diff --git a/policy-F16.patch b/policy-F16.patch
index 791b917..93056ad 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -264,6 +264,30 @@ index e66c296..993a1e9 100644
 +
 +	dontaudit $1 acct_data_t:dir list_dir_perms;	
 +')
+diff --git a/policy/modules/admin/acct.te b/policy/modules/admin/acct.te
+index 63ef90e..a535b31 100644
+--- a/policy/modules/admin/acct.te
++++ b/policy/modules/admin/acct.te
+@@ -55,6 +55,8 @@ files_list_usr(acct_t)
+ # for nscd
+ files_dontaudit_search_pids(acct_t)
+ 
++auth_use_nsswitch(acct_t)
++
+ init_use_fds(acct_t)
+ init_use_script_ptys(acct_t)
+ init_exec_script_files(acct_t)
+@@ -77,10 +79,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(acct_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(acct_t)
+ ')
+ 
 diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
 index e3e0701..3fd0282 100644
 --- a/policy/modules/admin/amanda.fc
@@ -422,7 +446,7 @@ index 63eb96b..17a9f6d 100644
  ## <summary>
  ##	Execute bootloader interactively and do
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..eeb1b1a 100644
+index d3da8f2..559bc9b 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
 @@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -434,7 +458,14 @@ index d3da8f2..eeb1b1a 100644
  
  #
  # The temp file is used for initrd creation;
-@@ -121,13 +121,11 @@ logging_rw_generic_logs(bootloader_t)
+@@ -116,18 +116,18 @@ init_rw_script_pipes(bootloader_t)
+ libs_read_lib_files(bootloader_t)
+ libs_exec_lib_files(bootloader_t)
+ 
++auth_use_nsswitch(bootloader_t)
++
+ logging_send_syslog_msg(bootloader_t)
+ logging_rw_generic_logs(bootloader_t)
  
  miscfiles_read_localization(bootloader_t)
  
@@ -449,7 +480,7 @@ index d3da8f2..eeb1b1a 100644
  userdom_dontaudit_search_user_home_dirs(bootloader_t)
  
  ifdef(`distro_debian',`
-@@ -162,12 +160,18 @@ ifdef(`distro_redhat',`
+@@ -162,12 +162,18 @@ ifdef(`distro_redhat',`
  	files_manage_isid_type_blk_files(bootloader_t)
  	files_manage_isid_type_chr_files(bootloader_t)
  
@@ -472,10 +503,14 @@ index d3da8f2..eeb1b1a 100644
  ')
  
  optional_policy(`
-@@ -197,6 +201,7 @@ optional_policy(`
+@@ -197,10 +203,7 @@ optional_policy(`
  	modutils_exec_insmod(bootloader_t)
  	modutils_exec_depmod(bootloader_t)
  	modutils_exec_update_mods(bootloader_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(bootloader_t)
 +	modutils_domtrans_insmod_uncond(bootloader_t)
  ')
  
@@ -528,6 +563,21 @@ index 6b02433..1e28e62 100644
  
  optional_policy(`
  	apache_exec_modules(certwatch_t)
+diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
+index 0f57d3b..655d07f 100644
+--- a/policy/modules/admin/consoletype.if
++++ b/policy/modules/admin/consoletype.if
+@@ -19,10 +19,6 @@ interface(`consoletype_domtrans',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, consoletype_exec_t, consoletype_t)
+-
+-	ifdef(`hide_broken_symptoms', `
+-		dontaudit consoletype_t $1:socket_class_set { read write };
+-	')
+ ')
+ 
+ ########################################
 diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
 index cd5e005..50e9ee4 100644
 --- a/policy/modules/admin/consoletype.te
@@ -890,7 +940,7 @@ index 9dd6880..4b7fa27 100644
  
  optional_policy(`
 diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
-index 4f7bd3c..b5c346f 100644
+index 4f7bd3c..6c420a4 100644
 --- a/policy/modules/admin/kudzu.te
 +++ b/policy/modules/admin/kudzu.te
 @@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t)
@@ -910,22 +960,20 @@ index 4f7bd3c..b5c346f 100644
  userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
  userdom_search_user_home_dirs(kudzu_t)
  
-@@ -128,6 +123,14 @@ optional_policy(`
+@@ -128,7 +123,11 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	nscd_socket_use(kudzu_t)
 +	modutils_read_module_config(kudzu_t)
 +	modutils_read_module_deps(kudzu_t)
 +	modutils_rename_module_config(kudzu_t)
 +	modutils_delete_module_config(kudzu_t)
 +	modutils_domtrans_insmod(kudzu_t)
-+')
-+
-+optional_policy(`
- 	nscd_socket_use(kudzu_t)
  ')
  
-@@ -141,5 +144,5 @@ optional_policy(`
+ optional_policy(`
+@@ -141,5 +140,5 @@ optional_policy(`
  
  optional_policy(`
  	unconfined_domtrans(kudzu_t)
@@ -1559,6 +1607,18 @@ index 7f1d18e..a68d519 100644
  userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
  
  ifdef(`hide_broken_symptoms',`
+diff --git a/policy/modules/admin/prelink.if b/policy/modules/admin/prelink.if
+index 93ec175..0e42018 100644
+--- a/policy/modules/admin/prelink.if
++++ b/policy/modules/admin/prelink.if
+@@ -19,7 +19,6 @@ interface(`prelink_domtrans',`
+ 	domtrans_pattern($1, prelink_exec_t, prelink_t)
+ 
+ 	ifdef(`hide_broken_symptoms', `
+-		dontaudit prelink_t $1:socket_class_set { read write };
+ 		dontaudit prelink_t $1:fifo_file setattr;
+ 	')
+ ')
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
 index af55369..5ede07b 100644
 --- a/policy/modules/admin/prelink.te
@@ -2109,7 +2169,7 @@ index d33daa8..8ba0f86 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..0b100a8 100644
+index 47a8f7d..fdbf07c 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
@@ -2171,6 +2231,17 @@ index 47a8f7d..0b100a8 100644
  
  fs_getattr_all_dirs(rpm_t)
  fs_list_inotifyfs(rpm_t)
+@@ -154,8 +172,8 @@ storage_raw_read_fixed_disk(rpm_t)
+ 
+ term_list_ptys(rpm_t)
+ 
+-auth_relabel_all_files_except_shadow(rpm_t)
+-auth_manage_all_files_except_shadow(rpm_t)
++files_relabel_all_files(rpm_t)
++files_manage_all_files(rpm_t)
+ auth_dontaudit_read_shadow(rpm_t)
+ auth_use_nsswitch(rpm_t)
+ 
 @@ -173,11 +191,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
  domain_dontaudit_getattr_all_raw_sockets(rpm_t)
  domain_dontaudit_getattr_all_stream_sockets(rpm_t)
@@ -2219,7 +2290,7 @@ index 47a8f7d..0b100a8 100644
  kernel_read_software_raid_state(rpm_script_t)
  
  dev_list_sysfs(rpm_script_t)
-@@ -299,7 +321,7 @@ storage_raw_write_fixed_disk(rpm_script_t)
+@@ -299,15 +321,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
  
  term_getattr_unallocated_ttys(rpm_script_t)
  term_list_ptys(rpm_script_t)
@@ -2228,8 +2299,11 @@ index 47a8f7d..0b100a8 100644
  
  auth_dontaudit_getattr_shadow(rpm_script_t)
  auth_use_nsswitch(rpm_script_t)
-@@ -308,6 +330,8 @@ auth_manage_all_files_except_shadow(rpm_script_t)
- auth_relabel_shadow(rpm_script_t)
+ # ideally we would not need this
+-auth_manage_all_files_except_shadow(rpm_script_t)
+-auth_relabel_shadow(rpm_script_t)
++files_manage_all_files(rpm_script_t)
++files_relabel_all_files(rpm_script_t)
  
  corecmd_exec_all_executables(rpm_script_t)
 +can_exec(rpm_script_t, rpm_script_tmp_t)
@@ -2436,10 +2510,10 @@ index 95bce88..d1edd79 100644
  optional_policy(`
  	hostname_exec(shorewall_t)
 diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
-index d0604cf..3089f30 100644
+index d0604cf..15311b4 100644
 --- a/policy/modules/admin/shutdown.if
 +++ b/policy/modules/admin/shutdown.if
-@@ -18,9 +18,13 @@ interface(`shutdown_domtrans',`
+@@ -18,9 +18,12 @@ interface(`shutdown_domtrans',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, shutdown_exec_t, shutdown_t)
  
@@ -2448,13 +2522,13 @@ index d0604cf..3089f30 100644
 +	')
 +
  	ifdef(`hide_broken_symptoms', `
- 		dontaudit shutdown_t $1:socket_class_set { read write };
+-		dontaudit shutdown_t $1:socket_class_set { read write };
 -		dontaudit shutdown_t $1:fifo_file { read write };
 +		dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
  	')
  ')
  
-@@ -51,6 +55,73 @@ interface(`shutdown_run',`
+@@ -51,6 +54,73 @@ interface(`shutdown_run',`
  
  ########################################
  ## <summary>
@@ -2661,9 +2735,18 @@ index 94c01b5..f64bd93 100644
  
  ########################################
 diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
-index fe1c377..7660180 100644
+index fe1c377..557e37f 100644
 --- a/policy/modules/admin/sosreport.te
 +++ b/policy/modules/admin/sosreport.te
+@@ -80,7 +80,7 @@ fs_list_inotifyfs(sosreport_t)
+ 
+ # some config files do not have configfile attribute
+ # sosreport needs to read various files on system
+-auth_read_all_files_except_shadow(sosreport_t)
++files_read_non_security_files(sosreport_t)
+ auth_use_nsswitch(sosreport_t)
+ 
+ init_domtrans_script(sosreport_t)
 @@ -92,9 +92,6 @@ logging_send_syslog_msg(sosreport_t)
  
  miscfiles_read_localization(sosreport_t)
@@ -2687,10 +2770,22 @@ index fe1c377..7660180 100644
  ')
  
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 8c5fa3c..1a46f56 100644
+index 8c5fa3c..ce3d33a 100644
 --- a/policy/modules/admin/su.if
 +++ b/policy/modules/admin/su.if
-@@ -210,7 +210,7 @@ template(`su_role_template',`
+@@ -119,11 +119,6 @@ template(`su_restricted_domain_template', `
+ 		userdom_spec_domtrans_unpriv_users($1_su_t)
+ 	')
+ 
+-	ifdef(`hide_broken_symptoms',`
+-		# dontaudit leaked sockets from parent
+-		dontaudit $1_su_t $2:socket_class_set { read write };
+-	')
+-
+ 	optional_policy(`
+ 		cron_read_pipes($1_su_t)
+ 	')
+@@ -210,7 +205,7 @@ template(`su_role_template',`
  
  	auth_domtrans_chk_passwd($1_su_t)
  	auth_dontaudit_read_shadow($1_su_t)
@@ -2699,7 +2794,7 @@ index 8c5fa3c..1a46f56 100644
  	auth_rw_faillog($1_su_t)
  
  	corecmd_search_bin($1_su_t)
-@@ -234,6 +234,7 @@ template(`su_role_template',`
+@@ -234,6 +229,7 @@ template(`su_role_template',`
  
  	userdom_use_user_terminals($1_su_t)
  	userdom_search_user_home_dirs($1_su_t)
@@ -2707,6 +2802,18 @@ index 8c5fa3c..1a46f56 100644
  
  	ifdef(`distro_redhat',`
  		# RHEL5 and possibly newer releases incl. Fedora
+@@ -279,11 +275,6 @@ template(`su_role_template',`
+ 		')
+ 	')
+ 
+-	ifdef(`hide_broken_symptoms',`
+-		# dontaudit leaked sockets from parent
+-		dontaudit $1_su_t $3:socket_class_set { read write };
+-	')
+-
+ 	tunable_policy(`allow_polyinstantiation',`
+ 		fs_mount_xattr_fs($1_su_t)
+ 		fs_unmount_xattr_fs($1_su_t)
 diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc
 index 7bddc02..2b59ed0 100644
 --- a/policy/modules/admin/sudo.fc
@@ -2717,7 +2824,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..f220623 100644
+index 975af1a..bcc4481 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
 @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -2781,7 +2888,7 @@ index 975af1a..f220623 100644
  	seutil_libselinux_linked($1_sudo_t)
  
  	userdom_spec_domtrans_all_users($1_sudo_t)
-@@ -135,13 +153,18 @@ template(`sudo_role_template',`
+@@ -135,12 +153,13 @@ template(`sudo_role_template',`
  	userdom_manage_user_tmp_files($1_sudo_t)
  	userdom_manage_user_tmp_symlinks($1_sudo_t)
  	userdom_use_user_terminals($1_sudo_t)
@@ -2792,15 +2899,13 @@ index 975af1a..f220623 100644
 +	userdom_search_admin_dir($1_sudo_t)
 +	userdom_manage_all_users_keys($1_sudo_t)
  
- 	ifdef(`hide_broken_symptoms', `
- 		dontaudit $1_sudo_t $3:socket_class_set { read write };
- 	')
- 
+-	ifdef(`hide_broken_symptoms', `
+-		dontaudit $1_sudo_t $3:socket_class_set { read write };
+-	')
 +	mta_role($2, $1_sudo_t)
-+
+ 
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_sudo_t)
- 	')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
 index 2731fa1..3443ba2 100644
 --- a/policy/modules/admin/sudo.te
@@ -2814,9 +2919,18 @@ index 2731fa1..3443ba2 100644
 +files_type(sudo_db_t)
 +
 diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
-index d5aaf0e..689b2fd 100644
+index d5aaf0e..6b16aef 100644
 --- a/policy/modules/admin/sxid.te
 +++ b/policy/modules/admin/sxid.te
+@@ -66,7 +66,7 @@ fs_list_all(sxid_t)
+ 
+ term_dontaudit_use_console(sxid_t)
+ 
+-auth_read_all_files_except_shadow(sxid_t)
++files_read_non_security_files(sxid_t)
+ auth_dontaudit_getattr_shadow(sxid_t)
+ 
+ init_use_fds(sxid_t)
 @@ -76,13 +76,17 @@ logging_send_syslog_msg(sxid_t)
  
  miscfiles_read_localization(sxid_t)
@@ -2978,6 +3092,33 @@ index d0f2a64..834a56d 100644
  
  # tzdata looks for /var/spool/postfix/etc/localtime.
  optional_policy(`
+diff --git a/policy/modules/admin/updfstab.te b/policy/modules/admin/updfstab.te
+index ef12ed5..2c013c4 100644
+--- a/policy/modules/admin/updfstab.te
++++ b/policy/modules/admin/updfstab.te
+@@ -78,9 +78,8 @@ seutil_read_file_contexts(updfstab_t)
+ userdom_dontaudit_search_user_home_content(updfstab_t)
+ userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
+ 
+-optional_policy(`
+-	auth_domtrans_pam_console(updfstab_t)
+-')
++auth_use_nsswitch(updfstab_t)
++auth_domtrans_pam_console(updfstab_t)
+ 
+ optional_policy(`
+ 	init_dbus_chat_script(updfstab_t)
+@@ -104,10 +103,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(updfstab_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(updfstab_t)
+ ')
+ 
 diff --git a/policy/modules/admin/usbmodules.te b/policy/modules/admin/usbmodules.te
 index 74354da..f04565f 100644
 --- a/policy/modules/admin/usbmodules.te
@@ -3015,13 +3156,30 @@ index c467144..fb794f9 100644
  /usr/sbin/crack_[a-z]*	--	gen_context(system_u:object_r:crack_exec_t,s0)
  /usr/sbin/cracklib-[a-z]* --	gen_context(system_u:object_r:crack_exec_t,s0)
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 81fb26f..adce466 100644
+index 81fb26f..66cf96c 100644
 --- a/policy/modules/admin/usermanage.if
 +++ b/policy/modules/admin/usermanage.if
-@@ -73,6 +73,25 @@ interface(`usermanage_domtrans_groupadd',`
+@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, chfn_exec_t, chfn_t)
+-
+-	ifdef(`hide_broken_symptoms',`
+-		dontaudit chfn_t $1:socket_class_set { read write };
+-	')
+ ')
  
  ########################################
- ## <summary>
+@@ -65,10 +61,25 @@ interface(`usermanage_domtrans_groupadd',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, groupadd_exec_t, groupadd_t)
++')
+ 
+-	ifdef(`hide_broken_symptoms',`
+-		dontaudit groupadd_t $1:socket_class_set { read write };
++########################################
++## <summary>
 +##	Check access to the groupadd executable.
 +## </summary>
 +## <param name="domain">
@@ -3033,18 +3191,25 @@ index 81fb26f..adce466 100644
 +interface(`usermanage_access_check_groupadd',`
 +	gen_require(`
 +		type groupadd_exec_t;
-+	')
+ 	')
 +
 +	corecmd_search_bin($1)
 +	allow $1 groupadd_exec_t:file { getattr_file_perms execute };
-+')
-+
-+########################################
-+## <summary>
- ##	Execute groupadd in the groupadd domain, and
- ##	allow the specified role the groupadd domain.
- ## </summary>
-@@ -170,6 +189,25 @@ interface(`usermanage_run_passwd',`
+ ')
+ 
+ ########################################
+@@ -118,10 +129,6 @@ interface(`usermanage_domtrans_passwd',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, passwd_exec_t, passwd_t)
+-
+-	ifdef(`hide_broken_symptoms',`
+-		dontaudit passwd_t $1:socket_class_set { read write };
+-	')
+ ')
+ 
+ ########################################
+@@ -170,6 +177,25 @@ interface(`usermanage_run_passwd',`
  
  ########################################
  ## <summary>
@@ -3070,7 +3235,18 @@ index 81fb26f..adce466 100644
  ##	Execute password admin functions in
  ##	the admin passwd domain.
  ## </summary>
-@@ -285,6 +323,9 @@ interface(`usermanage_run_useradd',`
+@@ -254,10 +280,6 @@ interface(`usermanage_domtrans_useradd',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, useradd_exec_t, useradd_t)
+-
+-	ifdef(`hide_broken_symptoms',`
+-		dontaudit useradd_t $1:socket_class_set { read write };
+-	')
+ ')
+ 
+ ########################################
+@@ -285,6 +307,9 @@ interface(`usermanage_run_useradd',`
  	usermanage_domtrans_useradd($1)
  	role $2 types useradd_t;
  
@@ -3080,7 +3256,7 @@ index 81fb26f..adce466 100644
  	seutil_run_semanage(useradd_t, $2)
  
  	optional_policy(`
-@@ -294,6 +335,25 @@ interface(`usermanage_run_useradd',`
+@@ -294,6 +319,25 @@ interface(`usermanage_run_useradd',`
  
  ########################################
  ## <summary>
@@ -3356,10 +3532,10 @@ index 0000000..1f468aa
 +/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..bbbba63
+index 0000000..bacc639
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,127 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -3384,7 +3560,6 @@ index 0000000..bbbba63
 +	allow $1 chrome_sandbox_t:fd use;
 +
 +	ifdef(`hide_broken_symptoms',`
-+		dontaudit chrome_sandbox_t $1:socket_class_set { read write };
 +		fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
 +	')
 +')
@@ -3646,10 +3821,19 @@ index 37475dd..7db4a01 100644
 +	xserver_dbus_chat_xdm(cpufreqselector_t)
 +')
 diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
-index cd70958..126d7ea 100644
+index cd70958..e8c94b1 100644
 --- a/policy/modules/apps/evolution.te
 +++ b/policy/modules/apps/evolution.te
-@@ -215,7 +215,7 @@ userdom_rw_user_tmp_files(evolution_t)
+@@ -202,6 +202,8 @@ files_read_var_files(evolution_t)
+ 
+ fs_search_auto_mountpoints(evolution_t)
+ 
++auth_use_nsswitch(evolution_t)
++
+ logging_send_syslog_msg(evolution_t)
+ 
+ miscfiles_read_localization(evolution_t)
+@@ -215,7 +217,7 @@ userdom_rw_user_tmp_files(evolution_t)
  userdom_manage_user_tmp_dirs(evolution_t)
  userdom_manage_user_tmp_sockets(evolution_t)
  userdom_manage_user_tmp_files(evolution_t)
@@ -3658,6 +3842,99 @@ index cd70958..126d7ea 100644
  # FIXME: suppress access to .local/.icons/.themes until properly implemented
  # FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
  # until properly implemented
+@@ -319,15 +321,6 @@ optional_policy(`
+ 	mozilla_domtrans(evolution_t)
+ ')
+ 
+-# Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
+-optional_policy(`
+-	nis_use_ypbind(evolution_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(evolution_t)
+-')
+-
+ ### Junk mail filtering (start spamd)
+ optional_policy(`
+ 	spamassassin_exec_spamd(evolution_t)
+@@ -376,6 +369,8 @@ files_read_usr_files(evolution_alarm_t)
+ 
+ fs_search_auto_mountpoints(evolution_alarm_t)
+ 
++auth_use_nsswitch(evolution_alarm_t)
++
+ miscfiles_read_localization(evolution_alarm_t)
+ 
+ # Access evolution home
+@@ -404,10 +399,6 @@ optional_policy(`
+ 	gnome_stream_connect_gconf(evolution_alarm_t)
+ ')
+ 
+-optional_policy(`
+-	nscd_socket_use(evolution_alarm_t)
+-')
+-
+ ########################################
+ #
+ # Evolution exchange connector local policy
+@@ -459,6 +450,8 @@ files_read_usr_files(evolution_exchange_t)
+ # Access evolution home
+ fs_search_auto_mountpoints(evolution_exchange_t)
+ 
++auth_use_nsswitch(evolution_exchange_t)
++
+ miscfiles_read_localization(evolution_exchange_t)
+ 
+ userdom_write_user_tmp_sockets(evolution_exchange_t)
+@@ -484,10 +477,6 @@ optional_policy(`
+ 	gnome_stream_connect_gconf(evolution_exchange_t)
+ ')
+ 
+-optional_policy(`
+-	nscd_socket_use(evolution_exchange_t)
+-')
+-
+ ########################################
+ #
+ # Evolution data server local policy
+@@ -539,6 +528,8 @@ files_read_usr_files(evolution_server_t)
+ 
+ fs_search_auto_mountpoints(evolution_server_t)
+ 
++auth_use_nsswitch(evolution_server_t)
++
+ miscfiles_read_localization(evolution_server_t)
+ # Look in /etc/pki
+ miscfiles_read_generic_certs(evolution_server_t)
+@@ -568,10 +559,6 @@ optional_policy(`
+ 	gnome_stream_connect_gconf(evolution_server_t)
+ ')
+ 
+-optional_policy(`
+-	nscd_socket_use(evolution_server_t)
+-')
+-
+ ########################################
+ #
+ # Evolution webcal local policy
+@@ -600,6 +587,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t)
+ corenet_sendrecv_http_client_packets(evolution_webcal_t)
+ corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
+ 
++auth_use_nsswitch(evolution_webcal_t)
++
+ # Networking capability - connect to website and handle ics link
+ sysnet_read_config(evolution_webcal_t)
+ sysnet_dns_name_resolve(evolution_webcal_t)
+@@ -612,7 +601,3 @@ userdom_search_user_home_dirs(evolution_webcal_t)
+ userdom_dontaudit_read_user_home_content_files(evolution_webcal_t)
+ 
+ xserver_user_x_domain_template(evolution_webcal, evolution_webcal_t, evolution_webcal_tmpfs_t)
+-
+-optional_policy(`
+-	nscd_socket_use(evolution_webcal_t)
+-')
 diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
 new file mode 100644
 index 0000000..6f3570a
@@ -3714,10 +3991,10 @@ index 0000000..6f3570a
 +/usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
 new file mode 100644
-index 0000000..34d913e
+index 0000000..6c038c8
 --- /dev/null
 +++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,112 @@
+@@ -0,0 +1,110 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
@@ -3783,9 +4060,7 @@ index 0000000..34d913e
 +	allow $1_execmem_t self:process { execmem execstack };
 +	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
 +	domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
-+ifdef(`hide_broken_symptoms', `
-+	dontaudit $1_execmem_t $3:socket_class_set { read write };
-+')
++
 +	files_execmod_tmp($1_execmem_t)
 +
 +	# needed by plasma-desktop
@@ -3904,10 +4179,10 @@ index 0000000..2bd5790
 +')
 diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
 new file mode 100644
-index 0000000..f4c2d3f
+index 0000000..5e96d3d
 --- /dev/null
 +++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,74 @@
+@@ -0,0 +1,71 @@
 +policy_module(firewallgui,1.0.0)
 +
 +########################################
@@ -3953,6 +4228,8 @@ index 0000000..f4c2d3f
 +files_search_kernel_modules(firewallgui_t)
 +files_list_kernel_modules(firewallgui_t)
 +
++auth_use_nsswitch(firewallgui_t)
++
 +miscfiles_read_localization(firewallgui_t)
 +
 +userdom_dontaudit_search_user_home_dirs(firewallgui_t)
@@ -3975,11 +4252,6 @@ index 0000000..f4c2d3f
 +')
 +
 +optional_policy(`
-+	nscd_dontaudit_search_pid(firewallgui_t)
-+	nscd_socket_use(firewallgui_t)
-+')
-+
-+optional_policy(`
 +	policykit_dbus_chat(firewallgui_t)
 +')
 diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
@@ -4046,10 +4318,10 @@ index 00a19e3..d5acf98 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..d428376 100644
+index f5afe78..940c1c4 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,729 @@
+@@ -1,44 +1,731 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -4142,6 +4414,8 @@ index f5afe78..d428376 100644
 +
 +	ps_process_pattern($1_gkeyringd_t, $3)
 +
++	auth_use_nsswitch($1_gkeyringd_t)
++
 +	ps_process_pattern($3, $1_gkeyringd_t)
 +	allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
 +
@@ -4797,7 +5071,7 @@ index f5afe78..d428376 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +731,36 @@ interface(`gnome_role',`
+@@ -46,37 +733,36 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -4846,7 +5120,7 @@ index f5afe78..d428376 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +768,42 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +770,42 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -4900,7 +5174,7 @@ index f5afe78..d428376 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +811,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +813,17 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -4922,7 +5196,7 @@ index f5afe78..d428376 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +829,354 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +831,354 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -5293,7 +5567,7 @@ index f5afe78..d428376 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..5b18879 100644
+index 2505654..0c8361a 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
@@ -5371,7 +5645,7 @@ index 2505654..5b18879 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +113,169 @@ optional_policy(`
+@@ -75,3 +113,167 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -5505,8 +5779,6 @@ index 2505654..5b18879 100644
 +
 +selinux_getattr_fs(gkeyringd_domain)
 +
-+auth_use_nsswitch(gkeyringd_domain)
-+
 +logging_send_syslog_msg(gkeyringd_domain)
 +
 +miscfiles_read_localization(gkeyringd_domain)
@@ -5559,10 +5831,10 @@ index e9853d4..6864b58 100644
 +/usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
 +/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
-index 40e0a2a..f4a103c 100644
+index 40e0a2a..93d212c 100644
 --- a/policy/modules/apps/gpg.if
 +++ b/policy/modules/apps/gpg.if
-@@ -54,10 +54,13 @@ interface(`gpg_role',`
+@@ -54,15 +54,16 @@ interface(`gpg_role',`
  	manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  	relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
  
@@ -5575,8 +5847,13 @@ index 40e0a2a..f4a103c 100644
 +	allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
  	ifdef(`hide_broken_symptoms',`
  		#Leaked File Descriptors
- 		dontaudit gpg_t $2:socket_class_set { getattr read write };
-@@ -85,6 +88,43 @@ interface(`gpg_domtrans',`
+-		dontaudit gpg_t $2:socket_class_set { getattr read write };
+ 		dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+-		dontaudit gpg_agent_t $2:socket_class_set { getattr read write };
+ 		dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
+ 	')
+ ')
+@@ -85,6 +86,43 @@ interface(`gpg_domtrans',`
  	domtrans_pattern($1, gpg_exec_t, gpg_t)
  ')
  
@@ -6022,7 +6299,7 @@ index 86c1768..5d2130c 100644
  /usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:java_exec_t,s0)
  ')
 diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
-index e6d84e8..b10bbbc 100644
+index e6d84e8..7c398c0 100644
 --- a/policy/modules/apps/java.if
 +++ b/policy/modules/apps/java.if
 @@ -72,7 +72,8 @@ template(`java_role_template',`
@@ -6035,19 +6312,16 @@ index e6d84e8..b10bbbc 100644
  
  	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
  
-@@ -82,7 +83,10 @@ template(`java_role_template',`
+@@ -82,7 +83,7 @@ template(`java_role_template',`
  
  	domtrans_pattern($3, java_exec_t, $1_java_t)
  
