diff --git a/policy-F16.patch b/policy-F16.patch
index ee7f839..23d0811 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -281,7 +281,7 @@ index 358ce7c..e5dc022 100644
 +
  ') dnl end enable_mcs
 diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
-index e66c296..61f738b 100644
+index e66c296..993a1e9 100644
 --- a/policy/modules/admin/acct.if
 +++ b/policy/modules/admin/acct.if
 @@ -78,3 +78,21 @@ interface(`acct_manage_data',`
@@ -295,7 +295,7 @@ index e66c296..61f738b 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -1566,7 +1566,7 @@ index c633aea..d1e56f6 100644
  
  ifdef(`hide_broken_symptoms',`
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..2718561 100644
+index af55369..6059aed 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
 @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1625,17 +1625,17 @@ index af55369..2718561 100644
  optional_policy(`
 -	rpm_manage_tmp_files(prelink_t)
 +	gnome_dontaudit_read_config(prelink_t)
-+')
-+
-+optional_policy(`
-+	nsplugin_manage_rw_files(prelink_t)
  ')
  
  optional_policy(`
 -	unconfined_domain(prelink_t)
-+	rpm_manage_tmp_files(prelink_t)
++	nsplugin_manage_rw_files(prelink_t)
  ')
  
++optional_policy(`
++	rpm_manage_tmp_files(prelink_t)
++')
++
 +#optional_policy(`
 +#	unconfined_domain(prelink_t)
 +#')
@@ -1651,11 +1651,13 @@ index af55369..2718561 100644
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +163,26 @@ optional_policy(`
+@@ -148,17 +163,28 @@ optional_policy(`
  	files_read_etc_files(prelink_cron_system_t)
  	files_search_var_lib(prelink_cron_system_t)
  
 -	init_exec(prelink_cron_system_t)
++	fs_search_cgroup_dirs(prelink_cron_system_t)
++
 +	init_telinit(prelink_cron_system_t)
  
  	libs_exec_ld_so(prelink_cron_system_t)
@@ -3217,7 +3219,7 @@ index 0000000..1f468aa
 +/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
-index 0000000..e921f24
+index 0000000..ae9c0c5
 --- /dev/null
 +++ b/policy/modules/apps/chrome.if
 @@ -0,0 +1,107 @@
@@ -3317,7 +3319,7 @@ index 0000000..e921f24
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -3691,7 +3693,7 @@ index 0000000..ce498b3
 +
 diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if
 new file mode 100644
-index 0000000..7fe26f3
+index 0000000..2bd5790
 --- /dev/null
 +++ b/policy/modules/apps/firewallgui.if
 @@ -0,0 +1,41 @@
@@ -3725,7 +3727,7 @@ index 0000000..7fe26f3
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -3873,10 +3875,10 @@ index 00a19e3..55075f9 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..3587c52 100644
+index f5afe78..3ca01ec 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,605 @@
+@@ -1,44 +1,623 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -4085,7 +4087,7 @@ index f5afe78..3587c52 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -4103,7 +4105,7 @@ index f5afe78..3587c52 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -4263,6 +4265,24 @@ index f5afe78..3587c52 100644
 +
 +########################################
 +## <summary>
++##	Dontaudit read/write to generic cache home files (.cache)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`gnome_dontaudit_rw_generic_cache_files',`
++	gen_require(`
++		type cache_home_t;
++	')
++
++	dontaudit $1 cache_home_t:file rw_inherited_file_perms;
++')
++
++########################################
++## <summary>
 +##	read gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
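Review bot: The summary of the new `gnome_dontaudit_rw_generic_cache_files` says "read/write", but the rule silences only `rw_inherited_file_perms`, which as far as I know leaves out `open` in this policy's permission sets. That means it hides access through descriptors a domain inherited (leaked fds), not files it opens itself, and a policy writer picking the interface by its summary would expect more to be silenced than actually is. I would word the summary as `##	Do not audit attempts to read and write inherited generic cache home files (.cache)` so the doc matches the rule.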
@@ -4501,7 +4521,7 @@ index f5afe78..3587c52 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +607,37 @@ interface(`gnome_role',`
+@@ -46,37 +625,37 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -4551,7 +4571,7 @@ index f5afe78..3587c52 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +645,37 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +663,37 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -4600,7 +4620,7 @@ index f5afe78..3587c52 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +683,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +701,17 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -4622,7 +4642,7 @@ index f5afe78..3587c52 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +701,335 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +719,335 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -4913,7 +4933,7 @@ index f5afe78..3587c52 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`gnome_user_home_dir_filetrans',`
++interface(`gnome_filetrans_home_content',`
 +
 +gen_require(`
 +	type config_home_t;
@@ -4950,7 +4970,7 @@ index f5afe78..3587c52 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`gnome_admin_home_dir_filetrans',`
++interface(`gnome_filetrans_admin_home_content',`
 +
 +gen_require(`
 +	type config_home_t;
@@ -5914,7 +5934,7 @@ index f63c4c2..bf59895 100644
  	policykit_dbus_chat(kdumpgui_t)
  ')
 diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
-index 12b772f..b67cf26 100644
+index 12b772f..1d203dc 100644
 --- a/policy/modules/apps/livecd.if
 +++ b/policy/modules/apps/livecd.if
 @@ -41,6 +41,8 @@ interface(`livecd_run',`
@@ -5934,7 +5954,7 @@ index 12b772f..b67cf26 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -6172,7 +6192,7 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..19de023 100644
+index 9a6d67d..c499e03 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -6338,7 +6358,7 @@ index 9a6d67d..19de023 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -9645,10 +9665,10 @@ index 0000000..6878d68
 +
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..8791119
+index 0000000..a6cb11d
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,338 @@
+@@ -0,0 +1,336 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -9665,6 +9685,14 @@ index 0000000..8791119
 +## </desc>
 +gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
 +
++## <desc>
++## <p>
++##  Allow the Telepathy connection managers
++##  to connect to any network port.
++## </p>
++## </desc>
++gen_tunable(telepathy_connect_all_ports, true)
++
 +attribute telepathy_domain;
 +attribute telepathy_executable;
 +
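Review bot: `gen_tunable(telepathy_connect_all_ports, true)` ships enabled, so the `tunable_policy` block added further down in this file lets every domain in `telepathy_domain` connect to any TCP port on a default install. The per-manager `corenet_tcp_connect_*_port` rules and the existing `telepathy_tcp_connect_generic_network_ports` (default `false`) then appear to add nothing unless an administrator turns the boolean off. Consider `gen_tunable(telepathy_connect_all_ports, false)`, or say in the `<desc>` that it is on by default and why. The `<desc>` also mentions only connecting, while the block additionally calls `corenet_udp_sendrecv_all_ports`.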
@@ -9697,7 +9725,6 @@ index 0000000..8791119
 +#
 +
 +allow telepathy_msn_t self:process setsched;
-+allow telepathy_msn_t self:netlink_route_socket create_netlink_socket_perms;
 +allow telepathy_msn_t self:unix_dgram_socket { write create connect };
 +
 +manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -9717,6 +9744,7 @@ index 0000000..8791119
 +corenet_tcp_connect_msnp_port(telepathy_msn_t)
 +corenet_tcp_connect_sametime_port(telepathy_msn_t)
 +corenet_tcp_connect_ssdp_port(telepathy_msn_t)
++corenet_tcp_connect_sip_port(telepathy_msn_t)
 +
 +corecmd_exec_bin(telepathy_msn_t)
 +corecmd_exec_shell(telepathy_msn_t)
@@ -9725,8 +9753,6 @@ index 0000000..8791119
 +files_read_etc_files(telepathy_msn_t)
 +files_read_usr_files(telepathy_msn_t)
 +
-+auth_use_nsswitch(telepathy_msn_t)
-+
 +init_read_state(telepathy_msn_t)
 +
 +libs_exec_ldconfig(telepathy_msn_t)
@@ -9735,8 +9761,6 @@ index 0000000..8791119
 +
 +miscfiles_read_all_certs(telepathy_msn_t)
 +
-+sysnet_read_config(telepathy_msn_t)
-+
 +userdom_read_all_users_state(telepathy_msn_t)
 +
 +optional_policy(`
@@ -9755,7 +9779,6 @@ index 0000000..8791119
 +# Telepathy Gabble local policy.
 +#
 +
-+allow telepathy_gabble_t self:netlink_route_socket create_netlink_socket_perms;
 +allow telepathy_gabble_t self:tcp_socket { listen accept };
 +allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto };
 +
@@ -9785,9 +9808,9 @@ index 0000000..8791119
 +files_read_config_files(telepathy_gabble_t)
 +files_read_usr_files(telepathy_gabble_t)
 +
-+miscfiles_read_all_certs(telepathy_gabble_t)
++fs_getattr_all_fs(telepathy_gabble_t)
 +
-+sysnet_read_config(telepathy_gabble_t)
++miscfiles_read_all_certs(telepathy_gabble_t)
 +
 +optional_policy(`
 +        dbus_system_bus_client(telepathy_gabble_t)
@@ -9812,8 +9835,6 @@ index 0000000..8791119
 +# Telepathy Idle local policy.
 +#
 +
-+allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms;
-+
 +corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
 +corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
 +corenet_tcp_connect_ircd_port(telepathy_idle_t)
@@ -9822,8 +9843,6 @@ index 0000000..8791119
 +
 +files_read_etc_files(telepathy_idle_t)
 +
-+sysnet_read_config(telepathy_idle_t)
-+
 +#######################################
 +#
 +# Telepathy Mission-Control local policy.
@@ -9851,8 +9870,6 @@ index 0000000..8791119
 +        fs_manage_cifs_files(telepathy_mission_control_t)
 +')
 +
-+auth_use_nsswitch(telepathy_mission_control_t)
-+
 +# ~/.cache/.mc_connections.
 +optional_policy(`
 +        manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
@@ -9870,8 +9887,6 @@ index 0000000..8791119
 +#
 +# Telepathy Salut local policy.
 +#
-+
-+allow telepathy_salut_t self:netlink_route_socket create_netlink_socket_perms;
 +allow telepathy_salut_t self:tcp_socket { accept listen };
 +
 +manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
@@ -9883,8 +9898,6 @@ index 0000000..8791119
 +
 +files_read_etc_files(telepathy_salut_t)
 +
-+sysnet_read_config(telepathy_salut_t)
-+
 +optional_policy(`
 +        dbus_system_bus_client(telepathy_salut_t)
 +
@@ -9897,19 +9910,17 @@ index 0000000..8791119
 +#
 +# Telepathy Sofiasip local policy.
 +#
-+
-+allow telepathy_sofiasip_t self:netlink_route_socket create_netlink_socket_perms;
 +allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
 +allow telepathy_sofiasip_t self:tcp_socket { listen };
 +
 +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
 +corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
 +corenet_udp_bind_all_ports(telepathy_sofiasip_t)
++corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
++corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
 +
 +kernel_request_load_module(telepathy_sofiasip_t)
 +
-+sysnet_read_config(telepathy_sofiasip_t)
-+
 +#######################################
 +#
 +# Telepathy Sunshine local policy.
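Review bot: `corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)` has no comment saying why the denials are expected, and it suppresses the audit record for every TCP bind this domain is refused outside the unreserved range allowed on the line above. A bind to a reserved port by this network-facing domain would then be denied silently, which removes a signal that is useful when investigating odd behaviour. If the rule is there to quiet a known harmless probe, put that above it, e.g. `# dontaudit: <why sofiasip tries these binds>`, so the rule can be dropped once the cause is fixed.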
@@ -9959,9 +9970,9 @@ index 0000000..8791119
 +
 +fs_search_auto_mountpoints(telepathy_domain)
 +
-+miscfiles_read_localization(telepathy_domain)
++auth_use_nsswitch(telepathy_domain)
 +
-+sysnet_dns_name_resolve(telepathy_domain)
++miscfiles_read_localization(telepathy_domain)
 +
 +# This interface does not facilitate files_search_tmp which appears to be a bug.
 +userdom_stream_connect(telepathy_domain)
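Review bot: `auth_use_nsswitch(telepathy_domain)` replaces `sysnet_dns_name_resolve(telepathy_domain)` for the whole attribute, while the lines removed in the earlier hunks show that only `telepathy_msn_t` and `telepathy_mission_control_t` called `auth_use_nsswitch` before. Gabble, idle, salut, sofiasip and any other domain in the attribute therefore move from DNS resolution plus `sysnet_read_config` to the full name-service interface, which is presumably a superset. If that widening is intended, a short comment above the line such as `# all connection managers resolve users/hosts through nsswitch` would record it. Otherwise keep `sysnet_dns_name_resolve(telepathy_domain)` here and leave `auth_use_nsswitch` on the two domains that had it.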
@@ -9972,12 +9983,19 @@ index 0000000..8791119
 +        corenet_sendrecv_generic_client_packets(telepathy_domain)
 +')
 +
++tunable_policy(`telepathy_connect_all_ports', `
++        corenet_tcp_connect_all_ports(telepathy_domain)
++        corenet_tcp_sendrecv_all_ports(telepathy_domain)
++		corenet_udp_sendrecv_all_ports(telepathy_domain)
++')
++
 +optional_policy(`
 +        automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
 +')
 +
 +optional_policy(`
-+        nis_use_ypbind(telepathy_domain)
++	gnome_read_generic_cache_files(telepathy_domain)
++	gnome_write_generic_cache_files(telepathy_domain)
 +')
 +
 +optional_policy(`
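Review bot: `gnome_read_generic_cache_files(telepathy_domain)` and `gnome_write_generic_cache_files(telepathy_domain)` are granted to the whole attribute, so every network-facing connection manager can write generic `~/.cache` content shared with other desktop applications. Mission-control already has a private `telepathy_mission_control_cache_home_t` earlier in this file. If only some managers need the generic cache, scope the two calls to those domains, or add a comment naming the file that requires it. On style, `corenet_udp_sendrecv_all_ports(telepathy_domain)` in the new `tunable_policy` block is tab-indented while its two siblings use eight spaces.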
@@ -10720,9 +10738,18 @@ index 34c9d01..0d54b2c 100644
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
-index 9e9263a..24018ce 100644
+index 9e9263a..32826ad 100644
 --- a/policy/modules/kernel/corecommands.if
 +++ b/policy/modules/kernel/corecommands.if
+@@ -203,7 +203,7 @@ interface(`corecmd_getattr_bin_files',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -1049,6 +1049,7 @@ interface(`corecmd_manage_all_executables',`
  		type bin_t;
  	')
@@ -11119,7 +11146,7 @@ index 6cf8784..5b25039 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..f8b1eee 100644
+index e9313fb..ddb84e0 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -11208,6 +11235,15 @@ index e9313fb..f8b1eee 100644
  ##	Dontaudit getattr on generic block devices.
  ## </summary>
  ## <param name="domain">
+@@ -628,7 +683,7 @@ interface(`dev_rw_generic_blk_files',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to dontaudit access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -715,7 +770,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',`
  
  ########################################
@@ -11493,6 +11529,15 @@ index e9313fb..f8b1eee 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
+@@ -2663,7 +2914,7 @@ interface(`dev_write_misc',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -3192,24 +3443,6 @@ interface(`dev_rw_printer',`
  
  ########################################
@@ -12410,7 +12455,7 @@ index 3ff4f60..89ffda6 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index aad8c52..e957e76 100644
+index aad8c52..53b0624 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',`
@@ -12448,7 +12493,7 @@ index aad8c52..e957e76 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -630,7 +649,7 @@ interface(`domain_getattr_all_domains',`
+@@ -630,11 +649,11 @@ interface(`domain_getattr_all_domains',`
  
  ########################################
  ## <summary>
@@ -12457,6 +12502,11 @@ index aad8c52..e957e76 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -886,6 +905,24 @@ interface(`domain_getsched_all_domains',`
  
  ########################################
@@ -12526,7 +12576,7 @@ index aad8c52..e957e76 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -12866,7 +12916,7 @@ index 16108f6..de3c68f 100644
 +
 +/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..4f3ff26 100644
+index 958ca84..1204be0 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -12987,7 +13037,7 @@ index 958ca84..4f3ff26 100644
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
@@ -13038,7 +13088,7 @@ index 958ca84..4f3ff26 100644
 +## </summary>
 +## <param name="domain">
 +##      <summary>
-+##      Domain allowed access.
++##	Domain to not audit.
 +##      </summary>
 +## </param>
 +#
@@ -13053,6 +13103,15 @@ index 958ca84..4f3ff26 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
+@@ -2379,7 +2504,7 @@ interface(`files_read_etc_files',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -2453,6 +2578,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
@@ -13127,7 +13186,7 @@ index 958ca84..4f3ff26 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -13195,7 +13254,7 @@ index 958ca84..4f3ff26 100644
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
@@ -13354,6 +13413,24 @@ index 958ca84..4f3ff26 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
+@@ -3774,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -3846,7 +4200,7 @@ interface(`files_list_tmp',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -3858,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
@@ -13379,12 +13456,13 @@ index 958ca84..4f3ff26 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -3914,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,25 +4286,33 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
+-##	Manage temporary files and directories in /tmp.
 +##	Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -13393,52 +13471,91 @@ index 958ca84..4f3ff26 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_execmod_tmp',`
+ 	gen_require(`
+-		type tmp_t;
++		attribute tmpfile;
+ 	')
+ 
+-	manage_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmpfile:file execmod;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in the tmp directory (/tmp).
++##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3940,17 +4320,35 @@ interface(`files_manage_generic_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_symlinks',`
++interface(`files_manage_generic_tmp_files',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	manage_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic named sockets in the tmp directory (/tmp).
++##	Read symbolic links in the tmp directory (/tmp).
++## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_execmod_tmp',`
++interface(`files_read_generic_tmp_symlinks',`
 +	gen_require(`
-+		attribute tmpfile;
++		type tmp_t;
 +	')
 +
-+	allow $1 tmpfile:file execmod;
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Manage temporary files and directories in /tmp.
++##	Read and write generic named sockets in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -3968,7 +4366,7 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	<summary>
+@@ -3968,6 +4366,84 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
--##	Set the attributes of all tmp directories.
 +##	Relabel a dir from the type used in /tmp.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -3976,17 +4374,95 @@ interface(`files_rw_generic_tmp_sockets',`
- ##	</summary>
- ## </param>
- #
--interface(`files_setattr_all_tmp_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_relabelfrom_tmp_dirs',`
- 	gen_require(`
--		attribute tmpfile;
++	gen_require(`
 +		type tmp_t;
- 	')
- 
--	allow $1 tmpfile:dir { search_dir_perms setattr };
++	')
++
 +	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
- ')
- 
- ########################################
- ## <summary>
--##	List all tmp directories.
++')
++
++########################################
++## <summary>
 +##	Relabel a file from the type used in /tmp.
 +## </summary>
 +## <param name="domain">
@@ -13499,28 +13616,27 @@ index 958ca84..4f3ff26 100644
 +
 +########################################
 +## <summary>
-+##	Set the attributes of all tmp directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_setattr_all_tmp_dirs',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	allow $1 tmpfile:dir { search_dir_perms setattr };
-+')
-+
-+########################################
-+## <summary>
-+##	List all tmp directories.
+ ##	Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -4009,7 +4485,7 @@ interface(`files_list_all_tmp',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -4047,7 +4523,7 @@ interface(`files_getattr_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
+-##	Domain not to audit.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -4103,7 +4579,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
@@ -14128,7 +14244,7 @@ index 958ca84..4f3ff26 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -14261,7 +14377,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..79b4c0f 100644
+index dfe361a..1c83074 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -14310,7 +14426,7 @@ index dfe361a..79b4c0f 100644
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
@@ -14770,6 +14886,24 @@ index dfe361a..79b4c0f 100644
  ')
  
  ########################################
+@@ -2587,7 +2911,7 @@ interface(`fs_search_removable',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -2623,7 +2947,7 @@ interface(`fs_read_removable_files',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',`
  
  ########################################
@@ -14778,7 +14912,7 @@ index dfe361a..79b4c0f 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain not to audit.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -14905,7 +15039,7 @@ index dfe361a..79b4c0f 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -14931,6 +15065,15 @@ index dfe361a..79b4c0f 100644
  ')
  
  ########################################
+@@ -4317,7 +4737,7 @@ interface(`fs_unmount_all_fs',`
+ ## <desc>
+ ##	<p>
+ ##	Allow the specified domain to
+-##	et the attributes of all filesystems.
++##	get the attributes of all filesystems.
+ ##	Example attributes:
+ ##	</p>
+ ##	<ul>
 @@ -4681,3 +5101,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
@@ -14943,7 +15086,7 @@ index dfe361a..79b4c0f 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -15043,7 +15186,7 @@ index e49c148..4d6bbf4 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 069d36c..78a81b3 100644
+index 069d36c..8cbeefb 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -735,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
@@ -15108,6 +15251,15 @@ index 069d36c..78a81b3 100644
  ')
  
  ########################################
+@@ -2254,7 +2293,7 @@ interface(`kernel_read_unlabeled_state',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -2436,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
@@ -15226,7 +15378,7 @@ index 069d36c..78a81b3 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 5001b89..fef153d 100644
+index 5001b89..e1fe78d 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -15266,7 +15418,7 @@ index 5001b89..fef153d 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -268,19 +275,28 @@ files_list_root(kernel_t)
+@@ -268,19 +275,40 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -15292,10 +15444,22 @@ index 5001b89..fef153d 100644
  ')
  
 +
++optional_policy(`
++	apache_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++	gnome_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++	kerberos_filetrans_home_content(kernel_t)
++')
++
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -296,6 +312,11 @@ optional_policy(`
+@@ -296,6 +324,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
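Review bot: The added `optional_policy` blocks calling `apache_filetrans_home_content(kernel_t)`, `gnome_filetrans_home_content(kernel_t)` and `kerberos_filetrans_home_content(kernel_t)` carry no comment explaining why `kernel_t` needs home-content file transitions. The next hunk adds the same for mta, ssh, virt and xserver. Judging by the interface names, these set the labels of files `kernel_t` creates in home directories, alongside the existing generic `userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })`, but nothing says which process running as `kernel_t` this is for. A one-line comment above the first block would do, e.g. `# kernel_t: label home content created by <process> correctly`, with the process filled in. Grouping the seven near-identical blocks under that comment would also make a later audit of what `kernel_t` is granted easier.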
@@ -15303,16 +15467,29 @@ index 5001b89..fef153d 100644
 +')
 +
 +optional_policy(`
++	mta_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
++	ssh_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
 +	userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })
  ')
  
  optional_policy(`
-@@ -357,6 +378,10 @@ optional_policy(`
+@@ -357,6 +398,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
 +optional_policy(`
++	virt_filetrans_home_content(kernel_t)
++')
++
++optional_policy(`
 +	xserver_xdm_manage_spool(kernel_t)
++	xserver_filetrans_home_content(kernel_t)
 +')
 +
  ########################################
@@ -15874,7 +16051,7 @@ index 3994e57..a1923fe 100644
 +
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..0082923 100644
+index f3acfee..5260651 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -16022,6 +16199,15 @@ index f3acfee..0082923 100644
  ')
  
  ########################################
+@@ -903,7 +982,7 @@ interface(`term_getattr_all_user_ptys',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',`
  	')
  
@@ -16114,6 +16300,15 @@ index f3acfee..0082923 100644
  ')
  
  ########################################
+@@ -1467,7 +1570,7 @@ interface(`term_use_all_user_ttys',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
 @@ -1475,3 +1578,382 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
@@ -16623,7 +16818,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..95ff489 100644
+index 2be17d2..ddb6f0a 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,51 @@ policy_module(staff, 2.2.0)
@@ -16678,7 +16873,7 @@ index 2be17d2..95ff489 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,25 +66,140 @@ optional_policy(`
+@@ -27,25 +66,139 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16701,7 +16896,6 @@ index 2be17d2..95ff489 100644
 +optional_policy(`
 +	gnome_role(staff_r, staff_t)
 +	gnome_role_gkeyringd(staff, staff_r, staff_t)
-+	permissive staff_gkeyringd_t;
 +')
 +
 +optional_policy(`
@@ -16752,7 +16946,7 @@ index 2be17d2..95ff489 100644
  optional_policy(`
 +	qemu_run(staff_t, staff_r)
 +	virt_manage_tmpfs_files(staff_t)
-+	virt_user_home_dir_filetrans(staff_t)
++	virt_filetrans_home_content(staff_t)
 +')
 +
 +optional_policy(`
@@ -16821,7 +17015,7 @@ index 2be17d2..95ff489 100644
  
  optional_policy(`
  	vlock_run(staff_t, staff_r)
-@@ -89,10 +243,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +242,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16832,7 +17026,7 @@ index 2be17d2..95ff489 100644
  		gpg_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +287,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +286,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16843,7 +17037,7 @@ index 2be17d2..95ff489 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +318,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +317,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -16852,7 +17046,7 @@ index 2be17d2..95ff489 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..65a8661 100644
+index 4a8d146..4fb9455 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,55 @@ ifndef(`enable_mls',`
@@ -16906,7 +17100,7 @@ index 4a8d146..65a8661 100644
 +userdom_manage_user_tmp_blk_files(sysadm_t)
 +
 +optional_policy(`
-+	ssh_admin_home_dir_filetrans(sysadm_t)
++	ssh_filetrans_admin_home_content(sysadm_t)
 +')
  
  ifdef(`direct_sysadm_daemon',`
@@ -17133,7 +17327,7 @@ index 4a8d146..65a8661 100644
  optional_policy(`
 -	wireshark_role(sysadm_r, sysadm_t)
 +	virt_stream_connect(sysadm_t)
-+	virt_user_home_dir_filetrans(sysadm_t)
++	virt_filetrans_home_content(sysadm_t)
  ')
  
  optional_policy(`
@@ -17157,7 +17351,7 @@ index 4a8d146..65a8661 100644
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
-+		gnome_admin_home_dir_filetrans(sysadm_t)
++		gnome_filetrans_admin_home_content(sysadm_t)
  	')
  
  	optional_policy(`
@@ -17932,7 +18126,7 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..4c5f006
+index 0000000..4cf791b
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
 @@ -0,0 +1,525 @@
@@ -18035,7 +18229,7 @@ index 0000000..4c5f006
 +sysnet_etc_filetrans_config(unconfined_t, yp.conf)
 +
 +optional_policy(`
-+	ssh_admin_home_dir_filetrans(unconfined_t)
++	ssh_filetrans_admin_home_content(unconfined_t)
 +')
 +
 +mcs_killall(unconfined_t)
@@ -18237,7 +18431,7 @@ index 0000000..4c5f006
 +	optional_policy(`
 +		gnomeclock_dbus_chat(unconfined_usertype)
 +		gnome_dbus_chat_gconfdefault(unconfined_usertype)
-+		gnome_admin_home_dir_filetrans(unconfined_usertype)
++		gnome_filetrans_admin_home_content(unconfined_usertype)
 +	')
 +
 +	optional_policy(`
@@ -18383,7 +18577,7 @@ index 0000000..4c5f006
 +
 +optional_policy(`
 +	virt_transition_svirt(unconfined_t, unconfined_r)
-+	virt_user_home_dir_filetrans(unconfined_t)
++	virt_filetrans_home_content(unconfined_t)
 +')
 +
 +optional_policy(`
@@ -22673,7 +22867,7 @@ index 0000000..18f37e2
 +/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
 diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if
 new file mode 100644
-index 0000000..3964548
+index 0000000..d1fd21d
 --- /dev/null
 +++ b/policy/modules/services/bugzilla.if
 @@ -0,0 +1,80 @@
@@ -22705,7 +22899,7 @@ index 0000000..3964548
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -24616,10 +24810,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..e79f653
+index 0000000..13278c0
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,106 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -24637,10 +24831,16 @@ index 0000000..e79f653
 +type colord_tmp_t;
 +files_tmp_file(colord_tmp_t)
 +
++type colord_tmpfs_t;
++files_tmpfs_file(colord_tmpfs_t)
++
 +########################################
 +#
 +# colord local policy
 +#
++
++allow colord_t self:process signal;
++
 +allow colord_t self:fifo_file rw_fifo_file_perms;
 +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow colord_t self:udp_socket create_socket_perms;
@@ -24650,6 +24850,10 @@ index 0000000..e79f653
 +manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 +files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
 +
++manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
++manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t)
++fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file })
++
 +manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
@@ -24717,7 +24921,7 @@ index 0000000..e79f653
 +	udev_read_db(colord_t)
 +')
 diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
-index fd15dfe..ad224fa 100644
+index fd15dfe..0716ee4 100644
 --- a/policy/modules/services/consolekit.if
 +++ b/policy/modules/services/consolekit.if
 @@ -5,9 +5,9 @@
@@ -24741,7 +24945,7 @@ index fd15dfe..ad224fa 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -25947,7 +26151,7 @@ index 305ddf4..777091a 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..cda064a 100644
+index 0f28095..a3a6265 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -26059,11 +26263,12 @@ index 0f28095..cda064a 100644
  
  files_search_all_mountpoints(cupsd_config_t)
  
-@@ -425,11 +438,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +438,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
 +userdom_rw_user_tmp_files(cupsd_config_t)
++userdom_read_user_tmp_symlinks(cupsd_config_t)
  
  cups_stream_connect(cupsd_config_t)
  
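Review bot: The added `userdom_read_user_tmp_symlinks(cupsd_config_t)` sits directly under `userdom_rw_user_tmp_files(cupsd_config_t)` with no comment saying why the printer configuration domain needs to resolve symbolic links in a user's temporary directory. Taken together, the two calls presumably let cupsd_config_t read and write a file it reached through a link the user created. Type enforcement still limits what the link target can be, but this is a combination a later audit will question. I would record the reason next to the rule, for example `# PLACEHOLDER: program and path that need this, with the bug reference`, or narrow the access if only one path is involved.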
@@ -26072,7 +26277,7 @@ index 0f28095..cda064a 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +465,10 @@ optional_policy(`
+@@ -453,6 +466,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26083,7 +26288,7 @@ index 0f28095..cda064a 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +483,10 @@ optional_policy(`
+@@ -467,6 +484,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26094,7 +26299,7 @@ index 0f28095..cda064a 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -587,13 +607,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +608,17 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -26114,7 +26319,7 @@ index 0f28095..cda064a 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +630,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +631,10 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(cups_pdf_t)
  ')
  
@@ -26125,7 +26330,7 @@ index 0f28095..cda064a 100644
  ########################################
  #
  # HPLIP local policy
-@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -26134,7 +26339,7 @@ index 0f28095..cda064a 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -26142,7 +26347,7 @@ index 0f28095..cda064a 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -26156,7 +26361,7 @@ index 0f28095..cda064a 100644
  optional_policy(`
  	dbus_system_bus_client(hplip_t)
 diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if
-index c43ff4c..a9783e3 100644
+index c43ff4c..6ca9a6b 100644
 --- a/policy/modules/services/cvs.if
 +++ b/policy/modules/services/cvs.if
 @@ -1,5 +1,23 @@
@@ -26168,7 +26373,7 @@ index c43ff4c..a9783e3 100644
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
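Review bot: The replacement line `+##	Domain to not audit.` is indented with a tab, while the `##  <summary>` and `##  </summary>` lines around it in this cvs.if comment block use two spaces, so the block now mixes both. Keeping the existing indentation, `+##  Domain to not audit.`, would leave the parameter description aligned with its neighbours. The same tab-for-spaces substitution appears in the git.if and mock.if comment hunks and in the second xserver.if comment hunk further down.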
@@ -28777,7 +28982,7 @@ index f28f64b..18c3c33 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if
-index f590a1f..87f6bfb 100644
+index f590a1f..3cc3f80 100644
 --- a/policy/modules/services/fail2ban.if
 +++ b/policy/modules/services/fail2ban.if
 @@ -5,9 +5,9 @@
@@ -28812,7 +29017,7 @@ index f590a1f..87f6bfb 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -29377,7 +29582,7 @@ index 54f0737..2b552c5 100644
 +/var/www/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
 +/var/www/git/gitweb.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
-index 458aac6..03645a9 100644
+index 458aac6..8e83609 100644
 --- a/policy/modules/services/git.if
 +++ b/policy/modules/services/git.if
 @@ -1 +1,539 @@
@@ -29763,7 +29968,7 @@ index 458aac6..03645a9 100644
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
@@ -31376,7 +31581,7 @@ index 3525d24..923e979 100644
  /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..414cfb4 100644
+index 604f67b..04309ea 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
 @@ -26,9 +26,9 @@
@@ -31505,7 +31710,7 @@ index 604f67b..414cfb4 100644
  	')
  
  	allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +374,110 @@ interface(`kerberos_admin',`
+@@ -378,3 +374,108 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -31609,8 +31814,6 @@ index 604f67b..414cfb4 100644
 +	#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal1)
 +
 +	kerberos_etc_filetrans_keytab($1, krb5.keytab)
-+	# this is defined in userdom_login_user_template
-+	#kerberos_filetrans_home_content($1)
 +	kerberos_filetrans_admin_home_content($1)
 +
 +	kerberos_tmp_filetrans_host_rcache($1, host_0)
@@ -33091,7 +33294,7 @@ index 0000000..68ad33f
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
 new file mode 100644
-index 0000000..f60483e
+index 0000000..ec2832c
 --- /dev/null
 +++ b/policy/modules/services/mock.if
 @@ -0,0 +1,272 @@
@@ -33254,7 +33457,7 @@ index 0000000..f60483e
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
@@ -35678,7 +35881,7 @@ index 2324d9e..8069487 100644
 +	append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..8f8c519 100644
+index 0619395..863ba2d 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -35739,7 +35942,15 @@ index 0619395..8f8c519 100644
  manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
  files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -133,30 +155,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -100,6 +122,7 @@ dev_read_rand(NetworkManager_t)
+ dev_read_urand(NetworkManager_t)
+ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+ dev_getattr_all_chr_files(NetworkManager_t)
++dev_rw_wireless(NetworkManager_t)
+ 
+ fs_getattr_all_fs(NetworkManager_t)
+ fs_search_auto_mountpoints(NetworkManager_t)
+@@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t)
  miscfiles_read_localization(NetworkManager_t)
  miscfiles_read_generic_certs(NetworkManager_t)
  
@@ -35779,7 +35990,7 @@ index 0619395..8f8c519 100644
  ')
  
  optional_policy(`
-@@ -172,14 +201,21 @@ optional_policy(`
+@@ -172,14 +202,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35802,7 +36013,7 @@ index 0619395..8f8c519 100644
  	')
  ')
  
-@@ -202,6 +238,17 @@ optional_policy(`
+@@ -202,6 +239,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35820,7 +36031,7 @@ index 0619395..8f8c519 100644
  	iptables_domtrans(NetworkManager_t)
  ')
  
-@@ -219,6 +266,11 @@ optional_policy(`
+@@ -219,6 +267,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35832,7 +36043,7 @@ index 0619395..8f8c519 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -263,6 +315,7 @@ optional_policy(`
+@@ -263,6 +316,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -38809,7 +39020,7 @@ index 46bee12..37bd751 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..8bf015c 100644
+index 06e37d4..38fe95a 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -39047,7 +39258,16 @@ index 06e37d4..8bf015c 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +564,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -507,6 +552,8 @@ optional_policy(`
+ # Postfix qmgr local policy
+ #
+ 
++allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms;
++
+ stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
+ 
+ rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
+@@ -519,7 +566,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -39056,7 +39276,7 @@ index 06e37d4..8bf015c 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +584,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +586,7 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -39065,7 +39285,7 @@ index 06e37d4..8bf015c 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +633,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +635,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -39082,7 +39302,7 @@ index 06e37d4..8bf015c 100644
  ')
  
  optional_policy(`
-@@ -611,8 +662,8 @@ optional_policy(`
+@@ -611,8 +664,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -39092,7 +39312,7 @@ index 06e37d4..8bf015c 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +681,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +683,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -45101,7 +45321,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..de9d29e 100644
+index 22adaca..0ecf6e4 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -45418,7 +45638,7 @@ index 22adaca..de9d29e 100644
  ')
  
  ######################################
-@@ -735,3 +795,61 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +795,62 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -45452,7 +45672,7 @@ index 22adaca..de9d29e 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`ssh_admin_home_dir_filetrans',`
++interface(`ssh_filetrans_admin_home_content',`
 +	gen_require(`
 +		type ssh_home_t;
 +	')
@@ -45472,7 +45692,8 @@ index 22adaca..de9d29e 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`ssh_user_home_dir_filetrans',`
++interface(`ssh_filetrans_home_content',`
++	
 +	gen_require(`
 +		type ssh_home_t;
 +	')
@@ -47064,7 +47285,7 @@ index 2124b6a..9682c44 100644
 +/var/lib/oz(/.*)?					gen_context(system_u:object_r:virt_var_lib_t,s0)
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..05a7054 100644
+index 7c5d8d8..16f69c9 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,14 +13,15 @@
@@ -47249,7 +47470,7 @@ index 7c5d8d8..05a7054 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -47494,7 +47715,7 @@ index 7c5d8d8..05a7054 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`virt_user_home_dir_filetrans',`
++interface(`virt_filetrans_home_content',`
 +	gen_require(`
 +		type virt_home_t;
 +	')
@@ -48245,10 +48466,10 @@ index 0000000..b9104b7
 +')
 diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
 new file mode 100644
-index 0000000..a7de540
+index 0000000..90b8072
 --- /dev/null
 +++ b/policy/modules/services/vnstatd.te
-@@ -0,0 +1,73 @@
+@@ -0,0 +1,78 @@
 +policy_module(vnstatd, 1.0.0)
 +
 +########################################
@@ -48286,10 +48507,15 @@ index 0000000..a7de540
 +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
 +
++kernel_read_network_state(vnstatd_t)
++kernel_read_system_state(vnstatd_t)
++
 +domain_use_interactive_fds(vnstatd_t)
 +
 +files_read_etc_files(vnstatd_t)
 +
++fs_getattr_xattr_fs(vnstatd_t)
++
 +logging_send_syslog_msg(vnstatd_t)
 +
 +miscfiles_read_localization(vnstatd_t)
@@ -48496,7 +48722,7 @@ index 6f1e3c7..a3986f4 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..ade50fd 100644
+index 130ced9..463447d 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -48806,7 +49032,7 @@ index 130ced9..ade50fd 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -48934,7 +49160,7 @@ index 130ced9..ade50fd 100644
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
@@ -49146,7 +49372,7 @@ index 130ced9..ade50fd 100644
  ')
  
  ########################################
-@@ -1243,10 +1462,397 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1462,431 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -49541,13 +49767,47 @@ index 130ced9..ade50fd 100644
 +
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +
-+	userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .k5login)
-+	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts.d)
++#	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts.d)
++#	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts)
++#	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, .fontconfig)
++')
++
++########################################
++## <summary>
++##	Transition to xserver named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_filetrans_home_content',`
++	gen_require(`
++		type xdm_home_t;
++		type xauth_home_t;
++		type iceauth_home_t;
++		type user_home_t;
++		type user_fonts_t;
++		type user_fonts_cache_t;
++		type user_fonts_config_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, xdm_home_t, file, .dmrc)
++	userdom_user_home_dir_filetrans($1, xdm_home_t, file, .xsession-errors)
++	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, .DCOP)
++	userdom_user_home_dir_filetrans($1, iceauth_home_t, file, .ICEauthority)
++	userdom_user_home_dir_filetrans($1, xauth_home_t, file, .Xauthority)
++	userdom_user_home_dir_filetrans($1, xauth_home_t, file, .xauth)
++	userdom_user_home_dir_filetrans($1, xauth_home_t, file, .Xauth)
++	userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .fonts.conf)
++	userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, .fonts.d)
 +	userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts)
 +	userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, .fontconfig)
++	filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, auto)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 6c01261..8cb530b 100644
+index 6c01261..1a345d6 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
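Review bot: The new `xserver_filetrans_home_content` interface requires `type user_home_t;`, but no rule in its body uses that type, so the line can be dropped from the `gen_require` block. The three `userdom_user_home_dir_filetrans` calls left commented out in the interface above it (whose start is outside this hunk) are better deleted than kept. They also disagree with the new code: the commented line gives `.fonts.d` the type `user_fonts_t`, while the new interface gives it `user_fonts_config_t`. Because these named transitions decide the label of files such as `.Xauthority` and `.ICEauthority` in a home directory, a one-line comment stating which `.fonts.d` type is intended would help the next reader.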
@@ -49869,7 +50129,7 @@ index 6c01261..8cb530b 100644
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -302,20 +415,38 @@ optional_policy(`
+@@ -302,20 +415,34 @@ optional_policy(`
  # XDM Local policy
  #
  
@@ -49899,11 +50159,7 @@ index 6c01261..8cb530b 100644
 +
 +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
 +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
-+userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .DCOP)
-+userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .ICEauthority)
-+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauthority)
-+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .xauth)
-+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauth)
++xserver_filetrans_home_content(xdm_t)
 +
 +#Handle mislabeled files in homedir
 +userdom_delete_user_home_content_files(xdm_t)
@@ -49912,7 +50168,7 @@ index 6c01261..8cb530b 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -323,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -323,43 +450,62 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -49981,7 +50237,7 @@ index 6c01261..8cb530b 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -368,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -368,18 +514,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -50009,7 +50265,7 @@ index 6c01261..8cb530b 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -391,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -391,18 +545,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -50033,7 +50289,7 @@ index 6c01261..8cb530b 100644
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -411,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -411,18 +569,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -50061,7 +50317,7 @@ index 6c01261..8cb530b 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -433,9 +601,23 @@ files_list_mnt(xdm_t)
+@@ -433,9 +597,23 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -50085,7 +50341,7 @@ index 6c01261..8cb530b 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -444,28 +626,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -444,28 +622,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -50124,7 +50380,7 @@ index 6c01261..8cb530b 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -474,9 +664,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -474,9 +660,30 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -50155,7 +50411,7 @@ index 6c01261..8cb530b 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_t)
-@@ -492,6 +703,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -492,6 +699,14 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_exec_cifs_files(xdm_t)
  ')
  
@@ -50170,7 +50426,7 @@ index 6c01261..8cb530b 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -505,11 +724,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -505,11 +720,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -50192,7 +50448,7 @@ index 6c01261..8cb530b 100644
  ')
  
  optional_policy(`
-@@ -517,7 +746,43 @@ optional_policy(`
+@@ -517,7 +742,43 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50237,7 +50493,7 @@ index 6c01261..8cb530b 100644
  ')
  
  optional_policy(`
-@@ -527,6 +792,16 @@ optional_policy(`
+@@ -527,6 +788,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50254,7 +50510,7 @@ index 6c01261..8cb530b 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -544,28 +819,65 @@ optional_policy(`
+@@ -544,28 +815,65 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50329,7 +50585,7 @@ index 6c01261..8cb530b 100644
  ')
  
  optional_policy(`
-@@ -577,6 +889,14 @@ optional_policy(`
+@@ -577,6 +885,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50344,7 +50600,7 @@ index 6c01261..8cb530b 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -601,7 +921,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +917,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -50353,7 +50609,7 @@ index 6c01261..8cb530b 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -615,8 +935,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +931,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -50369,7 +50625,7 @@ index 6c01261..8cb530b 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -635,12 +962,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +958,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -50391,7 +50647,7 @@ index 6c01261..8cb530b 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -648,6 +982,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +978,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -50399,7 +50655,7 @@ index 6c01261..8cb530b 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -674,7 +1009,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +1005,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -50407,7 +50663,7 @@ index 6c01261..8cb530b 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -684,11 +1018,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1014,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -50425,7 +50681,7 @@ index 6c01261..8cb530b 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -699,8 +1039,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1035,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -50439,7 +50695,7 @@ index 6c01261..8cb530b 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -713,8 +1058,6 @@ init_getpgid(xserver_t)
+@@ -713,8 +1054,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -50448,7 +50704,7 @@ index 6c01261..8cb530b 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -722,11 +1065,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -722,11 +1061,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -50463,7 +50719,7 @@ index 6c01261..8cb530b 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -780,16 +1124,36 @@ optional_policy(`
+@@ -780,16 +1120,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50501,7 +50757,7 @@ index 6c01261..8cb530b 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -798,6 +1162,10 @@ optional_policy(`
+@@ -798,6 +1158,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50512,7 +50768,7 @@ index 6c01261..8cb530b 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -813,10 +1181,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1177,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -50526,7 +50782,7 @@ index 6c01261..8cb530b 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -824,7 +1192,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1188,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -50535,7 +50791,7 @@ index 6c01261..8cb530b 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -837,6 +1205,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1201,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -50545,7 +50801,7 @@ index 6c01261..8cb530b 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -844,6 +1215,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1211,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -50557,7 +50813,7 @@ index 6c01261..8cb530b 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -852,11 +1228,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1224,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -50574,7 +50830,7 @@ index 6c01261..8cb530b 100644
  ')
  
  optional_policy(`
-@@ -864,6 +1243,10 @@ optional_policy(`
+@@ -864,6 +1239,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -50585,7 +50841,7 @@ index 6c01261..8cb530b 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -907,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1286,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -50594,7 +50850,7 @@ index 6c01261..8cb530b 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -961,11 +1344,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1340,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -50626,7 +50882,7 @@ index 6c01261..8cb530b 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -987,18 +1390,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1386,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -52256,7 +52512,7 @@ index 354ce93..f97fbb7 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..e83c909 100644
+index cc83689..e4f13ca 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -52529,7 +52785,7 @@ index cc83689..e83c909 100644
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
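Review bot: The replacement line `##	Domain to not audit.` is indented with a tab, while the `<summary>` lines around it in this doc block use two spaces after `##`, so the block now mixes indentation. Writing it as `##  Domain to not audit.` keeps the block uniform. The same mismatch appears in the later hunks that apply this wording change inside space-indented blocks (the systemd.if one and one of the userdomain.if ones).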
@@ -52542,7 +52798,7 @@ index cc83689..e83c909 100644
  ')
  
  ########################################
-@@ -688,19 +843,24 @@ interface(`init_telinit',`
+@@ -688,19 +843,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -52559,6 +52815,7 @@ index cc83689..e83c909 100644
  			type init_t;
  		')
  
++		ps_process_pattern($1, init_t)
 +		allow $1 init_t:process signal;
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
@@ -52568,7 +52825,16 @@ index cc83689..e83c909 100644
  	')
  ')
  
-@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',`
+@@ -730,7 +891,7 @@ interface(`init_rw_initctl',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -773,18 +934,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -52592,7 +52858,7 @@ index cc83689..e83c909 100644
  	')
  ')
  
-@@ -800,23 +961,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +962,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -52615,11 +52881,11 @@ index cc83689..e83c909 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -52632,17 +52898,13 @@ index cc83689..e83c909 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
-@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',`
+ ')
+ 
+ ########################################
+@@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -52657,7 +52919,7 @@ index cc83689..e83c909 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1268,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -52682,7 +52944,7 @@ index cc83689..e83c909 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1337,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -52696,7 +52958,7 @@ index cc83689..e83c909 100644
  ')
  
  ########################################
-@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1577,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -52724,7 +52986,7 @@ index cc83689..e83c909 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1684,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -52750,7 +53012,7 @@ index cc83689..e83c909 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1761,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -52775,7 +53037,7 @@ index cc83689..e83c909 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1934,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -52784,7 +53046,7 @@ index cc83689..e83c909 100644
  ')
  
  ########################################
-@@ -1715,6 +1974,74 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -52859,7 +53121,7 @@ index cc83689..e83c909 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2076,139 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -52898,7 +53160,7 @@ index cc83689..e83c909 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -53000,7 +53262,7 @@ index cc83689..e83c909 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..5429a16 100644
+index ea29513..22a5fdd 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -53126,10 +53388,13 @@ index ea29513..5429a16 100644
  files_manage_etc_runtime_files(init_t)
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
-@@ -151,10 +195,13 @@ mls_file_read_all_levels(init_t)
+@@ -151,10 +195,16 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
++mls_socket_read_all_levels(init_t)
++mls_socket_write_all_levels(init_t)
++
 +mls_rangetrans_source(initrc_t)
  
  selinux_set_all_booleans(init_t)
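Review bot: `mls_socket_read_all_levels(init_t)` and `mls_socket_write_all_levels(init_t)` exempt init_t from the MLS constraints on sockets in both directions, and neither the hunk nor the 3.9.16-19 changelog entry says which sockets require it. If this covers sockets that init creates on behalf of services (an assumption, not visible here), a comment such as `# init creates sockets for services running at other levels` above the pair would record the scope. If denials were only seen in one direction, grant only that one.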
@@ -53141,7 +53406,7 @@ index ea29513..5429a16 100644
  
  # Run init scripts.
  init_domtrans_script(init_t)
-@@ -162,12 +209,15 @@ init_domtrans_script(init_t)
+@@ -162,12 +212,15 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -53157,7 +53422,7 @@ index ea29513..5429a16 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +228,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +231,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -53166,7 +53431,7 @@ index ea29513..5429a16 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +236,119 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +239,119 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -53286,7 +53551,7 @@ index ea29513..5429a16 100644
  ')
  
  optional_policy(`
-@@ -199,10 +356,25 @@ optional_policy(`
+@@ -199,10 +359,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53312,7 +53577,7 @@ index ea29513..5429a16 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +384,7 @@ optional_policy(`
+@@ -212,7 +387,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -53321,7 +53586,7 @@ index ea29513..5429a16 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +413,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +416,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -53337,7 +53602,7 @@ index ea29513..5429a16 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +433,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +436,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -53374,7 +53639,7 @@ index ea29513..5429a16 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +466,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +469,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -53382,7 +53647,7 @@ index ea29513..5429a16 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +479,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +482,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -53390,7 +53655,7 @@ index ea29513..5429a16 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +487,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +490,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -53406,7 +53671,7 @@ index ea29513..5429a16 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +505,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +508,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -53414,7 +53679,7 @@ index ea29513..5429a16 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +513,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +516,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -53426,7 +53691,7 @@ index ea29513..5429a16 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +532,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +535,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -53440,7 +53705,7 @@ index ea29513..5429a16 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +547,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +550,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -53449,7 +53714,7 @@ index ea29513..5429a16 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +561,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +564,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -53457,7 +53722,7 @@ index ea29513..5429a16 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +573,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +576,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -53465,7 +53730,7 @@ index ea29513..5429a16 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +594,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +597,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -53487,7 +53752,7 @@ index ea29513..5429a16 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +657,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +660,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -53498,7 +53763,7 @@ index ea29513..5429a16 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +681,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +684,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -53507,7 +53772,7 @@ index ea29513..5429a16 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +696,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +699,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -53515,7 +53780,7 @@ index ea29513..5429a16 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +726,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +729,29 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -53545,7 +53810,7 @@ index ea29513..5429a16 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +756,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +759,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -53568,7 +53833,7 @@ index ea29513..5429a16 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +786,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +789,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -53608,7 +53873,7 @@ index ea29513..5429a16 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +831,8 @@ optional_policy(`
+@@ -561,6 +834,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -53617,7 +53882,7 @@ index ea29513..5429a16 100644
  ')
  
  optional_policy(`
-@@ -577,6 +849,7 @@ optional_policy(`
+@@ -577,6 +852,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -53625,7 +53890,7 @@ index ea29513..5429a16 100644
  ')
  
  optional_policy(`
-@@ -589,6 +862,11 @@ optional_policy(`
+@@ -589,6 +865,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53637,7 +53902,7 @@ index ea29513..5429a16 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +883,13 @@ optional_policy(`
+@@ -605,9 +886,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -53651,7 +53916,7 @@ index ea29513..5429a16 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +931,11 @@ optional_policy(`
+@@ -649,6 +934,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53663,7 +53928,7 @@ index ea29513..5429a16 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +993,13 @@ optional_policy(`
+@@ -706,7 +996,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53677,7 +53942,7 @@ index ea29513..5429a16 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1022,10 @@ optional_policy(`
+@@ -729,6 +1025,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53688,7 +53953,7 @@ index ea29513..5429a16 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1035,20 @@ optional_policy(`
+@@ -738,10 +1038,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53709,7 +53974,7 @@ index ea29513..5429a16 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1057,10 @@ optional_policy(`
+@@ -750,6 +1060,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53720,7 +53985,7 @@ index ea29513..5429a16 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1082,6 @@ optional_policy(`
+@@ -771,8 +1085,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -53729,7 +53994,7 @@ index ea29513..5429a16 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1090,21 @@ optional_policy(`
+@@ -781,14 +1093,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53751,7 +54016,7 @@ index ea29513..5429a16 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1116,6 @@ optional_policy(`
+@@ -800,7 +1119,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53759,7 +54024,7 @@ index ea29513..5429a16 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1125,24 @@ optional_policy(`
+@@ -810,11 +1128,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53785,7 +54050,7 @@ index ea29513..5429a16 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1152,25 @@ optional_policy(`
+@@ -824,6 +1155,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -53811,7 +54076,7 @@ index ea29513..5429a16 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1196,42 @@ optional_policy(`
+@@ -849,3 +1199,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -55429,7 +55694,7 @@ index c7cfb62..ee89659 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..179ca63 100644
+index 9b5a9ed..869d51c 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -19,6 +19,11 @@ type auditd_log_t;
@@ -55529,7 +55794,7 @@ index 9b5a9ed..179ca63 100644
  
  corenet_all_recvfrom_unlabeled(audisp_remote_t)
  corenet_all_recvfrom_netlabel(audisp_remote_t)
-@@ -265,10 +291,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -265,10 +291,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  
  files_read_etc_files(audisp_remote_t)
  
@@ -55539,6 +55804,7 @@ index 9b5a9ed..179ca63 100644
 +logging_send_audit_msgs(audisp_remote_t)
 +
 +auth_use_nsswitch(audisp_remote_t)
++auth_append_login_records(audisp_remote_t)
  
  miscfiles_read_localization(audisp_remote_t)
  
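Review bot: `auth_append_login_records(audisp_remote_t)` gives the remote audit dispatcher append access to the login records, which stands out in a domain whose neighbouring rules are network and audit-message related, and the line carries no explanation. If the access is a library side effect rather than a real need, a dontaudit rule would be the narrower answer; otherwise add a comment naming the reason, e.g. `# <reason from the triggering AVC>`. The 3.9.16-19 changelog entry does not mention this grant.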
@@ -55549,7 +55815,7 @@ index 9b5a9ed..179ca63 100644
  sysnet_dns_name_resolve(audisp_remote_t)
  
  ########################################
-@@ -338,11 +373,12 @@ optional_policy(`
+@@ -338,11 +374,12 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
@@ -55564,7 +55830,7 @@ index 9b5a9ed..179ca63 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -360,6 +396,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -360,6 +397,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -55572,7 +55838,7 @@ index 9b5a9ed..179ca63 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -369,9 +406,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -369,9 +407,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -55588,7 +55854,7 @@ index 9b5a9ed..179ca63 100644
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,8 +455,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -412,8 +456,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
  dev_filetrans(syslogd_t, devlog_t, sock_file)
  dev_read_sysfs(syslogd_t)
@@ -55602,7 +55868,7 @@ index 9b5a9ed..179ca63 100644
  
  files_read_etc_files(syslogd_t)
  files_read_usr_files(syslogd_t)
-@@ -432,6 +480,7 @@ term_write_console(syslogd_t)
+@@ -432,6 +481,7 @@ term_write_console(syslogd_t)
  # Allow syslog to a terminal
  term_write_unallocated_ttys(syslogd_t)
  
@@ -55610,7 +55876,7 @@ index 9b5a9ed..179ca63 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -480,6 +529,10 @@ optional_policy(`
+@@ -480,6 +530,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55621,7 +55887,7 @@ index 9b5a9ed..179ca63 100644
  	postgresql_stream_connect(syslogd_t)
  ')
  
-@@ -488,6 +541,10 @@ optional_policy(`
+@@ -488,6 +542,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56243,7 +56509,7 @@ index 72c746e..9f9124f 100644
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 8b5c196..6dc92dd 100644
+index 8b5c196..f66d272 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,16 @@ interface(`mount_domtrans',`
@@ -56263,7 +56529,7 @@ index 8b5c196..6dc92dd 100644
  ')
  
  ########################################
-@@ -45,12 +55,77 @@ interface(`mount_run',`
+@@ -45,8 +55,73 @@ interface(`mount_run',`
  	role $2 types mount_t;
  
  	optional_policy(`
@@ -56286,11 +56552,11 @@ index 8b5c196..6dc92dd 100644
 +
 +	optional_policy(`
 +		samba_run_smbmount(mount_t, $2)
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute fusermount in the mount domain, and
 +##	allow the specified role the mount domain,
 +##	and use the caller's terminal.
@@ -56331,17 +56597,13 @@ index 8b5c196..6dc92dd 100644
 +interface(`mount_read_pid_files',`
 +	gen_require(`
 +		type mount_var_run_t;
-+	')
+ 	')
 +
 +	allow $1 mount_var_run_t:file read_file_perms;
 +	files_search_pids($1)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute mount in the caller domain.
- ## </summary>
- ## <param name="domain">
+ ')
+ 
+ ########################################
 @@ -84,9 +159,11 @@ interface(`mount_exec',`
  interface(`mount_signal',`
  	gen_require(`
@@ -56445,7 +56707,7 @@ index 8b5c196..6dc92dd 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -56867,17 +57129,22 @@ index 15832c7..43f0a0b 100644
 +
 +userdom_use_inherited_user_terminals(showmount_t)
 diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
-index cbbda4a..83c5ce7 100644
+index cbbda4a..8dcc346 100644
 --- a/policy/modules/system/netlabel.te
 +++ b/policy/modules/system/netlabel.te
-@@ -25,4 +25,6 @@ files_read_etc_files(netlabel_mgmt_t)
+@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t)
+ 
+ files_read_etc_files(netlabel_mgmt_t)
  
++term_use_all_inherited_terms(netlabel_mgmt_t) 
++
  seutil_use_newrole_fds(netlabel_mgmt_t)
  
 -userdom_use_user_terminals(netlabel_mgmt_t)
 +term_use_all_terms(netlabel_mgmt_t)
 +
 +userdom_use_inherited_user_terminals(netlabel_mgmt_t)
++
 diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
 index 4d06ae3..ebd5ed4 100644
 --- a/policy/modules/system/pcmcia.te
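Review bot: `term_use_all_inherited_terms(netlabel_mgmt_t)` is added while `term_use_all_terms(netlabel_mgmt_t)` stays a few lines below, so the narrower inherited-only grant looks redundant (assuming, as the names suggest, that the broader interface already covers it). If the intent is to restrict netlabel_mgmt_t to inherited terminals, remove `term_use_all_terms(netlabel_mgmt_t)` rather than adding to it. The new line also ends in a trailing space, and the hunk appends an empty line at the end of the file.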
@@ -58000,7 +58267,7 @@ index 694fd94..334e80e 100644
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..ec91ad9 100644
+index ff80d0a..95e705c 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -58209,7 +58476,7 @@ index ff80d0a..ec91ad9 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The domain sending the SIGCHLD.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -58515,7 +58782,7 @@ index 0000000..c7476cb
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..4dfe28c
+index 0000000..71398e5
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
 @@ -0,0 +1,246 @@
@@ -58615,7 +58882,7 @@ index 0000000..4dfe28c
 +## </summary>
 +## <param name="domain">
 +##      <summary>
-+##      Domain allowed access.
++##	Domain to not audit.
 +##      </summary>
 +## </param>
 +#
@@ -59400,7 +59667,7 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..352e672 100644
+index 416e668..9f3c1c1 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,27 +12,34 @@
@@ -59451,7 +59718,7 @@ index 416e668..352e672 100644
  
 +	domain_mmap_low($1)
 +
-+	mls_file_read_all_levels($1)
++	mcs_file_read_all($1)
 +
 +	ubac_process_exempt($1)
 +
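Review bot: Replacing `mls_file_read_all_levels($1)` with `mcs_file_read_all($1)` changes which constraint this unconfined interface bypasses: the domain gains the MCS category read exemption and loses the MLS level one, which matters if the policy is ever built as MLS. Only the read side is granted, so writes to files with other categories stay constrained; whether a write counterpart is intended cannot be told from the hunk. A short comment such as `# unconfined domains read files regardless of MCS categories` would record the intent, and the 3.9.16-19 changelog entry does not mention the switch. The enclosing interface starts and ends outside this hunk.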
@@ -60151,7 +60418,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..78f35d2 100644
+index 28b88de..d933851 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -60466,7 +60733,7 @@ index 28b88de..78f35d2 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -62131,7 +62398,7 @@ index 28b88de..78f35d2 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -62149,7 +62416,7 @@ index 28b88de..78f35d2 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -62764,7 +63031,7 @@ index 28b88de..78f35d2 100644
 +## </summary>
 +## <param name="domain">
 +##  <summary>
-+##  Domain allowed access.
++##	Domain to not audit.
 +##  </summary>
 +## </param>
 +#
@@ -62782,7 +63049,7 @@ index 28b88de..78f35d2 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -62800,7 +63067,7 @@ index 28b88de..78f35d2 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -62818,7 +63085,7 @@ index 28b88de..78f35d2 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -62876,7 +63143,7 @@ index 28b88de..78f35d2 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -63092,7 +63359,7 @@ index 28b88de..78f35d2 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index df29ca1..e9e85d7 100644
+index df29ca1..54e3feb 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0)
@@ -63145,7 +63412,7 @@ index df29ca1..e9e85d7 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +98,63 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,66 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -63204,13 +63471,16 @@ index df29ca1..e9e85d7 100644
 +dontaudit unpriv_userdomain self:dir setattr;
 +
 +optional_policy(`
-+	gnome_user_home_dir_filetrans(userdomain)
++	gnome_filetrans_home_content(userdomain)
 +')
 +
 +optional_policy(`
-+	ssh_user_home_dir_filetrans(userdomain)
++	ssh_filetrans_home_content(userdomain)
 +')
 +
++optional_policy(`
++	xserver_filetrans_home_content(userdomain)
++')
 diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
 index a865da7..a5ed06e 100644
 --- a/policy/modules/system/xen.fc
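Review bot: The calls are renamed from `gnome_user_home_dir_filetrans` and `ssh_user_home_dir_filetrans` to the `*_filetrans_home_content` names, and `xserver_filetrans_home_content(userdomain)` is new, but their definitions live in gnome.if, ssh.if and xserver.if, outside this hunk. Confirm that all three new names are defined in this patch revision and that no caller of the old names remains, since an interface name that does not expand typically breaks the policy build. Because the argument is the `userdomain` attribute, the transitions apply to every user domain; a one-line comment above the three blocks should say so.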
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d15dee3..436ed55 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,14 @@ exit 0
 %endif
 
 %changelog
+* Tue May 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-19
+- Forard port changes from F15 for telepathy
+- NetworkManager should be allowed to use /dev/rfkill
+- Fix dontaudit messages to say Domain to not audit
+- Allow telepathy domains to read/write gnome_cache files
+- Allow telepathy domains to call getpw
+- Fixes for colord and vnstatd policy
+
 * Wed Apr 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-18
 - Allow init_t getcap and setcap
 - Allow namespace_init_t to use nsswitch