diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 3cd546e..ce44aa4 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -62010,7 +62010,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index f462e95..20fb556 100644
+index 28802c5..7ee62e0 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -329,6 +329,7 @@ class process
@@ -62032,16 +62032,15 @@ index f462e95..20fb556 100644
  }
  
  #
-@@ -445,6 +450,8 @@ class capability2
- 	mac_override	# unused by SELinux
+@@ -446,6 +451,7 @@ class capability2
  	mac_admin	# unused by SELinux
  	syslog
-+	wake_alarm
+ 	wake_alarm
 +	epollwakeup
+ 	block_suspend
  }
  
- #
-@@ -860,3 +867,20 @@ inherits database
+@@ -862,3 +868,20 @@ inherits database
  	implement
  	execute
  }
@@ -63156,7 +63155,7 @@ index 0960199..6c2e521 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 1bd7d84..4f57935 100644
+index d9fce57..0424852 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
 @@ -7,3 +7,104 @@ attribute sudodomain;
@@ -63488,10 +63487,10 @@ index 98b8b2d..da75471 100644
  
  ########################################
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 81b6608..c8252ac 100644
+index 673180c..1187de6 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
-@@ -5,18 +5,18 @@ policy_module(usermanage, 1.17.3)
+@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.0)
  # Declarations
  #
  
@@ -64523,7 +64522,7 @@ index 9e9263a..c4dc1b6 100644
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index b4f7bc7..481ae66 100644
+index 1dd0427..a4ba874 100644
 --- a/policy/modules/kernel/corecommands.te
 +++ b/policy/modules/kernel/corecommands.te
 @@ -13,7 +13,7 @@ attribute exec_type;
@@ -65959,7 +65958,7 @@ index 8e0f9cd..da3b374 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 97978e3..0cc85e4 100644
+index fe2ee5e..8db5e47 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -14,12 +14,14 @@ attribute node_type;
@@ -66210,7 +66209,8 @@ index 97978e3..0cc85e4 100644
 +network_port(snmp, tcp,161-162,s0, udp,161-162,s0, tcp,199,s0, tcp, 1161, s0)
 +type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
- network_port(spamd, tcp,783,s0)
+-network_port(spamd, tcp,783,s0)
++network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)
  network_port(speech, tcp,8036,s0)
 -network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
 +network_port(squid, tcp,3128,s0, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
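Review bot: The new `network_port(spamd, tcp,783,s0, tcp, 10026, s0, tcp, 10027, s0)` line gives no reason for the two extra ports, unlike the squid line below it with its `# snmp and htcp` remark. Every domain already allowed to bind or connect to spamd_port_t gains tcp/10026 and tcp/10027 with this change, so the intended listener should be named in a trailing comment such as `# 10026-10027: <SERVICE_USING_THESE_PORTS>`. It is also worth confirming that no other network_port() entry in corenetwork.te.in claims either port; the rest of the list is not visible in this hunk.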
@@ -68030,7 +68030,7 @@ index d820975..21a21e4 100644
 +	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
 +')
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 74894d7..94d5f10 100644
+index 06eda45..7fa1559 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -20,6 +20,7 @@ files_mountpoint(device_t)
@@ -68604,7 +68604,7 @@ index cf04cb5..e43701b 100644
 +
 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 4429d30..38dcaf6 100644
+index 8796ca3..38dcaf6 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -68615,11 +68615,13 @@ index 4429d30..38dcaf6 100644
  ')
  
  ifdef(`distro_suse',`
-@@ -53,10 +54,16 @@ ifdef(`distro_suse',`
+@@ -53,12 +54,16 @@ ifdef(`distro_suse',`
  /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
 -/etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab~[0-9]*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/mtab\.tmp		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 -/etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 +/etc/mtab.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
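Review bot: `/etc/mtab.*` now stands in for four explicit upstream entries (`/etc/mtab`, `/etc/mtab~[0-9]*`, `/etc/mtab\.tmp`, `/etc/mtab\.fuselock`) and is wider than all of them together. The dot is an unescaped regex wildcard, so any regular file whose path merely begins with /etc/mtab is labelled etc_runtime_t. If only the lock and temporary variants are meant, `/etc/mtab(\..*|~[0-9]*)?		--	gen_context(system_u:object_r:etc_runtime_t,s0)` keeps that coverage without the prefix match. The inner hunk continues beyond this outer hunk.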
@@ -68634,7 +68636,7 @@ index 4429d30..38dcaf6 100644
  
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
-@@ -68,7 +75,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +75,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -68646,7 +68648,7 @@ index 4429d30..38dcaf6 100644
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -102,7 +112,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
+@@ -104,7 +112,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
  /initrd			-d	gen_context(system_u:object_r:root_t,s0)
  
  #
@@ -68655,7 +68657,7 @@ index 4429d30..38dcaf6 100644
  #
  /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
  
-@@ -127,6 +137,8 @@ ifdef(`distro_debian',`
+@@ -129,6 +137,8 @@ ifdef(`distro_debian',`
  /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
  /media/[^/]*/.*			<<none>>
  /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
@@ -68664,7 +68666,7 @@ index 4429d30..38dcaf6 100644
  
  #
  # /misc
-@@ -151,7 +163,7 @@ ifdef(`distro_debian',`
+@@ -153,7 +163,7 @@ ifdef(`distro_debian',`
  /opt			-d	gen_context(system_u:object_r:usr_t,s0)
  /opt/.*				gen_context(system_u:object_r:usr_t,s0)
  
@@ -68673,7 +68675,7 @@ index 4429d30..38dcaf6 100644
  
  #
  # /proc
-@@ -159,6 +171,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +171,12 @@ ifdef(`distro_debian',`
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -68686,7 +68688,7 @@ index 4429d30..38dcaf6 100644
  #
  # /run
  #
-@@ -195,6 +213,7 @@ ifdef(`distro_debian',`
+@@ -197,6 +213,7 @@ ifdef(`distro_debian',`
  /usr			-d	gen_context(system_u:object_r:usr_t,s0)
  /usr/.*				gen_context(system_u:object_r:usr_t,s0)
  /usr/\.journal			<<none>>
@@ -68694,7 +68696,7 @@ index 4429d30..38dcaf6 100644
  
  /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -202,15 +221,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +221,9 @@ ifdef(`distro_debian',`
  
  /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
  
@@ -68711,7 +68713,7 @@ index 4429d30..38dcaf6 100644
  
  /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -218,8 +231,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +231,6 @@ ifdef(`distro_debian',`
  /usr/tmp/.*			<<none>>
  
  ifndef(`distro_redhat',`
@@ -68720,7 +68722,7 @@ index 4429d30..38dcaf6 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -235,11 +246,14 @@ ifndef(`distro_redhat',`
+@@ -237,11 +246,14 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -68735,14 +68737,14 @@ index 4429d30..38dcaf6 100644
  
  /var/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/lost\+found/.*		<<none>>
-@@ -262,3 +276,5 @@ ifndef(`distro_redhat',`
+@@ -264,3 +276,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 41346fb..002fe16 100644
+index e1e814d..89379cc 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -69606,33 +69608,32 @@ index 41346fb..002fe16 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5550,6 +6094,25 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6094,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
+-##	Set the attributes of the generic lock directories.
 +##	List generic lock directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5558,12 +6102,13 @@ interface(`files_manage_mounttab',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_lock_dirs',`
 +interface(`files_list_locks',`
-+	gen_require(`
-+		type var_t, var_lock_t;
-+	')
-+
+ 	gen_require(`
+ 		type var_t, var_lock_t;
+ 	')
+ 
+-	setattr_dirs_pattern($1, var_t, var_lock_t)
 +	files_search_locks($1)
 +	list_dirs_pattern($1, var_t, var_lock_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Search the locks directory (/var/lock).
- ## </summary>
- ## <param name="domain">
-@@ -5563,6 +6126,7 @@ interface(`files_search_locks',`
+ ')
+ 
+ ########################################
+@@ -5581,6 +6126,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -69640,51 +69641,33 @@ index 41346fb..002fe16 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5589,7 +6153,8 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6153,7 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
 -##	List generic lock directories.
-+##	create a directory in the /var/lock
-+##	directories.
++##	Set the attributes of the /var/lock directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5597,13 +6162,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6161,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_list_locks',`
-+interface(`files_create_lock_dirs',`
++interface(`files_setattr_lock_dirs',`
  	gen_require(`
- 		type var_t, var_lock_t;
+-		type var_t, var_lock_t;
++		type var_lock_t;
  	')
-+	files_search_locks($1)
-+	allow $1 var_lock_t:dir create_dir_perms;
-+')
  
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	list_dirs_pattern($1, var_t, var_lock_t)
-+########################################
-+## <summary>
-+##	Set the attributes of the /var/lock directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_setattr_lock_dirs',`
-+	gen_require(`
-+		type var_lock_t;
-+	')
-+
 +	allow $1 var_lock_t:dir setattr;
  ')
  
  ########################################
-@@ -5622,7 +6204,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6185,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -69693,7 +69676,7 @@ index 41346fb..002fe16 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5635,7 +6217,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5673,7 +6218,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -69701,7 +69684,7 @@ index 41346fb..002fe16 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5663,8 +6244,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6245,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -69711,7 +69694,7 @@ index 41346fb..002fe16 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5680,13 +6260,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6261,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -69729,7 +69712,7 @@ index 41346fb..002fe16 100644
  ')
  
  ########################################
-@@ -5705,8 +6284,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6285,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -69739,7 +69722,7 @@ index 41346fb..002fe16 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5748,8 +6326,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6327,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -69749,7 +69732,7 @@ index 41346fb..002fe16 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5771,8 +6348,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6349,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -69759,7 +69742,7 @@ index 41346fb..002fe16 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6385,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6386,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -69769,7 +69752,7 @@ index 41346fb..002fe16 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5873,6 +6448,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6449,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -69813,7 +69796,7 @@ index 41346fb..002fe16 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5895,6 +6507,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6508,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -69839,7 +69822,7 @@ index 41346fb..002fe16 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6010,7 +6641,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6642,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -69847,11 +69830,89 @@ index 41346fb..002fe16 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6096,6 +6726,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,30 +6750,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
+-##	Read all process ID files.
 +##	Relable all pid directories
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
++interface(`files_relabel_all_pid_dirs',`
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
++	relabel_dirs_pattern($1, pidfile, pidfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
++##	Delete all pid sockets
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6188,43 +6776,213 @@ interface(`files_read_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
++interface(`files_delete_all_pid_sockets',`
+ 	gen_require(`
+-		attribute polymember;
++		attribute pidfile;
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
++	allow $1 pidfile:sock_file delete_sock_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
++##	Create all pid sockets
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
++interface(`files_create_all_pid_sockets',`
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	allow $1 pidfile:sock_file create_sock_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
++##	Create all pid named pipes
 +## </summary>
 +## <param name="domain">
 +##	<summary>
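Review bot: The summary `Relable all pid directories` on files_relabel_all_pid_dirs misspells the verb and should read `##	Relabel all pid directories.` The same typo appears in `Relable all pid files` on files_relabel_all_pid_files in a later hunk of this commit. These summaries are the only description of the interfaces, so the misspelling also hides them from a search for "relabel".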
@@ -69859,17 +69920,17 @@ index 41346fb..002fe16 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabel_all_pid_dirs',`
++interface(`files_create_all_pid_pipes',`
 +	gen_require(`
 +		attribute pidfile;
 +	')
 +
-+	relabel_dirs_pattern($1, pidfile, pidfile)
++	allow $1 pidfile:fifo_file create_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all pid sockets
++##	Delete all pid named pipes
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -69877,17 +69938,18 @@ index 41346fb..002fe16 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_all_pid_sockets',`
++interface(`files_delete_all_pid_pipes',`
 +	gen_require(`
 +		attribute pidfile;
 +	')
 +
-+	allow $1 pidfile:sock_file delete_sock_file_perms;
++	allow $1 pidfile:fifo_file delete_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Create all pid sockets
++##	manage all pidfile directories
++##	in the /var/run directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -69895,35 +69957,40 @@ index 41346fb..002fe16 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_create_all_pid_sockets',`
++interface(`files_manage_all_pid_dirs',`
 +	gen_require(`
 +		attribute pidfile;
 +	')
 +
-+	allow $1 pidfile:sock_file create_sock_file_perms;
++	manage_dirs_pattern($1,pidfile,pidfile)
 +')
 +
++
 +########################################
 +## <summary>
-+##	Create all pid named pipes
++##	Read all process ID files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_create_all_pid_pipes',`
++interface(`files_read_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
++		type var_t;
 +	')
 +
-+	allow $1 pidfile:fifo_file create_fifo_file_perms;
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
++	read_lnk_files_pattern($1, pidfile, pidfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Delete all pid named pipes
++##	Relable all pid files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -69931,18 +69998,17 @@ index 41346fb..002fe16 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_delete_all_pid_pipes',`
++interface(`files_relabel_all_pid_files',`
 +	gen_require(`
 +		attribute pidfile;
 +	')
 +
-+	allow $1 pidfile:fifo_file delete_fifo_file_perms;
++	relabel_files_pattern($1, pidfile, pidfile)
 +')
 +
 +########################################
 +## <summary>
-+##	manage all pidfile directories
-+##	in the /var/run directory.
++##	Execute generic programs in /var/run in the caller domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -69950,37 +70016,18 @@ index 41346fb..002fe16 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_all_pid_dirs',`
++interface(`files_exec_generic_pid_files',`
 +	gen_require(`
-+		attribute pidfile;
++		type var_run_t;
 +	')
 +
-+	manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
-+
-+########################################
-+## <summary>
- ##	Read all process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -6108,12 +6848,67 @@ interface(`files_dontaudit_ioctl_all_pids',`
- interface(`files_read_all_pids',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
-+		type var_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	list_dirs_pattern($1, var_t, pidfile)
- 	read_files_pattern($1, pidfile, pidfile)
-+	read_lnk_files_pattern($1, pidfile, pidfile)
++	exec_files_pattern($1, var_run_t, var_run_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Relable all pid files
++##	manage all pidfiles 
++##	in the /var/run directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
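Review bot: `files_exec_generic_pid_files` grants `exec_files_pattern($1, var_run_t, var_run_t)`, execution of generic /var/run files in the caller's own domain, and its summary says nothing about the consequence. /var/run is written at runtime, so a caller that also holds write or manage access to var_run_t files can create a file and then execute it without any domain transition. The documentation should state that constraint, for example `##	Callers should not also be able to write var_run_t files.` The callers are not visible here and are worth auditing. The interface's summary block opens in the previous outer hunk.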
@@ -69988,17 +70035,18 @@ index 41346fb..002fe16 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabel_all_pid_files',`
++interface(`files_manage_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
 +	')
 +
-+	relabel_files_pattern($1, pidfile, pidfile)
++	manage_files_pattern($1,pidfile,pidfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Execute generic programs in /var/run in the caller domain.
++##	Mount filesystems on all polyinstantiation
++##	member directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -70006,35 +70054,47 @@ index 41346fb..002fe16 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_exec_generic_pid_files',`
++interface(`files_mounton_all_poly_members',`
 +	gen_require(`
-+		type var_run_t;
++		attribute polymember;
 +	')
 +
-+	exec_files_pattern($1, var_run_t, var_run_t)
++	allow $1 polymember:dir mounton;
 +')
 +
 +########################################
 +## <summary>
-+##	manage all pidfiles 
-+##	in the /var/run directory.
++##	Delete all process IDs.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_manage_all_pids',`
++interface(`files_delete_all_pids',`
 +	gen_require(`
 +		attribute pidfile;
++		type var_t, var_run_t;
 +	')
 +
-+	manage_files_pattern($1,pidfile,pidfile)
- ')
- 
- ########################################
-@@ -6184,6 +6979,90 @@ interface(`files_delete_all_pid_dirs',`
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++')
++
++########################################
++## <summary>
++##	Delete all process ID directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6245,6 +7003,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -70125,7 +70185,7 @@ index 41346fb..002fe16 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6406,3 +7285,343 @@ interface(`files_unconfined',`
+@@ -6467,3 +7309,343 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -70470,7 +70530,7 @@ index 41346fb..002fe16 100644
 +	files_etc_filetrans_etc_runtime($1, file, "iptables.save")
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 1ce8aa0..24dfed0 100644
+index 52ef84e..14fabe2 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -10,7 +10,9 @@ attribute files_unconfined_type;
@@ -70514,7 +70574,15 @@ index 1ce8aa0..24dfed0 100644
  genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
  
  #
-@@ -167,12 +179,14 @@ files_mountpoint(var_t)
+@@ -149,6 +161,7 @@ files_tmp_file(tmp_t)
+ files_mountpoint(tmp_t)
+ files_poly(tmp_t)
+ files_poly_parent(tmp_t)
++typealias tmp_t alias firstboot_tmp_t;
+ 
+ #
+ # usr_t is the type for /usr.
+@@ -167,12 +180,14 @@ files_mountpoint(var_t)
  #
  type var_lib_t;
  files_mountpoint(var_lib_t)
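Review bot: `typealias tmp_t alias firstboot_tmp_t;` is added with no comment explaining why a domain-private temporary type is folded into the generic tmp_t. Once the alias exists, every rule that still names firstboot_tmp_t applies to all tmp_t objects, so a leftover allow or file-transition rule on that name is silently widened, and a module that still declares the type will conflict with the alias. Whether any such reference remains cannot be seen from this hunk and should be checked. A one-line comment above the alias would record the intent, presumably `# firstboot_tmp_t retired; alias keeps existing labels and references resolvable`.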
@@ -70529,7 +70597,7 @@ index 1ce8aa0..24dfed0 100644
  
  #
  # var_run_t is the type of /var/run, usually
-@@ -187,6 +201,7 @@ files_mountpoint(var_run_t)
+@@ -187,6 +202,7 @@ files_mountpoint(var_run_t)
  #
  type var_spool_t;
  files_tmp_file(var_spool_t)
@@ -70537,7 +70605,7 @@ index 1ce8aa0..24dfed0 100644
  
  ########################################
  #
-@@ -229,6 +244,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil
+@@ -229,6 +245,6 @@ allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_fil
  # Mount/unmount any filesystem with the context= option.
  allow files_unconfined_type file_type:filesystem *;
  
@@ -70567,7 +70635,7 @@ index cda5588..91d1e25 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..1be0007 100644
+index 7c6b791..aad6319 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -71064,40 +71132,10 @@ index 7c6b791..1be0007 100644
  ########################################
  ## <summary>
  ##	Mount a FUSE filesystem.
-@@ -1996,17 +2358,99 @@ interface(`fs_manage_fusefs_files',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_dontaudit_manage_fusefs_files',`
-+interface(`fs_dontaudit_manage_fusefs_files',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	dontaudit $1 fusefs_t:file manage_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read symbolic links on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_read_fusefs_symlinks',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	allow $1 fusefs_t:dir list_dir_perms;
-+	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+')
-+
-+########################################
-+## <summary>
+@@ -2025,6 +2387,68 @@ interface(`fs_read_fusefs_symlinks',`
+ 
+ ########################################
+ ## <summary>
 +##	Manage symbolic links on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
@@ -71150,104 +71188,44 @@ index 7c6b791..1be0007 100644
 +## </param>
 +#
 +interface(`fs_fusefs_domtrans',`
- 	gen_require(`
- 		type fusefs_t;
- 	')
- 
--	dontaudit $1 fusefs_t:file manage_file_perms;
++	gen_require(`
++		type fusefs_t;
++	')
++
 +	allow $1 fusefs_t:dir search_dir_perms;
 +	domain_auto_transition_pattern($1, fusefs_t, $2)
- ')
- 
- ########################################
- ## <summary>
--##	Read symbolic links on a FUSEFS filesystem.
-+##	Get the attributes of an hugetlbfs
-+##	filesystem.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2014,19 +2458,17 @@ interface(`fs_dontaudit_manage_fusefs_files',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_read_fusefs_symlinks',`
-+interface(`fs_getattr_hugetlbfs',`
- 	gen_require(`
--		type fusefs_t;
-+		type hugetlbfs_t;
- 	')
- 
--	allow $1 fusefs_t:dir list_dir_perms;
--	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
-+	allow $1 hugetlbfs_t:filesystem getattr;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of an hugetlbfs
--##	filesystem.
-+##	List hugetlbfs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2034,17 +2476,17 @@ interface(`fs_read_fusefs_symlinks',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_getattr_hugetlbfs',`
-+interface(`fs_list_hugetlbfs',`
- 	gen_require(`
- 		type hugetlbfs_t;
- 	')
- 
--	allow $1 hugetlbfs_t:filesystem getattr;
-+	allow $1 hugetlbfs_t:dir list_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	List hugetlbfs.
-+##	Manage hugetlbfs dirs.
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of an hugetlbfs
+ ##	filesystem.
  ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2052,17 +2494,17 @@ interface(`fs_getattr_hugetlbfs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_list_hugetlbfs',`
-+interface(`fs_manage_hugetlbfs_dirs',`
- 	gen_require(`
- 		type hugetlbfs_t;
- 	')
- 
--	allow $1 hugetlbfs_t:dir list_dir_perms;
-+	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
+@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
--##	Manage hugetlbfs dirs.
 +##	Read hugetlbfs files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2070,12 +2512,12 @@ interface(`fs_list_hugetlbfs',`
- ##	</summary>
- ## </param>
- #
--interface(`fs_manage_hugetlbfs_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`fs_read_hugetlbfs_files',`
- 	gen_require(`
- 		type hugetlbfs_t;
- 	')
- 
--	manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t)
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
 +	read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
- ')
- 
- ########################################
++')
++
++########################################
++## <summary>
+ ##	Read and write hugetlbfs files.
+ ## </summary>
+ ## <param name="domain">
 @@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
  	')
  
@@ -71735,7 +71713,7 @@ index 7c6b791..1be0007 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4876,3 +5581,24 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5581,43 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -71760,8 +71738,27 @@ index 7c6b791..1be0007 100644
 +	dontaudit $1 filesystem_type:lnk_file { read };
 +')
 +
++
++########################################
++## <summary>
++##	Transition named content in tmpfs_t directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_tmpfs_filetrans_named_content',`
++	gen_require(`
++		type cgroup_t;
++	')
++
++	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu")
++	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
++')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index f1ab8c6..9ae349a 100644
+index 376bae8..7c84405 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -33,6 +33,8 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
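Review bot: The summary `Transition named content in tmpfs_t directory` on the new `fs_tmpfs_filetrans_named_content` omits what the interface sets up. Going by the arguments of the two fs_tmpfs_filetrans calls, symlinks named `cpu` and `cpuacct` created in a tmpfs_t directory receive type cgroup_t. Suggest `##	Label the cpu and cpuacct symlinks created in a tmpfs_t directory as cgroup_t.` The parameter text `##      Domain allowed access.` is indented with spaces where the surrounding interfaces use a tab, and the block is preceded by two empty added lines instead of one.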
@@ -71844,7 +71841,7 @@ index 7be4ddf..f7021a0 100644
 +
 +/sys/class/net/ib.* 		gen_context(system_u:object_r:sysctl_net_t,s0)
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 4bf45cb..30e39df 100644
+index 4bf45cb..e9855e0 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -267,7 +267,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -72068,7 +72065,7 @@ index 4bf45cb..30e39df 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2956,5 +3092,79 @@ interface(`kernel_unconfined',`
+@@ -2956,5 +3092,98 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -72114,6 +72111,25 @@ index 4bf45cb..30e39df 100644
 +	allow $1 kernel_t:unix_stream_socket { read getattr };
 +')
 +
++#######################################
++## <summary>
++##  Allow the specified domain to write on 
++##  the kernel with a unix socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`kernel_stream_write',`
++    gen_require(`
++        type kernel_t;
++    ')
++
++    allow $1 kernel_t:unix_stream_socket { write getattr };
++')
++
 +########################################
 +## <summary>
 +##	Make the specified type usable for regular entries in proc
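Review bot: The summary of the new `kernel_stream_write` ("Allow the specified domain to write on the kernel with a unix socket") does not describe the grant. The rule allows `write` and `getattr` on unix stream sockets labelled kernel_t, so `##	Write to unix stream sockets owned by the kernel domain.` would be accurate. Anything still running as kernel_t is reachable through this permission, so the callers are worth keeping to the domains that actually inherit such a socket; they are not visible in this hunk. The block is also indented with four spaces where the neighbouring interface (the `{ read getattr }` rule just above) uses tabs.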
@@ -72150,7 +72166,7 @@ index 4bf45cb..30e39df 100644
 +	dontaudit $1 sysctl_type:file getattr;
  ')
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index b285b90..129a0ec 100644
+index ab9b6cd..0665979 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -58,6 +58,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -72727,7 +72743,7 @@ index 81440c5..0383653 100644
  ')
 +
 diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index b63601a..f3eb48a 100644
+index 522ab32..443f4a0 100644
 --- a/policy/modules/kernel/selinux.te
 +++ b/policy/modules/kernel/selinux.te
 @@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
@@ -74066,7 +74082,7 @@ index 3a45a3e..6b08160 100644
 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
  logging_admin(logadm_t, logadm_r)
 diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index 110d48a..1eebd22 100644
+index da11120..34f3a61 100644
 --- a/policy/modules/roles/secadm.te
 +++ b/policy/modules/roles/secadm.te
 @@ -9,6 +9,8 @@ role secadm_r;
@@ -74439,10 +74455,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index bd5a2ea..7905181 100644
+index 44c198a..82eb9e5 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,69 @@ policy_module(sysadm, 2.4.2)
+@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0)
  # Declarations
  #
  
@@ -74476,11 +74492,15 @@ index bd5a2ea..7905181 100644
 +files_read_kernel_modules(sysadm_t)
 +files_filetrans_named_content(sysadm_t)
 +
++fs_mount_fusefs(sysadm_t)
++
 +storage_filetrans_all_named_dev(sysadm_t)
 +
 +term_filetrans_all_named_dev(sysadm_t)
 +
  mls_process_read_up(sysadm_t)
++mls_file_read_all_levels(sysadm_t)
++mls_file_write_all_levels(sysadm_t)
 +mls_file_read_to_clearance(sysadm_t)
 +mls_process_write_to_clearance(sysadm_t)
 +
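Review bot: `mls_file_read_all_levels(sysadm_t)` and `mls_file_write_all_levels(sysadm_t)` exempt sysadm_t from the MLS file read and write constraints at every level, and nothing in the hunk says why. They sit directly above `mls_file_read_to_clearance(sysadm_t)`, which the read-all-levels call appears to make redundant. Please add a why-comment above the two calls, for example `# <reason sysadm_t must read and write files at all MLS levels>`, and either drop or justify the clearance-bounded read so the intended bound is clear to anyone auditing an MLS build. The uncommented `fs_mount_fusefs(sysadm_t)` a few lines up would benefit from the same one-line rationale.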
@@ -74523,7 +74543,7 @@ index bd5a2ea..7905181 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,13 +85,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +89,7 @@ ifdef(`distro_gentoo',`
  	init_exec_rc(sysadm_t)
  ')
  
@@ -74538,7 +74558,7 @@ index bd5a2ea..7905181 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -71,9 +95,9 @@ optional_policy(`
+@@ -71,9 +99,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -74549,7 +74569,7 @@ index bd5a2ea..7905181 100644
  ')
  
  optional_policy(`
-@@ -110,6 +134,10 @@ optional_policy(`
+@@ -110,6 +138,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74560,7 +74580,7 @@ index bd5a2ea..7905181 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -122,11 +150,20 @@ optional_policy(`
+@@ -122,11 +154,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74571,19 +74591,19 @@ index bd5a2ea..7905181 100644
 +
 +optional_policy(`
 +	consoletype_exec(sysadm_t)
-+')
-+
-+optional_policy(`
-+    daemonstools_run_start(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	cvs_exec(sysadm_t)
++    daemonstools_run_start(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
 +	dbus_role_template(sysadm, sysadm_r, sysadm_t)
  ')
  
  optional_policy(`
-@@ -140,6 +177,10 @@ optional_policy(`
+@@ -140,6 +181,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74594,7 +74614,7 @@ index bd5a2ea..7905181 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -156,11 +197,15 @@ optional_policy(`
+@@ -156,11 +201,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74611,7 +74631,7 @@ index bd5a2ea..7905181 100644
  ')
  
  optional_policy(`
-@@ -179,6 +224,13 @@ optional_policy(`
+@@ -179,6 +228,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -74625,7 +74645,7 @@ index bd5a2ea..7905181 100644
  ')
  
  optional_policy(`
-@@ -186,15 +238,20 @@ optional_policy(`
+@@ -186,15 +242,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74637,19 +74657,19 @@ index bd5a2ea..7905181 100644
 -	libs_run_ldconfig(sysadm_t, sysadm_r)
 +	kerberos_exec_kadmind(sysadm_t)
 +	kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++	kudzu_run(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
 -	lockdev_role(sysadm_r, sysadm_t)
-+	kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
 +	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
-@@ -214,22 +271,20 @@ optional_policy(`
+@@ -214,22 +275,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -74678,7 +74698,7 @@ index bd5a2ea..7905181 100644
  ')
  
  optional_policy(`
-@@ -241,25 +296,47 @@ optional_policy(`
+@@ -241,25 +300,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74726,7 +74746,7 @@ index bd5a2ea..7905181 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_fetch(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +347,32 @@ optional_policy(`
+@@ -270,31 +351,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74766,7 +74786,7 @@ index bd5a2ea..7905181 100644
  ')
  
  optional_policy(`
-@@ -319,12 +397,18 @@ optional_policy(`
+@@ -319,12 +401,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74786,7 +74806,7 @@ index bd5a2ea..7905181 100644
  ')
  
  optional_policy(`
-@@ -349,7 +433,18 @@ optional_policy(`
+@@ -349,7 +437,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74806,7 +74826,7 @@ index bd5a2ea..7905181 100644
  ')
  
  optional_policy(`
-@@ -360,19 +455,15 @@ optional_policy(`
+@@ -360,19 +459,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74828,7 +74848,7 @@ index bd5a2ea..7905181 100644
  ')
  
  optional_policy(`
-@@ -384,10 +475,6 @@ optional_policy(`
+@@ -384,10 +479,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74839,16 +74859,17 @@ index bd5a2ea..7905181 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +482,8 @@ optional_policy(`
+@@ -395,6 +486,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
 +	virt_filetrans_home_content(sysadm_t)
 +	virt_manage_pid_dirs(sysadm_t)
++	virt_transition_svirt_lxc(sysadm_t, sysadm_r)
  ')
  
  optional_policy(`
-@@ -402,31 +491,34 @@ optional_policy(`
+@@ -402,31 +496,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74889,7 +74910,7 @@ index bd5a2ea..7905181 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +531,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +536,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -74900,7 +74921,7 @@ index bd5a2ea..7905181 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -460,6 +548,7 @@ ifndef(`distro_redhat',`
+@@ -460,6 +553,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -74908,7 +74929,7 @@ index bd5a2ea..7905181 100644
  	')
  
  	optional_policy(`
-@@ -467,11 +556,66 @@ ifndef(`distro_redhat',`
+@@ -467,11 +561,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -75638,7 +75659,7 @@ index 0000000..bac0dc0
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..2a0c726
+index 0000000..35fc04a
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,376 @@
@@ -76001,6 +76022,7 @@ index 0000000..2a0c726
 +
 +optional_policy(`
 +	virt_transition_svirt(unconfined_t, unconfined_r)
++	virt_transition_svirt_lxc(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
@@ -76017,7 +76039,6 @@ index 0000000..2a0c726
 +')
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
 diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
 index 3835596..fbca2be 100644
 --- a/policy/modules/roles/unprivuser.if
@@ -76377,7 +76398,7 @@ index ecef19f..fcbc25a 100644
  
  	postgresql_tcp_connect($1)
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 6b336e7..236e7c7 100644
+index 4318f73..90f98a2 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
 @@ -19,9 +19,9 @@ gen_require(`
@@ -78982,7 +79003,7 @@ index 130ced9..1b31c76 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index c4f7c35..6efbf14 100644
+index d40f750..c7e6040 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -80354,7 +80375,7 @@ index 28ad538..47fdb65 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 6ce867a..25def3e 100644
+index f416ce9..25def3e 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -80479,7 +80500,7 @@ index 6ce867a..25def3e 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,13 +198,93 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +198,89 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -80530,11 +80551,11 @@ index 6ce867a..25def3e 100644
 +	optional_policy(`
 +		ssh_agent_exec($1)
 +		ssh_read_user_home_files($1)
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Read authlogin state files.
 +## </summary>
 +## <param name="domain">
@@ -80546,7 +80567,7 @@ index 6ce867a..25def3e 100644
 +interface(`authlogin_read_state',`
 +	gen_require(`
 +		attribute polydomain;
-+	')
+ 	')
 +
 +	kernel_search_proc($1)
 +	ps_process_pattern($1, polydomain)
@@ -80568,13 +80589,9 @@ index 6ce867a..25def3e 100644
 +	')
 +
 +	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Use the login program as an entry point program.
- ## </summary>
- ## <param name="domain">
+ ')
+ 
+ ########################################
 @@ -231,6 +354,25 @@ interface(`auth_domtrans_login_program',`
  
  ########################################
@@ -80794,90 +80811,50 @@ index 6ce867a..25def3e 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1676,37 +1930,49 @@ interface(`auth_manage_login_records',`
+@@ -1676,24 +1930,7 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
-+	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
- ')
- 
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
 -##	Relabel login record files.
-+##	Use nsswitch to look up user, password, group, or
-+##	host information.
- ## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to look up user, password,
-+##	group, or host information using the name service.
-+##	The most common use of this interface is for services
-+##	that do host name resolution (usually DNS resolution).
-+##	</p>
-+## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
-+## <infoflow type="both" weight="10"/>
- #
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
 -interface(`auth_relabel_login_records',`
-+interface(`auth_use_nsswitch',`
- 	gen_require(`
+-	gen_require(`
 -		type wtmp_t;
-+		attribute nsswitch_domain;
- 	')
- 
+-	')
+-
 -	allow $1 wtmp_t:file relabel_file_perms;
-+	typeattribute $1 nsswitch_domain;
++	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
  ')
  
  ########################################
- ## <summary>
--##	Use nsswitch to look up user, password, group, or
--##	host information.
-+##	Unconfined access to the authlogin module.
- ## </summary>
- ## <desc>
- ##	<p>
--##	Allow the specified domain to look up user, password,
--##	group, or host information using the name service.
--##	The most common use of this interface is for services
--##	that do host name resolution (usually DNS resolution).
-+##	Unconfined access to the authlogin module.
-+##	</p>
-+##	<p>
-+##	Currently, this only allows assertions for
-+##	the shadow passwords file (/etc/shadow) to
-+##	be passed.  No access is granted yet.
- ##	</p>
- ## </desc>
- ## <param name="domain">
-@@ -1714,87 +1980,206 @@ interface(`auth_relabel_login_records',`
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <infoflow type="both" weight="10"/>
+@@ -1717,9 +1954,9 @@ interface(`auth_relabel_login_records',`
+ ## <infoflow type="both" weight="10"/>
  #
--interface(`auth_use_nsswitch',`
--
--	files_list_var_lib($1)
-+interface(`auth_unconfined',`
+ interface(`auth_use_nsswitch',`
+-    gen_require(`
+-        attribute nsswitch_domain;
+-    ')
 +	gen_require(`
-+		attribute can_read_shadow_passwords;
-+		attribute can_write_shadow_passwords;
-+		attribute can_relabelto_shadow_passwords;
++		attribute nsswitch_domain;
 +	')
  
--	# read /etc/nsswitch.conf
--	files_read_etc_files($1)
-+	typeattribute $1 can_read_shadow_passwords;
-+	typeattribute $1 can_write_shadow_passwords;
-+	typeattribute $1 can_relabelto_shadow_passwords;
-+')
- 
--	miscfiles_read_generic_certs($1)
+ 	typeattribute $1 nsswitch_domain;
+ ')
+@@ -1755,3 +1992,194 @@ interface(`auth_unconfined',`
+ 	typeattribute $1 can_write_shadow_passwords;
+ 	typeattribute $1 can_relabelto_shadow_passwords;
+ ')
++
 +########################################
 +## <summary>
 +##	Transition to authlogin named content
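Review bot: The rebased inner hunk `@@ -1676,24 +1930,7` does more than add `logging_log_named_filetrans($1, wtmp_t, file, "wtmp")` to `auth_manage_login_records`; it also deletes the whole upstream `auth_relabel_login_records` interface to splice that line in. Any module that still calls `auth_relabel_login_records` would likely fail to build, and callers are not visible from this hunk. If the removal is not intended, keep the upstream lines as context and add only the one `+` line before the first `')`. If it is intended, it deserves a line in the changelog. The `auth_manage_login_records` body begins outside the hunk.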
@@ -80898,9 +80875,7 @@ index 6ce867a..25def3e 100644
 +		type pam_var_console_t;
 +		type pam_var_run_t;
 +	')
- 
--	sysnet_dns_name_resolve($1)
--	sysnet_use_ldap($1)
++
 +	files_etc_filetrans($1, passwd_file_t, file, "group")
 +	files_etc_filetrans($1, passwd_file_t, file, "group-")
 +	#files_etc_filetrans($1, passwd_file_t, file, "group+")
@@ -80929,9 +80904,7 @@ index 6ce867a..25def3e 100644
 +	files_pid_filetrans($1, pam_var_run_t, dir, "sudo")
 +	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
 +')
- 
--	optional_policy(`
--		avahi_stream_connect($1)
++
 +########################################
 +## <summary>
 +##	Get the attributes of the passwd passwords file.
@@ -80945,17 +80918,12 @@ index 6ce867a..25def3e 100644
 +interface(`auth_getattr_passwd',`
 +	gen_require(`
 +		type passwd_file_t;
- 	')
- 
--	optional_policy(`
--		ldap_stream_connect($1)
--	')
++	')
++
 +	files_search_etc($1)
 +	allow $1 passwd_file_t:file getattr;
 +')
- 
-- 	optional_policy(`
--		likewise_stream_connect_lsassd($1)
++
 +########################################
 +## <summary>
 +##	Do not audit attempts to get the attributes
@@ -80970,16 +80938,11 @@ index 6ce867a..25def3e 100644
 +interface(`auth_dontaudit_getattr_passwd',`
 +	gen_require(`
 +		type passwd_file_t;
- 	')
- 
--	optional_policy(`
--		kerberos_use($1)
--	')
++	')
++
 +	dontaudit $1 passwd_file_t:file getattr;
 +')
- 
--	optional_policy(`
--		nis_use_ypbind($1)
++
 +########################################
 +## <summary>
 +##	Read the passwd passwords file (/etc/passwd)
@@ -80993,16 +80956,11 @@ index 6ce867a..25def3e 100644
 +interface(`auth_read_passwd',`
 +	gen_require(`
 +		type passwd_file_t;
- 	')
- 
--	optional_policy(`
--		nscd_socket_use($1)
--	')
++	')
++
 +	allow $1 passwd_file_t:file read_file_perms;
 +')
- 
--	optional_policy(`
--		nslcd_stream_connect($1)
++
 +########################################
 +## <summary>
 +##	Do not audit attempts to read the passwd
@@ -81017,10 +80975,8 @@ index 6ce867a..25def3e 100644
 +interface(`auth_dontaudit_read_passwd',`
 +	gen_require(`
 +		type passwd_file_t;
- 	')
- 
--	optional_policy(`
--		sssd_stream_connect($1)
++	')
++
 +	dontaudit $1 passwd_file_t:file read_file_perms;
 +')
 +
@@ -81038,12 +80994,8 @@ index 6ce867a..25def3e 100644
 +interface(`auth_manage_passwd',`
 +	gen_require(`
 +		type passwd_file_t;
- 	')
- 
--	optional_policy(`
--		samba_stream_connect_winbind($1)
--		samba_read_var_files($1)
--		samba_dontaudit_write_var_files($1)
++	')
++
 +	files_rw_etc_dirs($1)
 +	allow $1 passwd_file_t:file manage_file_perms;
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd")
@@ -81067,55 +81019,37 @@ index 6ce867a..25def3e 100644
 +interface(`auth_filetrans_admin_home_content',`
 +	gen_require(`
 +		type auth_home_t;
- 	')
++	')
 +
 +	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
 +	userdom_admin_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
- ')
- 
- ########################################
- ## <summary>
--##	Unconfined access to the authlogin module.
++')
++
++########################################
++## <summary>
 +##	Create auth directory in the user home directory
 +##	with an correct label.
- ## </summary>
--## <desc>
--##	<p>
--##	Unconfined access to the authlogin module.
--##	</p>
--##	<p>
--##	Currently, this only allows assertions for
--##	the shadow passwords file (/etc/shadow) to
--##	be passed.  No access is granted yet.
--##	</p>
--## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`auth_unconfined',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`auth_filetrans_home_content',`
 +	
- 	gen_require(`
--		attribute can_read_shadow_passwords;
--		attribute can_write_shadow_passwords;
--		attribute can_relabelto_shadow_passwords;
++	gen_require(`
 +		type auth_home_t;
- 	')
- 
--	typeattribute $1 can_read_shadow_passwords;
--	typeattribute $1 can_write_shadow_passwords;
--	typeattribute $1 can_relabelto_shadow_passwords;
++	')
++
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator")
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
- ')
++')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f12b8ff..3b80e52 100644
+index f145ccb..c0ed878 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
-@@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
+@@ -5,6 +5,12 @@ policy_module(authlogin, 2.4.0)
  # Declarations
  #
  
@@ -81125,19 +81059,15 @@ index f12b8ff..3b80e52 100644
 +## </p>
 +## </desc>
 +gen_tunable(authlogin_radius, false)
-+
-+## <desc>
-+## <p>
-+## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
-+## </p>
-+## </desc>
-+gen_tunable(authlogin_nsswitch_use_ldap, false)
-+
+ 
+ ## <desc>
+ ## <p>
+@@ -16,20 +22,25 @@ gen_tunable(authlogin_nsswitch_use_ldap, false)
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
  attribute can_relabelto_shadow_passwords;
 +attribute polydomain;
-+attribute nsswitch_domain;
+ attribute nsswitch_domain;
  
  type auth_cache_t;
  logging_log_file(auth_cache_t)
@@ -81159,7 +81089,7 @@ index f12b8ff..3b80e52 100644
  
  type lastlog_t;
  logging_log_file(lastlog_t)
-@@ -55,6 +75,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
+@@ -64,6 +75,9 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
  neverallow ~can_write_shadow_passwords shadow_t:file { create write };
  neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
  
@@ -81169,7 +81099,7 @@ index f12b8ff..3b80e52 100644
  type updpwd_t;
  type updpwd_exec_t;
  domain_type(updpwd_t)
-@@ -100,6 +123,8 @@ dev_read_urand(chkpwd_t)
+@@ -109,6 +123,8 @@ dev_read_urand(chkpwd_t)
  files_read_etc_files(chkpwd_t)
  # for nscd
  files_dontaudit_search_var(chkpwd_t)
@@ -81178,7 +81108,7 @@ index f12b8ff..3b80e52 100644
  
  fs_dontaudit_getattr_xattr_fs(chkpwd_t)
  
-@@ -118,7 +143,7 @@ miscfiles_read_localization(chkpwd_t)
+@@ -127,7 +143,7 @@ miscfiles_read_localization(chkpwd_t)
  seutil_read_config(chkpwd_t)
  seutil_dontaudit_use_newrole_fds(chkpwd_t)
  
@@ -81187,7 +81117,7 @@ index f12b8ff..3b80e52 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -332,6 +357,7 @@ kernel_read_system_state(updpwd_t)
+@@ -341,6 +357,7 @@ kernel_read_system_state(updpwd_t)
  dev_read_urand(updpwd_t)
  
  files_manage_etc_files(updpwd_t)
@@ -81195,7 +81125,7 @@ index f12b8ff..3b80e52 100644
  
  term_dontaudit_use_console(updpwd_t)
  term_dontaudit_use_unallocated_ttys(updpwd_t)
-@@ -343,7 +369,7 @@ logging_send_syslog_msg(updpwd_t)
+@@ -352,7 +369,7 @@ logging_send_syslog_msg(updpwd_t)
  
  miscfiles_read_localization(updpwd_t)
  
@@ -81204,7 +81134,7 @@ index f12b8ff..3b80e52 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -371,13 +397,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+@@ -380,13 +397,15 @@ term_dontaudit_use_all_ttys(utempter_t)
  term_dontaudit_use_all_ptys(utempter_t)
  term_dontaudit_use_ptmx(utempter_t)
  
@@ -81221,7 +81151,7 @@ index f12b8ff..3b80e52 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -388,10 +416,79 @@ ifdef(`distro_ubuntu',`
+@@ -397,12 +416,81 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -81304,6 +81234,29 @@ index f12b8ff..3b80e52 100644
 +	samba_read_var_files(nsswitch_domain)
 +	samba_dontaudit_write_var_files(nsswitch_domain)
  ')
+ 
+ #######################################
+@@ -426,6 +514,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ 
+ optional_policy(`
+ 	tunable_policy(`authlogin_nsswitch_use_ldap',`
++		dirsrv_stream_connect(nsswitch_domain)
++	')
++')
++
++optional_policy(`
++	tunable_policy(`authlogin_nsswitch_use_ldap',`
+ 		ldap_stream_connect(nsswitch_domain)
+ 	')
+ ')
+@@ -456,6 +550,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	sssd_stream_connect(nsswitch_domain)
++	sssd_read_public_files(nsswitch_domain)
+ ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
 index c5e05ca..c9ddbee 100644
 --- a/policy/modules/system/clock.fc
@@ -81584,7 +81537,7 @@ index 9dfecf7..6d00f5c 100644
 +
 +/usr/bin/hostname	--	gen_context(system_u:object_r:hostname_exec_t,s0)
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index ec82afa..df11774 100644
+index f6cbda9..9a75c1e 100644
 --- a/policy/modules/system/hostname.te
 +++ b/policy/modules/system/hostname.te
 @@ -23,29 +23,34 @@ dontaudit hostname_t self:capability sys_tty_config;
@@ -82876,7 +82829,7 @@ index d26fe81..3f3a57f 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 5fb9683..13860f3 100644
+index 4a88fa1..2a13153 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -82956,7 +82909,7 @@ index 5fb9683..13860f3 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -92,7 +132,7 @@ ifdef(`enable_mls',`
+@@ -95,7 +135,7 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -82965,7 +82918,7 @@ index 5fb9683..13860f3 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -104,12 +144,26 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -107,12 +147,26 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  
  # Re-exec itself
  can_exec(init_t, init_exec_t)
@@ -82998,7 +82951,7 @@ index 5fb9683..13860f3 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -119,28 +173,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -122,28 +176,38 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -83038,7 +82991,7 @@ index 5fb9683..13860f3 100644
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -149,6 +213,8 @@ fs_list_inotifyfs(init_t)
+@@ -152,6 +216,8 @@ fs_list_inotifyfs(init_t)
  # cjp: this may be related to /dev/log
  fs_write_ramfs_sockets(init_t)
  
@@ -83047,7 +83000,7 @@ index 5fb9683..13860f3 100644
  mcs_process_set_categories(init_t)
  mcs_killall(init_t)
  
-@@ -156,22 +222,41 @@ mls_file_read_all_levels(init_t)
+@@ -159,22 +225,41 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -83090,7 +83043,7 @@ index 5fb9683..13860f3 100644
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -180,12 +265,18 @@ ifdef(`distro_gentoo',`
+@@ -183,12 +268,19 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -83100,6 +83053,7 @@ index 5fb9683..13860f3 100644
  	fs_read_tmpfs_symlinks(init_t)
  	fs_rw_tmpfs_chr_files(init_t)
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
++	fs_tmpfs_filetrans_named_content(init_t)
 +
 +	logging_stream_connect_syslog(init_t)
 +	logging_relabel_syslog_pid_socket(init_t)
@@ -83110,7 +83064,7 @@ index 5fb9683..13860f3 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -193,16 +284,148 @@ tunable_policy(`init_upstart',`
+@@ -196,16 +288,148 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -83261,7 +83215,7 @@ index 5fb9683..13860f3 100644
  ')
  
  optional_policy(`
-@@ -210,6 +433,18 @@ optional_policy(`
+@@ -213,6 +437,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83280,7 +83234,7 @@ index 5fb9683..13860f3 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -219,8 +454,8 @@ optional_policy(`
+@@ -222,8 +458,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -83291,7 +83245,7 @@ index 5fb9683..13860f3 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -248,12 +483,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +487,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -83305,9 +83259,9 @@ index 5fb9683..13860f3 100644
  files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
 +allow initrc_t initrc_tmp_t:dir relabelfrom;
  
- init_write_initctl(initrc_t)
- 
-@@ -265,20 +503,34 @@ kernel_change_ring_buffer_level(initrc_t)
+ manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+ manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
+@@ -272,23 +511,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -83321,7 +83275,10 @@ index 5fb9683..13860f3 100644
 +files_read_var_lib_symlinks(initrc_t)
 +files_setattr_pid_dirs(initrc_t)
  
+ files_create_lock_dirs(initrc_t)
+ files_pid_filetrans_lock_dir(initrc_t, "lock")
  files_read_kernel_symbol_table(initrc_t)
+-files_setattr_lock_dirs(initrc_t)
 +files_exec_etc_files(initrc_t)
 +files_manage_etc_symlinks(initrc_t)
 +files_manage_system_conf_files(initrc_t)
@@ -83347,7 +83304,7 @@ index 5fb9683..13860f3 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -286,6 +538,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +548,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -83355,7 +83312,7 @@ index 5fb9683..13860f3 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -296,8 +549,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +559,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -83366,7 +83323,7 @@ index 5fb9683..13860f3 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -305,17 +560,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +570,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -83386,7 +83343,7 @@ index 5fb9683..13860f3 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -323,6 +577,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +587,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -83394,7 +83351,7 @@ index 5fb9683..13860f3 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -330,8 +585,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +595,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -83406,7 +83363,7 @@ index 5fb9683..13860f3 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -347,8 +604,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +614,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -83420,7 +83377,7 @@ index 5fb9683..13860f3 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -358,9 +619,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +629,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -83434,7 +83391,7 @@ index 5fb9683..13860f3 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -370,6 +634,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +644,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -83442,7 +83399,7 @@ index 5fb9683..13860f3 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -381,6 +646,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +656,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -83450,7 +83407,7 @@ index 5fb9683..13860f3 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -401,18 +667,17 @@ logging_read_audit_config(initrc_t)
+@@ -411,18 +677,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -83472,7 +83429,7 @@ index 5fb9683..13860f3 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -465,6 +730,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +741,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -83483,7 +83440,7 @@ index 5fb9683..13860f3 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -485,7 +754,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +765,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -83492,7 +83449,7 @@ index 5fb9683..13860f3 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -500,6 +769,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +780,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -83500,7 +83457,7 @@ index 5fb9683..13860f3 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -520,6 +790,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +801,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -83508,7 +83465,7 @@ index 5fb9683..13860f3 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -529,8 +800,35 @@ ifdef(`distro_redhat',`
+@@ -540,8 +811,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -83544,7 +83501,7 @@ index 5fb9683..13860f3 100644
  	')
  
  	optional_policy(`
-@@ -538,14 +836,27 @@ ifdef(`distro_redhat',`
+@@ -549,14 +847,27 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -83572,7 +83529,7 @@ index 5fb9683..13860f3 100644
  	')
  ')
  
-@@ -556,6 +867,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +878,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -83612,7 +83569,7 @@ index 5fb9683..13860f3 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -568,6 +912,8 @@ optional_policy(`
+@@ -579,6 +923,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -83621,7 +83578,7 @@ index 5fb9683..13860f3 100644
  ')
  
  optional_policy(`
-@@ -589,6 +935,7 @@ optional_policy(`
+@@ -600,6 +946,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -83629,7 +83586,7 @@ index 5fb9683..13860f3 100644
  ')
  
  optional_policy(`
-@@ -601,6 +948,17 @@ optional_policy(`
+@@ -612,6 +959,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83647,7 +83604,7 @@ index 5fb9683..13860f3 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -617,9 +975,13 @@ optional_policy(`
+@@ -628,9 +986,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -83661,7 +83618,7 @@ index 5fb9683..13860f3 100644
  	')
  
  	optional_policy(`
-@@ -644,6 +1006,10 @@ optional_policy(`
+@@ -655,6 +1017,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83672,7 +83629,7 @@ index 5fb9683..13860f3 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -661,6 +1027,15 @@ optional_policy(`
+@@ -672,6 +1038,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83688,7 +83645,7 @@ index 5fb9683..13860f3 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -701,6 +1076,7 @@ optional_policy(`
+@@ -712,6 +1087,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -83696,7 +83653,7 @@ index 5fb9683..13860f3 100644
  ')
  
  optional_policy(`
-@@ -718,7 +1094,13 @@ optional_policy(`
+@@ -729,7 +1105,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83710,7 +83667,7 @@ index 5fb9683..13860f3 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -741,6 +1123,10 @@ optional_policy(`
+@@ -752,6 +1134,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83721,7 +83678,7 @@ index 5fb9683..13860f3 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -750,10 +1136,20 @@ optional_policy(`
+@@ -761,10 +1147,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83742,7 +83699,7 @@ index 5fb9683..13860f3 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -762,6 +1158,10 @@ optional_policy(`
+@@ -773,6 +1169,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83753,7 +83710,7 @@ index 5fb9683..13860f3 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -783,8 +1183,6 @@ optional_policy(`
+@@ -794,8 +1194,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -83762,7 +83719,7 @@ index 5fb9683..13860f3 100644
  ')
  
  optional_policy(`
-@@ -793,6 +1191,10 @@ optional_policy(`
+@@ -804,6 +1202,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83773,7 +83730,7 @@ index 5fb9683..13860f3 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -802,10 +1204,12 @@ optional_policy(`
+@@ -813,10 +1215,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -83786,15 +83743,16 @@ index 5fb9683..13860f3 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -817,7 +1221,6 @@ optional_policy(`
+@@ -828,8 +1232,6 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	udev_rw_db(initrc_t)
+-	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
  	udev_manage_pid_files(initrc_t)
+ 	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
- ')
-@@ -827,12 +1230,30 @@ optional_policy(`
+@@ -840,12 +1242,30 @@ optional_policy(`
  ')
  
  optional_policy(`
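Review bot: The added `-	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")` line makes the refreshed patch delete the named type transition for a `udev` directory created by initrc_t, and the hunk shows no replacement for it. If an init script still creates that directory, it would presumably get the default pid-directory label instead of the udev one, and the `udev_manage_pid_dirs(initrc_t)` grant kept on the next line would then not apply to it. It is worth confirming that another rule labels the directory; if none does, keep the line as context (` 	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")`) instead of removing it. The `optional_policy` block is cut by the hunk on both sides.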
@@ -83827,7 +83785,7 @@ index 5fb9683..13860f3 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -842,6 +1263,18 @@ optional_policy(`
+@@ -855,6 +1275,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -83846,7 +83804,7 @@ index 5fb9683..13860f3 100644
  ')
  
  optional_policy(`
-@@ -857,6 +1290,10 @@ optional_policy(`
+@@ -870,6 +1302,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83857,7 +83815,7 @@ index 5fb9683..13860f3 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -867,3 +1304,165 @@ optional_policy(`
+@@ -880,3 +1316,165 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -84076,7 +84034,7 @@ index 0d4c8d3..9d66bf7 100644
  
  ########################################
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index fac0a01..481ef57 100644
+index a30840c..1035cf4 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -73,13 +73,15 @@ role system_r types setkey_t;
@@ -84923,7 +84881,7 @@ index 808ba93..f94b80a 100644
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 992d105..e412258 100644
+index ad01883..1166ff5 100644
 --- a/policy/modules/system/libraries.te
 +++ b/policy/modules/system/libraries.te
 @@ -59,9 +59,11 @@ optional_policy(`
@@ -85713,10 +85671,10 @@ index 321bb13..e7fd936 100644
 +	init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
 +')
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 92555db..bec9a0b 100644
+index 0034021..ca33705 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -5,6 +5,20 @@ policy_module(logging, 1.18.2)
+@@ -5,6 +5,20 @@ policy_module(logging, 1.19.0)
  # Declarations
  #
  
@@ -85900,7 +85858,7 @@ index 92555db..bec9a0b 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,13 +430,20 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,13 +430,21 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -85918,10 +85876,11 @@ index 92555db..bec9a0b 100644
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
  
 +kernel_stream_read(syslogd_t)
++kernel_stream_write(syslogd_t)
  kernel_read_system_state(syslogd_t)
  kernel_read_kernel_sysctls(syslogd_t)
  kernel_read_proc_symlinks(syslogd_t)
-@@ -401,7 +452,10 @@ kernel_read_messages(syslogd_t)
+@@ -401,7 +453,10 @@ kernel_read_messages(syslogd_t)
  kernel_clear_ring_buffer(syslogd_t)
  kernel_change_ring_buffer_level(syslogd_t)
  
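Review bot: The added `kernel_stream_write(syslogd_t)` line, directly under `kernel_stream_read(syslogd_t)`, widens syslogd_t from reading to also writing what are, judging by the interface name, kernel-labelled stream sockets, and nothing in the hunk records why. Other grants in this file carry a one-line rationale (`# Allow access for syslog-ng`, `# for sending messages to logged in users`), so I would put one above the pair, e.g. `# <which socket syslogd writes to, and the AVC denial this resolves>`. Without it, a later audit of logging.te cannot tell whether the write permission is still needed or can be dropped. The rule block these lines sit in starts and ends outside the hunk.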
@@ -85933,7 +85892,7 @@ index 92555db..bec9a0b 100644
  corenet_all_recvfrom_netlabel(syslogd_t)
  corenet_udp_sendrecv_generic_if(syslogd_t)
  corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,10 +481,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,10 +482,27 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
  corenet_sendrecv_postgresql_client_packets(syslogd_t)
  corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
@@ -85961,7 +85920,7 @@ index 92555db..bec9a0b 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -448,7 +519,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
+@@ -448,7 +520,9 @@ mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and
  term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
@@ -85971,7 +85930,7 @@ index 92555db..bec9a0b 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -460,6 +533,7 @@ init_use_fds(syslogd_t)
+@@ -460,6 +534,7 @@ init_use_fds(syslogd_t)
  
  # cjp: this doesnt make sense
  logging_send_syslog_msg(syslogd_t)
@@ -85979,7 +85938,7 @@ index 92555db..bec9a0b 100644
  
  miscfiles_read_localization(syslogd_t)
  
-@@ -493,15 +567,29 @@ optional_policy(`
+@@ -493,15 +568,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -86220,7 +86179,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 7b6bcb9..08b4b7e 100644
+index f8eeecd..310893f 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -86551,10 +86510,10 @@ index 926ba65..b2a1675 100644
 +	files_var_filetrans($1, public_content_t, dir, "ftp")
 +')
 diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index c885e4e..6d0881d 100644
+index 622fb4f..69b6fef 100644
 --- a/policy/modules/system/miscfiles.te
 +++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.9.1)
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.0)
  #
  # Declarations
  #
@@ -86688,10 +86647,10 @@ index 350c450..2debedc 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 560d5d9..3d8e252 100644
+index b4ff2f7..6555c9e 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.12.1)
+@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.0)
  # Declarations
  #
  
@@ -87241,10 +87200,10 @@ index 4584457..5b041ee 100644
 +        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6d3b14b..31dac3e 100644
+index 63931f6..91137b6 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
-@@ -10,35 +10,60 @@ policy_module(mount, 1.14.2)
+@@ -10,35 +10,60 @@ policy_module(mount, 1.15.0)
  ## Allow the mount command to mount any directory or file.
  ## </p>
  ## </desc>
@@ -87392,7 +87351,7 @@ index 6d3b14b..31dac3e 100644
  files_read_isid_type_files(mount_t)
  # For reading cert files
  files_read_usr_files(mount_t)
-@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +147,42 @@ files_list_mnt(mount_t)
  files_dontaudit_write_all_mountpoints(mount_t)
  files_dontaudit_setattr_all_mountpoints(mount_t)
  
@@ -87420,6 +87379,9 @@ index 6d3b14b..31dac3e 100644
  
 -mls_file_read_all_levels(mount_t)
 -mls_file_write_all_levels(mount_t)
++mcs_file_read_all(mount_t)
++mcs_file_write_all(mount_t)
++
 +mls_file_read_to_clearance(mount_t)
 +mls_file_write_to_clearance(mount_t)
 +mls_process_write_to_clearance(mount_t)
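Review bot: The two added lines `mcs_file_read_all(mount_t)` and `mcs_file_write_all(mount_t)` give mount_t what their names describe as a blanket exemption from MCS category checks on files. The lines right below them narrow the MLS side from `mls_file_read_all_levels`/`mls_file_write_all_levels` to the `_to_clearance` variants, and the hunk gives no reason for loosening one confinement axis while tightening the other. On an MCS policy the category is typically what separates one confined guest or container from another, so a domain that ignores it is worth justifying. I would add a rationale above the pair, e.g. `# <why mount must access files in every category; bug reference>`, and check whether a narrower grant covers the failing case. The rule block these lines belong to starts and ends outside the hunk.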
@@ -87438,7 +87400,7 @@ index 6d3b14b..31dac3e 100644
  term_dontaudit_manage_pty_dirs(mount_t)
  
  auth_use_nsswitch(mount_t)
-@@ -121,6 +187,8 @@ auth_use_nsswitch(mount_t)
+@@ -121,6 +190,8 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -87447,7 +87409,7 @@ index 6d3b14b..31dac3e 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -131,6 +199,9 @@ sysnet_use_portmap(mount_t)
+@@ -131,6 +202,9 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -87457,7 +87419,7 @@ index 6d3b14b..31dac3e 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +220,27 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -87497,7 +87459,7 @@ index 6d3b14b..31dac3e 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +251,8 @@ optional_policy(`
+@@ -179,6 +254,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -87506,7 +87468,7 @@ index 6d3b14b..31dac3e 100644
  ')
  
  optional_policy(`
-@@ -186,6 +260,28 @@ optional_policy(`
+@@ -186,6 +263,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -87535,7 +87497,7 @@ index 6d3b14b..31dac3e 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +289,123 @@ optional_policy(`
+@@ -193,21 +292,123 @@ optional_policy(`
  	')
  ')
  
@@ -88088,7 +88050,7 @@ index 3822072..cac0b1e 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc0c03b..0472c89 100644
+index ec01d0b..98094ae 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,17 @@ gen_require(`
@@ -89227,10 +89189,10 @@ index 41a1853..32a502e 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 8aed9d0..fdabb76 100644
+index ed363e1..272215f 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
-@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.13.2)
+@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.0)
  # Declarations
  #
  
@@ -90845,7 +90807,7 @@ index 2575393..49fd32e 100644
  ifdef(`distro_debian',`
  /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..d7b15a4 100644
+index 77a13a5..9a5a73f 100644
 --- a/policy/modules/system/udev.if
 +++ b/policy/modules/system/udev.if
 @@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -90866,7 +90828,7 @@ index 025348a..d7b15a4 100644
  ')
  
  ########################################
-@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',`
+@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
  #
  interface(`udev_dontaudit_search_db',`
  	gen_require(`
@@ -90879,7 +90841,7 @@ index 025348a..d7b15a4 100644
  ')
  
  ########################################
-@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',`
+@@ -187,25 +187,70 @@ interface(`udev_dontaudit_search_db',`
  ## <infoflow type="read" weight="10"/>
  #
  interface(`udev_read_db',`
@@ -90902,35 +90864,35 @@ index 025348a..d7b15a4 100644
 +		type udev_var_run_t;
  	')
  
-+	files_search_pids($1)
- 	dev_list_all_dev_nodes($1)
 -	allow $1 udev_tbl_t:dir list_dir_perms;
--	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
--	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++	files_search_pids($1)
++	dev_list_all_dev_nodes($1)
 +	rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
- ')
++')
  
- ########################################
- ## <summary>
--##	Allow process to modify list of devices.
+-	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+-	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++########################################
++## <summary>
 +##	Allow process to modify relabelto udev database
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -203,13 +216,54 @@ interface(`udev_read_db',`
- ##	</summary>
- ## </param>
- #
--interface(`udev_rw_db',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`udev_relabelto_db',`
 +	gen_require(`
 +		type udev_var_run_t;
 +	')
-+
+ 
+-	dev_list_all_dev_nodes($1)
 +	files_search_pids($1)
 +	allow $1 udev_var_run_t:file relabelto_file_perms;
 +')
-+
+ 
+-	files_search_etc($1)
 +########################################
 +## <summary>
 +##	Relabel the udev sock_file.
@@ -90942,27 +90904,30 @@ index 025348a..d7b15a4 100644
 +## </param>
 +#
 +interface(`udev_relabel_pid_sockfile',`
- 	gen_require(`
--		type udev_tbl_t;
++	gen_require(`
 +		type udev_var_run_t;
 +	')
-+
+ 
+-	udev_search_pids($1)
 +	allow $1 udev_var_run_t:sock_file relabel_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow process to modify list of devices.
 +##	Create, read, write, and delete
 +##	udev pid files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -213,13 +258,16 @@ interface(`udev_read_db',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`udev_rw_db',`
 +interface(`udev_read_pid_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type udev_tbl_t;
 +		type udev_var_run_t;
  	')
  
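Review bot: The summary kept above the udev_read_pid_files interface reads `Create, read, write, and delete` / `udev pid files.`, which describes a manage interface, not a read one. Policy authors and auditors go by these summaries when choosing a grant, so an overstated one hides what a caller actually receives. Since this refresh already reshuffles the surrounding doc blocks, I would replace the two summary lines with `##	Read udev pid files.`. The interface body lies outside the hunk, so the permissions it grants should be checked against that wording before changing it.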
@@ -90975,7 +90940,7 @@ index 025348a..d7b15a4 100644
  ')
  
  ########################################
-@@ -228,6 +282,84 @@ interface(`udev_manage_pid_files',`
+@@ -300,6 +348,84 @@ interface(`udev_manage_pid_files',`
  		type udev_var_run_t;
  	')
  
@@ -91062,7 +91027,7 @@ index 025348a..d7b15a4 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index cf279df..44ade49 100644
+index 29075b3..6ee8c74 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -91864,14 +91829,10 @@ index db7aabb..4012a61 100644
 +	refpolicywarn(`$0() has been deprecated.')
  ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 4f60203..71e46b2 100644
+index 0280b32..61f19e9 100644
 --- a/policy/modules/system/unconfined.te
 +++ b/policy/modules/system/unconfined.te
-@@ -1,240 +1,7 @@
--policy_module(unconfined, 3.4.1)
-+policy_module(unconfined, 3.3.0)
- 
- ########################################
+@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0)
  #
  # Declarations
  #
@@ -95922,10 +95883,10 @@ index e720dcd..7ce85d3 100644
 +	typeattribute $1 userdom_home_manager_type;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 47efe9a..1fa68b1 100644
+index 6a4bd85..a1a8acb 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
-@@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2)
+@@ -7,17 +7,17 @@ policy_module(userdomain, 4.8.0)
  
  ## <desc>
  ## <p>
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index b4e5022..e9ed480 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -1520,7 +1520,7 @@ index dc1b088..d1f2a62 100644
  
  term_dontaudit_use_console(alsa_t)
 diff --git a/amanda.te b/amanda.te
-index bec220e..f0cf404 100644
+index d8b5abe..e12641f 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -58,7 +58,7 @@ optional_policy(`
@@ -1636,10 +1636,10 @@ index e31d92a..1aa0718 100644
   	domain_system_change_exemption($1)
   	role_transition $2 amavis_initrc_exec_t system_r;
 diff --git a/amavis.te b/amavis.te
-index 5a9b451..94d9048 100644
+index 505309b..6cc4f4f 100644
 --- a/amavis.te
 +++ b/amavis.te
-@@ -5,6 +5,13 @@ policy_module(amavis, 1.13.1)
+@@ -5,6 +5,13 @@ policy_module(amavis, 1.14.0)
  # Declarations
  #
  
@@ -2722,10 +2722,10 @@ index 6480167..d30bdbf 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index a36a01d..8203991 100644
+index 0833afb..4664751 100644
 --- a/apache.te
 +++ b/apache.te
-@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
+@@ -18,6 +18,8 @@ policy_module(apache, 2.4.0)
  # Declarations
  #
  
@@ -2734,7 +2734,7 @@ index a36a01d..8203991 100644
  ## <desc>
  ## <p>
  ## Allow Apache to modify public files
-@@ -25,14 +27,35 @@ policy_module(apache, 2.3.2)
+@@ -25,14 +27,35 @@ policy_module(apache, 2.4.0)
  ## be labeled public_content_rw_t.
  ## </p>
  ## </desc>
@@ -3398,7 +3398,7 @@ index a36a01d..8203991 100644
  ')
  
  optional_policy(`
-@@ -568,7 +888,21 @@ optional_policy(`
+@@ -573,7 +893,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3420,7 +3420,7 @@ index a36a01d..8203991 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -579,6 +913,7 @@ optional_policy(`
+@@ -584,6 +918,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -3428,7 +3428,7 @@ index a36a01d..8203991 100644
  ')
  
  optional_policy(`
-@@ -589,6 +924,33 @@ optional_policy(`
+@@ -594,6 +929,33 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3462,7 +3462,7 @@ index a36a01d..8203991 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -603,6 +965,11 @@ optional_policy(`
+@@ -608,6 +970,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3474,7 +3474,7 @@ index a36a01d..8203991 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -615,6 +982,12 @@ optional_policy(`
+@@ -620,6 +987,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -3487,7 +3487,7 @@ index a36a01d..8203991 100644
  ########################################
  #
  # Apache helper local policy
-@@ -628,7 +1001,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -633,7 +1006,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -3500,7 +3500,7 @@ index a36a01d..8203991 100644
  
  ########################################
  #
-@@ -666,28 +1043,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -671,28 +1048,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -3544,7 +3544,7 @@ index a36a01d..8203991 100644
  ')
  
  ########################################
-@@ -697,6 +1076,7 @@ optional_policy(`
+@@ -702,6 +1081,7 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -3552,7 +3552,7 @@ index a36a01d..8203991 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,19 +1091,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -716,19 +1096,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -3581,7 +3581,7 @@ index a36a01d..8203991 100644
  files_read_usr_files(httpd_suexec_t)
  files_dontaudit_search_pids(httpd_suexec_t)
  files_search_home(httpd_suexec_t)
-@@ -740,7 +1128,6 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -745,7 +1133,6 @@ tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_suexec_t self:udp_socket create_socket_perms;
  
@@ -3589,7 +3589,7 @@ index a36a01d..8203991 100644
  	corenet_all_recvfrom_netlabel(httpd_suexec_t)
  	corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
  	corenet_udp_sendrecv_generic_if(httpd_suexec_t)
-@@ -752,13 +1139,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -757,13 +1144,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -3622,7 +3622,7 @@ index a36a01d..8203991 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1186,25 @@ optional_policy(`
+@@ -786,6 +1191,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -3648,7 +3648,7 @@ index a36a01d..8203991 100644
  ########################################
  #
  # Apache system script local policy
-@@ -801,12 +1225,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -806,12 +1230,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -3666,7 +3666,7 @@ index a36a01d..8203991 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -815,18 +1244,49 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -820,18 +1249,49 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -3723,7 +3723,7 @@ index a36a01d..8203991 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1294,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -839,14 +1299,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -3764,7 +3764,7 @@ index a36a01d..8203991 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1339,20 @@ optional_policy(`
+@@ -859,10 +1344,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3785,7 +3785,7 @@ index a36a01d..8203991 100644
  ')
  
  ########################################
-@@ -873,7 +1368,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -878,7 +1373,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
  kernel_dontaudit_list_proc(httpd_rotatelogs_t)
  kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
  
@@ -3793,7 +3793,7 @@ index a36a01d..8203991 100644
  
  logging_search_logs(httpd_rotatelogs_t)
  
-@@ -903,11 +1397,144 @@ optional_policy(`
+@@ -908,11 +1402,144 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -4433,7 +4433,7 @@ index b6168fd..313c6e4 100644
  	domain_system_change_exemption($1)
  	role_transition $2 asterisk_initrc_exec_t system_r;
 diff --git a/asterisk.te b/asterisk.te
-index 3b4613b..3ebeb4c 100644
+index 159610b..ae334b4 100644
 --- a/asterisk.te
 +++ b/asterisk.te
 @@ -20,10 +20,11 @@ type asterisk_log_t;
@@ -4851,144 +4851,25 @@ index 0bfc958..81fc8bd 100644
  optional_policy(`
  	cron_system_entry(backup_t, backup_exec_t)
 diff --git a/bcfg2.fc b/bcfg2.fc
-new file mode 100644
-index 0000000..9e06a9d
---- /dev/null
+index f5413da..9e06a9d 100644
+--- a/bcfg2.fc
 +++ b/bcfg2.fc
-@@ -0,0 +1,9 @@
-+/etc/rc\.d/init\.d/bcfg2					--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
-+
+@@ -1,5 +1,7 @@
+ /etc/rc\.d/init\.d/bcfg2					--	gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
+ 
 +/usr/lib/systemd/system/bcfg2-server.*		--	gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
 +
-+/usr/sbin/bcfg2-server						--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
-+
-+/var/lib/bcfg2(/.*)?							gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
-+
-+/var/run/bcfg2-server\.pid					--	gen_context(system_u:object_r:bcfg2_var_run_t,s0)
+ /usr/sbin/bcfg2-server						--	gen_context(system_u:object_r:bcfg2_exec_t,s0)
+ 
+ /var/lib/bcfg2(/.*)?							gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
 diff --git a/bcfg2.if b/bcfg2.if
-new file mode 100644
-index 0000000..9a1d5f5
---- /dev/null
+index b289d93..070f22b 100644
+--- a/bcfg2.if
 +++ b/bcfg2.if
-@@ -0,0 +1,185 @@
-+
-+## <summary>bcfg2-server daemon which serves configurations to clients based on the data in its repository </summary>
-+
-+########################################
-+## <summary>
-+##	Execute bcfg2 in the bcfg2 domain..
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`bcfg2_domtrans',`
-+	gen_require(`
-+		type bcfg2_t, bcfg2_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domtrans_pattern($1, bcfg2_exec_t, bcfg2_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Execute bcfg2 server in the bcfg2 domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`bcfg2_initrc_domtrans',`
-+	gen_require(`
-+		type bcfg2_initrc_exec_t;
-+	')
-+
-+	init_labeled_script_domtrans($1, bcfg2_initrc_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Search bcfg2 lib directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`bcfg2_search_lib',`
-+	gen_require(`
-+		type bcfg2_var_lib_t;
-+	')
-+
-+	allow $1 bcfg2_var_lib_t:dir search_dir_perms;
-+	files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Read bcfg2 lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`bcfg2_read_lib_files',`
-+	gen_require(`
-+		type bcfg2_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+	read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage bcfg2 lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`bcfg2_manage_lib_files',`
-+	gen_require(`
-+		type bcfg2_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+	manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage bcfg2 lib directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`bcfg2_manage_lib_dirs',`
-+	gen_require(`
-+		type bcfg2_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+	manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
+@@ -115,6 +115,31 @@ interface(`bcfg2_manage_lib_dirs',`
+ 
+ ########################################
+ ## <summary>
 +##	Execute bcfg2 server in the bcfg2 domain.
 +## </summary>
 +## <param name="domain">
@@ -5014,108 +4895,45 @@ index 0000000..9a1d5f5
 +
 +########################################
 +## <summary>
-+##	All of the rules required to administrate
-+##	an bcfg2 environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`bcfg2_admin',`
-+	gen_require(`
-+		type bcfg2_t;
-+		type bcfg2_initrc_exec_t;
-+		type bcfg2_var_lib_t;
+ ##	All of the rules required to administrate
+ ##	an bcfg2 environment
+ ## </summary>
+@@ -135,6 +160,7 @@ interface(`bcfg2_admin',`
+ 		type bcfg2_t;
+ 		type bcfg2_initrc_exec_t;
+ 		type bcfg2_var_lib_t;
 +	type bcfg2_unit_file_t;
-+	')
-+
-+	allow $1 bcfg2_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, bcfg2_t)
-+
-+	bcfg2_initrc_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 bcfg2_initrc_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_search_var_lib($1)
-+	admin_pattern($1, bcfg2_var_lib_t)
+ 	')
+ 
+ 	allow $1 bcfg2_t:process { ptrace signal_perms };
+@@ -147,4 +173,13 @@ interface(`bcfg2_admin',`
+ 
+ 	files_search_var_lib($1)
+ 	admin_pattern($1, bcfg2_var_lib_t)
 +
 +	bcfg2_systemctl($1)
 +	admin_pattern($1, bcfg2_unit_file_t)
 +	allow $1 bcfg2_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
 +	')
-+')
+ ')
 diff --git a/bcfg2.te b/bcfg2.te
-new file mode 100644
-index 0000000..7b560ac
---- /dev/null
+index cf8e59f..4c6b5cf 100644
+--- a/bcfg2.te
 +++ b/bcfg2.te
-@@ -0,0 +1,54 @@
-+policy_module(bcfg2, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type bcfg2_t;
-+type bcfg2_exec_t;
-+init_daemon_domain(bcfg2_t, bcfg2_exec_t)
-+
-+type bcfg2_initrc_exec_t;
-+init_script_file(bcfg2_initrc_exec_t)
-+
-+type bcfg2_var_lib_t;
-+files_type(bcfg2_var_lib_t)
-+
+@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
+ type bcfg2_var_lib_t;
+ files_type(bcfg2_var_lib_t)
+ 
 +type bcfg2_unit_file_t;
 +systemd_unit_file(bcfg2_unit_file_t)
 +
-+type bcfg2_var_run_t;
-+files_pid_file(bcfg2_var_run_t)
-+
-+########################################
-+#
-+# bcfg2 local policy
-+#
-+
-+allow bcfg2_t self:fifo_file rw_fifo_file_perms;
-+allow bcfg2_t self:tcp_socket create_stream_socket_perms;
-+allow bcfg2_t self:unix_stream_socket { connectto create_stream_socket_perms };
-+
-+manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
-+files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir )
-+
-+manage_files_pattern(bcfg2_t, bcfg2_var_run_t,bcfg2_var_run_t)
-+files_pid_filetrans(bcfg2_t,bcfg2_var_run_t, file )
-+
-+kernel_read_system_state(bcfg2_t)
-+
-+corecmd_exec_bin(bcfg2_t)
-+
-+dev_read_urand(bcfg2_t)
-+
-+domain_use_interactive_fds(bcfg2_t)
-+
-+files_read_usr_files(bcfg2_t)
-+
-+auth_use_nsswitch(bcfg2_t)
-+
-+logging_send_syslog_msg(bcfg2_t)
-+
-+miscfiles_read_localization(bcfg2_t)
+ type bcfg2_var_run_t;
+ files_pid_file(bcfg2_var_run_t)
+ 
 diff --git a/bind.fc b/bind.fc
 index 59aa54f..b01072c 100644
 --- a/bind.fc
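Review bot: In the bcfg2.if part of this hunk, the `type bcfg2_unit_file_t;` line added to the `gen_require` of `bcfg2_admin` is indented with one tab while the three declarations before it use two. Now that the section is a small delta against the upstream file instead of a whole new file, re-indent it to match its siblings. The added rules also give `$1` both `bcfg2_systemctl($1)` and `allow $1 bcfg2_unit_file_t:service all_service_perms;`, on top of the existing `ptrace` on `bcfg2_t`. A one-line comment above them, such as `# admin role controls the bcfg2 service and manages its unit file`, would record that this breadth is intended. The body of `bcfg2_admin` between the inner hunks is not visible here.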
@@ -5296,7 +5114,7 @@ index 44a1e3d..9b50c13 100644
 +	allow $1 named_unit_file_t:service all_service_perms;
  ')
 diff --git a/bind.te b/bind.te
-index 4deca04..ecf98a1 100644
+index 0968cb4..398a7eb 100644
 --- a/bind.te
 +++ b/bind.te
 @@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
@@ -5392,7 +5210,7 @@ index 4deca04..ecf98a1 100644
  	init_dbus_chat_script(named_t)
  
  	sysnet_dbus_chat_dhcpc(named_t)
-@@ -206,13 +226,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
+@@ -211,13 +231,13 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
  stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
  
  allow ndc_t named_conf_t:file read_file_perms;
@@ -5408,7 +5226,7 @@ index 4deca04..ecf98a1 100644
  corenet_all_recvfrom_netlabel(ndc_t)
  corenet_tcp_sendrecv_generic_if(ndc_t)
  corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -223,11 +243,12 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
+@@ -228,11 +248,12 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
  
  domain_use_interactive_fds(ndc_t)
  
@@ -5422,7 +5240,7 @@ index 4deca04..ecf98a1 100644
  init_use_fds(ndc_t)
  init_use_script_ptys(ndc_t)
  
-@@ -235,16 +256,15 @@ logging_send_syslog_msg(ndc_t)
+@@ -240,16 +261,15 @@ logging_send_syslog_msg(ndc_t)
  
  miscfiles_read_localization(ndc_t)
  
@@ -5572,172 +5390,22 @@ index f4e7ad3..9aaf3f6 100644
  	# normally started from inetd using tcpwrappers, so use those entry points
  	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
 diff --git a/blueman.fc b/blueman.fc
-new file mode 100644
-index 0000000..98ba16a
---- /dev/null
+index 6355318..98ba16a 100644
+--- a/blueman.fc
 +++ b/blueman.fc
-@@ -0,0 +1,4 @@
-+
-+/usr/libexec/blueman-mechanism	--	gen_context(system_u:object_r:blueman_exec_t,s0)
-+
-+/var/lib/blueman(/.*)?			gen_context(system_u:object_r:blueman_var_lib_t,s0)
-diff --git a/blueman.if b/blueman.if
-new file mode 100644
-index 0000000..d941245
---- /dev/null
-+++ b/blueman.if
-@@ -0,0 +1,99 @@
-+## <summary>Blueman is a tool to use Bluetooth devices</summary>
-+
-+########################################
-+## <summary>
-+##	Execute blueman in the blueman domain..
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`blueman_domtrans',`
-+	gen_require(`
-+		type blueman_t, blueman_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domtrans_pattern($1, blueman_exec_t, blueman_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Send and receive messages from
-+##	blueman over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`blueman_dbus_chat',`
-+	gen_require(`
-+		type blueman_t;
-+		class dbus send_msg;
-+	')
-+
-+	allow $1 blueman_t:dbus send_msg;
-+	allow blueman_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+##	Search blueman lib directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`blueman_search_lib',`
-+	gen_require(`
-+		type blueman_var_lib_t;
-+	')
-+
-+	allow $1 blueman_var_lib_t:dir search_dir_perms;
-+	files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Read blueman lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`blueman_read_lib_files',`
-+	gen_require(`
-+		type blueman_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+	read_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete
-+##	blueman lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`blueman_manage_lib_files',`
-+	gen_require(`
-+		type blueman_var_lib_t;
-+	')
+@@ -1,3 +1,4 @@
 +
-+	files_search_var_lib($1)
-+	manage_files_pattern($1, blueman_var_lib_t, blueman_var_lib_t)
-+')
+ /usr/libexec/blueman-mechanism	--	gen_context(system_u:object_r:blueman_exec_t,s0)
+ 
+ /var/lib/blueman(/.*)?			gen_context(system_u:object_r:blueman_var_lib_t,s0)
 diff --git a/blueman.te b/blueman.te
-new file mode 100644
-index 0000000..5d26a60
---- /dev/null
+index 70969fa..5d26a60 100644
+--- a/blueman.te
 +++ b/blueman.te
-@@ -0,0 +1,54 @@
-+policy_module(blueman, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type blueman_t;
-+type blueman_exec_t;
-+dbus_system_domain(blueman_t, blueman_exec_t)
-+init_daemon_domain(blueman_t, blueman_exec_t)
-+
-+type blueman_var_lib_t;
-+files_type(blueman_var_lib_t)
-+
-+########################################
-+#
-+# blueman local policy
-+#
-+allow blueman_t self:fifo_file rw_fifo_file_perms;
-+
-+manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
-+manage_files_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
-+files_var_lib_filetrans(blueman_t, blueman_var_lib_t, dir)
-+
-+kernel_read_system_state(blueman_t)
-+
-+corecmd_exec_bin(blueman_t)
-+
-+dev_read_rand(blueman_t)
-+dev_read_urand(blueman_t)
-+dev_rw_wireless(blueman_t)
-+
-+domain_use_interactive_fds(blueman_t)
-+
-+files_read_usr_files(blueman_t)
-+
-+auth_use_nsswitch(blueman_t)
-+
-+logging_send_syslog_msg(blueman_t)
-+
-+miscfiles_read_localization(blueman_t)
-+
-+optional_policy(`
-+	avahi_domtrans(blueman_t)
-+')
+@@ -44,3 +44,11 @@ miscfiles_read_localization(blueman_t)
+ optional_policy(`
+ 	avahi_domtrans(blueman_t)
+ ')
 +
 +optional_policy(`
 +	gnome_search_gconf(blueman_t)
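Review bot: The blueman.fc section that remains after the rebase (`@@ -1,3 +1,4 @@`) adds only an empty first line to the upstream file and changes no file context. It could be dropped from the patch so that blueman.fc stops being a rebase conflict point for a whitespace-only difference. The blueman.te section is cut off after `gnome_search_gconf(blueman_t)`, so the rest of that optional block is not reviewed here.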
@@ -8139,10 +7807,10 @@ index 0000000..efebae7
 +')
 diff --git a/chrome.te b/chrome.te
 new file mode 100644
-index 0000000..b3b6ffe
+index 0000000..dc13756
 --- /dev/null
 +++ b/chrome.te
-@@ -0,0 +1,183 @@
+@@ -0,0 +1,182 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -8325,7 +7993,6 @@ index 0000000..b3b6ffe
 +optional_policy(`
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
 +')
-+
 diff --git a/chronyd.fc b/chronyd.fc
 index fd8cd0b..f33885f 100644
 --- a/chronyd.fc
@@ -8776,11 +8443,11 @@ index bbac14a..99c5cca 100644
 +
  ')
 diff --git a/clamav.te b/clamav.te
-index 5b7a1d7..e75455f 100644
+index a10350e..47f77db 100644
 --- a/clamav.te
 +++ b/clamav.te
 @@ -1,9 +1,23 @@
- policy_module(clamav, 1.9.1)
+ policy_module(clamav, 1.10.0)
  
  ## <desc>
 -## <p>
@@ -12008,7 +11675,7 @@ index 9971337..476f1e2 100644
  ')
  
 diff --git a/courier.te b/courier.te
-index 785088b..b6e2895 100644
+index d034450..8478094 100644
 --- a/courier.te
 +++ b/courier.te
 @@ -15,7 +15,7 @@ courier_domain_template(pcp)
@@ -13725,7 +13392,7 @@ index 305ddf4..11d010a 100644
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/cups.te b/cups.te
-index 6e7f1b6..9f6cabb 100644
+index e5a8924..abb85c3 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -14223,7 +13890,7 @@ index e4e86d0..7c30655 100644
  	domain_system_change_exemption($1)
  	role_transition $2 cyrus_initrc_exec_t system_r;
 diff --git a/cyrus.te b/cyrus.te
-index a531e6f..323da45 100644
+index 097fdcc..373c8ca 100644
 --- a/cyrus.te
 +++ b/cyrus.te
 @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -14775,7 +14442,7 @@ index fb4bf82..115133d 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 8e7ba54..edb1219 100644
+index 625cb32..ac27bd9 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -16104,7 +15771,7 @@ index 5e2cea8..2ab8a14 100644
 +	allow $1 dhcpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/dhcp.te b/dhcp.te
-index 54b794f..63eae1d 100644
+index ed07b26..624922d 100644
 --- a/dhcp.te
 +++ b/dhcp.te
 @@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -17965,10 +17632,10 @@ index 4d32b42..78736d8 100644
  
  ########################################
 diff --git a/dpkg.te b/dpkg.te
-index a1b8f92..b362622 100644
+index 52725c4..c751c48 100644
 --- a/dpkg.te
 +++ b/dpkg.te
-@@ -5,8 +5,8 @@ policy_module(dpkg, 1.9.1)
+@@ -5,8 +5,8 @@ policy_module(dpkg, 1.10.0)
  # Declarations
  #
  
@@ -20203,10 +19870,10 @@ index 9d3201b..6e75e3d 100644
 +	allow $1 ftpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ftp.te b/ftp.te
-index 4285c83..4f2cd97 100644
+index 80026bb..3045d40 100644
 --- a/ftp.te
 +++ b/ftp.te
-@@ -12,7 +12,7 @@ policy_module(ftp, 1.13.1)
+@@ -12,7 +12,7 @@ policy_module(ftp, 1.14.0)
  ## public_content_rw_t.
  ## </p>
  ## </desc>
@@ -21206,7 +20873,7 @@ index b0242d9..5126181 100644
 +	userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index 58c3c61..9595f7c 100644
+index 6e8e1f3..aa176c4 100644
 --- a/git.te
 +++ b/git.te
 @@ -31,6 +31,15 @@ gen_tunable(git_cgi_use_nfs, false)
@@ -21264,12 +20931,8 @@ index 58c3c61..9595f7c 100644
  corenet_tcp_bind_generic_node(git_session_t)
  corenet_tcp_sendrecv_generic_if(git_session_t)
  corenet_tcp_sendrecv_generic_node(git_session_t)
-@@ -108,8 +123,15 @@ corenet_tcp_bind_git_port(git_session_t)
- corenet_tcp_sendrecv_git_port(git_session_t)
- corenet_sendrecv_git_server_packets(git_session_t)
+@@ -112,6 +127,11 @@ auth_use_nsswitch(git_session_t)
  
-+auth_use_nsswitch(git_session_t)
-+
  userdom_use_user_terminals(git_session_t)
  
 +tunable_policy(`git_session_bind_all_unreserved_ports',`
@@ -21280,7 +20943,7 @@ index 58c3c61..9595f7c 100644
  tunable_policy(`git_session_send_syslog_msg',`
  	logging_send_syslog_msg(git_session_t)
  ')
-@@ -131,10 +153,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -133,8 +153,8 @@ tunable_policy(`use_samba_home_dirs',`
  # Git system policy
  #
  
@@ -21290,12 +20953,8 @@ index 58c3c61..9595f7c 100644
 +read_files_pattern(git_system_t, git_content, git_content)
  files_search_var_lib(git_system_t)
  
-+auth_use_nsswitch(git_system_t)
-+
- logging_send_syslog_msg(git_system_t)
- 
- tunable_policy(`git_system_enable_homedirs',`
-@@ -170,8 +194,8 @@ tunable_policy(`git_system_use_nfs',`
+ auth_use_nsswitch(git_system_t)
+@@ -174,8 +194,8 @@ tunable_policy(`git_system_use_nfs',`
  # Git CGI policy
  #
  
@@ -21306,12 +20965,9 @@ index 58c3c61..9595f7c 100644
  files_search_var_lib(httpd_git_script_t)
  
  files_dontaudit_getattr_tmp_dirs(httpd_git_script_t)
-@@ -221,6 +245,11 @@ files_read_usr_files(git_daemon)
- 
+@@ -226,3 +246,10 @@ files_read_usr_files(git_daemon)
  fs_search_auto_mountpoints(git_daemon)
  
--auth_use_nsswitch(git_daemon)
--
  miscfiles_read_localization(git_daemon)
 +
 +########################################
@@ -23741,14 +23397,10 @@ index 6d50300..46cc164 100644
  ## <summary>
  ##	Send generic signals to user gpg processes.
 diff --git a/gpg.te b/gpg.te
-index 156820c..50c208c 100644
+index 72a113e..2af9ab1 100644
 --- a/gpg.te
 +++ b/gpg.te
-@@ -1,9 +1,10 @@
--policy_module(gpg, 2.5.1)
-+policy_module(gpg, 2.4.0)
- 
- ########################################
+@@ -4,6 +4,7 @@ policy_module(gpg, 2.6.0)
  #
  # Declarations
  #
@@ -23756,7 +23408,7 @@ index 156820c..50c208c 100644
  
  ## <desc>
  ## <p>
-@@ -13,23 +14,34 @@ policy_module(gpg, 2.5.1)
+@@ -13,23 +14,34 @@ policy_module(gpg, 2.6.0)
  ## </desc>
  gen_tunable(gpg_agent_env_file, false)
  
@@ -24913,10 +24565,10 @@ index ebc9e0d..2c4b5da 100644
  	init_labeled_script_domtrans($1, innd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/inn.te b/inn.te
-index 22f449a..4d38202 100644
+index 7311364..0a5f8e0 100644
 --- a/inn.te
 +++ b/inn.te
-@@ -4,6 +4,7 @@ policy_module(inn, 1.9.1)
+@@ -4,6 +4,7 @@ policy_module(inn, 1.10.0)
  #
  # Declarations
  #
@@ -25921,7 +25573,7 @@ index 53e53ca..92520eb 100644
 +
 +sysnet_read_config(jabberd_domain)
 diff --git a/java.fc b/java.fc
-index 72f3df0..43b488f 100644
+index bc1a419..f630930 100644
 --- a/java.fc
 +++ b/java.fc
 @@ -28,8 +28,6 @@
@@ -25934,10 +25586,10 @@ index 72f3df0..43b488f 100644
  
  ifdef(`distro_redhat',`
 diff --git a/java.te b/java.te
-index 95771f4..9d7f599 100644
+index ff52c16..22a761a 100644
 --- a/java.te
 +++ b/java.te
-@@ -10,7 +10,7 @@ policy_module(java, 2.5.1)
+@@ -10,7 +10,7 @@ policy_module(java, 2.6.0)
  ## Allow java executable stack
  ## </p>
  ## </desc>
@@ -27166,7 +26818,7 @@ index 604f67b..71b1df2 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
 +')
 diff --git a/kerberos.te b/kerberos.te
-index 8edc29b..9e9473d 100644
+index 6a95faf..9e9473d 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -10,7 +10,7 @@ policy_module(kerberos, 1.11.0)
@@ -27258,14 +26910,10 @@ index 8edc29b..9e9473d 100644
  miscfiles_read_localization(kadmind_t)
  
  seutil_read_file_contexts(kadmind_t)
-@@ -160,6 +164,14 @@ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
- userdom_dontaudit_search_user_home_dirs(kadmind_t)
+@@ -164,6 +168,10 @@ optional_policy(`
+ ')
  
  optional_policy(`
-+	ldap_stream_connect(kadmind_t)
-+')
-+
-+optional_policy(`
 +	dirsrv_stream_connect(kadmind_t)
 +')
 +
@@ -27273,7 +26921,7 @@ index 8edc29b..9e9473d 100644
  	nis_use_ypbind(kadmind_t)
  ')
  
-@@ -193,13 +205,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+@@ -197,13 +205,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
  read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
  dontaudit krb5kdc_t krb5kdc_conf_t:file write;
  
@@ -27289,7 +26937,7 @@ index 8edc29b..9e9473d 100644
  
  manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
  manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -217,7 +228,6 @@ kernel_search_network_sysctl(krb5kdc_t)
+@@ -221,7 +228,6 @@ kernel_search_network_sysctl(krb5kdc_t)
  
  corecmd_exec_bin(krb5kdc_t)
  
@@ -27297,7 +26945,7 @@ index 8edc29b..9e9473d 100644
  corenet_all_recvfrom_netlabel(krb5kdc_t)
  corenet_tcp_sendrecv_generic_if(krb5kdc_t)
  corenet_udp_sendrecv_generic_if(krb5kdc_t)
-@@ -249,6 +259,7 @@ selinux_validate_context(krb5kdc_t)
+@@ -253,6 +259,7 @@ selinux_validate_context(krb5kdc_t)
  
  logging_send_syslog_msg(krb5kdc_t)
  
@@ -27305,14 +26953,10 @@ index 8edc29b..9e9473d 100644
  miscfiles_read_localization(krb5kdc_t)
  
  seutil_read_file_contexts(krb5kdc_t)
-@@ -260,6 +271,14 @@ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
- userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+@@ -268,6 +275,10 @@ optional_policy(`
+ ')
  
  optional_policy(`
-+	ldap_stream_connect(krb5kdc_t)
-+')
-+
-+optional_policy(`
 +	dirsrv_stream_connect(krb5kdc_t)
 +')
 +
@@ -27320,7 +26964,7 @@ index 8edc29b..9e9473d 100644
  	nis_use_ypbind(krb5kdc_t)
  ')
  
-@@ -300,7 +319,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -308,7 +319,6 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
  
  corecmd_exec_bin(kpropd_t)
  
@@ -28307,7 +27951,7 @@ index c62f23e..04b74f0 100644
  /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
  
 diff --git a/ldap.if b/ldap.if
-index 3aa8fa7..9539b76 100644
+index d6b7b2d..bc0ccb3 100644
 --- a/ldap.if
 +++ b/ldap.if
 @@ -1,5 +1,64 @@
@@ -28401,17 +28045,7 @@ index 3aa8fa7..9539b76 100644
  ##	Read the OpenLDAP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -69,8 +147,7 @@ interface(`ldap_stream_connect',`
- 	')
- 
- 	files_search_pids($1)
--	allow $1 slapd_var_run_t:sock_file write;
--	allow $1 slapd_t:unix_stream_socket connectto;
-+	stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
- ')
- 
- ########################################
-@@ -95,10 +172,14 @@ interface(`ldap_admin',`
+@@ -94,10 +172,14 @@ interface(`ldap_admin',`
  		type slapd_t, slapd_tmp_t, slapd_replog_t;
  		type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
  		type slapd_initrc_exec_t;
@@ -28427,7 +28061,7 @@ index 3aa8fa7..9539b76 100644
  
  	init_labeled_script_domtrans($1, slapd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -110,6 +191,7 @@ interface(`ldap_admin',`
+@@ -109,6 +191,7 @@ interface(`ldap_admin',`
  
  	admin_pattern($1, slapd_lock_t)
  
@@ -28435,7 +28069,7 @@ index 3aa8fa7..9539b76 100644
  	admin_pattern($1, slapd_replog_t)
  
  	files_list_tmp($1)
-@@ -117,4 +199,8 @@ interface(`ldap_admin',`
+@@ -116,4 +199,8 @@ interface(`ldap_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, slapd_var_run_t)
@@ -29793,7 +29427,7 @@ index 67c7fdd..20fded2 100644
  ## <summary>
  ##	Execute mailman CGI scripts in the 
 diff --git a/mailman.te b/mailman.te
-index afa7a2e..30bdd7a 100644
+index 22265f0..ad18986 100644
 --- a/mailman.te
 +++ b/mailman.te
 @@ -19,6 +19,9 @@ logging_log_file(mailman_log_t)
@@ -32103,10 +31737,10 @@ index b397fde..25a03ce 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 0724816..85fd964 100644
+index d4fcb75..b1d28b7 100644
 --- a/mozilla.te
 +++ b/mozilla.te
-@@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3)
+@@ -12,14 +12,22 @@ policy_module(mozilla, 2.6.0)
  ## </desc>
  gen_tunable(mozilla_read_content, false)
  
@@ -33625,7 +33259,7 @@ index 4e2a5ba..c3643f0 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index 25151b4..507c17e 100644
+index 84a7d66..f887c9e 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -20,14 +20,19 @@ files_type(etc_aliases_t)
@@ -34168,7 +33802,7 @@ index c358d8f..7c097ec 100644
  	init_labeled_script_domtrans($1, munin_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/munin.te b/munin.te
-index f17583b..6fd4f42 100644
+index f17583b..a363924 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -34289,26 +33923,29 @@ index f17583b..6fd4f42 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -221,30 +232,43 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,30 +232,47 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
  dev_read_urand(mail_munin_plugin_t)
  
 -files_read_etc_files(mail_munin_plugin_t)
--
++logging_read_generic_logs(mail_munin_plugin_t)
+ 
 -fs_getattr_all_fs(mail_munin_plugin_t)
--
- logging_read_generic_logs(mail_munin_plugin_t)
++optional_policy(`
++	exim_read_log(mail_munin_plugin_t)
++')
  
--mta_read_config(mail_munin_plugin_t)
--mta_send_mail(mail_munin_plugin_t)
--mta_read_queue(mail_munin_plugin_t)
+-logging_read_generic_logs(mail_munin_plugin_t)
 +optional_policy(`
 +	mta_read_config(mail_munin_plugin_t)
 +	mta_send_mail(mail_munin_plugin_t)
 +	mta_list_queue(mail_munin_plugin_t)
 +	mta_read_queue(mail_munin_plugin_t)
 +')
-+
+ 
+-mta_read_config(mail_munin_plugin_t)
+-mta_send_mail(mail_munin_plugin_t)
+-mta_read_queue(mail_munin_plugin_t)
 +optional_policy(`
 +	nscd_socket_use(mail_munin_plugin_t)
 +')
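Review bot: The new `exim_read_log(mail_munin_plugin_t)` block is the only functional addition in this hunk, and nothing says which plugin needs it. I would put a comment above the `optional_policy`, e.g. `# munin exim plugins parse the exim log`, after confirming that against the denial that prompted it. The inner hunk also removes `files_read_etc_files` and `fs_getattr_all_fs` from `mail_munin_plugin_t`; that is only safe if a shared plugin attribute grants them elsewhere in the patch, which is not visible in this hunk.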
@@ -34340,7 +33977,7 @@ index f17583b..6fd4f42 100644
  allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  allow services_munin_plugin_t self:udp_socket create_socket_perms;
  allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +279,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +283,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
  dev_read_urand(services_munin_plugin_t)
  dev_read_rand(services_munin_plugin_t)
  
@@ -34355,7 +33992,7 @@ index f17583b..6fd4f42 100644
  	cups_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -279,6 +300,10 @@ optional_policy(`
+@@ -279,6 +304,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34366,7 +34003,7 @@ index f17583b..6fd4f42 100644
  	postgresql_stream_connect(services_munin_plugin_t)
  ')
  
-@@ -286,6 +311,10 @@ optional_policy(`
+@@ -286,6 +315,10 @@ optional_policy(`
  	snmp_read_snmp_var_lib_files(services_munin_plugin_t)
  ')
  
@@ -34377,7 +34014,7 @@ index f17583b..6fd4f42 100644
  ##################################
  #
  # local policy for system plugins
-@@ -295,12 +324,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,12 +328,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
  
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -34393,7 +34030,7 @@ index f17583b..6fd4f42 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +340,36 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +344,36 @@ init_read_utmp(system_munin_plugin_t)
  sysnet_exec_ifconfig(system_munin_plugin_t)
  
  term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -35055,15 +34692,10 @@ index 8581040..7d8e93b 100644
  	init_labeled_script_domtrans($1, nagios_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/nagios.te b/nagios.te
-index 1fadd94..b6eec03 100644
+index c3e2a2d..f5afc60 100644
 --- a/nagios.te
 +++ b/nagios.te
-@@ -1,10 +1,12 @@
--policy_module(nagios, 1.11.1)
-+policy_module(nagios, 1.10.0)
- 
- ########################################
- #
+@@ -5,6 +5,8 @@ policy_module(nagios, 1.12.0)
  # Declarations
  #
  
@@ -35592,7 +35224,7 @@ index f19ca0b..dfc1ba2 100644
 +	#netutils_run(ncftool_t, ncftool_roles)
  ')
 diff --git a/nessus.te b/nessus.te
-index 4bfd50e..fcc4eba 100644
+index abf25da..16322b7 100644
 --- a/nessus.te
 +++ b/nessus.te
 @@ -56,7 +56,6 @@ kernel_read_kernel_sysctls(nessusd_t)
@@ -36297,7 +35929,7 @@ index abe3f7f..6b31271 100644
 +
  ')
 diff --git a/nis.te b/nis.te
-index 4caa041..0c2c426 100644
+index f27899c..ba3f6a9 100644
 --- a/nis.te
 +++ b/nis.te
 @@ -18,11 +18,14 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -37187,7 +36819,7 @@ index 23c769c..0398e70 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/nslcd.te b/nslcd.te
-index 4e28d58..0551354 100644
+index 01594c8..fad9434 100644
 --- a/nslcd.te
 +++ b/nslcd.te
 @@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -37208,29 +36840,28 @@ index 4e28d58..0551354 100644
  allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
  
  allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -36,10 +36,22 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
- 
- kernel_read_system_state(nslcd_t)
+@@ -42,6 +42,8 @@ corenet_tcp_connect_ldap_port(nslcd_t)
+ corenet_sendrecv_ldap_client_packets(nslcd_t)
  
--files_read_etc_files(nslcd_t)
+ files_read_etc_files(nslcd_t)
 +files_read_usr_symlinks(nslcd_t)
 +files_list_tmp(nslcd_t)
  
  auth_use_nsswitch(nslcd_t)
  
- logging_send_syslog_msg(nslcd_t)
+@@ -49,6 +51,13 @@ logging_send_syslog_msg(nslcd_t)
  
  miscfiles_read_localization(nslcd_t)
-+
+ 
 +userdom_read_user_tmp_files(nslcd_t)
 +
 +optional_policy(`
 +	dirsrv_stream_connect(nslcd_t)
 +')
 +
-+optional_policy(`
-+	ldap_stream_connect(nslcd_t)
-+')
+ optional_policy(`
+ 	ldap_stream_connect(nslcd_t)
+ ')
 +
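Review bot: `files_list_tmp(nslcd_t)` and `userdom_read_user_tmp_files(nslcd_t)` are carried through the rebase without a comment, and read access to users' temporary files is a broad grant for a name-service daemon. Record the reason next to the rules, e.g. `# TODO(review): confirm why nslcd reads user tmp files (credential cache?)`, or drop them if no current denial justifies them. The rebased inner hunk `@@ -49,6 +51,13 @@` also ends with an added empty line after the closing `')` of the `ldap_stream_connect` block. That appears to leave a trailing blank line at the end of nslcd.te and can be removed.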
 diff --git a/nsplugin.fc b/nsplugin.fc
 new file mode 100644
@@ -38767,7 +38398,7 @@ index bd76ec2..28c4f00 100644
  ## <summary>
  ##	Execute a domain transition to run oddjob_mkhomedir.
 diff --git a/oddjob.te b/oddjob.te
-index 36df5a2..2fee791 100644
+index a17ba31..9500f31 100644
 --- a/oddjob.te
 +++ b/oddjob.te
 @@ -51,7 +51,8 @@ mcs_process_set_categories(oddjob_t)
@@ -41990,10 +41621,10 @@ index 0000000..00b432b
 +
 +userdom_home_manager(polipo_session_t)
 diff --git a/portage.fc b/portage.fc
-index 1d5b4e5..a79acdd 100644
+index d9b2a90..5b0e6f8 100644
 --- a/portage.fc
 +++ b/portage.fc
-@@ -23,7 +23,7 @@
+@@ -25,7 +25,7 @@
  /var/db/pkg(/.*)?			gen_context(system_u:object_r:portage_db_t,s0)
  /var/cache/edb(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
  /var/log/emerge\.log.*		--	gen_context(system_u:object_r:portage_log_t,s0)
@@ -42003,7 +41634,7 @@ index 1d5b4e5..a79acdd 100644
  /var/lib/layman(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
  /var/lib/portage(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
 diff --git a/portage.if b/portage.if
-index b4bb48a..b52100d 100644
+index 08ac5af..9c4aa3c 100644
 --- a/portage.if
 +++ b/portage.if
 @@ -43,11 +43,15 @@ interface(`portage_domtrans',`
@@ -42034,10 +41665,10 @@ index b4bb48a..b52100d 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
 diff --git a/portage.te b/portage.te
-index 2af04b9..7255594 100644
+index 630f16f..c49cdd9 100644
 --- a/portage.te
 +++ b/portage.te
-@@ -12,7 +12,7 @@ policy_module(portage, 1.12.4)
+@@ -12,7 +12,7 @@ policy_module(portage, 1.13.0)
  ## </desc>
  gen_tunable(portage_use_nfs, false)
  
@@ -42109,7 +41740,7 @@ index 2af04b9..7255594 100644
  
  ifdef(`distro_gentoo',`
  	init_exec_rc(gcc_config_t)
-@@ -194,33 +200,41 @@ auth_manage_shadow(portage_t)
+@@ -198,33 +204,41 @@ auth_manage_shadow(portage_t)
  init_exec(portage_t)
  
  # run setfiles -r
@@ -42164,7 +41795,7 @@ index 2af04b9..7255594 100644
  
  ifdef(`TODO',`
  # seems to work ok without these
-@@ -265,7 +279,6 @@ kernel_read_kernel_sysctls(portage_fetch_t)
+@@ -271,7 +285,6 @@ kernel_read_kernel_sysctls(portage_fetch_t)
  corecmd_exec_bin(portage_fetch_t)
  corecmd_exec_shell(portage_fetch_t)
  
@@ -42172,7 +41803,7 @@ index 2af04b9..7255594 100644
  corenet_all_recvfrom_netlabel(portage_fetch_t)
  corenet_tcp_sendrecv_generic_if(portage_fetch_t)
  corenet_tcp_sendrecv_generic_node(portage_fetch_t)
-@@ -302,11 +315,9 @@ miscfiles_read_localization(portage_fetch_t)
+@@ -308,11 +321,9 @@ miscfiles_read_localization(portage_fetch_t)
  sysnet_read_config(portage_fetch_t)
  sysnet_dns_name_resolve(portage_fetch_t)
  
@@ -42185,7 +41816,7 @@ index 2af04b9..7255594 100644
  ifdef(`hide_broken_symptoms',`
  	dontaudit portage_fetch_t portage_cache_t:file read;
  ')
-@@ -322,6 +333,10 @@ optional_policy(`
+@@ -328,6 +339,10 @@ optional_policy(`
  	gpg_exec(portage_fetch_t)
  ')
  
@@ -42842,15 +42473,10 @@ index 46bee12..61cc81a 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index 69cbd06..fb3486f 100644
+index a1e0f60..4baf9a4 100644
 --- a/postfix.te
 +++ b/postfix.te
-@@ -1,10 +1,19 @@
--policy_module(postfix, 1.13.1)
-+policy_module(postfix, 1.12.1)
- 
- ########################################
- #
+@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
  # Declarations
  #
  
@@ -42978,7 +42604,16 @@ index 69cbd06..fb3486f 100644
  corenet_tcp_bind_generic_node(postfix_master_t)
  corenet_tcp_bind_amavisd_send_port(postfix_master_t)
  corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
+@@ -157,6 +174,8 @@ corenet_tcp_connect_all_ports(postfix_master_t)
+ corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
+ corenet_sendrecv_smtp_server_packets(postfix_master_t)
+ corenet_sendrecv_all_client_packets(postfix_master_t)
++# for spampd
++corenet_tcp_bind_spamd_port(postfix_master_t)
+ 
+ # for a find command
+ selinux_dontaudit_search_fs(postfix_master_t)
+@@ -167,6 +186,10 @@ corecmd_exec_bin(postfix_master_t)
  domain_use_interactive_fds(postfix_master_t)
  
  files_read_usr_files(postfix_master_t)
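Review bot: The added `corenet_tcp_bind_spamd_port(postfix_master_t)` has no matching server-packets rule, while the amavisd_send and smtp binds in the surrounding context each have their `corenet_sendrecv_*_server_packets` line. For consistency, and so the rule set stays complete where labeled packets are enforced, add `corenet_sendrecv_spamd_server_packets(postfix_master_t)` under the `# for spampd` comment. The bind is also unconditional; if spampd is not always started by the postfix master, a tunable would keep the default policy tighter. The rest of the postfix_master_t rules lie outside this hunk.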
@@ -42989,7 +42624,7 @@ index 69cbd06..fb3486f 100644
  
  term_dontaudit_search_ptys(postfix_master_t)
  
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +243,17 @@ allow postfix_bounce_t self:capability dac_read_search;
  allow postfix_bounce_t self:tcp_socket create_socket_perms;
  
  allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -43008,7 +42643,7 @@ index 69cbd06..fb3486f 100644
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -237,18 +262,24 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -237,18 +264,24 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
  #
  
  allow postfix_cleanup_t self:process setrlimit;
@@ -43033,7 +42668,7 @@ index 69cbd06..fb3486f 100644
  allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
  
  corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,7 +295,6 @@ optional_policy(`
+@@ -264,7 +297,6 @@ optional_policy(`
  # Postfix local local policy
  #
  
@@ -43041,7 +42676,7 @@ index 69cbd06..fb3486f 100644
  allow postfix_local_t self:process { setsched setrlimit };
  
  # connect to master process
-@@ -273,12 +303,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,12 +305,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
  # for .forward - maybe we need a new type for it?
  rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
  
@@ -43056,7 +42691,7 @@ index 69cbd06..fb3486f 100644
  
  logging_dontaudit_search_logs(postfix_local_t)
  
-@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
  mta_read_config(postfix_local_t)
@@ -43075,7 +42710,7 @@ index 69cbd06..fb3486f 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -297,6 +333,14 @@ optional_policy(`
+@@ -297,6 +335,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43090,7 +42725,7 @@ index 69cbd06..fb3486f 100644
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
-@@ -304,9 +348,22 @@ optional_policy(`
+@@ -304,9 +350,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43113,7 +42748,7 @@ index 69cbd06..fb3486f 100644
  ########################################
  #
  # Postfix map local policy
-@@ -329,7 +386,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -329,7 +388,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -43121,7 +42756,7 @@ index 69cbd06..fb3486f 100644
  corenet_all_recvfrom_netlabel(postfix_map_t)
  corenet_tcp_sendrecv_generic_if(postfix_map_t)
  corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +404,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+@@ -348,7 +406,6 @@ corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
  files_read_usr_files(postfix_map_t)
@@ -43129,7 +42764,7 @@ index 69cbd06..fb3486f 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -379,18 +434,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +436,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -43155,7 +42790,7 @@ index 69cbd06..fb3486f 100644
  allow postfix_pipe_t self:process setrlimit;
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +462,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -43164,7 +42799,7 @@ index 69cbd06..fb3486f 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +483,7 @@ optional_policy(`
+@@ -420,6 +485,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -43172,7 +42807,7 @@ index 69cbd06..fb3486f 100644
  ')
  
  optional_policy(`
-@@ -436,11 +500,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -43190,7 +42825,7 @@ index 69cbd06..fb3486f 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +557,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -43201,7 +42836,7 @@ index 69cbd06..fb3486f 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +589,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -43214,7 +42849,7 @@ index 69cbd06..fb3486f 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +613,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -43225,16 +42860,19 @@ index 69cbd06..fb3486f 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +634,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +636,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
 +rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 +
++# for spampd
++corenet_tcp_connect_spamd_port(postfix_master_t)
++
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
-@@ -565,6 +643,14 @@ optional_policy(`
+@@ -565,6 +648,14 @@ optional_policy(`
  ')
  
  optional_policy(`
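Review bot: The added `corenet_tcp_connect_spamd_port(postfix_master_t)` sits among the `postfix_smtp_t` rules but grants the connect to `postfix_master_t`, so the domain named in the rule does not match the section it was placed in. If the process that hands mail to spampd is the smtp client, the rule would be `corenet_tcp_connect_spamd_port(postfix_smtp_t)` and master would need no outbound access to that port. If master really is the caller, the rule belongs in the master section, next to the `corenet_tcp_bind_spamd_port(postfix_master_t)` that an earlier hunk adds. Either way the `# for spampd` comment should say which Postfix process connects, because a grant on `postfix_master_t` widens the domain that the other Postfix daemons are started from. The surrounding policy section starts and ends outside the hunk.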
@@ -43249,7 +42887,7 @@ index 69cbd06..fb3486f 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -581,17 +667,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +672,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
  corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
  
  # for prng_exch
@@ -43276,7 +42914,7 @@ index 69cbd06..fb3486f 100644
  ')
  
  optional_policy(`
-@@ -599,6 +693,12 @@ optional_policy(`
+@@ -599,6 +698,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43289,7 +42927,7 @@ index 69cbd06..fb3486f 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +711,6 @@ optional_policy(`
+@@ -611,7 +716,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -43297,7 +42935,7 @@ index 69cbd06..fb3486f 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +721,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +726,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
  
@@ -43305,7 +42943,7 @@ index 69cbd06..fb3486f 100644
  files_read_usr_files(postfix_virtual_t)
  
  mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +733,75 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -45053,10 +44691,10 @@ index 2855a44..2f72e9a 100644
 +    allow $1 puppet_var_run_t:dir search_dir_perms;
 +')
 diff --git a/puppet.te b/puppet.te
-index d792d53..0f9c777 100644
+index baa88f6..f683a84 100644
 --- a/puppet.te
 +++ b/puppet.te
-@@ -13,6 +13,13 @@ policy_module(puppet, 1.2.1)
+@@ -13,6 +13,13 @@ policy_module(puppet, 1.3.0)
  ## </desc>
  gen_tunable(puppet_manage_all_files, false)
  
@@ -46012,7 +45650,7 @@ index 268d691..8b40924 100644
 +	domain_entry_file($1, qemu_exec_t)
 +')
 diff --git a/qemu.te b/qemu.te
-index 5014056..9505fce 100644
+index 9681d82..695c857 100644
 --- a/qemu.te
 +++ b/qemu.te
 @@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
@@ -47549,7 +47187,7 @@ index b1a85b5..db0d815 100644
  ## </summary>
  ## <desc>
 diff --git a/raid.te b/raid.te
-index 641f677..1e3cf4c 100644
+index a8a12b7..8543ebf 100644
 --- a/raid.te
 +++ b/raid.te
 @@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -48456,7 +48094,7 @@ index 7dc38d1..808f9c6 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/rgmanager.te b/rgmanager.te
-index 07333db..91ef567 100644
+index 3786c45..70bc902 100644
 --- a/rgmanager.te
 +++ b/rgmanager.te
 @@ -14,9 +14,11 @@ gen_tunable(rgmanager_can_network_connect, false)
@@ -50060,7 +49698,7 @@ index 63e78c6..fdd8228 100644
  		type rlogind_home_t;
  	')
 diff --git a/rlogin.te b/rlogin.te
-index d654552..998463f 100644
+index 16304ec..864f4b4 100644
 --- a/rlogin.te
 +++ b/rlogin.te
 @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -50454,10 +50092,10 @@ index dddabcf..90b3b52 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/rpc.te b/rpc.te
-index 19bb611..2719eee 100644
+index 330d01f..b80dad2 100644
 --- a/rpc.te
 +++ b/rpc.te
-@@ -10,7 +10,7 @@ policy_module(rpc, 1.13.1)
+@@ -10,7 +10,7 @@ policy_module(rpc, 1.14.0)
  ## Allow gssd to read temp directory.  For access to kerberos tgt.
  ## </p>
  ## </desc>
@@ -50785,20 +50423,18 @@ index a63e9ee..b4e1f32 100644
 +	nis_use_ypbind(rpcbind_t)
 +')
 diff --git a/rpm.fc b/rpm.fc
-index b206bf6..3d5caa1 100644
+index b2a0b6a..6167fe8 100644
 --- a/rpm.fc
 +++ b/rpm.fc
-@@ -6,7 +6,9 @@
+@@ -6,6 +6,7 @@
  /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/zif 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
-+/usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
- /usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -19,23 +21,31 @@
+@@ -20,12 +21,18 @@
  /usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  ifdef(`distro_redhat', `
@@ -50816,10 +50452,8 @@ index b206bf6..3d5caa1 100644
 +/usr/bin/apt-shell		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
  
-+/var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
- /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
- 
- /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+ /var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
+@@ -36,9 +43,10 @@ ifdef(`distro_redhat', `
  /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
  
@@ -51038,11 +50672,11 @@ index 951d8f6..8ba0f86 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/rpm.te b/rpm.te
-index 1f95a33..31d9991 100644
+index 60149a5..aa590f5 100644
 --- a/rpm.te
 +++ b/rpm.te
 @@ -1,12 +1,11 @@
- policy_module(rpm, 1.14.1)
+ policy_module(rpm, 1.15.0)
  
 +attribute rpm_transition_domain;
 +
@@ -51503,10 +51137,10 @@ index 3386f29..8d8f6c5 100644
 +	files_etc_filetrans($1, rsync_etc_t, $2)
 +')
 diff --git a/rsync.te b/rsync.te
-index ba98794..1158d96 100644
+index 2834d86..d01aa87 100644
 --- a/rsync.te
 +++ b/rsync.te
-@@ -7,6 +7,27 @@ policy_module(rsync, 1.11.1)
+@@ -7,6 +7,27 @@ policy_module(rsync, 1.12.0)
  
  ## <desc>
  ## <p>
@@ -52080,10 +51714,10 @@ index 82cb169..987239e 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index fc22785..0a93fed 100644
+index 905883f..564240d 100644
 --- a/samba.te
 +++ b/samba.te
-@@ -12,7 +12,7 @@ policy_module(samba, 1.14.1)
+@@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
  ## public_content_rw_t.
  ## </p>
  ## </desc>
@@ -52145,7 +51779,7 @@ index fc22785..0a93fed 100644
  files_read_usr_symlinks(samba_net_t)
  
  auth_use_nsswitch(samba_net_t)
-@@ -211,26 +218,35 @@ auth_manage_cache(samba_net_t)
+@@ -211,15 +218,18 @@ auth_manage_cache(samba_net_t)
  
  logging_send_syslog_msg(samba_net_t)
  
@@ -52161,15 +51795,15 @@ index fc22785..0a93fed 100644
  userdom_list_user_home_dirs(samba_net_t)
  
  optional_policy(`
+-	ldap_stream_connect(samba_net_t)
 +    ldap_stream_connect(samba_net_t)
 +    dirsrv_stream_connect(samba_net_t)
-+')
-+
-+optional_policy(`
- 	pcscd_read_pub_files(samba_net_t)
  ')
  
  optional_policy(`
+@@ -228,13 +238,15 @@ optional_policy(`
+ 
+ optional_policy(`
  	kerberos_use(samba_net_t)
 +	kerberos_etc_filetrans_keytab(samba_net_t)
  ')
@@ -52184,7 +51818,7 @@ index fc22785..0a93fed 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -249,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -253,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow smbd_t nmbd_t:process { signal signull };
  
  allow smbd_t nmbd_var_run_t:file rw_file_perms;
@@ -52192,7 +51826,7 @@ index fc22785..0a93fed 100644
  
  allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
-@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -267,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -52207,7 +51841,7 @@ index fc22785..0a93fed 100644
  
  allow smbd_t smbcontrol_t:process { signal signull };
  
-@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -283,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -52216,7 +51850,7 @@ index fc22785..0a93fed 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -298,7 +316,6 @@ kernel_read_system_state(smbd_t)
+@@ -302,7 +316,6 @@ kernel_read_system_state(smbd_t)
  corecmd_exec_shell(smbd_t)
  corecmd_exec_bin(smbd_t)
  
@@ -52224,7 +51858,7 @@ index fc22785..0a93fed 100644
  corenet_all_recvfrom_netlabel(smbd_t)
  corenet_tcp_sendrecv_generic_if(smbd_t)
  corenet_udp_sendrecv_generic_if(smbd_t)
-@@ -316,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+@@ -320,6 +333,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
  
  dev_read_sysfs(smbd_t)
  dev_read_urand(smbd_t)
@@ -52232,7 +51866,7 @@ index fc22785..0a93fed 100644
  dev_getattr_mtrr_dev(smbd_t)
  dev_dontaudit_getattr_usbfs_dirs(smbd_t)
  # For redhat bug 566984
-@@ -323,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -327,26 +341,29 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -52263,7 +51897,7 @@ index fc22785..0a93fed 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -354,6 +375,8 @@ logging_send_syslog_msg(smbd_t)
+@@ -358,6 +375,8 @@ logging_send_syslog_msg(smbd_t)
  miscfiles_read_localization(smbd_t)
  miscfiles_read_public_files(smbd_t)
  
@@ -52272,7 +51906,7 @@ index fc22785..0a93fed 100644
  userdom_use_unpriv_users_fds(smbd_t)
  userdom_search_user_home_content(smbd_t)
  userdom_signal_all_users(smbd_t)
-@@ -368,8 +391,13 @@ ifdef(`hide_broken_symptoms', `
+@@ -372,8 +391,13 @@ ifdef(`hide_broken_symptoms', `
  	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
  ')
  
@@ -52287,7 +51921,7 @@ index fc22785..0a93fed 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -385,12 +413,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -389,12 +413,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -52301,7 +51935,7 @@ index fc22785..0a93fed 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -411,6 +434,15 @@ tunable_policy(`samba_share_fusefs',`
+@@ -415,6 +434,15 @@ tunable_policy(`samba_share_fusefs',`
  ')
  
  optional_policy(`
@@ -52317,19 +51951,15 @@ index fc22785..0a93fed 100644
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
  ')
-@@ -421,6 +453,11 @@ optional_policy(`
- ')
+@@ -426,6 +454,7 @@ optional_policy(`
  
  optional_policy(`
-+	ldap_stream_connect(smbd_t)
+ 	ldap_stream_connect(smbd_t)
 +	dirsrv_stream_connect(smbd_t)
-+')
-+
-+optional_policy(`
- 	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -444,26 +481,26 @@ optional_policy(`
+ optional_policy(`
+@@ -452,26 +481,26 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -52368,7 +51998,7 @@ index fc22785..0a93fed 100644
  ########################################
  #
  # nmbd Local policy
-@@ -483,8 +520,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -491,8 +520,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -52381,7 +52011,7 @@ index fc22785..0a93fed 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -496,8 +536,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+@@ -504,8 +536,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
  
  allow nmbd_t smbcontrol_t:process signal;
  
@@ -52390,7 +52020,7 @@ index fc22785..0a93fed 100644
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
  kernel_read_kernel_sysctls(nmbd_t)
-@@ -505,7 +543,6 @@ kernel_read_network_state(nmbd_t)
+@@ -513,7 +543,6 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -52398,7 +52028,7 @@ index fc22785..0a93fed 100644
  corenet_all_recvfrom_netlabel(nmbd_t)
  corenet_tcp_sendrecv_generic_if(nmbd_t)
  corenet_udp_sendrecv_generic_if(nmbd_t)
-@@ -528,7 +565,6 @@ fs_search_auto_mountpoints(nmbd_t)
+@@ -536,7 +565,6 @@ fs_search_auto_mountpoints(nmbd_t)
  domain_use_interactive_fds(nmbd_t)
  
  files_read_usr_files(nmbd_t)
@@ -52406,7 +52036,7 @@ index fc22785..0a93fed 100644
  files_list_var_lib(nmbd_t)
  
  auth_use_nsswitch(nmbd_t)
-@@ -554,18 +590,21 @@ optional_policy(`
+@@ -562,18 +590,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -52432,7 +52062,7 @@ index fc22785..0a93fed 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -573,11 +612,20 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -581,11 +612,20 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -52455,7 +52085,7 @@ index fc22785..0a93fed 100644
  
  ########################################
  #
-@@ -596,7 +644,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+@@ -604,7 +644,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
  
  can_exec(smbmount_t, smbmount_exec_t)
  
@@ -52464,7 +52094,7 @@ index fc22785..0a93fed 100644
  allow smbmount_t samba_log_t:file manage_file_perms;
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -607,7 +655,6 @@ files_list_var_lib(smbmount_t)
+@@ -615,7 +655,6 @@ files_list_var_lib(smbmount_t)
  
  kernel_read_system_state(smbmount_t)
  
@@ -52472,7 +52102,7 @@ index fc22785..0a93fed 100644
  corenet_all_recvfrom_netlabel(smbmount_t)
  corenet_tcp_sendrecv_generic_if(smbmount_t)
  corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -637,25 +684,26 @@ files_list_mnt(smbmount_t)
+@@ -645,25 +684,26 @@ files_list_mnt(smbmount_t)
  files_mounton_mnt(smbmount_t)
  files_manage_etc_runtime_files(smbmount_t)
  files_etc_filetrans_etc_runtime(smbmount_t, file)
@@ -52503,7 +52133,7 @@ index fc22785..0a93fed 100644
  ########################################
  #
  # SWAT Local policy
-@@ -676,7 +724,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -684,7 +724,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -52513,7 +52143,7 @@ index fc22785..0a93fed 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -691,12 +740,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -699,12 +740,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -52528,7 +52158,7 @@ index fc22785..0a93fed 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -709,6 +760,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -717,6 +760,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -52536,7 +52166,7 @@ index fc22785..0a93fed 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -718,7 +770,6 @@ kernel_read_network_state(swat_t)
+@@ -726,7 +770,6 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -52544,7 +52174,7 @@ index fc22785..0a93fed 100644
  corenet_all_recvfrom_netlabel(swat_t)
  corenet_tcp_sendrecv_generic_if(swat_t)
  corenet_udp_sendrecv_generic_if(swat_t)
-@@ -736,7 +787,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+@@ -744,7 +787,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
  dev_read_urand(swat_t)
  
  files_list_var_lib(swat_t)
@@ -52552,7 +52182,7 @@ index fc22785..0a93fed 100644
  files_search_home(swat_t)
  files_read_usr_files(swat_t)
  fs_getattr_xattr_fs(swat_t)
-@@ -751,8 +801,12 @@ logging_send_syslog_msg(swat_t)
+@@ -759,8 +801,12 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -52565,7 +52195,7 @@ index fc22785..0a93fed 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -782,7 +836,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -790,7 +836,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -52575,7 +52205,7 @@ index fc22785..0a93fed 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -805,21 +860,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -813,21 +860,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -52606,7 +52236,7 @@ index fc22785..0a93fed 100644
  corenet_all_recvfrom_netlabel(winbind_t)
  corenet_tcp_sendrecv_generic_if(winbind_t)
  corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -832,6 +890,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -840,6 +890,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -52614,7 +52244,7 @@ index fc22785..0a93fed 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -847,12 +906,15 @@ auth_manage_cache(winbind_t)
+@@ -855,12 +906,15 @@ auth_manage_cache(winbind_t)
  
  domain_use_interactive_fds(winbind_t)
  
@@ -52631,7 +52261,7 @@ index fc22785..0a93fed 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +925,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,6 +925,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
@@ -52643,7 +52273,7 @@ index fc22785..0a93fed 100644
  	kerberos_use(winbind_t)
  ')
  
-@@ -901,9 +968,10 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -909,9 +968,10 @@ auth_use_nsswitch(winbind_helper_t)
  
  logging_send_syslog_msg(winbind_helper_t)
  
@@ -52656,7 +52286,7 @@ index fc22785..0a93fed 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -921,19 +989,34 @@ optional_policy(`
+@@ -929,19 +989,34 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -52679,14 +52309,14 @@ index fc22785..0a93fed 100644
 +	filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
 +	userdom_use_inherited_user_terminals(samba_unconfined_net_t)
 +')
-+
+ 
 +type samba_unconfined_script_t;
 +type samba_unconfined_script_exec_t;
 +domain_type(samba_unconfined_script_t)
 +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
 +corecmd_shell_entry_type(samba_unconfined_script_t)
 +role system_r types samba_unconfined_script_t;
- 
++
 +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
 +allow smbd_t samba_unconfined_script_exec_t:file ioctl;
 +
@@ -55689,10 +55319,10 @@ index 275f9fb..f1343b7 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 595942d..74c5752 100644
+index 56f074c..e86e037 100644
 --- a/snmp.te
 +++ b/snmp.te
-@@ -4,6 +4,7 @@ policy_module(snmp, 1.12.1)
+@@ -4,6 +4,7 @@ policy_module(snmp, 1.13.0)
  #
  # Declarations
  #
@@ -55886,7 +55516,7 @@ index 94c01b5..f64bd93 100644
  
  ########################################
 diff --git a/sosreport.te b/sosreport.te
-index b66e657..9214bcc 100644
+index c6079a5..6c7b30a 100644
 --- a/sosreport.te
 +++ b/sosreport.te
 @@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
@@ -55988,10 +55618,10 @@ index 3217605..14718f2 100644
  corenet_tcp_sendrecv_generic_if(soundd_t)
  corenet_udp_sendrecv_generic_if(soundd_t)
 diff --git a/spamassassin.fc b/spamassassin.fc
-index 6b3abf9..c1f28eb 100644
+index 6b3abf9..3dfa27b 100644
 --- a/spamassassin.fc
 +++ b/spamassassin.fc
-@@ -1,15 +1,50 @@
+@@ -1,15 +1,53 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -56001,6 +55631,7 @@ index 6b3abf9..c1f28eb 100644
 +/root/\.spamd(/.*)?		gen_context(system_u:object_r:spamc_home_t,s0)
 +
 +/etc/rc\.d/init\.d/spamd	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/spampd    --  gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mimedefang.*	--	gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
  
  /usr/bin/sa-learn	--	gen_context(system_u:object_r:spamc_exec_t,s0)
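Review bot: The three spampd entries (the init script here, `/usr/sbin/spampd` and `/var/spool/spampd(/.*)?` in the next two hunks) reuse spamd's types, so the proxy presumably runs in `spamd_t` and receives every permission that domain holds for SpamAssassin itself. That shortcut is acceptable, but it should be stated, for example with `# spampd shares the spamd domain and types` above the first entry, so that a later change to `spamd_t` is made knowing a second daemon inherits it. The added lines also separate their columns with spaces where the neighbouring entries use tabs; matching the tabs keeps the file contexts aligned.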
@@ -56011,6 +55642,7 @@ index 6b3abf9..c1f28eb 100644
 +/usr/bin/sa-update	--	gen_context(system_u:object_r:spamd_update_exec_t,s0)
  
  /usr/sbin/spamd		--	gen_context(system_u:object_r:spamd_exec_t,s0)
++/usr/sbin/spampd     --  gen_context(system_u:object_r:spamd_exec_t,s0)
 +/usr/bin/mimedefang	--	gen_context(system_u:object_r:spamd_exec_t,s0)
 +/usr/bin/mimedefang-multiplexor --	gen_context(system_u:object_r:spamd_exec_t,s0)
  
@@ -56024,6 +55656,7 @@ index 6b3abf9..c1f28eb 100644
  
  /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
  /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/spampd(/.*)?      gen_context(system_u:object_r:spamd_spool_t,s0)
 +/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 +
@@ -56261,7 +55894,7 @@ index c954f31..82fc7f6 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..13cf9df 100644
+index 1bbf73b..eb40028 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0)
@@ -56644,7 +56277,7 @@ index 1bbf73b..13cf9df 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,16 +415,19 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -310,16 +415,21 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -56658,6 +56291,8 @@ index 1bbf73b..13cf9df 100644
 +manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
 +files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
 +
++read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
++
 +can_exec(spamd_t, spamd_exec_t)
  
  kernel_read_all_sysctls(spamd_t)
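Review bot: The new `read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)` carries no comment and no condition, and it lets the daemon read every file labelled `spamc_home_t`. Elsewhere in this patch that type is put on `HOME_DIR/\.pyzor`, `HOME_DIR/\.spamassassin` and `/root/\.spamd`, and `/usr/sbin/spampd` is labelled `spamd_exec_t`, so the grant presumably reaches the proxy as well. I would add a why-comment such as `# spamd reads per-user settings stored under spamc_home_t` (wording for the author to confirm) and check whether the access should sit behind the module's home-directory boolean, if it has one, rather than being unconditional. The rest of the spamd_t section lies outside the hunk.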
@@ -56667,7 +56302,7 @@ index 1bbf73b..13cf9df 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -356,30 +464,29 @@ corecmd_exec_bin(spamd_t)
+@@ -356,30 +466,32 @@ corecmd_exec_bin(spamd_t)
  domain_use_interactive_fds(spamd_t)
  
  files_read_usr_files(spamd_t)
@@ -56680,6 +56315,9 @@ index 1bbf73b..13cf9df 100644
  
 +auth_use_nsswitch(spamd_t)
 +
++libs_use_ld_so(spamd_t)
++libs_use_shared_libs(spamd_t)
++
  logging_send_syslog_msg(spamd_t)
  
  miscfiles_read_localization(spamd_t)
@@ -56706,7 +56344,7 @@ index 1bbf73b..13cf9df 100644
  ')
  
  optional_policy(`
-@@ -395,7 +502,9 @@ optional_policy(`
+@@ -395,7 +507,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56716,7 +56354,7 @@ index 1bbf73b..13cf9df 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -404,25 +513,17 @@ optional_policy(`
+@@ -404,25 +518,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56744,7 +56382,7 @@ index 1bbf73b..13cf9df 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -433,6 +534,10 @@ optional_policy(`
+@@ -433,6 +539,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -56755,7 +56393,7 @@ index 1bbf73b..13cf9df 100644
  ')
  
  optional_policy(`
-@@ -440,6 +545,7 @@ optional_policy(`
+@@ -440,6 +550,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56763,7 +56401,7 @@ index 1bbf73b..13cf9df 100644
  	sendmail_stub(spamd_t)
  	mta_read_config(spamd_t)
  ')
-@@ -447,3 +553,50 @@ optional_policy(`
+@@ -447,3 +558,50 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -56854,7 +56492,7 @@ index d2496bd..c7614d7 100644
  	init_labeled_script_domtrans($1, squid_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/squid.te b/squid.te
-index d24bd07..25734c5 100644
+index c38de7a..a4aef18 100644
 --- a/squid.te
 +++ b/squid.te
 @@ -29,7 +29,7 @@ type squid_cache_t;
@@ -57110,7 +56748,7 @@ index 941380a..ff89df6 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/sssd.te b/sssd.te
-index 8ffa257..706c52b 100644
+index a1b61bc..1df45e7 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t)
@@ -57212,7 +56850,7 @@ index 8ffa257..706c52b 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -87,4 +113,19 @@ optional_policy(`
+@@ -87,8 +113,17 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
@@ -57222,16 +56860,14 @@ index 8ffa257..706c52b 100644
 +
 +optional_policy(`
 +	dirsrv_stream_connect(sssd_t)
-+')
-+
-+optional_policy(`
-+	ldap_stream_connect(sssd_t)
+ ')
+ 
+ optional_policy(`
+ 	ldap_stream_connect(sssd_t)
  ')
 +
 +userdom_home_reader(sssd_t)
 +
-+
-+
 diff --git a/stapserver.fc b/stapserver.fc
 new file mode 100644
 index 0000000..0ccce59
@@ -57750,7 +57386,7 @@ index 0000000..df04e25
 +sysnet_dns_name_resolve(svnserve_t)
 +
 diff --git a/sxid.te b/sxid.te
-index 32822ab..6b0a5d9 100644
+index 8296303..ae14531 100644
 --- a/sxid.te
 +++ b/sxid.te
 @@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
@@ -57792,7 +57428,7 @@ index 32822ab..6b0a5d9 100644
  optional_policy(`
  	mta_send_mail(sxid_t)
 diff --git a/sysstat.te b/sysstat.te
-index 200ea66..04e4828 100644
+index 0ecd8a7..58f7d76 100644
 --- a/sysstat.te
 +++ b/sysstat.te
 @@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t)
@@ -57917,7 +57553,7 @@ index b07ee19..a275bd6 100644
  HOME_DIR/\.local/share/TpLogger(/.*)?		gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
  
 diff --git a/telepathy.if b/telepathy.if
-index 6bf75ef..d49274d 100644
+index f09171e..18952a8 100644
 --- a/telepathy.if
 +++ b/telepathy.if
 @@ -11,7 +11,6 @@
@@ -57928,20 +57564,19 @@ index 6bf75ef..d49274d 100644
  template(`telepathy_domain_template',`
  	gen_require(`
  		attribute telepathy_domain;
-@@ -20,16 +19,20 @@ template(`telepathy_domain_template',`
+@@ -20,19 +19,19 @@ template(`telepathy_domain_template',`
  
  	type telepathy_$1_t, telepathy_domain;
  	type telepathy_$1_exec_t, telepathy_executable;
 -	userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
 +	application_domain(telepathy_$1_t, telepathy_$1_exec_t)
 +	ubac_constrained(telepathy_$1_t)
-+	auth_use_nsswitch(telepathy_$1_t)
  
  	type telepathy_$1_tmp_t;
--	userdom_user_tmp_file(telepathy_$1_tmp_t)
-+	files_tmp_file(telepathy_$1_tmp_t)
-+	ubac_constrained(telepathy_$1_tmp_t)
-+
+ 	userdom_user_tmp_file(telepathy_$1_tmp_t)
+ 
+ 	auth_use_nsswitch(telepathy_$1_t)
+-
  ')
  
  #######################################
@@ -57953,7 +57588,7 @@ index 6bf75ef..d49274d 100644
  ## </summary>
  ## <param name="user_role">
  ##	<summary>
-@@ -41,8 +44,13 @@ template(`telepathy_domain_template',`
+@@ -44,8 +43,13 @@ template(`telepathy_domain_template',`
  ##	The type of the user domain.
  ##	</summary>
  ## </param>
@@ -57968,7 +57603,7 @@ index 6bf75ef..d49274d 100644
  	gen_require(`
  		attribute telepathy_domain;
  		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -73,6 +81,8 @@ template(`telepathy_role', `
+@@ -76,6 +80,8 @@ template(`telepathy_role', `
  	dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
  	dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
  	dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
@@ -57977,7 +57612,7 @@ index 6bf75ef..d49274d 100644
  ')
  
  ########################################
-@@ -119,11 +129,6 @@ interface(`telepathy_gabble_dbus_chat', `
+@@ -122,11 +128,6 @@ interface(`telepathy_gabble_dbus_chat', `
  ## <summary>
  ##	Read telepathy mission control state.
  ## </summary>
@@ -57989,7 +57624,7 @@ index 6bf75ef..d49274d 100644
  ## <param name="domain">
  ## 	<summary>
  ##	Domain allowed access.
-@@ -163,7 +168,7 @@ interface(`telepathy_msn_stream_connect', `
+@@ -166,7 +167,7 @@ interface(`telepathy_msn_stream_connect', `
  ##	Stream connect to Telepathy Salut
  ## </summary>
  ## <param name="domain">
@@ -57998,7 +57633,7 @@ index 6bf75ef..d49274d 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
-@@ -176,3 +181,111 @@ interface(`telepathy_salut_stream_connect', `
+@@ -179,3 +180,111 @@ interface(`telepathy_salut_stream_connect', `
  	stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
  	files_search_tmp($1)
  ')
@@ -58111,10 +57746,10 @@ index 6bf75ef..d49274d 100644
 +	gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
 +')
 diff --git a/telepathy.te b/telepathy.te
-index ad6a38d..cca6cff 100644
+index 964978b..b75b98c 100644
 --- a/telepathy.te
 +++ b/telepathy.te
-@@ -7,16 +7,16 @@ policy_module(telepathy, 1.2.0)
+@@ -7,16 +7,16 @@ policy_module(telepathy, 1.3.0)
  
  ## <desc>
  ## <p>
@@ -58350,7 +57985,7 @@ index ad6a38d..cca6cff 100644
  corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
  corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
  corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
-@@ -361,14 +400,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,10 +400,14 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
  allow telepathy_domain self:tcp_socket create_socket_perms;
  allow telepathy_domain self:udp_socket create_socket_perms;
  
@@ -58364,12 +57999,8 @@ index ad6a38d..cca6cff 100644
 +fs_getattr_all_fs(telepathy_domain)
  fs_search_auto_mountpoints(telepathy_domain)
  
--auth_use_nsswitch(telepathy_domain)
--
  miscfiles_read_localization(telepathy_domain)
- 
- optional_policy(`
-@@ -376,5 +417,23 @@ optional_policy(`
+@@ -374,5 +417,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58418,7 +58049,7 @@ index 58e7ec0..e4119f7 100644
 +	allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
 +')
 diff --git a/telnet.te b/telnet.te
-index f40e67b..ec3bb78 100644
+index 3858d35..ec3bb78 100644
 --- a/telnet.te
 +++ b/telnet.te
 @@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
@@ -58462,7 +58093,7 @@ index f40e67b..ec3bb78 100644
  files_read_etc_runtime_files(telnetd_t)
  # for identd; cjp: this should probably only be inetd_child rules?
  files_search_home(telnetd_t)
-@@ -81,15 +78,10 @@ miscfiles_read_localization(telnetd_t)
+@@ -81,10 +78,10 @@ miscfiles_read_localization(telnetd_t)
  
  seutil_read_config(telnetd_t)
  
@@ -58470,26 +58101,18 @@ index f40e67b..ec3bb78 100644
 -
  userdom_search_user_home_dirs(telnetd_t)
  userdom_setattr_user_ptys(telnetd_t)
--
--optional_policy(`
--	kerberos_keytab_template(telnetd, telnetd_t)
--	kerberos_manage_host_rcache(telnetd_t)
--')
 +userdom_manage_user_tmp_files(telnetd_t)
 +userdom_tmp_filetrans_user_tmp(telnetd_t, file)
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_nfs(telnetd_t)
-@@ -98,3 +90,13 @@ tunable_policy(`use_nfs_home_dirs',`
- tunable_policy(`use_samba_home_dirs',`
- 	fs_search_cifs(telnetd_t)
- ')
-+
-+optional_policy(`
-+	kerberos_keytab_template(telnetd, telnetd_t)
+@@ -96,5 +93,10 @@ tunable_policy(`use_samba_home_dirs',`
+ 
+ optional_policy(`
+ 	kerberos_keytab_template(telnetd, telnetd_t)
 +	kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
-+	kerberos_manage_host_rcache(telnetd_t)
-+')
+ 	kerberos_manage_host_rcache(telnetd_t)
+ ')
 +
 +optional_policy(`
 +	remotelogin_domtrans(telnetd_t)
@@ -61312,7 +60935,7 @@ index 2124b6a..37e03e4 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/virt.if b/virt.if
-index 7c5d8d8..9883b66 100644
+index 6f0736b..2d43a63 100644
 --- a/virt.if
 +++ b/virt.if
 @@ -13,39 +13,45 @@
@@ -61370,7 +60993,7 @@ index 7c5d8d8..9883b66 100644
  
  	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +63,6 @@ template(`virt_domain_template',`
+@@ -57,20 +63,6 @@ template(`virt_domain_template',`
  	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
  
@@ -61386,10 +61009,12 @@ index 7c5d8d8..9883b66 100644
 -	files_pid_filetrans($1_t, $1_var_run_t, { dir file })
 -	stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
 -
+-	auth_use_nsswitch($1_t)
+-
  	optional_policy(`
  		xserver_rw_shm($1_t)
  	')
-@@ -96,14 +90,32 @@ interface(`virt_image',`
+@@ -98,14 +90,32 @@ interface(`virt_image',`
  	dev_node($1)
  ')
  
@@ -61424,7 +61049,7 @@ index 7c5d8d8..9883b66 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -114,9 +126,45 @@ interface(`virt_domtrans',`
+@@ -116,9 +126,45 @@ interface(`virt_domtrans',`
  	domtrans_pattern($1, virtd_exec_t, virtd_t)
  ')
  
@@ -61471,7 +61096,7 @@ index 7c5d8d8..9883b66 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -164,13 +212,13 @@ interface(`virt_attach_tun_iface',`
+@@ -166,13 +212,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
  	gen_require(`
@@ -61487,7 +61112,7 @@ index 7c5d8d8..9883b66 100644
  ')
  
  ########################################
-@@ -185,13 +233,13 @@ interface(`virt_read_config',`
+@@ -187,13 +233,13 @@ interface(`virt_read_config',`
  #
  interface(`virt_manage_config',`
  	gen_require(`
@@ -61503,7 +61128,7 @@ index 7c5d8d8..9883b66 100644
  ')
  
  ########################################
-@@ -231,6 +279,24 @@ interface(`virt_read_content',`
+@@ -233,6 +279,24 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -61528,7 +61153,7 @@ index 7c5d8d8..9883b66 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -250,6 +316,28 @@ interface(`virt_read_pid_files',`
+@@ -252,6 +316,28 @@ interface(`virt_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -61557,7 +61182,7 @@ index 7c5d8d8..9883b66 100644
  ##	Manage virt pid files.
  ## </summary>
  ## <param name="domain">
-@@ -261,10 +349,42 @@ interface(`virt_read_pid_files',`
+@@ -263,10 +349,42 @@ interface(`virt_read_pid_files',`
  interface(`virt_manage_pid_files',`
  	gen_require(`
  		type virt_var_run_t;
@@ -61600,7 +61225,7 @@ index 7c5d8d8..9883b66 100644
  ')
  
  ########################################
-@@ -308,6 +428,24 @@ interface(`virt_read_lib_files',`
+@@ -310,6 +428,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -61625,7 +61250,7 @@ index 7c5d8d8..9883b66 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +490,9 @@ interface(`virt_read_log',`
+@@ -354,9 +490,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -61637,7 +61262,7 @@ index 7c5d8d8..9883b66 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -388,6 +526,25 @@ interface(`virt_manage_log',`
+@@ -390,6 +526,25 @@ interface(`virt_manage_log',`
  
  ########################################
  ## <summary>
@@ -61663,7 +61288,7 @@ index 7c5d8d8..9883b66 100644
  ##	Allow domain to read virt image files
  ## </summary>
  ## <param name="domain">
-@@ -408,6 +565,7 @@ interface(`virt_read_images',`
+@@ -410,6 +565,7 @@ interface(`virt_read_images',`
  	read_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	read_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -61671,7 +61296,7 @@ index 7c5d8d8..9883b66 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_list_nfs($1)
-@@ -424,6 +582,24 @@ interface(`virt_read_images',`
+@@ -426,6 +582,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -61696,7 +61321,7 @@ index 7c5d8d8..9883b66 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +609,15 @@ interface(`virt_read_images',`
+@@ -435,15 +609,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -61717,7 +61342,7 @@ index 7c5d8d8..9883b66 100644
  ')
  
  ########################################
-@@ -466,6 +642,7 @@ interface(`virt_manage_images',`
+@@ -468,6 +642,7 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -61725,7 +61350,7 @@ index 7c5d8d8..9883b66 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_manage_nfs_dirs($1)
-@@ -500,10 +677,19 @@ interface(`virt_manage_images',`
+@@ -502,10 +677,19 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -61746,7 +61371,7 @@ index 7c5d8d8..9883b66 100644
  
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -515,4 +701,248 @@ interface(`virt_admin',`
+@@ -517,4 +701,278 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -61776,10 +61401,12 @@ index 7c5d8d8..9883b66 100644
 +interface(`virt_transition_svirt',`
 +	gen_require(`
 +		type svirt_t;
++		type virt_bridgehelper_t;
 +	')
 +
 +	allow $1 svirt_t:process transition;
 +	role $2 types svirt_t;
++	role $2 types virt_bridgehelper_t;
 +
 +	optional_policy(`
 +		ptchown_run(svirt_t, $2)
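Review bot: The added `role $2 types virt_bridgehelper_t;` in `virt_transition_svirt` widens what the caller's role may run, but nothing beside it says why, and the only transition rule visible in this hunk is `allow $1 svirt_t:process transition;`. A reader auditing role-to-type authorizations cannot tell from here how a process reaches `virt_bridgehelper_t`. I would put a comment directly above the new line, for example `# bridge helper is started from svirt_t and keeps the caller's role`, if that is the actual reason. The interface's `## <summary>` lies outside this hunk and presumably still describes only the svirt domain, so it should mention the helper type as well.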
@@ -61994,12 +61621,40 @@ index 7c5d8d8..9883b66 100644
 +	')
 +
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
++')
++
++########################################
++## <summary>
++##	Execute qemu in the svirt domain, and
++##	allow the specified role the svirt domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the sandbox domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`virt_transition_svirt_lxc',`
++	gen_require(`
++		attribute svirt_lxc_domain;
++	')
++
++	allow $1 svirt_lxc_domain:process transition;
++	role $2 types svirt_lxc_domain;
++
++	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index ad3068a..dcde4ba 100644
+index 947bbc6..b9f5601 100644
 --- a/virt.te
 +++ b/virt.te
-@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
+@@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
  # Declarations
  #
  
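Review bot: The doc header of the new `virt_transition_svirt_lxc` interface appears to be copied from `virt_transition_svirt`: it says "Execute qemu in the svirt domain" and "allow the specified role the svirt domain", while the rules below it reference only the `svirt_lxc_domain` attribute. Since `allow $1 svirt_lxc_domain:process transition;` and `role $2 types svirt_lxc_domain;` apply to every type carrying that attribute, the summary should state that scope, e.g. `##	Allow the specified domain to transition to any svirt_lxc domain,` / `##	and allow the specified role those domains.`. The role parameter text ("the sandbox domain") should name the same thing, and the final `allow svirt_lxc_domain $1:process sigchld;` would read better with a short comment that it lets the container process signal its parent on exit.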
@@ -62061,15 +61716,15 @@ index ad3068a..dcde4ba 100644
 +gen_tunable(virt_use_sanlock, false)
 +
 +## <desc>
-+## <p>
+ ## <p>
+-## Allow virt to use usb devices
 +## Allow confined virtual guests to interact with the xserver
 +## </p>
 +## </desc>
 +gen_tunable(virt_use_xserver, false)
 +
 +## <desc>
- ## <p>
--## Allow virt to use usb devices
++## <p>
 +## Allow confined virtual guests to use usb devices
  ## </p>
  ## </desc>
@@ -62617,7 +62272,7 @@ index ad3068a..dcde4ba 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -449,25 +662,441 @@ files_search_all(virt_domain)
+@@ -449,8 +662,16 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -62625,20 +62280,17 @@ index ad3068a..dcde4ba 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
  term_use_ptmx(virt_domain)
- 
--auth_use_nsswitch(virt_domain)
--
- logging_send_syslog_msg(virt_domain)
+@@ -459,13 +680,447 @@ logging_send_syslog_msg(virt_domain)
  
  miscfiles_read_localization(virt_domain)
  
@@ -62671,7 +62323,7 @@ index ad3068a..dcde4ba 100644
 +typealias virsh_t alias xm_t;
 +typealias virsh_exec_t alias xm_exec_t;
 +
-+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config };
++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
 +allow virsh_t self:process { getcap getsched setsched setcap signal };
 +allow virsh_t self:fifo_file rw_fifo_file_perms;
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -62683,6 +62335,14 @@ index ad3068a..dcde4ba 100644
 +manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
 +
++manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
++virt_transition_svirt_lxc(virsh_t, system_r)
++
 +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
 +
 +kernel_read_system_state(virsh_t)
@@ -62704,8 +62364,10 @@ index ad3068a..dcde4ba 100644
 +dev_read_sysfs(virsh_t)
 +
 +files_read_etc_runtime_files(virsh_t)
++files_read_etc_files(virsh_t)
 +files_read_usr_files(virsh_t)
 +files_list_mnt(virsh_t)
++files_list_tmp(virsh_t)
 +# Some common macros (you might be able to remove some)
 +
 +fs_getattr_all_fs(virsh_t)
@@ -62728,6 +62390,14 @@ index ad3068a..dcde4ba 100644
 +sysnet_dns_name_resolve(virsh_t)
 +
 +optional_policy(`
++	cron_system_entry(virsh_t, virsh_exec_t)
++')
++
++optional_policy(`
++	rpm_exec(virsh_t)
++')
++
++optional_policy(`
 +	xen_manage_image_dirs(virsh_t)
 +	xen_append_log(virsh_t)
 +	xen_domtrans(virsh_t)
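Review bot: The two new optional blocks, `cron_system_entry(virsh_t, virsh_exec_t)` and `rpm_exec(virsh_t)`, carry no rationale, and both enlarge how `virsh_t` is reached and what runs inside it. Going by refpolicy naming, an `_exec` interface runs the binary without a domain transition, so rpm would execute with `virsh_t`'s own permissions, which include `dac_override` per the `allow virsh_t self:capability` line earlier in this file; that reading should be confirmed against the rpm module. I would add a one-line comment in each block naming the caller that needs it, e.g. `# <script or service that invokes rpm from virsh_t>`. If only package queries are needed, check whether a read-only interface such as `rpm_read_db`, which this policy already uses for `svirt_lxc_net_t`, is enough.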
@@ -62776,7 +62446,7 @@ index ad3068a..dcde4ba 100644
 +#
 +# virt_lxc local policy
 +#
-+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_resource };
++allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
 +allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
 +allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
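Review bot: `sys_boot` is added to the `allow virtd_lxc_t self:capability` set without a comment, on a domain that already holds `sys_admin`, `net_admin` and `dac_override`. Capability additions are what an auditor looks at first, so the reason should sit next to the rule, e.g. `# sys_boot: <operation in the LXC driver that requires it>`. The same applies to `sys_nice`, added to `virsh_t` in the `@@ -62671,7 +62323,7 @@` hunk, where the existing `setsched` permission suggests the motive but does not state it.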
@@ -62807,9 +62477,8 @@ index ad3068a..dcde4ba 100644
 +
 +storage_manage_fixed_disk(virtd_lxc_t)
 +
++kernel_read_all_sysctls(virtd_lxc_t)
 +kernel_read_network_state(virtd_lxc_t)
-+kernel_search_network_sysctl(virtd_lxc_t)
-+kernel_read_sysctl(virtd_lxc_t)
 +kernel_read_system_state(virtd_lxc_t)
 +
 +corecmd_exec_bin(virtd_lxc_t)
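Review bot: Replacing `kernel_search_network_sysctl(virtd_lxc_t)` and `kernel_read_sysctl(virtd_lxc_t)` with `kernel_read_all_sysctls(virtd_lxc_t)` goes from network and generic sysctls to, judging by the interface name, read access on every sysctl type. If the driver only needs kernel and network values, listing those interfaces explicitly keeps the grant reviewable, for example `kernel_read_kernel_sysctls(virtd_lxc_t)` next to the existing network line. If the broad form is really required, a comment naming the sysctl that triggered the denial would justify it.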
@@ -63001,6 +62670,13 @@ index ad3068a..dcde4ba 100644
 +
 +rpm_read_db(svirt_lxc_net_t)
 +
++userdom_use_inherited_user_ptys(svirt_lxc_net_t)
++
++fs_mount_cgroup(svirt_lxc_net_t)
++fs_manage_cgroup_dirs(svirt_lxc_net_t)
++fs_manage_cgroup_files(svirt_lxc_net_t)
++
++
 +#######################################
 +#
 +# svirt_prot_exec local policy
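Review bot: The added `fs_mount_cgroup`, `fs_manage_cgroup_dirs` and `fs_manage_cgroup_files` calls are granted to `svirt_lxc_net_t`, the confined container domain, so by their names they let processes inside the container mount a cgroup filesystem and create or modify cgroup entries. Cgroups carry the resource limits the host places on the container, so these rules should either be explained or scoped. At minimum I would add a comment above them such as `# <workload, e.g. an init system in the container, that needs its own cgroup tree>`, and consider whether they belong behind a boolean rather than in the base container policy. The hunk also adds two consecutive blank lines before the `svirt_prot_exec` banner, where one would match the rest of the file.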
@@ -63073,7 +62749,7 @@ index 2511093..9e5625e 100644
 -userdom_use_user_terminals(vlock_t)
 +userdom_use_inherited_user_terminals(vlock_t)
 diff --git a/vmware.te b/vmware.te
-index f21389b..b8ed066 100644
+index 7d334c4..ac07e8b 100644
 --- a/vmware.te
 +++ b/vmware.te
 @@ -68,7 +68,7 @@ ifdef(`enable_mcs',`
@@ -63978,10 +63654,10 @@ index 77d41b6..cc73c96 100644
  
  	files_search_pids($1)
 diff --git a/xen.te b/xen.te
-index d995c70..a9a273a 100644
+index 07033bb..7d53822 100644
 --- a/xen.te
 +++ b/xen.te
-@@ -4,6 +4,7 @@ policy_module(xen, 1.11.1)
+@@ -4,6 +4,7 @@ policy_module(xen, 1.12.0)
  #
  # Declarations
  #
@@ -64779,7 +64455,7 @@ index 21ae664..cb3a098 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/zarafa.te b/zarafa.te
-index 9fb4747..3879499 100644
+index 91267bc..5bce06b 100644
 --- a/zarafa.te
 +++ b/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -64793,7 +64469,7 @@ index 9fb4747..3879499 100644
  zarafa_domain_template(monitor)
  zarafa_domain_template(server)
  
-@@ -49,7 +53,6 @@ files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
+@@ -51,7 +55,6 @@ auth_use_nsswitch(zarafa_deliver_t)
  allow zarafa_gateway_t self:capability { chown kill };
  allow zarafa_gateway_t self:process setrlimit;
  
@@ -64801,10 +64477,11 @@ index 9fb4747..3879499 100644
  corenet_all_recvfrom_netlabel(zarafa_gateway_t)
  corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
  corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
-@@ -57,6 +60,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -59,7 +62,22 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
  corenet_tcp_bind_generic_node(zarafa_gateway_t)
  corenet_tcp_bind_pop_port(zarafa_gateway_t)
  
+-auth_use_nsswitch(zarafa_gateway_t)
 +######################################
 +#
 +# zarafa-indexer local policy
@@ -64820,10 +64497,11 @@ index 9fb4747..3879499 100644
 +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +
++auth_use_nsswitch(zarafa_indexer_t)
+ 
  #######################################
  #
- # zarafa-ical local policy
-@@ -64,7 +82,6 @@ corenet_tcp_bind_pop_port(zarafa_gateway_t)
+@@ -68,7 +86,6 @@ auth_use_nsswitch(zarafa_gateway_t)
  
  allow zarafa_ical_t self:capability chown;
  
@@ -64831,7 +64509,7 @@ index 9fb4747..3879499 100644
  corenet_all_recvfrom_netlabel(zarafa_ical_t)
  corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
  corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
-@@ -93,11 +110,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+@@ -101,11 +118,11 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
  
  manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
  manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
@@ -64845,15 +64523,7 @@ index 9fb4747..3879499 100644
  corenet_all_recvfrom_netlabel(zarafa_server_t)
  corenet_tcp_sendrecv_generic_if(zarafa_server_t)
  corenet_tcp_sendrecv_generic_node(zarafa_server_t)
-@@ -107,7 +124,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
- 
- files_read_usr_files(zarafa_server_t)
- 
--logging_send_syslog_msg(zarafa_server_t)
- logging_send_audit_msgs(zarafa_server_t)
- 
- sysnet_dns_name_resolve(zarafa_server_t)
-@@ -129,7 +145,6 @@ allow zarafa_spooler_t self:capability { chown kill };
+@@ -139,7 +156,6 @@ allow zarafa_spooler_t self:capability { chown kill };
  
  can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
  
@@ -64861,40 +64531,7 @@ index 9fb4747..3879499 100644
  corenet_all_recvfrom_netlabel(zarafa_spooler_t)
  corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
  corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
-@@ -138,6 +153,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
- 
- ########################################
- #
-+# zarafa_gateway local policy
-+#
-+
-+allow zarafa_gateway_t self:capability { chown kill };
-+allow zarafa_gateway_t self:process setrlimit;
-+
-+corenet_tcp_bind_pop_port(zarafa_gateway_t)
-+
-+#######################################
-+#
-+# zarafa-ical local policy
-+#
-+
-+allow zarafa_ical_t self:capability chown;
-+
-+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
-+
-+######################################
-+#
-+# zarafa-monitor local policy
-+#
-+
-+allow zarafa_monitor_t self:capability chown;
-+
-+########################################
-+#
- # zarafa domains local policy
- #
- 
-@@ -152,10 +193,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+@@ -164,8 +180,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
  
  read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
  
@@ -64905,9 +64542,8 @@ index 9fb4747..3879499 100644
  
  files_read_etc_files(zarafa_domain)
  
--auth_use_nsswitch(zarafa_domain)
 +logging_send_syslog_msg(zarafa_domain)
- 
++
  miscfiles_read_localization(zarafa_domain)
 diff --git a/zebra.if b/zebra.if
 index 6b87605..ef64e73 100644
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8400726..c0b2f08 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -18,8 +18,8 @@
 %define CHECKPOLICYVER 2.1.10-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.11.0
-Release: 15%{?dist}
+Version: 3.11.1
+Release: 0%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Thu Aug 2 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-0
+- Update to upstream
+
 * Mon Jul 30 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.0-15
 - More fixes for systemd to make rawhide booting from Dan Walsh
 
diff --git a/sources b/sources
index 7c0230c..955e429 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-468f5688ae2b0c2c185d094c930957e0  serefpolicy-contrib-3.11.0.tgz
-766a3bb5686bc8b585f73935a2e39b1e  serefpolicy-3.11.0.tgz
 dbea318af516689d48155ba4677b5303  config.tgz
+ee1c09715a7b04a16aa2e7004703b72a  serefpolicy-3.11.1.tgz
+8637c3e6add4e83a882c5cea26625257  serefpolicy-contrib-3.11.1.tgz