 -	corecmd_bin_domtrans($1_java_t, $3)
 +	corecmd_bin_domtrans($1_java_t, $1_t)
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit $1_t $1_java_t:socket_class_set { read write };
-+	')
  
  	dev_dontaudit_append_rand($1_java_t)
  
-@@ -105,7 +109,7 @@ template(`java_role_template',`
+@@ -105,7 +106,7 @@ template(`java_role_template',`
  ##	</summary>
  ## </param>
  #
@@ -6056,7 +6330,7 @@ index e6d84e8..b10bbbc 100644
  	gen_require(`
  		type java_t, java_exec_t;
  	')
-@@ -179,6 +183,10 @@ interface(`java_run_unconfined',`
+@@ -179,6 +180,10 @@ interface(`java_run_unconfined',`
  
  	java_domtrans_unconfined($1)
  	role $2 types unconfined_java_t;
@@ -6068,10 +6342,10 @@ index e6d84e8..b10bbbc 100644
  
  ########################################
 diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
-index 167950d..ef63b20 100644
+index 167950d..27d37b0 100644
 --- a/policy/modules/apps/java.te
 +++ b/policy/modules/apps/java.te
-@@ -82,12 +82,12 @@ dev_read_urand(java_t)
+@@ -82,18 +82,20 @@ dev_read_urand(java_t)
  dev_read_rand(java_t)
  dev_dontaudit_append_rand(java_t)
  
@@ -6085,7 +6359,30 @@ index 167950d..ef63b20 100644
  
  fs_getattr_xattr_fs(java_t)
  fs_dontaudit_rw_tmpfs_files(java_t)
-@@ -143,14 +143,21 @@ optional_policy(`
+ 
+ logging_send_syslog_msg(java_t)
+ 
++auth_use_nsswitch(java_t)
++
+ miscfiles_read_localization(java_t)
+ # Read global fonts and font config
+ miscfiles_read_fonts(java_t)
+@@ -123,14 +125,6 @@ tunable_policy(`allow_java_execstack',`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(java_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(java_t)
+-')
+-
+-optional_policy(`
+ 	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
+ ')
+ 
+@@ -143,14 +137,21 @@ optional_policy(`
  	# execheap is needed for itanium/BEA jrocket
  	allow unconfined_java_t self:process { execstack execmem execheap };
  
@@ -6261,6 +6558,21 @@ index a0be4ef..ae36a3f 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
+index b55edd0..7b8d952 100644
+--- a/policy/modules/apps/loadkeys.if
++++ b/policy/modules/apps/loadkeys.if
+@@ -17,10 +17,6 @@ interface(`loadkeys_domtrans',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
+-
+-	ifdef(`hide_broken_symptoms',`
+-		dontaudit loadkeys_t $1:socket_class_set { read write };
+-	')
+ ')
+ 
+ ########################################
 diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
 index 2523758..50629a8 100644
 --- a/policy/modules/apps/loadkeys.te
@@ -6296,10 +6608,10 @@ index 0bac996..ca2388d 100644
 +userdom_use_inherited_user_terminals(lockdev_t)
  
 diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
-index 7b08e13..515a88a 100644
+index 7b08e13..1fa8573 100644
 --- a/policy/modules/apps/mono.if
 +++ b/policy/modules/apps/mono.if
-@@ -41,15 +41,22 @@ template(`mono_role_template',`
+@@ -41,7 +41,6 @@ template(`mono_role_template',`
  	application_type($1_mono_t)
  
  	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
@@ -6307,20 +6619,13 @@ index 7b08e13..515a88a 100644
  	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
  
  	domtrans_pattern($3, mono_exec_t, $1_mono_t)
- 
+@@ -49,7 +48,8 @@ template(`mono_role_template',`
  	fs_dontaudit_rw_tmpfs_files($1_mono_t)
  	corecmd_bin_domtrans($1_mono_t, $1_t)
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit $1_t $1_mono_t:socket_class_set { read write };
-+	')
  
 -	userdom_manage_user_tmpfs_files($1_mono_t)
 +	userdom_unpriv_usertype($1, $1_mono_t)
 +	userdom_manage_tmpfs_role($2, $1_mono_t)
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit $1_t $1_mono_t:socket_class_set { read write };
-+	')
  
  	optional_policy(`
  		xserver_role($1_r, $1_mono_t)
@@ -6497,7 +6802,7 @@ index fbb5c5a..170963f 100644
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
  ')
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..456b38e 100644
+index 2e9318b..d4c78ac 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -6529,7 +6834,16 @@ index 2e9318b..456b38e 100644
  corenet_tcp_sendrecv_ftp_port(mozilla_t)
  corenet_tcp_sendrecv_ipp_port(mozilla_t)
  corenet_tcp_connect_http_port(mozilla_t)
-@@ -165,7 +169,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -156,6 +160,8 @@ fs_rw_tmpfs_files(mozilla_t)
+ 
+ term_dontaudit_getattr_pty_dirs(mozilla_t)
+ 
++auth_use_nsswitch(mozilla_t)
++
+ logging_send_syslog_msg(mozilla_t)
+ 
+ miscfiles_read_fonts(mozilla_t)
+@@ -165,7 +171,7 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  # Browse the web, connect to printer
  sysnet_dns_name_resolve(mozilla_t)
  
@@ -6538,7 +6852,7 @@ index 2e9318b..456b38e 100644
  
  xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
  xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
-@@ -262,6 +266,7 @@ optional_policy(`
+@@ -262,6 +268,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -6546,19 +6860,17 @@ index 2e9318b..456b38e 100644
  ')
  
  optional_policy(`
-@@ -282,6 +287,11 @@ optional_policy(`
+@@ -278,7 +285,8 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	nscd_socket_use(mozilla_t)
 +	nsplugin_manage_rw(mozilla_t)
 +	nsplugin_manage_home_files(mozilla_t)
-+')
-+
-+optional_policy(`
- 	pulseaudio_exec(mozilla_t)
- 	pulseaudio_stream_connect(mozilla_t)
- 	pulseaudio_manage_home_files(mozilla_t)
-@@ -297,15 +307,18 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+@@ -297,15 +305,18 @@ optional_policy(`
  #
  
  dontaudit mozilla_plugin_t self:capability { sys_ptrace };
@@ -6580,7 +6892,7 @@ index 2e9318b..456b38e 100644
  
  can_exec(mozilla_plugin_t, mozilla_home_t)
  read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-@@ -313,8 +326,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+@@ -313,8 +324,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
  manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -6593,7 +6905,7 @@ index 2e9318b..456b38e 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -332,11 +347,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -332,11 +345,9 @@ kernel_request_load_module(mozilla_plugin_t)
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
  
@@ -6607,7 +6919,7 @@ index 2e9318b..456b38e 100644
  corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
  corenet_tcp_connect_http_port(mozilla_plugin_t)
  corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +357,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +355,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
  corenet_tcp_connect_ipp_port(mozilla_plugin_t)
  corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
  corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -6617,7 +6929,7 @@ index 2e9318b..456b38e 100644
  
  dev_read_rand(mozilla_plugin_t)
  dev_read_urand(mozilla_plugin_t)
-@@ -385,13 +401,19 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,13 +399,19 @@ term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
  
  userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -6637,7 +6949,7 @@ index 2e9318b..456b38e 100644
  
  tunable_policy(`allow_execmem',`
  	allow mozilla_plugin_t self:process { execmem execstack };
-@@ -425,6 +447,11 @@ optional_policy(`
+@@ -425,6 +445,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6649,7 +6961,7 @@ index 2e9318b..456b38e 100644
  	gnome_manage_config(mozilla_plugin_t)
  ')
  
-@@ -438,7 +465,14 @@ optional_policy(`
+@@ -438,7 +463,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -6665,7 +6977,7 @@ index 2e9318b..456b38e 100644
  ')
  
  optional_policy(`
-@@ -446,10 +480,27 @@ optional_policy(`
+@@ -446,10 +478,27 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -6738,7 +7050,7 @@ index d8ea41d..8bdc526 100644
 +	domtrans_pattern($1, mplayer_exec_t, $2)
 +')
 diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
-index 072a210..7986b0b 100644
+index 072a210..16ce654 100644
 --- a/policy/modules/apps/mplayer.te
 +++ b/policy/modules/apps/mplayer.te
 @@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t)
@@ -6766,10 +7078,12 @@ index 072a210..7986b0b 100644
  
  manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
  manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
-@@ -225,10 +227,12 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
+@@ -225,10 +227,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
  fs_search_auto_mountpoints(mplayer_t)
  fs_list_inotifyfs(mplayer_t)
  
++auth_use_nsswitch(mplayer_t)
++
 +logging_send_syslog_msg(mplayer_t)
 +
  miscfiles_read_localization(mplayer_t)
@@ -6780,17 +7094,15 @@ index 072a210..7986b0b 100644
  # Read media files
  userdom_list_user_tmp(mplayer_t)
  userdom_read_user_tmp_files(mplayer_t)
-@@ -305,6 +309,10 @@ optional_policy(`
+@@ -305,7 +311,7 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	nscd_socket_use(mplayer_t)
 +	gnome_setattr_config_dirs(mplayer_t)
-+')
-+
-+optional_policy(`
- 	nscd_socket_use(mplayer_t)
  ')
  
+ optional_policy(`
 diff --git a/policy/modules/apps/namespace.fc b/policy/modules/apps/namespace.fc
 new file mode 100644
 index 0000000..ce51c8d
@@ -6917,10 +7229,10 @@ index 0000000..22e6c96
 +/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
 new file mode 100644
-index 0000000..044c613
+index 0000000..1925bd9
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.if
-@@ -0,0 +1,474 @@
+@@ -0,0 +1,472 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -7006,9 +7318,7 @@ index 0000000..044c613
 +
 +	#Leaked File Descriptors
 +ifdef(`hide_broken_symptoms', `
-+	dontaudit nsplugin_t $2:socket_class_set { read write };
 +	dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
-+	dontaudit nsplugin_config_t $2:socket_class_set { read write };
 +	dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
 +')
 +	allow nsplugin_t $2:unix_stream_socket connectto;
@@ -8320,10 +8630,10 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
 new file mode 100644
-index 0000000..6efdeca
+index 0000000..809784d
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.if
-@@ -0,0 +1,362 @@
+@@ -0,0 +1,364 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -8446,6 +8756,8 @@ index 0000000..6efdeca
 +	application_type($1_t)
 +	mcs_untrusted_proc($1_t)
 +
++	auth_use_nsswitch($1_t)
++
 +	# window manager
 +	miscfiles_setattr_fonts_cache_dirs($1_t)
 +	allow $1_t self:capability setuid;
@@ -8688,10 +9000,10 @@ index 0000000..6efdeca
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..cb552f5
+index 0000000..31c02d2
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,486 @@
+@@ -0,0 +1,483 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8916,7 +9228,6 @@ index 0000000..cb552f5
 +
 +auth_dontaudit_read_login_records(sandbox_x_domain)
 +auth_dontaudit_write_login_records(sandbox_x_domain)
-+auth_use_nsswitch(sandbox_x_domain)
 +auth_search_pam_console_data(sandbox_x_domain)
 +
 +init_read_utmp(sandbox_x_domain)
@@ -9101,8 +9412,6 @@ index 0000000..cb552f5
 +
 +storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
 +
-+auth_use_nsswitch(sandbox_web_type)
-+
 +dbus_system_bus_client(sandbox_web_type)
 +dbus_read_config(sandbox_web_type)
 +selinux_get_fs_mount(sandbox_web_type)
@@ -9242,10 +9551,20 @@ index a57e81e..57519a4 100644
  
  	files_search_tmp($1_screen_t)
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..9342572 100644
+index 1dc7a85..a01511f 100644
 --- a/policy/modules/apps/seunshare.if
 +++ b/policy/modules/apps/seunshare.if
-@@ -53,8 +53,14 @@ interface(`seunshare_run',`
+@@ -43,18 +43,18 @@ interface(`seunshare_run',`
+ 	role $2 types seunshare_t;
+ 
+ 	allow $1 seunshare_t:process signal_perms;
+-
+-	ifdef(`hide_broken_symptoms', `
+-		dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+-		dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+-		dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+-	')
+ ')
  
  ########################################
  ## <summary>
@@ -9261,7 +9580,7 @@ index 1dc7a85..9342572 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -66,15 +72,32 @@ interface(`seunshare_run',`
+@@ -66,15 +66,30 @@ interface(`seunshare_run',`
  ##	</summary>
  ## </param>
  #
@@ -9279,10 +9598,10 @@ index 1dc7a85..9342572 100644
 +	role $2 types $1_seunshare_t;
  
 -	seunshare_domtrans($1)
++	auth_use_nsswitch($1_seunshare_t)
++	
 +	mls_process_set_level($1_seunshare_t)
- 
--	ps_process_pattern($2, seunshare_t)
--	allow $2 seunshare_t:process signal;
++
 +	domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
 +	sandbox_transition($1_seunshare_t, $2)
 +
@@ -9292,19 +9611,17 @@ index 1dc7a85..9342572 100644
 +
 +	allow $1_seunshare_t $3:process transition;
 +	dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
-+
+ 
+-	ps_process_pattern($2, seunshare_t)
+-	allow $2 seunshare_t:process signal;
 +	corecmd_bin_domtrans($1_seunshare_t, $1_t)
 +	corecmd_shell_domtrans($1_seunshare_t, $1_t)
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit $1_seunshare_t $3:socket_class_set { read write };
-+	')
  ')
 diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..9a7ebe5 100644
+index 7590165..7e6f53c 100644
 --- a/policy/modules/apps/seunshare.te
 +++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0)
  # Declarations
  #
  
@@ -9351,13 +9668,11 @@ index 7590165..9a7ebe5 100644
 +fs_manage_cgroup_files(seunshare_domain)
  
 -miscfiles_read_localization(seunshare_t)
-+auth_use_nsswitch(seunshare_domain)
- 
--userdom_use_user_terminals(seunshare_t)
 +logging_send_syslog_msg(seunshare_domain)
  
+-userdom_use_user_terminals(seunshare_t)
 +miscfiles_read_localization(seunshare_domain)
-+
+ 
 +userdom_use_inherited_user_terminals(seunshare_domain)
 +userdom_list_user_home_content(seunshare_domain)
  ifdef(`hide_broken_symptoms', `
@@ -9384,7 +9699,7 @@ index 7590165..9a7ebe5 100644
 +	fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
-index 3cfb128..e9bfed0 100644
+index 3cfb128..609921d 100644
 --- a/policy/modules/apps/telepathy.if
 +++ b/policy/modules/apps/telepathy.if
 @@ -11,7 +11,6 @@
@@ -9395,7 +9710,18 @@ index 3cfb128..e9bfed0 100644
  template(`telepathy_domain_template',`
  
  	gen_require(`
-@@ -32,7 +31,7 @@ template(`telepathy_domain_template',`
+@@ -23,16 +22,18 @@ template(`telepathy_domain_template',`
+ 	type telepathy_$1_exec_t, telepathy_executable;
+ 	application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ 	ubac_constrained(telepathy_$1_t)
++	auth_use_nsswitch(telepathy_$1_t)
+ 
+ 	type telepathy_$1_tmp_t;
+ 	files_tmp_file(telepathy_$1_tmp_t)
+ 	ubac_constrained(telepathy_$1_tmp_t)
++
+ ')
+ 
  #######################################
  ## <summary>
  ##		Role access for telepathy domains
@@ -9404,7 +9730,7 @@ index 3cfb128..e9bfed0 100644
  ## </summary>
  ## <param name="user_role">
  ##	<summary>
-@@ -44,8 +43,13 @@ template(`telepathy_domain_template',`
+@@ -44,8 +45,13 @@ template(`telepathy_domain_template',`
  ##	The type of the user domain.
  ##	</summary>
  ## </param>
@@ -9419,7 +9745,7 @@ index 3cfb128..e9bfed0 100644
  	gen_require(`
  		attribute telepathy_domain;
  		type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
-@@ -76,6 +80,8 @@ template(`telepathy_role', `
+@@ -76,6 +82,8 @@ template(`telepathy_role', `
  	dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
  	dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
  	dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
@@ -9428,7 +9754,7 @@ index 3cfb128..e9bfed0 100644
  ')
  
  ########################################
-@@ -122,11 +128,6 @@ interface(`telepathy_gabble_dbus_chat', `
+@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', `
  ## <summary>
  ##	Read telepathy mission control state.
  ## </summary>
@@ -9440,7 +9766,7 @@ index 3cfb128..e9bfed0 100644
  ## <param name="domain">
  ## 	<summary>
  ##	Domain allowed access.
-@@ -179,3 +180,75 @@ interface(`telepathy_salut_stream_connect', `
+@@ -179,3 +182,75 @@ interface(`telepathy_salut_stream_connect', `
  	stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
  	files_search_tmp($1)
  ')
@@ -9517,7 +9843,7 @@ index 3cfb128..e9bfed0 100644
 +    ')
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..9f6298c 100644
+index 2533ea0..e6e956f 100644
 --- a/policy/modules/apps/telepathy.te
 +++ b/policy/modules/apps/telepathy.te
 @@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t)
@@ -9627,15 +9953,19 @@ index 2533ea0..9f6298c 100644
  	dbus_system_bus_client(telepathy_msn_t)
  
  	optional_policy(`
-@@ -365,6 +404,7 @@ dev_read_urand(telepathy_domain)
+@@ -365,10 +404,9 @@ dev_read_urand(telepathy_domain)
  
  kernel_read_system_state(telepathy_domain)
  
 +fs_getattr_all_fs(telepathy_domain)
  fs_search_auto_mountpoints(telepathy_domain)
  
- auth_use_nsswitch(telepathy_domain)
-@@ -376,5 +416,23 @@ optional_policy(`
+-auth_use_nsswitch(telepathy_domain)
+-
+ miscfiles_read_localization(telepathy_domain)
+ 
+ optional_policy(`
+@@ -376,5 +414,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9695,7 +10025,7 @@ index e70b0e8..cd83b89 100644
  /usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
 +/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
 diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index ced285a..3d2073a 100644
+index ced285a..ff11b08 100644
 --- a/policy/modules/apps/userhelper.if
 +++ b/policy/modules/apps/userhelper.if
 @@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -9706,7 +10036,36 @@ index ced285a..3d2073a 100644
  	')
  
  	########################################
-@@ -256,3 +257,65 @@ interface(`userhelper_exec',`
+@@ -122,6 +123,9 @@ template(`userhelper_role_template',`
+ 	auth_manage_pam_pid($1_userhelper_t)
+ 	auth_manage_var_auth($1_userhelper_t)
+ 	auth_search_pam_console_data($1_userhelper_t)
++	auth_use_nsswitch($1_userhelper_t)
++
++	logging_send_syslog_msg($1_userhelper_t)
+ 
+ 	# Inherit descriptors from the current session.
+ 	init_use_fds($1_userhelper_t)
+@@ -146,18 +150,6 @@ template(`userhelper_role_template',`
+ 	')
+ 
+ 	optional_policy(`
+-		logging_send_syslog_msg($1_userhelper_t)
+-	')
+-
+-	optional_policy(`
+-		nis_use_ypbind($1_userhelper_t)
+-	')
+-
+-	optional_policy(`
+-		nscd_socket_use($1_userhelper_t)
+-	')
+-
+-	optional_policy(`
+ 		tunable_policy(`! secure_mode',`
+ 			#if we are not in secure mode then we can transition to sysadm_t
+ 			sysadm_bin_spec_domtrans($1_userhelper_t)
+@@ -256,3 +248,65 @@ interface(`userhelper_exec',`
  
  	can_exec($1, userhelper_exec_t)
  ')
@@ -9946,10 +10305,18 @@ index 23066a1..6aff330 100644
  # cjp: why?
  userdom_read_user_home_content_files(vmware_t)
 diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
-index b11941a..dc37e57 100644
+index b11941a..93ec570 100644
 --- a/policy/modules/apps/webalizer.te
 +++ b/policy/modules/apps/webalizer.te
-@@ -81,7 +81,7 @@ miscfiles_read_public_files(webalizer_t)
+@@ -75,13 +75,15 @@ files_read_etc_runtime_files(webalizer_t)
+ logging_list_logs(webalizer_t)
+ logging_send_syslog_msg(webalizer_t)
+ 
++auth_use_nsswitch(webalizer_t)
++
+ miscfiles_read_localization(webalizer_t)
+ miscfiles_read_public_files(webalizer_t)
+ 
  sysnet_dns_name_resolve(webalizer_t)
  sysnet_read_config(webalizer_t)
  
@@ -9958,6 +10325,20 @@ index b11941a..dc37e57 100644
  userdom_use_unpriv_users_fds(webalizer_t)
  userdom_dontaudit_search_user_home_content(webalizer_t)
  
+@@ -97,13 +99,5 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(webalizer_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(webalizer_t)
+-')
+-
+-optional_policy(`
+ 	squid_read_log(webalizer_t)
+ ')
 diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc
 index 9d24449..2666317 100644
 --- a/policy/modules/apps/wine.fc
@@ -9979,7 +10360,7 @@ index 9d24449..2666317 100644
  /opt/picasa/wine/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
  
 diff --git a/policy/modules/apps/wine.if b/policy/modules/apps/wine.if
-index f9a73d0..4b055c1 100644
+index f9a73d0..e10101a 100644
 --- a/policy/modules/apps/wine.if
 +++ b/policy/modules/apps/wine.if
 @@ -29,12 +29,16 @@
@@ -10017,13 +10398,8 @@ index f9a73d0..4b055c1 100644
  		type wine_exec_t;
  	')
  
-@@ -99,9 +103,12 @@ template(`wine_role_template',`
- 	allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
- 	domtrans_pattern($3, wine_exec_t, $1_wine_t)
+@@ -101,7 +105,7 @@ template(`wine_role_template',`
  	corecmd_bin_domtrans($1_wine_t, $1_t)
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit $1_t $1_wine_t:socket_class_set { read write };
-+	')
  
  	userdom_unpriv_usertype($1, $1_wine_t)
 -	userdom_manage_user_tmpfs_files($1_wine_t)
@@ -10031,7 +10407,7 @@ index f9a73d0..4b055c1 100644
  
  	domain_mmap_low($1_wine_t)
  
-@@ -109,6 +116,10 @@ template(`wine_role_template',`
+@@ -109,6 +113,10 @@ template(`wine_role_template',`
  		dontaudit $1_wine_t self:memprotect mmap_zero;
  	')
  
@@ -10056,7 +10432,7 @@ index be9246b..e3de8fa 100644
  tunable_policy(`wine_mmap_zero_ignore',`
  	dontaudit wine_t self:memprotect mmap_zero;
 diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
-index 8bfe97d..6bba1a8 100644
+index 8bfe97d..9e4ad2c 100644
 --- a/policy/modules/apps/wireshark.te
 +++ b/policy/modules/apps/wireshark.te
 @@ -15,6 +15,7 @@ ubac_constrained(wireshark_t)
@@ -10067,6 +10443,26 @@ index 8bfe97d..6bba1a8 100644
  userdom_user_home_content(wireshark_home_t)
  
  type wireshark_tmp_t;
+@@ -85,6 +86,8 @@ fs_search_auto_mountpoints(wireshark_t)
+ 
+ libs_read_lib_files(wireshark_t)
+ 
++auth_use_nsswitch(wireshark_t)
++
+ miscfiles_read_fonts(wireshark_t)
+ miscfiles_read_localization(wireshark_t)
+ 
+@@ -106,10 +109,6 @@ tunable_policy(`use_samba_home_dirs',`
+ 	fs_manage_cifs_symlinks(wireshark_t)
+ ')
+ 
+-optional_policy(`
+-	nscd_socket_use(wireshark_t)
+-')
+-
+ # Manual transition from userhelper
+ optional_policy(`
+ 	userhelper_use_fd(wireshark_t)
 diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
 index b3efef7..50c1a74 100644
 --- a/policy/modules/apps/wm.if
@@ -10097,10 +10493,19 @@ index 1bdeb16..775f788 100644
  userdom_read_user_home_content_files(xscreensaver_t)
  
 diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
-index 223ad43..d400ef6 100644
+index 223ad43..d95e720 100644
 --- a/policy/modules/apps/yam.te
 +++ b/policy/modules/apps/yam.te
-@@ -92,7 +92,7 @@ seutil_read_config(yam_t)
+@@ -83,6 +83,8 @@ fs_search_auto_mountpoints(yam_t)
+ # Content can also be on ISO image files.
+ fs_read_iso9660_files(yam_t)
+ 
++auth_use_nsswitch(yam_t)
++
+ logging_send_syslog_msg(yam_t)
+ 
+ miscfiles_read_localization(yam_t)
+@@ -92,7 +94,7 @@ seutil_read_config(yam_t)
  sysnet_dns_name_resolve(yam_t)
  sysnet_read_config(yam_t)
  
@@ -10109,6 +10514,20 @@ index 223ad43..d400ef6 100644
  userdom_use_unpriv_users_fds(yam_t)
  # Reading dotfiles...
  # cjp: ?
+@@ -112,13 +114,5 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(yam_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(yam_t)
+-')
+-
+-optional_policy(`
+ 	rsync_exec(yam_t)
+ ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
 index 3fae11a..c8607de 100644
 --- a/policy/modules/kernel/corecommands.fc
@@ -10368,7 +10787,7 @@ index 9e9263a..59c2125 100644
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index 4f3b542..4581434 100644
+index 4f3b542..5a41e58 100644
 --- a/policy/modules/kernel/corenetwork.if.in
 +++ b/policy/modules/kernel/corenetwork.if.in
 @@ -615,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',`
@@ -10538,11 +10957,11 @@ index 4f3b542..4581434 100644
 +interface(`corenet_dccp_bind_generic_port',`
 +	gen_require(`
 +		type port_t;
-+		attribute port_type;
++		attribute defined_port_type;
 +	')
 +
 +	allow $1 port_t:dccp_socket name_bind;
-+	dontaudit $1 { port_type -port_t }:dccp_socket name_bind;
++	dontaudit $1 defined_port_type:dccp_socket name_bind;
 +')
 +
 +########################################
@@ -10550,10 +10969,21 @@ index 4f3b542..4581434 100644
  ##	Bind TCP sockets to generic ports.
  ## </summary>
  ## <param name="domain">
-@@ -1264,6 +1394,25 @@ interface(`corenet_tcp_bind_generic_port',`
+@@ -1255,11 +1385,30 @@ interface(`corenet_udp_sendrecv_generic_port',`
+ interface(`corenet_tcp_bind_generic_port',`
+ 	gen_require(`
+ 		type port_t;
+-		attribute port_type;
++		attribute defined_port_type;
+ 	')
  
- ########################################
- ## <summary>
+ 	allow $1 port_t:tcp_socket name_bind;
+-	dontaudit $1 { port_type -port_t }:tcp_socket name_bind;
++	dontaudit $1 defined_port_type:tcp_socket name_bind;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to bind DCCP
 +##	sockets to generic ports.
 +## </summary>
@@ -10569,17 +10999,24 @@ index 4f3b542..4581434 100644
 +	')
 +
 +	dontaudit $1 port_t:dccp_socket name_bind;
+ ')
+ 
+ ########################################
+@@ -1293,11 +1442,29 @@ interface(`corenet_dontaudit_tcp_bind_generic_port',`
+ interface(`corenet_udp_bind_generic_port',`
+ 	gen_require(`
+ 		type port_t;
+-		attribute port_type;
++		attribute defined_port_type;
+ 	')
+ 
+ 	allow $1 port_t:udp_socket name_bind;
+-	dontaudit $1 { port_type -port_t }:udp_socket name_bind;
++	dontaudit $1 defined_port_type:udp_socket name_bind;
 +')
 +
 +########################################
 +## <summary>
- ##	Do not audit bind TCP sockets to generic ports.
- ## </summary>
- ## <param name="domain">
-@@ -1302,6 +1451,24 @@ interface(`corenet_udp_bind_generic_port',`
- 
- ########################################
- ## <summary>
 +##	Connect DCCP sockets to generic ports.
 +## </summary>
 +## <param name="domain">
@@ -10594,13 +11031,9 @@ index 4f3b542..4581434 100644
 +	')
 +
 +	allow $1 port_t:dccp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ##	Connect TCP sockets to generic ports.
- ## </summary>
- ## <param name="domain">
+ ')
+ 
+ ########################################
 @@ -1320,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',`
  
  ########################################
@@ -10753,80 +11186,119 @@ index 4f3b542..4581434 100644
  ##	Send and receive TCP network traffic on generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1647,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+@@ -1647,7 +1924,7 @@ interface(`corenet_udp_sendrecv_reserved_port',`
  
