,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14891,7 +14973,7 @@ index 958ca84..811174e 100644
  ##	</summary>
  ## </param>
  #
-@@ -3846,7 +4200,7 @@ interface(`files_list_tmp',`
+@@ -3846,7 +4201,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14900,7 +14982,7 @@ index 958ca84..811174e 100644
  ##	</summary>
  ## </param>
  #
-@@ -3858,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -3858,6 +4213,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -14925,7 +15007,7 @@ index 958ca84..811174e 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -3914,25 +4286,33 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,25 +4287,33 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -14964,7 +15046,7 @@ index 958ca84..811174e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3940,17 +4320,35 @@ interface(`files_manage_generic_tmp_files',`
+@@ -3940,17 +4321,35 @@ interface(`files_manage_generic_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -15003,7 +15085,7 @@ index 958ca84..811174e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3968,6 +4366,84 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,6 +4367,84 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -15088,7 +15170,7 @@ index 958ca84..811174e 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4009,7 +4485,7 @@ interface(`files_list_all_tmp',`
+@@ -4009,7 +4486,7 @@ interface(`files_list_all_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15097,7 +15179,7 @@ index 958ca84..811174e 100644
  ##	</summary>
  ## </param>
  #
-@@ -4047,7 +4523,7 @@ interface(`files_getattr_all_tmp_files',`
+@@ -4047,7 +4524,7 @@ interface(`files_getattr_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15106,7 +15188,7 @@ index 958ca84..811174e 100644
  ##	</summary>
  ## </param>
  #
-@@ -4103,7 +4579,7 @@ interface(`files_tmp_filetrans',`
+@@ -4103,7 +4580,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -15115,7 +15197,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -4127,6 +4603,15 @@ interface(`files_purge_tmp',`
+@@ -4127,6 +4604,15 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -15131,7 +15213,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -4466,7 +4951,7 @@ interface(`files_usr_filetrans',`
+@@ -4466,7 +4952,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -15140,7 +15222,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -4736,6 +5221,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5222,24 @@ interface(`files_read_var_files',`
  
  ########################################
  ## <summary>
@@ -15165,7 +15247,7 @@ index 958ca84..811174e 100644
  ##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
-@@ -4851,7 +5354,7 @@ interface(`files_var_filetrans',`
+@@ -4851,7 +5355,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -15174,7 +15256,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -4986,7 +5489,7 @@ interface(`files_var_lib_filetrans',`
+@@ -4986,7 +5490,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -15183,7 +15265,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -5071,6 +5574,25 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5575,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -15209,7 +15291,7 @@ index 958ca84..811174e 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5084,6 +5606,8 @@ interface(`files_search_locks',`
+@@ -5084,6 +5607,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15218,7 +15300,7 @@ index 958ca84..811174e 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5103,11 +5627,50 @@ interface(`files_dontaudit_search_locks',`
+@@ -5103,11 +5628,50 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -15269,7 +15351,7 @@ index 958ca84..811174e 100644
  ##	Add and remove entries in the /var/lock
  ##	directories.
  ## </summary>
-@@ -5122,6 +5685,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5122,6 +5686,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -15277,7 +15359,7 @@ index 958ca84..811174e 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5140,7 +5704,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5140,7 +5705,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15286,7 +15368,7 @@ index 958ca84..811174e 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5156,12 +5720,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5721,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -15303,7 +15385,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -5180,7 +5744,7 @@ interface(`files_manage_generic_locks',`
+@@ -5180,7 +5745,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15312,7 +15394,7 @@ index 958ca84..811174e 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5207,6 +5771,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5772,27 @@ interface(`files_delete_all_locks',`
  
  ########################################
  ## <summary>
@@ -15340,7 +15422,7 @@ index 958ca84..811174e 100644
  ##	Read all lock files.
  ## </summary>
  ## <param name="domain">
-@@ -5221,7 +5806,7 @@ interface(`files_read_all_locks',`
+@@ -5221,7 +5807,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15349,7 +15431,7 @@ index 958ca84..811174e 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5243,7 +5828,7 @@ interface(`files_manage_all_locks',`
+@@ -5243,7 +5829,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -15358,7 +15440,7 @@ index 958ca84..811174e 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5275,8 +5860,8 @@ interface(`files_lock_filetrans',`
+@@ -5275,8 +5861,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -15369,7 +15451,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -5332,9 +5917,47 @@ interface(`files_search_pids',`
+@@ -5332,9 +5918,47 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -15417,7 +15499,7 @@ index 958ca84..811174e 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5463,7 +6086,7 @@ interface(`files_pid_filetrans',`
+@@ -5463,7 +6087,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -15426,7 +15508,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -5542,6 +6165,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6166,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -15489,7 +15571,7 @@ index 958ca84..811174e 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5559,6 +6238,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6239,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -15534,7 +15616,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -5769,7 +6486,7 @@ interface(`files_spool_filetrans',`
+@@ -5769,7 +6487,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -15543,7 +15625,7 @@ index 958ca84..811174e 100644
  ')
  
  ########################################
-@@ -5844,3 +6561,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6562,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -17155,7 +17237,7 @@ index 0e5b661..3168d72 100644
 +attribute mcsuntrustedproc;
 +attribute mcsnetwrite;
 diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 786449a..e8ebc76 100644
+index 786449a..c0ecbd5 100644
 --- a/policy/modules/kernel/selinux.if
 +++ b/policy/modules/kernel/selinux.if
 @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -17167,7 +17249,33 @@ index 786449a..e8ebc76 100644
  ')
  
  ########################################
-@@ -257,6 +257,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -243,6 +243,25 @@ interface(`selinux_dontaudit_search_fs',`
+ 
+ ########################################
+ ## <summary>
++##	Mount on selinuxfs directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`selinux_mounton_fs',`
++	gen_require(`
++		type security_t;
++	')
++
++	allow $1 security_t:dir mounton;
++')
++
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read
+ ##	generic selinuxfs entries
+ ## </summary>
+@@ -257,6 +276,7 @@ interface(`selinux_dontaudit_read_fs',`
  		type security_t;
  	')
  
@@ -17175,7 +17283,7 @@ index 786449a..e8ebc76 100644
  	dontaudit $1 security_t:dir search_dir_perms;
  	dontaudit $1 security_t:file read_file_perms;
  ')
-@@ -278,6 +279,7 @@ interface(`selinux_get_enforce_mode',`
+@@ -278,6 +298,7 @@ interface(`selinux_get_enforce_mode',`
  		type security_t;
  	')
  
@@ -17183,7 +17291,7 @@ index 786449a..e8ebc76 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file read_file_perms;
  ')
-@@ -358,6 +360,26 @@ interface(`selinux_load_policy',`
+@@ -358,6 +379,26 @@ interface(`selinux_load_policy',`
  
  ########################################
  ## <summary>
@@ -17210,7 +17318,7 @@ index 786449a..e8ebc76 100644
  ##	Allow caller to set the state of Booleans to
  ##	enable or disable conditional portions of the policy.  (Deprecated)
  ## </summary>
-@@ -459,6 +481,7 @@ interface(`selinux_set_all_booleans',`
+@@ -459,6 +500,7 @@ interface(`selinux_set_all_booleans',`
  	')
  
  	allow $1 security_t:dir list_dir_perms;
@@ -17218,7 +17326,7 @@ index 786449a..e8ebc76 100644
  	allow $1 boolean_type:file rw_file_perms;
  
  	if(!secure_mode_policyload) {
-@@ -677,3 +700,24 @@ interface(`selinux_unconfined',`
+@@ -677,3 +719,24 @@ interface(`selinux_unconfined',`
  
  	typeattribute $1 selinux_unconfined_type;
  ')
@@ -18449,7 +18557,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..3664943 100644
+index 2be17d2..4f2f20d 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
@@ -18506,7 +18614,7 @@ index 2be17d2..3664943 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,19 +68,95 @@ optional_policy(`
+@@ -27,19 +68,99 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18515,6 +18623,10 @@ index 2be17d2..3664943 100644
 +')
 +
 +optional_policy(`
++	chrome_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	colord_dbus_chat(staff_t)
 +')
 +
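Review bot: `chrome_role(staff_r, staff_t)` is added here (and `chrome_role(user_r, user_t)` in the unprivuser.te hunk further down) without any tunable, whereas the unconfineduser.te hunk switches to `chrome_role_notrans` and calls `chrome_domtrans_sandbox` only under `unconfined_chrome_sandbox_transition`. chrome.if is not in this chunk, so whether `chrome_role` still performs the sandbox transition cannot be confirmed here; if it does, confined roles transition unconditionally while the unconfined role needs a boolean, which is presumably intentional but deserves a one-line comment above the `optional_policy` block, e.g. `# confined users always run chrome-sandbox in its own domain; unconfined users gate it on unconfined_chrome_sandbox_transition`. The sequence of `optional_policy` blocks this sits in continues outside the hunk.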
@@ -18604,7 +18716,7 @@ index 2be17d2..3664943 100644
  ')
  
  optional_policy(`
-@@ -48,10 +165,48 @@ optional_policy(`
+@@ -48,10 +169,48 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18653,7 +18765,7 @@ index 2be17d2..3664943 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -89,10 +244,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +248,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -18664,7 +18776,7 @@ index 2be17d2..3664943 100644
  		gpg_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +288,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +292,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -18675,7 +18787,7 @@ index 2be17d2..3664943 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +319,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +323,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -19801,10 +19913,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..168668b
+index 0000000..3be35bb
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,528 @@
+@@ -0,0 +1,539 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -19822,6 +19934,13 @@ index 0000000..168668b
 +
 +## <desc>
 +## <p>
++## allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox
++## </p>
++## </desc>
++gen_tunable(unconfined_chrome_sandbox_transition, false)
++
++## <desc>
++## <p>
 +## Allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container.
 +## </p>
 +## </desc>
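Review bot: The new tunable description reads `## allow unconfined users to transition ...` with a lowercase start and no closing period, while the neighbouring `<desc>` block in this file begins with `Allow` and ends with one; since these blocks are what the policy tools display for the boolean, make it `## Allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbox.`.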
@@ -20069,7 +20188,11 @@ index 0000000..168668b
 +')
 +
 +optional_policy(`
-+	chrome_role(unconfined_r, unconfined_usertype)
++	chrome_role_notrans(unconfined_r, unconfined_usertype)
++
++	tunable_policy(`unconfined_chrome_sandbox_transition',`
++		chrome_domtrans_sandbox(unconfined_usertype)
++	')
 +')
 +
 +optional_policy(`
@@ -20334,10 +20457,10 @@ index 0000000..168668b
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..425ea6f 100644
+index e5bfdd4..17b57ba 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,74 @@ role user_r;
+@@ -12,15 +12,78 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -20363,6 +20486,10 @@ index e5bfdd4..425ea6f 100644
 +')
 +
 +optional_policy(`
++	chrome_role(user_r, user_t)
++')
++
++optional_policy(`
 +	gnome_role(user_r, user_t)
 +')
 +
@@ -20412,7 +20539,7 @@ index e5bfdd4..425ea6f 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -62,10 +121,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +125,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20423,7 +20550,7 @@ index e5bfdd4..425ea6f 100644
  		gpg_role(user_r, user_t)
  	')
  
-@@ -118,11 +173,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +177,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -20436,7 +20563,7 @@ index e5bfdd4..425ea6f 100644
  	')
  
  	optional_policy(`
-@@ -157,3 +208,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +212,4 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -26096,7 +26223,7 @@ index e8e9a21..89fc935 100644
  /var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
  /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
-index 1f11572..7f6a7ab 100644
+index 1f11572..101824b 100644
 --- a/policy/modules/services/clamav.if
 +++ b/policy/modules/services/clamav.if
 @@ -33,6 +33,7 @@ interface(`clamav_stream_connect',`
@@ -26123,7 +26250,33 @@ index 1f11572..7f6a7ab 100644
  ')
  
  ########################################
-@@ -151,9 +152,8 @@ interface(`clamav_exec_clamscan',`
+@@ -133,6 +134,25 @@ interface(`clamav_exec_clamscan',`
+ 
+ ########################################
+ ## <summary>
++##	Manage clamd pid content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`clamav_manage_clamd_pid',`
++	gen_require(`
++		type clamd_var_run_t;
++	')
++
++	manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
++	manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate
+ ##	an clamav environment
+ ## </summary>
+@@ -151,9 +171,8 @@ interface(`clamav_exec_clamscan',`
  interface(`clamav_admin',`
  	gen_require(`
  		type clamd_t, clamd_etc_t, clamd_tmp_t;
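Review bot: `clamav_manage_clamd_pid` grants create/write/delete on `clamd_var_run_t` dirs and files but gives the caller no path to them; refpolicy interfaces that manage pid content typically pair the pattern with `files_search_pids($1)` so the caller can traverse /var/run, and that line is missing here. The summary should also make clear that write access to clamd's pid file lets the caller change which process the clamd init script signals, so only domains that genuinely need to manage, not merely read, that content should call it (the clamav.te hunk below shows clamscan_t gets only `read_files_pattern` on the same type, which is the right scope for a reader).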
@@ -26136,7 +26289,7 @@ index 1f11572..7f6a7ab 100644
  	')
  
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..a2e2d35 100644
+index f758323..4032a58 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
 @@ -1,9 +1,9 @@
@@ -26273,7 +26426,18 @@ index f758323..a2e2d35 100644
  ########################################
  #
  # clamscam local policy
-@@ -248,9 +268,11 @@ corenet_tcp_sendrecv_generic_if(clamscan_t)
+@@ -242,15 +262,22 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+ manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
+ allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
+ 
++read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
++allow clamscan_t clamd_var_run_t:dir list_dir_perms;
++
++kernel_read_system_state(clamscan_t)
++
+ corenet_all_recvfrom_unlabeled(clamscan_t)
+ corenet_all_recvfrom_netlabel(clamscan_t)
+ corenet_tcp_sendrecv_generic_if(clamscan_t)
  corenet_tcp_sendrecv_generic_node(clamscan_t)
  corenet_tcp_sendrecv_all_ports(clamscan_t)
  corenet_tcp_sendrecv_clamd_port(clamscan_t)
@@ -26285,7 +26449,7 @@ index f758323..a2e2d35 100644
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +286,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +291,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -27085,10 +27249,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..9d0208a
+index 0000000..760d092
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,111 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -27173,8 +27337,6 @@ index 0000000..9d0208a
 +
 +sysnet_dns_name_resolve(colord_t)
 +
-+userdom_read_inherited_user_home_content_files(colord_t)
-+
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_getattr_nfs(colord_t)
 +	fs_read_nfs_files(colord_t)
@@ -27193,10 +27355,6 @@ index 0000000..9d0208a
 +')
 +
 +optional_policy(`
-+	gnome_read_gconf_home_files(colord_t)
-+')
-+
-+optional_policy(`
 +	policykit_dbus_chat(colord_t)
 +	policykit_domtrans_auth(colord_t)
 +	policykit_read_lib(colord_t)
@@ -29100,7 +29258,7 @@ index 0d5711c..6e35cb2 100644
  ')
 +
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 86d09b4..8e05351 100644
+index 86d09b4..e54a616 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
@@ -29154,11 +29312,12 @@ index 86d09b4..8e05351 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -141,10 +147,18 @@ optional_policy(`
+@@ -141,10 +147,19 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	gnome_exec_gconf(system_dbusd_t)
++	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
 +')
 +
 +optional_policy(`
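Review bot: `gnome_read_inherited_home_icc_data_files(system_dbusd_t)` gives the system bus daemon read access to ICC data inherited from user home directories, and nothing in the hunk says why the bus itself, rather than the service that consumes the profiles, needs it; add a comment such as `# ICC profiles arrive as inherited fds over the bus; consumer is colord` — if colord is indeed the consumer, which this chunk does not show — so the grant is not later widened without knowing its purpose. Placing it in the gnome `optional_policy` block next to `gnome_exec_gconf` is otherwise fine.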
@@ -29173,7 +29332,7 @@ index 86d09b4..8e05351 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -162,5 +176,12 @@ optional_policy(`
+@@ -162,5 +177,12 @@ optional_policy(`
  #
  # Unconfined access to this module
  #
@@ -29639,7 +29798,7 @@ index f706b99..f0c629f 100644
 +	files_list_pids($1)
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..7cc036b 100644
+index f231f17..44d8969 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -29758,7 +29917,7 @@ index f231f17..7cc036b 100644
  domain_read_all_domains_state(devicekit_power_t)
  
  dev_read_input(devicekit_power_t)
-@@ -212,21 +241,28 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,21 +241,29 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -29769,6 +29928,7 @@ index f231f17..7cc036b 100644
  files_read_etc_files(devicekit_power_t)
 +files_read_etc_runtime_files(devicekit_power_t)
  files_read_usr_files(devicekit_power_t)
++files_dontaudit_list_mnt(devicekit_power_t)
  
  fs_list_inotifyfs(devicekit_power_t)
 +fs_getattr_all_fs(devicekit_power_t)
@@ -29788,7 +29948,7 @@ index f231f17..7cc036b 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,6 +271,10 @@ optional_policy(`
+@@ -235,6 +272,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29799,7 +29959,7 @@ index f231f17..7cc036b 100644
  	cron_initrc_domtrans(devicekit_power_t)
  ')
  
-@@ -261,14 +301,21 @@ optional_policy(`
+@@ -261,14 +302,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29822,7 +29982,7 @@ index f231f17..7cc036b 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +323,25 @@ optional_policy(`
+@@ -276,9 +324,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31512,7 +31672,7 @@ index f590a1f..338e5bf 100644
 +	admin_pattern($1, fail2ban_tmp_t)
  ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..e6d2dd2 100644
+index 2a69e5e..7842387 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t)
@@ -31549,10 +31709,11 @@ index 2a69e5e..e6d2dd2 100644
  manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
  logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
  
-@@ -50,6 +60,10 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+@@ -50,6 +60,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
  manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
  files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
  
++manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
 +manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
 +exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
 +files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, file)
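Review bot: `manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)` is added, but the transition rule three lines down is still `files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, file)`, so a directory fail2ban creates under /tmp would get the generic tmp label and the new dir rule would never apply to it; change it to `files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { file dir })` if directory creation is the reason for the new rule.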
@@ -31560,7 +31721,7 @@ index 2a69e5e..e6d2dd2 100644
  kernel_read_system_state(fail2ban_t)
  
  corecmd_exec_bin(fail2ban_t)
-@@ -66,6 +80,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
+@@ -66,6 +81,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
  dev_read_urand(fail2ban_t)
  
  domain_use_interactive_fds(fail2ban_t)
@@ -31568,7 +31729,7 @@ index 2a69e5e..e6d2dd2 100644
  
  files_read_etc_files(fail2ban_t)
  files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +109,34 @@ optional_policy(`
+@@ -94,5 +110,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33616,17 +33777,20 @@ index df48e5e..6985546 100644
  		type inetd_t;
  	')
 diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index c51a7b2..de05a6f 100644
+index c51a7b2..5f71f35 100644
 --- a/policy/modules/services/inetd.te
 +++ b/policy/modules/services/inetd.te
-@@ -149,6 +149,7 @@ miscfiles_read_localization(inetd_t)
+@@ -149,7 +149,10 @@ miscfiles_read_localization(inetd_t)
  mls_fd_share_all_levels(inetd_t)
  mls_socket_read_to_clearance(inetd_t)
  mls_socket_write_to_clearance(inetd_t)
 +mls_net_outbound_all_levels(inetd_t)
  mls_process_set_level(inetd_t)
++#706086
++mls_net_outbound_all_levels(inetd_t)
  
  sysnet_read_config(inetd_t)
+ 
 diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
 index 8ca038d..8507ee2 100644
 --- a/policy/modules/services/inn.fc
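Review bot: The resulting patch now adds `mls_net_outbound_all_levels(inetd_t)` twice — once on the pre-existing `+` line before `mls_process_set_level` and again after the new `#706086` comment — so one of them is redundant; drop the new copy and attach the reference to the existing line, or remove the old one. The bare `#706086` comment should also say what it refers to and what the rule is for, e.g. `# <tracker> 706086: inetd needs outbound connections at all MLS levels`, with the tracker name filled in by whoever knows it.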
@@ -33830,13 +33994,40 @@ index 4c9acec..deef4c7 100644
  /var/lib/jabber(/.*)?		gen_context(system_u:object_r:jabberd_var_lib_t,s0)
  /var/log/jabber(/.*)?		gen_context(system_u:object_r:jabberd_log_t,s0)
 diff --git a/policy/modules/services/jabber.if b/policy/modules/services/jabber.if
-index 9878499..9167dc9 100644
+index 9878499..b5d5c6d 100644
 --- a/policy/modules/services/jabber.if
 +++ b/policy/modules/services/jabber.if
-@@ -1,8 +1,82 @@
+@@ -1,8 +1,71 @@
  ## <summary>Jabber instant messaging server</summary>
  
 -########################################
++#####################################
++## <summary>
++##  Creates types and rules for a basic
++##  jabber init daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`jabberd_domain_template',`
++    gen_require(`
++        attribute jabberd_domain;
++    ')
++
++    ##############################
++    #   
++    #  $1_t declarations
++    # 
++
++    type jabberd_$1_t, jabberd_domain;
++    type jabberd_$1_exec_t;
++    init_daemon_domain(jabberd_$1_t, jabberd_$1_exec_t)
++
++')
++
 +#######################################
 +## <summary>
 +##	Execute a domain transition to run jabberd services
@@ -33856,7 +34047,8 @@ index 9878499..9167dc9 100644
 +')
 +
 +######################################
-+## <summary>
+ ## <summary>
+-##	Connect to jabber over a TCP socket  (Deprecated)
 +##	Execute a domain transition to run jabberd router service
 +## </summary>
 +## <param name="domain">
@@ -33876,13 +34068,15 @@ index 9878499..9167dc9 100644
 +#######################################
 +## <summary>
 +##	Read jabberd lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -10,8 +73,51 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`jabber_tcp_connect',`
+-	refpolicywarn(`$0($*) has been deprecated.')
 +interface(`jabberd_read_lib_files',`
 +	gen_require(`
 +		type jabberd_var_lib_t;
@@ -33893,8 +34087,7 @@ index 9878499..9167dc9 100644
 +')
 +
 +#######################################
- ## <summary>
--##	Connect to jabber over a TCP socket  (Deprecated)
++## <summary>
 +##	Dontaudit inherited read jabberd lib files.
 +## </summary>
 +## <param name="domain">
@@ -33915,15 +34108,13 @@ index 9878499..9167dc9 100644
 +## <summary>
 +##	Create, read, write, and delete
 +##	jabberd lib files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -10,8 +84,13 @@
- ##	</summary>
- ## </param>
- #
--interface(`jabber_tcp_connect',`
--	refpolicywarn(`$0($*) has been deprecated.')
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`jabberd_manage_lib_files',`
 +	gen_require(`
 +		type jabberd_var_lib_t;
@@ -33934,7 +34125,7 @@ index 9878499..9167dc9 100644
  ')
  
  ########################################
-@@ -34,12 +113,15 @@ interface(`jabber_tcp_connect',`
+@@ -34,12 +140,15 @@ interface(`jabber_tcp_connect',`
  interface(`jabber_admin',`
  	gen_require(`
  		type jabberd_t, jabberd_log_t, jabberd_var_lib_t;
@@ -33952,10 +34143,10 @@ index 9878499..9167dc9 100644
  	domain_system_change_exemption($1)
  	role_transition $2 jabberd_initrc_exec_t system_r;
 diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..ae77997 100644
+index da2127e..085ad45 100644
 --- a/policy/modules/services/jabber.te
 +++ b/policy/modules/services/jabber.te
-@@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0)
+@@ -5,13 +5,17 @@ policy_module(jabber, 1.8.0)
  # Declarations
  #
  
@@ -33969,14 +34160,12 @@ index da2127e..ae77997 100644
  type jabberd_initrc_exec_t;
  init_script_file(jabberd_initrc_exec_t)
  
-+type jabberd_router_t, jabberd_domain;
-+type jabberd_router_exec_t;
-+init_daemon_domain(jabberd_router_t, jabberd_router_exec_t)
++jabberd_domain_template(router)
 +
  type jabberd_log_t;
  logging_log_file(jabberd_log_t)
  
-@@ -21,74 +27,91 @@ files_type(jabberd_var_lib_t)
+@@ -21,74 +25,91 @@ files_type(jabberd_var_lib_t)
  type jabberd_var_run_t;
  files_pid_file(jabberd_var_run_t)
  
@@ -35246,6 +35435,183 @@ index af4d572..999384c 100644
 -')
 \ No newline at end of file
 +')
+diff --git a/policy/modules/services/mailscanner.fc b/policy/modules/services/mailscanner.fc
+new file mode 100644
+index 0000000..827e22e
+--- /dev/null
++++ b/policy/modules/services/mailscanner.fc
+@@ -0,0 +1,11 @@
++/etc/MailScanner(/.*)?	gen_context(system_u:object_r:mscan_etc_t,s0)
++
++/etc/rc\.d/init\.d/MailScanner	--	gen_context(system_u:object_r:mscan_initrc_exec_t,s0)
++
++/etc/sysconfig/MailScanner	--	gen_context(system_u:object_r:mscan_etc_t,s0)
++
++/etc/sysconfig/update_spamassassin	--	gen_context(system_u:object_r:mscan_etc_t,s0)
++
++/usr/sbin/MailScanner	--	gen_context(system_u:object_r:mscan_exec_t,s0)
++
++/var/run/MailScanner\.pid	--	gen_context(system_u:object_r:mscan_var_run_t,s0)
+diff --git a/policy/modules/services/mailscanner.if b/policy/modules/services/mailscanner.if
+new file mode 100644
+index 0000000..39c12cb
+--- /dev/null
++++ b/policy/modules/services/mailscanner.if
+@@ -0,0 +1,58 @@
++## <summary>E-mail security and anti-spam package for e-mail gateway systems.</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run
++## 	MailScanner.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`mailscanner_initrc_domtrans',`
++	gen_require(`
++		type mscan_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, mscan_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an mailscanner environment.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mailscanner_admin',`
++	gen_require(`
++		type mscan_t, mscan_var_run_t, mscan_etc_t;
++		type mscan_initrc_exec_t;
++	')
++
++	mailscanner_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 mscan_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	allow $1 mscan_t:process { ptrace signal_perms };
++	ps_process_pattern($1, mscan_t)
++
++	admin_pattern($1, mscan_etc_t)
++	files_list_etc($1)
++
++	admin_pattern($1, mscan_var_run_t)
++	files_list_pids($1)
++')
+diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te
+new file mode 100644
+index 0000000..b1cf109
+--- /dev/null
++++ b/policy/modules/services/mailscanner.te
+@@ -0,0 +1,90 @@
++policy_module(mailscanner, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mscan_t;
++type mscan_exec_t;
++init_daemon_domain(mscan_t, mscan_exec_t)
++
++type mscan_initrc_exec_t;
++init_script_file(mscan_initrc_exec_t)
++
++type mscan_etc_t;
++files_config_file(mscan_etc_t)
++
++type mscan_tmp_t;
++files_tmp_file(mscan_tmp_t)
++
++type mscan_var_run_t;
++files_pid_file(mscan_var_run_t)
++
++# New in F16
++permissive mscan_t;
++
++########################################
++#
++# Local policy
++#
++
++allow mscan_t self:capability { setuid chown setgid dac_override };
++allow mscan_t self:process signal;
++allow mscan_t self:fifo_file rw_fifo_file_perms;
++
++read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
++
++manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
++files_pid_filetrans(mscan_t, mscan_var_run_t, file)
++
++manage_dirs_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
++manage_files_pattern(mscan_t, mscan_tmp_t, mscan_tmp_t)
++files_tmp_filetrans(mscan_t, mscan_tmp_t, dir)
++
++can_exec(mscan_t, mscan_exec_t)
++
++kernel_read_system_state(mscan_t)
++
++corecmd_exec_bin(mscan_t)
++corecmd_exec_shell(mscan_t)
++
++corenet_tcp_connect_fprot_port(mscan_t)
++corenet_tcp_sendrecv_fprot_port(mscan_t)
++corenet_sendrecv_fprot_client_packets(mscan_t)
++corenet_udp_bind_generic_node(mscan_t)
++corenet_udp_bind_generic_port(mscan_t)
++corenet_udp_sendrecv_all_ports(mscan_t)
++corenet_sendrecv_generic_server_packets(mscan_t)
++
++dev_read_urand(mscan_t)
++
++files_read_usr_files(mscan_t)
++
++fs_getattr_xattr_fs(mscan_t)
++
++auth_dontaudit_read_shadow(mscan_t)
++auth_use_nsswitch(mscan_t)
++
++logging_send_syslog_msg(mscan_t)
++
++miscfiles_read_localization(mscan_t)
++
++optional_policy(`
++	clamav_domtrans_clamscan(mscan_t)
++	clamav_manage_clamd_pid(mscan_t)
++')
++
++optional_policy(`
++	mta_send_mail(mscan_t)
++	mta_manage_queue(mscan_t)
++')
++
++optional_policy(`
++	procmail_domtrans(mscan_t)
++')
++
++optional_policy(`
++	spamassassin_read_home_client(mscan_t)
++	spamassassin_read_lib_files(mscan_t)
++')
 diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
 new file mode 100644
 index 0000000..bce824e
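Review bot: `mailscanner_admin` in the new mailscanner.if requires and administers `mscan_etc_t` and `mscan_var_run_t` but not `mscan_tmp_t`, which mailscanner.te declares and has mscan_t create under /tmp; add `type mscan_tmp_t;` to its `gen_require` and `admin_pattern($1, mscan_tmp_t)` plus `files_list_tmp($1)` so an admin role can clean those files up. In mailscanner.te, `allow mscan_t self:capability { setuid chown setgid dac_override };` includes `dac_override`, which bypasses every DAC check; if the daemon only needs to read files it does not own, `dac_read_search` is the narrower capability and worth trying first. `permissive mscan_t;` means none of these rules are enforced yet and denials will only be logged, so the comment should state when the line is expected to go, e.g. `# New in F16: permissive until the policy has been exercised; remove before the domain is enforced`. Minor: the .if summary says `an mailscanner environment` where `a mailscanner environment` is meant.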
@@ -36825,7 +37191,7 @@ index 0000000..0b9257a
 +    xserver_dontaudit_read_xdm_pid(mpd_t)
 +')
 diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
-index 256166a..df99841 100644
+index 256166a..6321a93 100644
 --- a/policy/modules/services/mta.fc
 +++ b/policy/modules/services/mta.fc
 @@ -1,4 +1,5 @@
@@ -36835,7 +37201,7 @@ index 256166a..df99841 100644
  
  /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
-@@ -11,9 +12,12 @@ ifdef(`distro_redhat',`
+@@ -11,20 +12,24 @@ ifdef(`distro_redhat',`
  /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
  ')
  
@@ -36849,6 +37215,22 @@ index 256166a..df99841 100644
  /usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
  /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/ssmtp 		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/sendmail\.postfix	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/sendmail(\.sendmail)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/ssmtp 		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+ /var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
+ 
+ /var/qmail/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+ /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
+-/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
++/var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
++/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
+ /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
 index 343cee3..fe40cce 100644
 --- a/policy/modules/services/mta.if
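Review bot: The tab normalization this hunk applies to the sendmail entries is incomplete: `/usr/sbin/ssmtp 		--` still has a space before its tabs, so that line stays out of step with the two it was re-tabbed alongside; `+/usr/sbin/ssmtp			--	gen_context(system_u:object_r:sendmail_exec_t,s0)`. The new `/var/spool/mqueue\.in(/.*)?` entry gives a further spool directory the mqueue_spool_t label, and nothing in the hunk says which MTA setup creates it; a one-line comment above it naming that (`# TODO(review): which MTA configuration uses mqueue.in`) would help whoever next audits spool labeling.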
@@ -37217,7 +37599,7 @@ index 343cee3..fe40cce 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..24ab364 100644
+index 64268e4..5f0c71d 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -37396,11 +37778,15 @@ index 64268e4..24ab364 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,16 +255,21 @@ optional_policy(`
+@@ -249,16 +255,25 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
 +optional_policy(`
++	postfix_rw_master_pipes(mailserver_delivery)
++')
++
++optional_policy(`
 +	uucp_domtrans_uux(mailserver_delivery)
 +')
 +
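Review bot: `postfix_rw_master_pipes(mailserver_delivery)` grants read/write on postfix's master pipes to the whole mailserver_delivery attribute rather than to one delivery domain, and the hunk gives no reason for the attribute-wide grant; a comment above the optional_policy block such as `# TODO(review): which delivery agent needs master(8)'s pipes` would record the justification. The same interface is called for uux_t in the uucp.te hunk later in this patch; its definition does not appear in this chunk, so I could not confirm that postfix.if provides it or how much it grants.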
@@ -37420,7 +37806,7 @@ index 64268e4..24ab364 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -292,3 +303,44 @@ optional_policy(`
+@@ -292,3 +307,44 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -41670,7 +42056,7 @@ index 46bee12..b90c902 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..4276415 100644
+index 06e37d4..c8e77f0 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -41860,11 +42246,12 @@ index 06e37d4..4276415 100644
  ########################################
  #
  # Postfix map local policy
-@@ -385,13 +424,15 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+@@ -385,13 +424,16 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
  read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  
 +mcs_file_read_all(postfix_pickup_t)
++mcs_file_write_all(postfix_pickup_t)
 +
  ########################################
  #
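Review bot: `mcs_file_write_all(postfix_pickup_t)` lets pickup write files at any MCS category, which removes MCS separation for everything pickup touches, and the hunk gives no reason for it. Pairing it with the existing `mcs_file_read_all` makes the override symmetric, but write is the more consequential half; a comment such as `# pickup rewrites maildrop files submitted at any MCS level` (if that is in fact the trigger) would record the justification, and if only the maildrop spool is involved a rule scoped to postfix_spool_maildrop_t would be narrower. I could not verify from this chunk what denial prompted the addition.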
@@ -41877,7 +42264,7 @@ index 06e37d4..4276415 100644
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -401,6 +442,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +443,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -41886,7 +42273,7 @@ index 06e37d4..4276415 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +463,7 @@ optional_policy(`
+@@ -420,6 +464,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -41894,7 +42281,7 @@ index 06e37d4..4276415 100644
  ')
  
  optional_policy(`
-@@ -436,6 +480,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,6 +481,9 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -41904,7 +42291,7 @@ index 06e37d4..4276415 100644
  rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
  
  postfix_list_spool(postfix_postdrop_t)
-@@ -487,8 +534,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +535,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -41915,7 +42302,7 @@ index 06e37d4..4276415 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +554,8 @@ optional_policy(`
+@@ -507,6 +555,8 @@ optional_policy(`
  # Postfix qmgr local policy
  #
  
@@ -41924,7 +42311,7 @@ index 06e37d4..4276415 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +568,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +569,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -41933,7 +42320,7 @@ index 06e37d4..4276415 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +588,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +589,7 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -41942,7 +42329,7 @@ index 06e37d4..4276415 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +637,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +638,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -41959,7 +42346,7 @@ index 06e37d4..4276415 100644
  ')
  
  optional_policy(`
-@@ -611,8 +666,8 @@ optional_policy(`
+@@ -611,8 +667,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -41969,7 +42356,7 @@ index 06e37d4..4276415 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +685,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +686,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -42985,7 +43372,7 @@ index 2855a44..c71fa1e 100644
  		type puppet_tmp_t;
  	')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..7cdabb5 100644
+index 64c5f95..daa73d1 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0)
@@ -43098,7 +43485,7 @@ index 64c5f95..7cdabb5 100644
  #
  
  allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -176,24 +244,29 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
+@@ -176,24 +244,30 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
  list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
  read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
  
@@ -43114,6 +43501,7 @@ index 64c5f95..7cdabb5 100644
 +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
  
  setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
++create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
  manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
  files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
 +allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
@@ -43130,7 +43518,7 @@ index 64c5f95..7cdabb5 100644
  
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +279,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +280,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
  corenet_tcp_bind_puppet_port(puppetmaster_t)
  corenet_sendrecv_puppet_server_packets(puppetmaster_t)
  
@@ -43177,7 +43565,7 @@ index 64c5f95..7cdabb5 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -231,3 +329,9 @@ optional_policy(`
+@@ -231,3 +330,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -45100,10 +45488,10 @@ index 0000000..88f6a9e
 +')
 diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
 new file mode 100644
-index 0000000..ccd9f84
+index 0000000..988f82c
 --- /dev/null
 +++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,81 @@
 +policy_module(rhev,1.0)
 +
 +########################################
@@ -45146,6 +45534,7 @@ index 0000000..ccd9f84
 +can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
 +
 +kernel_read_system_state(rhev_agentd_t)
++kernel_read_kernel_sysctls(rhev_agentd_t)
 +
 +corecmd_exec_bin(rhev_agentd_t)
 +corecmd_exec_shell(rhev_agentd_t)
@@ -45161,6 +45550,7 @@ index 0000000..ccd9f84
 +init_read_utmp(rhev_agentd_t)
 +
 +libs_exec_ldconfig(rhev_agentd_t)
++logging_send_syslog_msg(rhev_agentd_t)
 +
 +miscfiles_read_localization(rhev_agentd_t)
 +
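Review bot: `logging_send_syslog_msg(rhev_agentd_t)` is appended directly under `libs_exec_ldconfig(rhev_agentd_t)` with no separating blank line, whereas the rest of this new file (and refpolicy convention) keeps calls into different modules in their own blank-line-separated groups; insert a blank line between the two so the logging call stands as its own group before `miscfiles_read_localization`.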
@@ -46321,10 +46711,10 @@ index 71ea0ea..664e68e 100644
  #
  interface(`rwho_domtrans',`
 diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
-index a07b2f4..d78daf4 100644
+index a07b2f4..0ba4495 100644
 --- a/policy/modules/services/rwho.te
 +++ b/policy/modules/services/rwho.te
-@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t)
+@@ -55,6 +55,10 @@ files_read_etc_files(rwho_t)
  init_read_utmp(rwho_t)
  init_dontaudit_write_utmp(rwho_t)
  
@@ -46334,6 +46724,7 @@ index a07b2f4..d78daf4 100644
  
  sysnet_dns_name_resolve(rwho_t)
 +
++userdom_getattr_user_terminals(rwho_t)
 diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
 index 69a6074..73db5ba 100644
 --- a/policy/modules/services/samba.fc
@@ -47816,7 +48207,7 @@ index 6b3abf9..d445f78 100644
 +/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
-index c954f31..7f57f22 100644
+index c954f31..c7cadcb 100644
 --- a/policy/modules/services/spamassassin.if
 +++ b/policy/modules/services/spamassassin.if
 @@ -14,6 +14,7 @@
@@ -47849,7 +48240,7 @@ index c954f31..7f57f22 100644
  ')
  
  ########################################
-@@ -111,6 +115,46 @@ interface(`spamassassin_domtrans_client',`
+@@ -111,6 +115,67 @@ interface(`spamassassin_domtrans_client',`
  	')
  
  	domtrans_pattern($1, spamc_exec_t, spamc_t)
@@ -47893,10 +48284,31 @@ index c954f31..7f57f22 100644
 +	manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
 +	manage_files_pattern($1, spamc_home_t, spamc_home_t)
 +	manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
++')
++
++########################################
++## <summary>
++##	Read spamc home files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`spamassassin_read_home_client',`
++	gen_require(`
++		type spamc_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	list_dirs_pattern($1, spamc_home_t, spamc_home_t)
++	read_files_pattern($1, spamc_home_t, spamc_home_t)
++	read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
  ')
  
  ########################################
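Review bot: The `<summary>` of the new `spamassassin_read_home_client` says only "Read spamc home files", but the body also grants `userdom_search_user_home_dirs($1)`, i.e. search on every user's home directory, which callers such as mscan_t should know they are receiving; extend it to `##	Read spamc home files; also grants search on user home directories.` The list/read/read_lnk pattern itself mirrors the manage variant just above it, which is fine.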
-@@ -166,7 +210,9 @@ interface(`spamassassin_read_lib_files',`
+@@ -166,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
  	')
  
  	files_search_var_lib($1)
@@ -47906,7 +48318,7 @@ index c954f31..7f57f22 100644
  ')
  
  ########################################
-@@ -204,6 +250,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
+@@ -204,6 +271,7 @@ interface(`spamassassin_read_spamd_tmp_files',`
  		type spamd_tmp_t;
  	')
  
@@ -47914,7 +48326,7 @@ index c954f31..7f57f22 100644
  	allow $1 spamd_tmp_t:file read_file_perms;
  ')
  
-@@ -223,5 +270,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
+@@ -223,5 +291,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
  		type spamd_tmp_t;
  	')
  
@@ -48892,7 +49304,7 @@ index 22adaca..76e8829 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..c71bdb9 100644
+index 2dad3c8..fcfc95b 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -49168,10 +49580,14 @@ index 2dad3c8..c71bdb9 100644
  ')
  
  optional_policy(`
-@@ -284,6 +329,11 @@ optional_policy(`
+@@ -284,6 +329,15 @@ optional_policy(`
  ')
  
  optional_policy(`
++	systemd_exec_systemctl(sshd_t)
++')
++
++optional_policy(`
 +	usermanage_domtrans_passwd(sshd_t)
 +	usermanage_read_crack_db(sshd_t)
 +')
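Review bot: `systemd_exec_systemctl(sshd_t)` lets sshd_t run systemctl in its own domain, and the hunk gives no reason why the ssh daemon should manage units at all; a comment above the optional_policy block, e.g. `# TODO(review): which sshd code path execs systemctl`, would make the grant reviewable later. The interface's definition is not in this chunk, so I could not check what else it grants beyond the exec.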
@@ -49180,7 +49596,7 @@ index 2dad3c8..c71bdb9 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +342,26 @@ optional_policy(`
+@@ -292,26 +346,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -49226,7 +49642,7 @@ index 2dad3c8..c71bdb9 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +372,25 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +376,25 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -49253,7 +49669,7 @@ index 2dad3c8..c71bdb9 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +407,10 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,9 +411,10 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -50124,7 +50540,7 @@ index c2cf97e..037a1e8 100644
  allow uptimed_t uptimed_etc_t:file read_file_perms;
  files_search_etc(uptimed_t)
 diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index d4349e9..d9dbcc2 100644
+index d4349e9..4d112ba 100644
 --- a/policy/modules/services/uucp.te
 +++ b/policy/modules/services/uucp.te
 @@ -125,6 +125,8 @@ optional_policy(`
@@ -50136,6 +50552,14 @@ index d4349e9..d9dbcc2 100644
  uucp_append_log(uux_t)
  uucp_manage_spool(uux_t)
  
+@@ -147,3 +149,7 @@ optional_policy(`
+ optional_policy(`
+ 	nscd_socket_use(uux_t)
+ ')
++
++optional_policy(`
++	postfix_rw_master_pipes(uux_t)
++')
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
 index f9310f3..064171e 100644
 --- a/policy/modules/services/varnishd.te
@@ -54352,14 +54776,17 @@ index d77e631..4776863 100644
  #
  interface(`zabbix_append_log',`
 diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index c26ecf5..b906c48 100644
+index c26ecf5..49c7c50 100644
 --- a/policy/modules/services/zabbix.te
 +++ b/policy/modules/services/zabbix.te
-@@ -26,11 +26,11 @@ files_pid_file(zabbix_var_run_t)
+@@ -25,12 +25,13 @@ files_pid_file(zabbix_var_run_t)
+ # zabbix local policy
  #
  
- allow zabbix_t self:capability { setuid setgid };
+-allow zabbix_t self:capability { setuid setgid };
 -allow zabbix_t self:fifo_file rw_file_perms;
++allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
++allow zabbix_t self:process setsched;
 +allow zabbix_t self:fifo_file rw_fifo_file_perms;
  allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
  
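Review bot: The rewritten capability line adds `dac_override` alongside `dac_read_search` for zabbix_t with no comment explaining what the agent must write as a non-owner; `dac_read_search` already covers reading and traversing paths it does not own, and refpolicy usually adds `dac_override` only when a write was actually denied. If only reads were observed, `+allow zabbix_t self:capability { dac_read_search setuid setgid };` is the narrower fix; otherwise a one-line comment naming the write path would justify it. `setsched` looks plausible for an agent adjusting its own scheduling but is likewise undocumented.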
@@ -54369,6 +54796,15 @@ index c26ecf5..b906c48 100644
  manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
  logging_log_filetrans(zabbix_t, zabbix_log_t, file)
  
+@@ -39,6 +40,8 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+ files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
+ 
++kernel_read_kernel_sysctls(zabbix_t)
++
+ files_read_etc_files(zabbix_t)
+ 
+ miscfiles_read_localization(zabbix_t)
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
 new file mode 100644
 index 0000000..28cd477
@@ -56706,7 +57142,7 @@ index cc83689..48662f1 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..0eb1342 100644
+index ea29513..52e944d 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -56834,7 +57270,7 @@ index ea29513..0eb1342 100644
  files_manage_etc_runtime_files(init_t)
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
-@@ -151,10 +196,16 @@ mls_file_read_all_levels(init_t)
+@@ -151,10 +196,19 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -56844,6 +57280,9 @@ index ea29513..0eb1342 100644
 +mls_rangetrans_source(initrc_t)
  
  selinux_set_all_booleans(init_t)
++selinux_load_policy(init_t)
++selinux_mounton_fs(init_t)
++allow init_t security_t:security load_policy;
  
 -term_use_all_terms(init_t)
 +term_use_unallocated_ttys(init_t)
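Review bot: `allow init_t security_t:security load_policy;` references security_t directly from init.te, bypassing the selinux module's interfaces, and `selinux_load_policy(init_t)` on the line above is the interface that exists to grant precisely this permission, so the raw rule appears redundant; drop it, or if selinux_load_policy proves insufficient on this tree, fix the interface rather than adding a cross-module allow. Letting init_t load policy and mount on selinuxfs is a large grant; a comment such as `# systemd loads the policy itself early in boot` (assuming that is the motivation) belongs above these lines.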
@@ -56852,7 +57291,7 @@ index ea29513..0eb1342 100644
  
  # Run init scripts.
  init_domtrans_script(init_t)
-@@ -162,12 +213,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +216,16 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -56860,6 +57299,7 @@ index ea29513..0eb1342 100644
  logging_rw_generic_logs(init_t)
  
  seutil_read_config(init_t)
++seutil_read_module_store(init_t)
  
  miscfiles_read_localization(init_t)
  
@@ -56868,7 +57308,7 @@ index ea29513..0eb1342 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +232,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +236,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -56877,7 +57317,7 @@ index ea29513..0eb1342 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +240,121 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +244,121 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -56999,7 +57439,7 @@ index ea29513..0eb1342 100644
  ')
  
  optional_policy(`
-@@ -199,10 +362,26 @@ optional_policy(`
+@@ -199,10 +366,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57026,7 +57466,7 @@ index ea29513..0eb1342 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +391,7 @@ optional_policy(`
+@@ -212,7 +395,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -57035,7 +57475,7 @@ index ea29513..0eb1342 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +420,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +424,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -57051,7 +57491,7 @@ index ea29513..0eb1342 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +440,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +444,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -57088,7 +57528,7 @@ index ea29513..0eb1342 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +473,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +477,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -57096,7 +57536,7 @@ index ea29513..0eb1342 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +484,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +488,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -57107,7 +57547,7 @@ index ea29513..0eb1342 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +495,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +499,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -57124,7 +57564,7 @@ index ea29513..0eb1342 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +514,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +518,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -57132,7 +57572,7 @@ index ea29513..0eb1342 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +522,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +526,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -57144,7 +57584,7 @@ index ea29513..0eb1342 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +541,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +545,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -57158,7 +57598,7 @@ index ea29513..0eb1342 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +556,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +560,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -57167,7 +57607,7 @@ index ea29513..0eb1342 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +570,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +574,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -57175,7 +57615,7 @@ index ea29513..0eb1342 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +582,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +586,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -57183,7 +57623,7 @@ index ea29513..0eb1342 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +603,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +607,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -57205,7 +57645,7 @@ index ea29513..0eb1342 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +666,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +670,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -57216,7 +57656,7 @@ index ea29513..0eb1342 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +690,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +694,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -57225,7 +57665,7 @@ index ea29513..0eb1342 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +705,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +709,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -57233,7 +57673,7 @@ index ea29513..0eb1342 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +735,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +739,29 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -57263,7 +57703,7 @@ index ea29513..0eb1342 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +765,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +769,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -57286,7 +57726,7 @@ index ea29513..0eb1342 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +795,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +799,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -57326,7 +57766,7 @@ index ea29513..0eb1342 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +840,8 @@ optional_policy(`
+@@ -561,6 +844,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -57335,7 +57775,7 @@ index ea29513..0eb1342 100644
  ')
  
  optional_policy(`
-@@ -577,6 +858,7 @@ optional_policy(`
+@@ -577,6 +862,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -57343,7 +57783,7 @@ index ea29513..0eb1342 100644
  ')
  
  optional_policy(`
-@@ -589,6 +871,11 @@ optional_policy(`
+@@ -589,6 +875,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57355,7 +57795,7 @@ index ea29513..0eb1342 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +892,13 @@ optional_policy(`
+@@ -605,9 +896,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -57369,7 +57809,7 @@ index ea29513..0eb1342 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +940,11 @@ optional_policy(`
+@@ -649,6 +944,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57381,7 +57821,7 @@ index ea29513..0eb1342 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +1002,13 @@ optional_policy(`
+@@ -706,7 +1006,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57395,7 +57835,7 @@ index ea29513..0eb1342 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1031,10 @@ optional_policy(`
+@@ -729,6 +1035,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57406,7 +57846,7 @@ index ea29513..0eb1342 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1044,20 @@ optional_policy(`
+@@ -738,10 +1048,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57427,7 +57867,7 @@ index ea29513..0eb1342 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1066,10 @@ optional_policy(`
+@@ -750,6 +1070,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57438,7 +57878,7 @@ index ea29513..0eb1342 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1091,6 @@ optional_policy(`
+@@ -771,8 +1095,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -57447,7 +57887,7 @@ index ea29513..0eb1342 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1099,21 @@ optional_policy(`
+@@ -781,14 +1103,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57469,7 +57909,7 @@ index ea29513..0eb1342 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1125,6 @@ optional_policy(`
+@@ -800,7 +1129,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57477,7 +57917,7 @@ index ea29513..0eb1342 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1134,24 @@ optional_policy(`
+@@ -810,11 +1138,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57503,7 +57943,7 @@ index ea29513..0eb1342 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1161,25 @@ optional_policy(`
+@@ -824,6 +1165,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -57529,7 +57969,7 @@ index ea29513..0eb1342 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1205,42 @@ optional_policy(`
+@@ -849,3 +1209,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -58174,7 +58614,7 @@ index 1d1c399..b8f623a 100644
 +	tgtd_manage_semaphores(iscsid_t)
  ')
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 9df8c4d..6b49c76 100644
+index 9df8c4d..4ea7422 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
@@ -58476,7 +58916,7 @@ index 9df8c4d..6b49c76 100644
  ') dnl end distro_redhat
  
  #
-@@ -316,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -316,17 +301,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -58489,9 +58929,10 @@ index 9df8c4d..6b49c76 100644
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
-+/usr/lib/pgsql/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib/pgsql/test/regress/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
-+/var/lib/spamassassin/compiled/.*\.so.*    --     gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/pgsql/.*\.so.*			--	gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/pgsql/test/regress/.*\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
++/var/lib/spamassassin/compiled/.*\.so.* --	gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/xfce4/.*\.so.*			-- 	gen_context(system_u:object_r:lib_t,s0)
 +
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
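Review bot: The new `/usr/lib/xfce4/.*\.so.*` entry has a space after `--` before the tab, while the three lines the hunk just re-tabbed use `--\t`, so the normalization is undone on the very next line; `+/usr/lib/xfce4/.*\.so.*			--	gen_context(system_u:object_r:lib_t,s0)`. These four /usr/lib entries also sit among the file's /var/… entries and match only /usr/lib, not /usr/lib64; if the rest of libraries.fc uses `/usr/lib(64)?` (not visible in this chunk) the same pattern should be used here.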
@@ -63918,7 +64359,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..d7d8b53 100644
+index 28b88de..64d9bb7 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -65697,7 +66138,33 @@ index 28b88de..d7d8b53 100644
  ')
  
  ########################################
-@@ -2815,7 +3264,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2644,6 +3093,25 @@ interface(`userdom_dontaudit_use_user_terminals',`
+ 	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
+ ')
+ 
++
++########################################
++## <summary>
++##	Get attributes of user domain tty and pty.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_getattr_user_terminals',`
++	gen_require(`
++		type user_tty_device_t, user_devpts_t;
++	')
++
++	allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute a shell in all user domains.  This
+@@ -2815,7 +3283,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
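Review bot: The hunk inserts an extra blank line (the `++` immediately after the existing blank context line), so two blank lines now separate `userdom_dontaudit_use_user_terminals` from the new `userdom_getattr_user_terminals`; refpolicy separates interfaces with a single blank line, so the leading added blank should be dropped. The interface body is consistent with its summary and with the rwho.te call site earlier in this patch.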
@@ -65706,7 +66173,7 @@ index 28b88de..d7d8b53 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3280,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3299,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -65722,7 +66189,7 @@ index 28b88de..d7d8b53 100644
  ')
  
  ########################################
-@@ -2917,7 +3368,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3387,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -65731,7 +66198,7 @@ index 28b88de..d7d8b53 100644
  ')
  
  ########################################
-@@ -2972,7 +3423,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3442,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -65778,7 +66245,7 @@ index 28b88de..d7d8b53 100644
  ')
  
  ########################################
-@@ -3009,6 +3498,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3517,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -65786,7 +66253,7 @@ index 28b88de..d7d8b53 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3087,6 +3577,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3596,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -65811,7 +66278,7 @@ index 28b88de..d7d8b53 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3647,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3666,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -67327,7 +67794,7 @@ index 22ca011..df6b5de 100644
  
  #
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
-index f7380b3..5989a3c 100644
+index f7380b3..4dc179b 100644
 --- a/policy/support/obj_perm_sets.spt
 +++ b/policy/support/obj_perm_sets.spt
 @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }')
@@ -67349,7 +67816,7 @@ index f7380b3..5989a3c 100644
  
  #
  # Permissions for creating and using sockets.
-@@ -199,12 +198,14 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
+@@ -199,12 +198,15 @@ define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }')
  #
  define(`getattr_file_perms',`{ getattr }')
  define(`setattr_file_perms',`{ setattr }')
@@ -67358,7 +67825,9 @@ index f7380b3..5989a3c 100644
 +define(`read_file_perms',`{ open read_inherited_file_perms }')
  define(`mmap_file_perms',`{ getattr open read execute ioctl }')
  define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
- define(`append_file_perms',`{ getattr open append lock ioctl }')
+-define(`append_file_perms',`{ getattr open append lock ioctl }')
++define(`append_inherited_perms',`{ getattr append }')
++define(`append_file_perms',`{ open lock ioctl }')
  define(`write_file_perms',`{ getattr open write append lock ioctl }')
 -define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
 +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
@@ -67366,7 +67835,7 @@ index f7380b3..5989a3c 100644
  define(`create_file_perms',`{ getattr create open }')
  define(`rename_file_perms',`{ getattr rename }')
  define(`delete_file_perms',`{ getattr unlink }')
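Review bot: The redefined `append_file_perms` in this hunk, `{ open lock ioctl }`, no longer contains `append` (nor `getattr`), so every rule built from it would lose the very permission the macro is named for, while the newly added `append_inherited_perms` `{ getattr append }` is not referenced anywhere in the visible lines. By analogy with `read_file_perms` being rewritten as `{ open read_inherited_file_perms }` just above, the intended line is presumably `define(`append_file_perms',`{ open lock ioctl append_inherited_perms }')`. The name is also inconsistent with the sibling macros `read_inherited_file_perms` and `rw_inherited_file_perms`, which keep `_file_` in the identifier; `append_inherited_file_perms` would follow that convention, assuming nothing outside this hunk already refers to the shorter name.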
-@@ -225,7 +226,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+@@ -225,7 +227,7 @@ define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
  define(`create_lnk_file_perms',`{ create getattr }')
  define(`rename_lnk_file_perms',`{ getattr rename }')
  define(`delete_lnk_file_perms',`{ getattr unlink }')
@@ -67375,7 +67844,7 @@ index f7380b3..5989a3c 100644
  define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
  define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
  define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
-@@ -238,7 +239,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
+@@ -238,7 +240,8 @@ define(`setattr_fifo_file_perms',`{ setattr }')
  define(`read_fifo_file_perms',`{ getattr open read lock ioctl }')
  define(`append_fifo_file_perms',`{ getattr open append lock ioctl }')
  define(`write_fifo_file_perms',`{ getattr open write append lock ioctl }')
@@ -67385,7 +67854,7 @@ index f7380b3..5989a3c 100644
  define(`create_fifo_file_perms',`{ getattr create open }')
  define(`rename_fifo_file_perms',`{ getattr rename }')
  define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -254,7 +256,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
+@@ -254,7 +257,8 @@ define(`getattr_sock_file_perms',`{ getattr }')
  define(`setattr_sock_file_perms',`{ setattr }')
  define(`read_sock_file_perms',`{ getattr open read }')
  define(`write_sock_file_perms',`{ getattr write open append }')
@@ -67395,7 +67864,7 @@ index f7380b3..5989a3c 100644
  define(`create_sock_file_perms',`{ getattr create open }')
  define(`rename_sock_file_perms',`{ getattr rename }')
  define(`delete_sock_file_perms',`{ getattr unlink }')
-@@ -271,7 +274,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
+@@ -271,7 +275,8 @@ define(`setattr_blk_file_perms',`{ setattr }')
  define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
  define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
  define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
@@ -67405,7 +67874,7 @@ index f7380b3..5989a3c 100644
  define(`create_blk_file_perms',`{ getattr create }')
  define(`rename_blk_file_perms',`{ getattr rename }')
  define(`delete_blk_file_perms',`{ getattr unlink }')
-@@ -288,7 +292,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
+@@ -288,7 +293,8 @@ define(`setattr_chr_file_perms',`{ setattr }')
  define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
  define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
  define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
@@ -67415,7 +67884,7 @@ index f7380b3..5989a3c 100644
  define(`create_chr_file_perms',`{ getattr create }')
  define(`rename_chr_file_perms',`{ getattr rename }')
  define(`delete_chr_file_perms',`{ getattr unlink }')
-@@ -305,7 +310,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
+@@ -305,7 +311,8 @@ define(`relabel_chr_file_perms',`{ getattr relabelfrom relabelto }')
  #
  # Use (read and write) terminals
  #
@@ -67425,7 +67894,7 @@ index f7380b3..5989a3c 100644
  
  #
  # Sockets
-@@ -317,3 +323,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
+@@ -317,3 +324,14 @@ define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept
  # Keys
  #
  define(`manage_key_perms', `{ create link read search setattr view write } ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ecbffdf..bcf6ec1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -18,7 +18,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 25.1%{?dist}
+Release: 26.1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -432,9 +432,18 @@ exit 0
 %endif
 
 %changelog
-* Thu Jun 2 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-25.1
+* Tue Jun 7 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-26.1
 - Add policy.26 to the payload
 
+* Tue Jun 7 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-26
+- Add mailscanner policy from dgrift
+- Allow chrome to optionally be transitioned to
+- Zabbix needs these rules when starting the zabbix_server_mysql
+- Implement a type for freedesktop openicc standard (~/.local/share/icc)
+- Allow system_dbusd_t to read inherited icc_data_home_t files.
+- Allow colord_t to read icc_data_home_t content. #706975
+- Label stuff under /usr/lib/debug as if it was labeled under /
+
 * Thu Jun 2 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-25
 - Fixes for sanlock policy
 - Fixes for colord policy