  ########################################
  ## <summary>
+-##	Bind TCP sockets to generic reserved ports.
 +##	Bind DCCP sockets to generic reserved ports.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1655,18 +1932,18 @@ interface(`corenet_udp_sendrecv_reserved_port',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_tcp_bind_reserved_port',`
 +interface(`corenet_dccp_bind_reserved_port',`
-+	gen_require(`
-+		type reserved_port_t;
-+	')
-+
+ 	gen_require(`
+ 		type reserved_port_t;
+ 	')
+ 
+-	allow $1 reserved_port_t:tcp_socket name_bind;
 +	allow $1 reserved_port_t:dccp_socket name_bind;
-+	allow $1 self:capability net_bind_service;
-+')
-+
-+########################################
-+## <summary>
- ##	Bind TCP sockets to generic reserved ports.
+ 	allow $1 self:capability net_bind_service;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Bind UDP sockets to generic reserved ports.
++##	Bind TCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
-@@ -1685,7 +1981,7 @@ interface(`corenet_udp_bind_reserved_port',`
+ ##	<summary>
+@@ -1674,18 +1951,18 @@ interface(`corenet_tcp_bind_reserved_port',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_udp_bind_reserved_port',`
++interface(`corenet_tcp_bind_reserved_port',`
+ 	gen_require(`
+ 		type reserved_port_t;
+ 	')
+ 
+-	allow $1 reserved_port_t:udp_socket name_bind;
++	allow $1 reserved_port_t:tcp_socket name_bind;
+ 	allow $1 self:capability net_bind_service;
+ ')
  
  ########################################
  ## <summary>
 -##	Connect TCP sockets to generic reserved ports.
-+##	Connect DCCP sockets to generic reserved ports.
++##	Bind UDP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1693,17 +1989,17 @@ interface(`corenet_udp_bind_reserved_port',`
+@@ -1693,17 +1970,18 @@ interface(`corenet_udp_bind_reserved_port',`
  ##	</summary>
  ## </param>
  #
 -interface(`corenet_tcp_connect_reserved_port',`
-+interface(`corenet_dccp_connect_reserved_port',`
++interface(`corenet_udp_bind_reserved_port',`
  	gen_require(`
  		type reserved_port_t;
  	')
  
 -	allow $1 reserved_port_t:tcp_socket name_connect;
-+	allow $1 reserved_port_t:dccp_socket name_connect;
++	allow $1 reserved_port_t:udp_socket name_bind;
++	allow $1 self:capability net_bind_service;
  ')
  
  ########################################
  ## <summary>
 -##	Send and receive TCP network traffic on all reserved ports.
-+##	Connect TCP sockets to generic reserved ports.
++##	Connect DCCP sockets to generic reserved ports.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1711,17 +2007,53 @@ interface(`corenet_tcp_connect_reserved_port',`
+@@ -1711,17 +1989,17 @@ interface(`corenet_tcp_connect_reserved_port',`
  ##	</summary>
  ## </param>
  #
 -interface(`corenet_tcp_sendrecv_all_reserved_ports',`
-+interface(`corenet_tcp_connect_reserved_port',`
++interface(`corenet_dccp_connect_reserved_port',`
  	gen_require(`
 -		attribute reserved_port_type;
 +		type reserved_port_t;
  	')
  
 -	allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
-+	allow $1 reserved_port_t:tcp_socket name_connect;
++	allow $1 reserved_port_t:dccp_socket name_connect;
  ')
  
  ########################################
  ## <summary>
 -##	Send UDP network traffic on all reserved ports.
++##	Connect TCP sockets to generic reserved ports.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1729,9 +2007,63 @@ interface(`corenet_tcp_sendrecv_all_reserved_ports',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`corenet_udp_send_all_reserved_ports',`
++interface(`corenet_tcp_connect_reserved_port',`
+ 	gen_require(`
+-		attribute reserved_port_type;
++		type reserved_port_t;
++	')
++
++	allow $1 reserved_port_t:tcp_socket name_connect;
++')
++
++########################################
++## <summary>
 +##	Send and receive DCCP network traffic on all reserved ports.
 +## </summary>
 +## <param name="domain">
@@ -10864,9 +11336,19 @@ index 4f3b542..4581434 100644
 +########################################
 +## <summary>
 +##	Send UDP network traffic on all reserved ports.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`corenet_udp_send_all_reserved_ports',`
++	gen_require(`
++		attribute reserved_port_type;
+ 	')
+ 
+ 	allow $1 reserved_port_type:udp_socket send_msg;
 @@ -1772,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
  
  ########################################
@@ -10932,10 +11414,10 @@ index 4f3b542..4581434 100644
 +#
 +interface(`corenet_dccp_bind_all_unreserved_ports',`
 +	gen_require(`
-+		attribute port_type, reserved_port_type;
++		attribute unreserved_port_type;
 +	')
 +
-+	allow $1 { port_type -reserved_port_type }:dccp_socket name_bind;
++	allow $1 unreserved_port_type:dccp_socket name_bind;
 +')
 +
 +########################################
@@ -10943,10 +11425,32 @@ index 4f3b542..4581434 100644
  ##	Bind TCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
-@@ -1882,6 +2269,24 @@ interface(`corenet_udp_bind_all_unreserved_ports',`
+@@ -1856,10 +2243,10 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ #
+ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ 	gen_require(`
+-		attribute port_type, reserved_port_type;
++		attribute unreserved_port_type;
+ 	')
+ 
+-	allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
++	allow $1 unreserved_port_type:tcp_socket name_bind;
+ ')
  
  ########################################
- ## <summary>
+@@ -1874,10 +2261,28 @@ interface(`corenet_tcp_bind_all_unreserved_ports',`
+ #
+ interface(`corenet_udp_bind_all_unreserved_ports',`
+ 	gen_require(`
+-		attribute port_type, reserved_port_type;
++		attribute unreserved_port_type;
++	')
++
++	allow $1 unreserved_port_type:udp_socket name_bind;
++')
++
++########################################
++## <summary>
 +##	Connect DCCP sockets to reserved ports.
 +## </summary>
 +## <param name="domain">
@@ -10958,16 +11462,13 @@ index 4f3b542..4581434 100644
 +interface(`corenet_dccp_connect_all_reserved_ports',`
 +	gen_require(`
 +		attribute reserved_port_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 { port_type -reserved_port_type }:udp_socket name_bind;
 +	allow $1 reserved_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ##	Connect TCP sockets to reserved ports.
- ## </summary>
- ## <param name="domain">
+ ')
+ 
+ ########################################
 @@ -1900,6 +2305,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
  
  ########################################
@@ -10982,10 +11483,10 @@ index 4f3b542..4581434 100644
 +#
 +interface(`corenet_dccp_connect_all_unreserved_ports',`
 +	gen_require(`
-+		attribute port_type, reserved_port_type;
++		attribute unreserved_port_type;
 +	')
 +
-+	allow $1 { port_type -reserved_port_type }:dccp_socket name_connect;
++	allow $1 unreserved_port_type:dccp_socket name_connect;
 +')
 +
 +########################################
@@ -10993,10 +11494,20 @@ index 4f3b542..4581434 100644
  ##	Connect TCP sockets to all ports > 1024.
  ## </summary>
  ## <param name="domain">
-@@ -1918,6 +2341,25 @@ interface(`corenet_tcp_connect_all_unreserved_ports',`
+@@ -1910,10 +2333,29 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
+ #
+ interface(`corenet_tcp_connect_all_unreserved_ports',`
+ 	gen_require(`
+-		attribute port_type, reserved_port_type;
++		attribute unreserved_port_type;
+ 	')
  
- ########################################
- ## <summary>
+-	allow $1 { port_type -reserved_port_type }:tcp_socket name_connect;
++	allow $1 unreserved_port_type:tcp_socket name_connect;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to connect DCCP sockets
 +##	all reserved ports.
 +## </summary>
@@ -11012,13 +11523,9 @@ index 4f3b542..4581434 100644
 +	')
 +
 +	dontaudit $1 reserved_port_type:dccp_socket name_connect;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to connect TCP sockets
- ##	all reserved ports.
- ## </summary>
+ ')
+ 
+ ########################################
 @@ -1937,6 +2379,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',`
  
  ########################################
@@ -11369,10 +11876,17 @@ index 4f3b542..4581434 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..b49e084 100644
+index 99b71cb..7345e5f 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
-@@ -16,6 +16,7 @@ attribute rpc_port_type;
+@@ -11,11 +11,14 @@ attribute netif_type;
+ attribute node_type;
+ attribute packet_type;
+ attribute port_type;
++attribute defined_port_type;
+ attribute reserved_port_type;
++attribute unreserved_port_type;
+ attribute rpc_port_type;
  attribute server_packet_type;
  
  attribute corenet_unconfined_type;
@@ -11380,7 +11894,7 @@ index 99b71cb..b49e084 100644
  
  type ppp_device_t;
  dev_node(ppp_device_t)
-@@ -25,6 +26,7 @@ dev_node(ppp_device_t)
+@@ -25,6 +28,7 @@ dev_node(ppp_device_t)
  #
  type tun_tap_device_t;
  dev_node(tun_tap_device_t)
@@ -11388,7 +11902,7 @@ index 99b71cb..b49e084 100644
  
  ########################################
  #
-@@ -34,6 +36,18 @@ dev_node(tun_tap_device_t)
+@@ -34,6 +38,18 @@ dev_node(tun_tap_device_t)
  #
  # client_packet_t is the default type of IPv4 and IPv6 client packets.
  #
@@ -11407,7 +11921,7 @@ index 99b71cb..b49e084 100644
  type client_packet_t, packet_type, client_packet_type;
  
  #
-@@ -65,22 +79,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -65,22 +81,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
@@ -11435,7 +11949,7 @@ index 99b71cb..b49e084 100644
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
  network_port(certmaster, tcp,51235,s0)
  network_port(chronyd, udp,323,s0)
-@@ -88,7 +106,9 @@ network_port(clamd, tcp,3310,s0)
+@@ -88,7 +108,9 @@ network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
  network_port(cobbler, tcp,25151,s0)
@@ -11445,7 +11959,7 @@ index 99b71cb..b49e084 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,9 +119,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,9 +121,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -11460,7 +11974,7 @@ index 99b71cb..b49e084 100644
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -129,20 +154,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +156,25 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -11489,7 +12003,7 @@ index 99b71cb..b49e084 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -155,13 +185,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+@@ -155,13 +187,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
  network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
  network_port(ntp, udp,123,s0)
@@ -11512,7 +12026,7 @@ index 99b71cb..b49e084 100644
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
-@@ -183,25 +221,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -183,25 +223,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -11545,7 +12059,7 @@ index 99b71cb..b49e084 100644
  network_port(syslogd, udp,514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
-@@ -215,7 +257,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +259,7 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -11554,7 +12068,7 @@ index 99b71cb..b49e084 100644
  network_port(wccp, udp,2048,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +271,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +273,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -11562,7 +12076,7 @@ index 99b71cb..b49e084 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -282,9 +325,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +327,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -11575,6 +12089,28 @@ index 99b71cb..b49e084 100644
 -allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 +allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
 +allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
+diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
+index 35fed4f..49f27ca 100644
+--- a/policy/modules/kernel/corenetwork.te.m4
++++ b/policy/modules/kernel/corenetwork.te.m4
+@@ -81,7 +81,7 @@ declare_nodes($1_node_t,shift($*))
+ define(`declare_ports',`dnl
+ ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
+ ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
+-',`dnl')
++',`typeattribute $1 unreserved_port_type;')
+ portcon $2 $3 gen_context(system_u:object_r:$1,$4)
+ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+ ')
+@@ -90,7 +90,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+ # network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+ #
+ define(`network_port',`
+-type $1_port_t, port_type;
++type $1_port_t, port_type, defined_port_type;
+ type $1_client_packet_t, packet_type, client_packet_type;
+ type $1_server_packet_t, packet_type, server_packet_type;
+ declare_ports($1_port_t,shift($*))dnl
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
 index 6cf8784..5b25039 100644
 --- a/policy/modules/kernel/devices.fc
@@ -12930,7 +13466,7 @@ index 6a1e4d1..cf3d50b 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..1f0b08f 100644
+index fae1ab1..da927bb 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -13023,7 +13559,7 @@ index fae1ab1..1f0b08f 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +197,88 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,90 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -13085,6 +13621,7 @@ index fae1ab1..1f0b08f 100644
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit domain self:udp_socket listen;
 +	allow domain domain:key { link search };
++	dontaudit domain domain:socket_class_set { read write };
 +')
 +
 +optional_policy(`
@@ -13112,6 +13649,7 @@ index fae1ab1..1f0b08f 100644
 +
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
++
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
 index c19518a..ba08cfe 100644
 --- a/policy/modules/kernel/files.fc
@@ -13221,7 +13759,7 @@ index c19518a..ba08cfe 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..9097e58 100644
+index ff006ea..a049775 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -13232,7 +13770,71 @@ index ff006ea..9097e58 100644
  ##		<li>files_tmp_file()</li>
  ##		<li>files_tmpfs_file()</li>
  ##		<li>logging_log_file()</li>
-@@ -1053,10 +1054,8 @@ interface(`files_relabel_all_files',`
+@@ -663,12 +664,63 @@ interface(`files_read_non_security_files',`
+ 		attribute non_security_file_type;
+ 	')
+ 
++	list_dirs_pattern($1, non_security_file_type, non_security_file_type)
+ 	read_files_pattern($1, non_security_file_type, non_security_file_type)
+ 	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ ')
+ 
+ ########################################
+ ## <summary>
++##	Manage all non-security files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_manage_non_security_files',`
++	gen_require(`
++		attribute non_security_file_type;
++	')
++
++	manage_files_pattern($1, non_security_file_type, non_security_file_type)
++	read_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
++')
++
++########################################
++## <summary>
++##	Relabel all non-security files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_relabel_non_security_files',`
++	gen_require(`
++		attribute non_security_file_type;
++	')
++
++	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
++	allow $1 { non_security_file_type }:dir list_dir_perms;
++	relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
++	relabel_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++	relabel_lnk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++	relabel_fifo_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++	relabel_sock_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++	relabel_blk_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++	relabel_chr_files_pattern($1, { non_security_file_type }, { non_security_file_type })
++
++	# satisfy the assertions:
++	seutil_relabelto_bin_policy($1)
++')
++
++########################################
++## <summary>
+ ##	Read all directories on the filesystem, except
+ ##	the listed exceptions.
+ ## </summary>
+@@ -1053,10 +1105,8 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -13245,7 +13847,7 @@ index ff006ea..9097e58 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1482,6 +1481,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1482,6 +1532,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -13288,7 +13890,7 @@ index ff006ea..9097e58 100644
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1562,7 +1597,7 @@ interface(`files_root_filetrans',`
+@@ -1562,7 +1648,7 @@ interface(`files_root_filetrans',`
  		type root_t;
  	')
  
@@ -13297,7 +13899,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -1848,7 +1883,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +1934,7 @@ interface(`files_boot_filetrans',`
  		type boot_t;
  	')
  
@@ -13306,7 +13908,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -2372,6 +2407,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2458,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -13331,7 +13933,7 @@ index ff006ea..9097e58 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2451,7 +2504,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2555,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13340,7 +13942,7 @@ index ff006ea..9097e58 100644
  ##	</summary>
  ## </param>
  #
-@@ -2525,6 +2578,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2629,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -13365,7 +13967,7 @@ index ff006ea..9097e58 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2624,7 +2695,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2746,7 @@ interface(`files_etc_filetrans',`
  		type etc_t;
  	')
  
@@ -13374,7 +13976,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -2680,24 +2751,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2802,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -13399,7 +14001,7 @@ index ff006ea..9097e58 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2738,6 +2791,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2842,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -13424,7 +14026,7 @@ index ff006ea..9097e58 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2775,6 +2846,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2897,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -13432,7 +14034,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -3364,7 +3436,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3487,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
  
@@ -13441,7 +14043,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -3502,20 +3574,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3625,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -13485,7 +14087,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -3900,6 +3990,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4041,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -13585,7 +14187,7 @@ index ff006ea..9097e58 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3945,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4179,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13594,7 +14196,7 @@ index ff006ea..9097e58 100644
  ##	</summary>
  ## </param>
  #
-@@ -4017,7 +4200,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4251,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13603,7 +14205,7 @@ index ff006ea..9097e58 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4263,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -13628,7 +14230,7 @@ index ff006ea..9097e58 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4085,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4337,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -13661,7 +14263,7 @@ index ff006ea..9097e58 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4139,6 +4366,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4417,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -13704,7 +14306,7 @@ index ff006ea..9097e58 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4465,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4516,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13713,7 +14315,7 @@ index ff006ea..9097e58 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4525,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4576,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13722,7 +14324,7 @@ index ff006ea..9097e58 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4581,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4632,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -13731,7 +14333,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -4342,6 +4605,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4656,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -13748,7 +14350,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -4681,7 +4954,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5005,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -13757,7 +14359,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -5084,7 +5357,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5408,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -13766,7 +14368,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -5219,7 +5492,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5543,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -13775,10 +14377,11 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -5304,6 +5577,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,7 +5628,26 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
+-##	Search the locks directory (/var/lock).
 +##	List generic lock directories.
 +## </summary>
 +## <param name="domain">
@@ -13798,10 +14401,11 @@ index ff006ea..9097e58 100644
 +
 +########################################
 +## <summary>
- ##	Search the locks directory (/var/lock).
++##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5609,8 @@ interface(`files_search_locks',`
+ ##	<summary>
+@@ -5317,6 +5660,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13810,7 +14414,7 @@ index ff006ea..9097e58 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5630,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5681,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -13826,7 +14430,7 @@ index ff006ea..9097e58 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5645,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5696,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -13838,7 +14442,8 @@ index ff006ea..9097e58 100644
 +	files_search_locks($1)
 +	allow $1 var_lock_t:dir create_dir_perms;
 +')
-+
+ 
+-	list_dirs_pattern($1, var_t, var_lock_t)
 +########################################
 +## <summary>
 +##	Set the attributes of the /var/lock directory.
@@ -13853,13 +14458,12 @@ index ff006ea..9097e58 100644
 +	gen_require(`
 +		type var_lock_t;
 +	')
- 
--	list_dirs_pattern($1, var_t, var_lock_t)
++
 +	allow $1 var_lock_t:dir setattr;
  ')
  
  ########################################
-@@ -5373,6 +5687,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5738,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -13867,7 +14471,7 @@ index ff006ea..9097e58 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5700,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5751,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -13875,7 +14479,7 @@ index ff006ea..9097e58 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5726,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5777,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13884,7 +14488,7 @@ index ff006ea..9097e58 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5742,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5793,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -13901,7 +14505,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -5452,7 +5766,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5817,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13910,7 +14514,7 @@ index ff006ea..9097e58 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5807,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5858,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13919,7 +14523,7 @@ index ff006ea..9097e58 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5829,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5880,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -13928,7 +14532,7 @@ index ff006ea..9097e58 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5861,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5912,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -13939,7 +14543,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -5608,6 +5922,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +5973,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -13983,7 +14587,7 @@ index ff006ea..9097e58 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5736,7 +6087,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6138,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -13992,7 +14596,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -5815,6 +6166,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6217,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -14109,7 +14713,7 @@ index ff006ea..9097e58 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5832,6 +6293,44 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6344,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -14154,7 +14758,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -5900,6 +6399,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6450,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -14245,7 +14849,7 @@ index ff006ea..9097e58 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6042,7 +6625,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6676,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -14254,7 +14858,7 @@ index ff006ea..9097e58 100644
  ')
  
  ########################################
-@@ -6117,3 +6700,284 @@ interface(`files_unconfined',`
+@@ -6117,3 +6751,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -15337,7 +15941,7 @@ index 6346378..edbe041 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..30d03e3 100644
+index d91c62f..2860a62 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -15438,7 +16042,27 @@ index d91c62f..30d03e3 100644
  ')
  
  optional_policy(`
-@@ -358,6 +399,15 @@ optional_policy(`
+@@ -334,9 +375,7 @@ optional_policy(`
+ 		fs_read_noxattr_fs_files(kernel_t)
+ 		fs_read_noxattr_fs_symlinks(kernel_t)
+ 
+-		auth_read_all_dirs_except_shadow(kernel_t)
+-		auth_read_all_files_except_shadow(kernel_t)
+-		auth_read_all_symlinks_except_shadow(kernel_t)
++		files_read_non_security_files(kernel_t)
+ 	')
+ 
+ 	tunable_policy(`nfs_export_all_rw',`
+@@ -345,7 +384,7 @@ optional_policy(`
+ 		fs_read_noxattr_fs_files(kernel_t)
+ 		fs_read_noxattr_fs_symlinks(kernel_t)
+ 
+-		auth_manage_all_files_except_shadow(kernel_t)
++		files_manage_non_security_files(kernel_t)
+ 	')
+ ')
+ 
+@@ -358,6 +397,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -16873,7 +17497,7 @@ index 1cb7311..1de82b2 100644
 +
 +gen_user(guest_u, user, guest_r, s0, s0)
 diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index be4de58..cce681a 100644
+index be4de58..7e8b6ec 100644
 --- a/policy/modules/roles/secadm.te
 +++ b/policy/modules/roles/secadm.te
 @@ -9,6 +9,8 @@ role secadm_r;
@@ -16885,6 +17509,16 @@ index be4de58..cce681a 100644
  
  ########################################
  #
+@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t)
+ mls_file_downgrade(secadm_t)
+ 
+ auth_role(secadm_r, secadm_t)
+-auth_relabel_all_files_except_shadow(secadm_t)
+-auth_relabel_shadow(secadm_t)
++files_relabel_all_files(secadm_t)
+ 
+ init_exec(secadm_t)
+ 
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
 index 2be17d2..1a6d9d1 100644
 --- a/policy/modules/roles/staff.te
@@ -18260,10 +18894,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..99f35d5
+index 0000000..f35e36b
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,545 @@
+@@ -0,0 +1,549 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -18610,6 +19244,10 @@ index 0000000..99f35d5
 +')
 +
 +optional_policy(`
++	dnsmasq_filetrans_named_content(unconfined_t)
++')
++
++optional_policy(`
 +	firstboot_run(unconfined_t, unconfined_r)
 +')
 +
@@ -19165,7 +19803,7 @@ index 1bd5812..b3631d6 100644
 +/var/cache/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 +/var/spool/retrace-server(/.*)?						gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..7382308 100644
+index 0b827c5..e03a970 100644
 --- a/policy/modules/services/abrt.if
 +++ b/policy/modules/services/abrt.if
 @@ -71,6 +71,7 @@ interface(`abrt_read_state',`
@@ -19176,18 +19814,7 @@ index 0b827c5..7382308 100644
  	ps_process_pattern($1, abrt_t)
  ')
  
-@@ -130,6 +131,10 @@ interface(`abrt_domtrans_helper',`
- 	')
- 
- 	domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit abrt_helper_t $1:socket_class_set { read write };
-+	')
- ')
- 
- ########################################
-@@ -160,8 +165,44 @@ interface(`abrt_run_helper',`
+@@ -160,8 +161,44 @@ interface(`abrt_run_helper',`
  
  ########################################
  ## <summary>
@@ -19234,7 +19861,7 @@ index 0b827c5..7382308 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -253,6 +294,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +290,24 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -19259,7 +19886,7 @@ index 0b827c5..7382308 100644
  #####################################
  ## <summary>
  ##	All of the rules required to administrate
-@@ -286,18 +345,98 @@ interface(`abrt_admin',`
+@@ -286,18 +341,98 @@ interface(`abrt_admin',`
  	role_transition $2 abrt_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -21952,7 +22579,7 @@ index 1ea99b2..9427dd5 100644
 +	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..64ed1bb 100644
+index 1c8c27e..4ae8a51 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -22037,16 +22664,17 @@ index 1c8c27e..64ed1bb 100644
  ',`
  	# for ifconfig which is run all the time
  	kernel_dontaudit_search_sysctl(apmd_t)
-@@ -205,12 +217,18 @@ optional_policy(`
+@@ -201,7 +213,8 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	nscd_socket_use(apmd_t)
 +	modutils_domtrans_insmod(apmd_t)
 +	modutils_read_module_config(apmd_t)
-+')
-+
-+optional_policy(`
- 	pcmcia_domtrans_cardmgr(apmd_t)
+ ')
+ 
+ optional_policy(`
+@@ -209,8 +222,9 @@ optional_policy(`
  	pcmcia_domtrans_cardctl(apmd_t)
  ')
  
@@ -22057,7 +22685,7 @@ index 1c8c27e..64ed1bb 100644
  ')
  
  optional_policy(`
-@@ -218,9 +236,9 @@ optional_policy(`
+@@ -218,9 +232,9 @@ optional_policy(`
  	udev_read_state(apmd_t) #necessary?
  ')
  
@@ -22397,7 +23025,7 @@ index 44a1e3d..7e9d2fb 100644
  	files_list_pids($1)
  	admin_pattern($1, named_var_run_t)
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..be16209 100644
+index 4deca04..991629d 100644
 --- a/policy/modules/services/bind.te
 +++ b/policy/modules/services/bind.te
 @@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
@@ -22461,8 +23089,11 @@ index 4deca04..be16209 100644
  tunable_policy(`named_write_master_zones',`
  	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
  	manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -201,12 +214,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
- allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -198,15 +211,14 @@ allow ndc_t self:process { fork signal_perms };
+ allow ndc_t self:fifo_file rw_fifo_file_perms;
+ allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
+ allow ndc_t self:tcp_socket create_socket_perms;
+-allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
  
  allow ndc_t dnssec_t:file read_file_perms;
 -allow ndc_t dnssec_t:lnk_file { getattr read };
@@ -22476,10 +23107,22 @@ index 4deca04..be16209 100644
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
-@@ -238,13 +251,13 @@ miscfiles_read_localization(ndc_t)
- sysnet_read_config(ndc_t)
- sysnet_dns_name_resolve(ndc_t)
+@@ -228,6 +240,8 @@ files_search_pids(ndc_t)
+ 
+ fs_getattr_xattr_fs(ndc_t)
+ 
++auth_use_nsswitch(ndc_t)
++
+ init_use_fds(ndc_t)
+ init_use_script_ptys(ndc_t)
+ 
+@@ -235,24 +249,13 @@ logging_send_syslog_msg(ndc_t)
  
+ miscfiles_read_localization(ndc_t)
+ 
+-sysnet_read_config(ndc_t)
+-sysnet_dns_name_resolve(ndc_t)
+-
 -userdom_use_user_terminals(ndc_t)
 +userdom_use_inherited_user_terminals(ndc_t)
  
@@ -22488,6 +23131,14 @@ index 4deca04..be16209 100644
  # for /etc/rndc.key
  ifdef(`distro_redhat',`
 -	allow ndc_t named_conf_t:dir search;
+-')
+-
+-optional_policy(`
+-	nis_use_ypbind(ndc_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(ndc_t)
 +	allow ndc_t named_conf_t:dir search_dir_perms;
  ')
  
@@ -22660,7 +23311,7 @@ index 3e45431..4aa8fb1 100644
  	admin_pattern($1, bluetooth_var_lib_t)
  
 diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..4a3569f 100644
+index 215b86b..619518f 100644
 --- a/policy/modules/services/bluetooth.te
 +++ b/policy/modules/services/bluetooth.te
 @@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
@@ -22701,6 +23352,33 @@ index 215b86b..4a3569f 100644
  	dbus_system_bus_client(bluetooth_t)
  	dbus_connect_system_bus(bluetooth_t)
  
+@@ -190,7 +200,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+ allow bluetooth_helper_t self:shm create_shm_perms;
+ allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow bluetooth_helper_t self:tcp_socket create_socket_perms;
+-allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ allow bluetooth_helper_t bluetooth_t:socket { read write };
+ 
+@@ -220,6 +229,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
+ files_read_usr_files(bluetooth_helper_t)
+ files_dontaudit_list_default(bluetooth_helper_t)
+ 
++auth_use_nsswitch(bluetooth_helper_t)
++
+ locallogin_dontaudit_use_fds(bluetooth_helper_t)
+ 
+ logging_send_syslog_msg(bluetooth_helper_t)
+@@ -236,9 +247,5 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(bluetooth_helper_t)
+-')
+-
+-optional_policy(`
+ 	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
+ ')
 diff --git a/policy/modules/services/boinc.fc b/policy/modules/services/boinc.fc
 new file mode 100644
 index 0000000..c095160
@@ -25902,7 +26580,7 @@ index 838dec7..59d0f96 100644
  miscfiles_read_localization(courier_pop_t)
  
 diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
-index 13d2f63..a048c53 100644
+index 13d2f63..861fad7 100644
 --- a/policy/modules/services/cpucontrol.te
 +++ b/policy/modules/services/cpucontrol.te
 @@ -10,7 +10,7 @@ type cpucontrol_exec_t;
@@ -25914,6 +26592,28 @@ index 13d2f63..a048c53 100644
  
  type cpuspeed_t;
  type cpuspeed_exec_t;
+@@ -55,10 +55,6 @@ logging_send_syslog_msg(cpucontrol_t)
+ userdom_dontaudit_use_unpriv_user_fds(cpucontrol_t)
+ 
+ optional_policy(`
+-	nscd_socket_use(cpucontrol_t)
+-')
+-
+-optional_policy(`
+ 	rhgb_use_ptys(cpucontrol_t)
+ ')
+ 
+@@ -110,10 +106,6 @@ miscfiles_read_localization(cpuspeed_t)
+ userdom_dontaudit_use_unpriv_user_fds(cpuspeed_t)
+ 
+ optional_policy(`
+-	nscd_socket_use(cpuspeed_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(cpuspeed_t)
+ ')
+ 
 diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
 index 2eefc08..34ab5ce 100644
 --- a/policy/modules/services/cron.fc
@@ -25937,7 +26637,7 @@ index 2eefc08..34ab5ce 100644
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..2976df7 100644
+index 35241ed..074392b 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -25989,11 +26689,12 @@ index 35241ed..2976df7 100644
  
  	domain_use_interactive_fds($1_t)
  
-@@ -59,12 +70,15 @@ template(`cron_common_crontab_template',`
+@@ -59,12 +70,16 @@ template(`cron_common_crontab_template',`
  	files_dontaudit_search_pids($1_t)
  
  	auth_domtrans_chk_passwd($1_t)
 +	auth_rw_var_auth($1_t)
++	auth_use_nsswitch($1_t)
  
  	logging_send_syslog_msg($1_t)
  	logging_send_audit_msgs($1_t)
@@ -26005,7 +26706,7 @@ index 35241ed..2976df7 100644
  
  	miscfiles_read_localization($1_t)
  
-@@ -73,9 +87,10 @@ template(`cron_common_crontab_template',`
+@@ -73,9 +88,10 @@ template(`cron_common_crontab_template',`
  	userdom_manage_user_tmp_dirs($1_t)
  	userdom_manage_user_tmp_files($1_t)
  	# Access terminals.
@@ -26017,7 +26718,17 @@ index 35241ed..2976df7 100644
  
  	tunable_policy(`fcron_crond',`
  		# fcron wants an instant update of a crontab change for the administrator
-@@ -102,10 +117,12 @@ template(`cron_common_crontab_template',`
+@@ -83,9 +99,6 @@ template(`cron_common_crontab_template',`
+ 		dontaudit $1_t crond_t:process signal;
+ 	')
+ 
+-	optional_policy(`
+-		nscd_socket_use($1_t)
+-	')
+ ')
+ 
+ ########################################
+@@ -102,10 +115,12 @@ template(`cron_common_crontab_template',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -26030,7 +26741,7 @@ index 35241ed..2976df7 100644
  	')
  
  	role $1 types { cronjob_t crontab_t };
-@@ -116,9 +133,16 @@ interface(`cron_role',`
+@@ -116,9 +131,16 @@ interface(`cron_role',`
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, crontab_exec_t, crontab_t)
  
@@ -26048,7 +26759,7 @@ index 35241ed..2976df7 100644
  
  	# Run helper programs as the user domain
  	#corecmd_bin_domtrans(crontab_t, $2)
-@@ -132,9 +156,8 @@ interface(`cron_role',`
+@@ -132,9 +154,8 @@ interface(`cron_role',`
  		')
  
  		dbus_stub(cronjob_t)
@@ -26059,7 +26770,7 @@ index 35241ed..2976df7 100644
  ')
  
  ########################################
-@@ -151,29 +174,18 @@ interface(`cron_role',`
+@@ -151,29 +172,18 @@ interface(`cron_role',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -26093,7 +26804,7 @@ index 35241ed..2976df7 100644
  
  	optional_policy(`
  		gen_require(`
-@@ -181,9 +193,8 @@ interface(`cron_unconfined_role',`
+@@ -181,9 +191,8 @@ interface(`cron_unconfined_role',`
  		')
  
  		dbus_stub(unconfined_cronjob_t)
@@ -26104,7 +26815,7 @@ index 35241ed..2976df7 100644
  ')
  
  ########################################
-@@ -200,6 +211,7 @@ interface(`cron_unconfined_role',`
+@@ -200,6 +209,7 @@ interface(`cron_unconfined_role',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -26112,7 +26823,7 @@ index 35241ed..2976df7 100644
  #
  interface(`cron_admin_role',`
  	gen_require(`
-@@ -220,7 +232,7 @@ interface(`cron_admin_role',`
+@@ -220,7 +230,7 @@ interface(`cron_admin_role',`
  
  	# crontab shows up in user ps
  	ps_process_pattern($2, admin_crontab_t)
@@ -26121,7 +26832,7 @@ index 35241ed..2976df7 100644
  
  	# Run helper programs as the user domain
  	#corecmd_bin_domtrans(admin_crontab_t, $2)
-@@ -234,9 +246,8 @@ interface(`cron_admin_role',`
+@@ -234,9 +244,8 @@ interface(`cron_admin_role',`
  		')
  
  		dbus_stub(admin_cronjob_t)
@@ -26132,7 +26843,7 @@ index 35241ed..2976df7 100644
  ')
  
  ########################################
-@@ -304,7 +315,7 @@ interface(`cron_exec',`
+@@ -304,7 +313,7 @@ interface(`cron_exec',`
  
  ########################################
  ## <summary>
@@ -26141,7 +26852,7 @@ index 35241ed..2976df7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -377,6 +388,47 @@ interface(`cron_read_pipes',`
+@@ -377,6 +386,47 @@ interface(`cron_read_pipes',`
  
  ########################################
  ## <summary>
@@ -26189,7 +26900,7 @@ index 35241ed..2976df7 100644
  ##	Do not audit attempts to write cron daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
-@@ -390,6 +442,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +440,7 @@ interface(`cron_dontaudit_write_pipes',`
  		type crond_t;
  	')
  
@@ -26197,7 +26908,7 @@ index 35241ed..2976df7 100644
  	dontaudit $1 crond_t:fifo_file write;
  ')
  
-@@ -408,7 +461,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +459,43 @@ interface(`cron_rw_pipes',`
  		type crond_t;
  	')
  
@@ -26242,7 +26953,7 @@ index 35241ed..2976df7 100644
  ')
  
  ########################################
-@@ -481,6 +570,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +568,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -26250,7 +26961,7 @@ index 35241ed..2976df7 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -536,7 +626,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +624,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -26259,7 +26970,7 @@ index 35241ed..2976df7 100644
  ')
  
  ########################################
-@@ -554,7 +644,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +642,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -26268,7 +26979,7 @@ index 35241ed..2976df7 100644
  ')
  
  ########################################
-@@ -587,11 +677,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +675,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -26284,7 +26995,7 @@ index 35241ed..2976df7 100644
  ')
  
  ########################################
-@@ -627,7 +720,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +718,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -27047,7 +27758,7 @@ index 0000000..9146ef1
 +
 diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
 new file mode 100644
-index 0000000..09cb39f
+index 0000000..5e2a4bd
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.te
 @@ -0,0 +1,114 @@
@@ -27139,10 +27850,10 @@ index 0000000..09cb39f
 +logging_send_syslog_msg(ctdbd_t)
 +
 +miscfiles_read_localization(ctdbd_t)
++miscfiles_read_public_files(ctdbd_t)
 +
-+
-+# corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)
-+# corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)
++#corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)
++#corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)
 +
 +optional_policy(`
 +	consoletype_exec(ctdbd_t)
@@ -27644,7 +28355,7 @@ index 81eba14..d0ab56c 100644
  /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
  /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..7dbd8f6 100644
+index 1a1becd..d4357ec 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -27669,18 +28380,21 @@ index 1a1becd..7dbd8f6 100644
  	ubac_constrained($1_dbusd_t)
  	role $2 types $1_dbusd_t;
  
-@@ -62,8 +61,9 @@ template(`dbus_role_template',`
+@@ -62,107 +61,26 @@ template(`dbus_role_template',`
  	# Local policy
  	#
  
-+	dontaudit $1_dbusd_t self:capability sys_resource;
- 	allow $1_dbusd_t self:process { getattr sigkill signal };
+-	allow $1_dbusd_t self:process { getattr sigkill signal };
 -	dontaudit $1_dbusd_t self:process ptrace;
-+	dontaudit $1_dbusd_t self:process { ptrace setrlimit };
- 	allow $1_dbusd_t self:file { getattr read write };
- 	allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
- 	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
-@@ -76,7 +76,7 @@ template(`dbus_role_template',`
+-	allow $1_dbusd_t self:file { getattr read write };
+-	allow $1_dbusd_t self:fifo_file rw_fifo_file_perms;
+-	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
+-	allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
+-	allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
+-	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
+-	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+-
+ 	# For connecting to the bus
  	allow $3 $1_dbusd_t:unix_stream_socket connectto;
  
  	# SE-DBus specific permissions
@@ -27688,10 +28402,14 @@ index 1a1becd..7dbd8f6 100644
 +	allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
  	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
  
- 	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
-@@ -88,14 +88,16 @@ template(`dbus_role_template',`
- 	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
- 
+-	allow $1_dbusd_t dbusd_etc_t:dir list_dir_perms;
+-	read_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+-	read_lnk_files_pattern($1_dbusd_t, dbusd_etc_t, dbusd_etc_t)
+-
+-	manage_dirs_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+-	manage_files_pattern($1_dbusd_t, session_dbusd_tmp_t, session_dbusd_tmp_t)
+-	files_tmp_filetrans($1_dbusd_t, session_dbusd_tmp_t, { file dir })
+-
  	domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
 -	allow $3 $1_dbusd_t:process { signull sigkill signal };
 +
@@ -27706,50 +28424,78 @@ index 1a1becd..7dbd8f6 100644
  	allow $3 $1_dbusd_t:fd use;
  	allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
 -	allow $3 $1_dbusd_t:process sigchld;
- 
- 	kernel_read_system_state($1_dbusd_t)
- 	kernel_read_kernel_sysctls($1_dbusd_t)
-@@ -116,7 +118,7 @@ template(`dbus_role_template',`
- 
- 	dev_read_urand($1_dbusd_t)
- 
+-
+-	kernel_read_system_state($1_dbusd_t)
+-	kernel_read_kernel_sysctls($1_dbusd_t)
+-
+-	corecmd_list_bin($1_dbusd_t)
+-	corecmd_read_bin_symlinks($1_dbusd_t)
+-	corecmd_read_bin_files($1_dbusd_t)
+-	corecmd_read_bin_pipes($1_dbusd_t)
+-	corecmd_read_bin_sockets($1_dbusd_t)
+-
+-	corenet_all_recvfrom_unlabeled($1_dbusd_t)
+-	corenet_all_recvfrom_netlabel($1_dbusd_t)
+-	corenet_tcp_sendrecv_generic_if($1_dbusd_t)
+-	corenet_tcp_sendrecv_generic_node($1_dbusd_t)
+-	corenet_tcp_sendrecv_all_ports($1_dbusd_t)
+-	corenet_tcp_bind_generic_node($1_dbusd_t)
+-	corenet_tcp_bind_reserved_port($1_dbusd_t)
+-
+-	dev_read_urand($1_dbusd_t)
+-
 - 	domain_use_interactive_fds($1_dbusd_t)
-+	domain_use_interactive_fds($1_dbusd_t)
- 	domain_read_all_domains_state($1_dbusd_t)
- 
- 	files_read_etc_files($1_dbusd_t)
-@@ -147,19 +149,27 @@ template(`dbus_role_template',`
- 	seutil_read_config($1_dbusd_t)
- 	seutil_read_default_contexts($1_dbusd_t)
- 
+-	domain_read_all_domains_state($1_dbusd_t)
+-
+-	files_read_etc_files($1_dbusd_t)
+-	files_list_home($1_dbusd_t)
+-	files_read_usr_files($1_dbusd_t)
+-	files_dontaudit_search_var($1_dbusd_t)
+-
+-	fs_getattr_romfs($1_dbusd_t)
+-	fs_getattr_xattr_fs($1_dbusd_t)
+-	fs_list_inotifyfs($1_dbusd_t)
+-	fs_dontaudit_list_nfs($1_dbusd_t)
+-
+-	selinux_get_fs_mount($1_dbusd_t)
+-	selinux_validate_context($1_dbusd_t)
+-	selinux_compute_access_vector($1_dbusd_t)
+-	selinux_compute_create_context($1_dbusd_t)
+-	selinux_compute_relabel_context($1_dbusd_t)
+-	selinux_compute_user_contexts($1_dbusd_t)
+-
+-	auth_read_pam_console_data($1_dbusd_t)
+-	auth_use_nsswitch($1_dbusd_t)
+-
+-	logging_send_audit_msgs($1_dbusd_t)
+-	logging_send_syslog_msg($1_dbusd_t)
+-
+-	miscfiles_read_localization($1_dbusd_t)
+-
+-	seutil_read_config($1_dbusd_t)
+-	seutil_read_default_contexts($1_dbusd_t)
+-
 -	term_use_all_terms($1_dbusd_t)
-+	term_use_all_inherited_terms($1_dbusd_t)
- 
+-
 -	userdom_read_user_home_content_files($1_dbusd_t)
-+	userdom_dontaudit_search_admin_dir($1_dbusd_t)
-+	userdom_manage_user_home_content_dirs($1_dbusd_t)
-+	userdom_manage_user_home_content_files($1_dbusd_t)
-+	userdom_user_home_dir_filetrans_user_home_content($1_dbusd_t, { dir file })
- 
+-
 -	ifdef(`hide_broken_symptoms', `
-+	ifdef(`hide_broken_symptoms',`
- 		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
- 	')
+-		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
+-	')
+-
+-	optional_policy(`
+-		hal_dbus_chat($1_dbusd_t)
+-	')
  
- 	optional_policy(`
-+		gnome_read_gconf_home_files($1_dbusd_t)
-+	')
-+
-+	optional_policy(`
- 		hal_dbus_chat($1_dbusd_t)
- 	')
+-	optional_policy(`
+-		xserver_use_xdm_fds($1_dbusd_t)
+-		xserver_rw_xdm_pipes($1_dbusd_t)
+-	')
++	auth_use_nsswitch($1_dbusd_t)
+ ')
  
- 	optional_policy(`
-+		xserver_search_xdm_lib($1_dbusd_t)
- 		xserver_use_xdm_fds($1_dbusd_t)
- 		xserver_rw_xdm_pipes($1_dbusd_t)
- 	')
-@@ -181,11 +191,12 @@ interface(`dbus_system_bus_client',`
+ #######################################
+@@ -181,11 +99,12 @@ interface(`dbus_system_bus_client',`
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -27763,7 +28509,7 @@ index 1a1becd..7dbd8f6 100644
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -198,6 +209,34 @@ interface(`dbus_system_bus_client',`
+@@ -198,6 +117,34 @@ interface(`dbus_system_bus_client',`
  
  #######################################
  ## <summary>
@@ -27798,7 +28544,7 @@ index 1a1becd..7dbd8f6 100644
  ##	Template for creating connections to
  ##	a user DBUS.
  ## </summary>
-@@ -218,6 +257,8 @@ interface(`dbus_session_bus_client',`
+@@ -218,6 +165,8 @@ interface(`dbus_session_bus_client',`
  
  	# For connecting to the bus
  	allow $1 session_bus_type:unix_stream_socket connectto;
@@ -27807,7 +28553,7 @@ index 1a1becd..7dbd8f6 100644
  ')
  
  ########################################
-@@ -322,6 +363,11 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +271,11 @@ interface(`dbus_connect_session_bus',`
  ##	Allow a application domain to be started
  ##	by the session dbus.
  ## </summary>
@@ -27819,7 +28565,7 @@ index 1a1becd..7dbd8f6 100644
  ## <param name="domain">
  ##	<summary>
  ##	Type to be used as a domain.
-@@ -336,13 +382,13 @@ interface(`dbus_connect_session_bus',`
+@@ -336,13 +290,13 @@ interface(`dbus_connect_session_bus',`
  #
  interface(`dbus_session_domain',`
  	gen_require(`
@@ -27837,42 +28583,37 @@ index 1a1becd..7dbd8f6 100644
  ')
  
  ########################################
-@@ -432,14 +478,33 @@ interface(`dbus_system_domain',`
- 
- 	domtrans_pattern(system_dbusd_t, $2, $1)
- 
-+	fs_search_all($1)
-+
- 	dbus_system_bus_client($1)
- 	dbus_connect_system_bus($1)
- 
-+	init_stream_connect($1)
-+	init_dgram_send($1)
-+	init_use_fds($1)
-+
- 	ps_process_pattern(system_dbusd_t, $1)
+@@ -421,27 +375,16 @@ interface(`dbus_system_bus_unconfined',`
+ #
+ interface(`dbus_system_domain',`
+ 	gen_require(`
++		attribute system_bus_type;
+ 		type system_dbusd_t;
+ 		role system_r;
+ 	')
++	typeattribute $1  system_bus_type;
  
-+	userdom_dontaudit_search_admin_dir($1)
- 	userdom_read_all_users_state($1)
+ 	domain_type($1)
+ 	domain_entry_file($1, $2)
  
+-	role system_r types $1;
+-
+ 	domtrans_pattern(system_dbusd_t, $2, $1)
+-
+-	dbus_system_bus_client($1)
+-	dbus_connect_system_bus($1)
+-
+-	ps_process_pattern(system_dbusd_t, $1)
+-
+-	userdom_read_all_users_state($1)
+-
 -	ifdef(`hide_broken_symptoms', `
-+	optional_policy(`
-+		abrt_stream_connect($1)
-+	')
-+
-+	optional_policy(`
-+		rpm_script_dbus_chat($1)
-+	')
-+
-+	optional_policy(`
-+		unconfined_dbus_send($1)
-+	')
-+
-+	ifdef(`hide_broken_symptoms',`
- 		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
- 	')
+-		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
+-	')
  ')
-@@ -464,26 +529,25 @@ interface(`dbus_use_system_bus_fds',`
+ 
+ ########################################
+@@ -464,26 +407,25 @@ interface(`dbus_use_system_bus_fds',`
  
  ########################################
  ## <summary>
@@ -27905,7 +28646,7 @@ index 1a1becd..7dbd8f6 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -491,10 +555,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +433,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -27922,10 +28663,18 @@ index 1a1becd..7dbd8f6 100644
  ')
 +
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..0909589 100644
+index 1bff6ee..3136cb7 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
-@@ -36,6 +36,7 @@ files_type(system_dbusd_var_lib_t)
+@@ -10,6 +10,7 @@ gen_require(`
+ #
+ 
+ attribute dbusd_unconfined;
++attribute system_bus_type;
+ attribute session_bus_type;
+ 
+ type dbusd_etc_t;
+@@ -36,6 +37,7 @@ files_type(system_dbusd_var_lib_t)
  
  type system_dbusd_var_run_t;
  files_pid_file(system_dbusd_var_run_t)
@@ -27933,7 +28682,7 @@ index 1bff6ee..0909589 100644
  
  ifdef(`enable_mcs',`
  	init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
-@@ -52,9 +53,9 @@ ifdef(`enable_mls',`
+@@ -52,9 +54,9 @@ ifdef(`enable_mls',`
  
  # dac_override: /var/run/dbus is owned by messagebus on Debian
  # cjp: dac_override should probably go in a distro_debian
@@ -27945,7 +28694,7 @@ index 1bff6ee..0909589 100644
  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
  allow system_dbusd_t self:dbus { send_msg acquire_svc };
  allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
-@@ -74,9 +75,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
+@@ -74,9 +76,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
  
  read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  
@@ -27957,7 +28706,7 @@ index 1bff6ee..0909589 100644
  
  kernel_read_system_state(system_dbusd_t)
  kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -111,6 +113,8 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -111,6 +114,8 @@ auth_read_pam_console_data(system_dbusd_t)
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
@@ -27966,7 +28715,7 @@ index 1bff6ee..0909589 100644
  
  domain_use_interactive_fds(system_dbusd_t)
  domain_read_all_domains_state(system_dbusd_t)
-@@ -121,7 +125,9 @@ files_read_usr_files(system_dbusd_t)
+@@ -121,7 +126,9 @@ files_read_usr_files(system_dbusd_t)
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
@@ -27976,7 +28725,7 @@ index 1bff6ee..0909589 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +147,19 @@ optional_policy(`
+@@ -141,6 +148,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27996,7 +28745,7 @@ index 1bff6ee..0909589 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -151,12 +170,29 @@ optional_policy(`
+@@ -151,12 +171,155 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28015,18 +28764,144 @@ index 1bff6ee..0909589 100644
 +
  ########################################
  #
- # Unconfined access to this module
+-# Unconfined access to this module
++# system_bus_type rules
  #
--
- allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
-+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
-+allow session_bus_type dbusd_unconfined:dbus send_msg;
++role system_r types system_bus_type;
++
++fs_search_all(system_bus_type)
++
++dbus_system_bus_client(system_bus_type)
++dbus_connect_system_bus(system_bus_type)
++
++init_stream_connect(system_bus_type)
++init_dgram_send(system_bus_type)
++init_use_fds(system_bus_type)
+ 
++ps_process_pattern(system_dbusd_t, system_bus_type)
++
++userdom_dontaudit_search_admin_dir(system_bus_type)
++userdom_read_all_users_state(system_bus_type)
 +
 +optional_policy(`
++	abrt_stream_connect(system_bus_type)
++')
++
++optional_policy(`
++	rpm_script_dbus_chat(system_bus_type)
++')
++
++optional_policy(`
++	unconfined_dbus_send(system_bus_type)
++')
++
++ifdef(`hide_broken_symptoms',`
++	dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
++')
++
++########################################
++#
++# session_bus_type rules
++#
++dontaudit session_bus_type self:capability sys_resource;
++allow session_bus_type self:process { getattr sigkill signal };
++dontaudit session_bus_type self:process { ptrace setrlimit };
++allow session_bus_type self:file { getattr read write };
++allow session_bus_type self:fifo_file rw_fifo_file_perms;
++allow session_bus_type self:dbus { send_msg acquire_svc };
++allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
++allow session_bus_type self:unix_dgram_socket create_socket_perms;
++allow session_bus_type self:tcp_socket create_stream_socket_perms;
++allow session_bus_type self:netlink_selinux_socket create_socket_perms;
++
++allow session_bus_type dbusd_etc_t:dir list_dir_perms;
++read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
++read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
++
++manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
++manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
++files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
++
++kernel_read_system_state(session_bus_type)
++kernel_read_kernel_sysctls(session_bus_type)
++
++corecmd_list_bin(session_bus_type)
++corecmd_read_bin_symlinks(session_bus_type)
++corecmd_read_bin_files(session_bus_type)
++corecmd_read_bin_pipes(session_bus_type)
++corecmd_read_bin_sockets(session_bus_type)
++
++corenet_all_recvfrom_unlabeled(session_bus_type)
++corenet_all_recvfrom_netlabel(session_bus_type)
++corenet_tcp_sendrecv_generic_if(session_bus_type)
++corenet_tcp_sendrecv_generic_node(session_bus_type)
++corenet_tcp_sendrecv_all_ports(session_bus_type)
++corenet_tcp_bind_generic_node(session_bus_type)
++corenet_tcp_bind_reserved_port(session_bus_type)
++
++dev_read_urand(session_bus_type)
++
++domain_use_interactive_fds(session_bus_type)
++domain_read_all_domains_state(session_bus_type)
++
++files_read_etc_files(session_bus_type)
++files_list_home(session_bus_type)
++files_read_usr_files(session_bus_type)
++files_dontaudit_search_var(session_bus_type)
++
++fs_getattr_romfs(session_bus_type)
++fs_getattr_xattr_fs(session_bus_type)
++fs_list_inotifyfs(session_bus_type)
++fs_dontaudit_list_nfs(session_bus_type)
++
++selinux_get_fs_mount(session_bus_type)
++selinux_validate_context(session_bus_type)
++selinux_compute_access_vector(session_bus_type)
++selinux_compute_create_context(session_bus_type)
++selinux_compute_relabel_context(session_bus_type)
++selinux_compute_user_contexts(session_bus_type)
++
++auth_read_pam_console_data(session_bus_type)
++
++logging_send_audit_msgs(session_bus_type)
++logging_send_syslog_msg(session_bus_type)
++
++miscfiles_read_localization(session_bus_type)
++
++seutil_read_config(session_bus_type)
++seutil_read_default_contexts(session_bus_type)
++
++term_use_all_inherited_terms(session_bus_type)
++
++userdom_dontaudit_search_admin_dir(session_bus_type)
++userdom_manage_user_home_content_dirs(session_bus_type)
++userdom_manage_user_home_content_files(session_bus_type)
++userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
++
++optional_policy(`
++	gnome_read_gconf_home_files(session_bus_type)
++')
++
++optional_policy(`
++	hal_dbus_chat(session_bus_type)
++')
++
++optional_policy(`
++	xserver_search_xdm_lib(session_bus_type)
++	xserver_use_xdm_fds(session_bus_type)
++	xserver_rw_xdm_pipes(session_bus_type)
 +	xserver_use_xdm_fds(session_bus_type)
 +	xserver_rw_xdm_pipes(session_bus_type)
 +	xserver_append_xdm_home_files(session_bus_type)
 +')
++
++########################################
++#
++# Unconfined access to this module
++#
+ allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
++allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
++allow session_bus_type dbusd_unconfined:dbus send_msg;
 diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
 index 784753e..bf65e7d 100644
 --- a/policy/modules/services/dcc.if
@@ -28780,6 +29655,36 @@ index d4424ad..a809e38 100644
  	dbus_system_bus_client(dhcpd_t)
  	dbus_connect_system_bus(dhcpd_t)
  ')
+diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
+index d2d9359..ee10625 100644
+--- a/policy/modules/services/dictd.te
++++ b/policy/modules/services/dictd.te
+@@ -73,23 +73,15 @@ files_search_var_lib(dictd_t)
+ # for checking for nscd
+ files_dontaudit_search_pids(dictd_t)
+ 
++auth_use_nsswitch(dictd_t)
++
+ logging_send_syslog_msg(dictd_t)
+ 
+ miscfiles_read_localization(dictd_t)
+ 
+-sysnet_read_config(dictd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(dictd_t)
+ 
+ optional_policy(`
+-	nis_use_ypbind(dictd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(dictd_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(dictd_t)
+ ')
+ 
 diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
 new file mode 100644
 index 0000000..642e548
@@ -29110,10 +30015,10 @@ index 0000000..3aae725
 +/var/log/dirsrv/ldap-agent.log	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
 diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if
 new file mode 100644
-index 0000000..9d8f5de
+index 0000000..6fd8e9f
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.if
-@@ -0,0 +1,212 @@
+@@ -0,0 +1,208 @@
 +## <summary>policy for dirsrv</summary>
 +
 +########################################
@@ -29132,10 +30037,6 @@ index 0000000..9d8f5de
 +	')
 +
 +	domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit dirsrv_t $1:socket_class_set { read write };
-+	')
 +')
 +
 +
@@ -29564,7 +30465,7 @@ index b886676..ad3210e 100644
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..89a9426 100644
+index 9bd812b..c4abec3 100644
 --- a/policy/modules/services/dnsmasq.if
 +++ b/policy/modules/services/dnsmasq.if
 @@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
@@ -29605,7 +30506,7 @@ index 9bd812b..89a9426 100644
  	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -163,17 +163,59 @@ interface(`dnsmasq_delete_pid_files',`
+@@ -163,17 +163,79 @@ interface(`dnsmasq_delete_pid_files',`
  ##	</summary>
  ## </param>
  #
@@ -29647,18 +30548,38 @@ index 9bd812b..89a9426 100644
 +##      Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="private_type">
-+##  <summary>
-+##      The type of the object to be created.
-+##  </summary>
++## <param name="private type">
++##	<summary>
++##	The type of the directory for the object to be created.
++##	</summary>
 +## </param>
 +#
-+interface(`dnsmasq_filetrans_named_content',`
++interface(`dnsmasq_filetrans_named_content_fromdir',`
 +	gen_require(`
 +		type dnsmasq_var_run_t;
 +	')
 +
 +	filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
++	filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
++')
++
++########################################
++## <summary>
++##	Transition to dnsmasq named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dnsmasq_filetrans_named_content',`
++	gen_require(`
++		type dnsmasq_var_run_t;
++	')
++
++	files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
++	files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
 +')
 +
 +########################################
@@ -31220,6 +32141,42 @@ index 6537214..7d64c0a 100644
  	ps_process_pattern($1, fetchmail_t)
  
  	files_list_etc($1)
+diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
+index 9b7036a..4770f61 100644
+--- a/policy/modules/services/finger.te
++++ b/policy/modules/services/finger.te
+@@ -66,6 +66,7 @@ term_getattr_all_ttys(fingerd_t)
+ term_getattr_all_ptys(fingerd_t)
+ 
+ auth_read_lastlog(fingerd_t)
++auth_use_nsswitch(fingerd_t)
+ 
+ corecmd_exec_bin(fingerd_t)
+ corecmd_exec_shell(fingerd_t)
+@@ -83,8 +84,6 @@ logging_send_syslog_msg(fingerd_t)
+ 
+ mta_getattr_spool(fingerd_t)
+ 
+-sysnet_read_config(fingerd_t)
+-
+ miscfiles_read_localization(fingerd_t)
+ 
+ # stop it accessing sub-directories, prevents checking a Maildir for new mail,
+@@ -101,14 +100,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(fingerd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(fingerd_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(fingerd_t)
+ ')
+ 
 diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
 new file mode 100644
 index 0000000..ba9a7a9
@@ -31490,7 +32447,7 @@ index 9d3201b..748cac5 100644
  ## <summary>
  ##	Allow domain dyntransition to sftpd_anon domain.
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..4986fb9 100644
+index 8a74a83..3283e90 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
 @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -31582,6 +32539,15 @@ index 8a74a83..4986fb9 100644
  
  init_rw_utmp(ftpd_t)
  
+@@ -261,7 +281,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+ 
+ tunable_policy(`allow_ftpd_full_access',`
+ 	allow ftpd_t self:capability { dac_override dac_read_search };
+-	auth_manage_all_files_except_shadow(ftpd_t)
++	files_manage_non_security_files(ftpd_t)
+ ')
+ 
+ tunable_policy(`ftp_home_dir',`
 @@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
@@ -31671,7 +32637,7 @@ index 8a74a83..4986fb9 100644
 +tunable_policy(`sftpd_full_access',`
 +	allow sftpd_t self:capability { dac_override dac_read_search };
 +	fs_read_noxattr_fs_files(sftpd_t)
-+	auth_manage_all_files_except_shadow(sftpd_t)
++	files_manage_non_security_files(sftpd_t)
 +')
 +
 +tunable_policy(`sftpd_write_ssh_home',`
@@ -31694,6 +32660,15 @@ index 8a74a83..4986fb9 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -394,7 +456,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+ tunable_policy(`sftpd_full_access',`
+ 	allow sftpd_t self:capability { dac_override dac_read_search };
+ 	fs_read_noxattr_fs_files(sftpd_t)
+-	auth_manage_all_files_except_shadow(sftpd_t)
++	files_manage_non_security_files(sftpd_t)
+ ')
+ 
+ tunable_policy(`use_samba_home_dirs',`
 diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
 index 99a94de..6dbc203 100644
 --- a/policy/modules/services/gatekeeper.te
@@ -32272,10 +33247,10 @@ index 458aac6..8e83609 100644
 +	userdom_search_user_home_dirs($1)
 +')
 diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
-index 7382f85..0b39a8b 100644
+index 7382f85..deb5bff 100644
 --- a/policy/modules/services/git.te
 +++ b/policy/modules/services/git.te
-@@ -1,8 +1,192 @@
+@@ -1,8 +1,194 @@
 -policy_module(git, 1.0)
 +policy_module(git, 1.0.3)
 +
@@ -32374,8 +33349,6 @@ index 7382f85..0b39a8b 100644
 +
 +kernel_read_system_state(git_domains)
 +
-+auth_use_nsswitch(git_domains)
-+
 +logging_send_syslog_msg(git_domains)
 +
 +miscfiles_read_localization(git_domains)
@@ -32399,6 +33372,8 @@ index 7382f85..0b39a8b 100644
 +read_files_pattern(git_system_t, git_content, git_content)
 +files_search_var_lib(git_system_t)
 +
++auth_use_nsswitch(git_system_t)
++
 +tunable_policy(`git_system_enable_homedirs',`
 +	userdom_search_user_home_dirs(git_system_t)
 +')
@@ -32430,6 +33405,8 @@ index 7382f85..0b39a8b 100644
 +
 +allow git_session_t self:tcp_socket { accept listen };
 +
++auth_use_nsswitch(git_session_t)
++
 +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t)
 +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t)
 +userdom_search_user_home_dirs(git_session_t)
@@ -32693,7 +33670,7 @@ index 03742d8..c65263e 100644
  ')
  
 diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
-index 2d0b4e1..e268ede 100644
+index 2d0b4e1..1e40c00 100644
 --- a/policy/modules/services/hadoop.if
 +++ b/policy/modules/services/hadoop.if
 @@ -91,7 +91,7 @@ template(`hadoop_domain_template',`
@@ -32705,7 +33682,26 @@ index 2d0b4e1..e268ede 100644
  	corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
  	corenet_udp_sendrecv_generic_if(hadoop_$1_t)
  	corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
-@@ -175,8 +175,6 @@ template(`hadoop_domain_template',`
+@@ -109,6 +109,7 @@ template(`hadoop_domain_template',`
+ 	files_read_etc_files(hadoop_$1_t)
+ 
+ 	auth_domtrans_chkpwd(hadoop_$1_t)
++	auth_use_nsswitch(hadoop_$1_t)
+ 
+ 	hadoop_match_lan_spd(hadoop_$1_t)
+ 
+@@ -132,10 +133,6 @@ template(`hadoop_domain_template',`
+ 
+ 	su_exec(hadoop_$1_t)
+ 
+-	optional_policy(`
+-		nscd_socket_use(hadoop_$1_t)
+-	')
+-
+ 	####################################
+ 	#
+ 	# Shared hadoop_$1 initrc policy.
+@@ -175,8 +172,6 @@ template(`hadoop_domain_template',`
  	files_read_etc_files(hadoop_$1_initrc_t)
  	files_read_usr_files(hadoop_$1_initrc_t)
  
@@ -32714,31 +33710,65 @@ index 2d0b4e1..e268ede 100644
  	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
  	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
  
-@@ -196,6 +194,10 @@ template(`hadoop_domain_template',`
+@@ -184,6 +179,8 @@ template(`hadoop_domain_template',`
+ 
+ 	hadoop_exec_config(hadoop_$1_initrc_t)
+ 
++	auth_domtrans_chkpwd(hadoop_$1_initrc_t)
++
+ 	init_rw_utmp(hadoop_$1_initrc_t)
+ 	init_use_fds(hadoop_$1_initrc_t)
+ 	init_use_script_ptys(hadoop_$1_initrc_t)
+@@ -196,8 +193,9 @@ template(`hadoop_domain_template',`
  	userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
  
  	optional_policy(`
+-		nscd_socket_use(hadoop_$1_initrc_t)
 +		consoletype_exec(hadoop_$1_initrc_t)
-+	')
-+
-+	optional_policy(`
- 		nscd_socket_use(hadoop_$1_initrc_t)
  	')
++
  ')
+ 
+ ########################################
 diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
-index 7d3a469..5b1ec32 100644
+index 7d3a469..3889dc9 100644
 --- a/policy/modules/services/hadoop.te
 +++ b/policy/modules/services/hadoop.te
-@@ -165,7 +165,7 @@ miscfiles_read_localization(hadoop_t)
+@@ -161,24 +161,16 @@ files_read_usr_files(hadoop_t)
+ 
+ fs_getattr_xattr_fs(hadoop_t)
  
- sysnet_read_config(hadoop_t)
+-miscfiles_read_localization(hadoop_t)
++auth_use_nsswitch(hadoop_t)
+ 
+-sysnet_read_config(hadoop_t)
++miscfiles_read_localization(hadoop_t)
  
 -userdom_use_user_terminals(hadoop_t)
 +userdom_use_inherited_user_terminals(hadoop_t)
  
  java_exec(hadoop_t)
  
-@@ -345,7 +345,7 @@ miscfiles_read_localization(zookeeper_t)
+ kerberos_use(hadoop_t)
+ 
+-optional_policy(`
+-	nis_use_ypbind(hadoop_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(hadoop_t)
+-')
+-
+ ########################################
+ #
+ # Hadoop datanode policy.
+@@ -341,19 +333,17 @@ domain_use_interactive_fds(zookeeper_t)
+ files_read_etc_files(zookeeper_t)
+ files_read_usr_files(zookeeper_t)
+ 
++auth_use_nsswitch(zookeeper_t)
++
+ miscfiles_read_localization(zookeeper_t)
  
  sysnet_read_config(zookeeper_t)
  
@@ -32747,6 +33777,14 @@ index 7d3a469..5b1ec32 100644
  userdom_dontaudit_search_user_home_dirs(zookeeper_t)
  
  java_exec(zookeeper_t)
+ 
+-optional_policy(`
+-	nscd_socket_use(zookeeper_t)
+-')
+-
+ ########################################
+ #
+ # Hadoop zookeeper server policy.
 diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
 index c98b0df..3b1a051 100644
 --- a/policy/modules/services/hal.fc
@@ -33209,7 +34247,7 @@ index dfb4232..7665429 100644
  
  	allow $1 ifplugd_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
-index 978c32f..3b96342 100644
+index 978c32f..81c5ca2 100644
 --- a/policy/modules/services/ifplugd.te
 +++ b/policy/modules/services/ifplugd.te
 @@ -11,7 +11,7 @@ init_daemon_domain(ifplugd_t, ifplugd_exec_t)
@@ -33221,6 +34259,15 @@ index 978c32f..3b96342 100644
  
  type ifplugd_initrc_exec_t;
  init_script_file(ifplugd_initrc_exec_t)
+@@ -54,7 +54,7 @@ corecmd_exec_bin(ifplugd_t)
+ # reading of hardware information
+ dev_read_sysfs(ifplugd_t)
+ 
+-domain_read_confined_domains_state(ifplugd_t)
++domain_read_all_domains_state(ifplugd_t)
+ domain_dontaudit_read_all_domains_state(ifplugd_t)
+ 
+ auth_use_nsswitch(ifplugd_t)
 diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
 index df48e5e..878d9df 100644
 --- a/policy/modules/services/inetd.if
@@ -36938,7 +37985,7 @@ index 256166a..6321a93 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..5e792cc 100644
+index 343cee3..f8c4fb6 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -37035,18 +38082,7 @@ index 343cee3..5e792cc 100644
  	')
  
  	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -362,6 +375,10 @@ interface(`mta_send_mail',`
- 	allow mta_user_agent $1:fd use;
- 	allow mta_user_agent $1:process sigchld;
- 	allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
-+
-+	ifdef(`hide_broken_symptoms',`
-+		dontaudit system_mail_t $1:socket_class_set { read write };
-+	')
- ')
- 
- ########################################
-@@ -391,12 +408,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +404,17 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -37066,7 +38102,7 @@ index 343cee3..5e792cc 100644
  ')
  
  ########################################
-@@ -409,7 +431,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +427,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -37074,7 +38110,7 @@ index 343cee3..5e792cc 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +441,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +437,24 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -37099,7 +38135,7 @@ index 343cee3..5e792cc 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -438,6 +477,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +473,26 @@ interface(`mta_sendmail_exec',`
  
  ########################################
  ## <summary>
@@ -37126,7 +38162,7 @@ index 343cee3..5e792cc 100644
  ##	Read mail server configuration.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +533,8 @@ interface(`mta_write_config',`
+@@ -474,7 +529,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -37136,7 +38172,7 @@ index 343cee3..5e792cc 100644
  ')
  
  ########################################
-@@ -494,6 +554,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +550,7 @@ interface(`mta_read_aliases',`
  
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file read_file_perms;
@@ -37144,7 +38180,7 @@ index 343cee3..5e792cc 100644
  ')
  
  ########################################
-@@ -532,7 +593,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +589,7 @@ interface(`mta_etc_filetrans_aliases',`
  		type etc_aliases_t;
  	')
  
@@ -37153,7 +38189,7 @@ index 343cee3..5e792cc 100644
  ')
  
  ########################################
-@@ -552,7 +613,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +609,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -37162,7 +38198,7 @@ index 343cee3..5e792cc 100644
  ')
  
  #######################################
-@@ -646,8 +707,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +703,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -37173,7 +38209,7 @@ index 343cee3..5e792cc 100644
  ')
  
  #######################################
-@@ -697,8 +758,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +754,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -37184,7 +38220,7 @@ index 343cee3..5e792cc 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +899,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +895,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -37193,7 +38229,7 @@ index 343cee3..5e792cc 100644
  ')
  
  ########################################
-@@ -899,3 +960,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +956,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -37307,7 +38343,7 @@ index 343cee3..5e792cc 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..3bd4ceb 100644
+index 64268e4..cdcf4c7 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -37369,7 +38405,7 @@ index 64268e4..3bd4ceb 100644
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +89,28 @@ optional_policy(`
+@@ -92,14 +89,21 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -37383,23 +38419,18 @@ index 64268e4..3bd4ceb 100644
  
  optional_policy(`
  	arpwatch_manage_tmp_files(system_mail_t)
++')
  
 -	ifdef(`hide_broken_symptoms', `
-+	ifdef(`hide_broken_symptoms',`
- 		arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
- 	')
- ')
- 
- optional_policy(`
+-		arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
+-	')
++optional_policy(`
 +	bugzilla_search_content(system_mail_t)
 +	bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
-+')
-+
-+optional_policy(`
- 	clamav_stream_connect(system_mail_t)
- 	clamav_append_log(system_mail_t)
  ')
-@@ -111,6 +119,8 @@ optional_policy(`
+ 
+ optional_policy(`
+@@ -111,6 +115,8 @@ optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
@@ -37408,7 +38439,7 @@ index 64268e4..3bd4ceb 100644
  ')
  
  optional_policy(`
-@@ -124,12 +134,9 @@ optional_policy(`
+@@ -124,12 +130,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37423,7 +38454,7 @@ index 64268e4..3bd4ceb 100644
  ')
  
  optional_policy(`
-@@ -146,6 +153,10 @@ optional_policy(`
+@@ -146,6 +149,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37434,7 +38465,7 @@ index 64268e4..3bd4ceb 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,18 +169,6 @@ optional_policy(`
+@@ -158,18 +165,6 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -37453,7 +38484,7 @@ index 64268e4..3bd4ceb 100644
  ')
  
  optional_policy(`
-@@ -189,6 +188,10 @@ optional_policy(`
+@@ -189,6 +184,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37464,16 +38495,28 @@ index 64268e4..3bd4ceb 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,7 +202,7 @@ optional_policy(`
+@@ -199,15 +198,16 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
 -	ifdef(`hide_broken_symptoms', `
-+	ifdef(`hide_broken_symptoms',`
- 		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+-		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
+-	')
+-
+ 	optional_policy(`
+ 		cron_read_system_job_tmp_files(mta_user_agent)
  	')
+ ')
  
-@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
++ifdef(`hide_broken_symptoms',`
++	domain_dontaudit_leaks(user_mail_domain)
++	domain_dontaudit_leaks(mta_user_agent)
++')
++
+ ########################################
+ #
+ # Mailserver delivery local policy
+@@ -220,7 +220,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -37483,7 +38526,7 @@ index 64268e4..3bd4ceb 100644
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -242,6 +246,10 @@ optional_policy(`
+@@ -242,6 +243,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37494,7 +38537,7 @@ index 64268e4..3bd4ceb 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,16 +257,25 @@ optional_policy(`
+@@ -249,16 +254,25 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -37522,7 +38565,7 @@ index 64268e4..3bd4ceb 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -292,3 +309,44 @@ optional_policy(`
+@@ -292,3 +306,44 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -38655,7 +39698,7 @@ index 2324d9e..eebf5a7 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..863ba2d 100644
+index 0619395..79140e4 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -38724,6 +39767,15 @@ index 0619395..863ba2d 100644
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
+@@ -113,7 +136,7 @@ corecmd_exec_shell(NetworkManager_t)
+ corecmd_exec_bin(NetworkManager_t)
+ 
+ domain_use_interactive_fds(NetworkManager_t)
+-domain_read_confined_domains_state(NetworkManager_t)
++domain_read_all_domains_state(NetworkManager_t)
+ 
+ files_read_etc_files(NetworkManager_t)
+ files_read_etc_runtime_files(NetworkManager_t)
 @@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t)
  miscfiles_read_localization(NetworkManager_t)
  miscfiles_read_generic_certs(NetworkManager_t)
@@ -41232,7 +42284,7 @@ index 1e7169d..05409ab 100644
  ')
 -
 diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
-index 333a1fe..dcca269 100644
+index 333a1fe..e599723 100644
 --- a/policy/modules/services/portmap.te
 +++ b/policy/modules/services/portmap.te
 @@ -12,7 +12,6 @@ init_daemon_domain(portmap_t, portmap_exec_t)
@@ -41243,7 +42295,31 @@ index 333a1fe..dcca269 100644
  
  type portmap_tmp_t;
  files_tmp_file(portmap_tmp_t)
-@@ -142,7 +141,7 @@ logging_send_syslog_msg(portmap_helper_t)
+@@ -75,6 +74,8 @@ domain_use_interactive_fds(portmap_t)
+ 
+ files_read_etc_files(portmap_t)
+ 
++auth_use_nsswitch(portmap_t)
++
+ logging_send_syslog_msg(portmap_t)
+ 
+ miscfiles_read_localization(portmap_t)
+@@ -85,14 +86,6 @@ userdom_dontaudit_use_unpriv_user_fds(portmap_t)
+ userdom_dontaudit_search_user_home_dirs(portmap_t)
+ 
+ optional_policy(`
+-	nis_use_ypbind(portmap_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(portmap_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(portmap_t)
+ ')
+ 
+@@ -142,7 +135,7 @@ logging_send_syslog_msg(portmap_helper_t)
  
  sysnet_read_config(portmap_helper_t)
  
@@ -41356,7 +42432,7 @@ index a3e85c9..c0e0959 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..9e2714e 100644
+index 46bee12..c22af86 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -41592,7 +42668,7 @@ index 46bee12..9e2714e 100644
  ')
  
  ########################################
-@@ -621,3 +701,107 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,103 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -41695,10 +42771,6 @@ index 46bee12..9e2714e 100644
 +
 +	postfix_domtrans_postdrop($1)
 +	role $2 types postfix_postdrop_t;
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit postfix_postdrop_t $1:socket_class_set { getattr read write };
-+	')
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
 index a32c4b3..d60a654 100644
@@ -43152,7 +44224,7 @@ index 2855a44..c71fa1e 100644
  		type puppet_tmp_t;
  	')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..cb7c5e2 100644
+index 64c5f95..81cc685 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0)
@@ -43203,6 +44275,15 @@ index 64c5f95..cb7c5e2 100644
  manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
  files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
  
+@@ -132,7 +147,7 @@ sysnet_dns_name_resolve(puppet_t)
+ sysnet_run_ifconfig(puppet_t, system_r)
+ 
+ tunable_policy(`puppet_manage_all_files',`
+-	auth_manage_all_files_except_shadow(puppet_t)
++	files_manage_non_security_files(puppet_t)
+ ')
+ 
+ optional_policy(`
 @@ -162,7 +177,60 @@ optional_policy(`
  
  ########################################
@@ -44201,10 +45282,10 @@ index f04a595..3203212 100644
 +	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
 +')
 diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
-index 852840b..4427b21 100644
+index 852840b..cc1775e 100644
 --- a/policy/modules/services/razor.te
 +++ b/policy/modules/services/razor.te
-@@ -5,118 +5,139 @@ policy_module(razor, 2.2.0)
+@@ -5,118 +5,135 @@ policy_module(razor, 2.2.0)
  # Declarations
  #
  
@@ -44291,7 +45372,7 @@ index 852840b..4427b21 100644
 +	corenet_tcp_connect_razor_port(system_razor_t)
 +	corenet_sendrecv_razor_client_packets(system_razor_t)
 +
-+	sysnet_read_config(system_razor_t)
++	auth_use_nsswitch(system_razor_t)
 +
 +	# cjp: this shouldn't be needed
 +	userdom_use_unpriv_users_fds(system_razor_t)
@@ -44300,10 +45381,6 @@ index 852840b..4427b21 100644
 +		logging_send_syslog_msg(system_razor_t)
 +	')
 +
-+	optional_policy(`
-+		nscd_socket_use(system_razor_t)
-+	')
-+
 +	########################################
 +	#
 +	# User razor local policy
@@ -44326,30 +45403,32 @@ index 852840b..4427b21 100644
 +	auth_use_nsswitch(razor_t)
 +
 +	logging_send_syslog_msg(razor_t)
- 
--type razor_etc_t;
--files_config_file(razor_etc_t)
++
 +	userdom_search_user_home_dirs(razor_t)
 +	userdom_use_inherited_user_terminals(razor_t)
- 
--type razor_home_t;
--typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
--typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
--userdom_user_home_content(razor_home_t)
++
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_manage_nfs_dirs(razor_t)
 +		fs_manage_nfs_files(razor_t)
 +		fs_manage_nfs_symlinks(razor_t)
 +	')
  
--type razor_log_t;
--logging_log_file(razor_log_t)
+-type razor_etc_t;
+-files_config_file(razor_etc_t)
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_manage_cifs_dirs(razor_t)
 +		fs_manage_cifs_files(razor_t)
 +		fs_manage_cifs_symlinks(razor_t)
 +	')
  
+-type razor_home_t;
+-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
+-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
+-userdom_user_home_content(razor_home_t)
+-
+-type razor_log_t;
+-logging_log_file(razor_log_t)
+-
 -type razor_tmp_t;
 -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
 -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
@@ -44635,7 +45714,7 @@ index 7dc38d1..9c2c963 100644
 +	admin_pattern($1, rgmanager_var_run_t)
 +')
 diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..9e237a7 100644
+index 00fa514..d95e136 100644
 --- a/policy/modules/services/rgmanager.te
 +++ b/policy/modules/services/rgmanager.te
 @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -44719,7 +45798,8 @@ index 00fa514..9e237a7 100644
 -#term_use_ptmx(rgmanager_t)
  
  # needed by resources scripts
- auth_read_all_files_except_shadow(rgmanager_t)
+-auth_read_all_files_except_shadow(rgmanager_t)
++files_read_non_security_files(rgmanager_t)
  auth_dontaudit_getattr_shadow(rgmanager_t)
  auth_use_nsswitch(rgmanager_t)
  
@@ -46024,7 +47104,7 @@ index f7826f9..679d185 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..a61bb94 100644
+index 33e72e8..ffc0c12 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
 @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -46091,7 +47171,16 @@ index 33e72e8..a61bb94 100644
  
  domain_read_all_domains_state(ricci_modcluster_t)
  
-@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
+@@ -202,6 +212,8 @@ files_read_etc_runtime_files(ricci_modcluster_t)
+ files_read_etc_files(ricci_modcluster_t)
+ files_search_usr(ricci_modcluster_t)
+ 
++auth_use_nsswitch(ricci_modcluster_t)
++
+ init_exec(ricci_modcluster_t)
+ init_domtrans_script(ricci_modcluster_t)
+ 
+@@ -209,13 +221,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
  
  miscfiles_read_localization(ricci_modcluster_t)
  
@@ -46108,10 +47197,11 @@ index 33e72e8..a61bb94 100644
  
  optional_policy(`
  	aisexec_stream_connect(ricci_modcluster_t)
-@@ -233,6 +239,18 @@ optional_policy(`
+@@ -233,7 +241,15 @@ optional_policy(`
  ')
  
  optional_policy(`
+-	nscd_socket_use(ricci_modcluster_t)
 +	modutils_domtrans_insmod(ricci_modcluster_t)
 +')
 +
@@ -46121,13 +47211,10 @@ index 33e72e8..a61bb94 100644
 +
 +optional_policy(`
 +	consoletype_exec(ricci_modcluster_t)
-+')
-+
-+optional_policy(`
- 	nscd_socket_use(ricci_modcluster_t)
  ')
  
-@@ -241,8 +259,7 @@ optional_policy(`
+ optional_policy(`
+@@ -241,8 +257,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46137,7 +47224,7 @@ index 33e72e8..a61bb94 100644
  ')
  
  ########################################
-@@ -261,6 +278,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+@@ -261,6 +276,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
  allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
  allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
  
@@ -46148,7 +47235,7 @@ index 33e72e8..a61bb94 100644
  allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
  manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
  manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +293,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+@@ -272,6 +291,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
  
  kernel_read_kernel_sysctls(ricci_modclusterd_t)
  kernel_read_system_state(ricci_modclusterd_t)
@@ -46156,7 +47243,7 @@ index 33e72e8..a61bb94 100644
  
  corecmd_exec_bin(ricci_modclusterd_t)
  
-@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t)
+@@ -394,8 +414,6 @@ files_search_usr(ricci_modservice_t)
  # Needed for running chkconfig
  files_manage_etc_symlinks(ricci_modservice_t)
  
@@ -46165,7 +47252,7 @@ index 33e72e8..a61bb94 100644
  init_domtrans_script(ricci_modservice_t)
  
  miscfiles_read_localization(ricci_modservice_t)
-@@ -405,6 +425,10 @@ optional_policy(`
+@@ -405,6 +423,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46176,7 +47263,7 @@ index 33e72e8..a61bb94 100644
  	nscd_dontaudit_search_pid(ricci_modservice_t)
  ')
  
-@@ -444,22 +468,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,22 +466,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -46191,7 +47278,8 @@ index 33e72e8..a61bb94 100644
  term_dontaudit_use_console(ricci_modstorage_t)
  
 -fstools_domtrans(ricci_modstorage_t)
--
++auth_use_nsswitch(ricci_modstorage_t)
+ 
  logging_send_syslog_msg(ricci_modstorage_t)
  
  miscfiles_read_localization(ricci_modstorage_t)
@@ -46205,7 +47293,7 @@ index 33e72e8..a61bb94 100644
  optional_policy(`
  	aisexec_stream_connect(ricci_modstorage_t)
  	corosync_stream_connect(ricci_modstorage_t)
-@@ -471,11 +493,27 @@ optional_policy(`
+@@ -471,12 +493,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46222,17 +47310,15 @@ index 33e72e8..a61bb94 100644
  ')
  
  optional_policy(`
+-	nscd_socket_use(ricci_modstorage_t)
 +	modutils_read_module_deps(ricci_modstorage_t)
 +')
 +
 +optional_policy(`
 +	mount_domtrans(ricci_modstorage_t)
-+')
-+
-+optional_policy(`
- 	nscd_socket_use(ricci_modstorage_t)
  ')
  
+ optional_policy(`
 diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
 index 2785337..d7f6b82 100644
 --- a/policy/modules/services/rlogin.fc
@@ -46448,7 +47534,7 @@ index cda37bb..484e552 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..06e637c 100644
+index b1468ed..fb0f852 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -46545,7 +47631,25 @@ index b1468ed..06e637c 100644
  # Write access to public_content_t and public_content_rw_t
  tunable_policy(`allow_nfsd_anon_write',`
  	miscfiles_manage_public_files(nfsd_t)
-@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -158,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',`
+ 	dev_getattr_all_chr_files(nfsd_t)
+ 
+ 	fs_read_noxattr_fs_files(nfsd_t)
+-	auth_manage_all_files_except_shadow(nfsd_t)
+ ')
+ 
+ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +187,7 @@ tunable_policy(`nfs_export_all_ro',`
+ 
+ 	fs_read_noxattr_fs_files(nfsd_t)
+ 
+-	auth_read_all_dirs_except_shadow(nfsd_t)
+-	auth_read_all_files_except_shadow(nfsd_t)
++	files_read_non_security_files(nfsd_t)
+ ')
+ 
+ ########################################
+@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
  allow gssd_t self:process { getsched setsched };
@@ -46554,7 +47658,7 @@ index b1468ed..06e637c 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +215,7 @@ corecmd_exec_bin(gssd_t)
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
@@ -46562,7 +47666,7 @@ index b1468ed..06e637c 100644
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
-@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +227,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -46579,7 +47683,7 @@ index b1468ed..06e637c 100644
  ')
  
  optional_policy(`
-@@ -229,6 +248,10 @@ optional_policy(`
+@@ -229,6 +246,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -46791,7 +47895,7 @@ index 3386f29..b28cae5 100644
 +	files_etc_filetrans($1, rsync_etc_t, $2)
 +')
 diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
-index 39015ae..5e7b7cf 100644
+index 39015ae..967bebd 100644
 --- a/policy/modules/services/rsync.te
 +++ b/policy/modules/services/rsync.te
 @@ -7,6 +7,13 @@ policy_module(rsync, 1.10.0)
@@ -46825,7 +47929,7 @@ index 39015ae..5e7b7cf 100644
  
  allow rsync_t rsync_data_t:dir list_dir_perms;
  read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-@@ -122,6 +128,7 @@ optional_policy(`
+@@ -122,12 +128,26 @@ optional_policy(`
  ')
  
  tunable_policy(`rsync_export_all_ro',`
@@ -46833,8 +47937,10 @@ index 39015ae..5e7b7cf 100644
  	fs_read_noxattr_fs_files(rsync_t) 
  	fs_read_nfs_files(rsync_t)
  	fs_read_cifs_files(rsync_t)
-@@ -130,4 +137,19 @@ tunable_policy(`rsync_export_all_ro',`
- 	auth_read_all_symlinks_except_shadow(rsync_t)
+-	auth_read_all_dirs_except_shadow(rsync_t)
+-	auth_read_all_files_except_shadow(rsync_t)
+-	auth_read_all_symlinks_except_shadow(rsync_t)
++	files_read_non_security_files(rsync_t)
  	auth_tunable_read_shadow(rsync_t)
  ')
 +
@@ -47207,7 +48313,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..fdfa9bf 100644
+index e30bb63..a23112b 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -47314,7 +48420,7 @@ index e30bb63..fdfa9bf 100644
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -445,8 +445,8 @@ optional_policy(`
+@@ -445,26 +445,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -47324,17 +48430,31 @@ index e30bb63..fdfa9bf 100644
  
  tunable_policy(`samba_export_all_ro',`
  	fs_read_noxattr_fs_files(smbd_t) 
-@@ -462,8 +462,8 @@ tunable_policy(`samba_export_all_rw',`
- 	auth_manage_all_files_except_shadow(smbd_t)
+-	auth_read_all_dirs_except_shadow(smbd_t)
+-	auth_read_all_files_except_shadow(smbd_t)
++	files_read_non_security_files(smbd_t) 
  	fs_read_noxattr_fs_files(nmbd_t) 
- 	auth_manage_all_files_except_shadow(nmbd_t)
+-	auth_read_all_dirs_except_shadow(nmbd_t)
+-	auth_read_all_files_except_shadow(nmbd_t)
++	files_read_non_security_files(nmbd_t) 
+ ')
+ 
+ tunable_policy(`samba_export_all_rw',`
+ 	fs_read_noxattr_fs_files(smbd_t) 
+-	auth_manage_all_files_except_shadow(smbd_t)
++	files_manage_non_security_files(smbd_t)
+ 	fs_read_noxattr_fs_files(nmbd_t) 
+-	auth_manage_all_files_except_shadow(nmbd_t)
 -	userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++	files_manage_non_security_files(nmbd_t)
  ')
-+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
  
++userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
++
  ########################################
  #
-@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+ # nmbd Local policy
+@@ -484,8 +483,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -47345,7 +48465,7 @@ index e30bb63..fdfa9bf 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +560,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
  
  allow smbcontrol_t nmbd_t:process { signal signull };
@@ -47363,7 +48483,7 @@ index e30bb63..fdfa9bf 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t)
+@@ -578,7 +578,7 @@ files_read_etc_files(smbcontrol_t)
  
  miscfiles_read_localization(smbcontrol_t)
  
@@ -47372,7 +48492,7 @@ index e30bb63..fdfa9bf 100644
  
  ########################################
  #
-@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +644,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -47397,7 +48517,7 @@ index e30bb63..fdfa9bf 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -47406,7 +48526,7 @@ index e30bb63..fdfa9bf 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -47421,7 +48541,7 @@ index e30bb63..fdfa9bf 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -47429,7 +48549,7 @@ index e30bb63..fdfa9bf 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +760,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +759,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -47438,7 +48558,7 @@ index e30bb63..fdfa9bf 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -47460,7 +48580,7 @@ index e30bb63..fdfa9bf 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -47468,7 +48588,7 @@ index e30bb63..fdfa9bf 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +913,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -47477,7 +48597,7 @@ index e30bb63..fdfa9bf 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +932,18 @@ optional_policy(`
+@@ -922,6 +931,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -47496,7 +48616,7 @@ index e30bb63..fdfa9bf 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +954,12 @@ optional_policy(`
+@@ -932,9 +953,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -48338,7 +49458,7 @@ index 275f9fb..4f4a192 100644
  
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
 diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
-index 3d8d1b3..5c0d25f 100644
+index 3d8d1b3..0c5769c 100644
 --- a/policy/modules/services/snmp.te
 +++ b/policy/modules/services/snmp.te
 @@ -4,6 +4,7 @@ policy_module(snmp, 1.11.0)
@@ -48379,14 +49499,18 @@ index 3d8d1b3..5c0d25f 100644
  
  kernel_read_device_sysctls(snmpd_t)
  kernel_read_kernel_sysctls(snmpd_t)
-@@ -97,6 +100,7 @@ fs_search_auto_mountpoints(snmpd_t)
+@@ -97,9 +100,10 @@ fs_search_auto_mountpoints(snmpd_t)
  
  storage_dontaudit_read_fixed_disk(snmpd_t)
  storage_dontaudit_read_removable_device(snmpd_t)
 +storage_dontaudit_write_removable_device(snmpd_t)
  
  auth_use_nsswitch(snmpd_t)
- auth_read_all_dirs_except_shadow(snmpd_t)
+-auth_read_all_dirs_except_shadow(snmpd_t)
++files_list_all(snmpd_t)
+ 
+ init_read_utmp(snmpd_t)
+ init_dontaudit_write_utmp(snmpd_t)
 @@ -115,7 +119,7 @@ sysnet_read_config(snmpd_t)
  userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
  userdom_dontaudit_search_user_home_dirs(snmpd_t)
@@ -49607,7 +50731,7 @@ index 22adaca..76e8829 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..fcfc95b 100644
+index 2dad3c8..a85027d 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -49793,7 +50917,7 @@ index 2dad3c8..fcfc95b 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,8 +230,9 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +230,14 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -49804,7 +50928,18 @@ index 2dad3c8..fcfc95b 100644
  	dev_read_urand(ssh_keysign_t)
  
  	files_read_etc_files(ssh_keysign_t)
-@@ -232,33 +254,43 @@ optional_policy(`
+ ')
+ 
+-optional_policy(`
+-	tunable_policy(`allow_ssh_keysign',`
+-		nscd_socket_use(ssh_keysign_t)
+-	')
+-')
+-
+ #################################
+ #
+ # sshd local policy
+@@ -232,33 +248,43 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -49857,7 +50992,7 @@ index 2dad3c8..fcfc95b 100644
  ')
  
  optional_policy(`
-@@ -266,11 +298,24 @@ optional_policy(`
+@@ -266,11 +292,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49883,7 +51018,7 @@ index 2dad3c8..fcfc95b 100644
  ')
  
  optional_policy(`
-@@ -284,6 +329,15 @@ optional_policy(`
+@@ -284,6 +323,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49899,7 +51034,7 @@ index 2dad3c8..fcfc95b 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +346,26 @@ optional_policy(`
+@@ -292,26 +340,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -49945,7 +51080,7 @@ index 2dad3c8..fcfc95b 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +376,25 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +370,25 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -49972,18 +51107,18 @@ index 2dad3c8..fcfc95b 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,9 +411,10 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,10 +405,7 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-+userdom_use_user_terminals(ssh_keygen_t)
- 
- optional_policy(`
+-
+-optional_policy(`
 -	nscd_socket_use(ssh_keygen_t)
-+    nscd_socket_use(ssh_keygen_t)
- ')
+-')
++userdom_use_user_terminals(ssh_keygen_t)
  
  optional_policy(`
+ 	seutil_sigchld_newrole(ssh_keygen_t)
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
 index 941380a..6dbfc01 100644
 --- a/policy/modules/services/sssd.if
@@ -50216,7 +51351,7 @@ index 08d999c..bca4388 100644
  /var/log/atsar(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
  /var/log/sa(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
 diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
-index 52f0d6c..6bfbf45 100644
+index 52f0d6c..7ef2b18 100644
 --- a/policy/modules/services/sysstat.te
 +++ b/policy/modules/services/sysstat.te
 @@ -8,7 +8,6 @@ policy_module(sysstat, 1.6.0)
@@ -50237,7 +51372,7 @@ index 52f0d6c..6bfbf45 100644
  allow sysstat_t self:fifo_file rw_fifo_file_perms;
  
  can_exec(sysstat_t, sysstat_exec_t)
-@@ -51,7 +49,7 @@ fs_getattr_xattr_fs(sysstat_t)
+@@ -51,12 +49,16 @@ fs_getattr_xattr_fs(sysstat_t)
  fs_list_inotifyfs(sysstat_t)
  
  term_use_console(sysstat_t)
@@ -50246,14 +51381,23 @@ index 52f0d6c..6bfbf45 100644
  
  init_use_fds(sysstat_t)
  
-@@ -68,3 +66,7 @@ optional_policy(`
+ locallogin_use_fds(sysstat_t)
+ 
++auth_use_nsswitch(sysstat_t)
++
++logging_send_syslog_msg(sysstat_t)
++
+ miscfiles_read_localization(sysstat_t)
+ 
+ userdom_dontaudit_list_user_home_dirs(sysstat_t)
+@@ -64,7 +66,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
  optional_policy(`
- 	logging_send_syslog_msg(sysstat_t)
+ 	cron_system_entry(sysstat_t, sysstat_exec_t)
  ')
-+
-+optional_policy(`
-+	nscd_socket_use(sysstat_t)
-+')
+-
+-optional_policy(`
+-	logging_send_syslog_msg(sysstat_t)
+-')
 diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
 index 7038b55..4e84f23 100644
 --- a/policy/modules/services/tcpd.te
@@ -50815,7 +51959,7 @@ index 4440aa6..34ffbfd 100644
 +	virt_dontaudit_read_chr_dev(usbmuxd_t)
 +')
 diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index d4349e9..5e7be4f 100644
+index d4349e9..f14d337 100644
 --- a/policy/modules/services/uucp.te
 +++ b/policy/modules/services/uucp.te
 @@ -24,7 +24,7 @@ type uucpd_ro_t;
@@ -50836,14 +51980,13 @@ index d4349e9..5e7be4f 100644
  uucp_append_log(uux_t)
  uucp_manage_spool(uux_t)
  
-@@ -147,3 +149,7 @@ optional_policy(`
- optional_policy(`
- 	nscd_socket_use(uux_t)
+@@ -145,5 +147,5 @@ optional_policy(`
  ')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	nscd_socket_use(uux_t)
 +	postfix_rw_master_pipes(uux_t)
-+')
+ ')
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
 index f9310f3..064171e 100644
 --- a/policy/modules/services/varnishd.te
@@ -51187,10 +52330,10 @@ index 2124b6a..55b5012 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..59ba27c 100644
+index 7c5d8d8..4feaf88 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
-@@ -13,39 +13,42 @@
+@@ -13,39 +13,44 @@
  #
  template(`virt_domain_template',`
  	gen_require(`
@@ -51227,7 +52370,8 @@ index 7c5d8d8..59ba27c 100644
  
 -	type $1_var_run_t;
 -	files_pid_file($1_var_run_t)
--
++	auth_use_nsswitch($1_t)
+ 
 -	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
 +	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
  	term_create_pty($1_t, $1_devpts_t)
@@ -51242,7 +52386,7 @@ index 7c5d8d8..59ba27c 100644
  
  	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +60,6 @@ template(`virt_domain_template',`
+@@ -57,18 +62,6 @@ template(`virt_domain_template',`
  	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
  
@@ -51261,7 +52405,7 @@ index 7c5d8d8..59ba27c 100644
  	optional_policy(`
  		xserver_rw_shm($1_t)
  	')
-@@ -101,9 +92,9 @@ interface(`virt_image',`
+@@ -101,9 +94,9 @@ interface(`virt_image',`
  ##	Execute a domain transition to run virt.
  ## </summary>
  ## <param name="domain">
@@ -51273,7 +52417,7 @@ index 7c5d8d8..59ba27c 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -164,13 +155,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +157,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
  	gen_require(`
@@ -51289,7 +52433,7 @@ index 7c5d8d8..59ba27c 100644
  ')
  
  ########################################
-@@ -185,13 +176,13 @@ interface(`virt_read_config',`
+@@ -185,13 +178,13 @@ interface(`virt_read_config',`
  #
  interface(`virt_manage_config',`
  	gen_require(`
@@ -51305,7 +52449,7 @@ index 7c5d8d8..59ba27c 100644
  ')
  
  ########################################
-@@ -231,6 +222,24 @@ interface(`virt_read_content',`
+@@ -231,6 +224,24 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -51330,7 +52474,7 @@ index 7c5d8d8..59ba27c 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +278,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +280,36 @@ interface(`virt_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -51367,7 +52511,7 @@ index 7c5d8d8..59ba27c 100644
  ##	Search virt lib directories.
  ## </summary>
  ## <param name="domain">
-@@ -308,6 +347,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +349,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -51392,7 +52536,7 @@ index 7c5d8d8..59ba27c 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +409,9 @@ interface(`virt_read_log',`
+@@ -352,9 +411,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -51404,7 +52548,7 @@ index 7c5d8d8..59ba27c 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -424,6 +481,24 @@ interface(`virt_read_images',`
+@@ -424,6 +483,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -51429,7 +52573,7 @@ index 7c5d8d8..59ba27c 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +508,15 @@ interface(`virt_read_images',`
+@@ -433,15 +510,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -51450,7 +52594,7 @@ index 7c5d8d8..59ba27c 100644
  ')
  
  ########################################
-@@ -500,11 +575,16 @@ interface(`virt_manage_images',`
+@@ -500,11 +577,16 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -51467,7 +52611,7 @@ index 7c5d8d8..59ba27c 100644
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 virtd_initrc_exec_t system_r;
-@@ -515,4 +595,188 @@ interface(`virt_admin',`
+@@ -515,4 +597,188 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -51657,7 +52801,7 @@ index 7c5d8d8..59ba27c 100644
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..b2c36e4 100644
+index 3eca020..5a0c2ce 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -52062,7 +53206,7 @@ index 3eca020..b2c36e4 100644
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
 +	dnsmasq_create_pid_dirs(virtd_t)
-+	dnsmasq_filetrans_named_content(virtd_t, virt_var_run_t);
++	dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
  ')
  
  optional_policy(`
@@ -52148,7 +53292,7 @@ index 3eca020..b2c36e4 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,8 +588,16 @@ files_search_all(virt_domain)
+@@ -440,14 +588,20 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -52166,7 +53310,13 @@ index 3eca020..b2c36e4 100644
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
  term_use_ptmx(virt_domain)
-@@ -457,8 +613,176 @@ optional_policy(`
+ 
+-auth_use_nsswitch(virt_domain)
+-
+ logging_send_syslog_msg(virt_domain)
+ 
+ miscfiles_read_localization(virt_domain)
+@@ -457,8 +611,176 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52763,7 +53913,7 @@ index 4966c94..cb2e1a3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..10b57e0 100644
+index 130ced9..1772fa2 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -52848,17 +53998,13 @@ index 130ced9..10b57e0 100644
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
-@@ -106,12 +116,27 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,23 @@ interface(`xserver_restricted_role',`
  	xserver_create_xdm_tmp_sockets($2)
  	# Needed for escd, remove if we get escd policy
  	xserver_manage_xdm_tmp_files($2)
 +	xserver_read_xdm_etc_files($2)
 +
 +	modutils_run_insmod(xserver_t, $1)
-+
-+	ifdef(`hide_broken_symptoms',`
-+		dontaudit iceauth_t $2:socket_class_set { read write };
-+	')
  
  	# Client write xserver shm
  	tunable_policy(`allow_write_xshm',`
@@ -52876,7 +54022,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -143,13 +168,15 @@ interface(`xserver_role',`
+@@ -143,13 +164,15 @@ interface(`xserver_role',`
  	allow $2 xserver_tmpfs_t:file rw_file_perms;
  
  	allow $2 iceauth_home_t:file manage_file_perms;
@@ -52894,7 +54040,7 @@ index 130ced9..10b57e0 100644
  	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
  	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
  
-@@ -162,7 +189,6 @@ interface(`xserver_role',`
+@@ -162,7 +185,6 @@ interface(`xserver_role',`
  	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -52902,7 +54048,7 @@ index 130ced9..10b57e0 100644
  ')
  
  #######################################
-@@ -197,7 +223,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +219,7 @@ interface(`xserver_ro_session',`
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -52911,7 +54057,7 @@ index 130ced9..10b57e0 100644
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -227,7 +253,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +249,7 @@ interface(`xserver_rw_session',`
  		type xserver_t, xserver_tmpfs_t;
  	')
  
@@ -52920,7 +54066,7 @@ index 130ced9..10b57e0 100644
  	allow $1 xserver_t:shm rw_shm_perms;
  	allow $1 xserver_tmpfs_t:file rw_file_perms;
  ')
-@@ -255,7 +281,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +277,7 @@ interface(`xserver_non_drawing_client',`
  
  	allow $1 self:x_gc { create setattr };
  
@@ -52929,7 +54075,7 @@ index 130ced9..10b57e0 100644
  	allow $1 xserver_t:unix_stream_socket connectto;
  
  	allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +317,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +313,13 @@ interface(`xserver_user_client',`
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -52947,7 +54093,7 @@ index 130ced9..10b57e0 100644
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
  
-@@ -342,19 +368,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +364,23 @@ interface(`xserver_user_client',`
  #
  template(`xserver_common_x_domain_template',`
  	gen_require(`
@@ -52974,7 +54120,7 @@ index 130ced9..10b57e0 100644
  	')
  
  	##############################
-@@ -386,6 +416,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +412,15 @@ template(`xserver_common_x_domain_template',`
  	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
  	# dont audit send failures
  	dontaudit $2 input_xevent_type:x_event send;
@@ -52990,7 +54136,7 @@ index 130ced9..10b57e0 100644
  ')
  
  #######################################
-@@ -444,8 +483,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +479,9 @@ template(`xserver_object_types_template',`
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -53002,7 +54148,7 @@ index 130ced9..10b57e0 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -456,11 +496,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +492,18 @@ template(`xserver_user_x_domain_template',`
  	allow $2 xauth_home_t:file read_file_perms;
  	allow $2 iceauth_home_t:file read_file_perms;
  
@@ -53023,7 +54169,7 @@ index 130ced9..10b57e0 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +519,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +515,26 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -53033,6 +54179,7 @@ index 130ced9..10b57e0 100644
  
  	xserver_read_xdm_tmp_files($2)
 +	xserver_read_xdm_pid($2)
++	xserver_xdm_append_log($2)
  
  	# X object manager
  	xserver_object_types_template($1)
@@ -53051,7 +54198,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +566,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -53059,18 +54206,10 @@ index 130ced9..10b57e0 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +598,28 @@ interface(`xserver_domtrans_xauth',`
- 	')
+@@ -549,6 +599,24 @@ interface(`xserver_domtrans_xauth',`
  
- 	domtrans_pattern($1, xauth_exec_t, xauth_t)
-+
-+	ifdef(`hide_broken_symptoms',`
-+		dontaudit xauth_t $1:socket_class_set { read write };
-+	')
-+')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
 +##	Dontaudit exec of Xauthority program.
 +## </summary>
 +## <param name="domain">
@@ -53085,10 +54224,14 @@ index 130ced9..10b57e0 100644
 +	')
 +
 +	dontaudit $1 xauth_exec_t:file execute;
- ')
- 
- ########################################
-@@ -598,6 +673,7 @@ interface(`xserver_read_user_xauth',`
++')
++
++########################################
++## <summary>
+ ##	Create a Xauthority file in the user home directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -598,6 +666,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -53096,7 +54239,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -615,7 +691,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +684,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -53105,7 +54248,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -638,6 +714,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +707,25 @@ interface(`xserver_rw_console',`
  
  ########################################
  ## <summary>
@@ -53131,7 +54274,7 @@ index 130ced9..10b57e0 100644
  ##	Use file descriptors for xdm.
  ## </summary>
  ## <param name="domain">
-@@ -651,7 +746,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +739,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -53140,7 +54283,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -670,7 +765,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +758,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -53149,7 +54292,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -688,7 +783,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +776,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -53158,7 +54301,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -703,12 +798,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +791,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -53172,7 +54315,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -724,11 +818,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +811,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -53206,7 +54349,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -752,6 +866,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +859,25 @@ interface(`xserver_read_xdm_rw_config',`
  
  ########################################
  ## <summary>
@@ -53232,7 +54375,7 @@ index 130ced9..10b57e0 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -765,7 +898,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +891,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -53241,7 +54384,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -805,7 +938,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +931,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -53269,7 +54412,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -828,6 +980,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +973,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -53294,7 +54437,7 @@ index 130ced9..10b57e0 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -897,7 +1067,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1060,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -53303,7 +54446,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -916,7 +1086,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1079,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -53312,7 +54455,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -963,6 +1133,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1126,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -53358,7 +54501,7 @@ index 130ced9..10b57e0 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1185,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1178,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -53367,7 +54510,7 @@ index 130ced9..10b57e0 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1247,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1240,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -53410,7 +54553,7 @@ index 130ced9..10b57e0 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1297,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1290,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -53419,7 +54562,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -1070,8 +1315,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1308,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -53431,7 +54574,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -1185,6 +1432,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1425,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -53458,7 +54601,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -1210,7 +1477,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1470,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -53467,7 +54610,7 @@ index 130ced9..10b57e0 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1487,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1480,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -53492,7 +54635,7 @@ index 130ced9..10b57e0 100644
  ')
  
  ########################################
-@@ -1243,10 +1520,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1513,458 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -53711,7 +54854,7 @@ index 130ced9..10b57e0 100644
 +	')
 +
 +	typeattribute $1 xdmhomewriter;
-+	append_files_pattern($1, xdm_log_t, xdm_log_t)
++	allow $1 xdm_log_t:file append_inherited_file_perms;
 +')
 +
 +########################################
@@ -55204,10 +56347,19 @@ index 3defaa1..2ad2488 100644
  /var/log/zarafa/gateway\.log	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
  /var/log/zarafa/ical\.log	--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
 diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
-index 21ae664..fcc91a1 100644
+index 21ae664..3e448dd 100644
 --- a/policy/modules/services/zarafa.if
 +++ b/policy/modules/services/zarafa.if
-@@ -118,3 +118,24 @@ interface(`zarafa_stream_connect_server',`
+@@ -42,6 +42,8 @@ template(`zarafa_domain_template',`
+ 
+ 	manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
+ 	logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
++
++	auth_use_nsswitch(zarafa_$1_t)
+ ')
+ 
+ ######################################
+@@ -118,3 +120,24 @@ interface(`zarafa_stream_connect_server',`
  	files_search_var_lib($1)
  	stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
  ')
@@ -55233,7 +56385,7 @@ index 21ae664..fcc91a1 100644
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..54abc7a 100644
+index 9fb4747..42a6067 100644
 --- a/policy/modules/services/zarafa.te
 +++ b/policy/modules/services/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
@@ -55309,6 +56461,13 @@ index 9fb4747..54abc7a 100644
  # zarafa domains local policy
  #
  
+@@ -156,6 +201,4 @@ kernel_read_system_state(zarafa_domain)
+ 
+ files_read_etc_files(zarafa_domain)
+ 
+-auth_use_nsswitch(zarafa_domain)
+-
+ miscfiles_read_localization(zarafa_domain)
 diff --git a/policy/modules/services/zebra.if b/policy/modules/services/zebra.if
 index 6b87605..347f754 100644
 --- a/policy/modules/services/zebra.if
@@ -55462,8 +56621,18 @@ index c6fdab7..41198a4 100644
  optional_policy(`
  	cron_sigchld(application_domain_type)
  ')
+diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
+index 28ad538..5cae905 100644
+--- a/policy/modules/system/authlogin.fc
++++ b/policy/modules/system/authlogin.fc
+@@ -45,5 +45,4 @@ ifdef(`distro_gentoo', `
+ /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
+ /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
+-/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
+ /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..dedb917 100644
+index 73554ec..07e21e1 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -55805,64 +56974,69 @@ index 73554ec..dedb917 100644
  ##	Use nsswitch to look up user, password, group, or
  ##	host information.
  ## </summary>
-@@ -1579,28 +1758,36 @@ interface(`auth_relabel_login_records',`
+@@ -1578,54 +1757,11 @@ interface(`auth_relabel_login_records',`
+ ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
- 
+-
 -	files_list_var_lib($1)
 -
- 	# read /etc/nsswitch.conf
- 	files_read_etc_files($1)
- 
+-	# read /etc/nsswitch.conf
+-	files_read_etc_files($1)
+-
 -	miscfiles_read_generic_certs($1)
 -
- 	sysnet_dns_name_resolve($1)
+-	sysnet_dns_name_resolve($1)
 -	sysnet_use_ldap($1)
-+
-+	tunable_policy(`authlogin_nsswitch_use_ldap',`
-+		files_list_var_lib($1)
-+
-+		miscfiles_read_generic_certs($1)
-+
-+		sysnet_use_ldap($1)
-+	')
- 
- 	optional_policy(`
+-
+-	optional_policy(`
 -		avahi_stream_connect($1)
-+		tunable_policy(`authlogin_nsswitch_use_ldap',`
-+			dirsrv_stream_connect($1)
-+		')
- 	')
- 
- 	optional_policy(`
+-	')
+-
+-	optional_policy(`
 -		ldap_stream_connect($1)
-+		tunable_policy(`authlogin_nsswitch_use_ldap',`
-+			ldap_stream_connect($1)
-+		')
- 	')
- 
-  	optional_policy(`
- 		likewise_stream_connect_lsassd($1)
- 	')
- 
-+	# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
- 	optional_policy(`
- 		kerberos_use($1)
- 	')
-@@ -1610,7 +1797,7 @@ interface(`auth_use_nsswitch',`
- 	')
- 
- 	optional_policy(`
+-	')
+-
+- 	optional_policy(`
+-		likewise_stream_connect_lsassd($1)
+-	')
+-
+-	optional_policy(`
+-		kerberos_use($1)
+-	')
+-
+-	optional_policy(`
+-		nis_use_ypbind($1)
+-	')
+-
+-	optional_policy(`
 -		nscd_socket_use($1)
-+		nscd_use($1)
+-	')
+-
+-	optional_policy(`
+-		nslcd_stream_connect($1)
+-	')
+-
+-	optional_policy(`
+-		sssd_stream_connect($1)
++	gen_require(`
++		attribute nsswitch_domain;
  	')
  
- 	optional_policy(`
+-	optional_policy(`
+-		samba_stream_connect_winbind($1)
+-		samba_read_var_files($1)
+-		samba_dontaudit_write_var_files($1)
+-	')
++	typeattribute $1 nsswitch_domain;
+ ')
+ 
+ ########################################
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..335900f 100644
+index b7a5f00..a53db2b 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
-@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.1)
+@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
  # Declarations
  #
  
@@ -55884,10 +57058,11 @@ index b7a5f00..335900f 100644
  attribute can_write_shadow_passwords;
  attribute can_relabelto_shadow_passwords;
 +attribute polydomain;
++attribute nsswitch_domain;
  
  type auth_cache_t;
  logging_log_file(auth_cache_t)
-@@ -100,6 +115,8 @@ dev_read_urand(chkpwd_t)
+@@ -100,6 +116,8 @@ dev_read_urand(chkpwd_t)
  files_read_etc_files(chkpwd_t)
  # for nscd
  files_dontaudit_search_var(chkpwd_t)
@@ -55896,7 +57071,7 @@ index b7a5f00..335900f 100644
  
  fs_dontaudit_getattr_xattr_fs(chkpwd_t)
  
-@@ -118,7 +135,7 @@ miscfiles_read_localization(chkpwd_t)
+@@ -118,7 +136,7 @@ miscfiles_read_localization(chkpwd_t)
  seutil_read_config(chkpwd_t)
  seutil_dontaudit_use_newrole_fds(chkpwd_t)
  
@@ -55905,7 +57080,7 @@ index b7a5f00..335900f 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -343,7 +360,7 @@ logging_send_syslog_msg(updpwd_t)
+@@ -343,7 +361,7 @@ logging_send_syslog_msg(updpwd_t)
  
  miscfiles_read_localization(updpwd_t)
  
@@ -55914,7 +57089,15 @@ index b7a5f00..335900f 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -377,7 +394,7 @@ domain_use_interactive_fds(utempter_t)
+@@ -371,13 +389,15 @@ term_dontaudit_use_all_ttys(utempter_t)
+ term_dontaudit_use_all_ptys(utempter_t)
+ term_dontaudit_use_ptmx(utempter_t)
+ 
++auth_use_nsswitch(utempter_t)
++
+ init_rw_utmp(utempter_t)
+ 
+ domain_use_interactive_fds(utempter_t)
  
  logging_search_logs(utempter_t)
  
@@ -55923,20 +57106,81 @@ index b7a5f00..335900f 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -395,3 +412,13 @@ optional_policy(`
- 	xserver_use_xdm_fds(utempter_t)
- 	xserver_rw_xdm_pipes(utempter_t)
+@@ -388,10 +408,71 @@ ifdef(`distro_ubuntu',`
  ')
+ 
+ optional_policy(`
+-	nscd_socket_use(utempter_t)
++	xserver_use_xdm_fds(utempter_t)
++	xserver_rw_xdm_pipes(utempter_t)
++')
 +
 +tunable_policy(`allow_polyinstantiation',`
 +	files_polyinstantiate_all(polydomain)
+ ')
+ 
+ optional_policy(`
+-	xserver_use_xdm_fds(utempter_t)
+-	xserver_rw_xdm_pipes(utempter_t)
++	tunable_policy(`allow_polyinstantiation',`
++		namespace_init_domtrans(polydomain)
++	')
++')
++
++# read /etc/nsswitch.conf
++files_read_etc_files(nsswitch_domain)
++
++sysnet_dns_name_resolve(nsswitch_domain)
++
++tunable_policy(`authlogin_nsswitch_use_ldap',`
++	files_list_var_lib(nsswitch_domain)
++
++	miscfiles_read_generic_certs(nsswitch_domain)
++	sysnet_use_ldap(nsswitch_domain)
 +')
 +
 +optional_policy(`
-+	tunable_policy(`allow_polyinstantiation',`
-+		namespace_init_domtrans(polydomain)
++	tunable_policy(`authlogin_nsswitch_use_ldap',`
++		dirsrv_stream_connect(nsswitch_domain)
++	')
++')
++
++optional_policy(`
++	tunable_policy(`authlogin_nsswitch_use_ldap',`
++		ldap_stream_connect(nsswitch_domain)
 +	')
 +')
++
++optional_policy(`
++	likewise_stream_connect_lsassd(nsswitch_domain)
++')
++
++# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
++optional_policy(`
++	kerberos_use(nsswitch_domain)
++')
++
++optional_policy(`
++	nis_use_ypbind(nsswitch_domain)
++')
++
++optional_policy(`
++	nscd_use(nsswitch_domain)
++')
++
++optional_policy(`
++	nslcd_stream_connect(nsswitch_domain)
++')
++
++optional_policy(`
++	sssd_stream_connect(nsswitch_domain)
++')
++
++optional_policy(`
++	samba_stream_connect_winbind(nsswitch_domain)
++	samba_read_var_files(nsswitch_domain)
++	samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
 diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
 index e2f6d93..c78ccc6 100644
 --- a/policy/modules/system/clock.if
@@ -55968,10 +57212,10 @@ index e2f6d93..c78ccc6 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index b9ed25b..de3738c 100644
+index b9ed25b..39e1dc1 100644
 --- a/policy/modules/system/clock.te
 +++ b/policy/modules/system/clock.te
-@@ -46,8 +46,8 @@ fs_search_auto_mountpoints(hwclock_t)
+@@ -46,11 +46,13 @@ fs_search_auto_mountpoints(hwclock_t)
  
  term_dontaudit_use_console(hwclock_t)
  term_use_unallocated_ttys(hwclock_t)
@@ -55982,6 +57226,22 @@ index b9ed25b..de3738c 100644
  
  domain_use_interactive_fds(hwclock_t)
  
++auth_use_nsswitch(hwclock_t)
++
+ init_use_fds(hwclock_t)
+ init_use_script_ptys(hwclock_t)
+ 
+@@ -65,10 +67,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(hwclock_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(hwclock_t)
+ ')
+ 
 diff --git a/policy/modules/system/daemontools.if b/policy/modules/system/daemontools.if
 index ce3e676..0158314 100644
 --- a/policy/modules/system/daemontools.if
@@ -56150,16 +57410,30 @@ index c28da1c..73883c4 100644
  	xen_rw_image_files(fsadm_t)
  ')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index ede3231..6cdbda3 100644
+index ede3231..c8c15bd 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
-@@ -83,6 +83,7 @@ term_use_unallocated_ttys(getty_t)
+@@ -83,8 +83,10 @@ term_use_unallocated_ttys(getty_t)
  term_setattr_all_ttys(getty_t)
  term_setattr_unallocated_ttys(getty_t)
  term_setattr_console(getty_t)
 +term_use_console(getty_t)
  
  auth_rw_login_records(getty_t)
++auth_use_nsswitch(getty_t)
+ 
+ init_rw_utmp(getty_t)
+ init_use_script_ptys(getty_t)
+@@ -125,10 +127,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(getty_t)
+-')
+-
+-optional_policy(`
+ 	ppp_domtrans(getty_t)
+ ')
  
 diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
 index c310775..ec32c5e 100644
@@ -56209,6 +57483,34 @@ index 40eb10c..2a0a32c 100644
  	')
  
  	corecmd_search_bin($1)
+diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
+index 1a3d970..ba2f286 100644
+--- a/policy/modules/system/hotplug.te
++++ b/policy/modules/system/hotplug.te
+@@ -96,6 +96,8 @@ init_domtrans_script(hotplug_t)
+ # kernel threads inherit from shared descriptor table used by init
+ init_dontaudit_rw_initctl(hotplug_t)
+ 
++auth_use_nsswitch(hotplug_t)
++
+ logging_send_syslog_msg(hotplug_t)
+ logging_search_logs(hotplug_t)
+ 
+@@ -164,14 +166,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(hotplug_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(hotplug_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(hotplug_t)
+ ')
+ 
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
 index 354ce93..b8b14b9 100644
 --- a/policy/modules/system/init.fc
@@ -56254,7 +57556,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..26dcf18 100644
+index 94fd8dd..354e39c 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,42 @@ interface(`init_script_domain',`
@@ -56292,7 +57594,7 @@ index 94fd8dd..26dcf18 100644
 +        domtrans_pattern(init_t,$2,$1)
 +        allow init_t $1:unix_stream_socket create_stream_socket_perms;
 +        allow init_t $1:unix_dgram_socket create_socket_perms;
-+		allow $1 init_t:unix_stream_socket ioctl;
++	allow $1 init_t:unix_stream_socket ioctl;
 +        allow $1 init_t:unix_dgram_socket sendto;
 +    ')
 +')
@@ -56324,42 +57626,52 @@ index 94fd8dd..26dcf18 100644
  	')
  
  	typeattribute $1 daemon;
-@@ -204,7 +246,24 @@ interface(`init_daemon_domain',`
- 
- 	role system_r types $1;
+@@ -202,39 +244,20 @@ interface(`init_daemon_domain',`
+ 	domain_type($1)
+ 	domain_entry_file($1, $2)
  
+-	role system_r types $1;
+-
 -	domtrans_pattern(initrc_t, $2, $1)
+-
+-	# daemons started from init will
+-	# inherit fds from init for the console
+-	init_dontaudit_use_fds($1)
+-	term_dontaudit_use_console($1)
+-
+-	# init script ptys are the stdin/out/err
+-	# when using run_init
+-	init_use_script_ptys($1)
 +	domtrans_pattern(initrc_t,$2,$1)
-+	allow initrc_t $1:process siginh;
-+	allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+	allow $1 initrc_transition_domain:fd use;
-+
-+	tunable_policy(`init_upstart || init_systemd',`
-+		# Handle upstart direct transition to a executable
-+		domtrans_pattern(init_t,$2,$1)
-+		allow init_t $1:process siginh;
-+	')
-+
-+	tunable_policy(`init_systemd',`
-+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
-+		allow init_t $1:unix_dgram_socket create_socket_perms;
-+		allow init_t $1:tcp_socket create_stream_socket_perms;
-+		allow $1 init_t:unix_dgram_socket sendto;
-+		dontaudit $1 init_t:unix_stream_socket { read ioctl getattr };
-+	')
  
- 	# daemons started from init will
- 	# inherit fds from init for the console
-@@ -231,6 +290,8 @@ interface(`init_daemon_domain',`
- 		ifdef(`distro_rhel4',`
- 			kernel_dontaudit_use_fds($1)
- 		')
-+
-+		dontaudit $1 init_t:dir search_dir_perms;
+ 	ifdef(`direct_sysadm_daemon',`
+ 		domtrans_pattern(direct_run_init, $2, $1)
+-		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+ 
+ 		typeattribute $1 direct_init;
+ 		typeattribute $2 direct_init_entry;
+ 
+-		userdom_dontaudit_use_user_terminals($1)
++#		userdom_dontaudit_use_user_terminals($1)
  	')
  
- 	optional_policy(`
-@@ -283,17 +344,20 @@ interface(`init_daemon_domain',`
+-	ifdef(`hide_broken_symptoms',`
+-		# RHEL4 systems seem to have a stray
+-		# fds open from the initrd
+-		ifdef(`distro_rhel4',`
+-			kernel_dontaudit_use_fds($1)
+-		')
+-	')
+-
+-	optional_policy(`
+-		nscd_socket_use($1)
++	tunable_policy(`init_upstart || init_systemd',`
++	     # Handle upstart direct transition to a executable
++	     domtrans_pattern(init_t,$2,$1)
+ 	')
+ ')
+ 
+@@ -283,17 +306,20 @@ interface(`init_daemon_domain',`
  interface(`init_ranged_daemon_domain',`
  	gen_require(`
  		type initrc_t;
@@ -56381,7 +57693,7 @@ index 94fd8dd..26dcf18 100644
  	')
  ')
  
-@@ -336,15 +400,32 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,22 +362,23 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -56389,75 +57701,30 @@ index 94fd8dd..26dcf18 100644
  		type initrc_t;
  		role system_r;
 +		attribute initrc_transition_domain;
++		attribute systemprocess;
  	')
  
++	typeattribute $1 systemprocess;
  	application_domain($1, $2)
  
  	role system_r types $1;
  
 -	domtrans_pattern(initrc_t, $2, $1)
 +	domtrans_pattern(initrc_t,$2,$1)
-+	allow initrc_t $1:process siginh;
-+	allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
-+	allow $1 initrc_transition_domain:fd use;
-+
-+	dontaudit $1 init_t:unix_stream_socket getattr;
-+
+ 
+-	ifdef(`hide_broken_symptoms',`
+-		# RHEL4 systems seem to have a stray
+-		# fds open from the initrd
+-		ifdef(`distro_rhel4',`
+-			kernel_dontaudit_use_fds($1)
+-		')
 +	tunable_policy(`init_systemd',`
 +		# Handle upstart/systemd direct transition to a executable
 +		domtrans_pattern(init_t,$2,$1)
-+		allow init_t $1:process siginh;
-+		allow init_t $1:unix_stream_socket create_stream_socket_perms;
-+		allow init_t $1:unix_dgram_socket create_socket_perms;
-+		allow $1 init_t:unix_dgram_socket sendto;
-+		dontaudit $1 init_t:unix_stream_socket { read getattr ioctl };
-+	')
- 
- 	ifdef(`hide_broken_symptoms',`
- 		# RHEL4 systems seem to have a stray
-@@ -353,6 +434,41 @@ interface(`init_system_domain',`
- 			kernel_dontaudit_use_fds($1)
- 		')
  	')
-+
-+	userdom_dontaudit_search_user_home_dirs($1)
-+	userdom_dontaudit_rw_stream($1)
-+	userdom_dontaudit_write_user_tmp_files($1)
-+
-+	tunable_policy(`allow_daemons_use_tty',`
-+	   term_use_all_ttys($1)
-+	   term_use_all_ptys($1)
-+	',`
-+	   term_dontaudit_use_all_ttys($1)
-+	   term_dontaudit_use_all_ptys($1)
-+	')
-+
-+	# these apps are often redirect output to random log files
-+	logging_inherit_append_all_logs($1)
-+
-+	optional_policy(`
-+		abrt_stream_connect($1)
-+	')
-+
-+	optional_policy(`
-+		cron_rw_pipes($1)
-+	')
-+
-+	optional_policy(`
-+		xserver_dontaudit_append_xdm_home_files($1)
-+	')
-+
-+	optional_policy(`
-+		unconfined_dontaudit_rw_pipes($1)
-+		unconfined_dontaudit_rw_stream($1)
-+		userdom_dontaudit_read_user_tmp_files($1)
-+	')
-+
-+	init_rw_script_stream_sockets($1)
  ')
  
- ########################################
-@@ -401,16 +517,19 @@ interface(`init_system_domain',`
+@@ -401,16 +428,19 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -56477,7 +57744,7 @@ index 94fd8dd..26dcf18 100644
  		mls_rangetrans_target($1)
  	')
  ')
-@@ -451,6 +570,10 @@ interface(`init_exec',`
+@@ -451,6 +481,10 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -56488,7 +57755,7 @@ index 94fd8dd..26dcf18 100644
  ')
  
  ########################################
-@@ -509,6 +632,24 @@ interface(`init_sigchld',`
+@@ -509,6 +543,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -56513,7 +57780,7 @@ index 94fd8dd..26dcf18 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +660,29 @@ interface(`init_sigchld',`
+@@ -519,10 +571,29 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -56545,7 +57812,7 @@ index 94fd8dd..26dcf18 100644
  ')
  
  ########################################
-@@ -688,19 +848,25 @@ interface(`init_telinit',`
+@@ -688,19 +759,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -56572,7 +57839,7 @@ index 94fd8dd..26dcf18 100644
  	')
  ')
  
-@@ -730,7 +896,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +807,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -56581,7 +57848,7 @@ index 94fd8dd..26dcf18 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +939,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +850,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -56605,7 +57872,7 @@ index 94fd8dd..26dcf18 100644
  	')
  ')
  
-@@ -800,23 +967,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +878,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -56628,11 +57895,11 @@ index 94fd8dd..26dcf18 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -56645,17 +57912,13 @@ index 94fd8dd..26dcf18 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
-@@ -868,9 +1057,14 @@ interface(`init_script_file_domtrans',`
+ ')
+ 
+ ########################################
+@@ -868,9 +968,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -56670,7 +57933,7 @@ index 94fd8dd..26dcf18 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1273,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1184,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -56695,7 +57958,7 @@ index 94fd8dd..26dcf18 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1342,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1253,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -56709,7 +57972,7 @@ index 94fd8dd..26dcf18 100644
  ')
  
  ########################################
-@@ -1375,6 +1582,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1493,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -56737,7 +58000,7 @@ index 94fd8dd..26dcf18 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1689,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1600,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -56763,7 +58026,7 @@ index 94fd8dd..26dcf18 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1766,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1677,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -56788,7 +58051,7 @@ index 94fd8dd..26dcf18 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1939,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -56797,7 +58060,7 @@ index 94fd8dd..26dcf18 100644
  ')
  
  ########################################
-@@ -1715,6 +1980,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1891,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -56926,7 +58189,7 @@ index 94fd8dd..26dcf18 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2136,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2047,156 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -57084,7 +58347,7 @@ index 94fd8dd..26dcf18 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..70532cc 100644
+index 29a9565..de6dda5 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -57122,7 +58385,7 @@ index 29a9565..70532cc 100644
  # used for direct running of init scripts
  # by admin domains
  attribute direct_run_init;
-@@ -25,6 +53,9 @@ attribute direct_init_entry;
+@@ -25,14 +53,18 @@ attribute direct_init_entry;
  attribute init_script_domain_type;
  attribute init_script_file_type;
  attribute init_run_all_scripts_domain;
@@ -57132,7 +58395,8 @@ index 29a9565..70532cc 100644
  
  # Mark process types as daemons
  attribute daemon;
-@@ -32,7 +63,7 @@ attribute daemon;
++attribute systemprocess;
+ 
  #
  # init_t is the domain of the init process.
  #
@@ -57141,7 +58405,7 @@ index 29a9565..70532cc 100644
  type init_exec_t;
  domain_type(init_t)
  domain_entry_file(init_t, init_exec_t)
-@@ -63,6 +94,8 @@ role system_r types initrc_t;
+@@ -63,6 +95,8 @@ role system_r types initrc_t;
  # of the below init_upstart tunable
  # but this has a typeattribute in it
  corecmd_shell_entry_type(initrc_t)
@@ -57150,7 +58414,7 @@ index 29a9565..70532cc 100644
  
  type initrc_devpts_t;
  term_pty(initrc_devpts_t)
-@@ -87,7 +120,7 @@ ifdef(`enable_mls',`
+@@ -87,7 +121,7 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -57159,7 +58423,7 @@ index 29a9565..70532cc 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -100,11 +133,15 @@ allow init_t self:fifo_file rw_fifo_file_perms;
+@@ -100,11 +134,15 @@ allow init_t self:fifo_file rw_fifo_file_perms;
  # Re-exec itself
  can_exec(init_t, init_exec_t)
  
@@ -57179,7 +58443,7 @@ index 29a9565..70532cc 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -114,25 +151,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,25 +152,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -57214,7 +58478,7 @@ index 29a9565..70532cc 100644
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
  files_exec_etc_files(init_t)
-@@ -151,10 +197,19 @@ mls_file_read_all_levels(init_t)
+@@ -151,10 +198,19 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
@@ -57235,7 +58499,7 @@ index 29a9565..70532cc 100644
  
  # Run init scripts.
  init_domtrans_script(init_t)
-@@ -162,12 +217,16 @@ init_domtrans_script(init_t)
+@@ -162,12 +218,16 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -57252,7 +58516,7 @@ index 29a9565..70532cc 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +237,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +238,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -57261,7 +58525,7 @@ index 29a9565..70532cc 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +245,131 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +246,135 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -57370,15 +58634,15 @@ index 29a9565..70532cc 100644
 +
 +')
 +
++auth_use_nsswitch(init_t)
++auth_rw_login_records(init_t)
++
  optional_policy(`
- 	auth_rw_login_records(init_t)
+-	auth_rw_login_records(init_t)
++	consolekit_manage_log(init_t)
  ')
  
  optional_policy(`
-+	consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -57393,16 +58657,13 @@ index 29a9565..70532cc 100644
  ')
  
  optional_policy(`
-@@ -199,10 +377,26 @@ optional_policy(`
+-	nscd_socket_use(init_t)
++	plymouthd_stream_connect(init_t)
++	plymouthd_exec_plymouth(init_t)
  ')
  
  optional_policy(`
-+	plymouthd_stream_connect(init_t)
-+	plymouthd_exec_plymouth(init_t)
-+')
-+
-+optional_policy(`
- 	sssd_stream_connect(init_t)
+@@ -203,6 +382,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57420,7 +58681,7 @@ index 29a9565..70532cc 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +406,7 @@ optional_policy(`
+@@ -212,7 +402,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -57429,7 +58690,7 @@ index 29a9565..70532cc 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +431,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -57445,7 +58706,7 @@ index 29a9565..70532cc 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +451,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -57482,7 +58743,7 @@ index 29a9565..70532cc 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +484,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -57490,7 +58751,7 @@ index 29a9565..70532cc 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +495,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -57501,7 +58762,7 @@ index 29a9565..70532cc 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +506,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -57518,7 +58779,7 @@ index 29a9565..70532cc 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +525,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -57526,7 +58787,7 @@ index 29a9565..70532cc 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +533,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -57538,7 +58799,7 @@ index 29a9565..70532cc 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +552,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -57552,7 +58813,7 @@ index 29a9565..70532cc 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +567,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -57561,7 +58822,7 @@ index 29a9565..70532cc 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +581,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -57569,7 +58830,7 @@ index 29a9565..70532cc 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +593,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -57577,7 +58838,7 @@ index 29a9565..70532cc 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +614,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -57599,7 +58860,7 @@ index 29a9565..70532cc 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +677,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -57610,7 +58871,7 @@ index 29a9565..70532cc 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +705,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +701,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -57619,7 +58880,7 @@ index 29a9565..70532cc 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +720,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +716,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -57627,7 +58888,7 @@ index 29a9565..70532cc 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +750,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +746,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -57661,7 +58922,7 @@ index 29a9565..70532cc 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +784,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +780,26 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -57688,7 +58949,7 @@ index 29a9565..70532cc 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +818,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +814,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -57728,7 +58989,7 @@ index 29a9565..70532cc 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +863,8 @@ optional_policy(`
+@@ -561,6 +859,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -57737,7 +58998,7 @@ index 29a9565..70532cc 100644
  ')
  
  optional_policy(`
-@@ -577,6 +881,7 @@ optional_policy(`
+@@ -577,6 +877,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -57745,7 +59006,7 @@ index 29a9565..70532cc 100644
  ')
  
  optional_policy(`
-@@ -589,6 +894,11 @@ optional_policy(`
+@@ -589,6 +890,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57757,7 +59018,7 @@ index 29a9565..70532cc 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +915,13 @@ optional_policy(`
+@@ -605,9 +911,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -57771,7 +59032,7 @@ index 29a9565..70532cc 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +963,11 @@ optional_policy(`
+@@ -649,6 +959,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57783,7 +59044,7 @@ index 29a9565..70532cc 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1008,7 @@ optional_policy(`
+@@ -689,6 +1004,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -57791,7 +59052,7 @@ index 29a9565..70532cc 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1026,13 @@ optional_policy(`
+@@ -706,7 +1022,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57805,7 +59066,7 @@ index 29a9565..70532cc 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1055,10 @@ optional_policy(`
+@@ -729,6 +1051,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57816,7 +59077,7 @@ index 29a9565..70532cc 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1068,20 @@ optional_policy(`
+@@ -738,10 +1064,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57837,7 +59098,7 @@ index 29a9565..70532cc 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1090,10 @@ optional_policy(`
+@@ -750,6 +1086,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57848,7 +59109,7 @@ index 29a9565..70532cc 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1115,6 @@ optional_policy(`
+@@ -771,8 +1111,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -57857,7 +59118,7 @@ index 29a9565..70532cc 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1132,12 @@ optional_policy(`
+@@ -790,10 +1128,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -57870,7 +59131,7 @@ index 29a9565..70532cc 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1149,6 @@ optional_policy(`
+@@ -805,7 +1145,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57878,7 +59139,7 @@ index 29a9565..70532cc 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1158,24 @@ optional_policy(`
+@@ -815,11 +1154,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57904,7 +59165,7 @@ index 29a9565..70532cc 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1185,25 @@ optional_policy(`
+@@ -829,6 +1181,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -57930,7 +59191,7 @@ index 29a9565..70532cc 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1219,10 @@ optional_policy(`
+@@ -844,6 +1215,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57941,7 +59202,7 @@ index 29a9565..70532cc 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1233,45 @@ optional_policy(`
+@@ -854,3 +1229,149 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -57987,6 +59248,110 @@ index 29a9565..70532cc 100644
 +allow init_t var_run_t:dir relabelto;
 +
 +init_stream_connect(initrc_t)
++
++allow initrc_t daemon:process siginh;
++allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++allow daemon initrc_transition_domain:fd use;
++
++tunable_policy(`init_systemd',`
++	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
++	allow init_t daemon:unix_dgram_socket create_socket_perms;
++	allow init_t daemon:tcp_socket create_stream_socket_perms;
++	allow daemon init_t:unix_dgram_socket sendto;
++	dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
++')
++
++# daemons started from init will
++# inherit fds from init for the console
++init_dontaudit_use_fds(daemon)
++term_dontaudit_use_console(daemon)
++# init script ptys are the stdin/out/err
++# when using run_init
++init_use_script_ptys(daemon)
++
++allow init_t daemon:process siginh;
++
++ifdef(`hide_broken_symptoms',`
++	# RHEL4 systems seem to have a stray
++	# fds open from the initrd
++	ifdef(`distro_rhel4',`
++		kernel_dontaudit_use_fds(daemon)
++	')
++
++	dontaudit daemon init_t:dir search_dir_perms;
++')
++
++optional_policy(`
++	nscd_socket_use(daemon)
++')
++
++allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
++
++allow initrc_t systemprocess:process siginh;
++allow systemprocess initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++allow systemprocess initrc_transition_domain:fd use;
++
++dontaudit systemprocess init_t:unix_stream_socket getattr;
++
++
++tunable_policy(`init_systemd',`
++	# Handle upstart/systemd direct transition to a executable
++	allow init_t systemprocess:process siginh;
++	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
++	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
++	allow systemprocess init_t:unix_dgram_socket sendto;
++	dontaudit systemprocess init_t:unix_stream_socket { read getattr ioctl };
++')
++
++ifdef(`hide_broken_symptoms',`
++	# RHEL4 systems seem to have a stray
++	# fds open from the initrd
++	ifdef(`distro_rhel4',`
++		kernel_dontaudit_use_fds(systemprocess)
++	')
++')
++
++userdom_dontaudit_search_user_home_dirs(systemprocess)
++userdom_dontaudit_rw_stream(systemprocess)
++userdom_dontaudit_write_user_tmp_files(systemprocess)
++
++tunable_policy(`allow_daemons_use_tty',`
++   term_use_all_ttys(systemprocess)
++   term_use_all_ptys(systemprocess)
++',`
++   term_dontaudit_use_all_ttys(systemprocess)
++   term_dontaudit_use_all_ptys(systemprocess)
++')
++
++# these apps are often redirect output to random log files
++logging_inherit_append_all_logs(systemprocess)
++
++optional_policy(`
++	abrt_stream_connect(systemprocess)
++')
++
++optional_policy(`
++	cron_rw_pipes(systemprocess)
++')
++
++optional_policy(`
++	xserver_dontaudit_append_xdm_home_files(systemprocess)
++')
++
++optional_policy(`
++	unconfined_dontaudit_rw_pipes(systemprocess)
++	unconfined_dontaudit_rw_stream(systemprocess)
++	userdom_dontaudit_read_user_tmp_files(systemprocess)
++')
++
++init_rw_script_stream_sockets(systemprocess)
++
++role system_r types systemprocess;
++role system_r types daemon;
++
++#ifdef(`enable_mls',`
++#	mls_rangetrans_target(systemprocess)
++#')
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
 index fb09b9e..e25c6b6 100644
 --- a/policy/modules/system/ipsec.fc
@@ -58062,7 +59427,7 @@ index 0d4c8d3..9d66bf7 100644
  
  ########################################
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..bec6385 100644
+index 55a6cd8..4bc226b 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -128,13 +128,13 @@ corecmd_exec_bin(ipsec_t)
@@ -58112,7 +59477,7 @@ index 55a6cd8..bec6385 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -277,7 +290,7 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +290,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -58120,8 +59485,11 @@ index 55a6cd8..bec6385 100644
 +term_use_all_inherited_terms(ipsec_mgmt_t)
  
  auth_dontaudit_read_login_records(ipsec_mgmt_t)
++auth_use_nsswitch(ipsec_mgmt_t)
  
-@@ -297,7 +310,7 @@ sysnet_manage_config(ipsec_mgmt_t)
+ init_read_utmp(ipsec_mgmt_t)
+ init_use_script_ptys(ipsec_mgmt_t)
+@@ -297,7 +311,7 @@ sysnet_manage_config(ipsec_mgmt_t)
  sysnet_domtrans_ifconfig(ipsec_mgmt_t)
  sysnet_etc_filetrans_config(ipsec_mgmt_t)
  
@@ -58130,7 +59498,18 @@ index 55a6cd8..bec6385 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -377,12 +390,12 @@ corecmd_exec_shell(racoon_t)
+@@ -324,10 +338,6 @@ optional_policy(`
+ 	modutils_domtrans_insmod(ipsec_mgmt_t)
+ ')
+ 
+-optional_policy(`
+-	nscd_socket_use(ipsec_mgmt_t)
+-')
+-
+ ifdef(`TODO',`
+ # ideally it would not need this.  It wants to write to /root/.rnd
+ file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
+@@ -377,12 +387,12 @@ corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
  corenet_all_recvfrom_unlabeled(racoon_t)
@@ -58149,7 +59528,7 @@ index 55a6cd8..bec6385 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -411,6 +424,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +421,8 @@ miscfiles_read_localization(racoon_t)
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -58158,7 +59537,7 @@ index 55a6cd8..bec6385 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +463,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +460,6 @@ miscfiles_read_localization(setkey_t)
  
  seutil_read_config(setkey_t)
  
@@ -58189,6 +59568,21 @@ index 05fb364..6b895d1 100644
 -/usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 -/usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/xtables-multi	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
+index 7ba53db..5c94dfe 100644
+--- a/policy/modules/system/iptables.if
++++ b/policy/modules/system/iptables.if
+@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, iptables_exec_t, iptables_t)
+-
+-	ifdef(`hide_broken_symptoms', `
+-		dontaudit iptables_t $1:socket_class_set { read write };
+-	')
+ ')
+ 
+ ########################################
 diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
 index f3e1b57..d6a93ac 100644
 --- a/policy/modules/system/iptables.te
@@ -58912,7 +60306,7 @@ index e5836d3..b32b945 100644
 +#')
 +
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..77f0e09 100644
+index a0b379d..7d88511 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -32,9 +32,8 @@ role system_r types sulogin_t;
@@ -58936,15 +60330,18 @@ index a0b379d..77f0e09 100644
  dev_dontaudit_getattr_apm_bios_dev(local_login_t)
  dev_dontaudit_setattr_apm_bios_dev(local_login_t)
  dev_dontaudit_read_framebuffer(local_login_t)
-@@ -125,6 +126,7 @@ auth_manage_pam_console_data(local_login_t)
+@@ -123,8 +124,10 @@ auth_rw_faillog(local_login_t)
+ auth_manage_pam_pid(local_login_t)
+ auth_manage_pam_console_data(local_login_t)
  auth_domtrans_pam_console(local_login_t)
++auth_use_nsswitch(local_login_t)
  
  init_dontaudit_use_fds(local_login_t)
 +init_stream_connect(local_login_t)
  
  miscfiles_read_localization(local_login_t)
  
-@@ -156,6 +158,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -156,6 +159,12 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_read_cifs_symlinks(local_login_t)
  ')
  
@@ -58957,7 +60354,22 @@ index a0b379d..77f0e09 100644
  optional_policy(`
  	alsa_domtrans(local_login_t)
  ')
-@@ -225,6 +233,7 @@ files_read_etc_files(sulogin_t)
+@@ -177,14 +186,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(local_login_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(local_login_t)
+-')
+-
+-optional_policy(`
+ 	unconfined_shell_domtrans(local_login_t)
+ ')
+ 
+@@ -225,6 +226,7 @@ files_read_etc_files(sulogin_t)
  files_dontaudit_search_isid_type_dirs(sulogin_t)
  
  auth_read_shadow(sulogin_t)
@@ -58965,7 +60377,7 @@ index a0b379d..77f0e09 100644
  
  init_getpgid_script(sulogin_t)
  
-@@ -238,14 +247,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +240,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
@@ -58991,7 +60403,7 @@ index a0b379d..77f0e09 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +274,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +267,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -59821,7 +61233,7 @@ index 9c0faab..dd6530e 100644
  ##	loading modules.
  ## </summary>
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..7a8241b 100644
+index a0eef20..223af54 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -18,11 +18,12 @@ type insmod_t;
@@ -59931,12 +61343,14 @@ index a0eef20..7a8241b 100644
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -161,11 +175,15 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +175,17 @@ files_write_kernel_modules(insmod_t)
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
 +fs_mount_rpc_pipefs(insmod_t)
 +fs_search_rpc(insmod_t)
++
++auth_use_nsswitch(insmod_t)
  
  init_rw_initctl(insmod_t)
  init_use_fds(insmod_t)
@@ -59947,7 +61361,7 @@ index a0eef20..7a8241b 100644
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -174,8 +192,7 @@ miscfiles_read_localization(insmod_t)
+@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t)
  
  seutil_read_file_contexts(insmod_t)
  
@@ -59957,21 +61371,41 @@ index a0eef20..7a8241b 100644
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  if( ! secure_mode_insmod ) {
-@@ -187,8 +204,11 @@ optional_policy(`
+@@ -187,28 +206,23 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	firstboot_dontaudit_rw_pipes(insmod_t)
 -	firstboot_dontaudit_rw_stream_sockets(insmod_t)
 +	firstboot_dontaudit_leaks(insmod_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	hal_write_log(insmod_t)
 +	firewallgui_dontaudit_rw_pipes(insmod_t)
  ')
  
  optional_policy(`
-@@ -231,11 +251,15 @@ optional_policy(`
+-	hotplug_search_config(insmod_t)
+-')
+-
+-optional_policy(`
+-	mount_domtrans(insmod_t)
++	hal_write_log(insmod_t)
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(insmod_t)
++	hotplug_search_config(insmod_t)
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(insmod_t)
++	mount_domtrans(insmod_t)
+ ')
+ 
+ optional_policy(`
+@@ -231,11 +245,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59988,7 +61422,7 @@ index a0eef20..7a8241b 100644
  	# cjp: why is this needed:
  	dev_rw_xserver_misc(insmod_t)
  
-@@ -296,7 +320,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +314,7 @@ logging_send_syslog_msg(update_modules_t)
  
  miscfiles_read_localization(update_modules_t)
  
@@ -60020,10 +61454,10 @@ index 72c746e..704d2d7 100644
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/mount(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..1ac1567 100644
+index 8b5c196..1be2768 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
-@@ -16,6 +16,18 @@ interface(`mount_domtrans',`
+@@ -16,6 +16,12 @@ interface(`mount_domtrans',`
  	')
  
  	domtrans_pattern($1, mount_exec_t, mount_t)
@@ -60033,16 +61467,10 @@ index 8b5c196..1ac1567 100644
 +	ps_process_pattern(mount_t, $1)
 +
 +	allow mount_t $1:unix_stream_socket { read write };
-+
-+ifdef(`hide_broken_symptoms', `
-+	dontaudit mount_t $1:tcp_socket  { read write };
-+	dontaudit mount_t $1:udp_socket { read write };
-+')
-+
  ')
  
  ########################################
-@@ -45,12 +57,77 @@ interface(`mount_run',`
+@@ -45,8 +51,73 @@ interface(`mount_run',`
  	role $2 types mount_t;
  
  	optional_policy(`
@@ -60065,11 +61493,11 @@ index 8b5c196..1ac1567 100644
 +
 +	optional_policy(`
 +		samba_run_smbmount(mount_t, $2)
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute fusermount in the mount domain, and
 +##	allow the specified role the mount domain,
 +##	and use the caller's terminal.
@@ -60089,7 +61517,7 @@ index 8b5c196..1ac1567 100644
 +interface(`mount_run_fusermount',`
 +	gen_require(`
 +		type mount_t;
-+	')
+ 	')
 +
 +	mount_domtrans_fusermount($1)
 +	role $2 types mount_t;
@@ -60114,14 +61542,10 @@ index 8b5c196..1ac1567 100644
 +
 +	allow $1 mount_var_run_t:file read_file_perms;
 +	files_search_pids($1)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute mount in the caller domain.
- ## </summary>
- ## <param name="domain">
-@@ -84,9 +161,11 @@ interface(`mount_exec',`
+ ')
+ 
+ ########################################
+@@ -84,9 +155,11 @@ interface(`mount_exec',`
  interface(`mount_signal',`
  	gen_require(`
  		type mount_t;
@@ -60133,7 +61557,7 @@ index 8b5c196..1ac1567 100644
  ')
  
  ########################################
-@@ -95,7 +174,7 @@ interface(`mount_signal',`
+@@ -95,7 +168,7 @@ interface(`mount_signal',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -60142,7 +61566,7 @@ index 8b5c196..1ac1567 100644
  ##	</summary>
  ## </param>
  #
-@@ -135,6 +214,24 @@ interface(`mount_send_nfs_client_request',`
+@@ -135,6 +208,24 @@ interface(`mount_send_nfs_client_request',`
  
  ########################################
  ## <summary>
@@ -60167,7 +61591,7 @@ index 8b5c196..1ac1567 100644
  ##	Execute mount in the unconfined mount domain.
  ## </summary>
  ## <param name="domain">
-@@ -176,4 +273,113 @@ interface(`mount_run_unconfined',`
+@@ -176,4 +267,113 @@ interface(`mount_run_unconfined',`
  
  	mount_domtrans_unconfined($1)
  	role $2 types unconfined_mount_t;
@@ -60282,7 +61706,7 @@ index 8b5c196..1ac1567 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..ed497ff 100644
+index 15832c7..79bc8f4 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -60475,15 +61899,16 @@ index 15832c7..ed497ff 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -141,26 +213,29 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +213,28 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
 +corecmd_exec_shell(mount_t)
 +
  tunable_policy(`allow_mount_anyfile',`
- 	auth_read_all_dirs_except_shadow(mount_t)
- 	auth_read_all_files_except_shadow(mount_t)
+-	auth_read_all_dirs_except_shadow(mount_t)
+-	auth_read_all_files_except_shadow(mount_t)
++	files_read_non_security_files(mount_t)
  	files_mounton_non_security(mount_t)
 +	files_rw_all_inherited_files(mount_t)
  ')
@@ -60513,7 +61938,7 @@ index 15832c7..ed497ff 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +249,8 @@ optional_policy(`
+@@ -174,6 +248,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -60522,7 +61947,7 @@ index 15832c7..ed497ff 100644
  ')
  
  optional_policy(`
-@@ -181,6 +258,28 @@ optional_policy(`
+@@ -181,6 +257,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60551,7 +61976,7 @@ index 15832c7..ed497ff 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,13 +287,52 @@ optional_policy(`
+@@ -188,13 +286,52 @@ optional_policy(`
  	')
  ')
  
@@ -60604,7 +62029,7 @@ index 15832c7..ed497ff 100644
  ')
  
  ########################################
-@@ -203,6 +341,43 @@ optional_policy(`
+@@ -203,6 +340,43 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -60667,10 +62092,22 @@ index cbbda4a..8dcc346 100644
 +userdom_use_inherited_user_terminals(netlabel_mgmt_t)
 +
 diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
-index 4d06ae3..ebd5ed4 100644
+index 4d06ae3..e81b7ac 100644
 --- a/policy/modules/system/pcmcia.te
 +++ b/policy/modules/system/pcmcia.te
-@@ -98,18 +98,20 @@ logging_send_syslog_msg(cardmgr_t)
+@@ -62,9 +62,8 @@ dev_read_urand(cardmgr_t)
+ 
+ domain_use_interactive_fds(cardmgr_t)
+ # Read /proc/PID directories for all domains (for fuser).
+-domain_read_confined_domains_state(cardmgr_t)
+-domain_getattr_confined_domains(cardmgr_t)
+-domain_dontaudit_ptrace_confined_domains(cardmgr_t)
++domain_read_all_domains_state(cardmgr_t)
++domain_dontaudit_ptrace_all_domains(cardmgr_t)
+ # cjp: these look excessive:
+ domain_dontaudit_getattr_all_pipes(cardmgr_t)
+ domain_dontaudit_getattr_all_sockets(cardmgr_t)
+@@ -98,18 +97,20 @@ logging_send_syslog_msg(cardmgr_t)
  
  miscfiles_read_localization(cardmgr_t)
  
@@ -60863,21 +62300,10 @@ index 2cc4bda..167c358 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..beb818f 100644
+index 170e2c7..7b10445 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
-@@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
- 
- 	corecmd_search_bin($1)
- 	domtrans_pattern($1, load_policy_exec_t, load_policy_t)
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit load_policy_t $1:socket_class_set { read write };
-+	')
- ')
- 
- ########################################
-@@ -199,6 +203,10 @@ interface(`seutil_run_newrole',`
+@@ -199,6 +199,10 @@ interface(`seutil_run_newrole',`
  	role $2 types newrole_t;
  
  	auth_run_upd_passwd(newrole_t, $2)
@@ -60888,7 +62314,7 @@ index 170e2c7..beb818f 100644
  ')
  
  ########################################
-@@ -361,6 +369,27 @@ interface(`seutil_exec_restorecon',`
+@@ -361,6 +365,27 @@ interface(`seutil_exec_restorecon',`
  
  ########################################
  ## <summary>
@@ -60916,18 +62342,7 @@ index 170e2c7..beb818f 100644
  ##	Execute run_init in the run_init domain.
  ## </summary>
  ## <param name="domain">
-@@ -514,6 +543,10 @@ interface(`seutil_domtrans_setfiles',`
- 	files_search_usr($1)
- 	corecmd_search_bin($1)
- 	domtrans_pattern($1, setfiles_exec_t, setfiles_t)
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit setfiles_t $1:socket_class_set { read write };
-+	')
- ')
- 
- ########################################
-@@ -545,6 +578,53 @@ interface(`seutil_run_setfiles',`
+@@ -545,6 +570,53 @@ interface(`seutil_run_setfiles',`
  
  ########################################
  ## <summary>
@@ -60981,7 +62396,7 @@ index 170e2c7..beb818f 100644
  ##	Execute setfiles in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -690,6 +770,7 @@ interface(`seutil_manage_config',`
+@@ -690,6 +762,7 @@ interface(`seutil_manage_config',`
  	')
  
  	files_search_etc($1)
@@ -60989,7 +62404,7 @@ index 170e2c7..beb818f 100644
  	manage_files_pattern($1, selinux_config_t, selinux_config_t)
  	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
  ')
-@@ -756,6 +837,29 @@ interface(`seutil_read_default_contexts',`
+@@ -756,6 +829,29 @@ interface(`seutil_read_default_contexts',`
  	read_files_pattern($1, default_context_t, default_context_t)
  ')
  
@@ -61019,18 +62434,10 @@ index 170e2c7..beb818f 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete the default_contexts files.
-@@ -1005,6 +1109,30 @@ interface(`seutil_domtrans_semanage',`
- 	files_search_usr($1)
- 	corecmd_search_bin($1)
- 	domtrans_pattern($1, semanage_exec_t, semanage_t)
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit semanage_t $1:socket_class_set { read write };
-+	')
-+')
-+
-+########################################
-+## <summary>
+@@ -1009,6 +1105,26 @@ interface(`seutil_domtrans_semanage',`
+ 
+ ########################################
+ ## <summary>
 +##	Execute a domain transition to run setsebool.
 +## </summary>
 +## <param name="domain">
@@ -61047,10 +62454,14 @@ index 170e2c7..beb818f 100644
 +	files_search_usr($1)
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, setsebool_exec_t, setsebool_t)
- ')
- 
- ########################################
-@@ -1038,6 +1166,54 @@ interface(`seutil_run_semanage',`
++')
++
++########################################
++## <summary>
+ ##	Execute semanage in the semanage domain, and
+ ##	allow the specified role the semanage domain,
+ ##	and use the caller's terminal.
+@@ -1038,6 +1154,54 @@ interface(`seutil_run_semanage',`
  
  ########################################
  ## <summary>
@@ -61105,7 +62516,7 @@ index 170e2c7..beb818f 100644
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1149,3 +1325,199 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1313,199 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -61306,7 +62717,7 @@ index 170e2c7..beb818f 100644
 +	')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..96406b1 100644
+index 7ed9819..d74087e 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -61480,6 +62891,17 @@ index 7ed9819..96406b1 100644
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
  fs_getattr_xattr_fs(restorecond_t)
+@@ -323,8 +350,8 @@ selinux_compute_create_context(restorecond_t)
+ selinux_compute_relabel_context(restorecond_t)
+ selinux_compute_user_contexts(restorecond_t)
+ 
+-auth_relabel_all_files_except_shadow(restorecond_t )
+-auth_read_all_files_except_shadow(restorecond_t)
++files_relabel_all_files(restorecond_t )
++files_read_non_security_files(restorecond_t)
+ auth_use_nsswitch(restorecond_t)
+ 
+ locallogin_dontaudit_use_fds(restorecond_t)
 @@ -335,6 +362,8 @@ miscfiles_read_localization(restorecond_t)
  
  seutil_libselinux_linked(restorecond_t)
@@ -61606,7 +63028,7 @@ index 7ed9819..96406b1 100644
 -
 -locallogin_use_fds(semanage_t)
 +# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
++files_read_non_security_files(semanage_t)
  
 -logging_send_syslog_msg(semanage_t)
 -
@@ -61825,7 +63247,7 @@ index 694fd94..334e80e 100644
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..95e705c 100644
+index ff80d0a..752e031 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -61967,17 +63389,7 @@ index ff80d0a..95e705c 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -484,6 +579,9 @@ interface(`sysnet_domtrans_ifconfig',`
- 
- 	corecmd_search_bin($1)
- 	domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
-+	ifdef(`hide_broken_symptoms', `
-+	        dontaudit ifconfig_t $1:socket_class_set { read write };
-+	')
- ')
- 
- ########################################
-@@ -554,6 +652,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -554,6 +649,25 @@ interface(`sysnet_signal_ifconfig',`
  
  ########################################
  ## <summary>
@@ -62003,7 +63415,7 @@ index ff80d0a..95e705c 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -661,6 +778,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -661,6 +775,8 @@ interface(`sysnet_dns_name_resolve',`
  	corenet_tcp_connect_dns_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
@@ -62012,7 +63424,7 @@ index ff80d0a..95e705c 100644
  	sysnet_read_config($1)
  
  	optional_policy(`
-@@ -698,6 +817,9 @@ interface(`sysnet_use_ldap',`
+@@ -698,6 +814,9 @@ interface(`sysnet_use_ldap',`
  	corenet_sendrecv_ldap_client_packets($1)
  
  	sysnet_read_config($1)
@@ -62022,7 +63434,7 @@ index ff80d0a..95e705c 100644
  ')
  
  ########################################
-@@ -731,3 +853,49 @@ interface(`sysnet_use_portmap',`
+@@ -731,3 +850,49 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -62724,10 +64136,10 @@ index 0000000..11fbd0f
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a0b79d5
+index 0000000..4936451
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,314 @@
+@@ -0,0 +1,317 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -62849,6 +64261,9 @@ index 0000000..a0b79d5
 +
 +userdom_read_all_users_state(systemd_logind_t)
 +userdom_use_user_ttys(systemd_logind_t)
++userdom_manage_user_tmp_dirs(systemd_logind_t)
++userdom_manage_user_tmp_files(systemd_logind_t)
++userdom_manage_user_tmp_symlinks(systemd_logind_t)
 +
 +optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
@@ -64225,10 +65640,10 @@ index eae5001..71e46b2 100644
 -')
 +attribute unconfined_services;
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..392d1ee 100644
+index db75976..cca4cd1 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,17 @@
+@@ -1,4 +1,19 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@@ -64240,15 +65655,17 @@ index db75976..392d1ee 100644
 +/dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 +HOME_DIR/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
-+HOME_DIR/local/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
++HOME_DIR/\.local/bin(/.*)?	gen_context(system_u:object_r:home_bin_t,s0)
 +HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 +HOME_DIR/Music(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 +HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
++
++/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..fd5c0a5 100644
+index 4b2878a..31290e1 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -64393,16 +65810,16 @@ index 4b2878a..fd5c0a5 100644
 +
 +	storage_rw_fuse($1_usertype)
 +
-+	auth_use_nsswitch($1_usertype)
- 
--	libs_exec_ld_so($1_t)
++	auth_use_nsswitch($1_t)
++
 +	init_stream_connect($1_usertype)
 +	# The library functions always try to open read-write first,
 +	# then fall back to read-only if it fails. 
 +	init_dontaudit_rw_utmp($1_usertype)
 +
 +	libs_exec_ld_so($1_usertype)
-+
+ 
+-	libs_exec_ld_so($1_t)
 +	logging_send_audit_msgs($1_t)
  
  	miscfiles_read_localization($1_t)
@@ -64772,27 +66189,27 @@ index 4b2878a..fd5c0a5 100644
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
+-
+-	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
 +	kernel_request_load_module($1_usertype)
  
--	corecmd_exec_bin($1_t)
+-	corenet_udp_bind_generic_node($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	corenet_udp_bind_generic_node($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	corenet_udp_bind_generic_node($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
--
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -64816,10 +66233,10 @@ index 4b2878a..fd5c0a5 100644
 +	fs_read_noxattr_fs_files($1_usertype)
 +	fs_read_noxattr_fs_symlinks($1_usertype)
 +	fs_rw_cgroup_files($1_usertype)
-+
-+	application_getattr_socket($1_usertype)
  
 -	fs_rw_cgroup_files($1_t)
++	application_getattr_socket($1_usertype)
++
 +	logging_send_syslog_msg($1_usertype)
 +	logging_send_audit_msgs($1_usertype)
 +	selinux_get_enforce_mode($1_usertype)
@@ -64912,89 +66329,89 @@ index 4b2878a..fd5c0a5 100644
 +		optional_policy(`
 +			avahi_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
-+			policykit_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			bluetooth_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			consolekit_dbus_chat($1_usertype)
-+			consolekit_read_log($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			evolution_dbus_chat($1_usertype)
-+			evolution_alarm_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			gnome_dbus_chat_gconfdefault($1_usertype)
-+		')
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			hal_dbus_chat($1_usertype)
++			policykit_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1_t)
 -			evolution_alarm_dbus_chat($1_t)
-+			kde_dbus_chat_backlighthelper($1_usertype)
++			bluetooth_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			modemmanager_dbus_chat($1_usertype)
++			consolekit_dbus_chat($1_usertype)
++			consolekit_read_log($1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			networkmanager_dbus_chat($1_usertype)
-+			networkmanager_read_lib_files($1_usertype)
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
-+			vpn_dbus_chat($1_usertype)
++			evolution_dbus_chat($1_usertype)
++			evolution_alarm_dbus_chat($1_usertype)
  		')
++
++		optional_policy(`
++			gnome_dbus_chat_gconfdefault($1_usertype)
++		')
++
++		optional_policy(`
++			hal_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
++			kde_dbus_chat_backlighthelper($1_usertype)
++		')
++
++		optional_policy(`
++			modemmanager_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
++			networkmanager_dbus_chat($1_usertype)
++			networkmanager_read_lib_files($1_usertype)
++		')
++
++		optional_policy(`
++			vpn_dbus_chat($1_usertype)
++		')
++	')
++
++	optional_policy(`
++		git_session_role($1_r, $1_usertype)
++	')
++
++	optional_policy(`
++		inetd_use_fds($1_usertype)
++		inetd_rw_tcp_sockets($1_usertype)
  	')
  
  	optional_policy(`
 -		inetd_use_fds($1_t)
 -		inetd_rw_tcp_sockets($1_t)
-+		git_session_role($1_r, $1_usertype)
++		inn_read_config($1_usertype)
++		inn_read_news_lib($1_usertype)
++		inn_read_news_spool($1_usertype)
  	')
  
  	optional_policy(`
 -		inn_read_config($1_t)
 -		inn_read_news_lib($1_t)
 -		inn_read_news_spool($1_t)
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
++		lircd_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		locate_read_lib_files($1_t)
-+		inn_read_config($1_usertype)
-+		inn_read_news_lib($1_usertype)
-+		inn_read_news_spool($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		lircd_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		locate_read_lib_files($1_usertype)
  	')
  
@@ -65002,16 +66419,16 @@ index 4b2878a..fd5c0a5 100644
  	optional_policy(`
 -		modutils_read_module_config($1_t)
 +		modutils_read_module_config($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		mta_rw_spool($1_usertype)
-+		mta_manage_queue($1_usertype)
-+		mta_filetrans_home_content($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_rw_spool($1_t)
++		mta_rw_spool($1_usertype)
++		mta_manage_queue($1_usertype)
++		mta_filetrans_home_content($1_usertype)
++	')
++
++	optional_policy(`
 +		nsplugin_role($1_r, $1_usertype)
  	')
  
@@ -65048,32 +66465,32 @@ index 4b2878a..fd5c0a5 100644
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
 +		rpc_manage_nfs_rw_content($1_usertype)
++	')
++
++	optional_policy(`
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		rpcbind_stream_connect($1_usertype)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t, $1_r)
-+		seunshare_role_template($1, $1_r, $1_t)
- 	')
-+
-+	optional_policy(`
 +		slrnpull_search_spool($1_usertype)
-+	')
+ 	')
 +
  ')
  
@@ -65084,17 +66501,15 @@ index 4b2878a..fd5c0a5 100644
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
- 
--	userdom_manage_tmp_role($1_r, $1_t)
--	userdom_manage_tmpfs_role($1_r, $1_t)
++
 +	userdom_manage_tmp_role($1_r, $1_usertype)
 +	userdom_manage_tmpfs_role($1_r, $1_usertype)
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
-+
+ 
+-	userdom_manage_tmp_role($1_r, $1_t)
+-	userdom_manage_tmpfs_role($1_r, $1_t)
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -65102,7 +66517,9 @@ index 4b2878a..fd5c0a5 100644
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
-+
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -65309,27 +66726,26 @@ index 4b2878a..fd5c0a5 100644
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
+ 
+ 		optional_policy(`
+-			consolekit_dbus_chat($1_t)
 +			cups_dbus_chat($1_usertype)
 +			cups_dbus_chat_config($1_usertype)
-+		')
+ 		')
  
  		optional_policy(`
--			consolekit_dbus_chat($1_t)
+-			cups_dbus_chat($1_t)
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
  		')
- 
- 		optional_policy(`
--			cups_dbus_chat($1_t)
++
++		optional_policy(`
 +			fprintd_dbus_chat($1_t)
- 		')
- 	')
- 
- 	optional_policy(`
--		java_role($1_r, $1_t)
++		')
++	')
++
++	optional_policy(`
 +		openoffice_role_template($1, $1_r, $1_usertype)
 +	')
 +
@@ -65341,9 +66757,10 @@ index 4b2878a..fd5c0a5 100644
 +		pulseaudio_role($1_r, $1_usertype)
 +		pulseaudio_filetrans_admin_home_content($1_usertype)
 +		pulseaudio_filetrans_home_content($1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		java_role($1_r, $1_t)
 +		rtkit_scheduled($1_usertype)
  	')
  
@@ -65454,19 +66871,19 @@ index 4b2878a..fd5c0a5 100644
 +
 +	optional_policy(`
 +		mono_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_stream_connect($1_t)
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		setroubleshoot_stream_connect($1_t)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
 +	')
 +
@@ -65525,7 +66942,7 @@ index 4b2878a..fd5c0a5 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,17 +1429,22 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1429,37 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -65549,7 +66966,13 @@ index 4b2878a..fd5c0a5 100644
  
  	auth_getattr_shadow($1_t)
  	# Manage almost all files
-@@ -1141,7 +1456,10 @@ template(`userdom_admin_user_template',`
+-	auth_manage_all_files_except_shadow($1_t)
++	files_manage_non_security_files($1_t)
+ 	# Relabel almost all files
+-	auth_relabel_all_files_except_shadow($1_t)
++	files_relabel_non_security_files($1_t)
+ 
+ 	init_telinit($1_t)
  
  	logging_send_syslog_msg($1_t)
  
@@ -65579,14 +67002,17 @@ index 4b2878a..fd5c0a5 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1544,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1544,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
 +	selinux_read_policy($1)
  
- 	auth_relabel_all_files_except_shadow($1)
+-	auth_relabel_all_files_except_shadow($1)
++	files_relabel_all_files($1)
  	auth_relabel_shadow($1)
+ 
+ 	init_exec($1)
 @@ -1234,13 +1557,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
@@ -65714,14 +67140,13 @@ index 4b2878a..fd5c0a5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1334,9 +1680,46 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,7 +1680,44 @@ interface(`userdom_setattr_user_ptys',`
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_create_user_pty',`
 +interface(`userdom_attach_admin_tun_iface',`
- 	gen_require(`
--		type user_devpts_t;
++	gen_require(`
 +		attribute admindomain;
 +	')
 +
@@ -65758,11 +67183,9 @@ index 4b2878a..fd5c0a5 100644
 +## </param>
 +#
 +interface(`userdom_create_user_pty',`
-+	gen_require(`
-+		type user_devpts_t;
+ 	gen_require(`
+ 		type user_devpts_t;
  	')
- 
- 	term_create_pty($1, user_devpts_t)
 @@ -1395,6 +1778,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
@@ -66528,7 +67951,7 @@ index 4b2878a..fd5c0a5 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3825,1075 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3825,1076 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -66580,7 +68003,8 @@ index 4b2878a..fd5c0a5 100644
 +	typeattribute $2  $1_usertype;
 +	typeattribute $2  unpriv_userdomain;
 +	typeattribute $2  userdomain;
-+
++	
++	auth_use_nsswitch($2)
 +	ubac_constrained($2)
 +')
 +
@@ -68034,7 +69458,7 @@ index bdd500c..4719351 100644
  
  define(`admin_pattern',`
 diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
-index 22ca011..df6b5de 100644
+index 22ca011..823794e 100644
 --- a/policy/support/misc_patterns.spt
 +++ b/policy/support/misc_patterns.spt
 @@ -15,7 +15,7 @@ define(`spec_domtrans_pattern',`
@@ -68046,20 +69470,15 @@ index 22ca011..df6b5de 100644
  	allow $3 $1:process sigchld;
  ')
  
-@@ -34,8 +34,12 @@ define(`domtrans_pattern',`
+@@ -34,7 +34,7 @@ define(`domtrans_pattern',`
  	domain_auto_transition_pattern($1,$2,$3)
  
  	allow $3 $1:fd use;
 -	allow $3 $1:fifo_file rw_fifo_file_perms;
 +	allow $3 $1:fifo_file rw_inherited_fifo_file_perms;
  	allow $3 $1:process sigchld;
-+
-+	ifdef(`hide_broken_symptoms', `
-+		dontaudit $3 $1:socket_class_set { read write };
-+	')
  ')
  
- #
 diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
 index f7380b3..fb62555 100644
 --- a/policy/support/obj_perm_sets.spt
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cbff720..b498729 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,9 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jul 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-11
+- More fixes of rules which cause an explosion in rules by Dan Walsh
+
 * Tue Jul 26 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-10
 - Allow rcsmcertd to perform DNS name resolution
 - Add dirsrvadmin_unconfined_script_t domain type for 389-ds admin scripts