diff --git a/policy-F16.patch b/policy-F16.patch
index db25c5a..ece00d4 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -757,7 +757,7 @@ index 8fa451c..f3a67c9 100644
  ')
  
 diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
-index c4d8998..d62fdd2 100644
+index c4d8998..419d14a 100644
 --- a/policy/modules/admin/firstboot.te
 +++ b/policy/modules/admin/firstboot.te
 @@ -75,12 +75,7 @@ logging_send_syslog_msg(firstboot_t)
@@ -793,6 +793,15 @@ index c4d8998..d62fdd2 100644
  
  optional_policy(`
  	samba_rw_config(firstboot_t)
+@@ -113,7 +118,7 @@ optional_policy(`
+ optional_policy(`
+ 	unconfined_domtrans(firstboot_t)
+ 	# The big hammer
+-	unconfined_domain(firstboot_t)
++	unconfined_domain_noaudit(firstboot_t)
+ ')
+ 
+ optional_policy(`
 @@ -125,6 +130,7 @@ optional_policy(`
  ')
  
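Review bot: The switch to `unconfined_domain_noaudit(firstboot_t)` leaves firstboot_t fully unconfined but removes whatever auditing the plain `unconfined_domain` interface layers on top, and the only comment on the block is still `# The big hammer`. The interface bodies are outside this hunk, so exactly which audit rules are lost cannot be confirmed from here; in reference-policy-derived trees the difference is usually an `auditallow` on `execheap`. Please record the reason next to the call, e.g. `# noaudit variant: <reason the audit records are unwanted here>`, so the loss of visibility on an unconfined boot-time domain is a documented decision.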
@@ -11303,7 +11312,7 @@ index 4f3b542..4581434 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..e2f9c64 100644
+index 99b71cb..b49e084 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -11423,8 +11432,12 @@ index 99b71cb..e2f9c64 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -158,10 +188,18 @@ network_port(ntp, udp,123,s0)
- network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
+@@ -155,13 +185,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+ network_port(nmbd, udp,137,s0, udp,138,s0)
+ network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
+ network_port(ntp, udp,123,s0)
+-network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
++network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
 +network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)
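Review bot: Renaming the port definition from `oracledb` to `oracle` changes the generated type and interface names, so local port labels or out-of-tree modules that still use the old name will presumably stop resolving after the update. The apache.te hunks later in this patch move the in-tree callers to `corenet_tcp_connect_oracle_port` and `corenet_sendrecv_oracle_client_packets`, but nothing visible here keeps the old name alive. Consider a compatibility alias, e.g. `typealias oracle_port_t alias oracledb_port_t;` (assuming the usual `_port_t` naming produced by `network_port`). Failing that, call the rename out in the package changelog so administrators can re-check custom port labels.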
@@ -15422,6 +15435,13 @@ index 0e5b661..3168d72 100644
  attribute mcsreadall;
 +attribute mcsuntrustedproc;
 +attribute mcsnetwrite;
+diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc
+index 7be4ddf..4d4c577 100644
+--- a/policy/modules/kernel/selinux.fc
++++ b/policy/modules/kernel/selinux.fc
+@@ -1 +1 @@
+-# This module currently does not have any file contexts.
++/selinux    -l	gen_context(system_u:object_r:security_t,s0)
 diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
 index ca7e808..23a065c 100644
 --- a/policy/modules/kernel/selinux.if
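Review bot: The new selinux.fc entry labels a symlink at `/selinux` with `security_t`, the type used for selinuxfs itself, and it replaces the file's only comment without saying why. Whether every domain that has to follow that link holds `lnk_file` read on `security_t` is not visible in this hunk and should be checked against selinux.if. A one-line comment above the entry, e.g. `# /selinux is kept as a symlink to the selinuxfs mount point (confirm)`, would make the intent clear. The separator between the path and `-l` is spaces while the next one is a tab; use tabs for both to match the usual .fc layout.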
@@ -19261,7 +19281,7 @@ index 0b827c5..7382308 100644
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..2fe2895 100644
+index 30861ec..ced411a 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -19473,7 +19493,7 @@ index 30861ec..2fe2895 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +293,130 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -19595,6 +19615,7 @@ index 30861ec..2fe2895 100644
 +
 +kernel_read_kernel_sysctls(abrt_dump_oops_t)
 +kernel_read_ring_buffer(abrt_dump_oops_t)
++kernel_read_system_state(abrt_dump_oops_t)
 +
 +domain_use_interactive_fds(abrt_dump_oops_t)
 +
@@ -20782,7 +20803,7 @@ index 6480167..970916e 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..8115e0e 100644
+index 3136c6a..0966da0 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -21233,8 +21254,8 @@ index 3136c6a..8115e0e 100644
 +	corenet_tcp_connect_firebird_port(httpd_t)
 +	corenet_tcp_connect_mssql_port(httpd_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_t)
-+	corenet_tcp_connect_oracledb_port(httpd_t)
-+	corenet_sendrecv_oracledb_client_packets(httpd_t)
++	corenet_tcp_connect_oracle_port(httpd_t)
++	corenet_sendrecv_oracle_client_packets(httpd_t)
 +')
 +
 +tunable_policy(`httpd_can_network_memcache',`
@@ -21499,8 +21520,8 @@ index 3136c6a..8115e0e 100644
 +	corenet_tcp_connect_firebird_port(httpd_php_t)
 +	corenet_tcp_connect_mssql_port(httpd_php_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_php_t)
-+	corenet_tcp_connect_oracledb_port(httpd_php_t)
-+	corenet_sendrecv_oracledb_client_packets(httpd_php_t)
++	corenet_tcp_connect_oracle_port(httpd_php_t)
++	corenet_sendrecv_oracle_client_packets(httpd_php_t)
  ')
  
  optional_policy(`
@@ -21566,8 +21587,8 @@ index 3136c6a..8115e0e 100644
 +	corenet_tcp_connect_firebird_port(httpd_suexec_t)
 +	corenet_tcp_connect_mssql_port(httpd_suexec_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
-+	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
++	corenet_tcp_connect_oracle_port(httpd_suexec_t)
++	corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
 +')
 +
 +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
@@ -21649,8 +21670,8 @@ index 3136c6a..8115e0e 100644
 +	corenet_tcp_connect_firebird_port(httpd_sys_script_t)
 +	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-+	corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
-+	corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
++	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
++	corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
 +')
 +
 +fs_cifs_entry_type(httpd_sys_script_t)
@@ -50934,7 +50955,7 @@ index 7c5d8d8..59ba27c 100644
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..6182880 100644
+index 3eca020..b2c36e4 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -51443,7 +51464,7 @@ index 3eca020..6182880 100644
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
  term_use_ptmx(virt_domain)
-@@ -457,8 +613,166 @@ optional_policy(`
+@@ -457,8 +613,176 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51572,8 +51593,12 @@ index 3eca020..6182880 100644
 +allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
 +allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms;
 +
++allow virt_lxc_t virt_image_type:dir mounton;
++
++allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
++
 +domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t)
-+allow virtd_t virt_lxc_t:process signal;
++allow virtd_t virt_lxc_t:process { signal signull sigkill };
 +
 +manage_dirs_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
 +manage_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
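Review bot: `allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };` grants transition, scheduling and kill rights against the whole `virt_domain` attribute, which, judging by the `term_*` calls on `virt_domain` elsewhere in this file, is not limited to containers. If the launcher only needs to start and reap its own container processes, a narrower target type or a dedicated attribute would be closer to least privilege. At minimum add a why-comment such as `# lxc launcher starts, reschedules and signals the processes it spawns`. The same hunk also adds `allow virt_lxc_t virt_image_type:dir mounton;` and widens `virtd_t` to `{ signal signull sigkill }` on `virt_lxc_t`, both without comment.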
@@ -51592,9 +51617,15 @@ index 3eca020..6182880 100644
 +files_mount_all_file_type_fs(virt_lxc_t)
 +files_unmount_all_file_type_fs(virt_lxc_t)
 +
++fs_manage_tmpfs_dirs(virt_lxc_t)
++fs_manage_tmpfs_chr_files(virt_lxc_t)
++fs_manage_tmpfs_symlinks(virt_lxc_t)
 +fs_manage_cgroup_dirs(virt_lxc_t)
 +fs_rw_cgroup_files(virt_lxc_t)
 +
++selinux_mount_fs(virt_lxc_t)
++selinux_unmount_fs(virt_lxc_t)
++
 +term_use_generic_ptys(virt_lxc_t)
 +term_use_ptmx(virt_lxc_t)
 +
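Review bot: `fs_manage_tmpfs_chr_files(virt_lxc_t)` and the `selinux_mount_fs`/`selinux_unmount_fs` pair are sensitive grants added without any explanation: by their names they cover character device nodes on tmpfs and mounting or unmounting selinuxfs. Each should carry a why-comment, e.g. `# populate the container's /dev on tmpfs` and `# set up selinuxfs inside the container's mount namespace`, with the intent confirmed by the author. The mount.te hunk later in this patch adds `selinux_mounton_fs(mount_t)` with the same gap. It is also worth checking whether the `chr_file` grant could be narrowed to a dedicated type for the container's device directory, rather than all of tmpfs.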
@@ -56329,7 +56360,7 @@ index 94fd8dd..0d7aa40 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..fcf5d6c 100644
+index 29a9565..70532cc 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -56424,7 +56455,7 @@ index 29a9565..fcf5d6c 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -114,24 +151,32 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -114,25 +151,34 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -56455,9 +56486,11 @@ index 29a9565..fcf5d6c 100644
  files_dontaudit_search_isid_type_dirs(init_t)
 +files_read_etc_runtime_files(init_t)
  files_manage_etc_runtime_files(init_t)
++files_manage_etc_symlinks(init_t)
  files_etc_filetrans_etc_runtime(init_t, file)
  # Run /etc/X11/prefdm:
-@@ -151,10 +196,19 @@ mls_file_read_all_levels(init_t)
+ files_exec_etc_files(init_t)
+@@ -151,10 +197,19 @@ mls_file_read_all_levels(init_t)
  mls_file_write_all_levels(init_t)
  mls_process_write_down(init_t)
  mls_fd_use_all_levels(init_t)
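Review bot: `files_manage_etc_symlinks(init_t)` is added with no comment, unlike the neighbouring `# Run /etc/X11/prefdm:` line. By its name it gives init manage rights over symlinks in /etc, though the interface body is outside this hunk. Since a replaced /etc symlink can redirect configuration reads for other domains, please state which link init has to maintain, e.g. `# init (re)creates <symlink name> at boot`. If only one link is involved, a dedicated type with a file transition would be tighter than manage on the generic etc symlink type.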
@@ -56478,7 +56511,7 @@ index 29a9565..fcf5d6c 100644
  
  # Run init scripts.
  init_domtrans_script(init_t)
-@@ -162,12 +216,16 @@ init_domtrans_script(init_t)
+@@ -162,12 +217,16 @@ init_domtrans_script(init_t)
  libs_rw_ld_so_cache(init_t)
  
  logging_send_syslog_msg(init_t)
@@ -56495,7 +56528,7 @@ index 29a9565..fcf5d6c 100644
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -178,7 +236,7 @@ ifdef(`distro_redhat',`
+@@ -178,7 +237,7 @@ ifdef(`distro_redhat',`
  	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
  ')
  
@@ -56504,7 +56537,7 @@ index 29a9565..fcf5d6c 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +244,131 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +245,131 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -56636,7 +56669,7 @@ index 29a9565..fcf5d6c 100644
  ')
  
  optional_policy(`
-@@ -199,10 +376,26 @@ optional_policy(`
+@@ -199,10 +377,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -56663,7 +56696,7 @@ index 29a9565..fcf5d6c 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +405,7 @@ optional_policy(`
+@@ -212,7 +406,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -56672,7 +56705,7 @@ index 29a9565..fcf5d6c 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -56688,7 +56721,7 @@ index 29a9565..fcf5d6c 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -56725,7 +56758,7 @@ index 29a9565..fcf5d6c 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -56733,7 +56766,7 @@ index 29a9565..fcf5d6c 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -56744,7 +56777,7 @@ index 29a9565..fcf5d6c 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -56761,7 +56794,7 @@ index 29a9565..fcf5d6c 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -56769,7 +56802,7 @@ index 29a9565..fcf5d6c 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -56781,7 +56814,7 @@ index 29a9565..fcf5d6c 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -56795,7 +56828,7 @@ index 29a9565..fcf5d6c 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -56804,7 +56837,7 @@ index 29a9565..fcf5d6c 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -56812,7 +56845,7 @@ index 29a9565..fcf5d6c 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -56820,7 +56853,7 @@ index 29a9565..fcf5d6c 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -56842,7 +56875,7 @@ index 29a9565..fcf5d6c 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -56853,7 +56886,7 @@ index 29a9565..fcf5d6c 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +704,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +705,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -56862,7 +56895,7 @@ index 29a9565..fcf5d6c 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +719,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +720,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -56870,7 +56903,7 @@ index 29a9565..fcf5d6c 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +749,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +750,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -56904,7 +56937,7 @@ index 29a9565..fcf5d6c 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +783,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +784,26 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -56931,7 +56964,7 @@ index 29a9565..fcf5d6c 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +817,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +818,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -56971,7 +57004,7 @@ index 29a9565..fcf5d6c 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +862,8 @@ optional_policy(`
+@@ -561,6 +863,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -56980,7 +57013,7 @@ index 29a9565..fcf5d6c 100644
  ')
  
  optional_policy(`
-@@ -577,6 +880,7 @@ optional_policy(`
+@@ -577,6 +881,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -56988,7 +57021,7 @@ index 29a9565..fcf5d6c 100644
  ')
  
  optional_policy(`
-@@ -589,6 +893,11 @@ optional_policy(`
+@@ -589,6 +894,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57000,7 +57033,7 @@ index 29a9565..fcf5d6c 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +914,13 @@ optional_policy(`
+@@ -605,9 +915,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -57014,7 +57047,7 @@ index 29a9565..fcf5d6c 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +962,11 @@ optional_policy(`
+@@ -649,6 +963,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57026,7 +57059,7 @@ index 29a9565..fcf5d6c 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1007,7 @@ optional_policy(`
+@@ -689,6 +1008,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -57034,7 +57067,7 @@ index 29a9565..fcf5d6c 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1025,13 @@ optional_policy(`
+@@ -706,7 +1026,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57048,7 +57081,7 @@ index 29a9565..fcf5d6c 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1054,10 @@ optional_policy(`
+@@ -729,6 +1055,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57059,7 +57092,7 @@ index 29a9565..fcf5d6c 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1067,20 @@ optional_policy(`
+@@ -738,10 +1068,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57080,7 +57113,7 @@ index 29a9565..fcf5d6c 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1089,10 @@ optional_policy(`
+@@ -750,6 +1090,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57091,7 +57124,7 @@ index 29a9565..fcf5d6c 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1114,6 @@ optional_policy(`
+@@ -771,8 +1115,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -57100,7 +57133,7 @@ index 29a9565..fcf5d6c 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1131,12 @@ optional_policy(`
+@@ -790,10 +1132,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -57113,7 +57146,7 @@ index 29a9565..fcf5d6c 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1148,6 @@ optional_policy(`
+@@ -805,7 +1149,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57121,7 +57154,7 @@ index 29a9565..fcf5d6c 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1157,24 @@ optional_policy(`
+@@ -815,11 +1158,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57147,7 +57180,7 @@ index 29a9565..fcf5d6c 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1184,25 @@ optional_policy(`
+@@ -829,6 +1185,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -57173,7 +57206,7 @@ index 29a9565..fcf5d6c 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1218,10 @@ optional_policy(`
+@@ -844,6 +1219,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57184,7 +57217,7 @@ index 29a9565..fcf5d6c 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1232,45 @@ optional_policy(`
+@@ -854,3 +1233,45 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -59496,7 +59529,7 @@ index 8b5c196..1ac1567 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..43f0a0b 100644
+index 15832c7..ed497ff 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -59573,7 +59606,7 @@ index 15832c7..43f0a0b 100644
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
  # To load binfmt_misc kernel module
-@@ -57,50 +95,74 @@ kernel_request_load_module(mount_t)
+@@ -57,65 +95,93 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -59655,8 +59688,9 @@ index 15832c7..43f0a0b 100644
 +mls_process_write_to_clearance(mount_t)
  
  selinux_get_enforce_mode(mount_t)
++selinux_mounton_fs(mount_t)
  
-@@ -108,14 +170,17 @@ storage_raw_read_fixed_disk(mount_t)
+ storage_raw_read_fixed_disk(mount_t)
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -59675,7 +59709,7 @@ index 15832c7..43f0a0b 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -126,6 +191,12 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +192,12 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -59688,7 +59722,7 @@ index 15832c7..43f0a0b 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -141,26 +212,29 @@ ifdef(`distro_ubuntu',`
+@@ -141,26 +213,29 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -59726,7 +59760,7 @@ index 15832c7..43f0a0b 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -174,6 +248,8 @@ optional_policy(`
+@@ -174,6 +249,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -59735,7 +59769,7 @@ index 15832c7..43f0a0b 100644
  ')
  
  optional_policy(`
-@@ -181,6 +257,28 @@ optional_policy(`
+@@ -181,6 +258,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59764,7 +59798,7 @@ index 15832c7..43f0a0b 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,13 +286,52 @@ optional_policy(`
+@@ -188,13 +287,52 @@ optional_policy(`
  	')
  ')
  
@@ -59817,7 +59851,7 @@ index 15832c7..43f0a0b 100644
  ')
  
  ########################################
-@@ -203,6 +340,43 @@ optional_policy(`
+@@ -203,6 +341,43 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -63453,7 +63487,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..181ada4 100644
+index 4b2878a..c0e5c10 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -63467,7 +63501,7 @@ index 4b2878a..181ada4 100644
  	domain_type($1_t)
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,103 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,104 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -63559,6 +63593,7 @@ index 4b2878a..181ada4 100644
 +
 +	files_read_etc_files($1_usertype)
 +	files_list_mnt($1_usertype)
++	files_list_var($1_usertype)
 +	files_read_mnt_files($1_usertype)
 +	files_dontaudit_access_check_mnt($1_usertype)
 +	files_read_etc_runtime_files($1_usertype)
@@ -63620,7 +63655,7 @@ index 4b2878a..181ada4 100644
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -116,6 +151,20 @@ template(`userdom_base_user_template',`
+@@ -116,6 +152,20 @@ template(`userdom_base_user_template',`
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -63641,7 +63676,7 @@ index 4b2878a..181ada4 100644
  ')
  
  #######################################
-@@ -149,6 +198,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +199,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -63650,7 +63685,7 @@ index 4b2878a..181ada4 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -166,27 +217,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +218,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -63678,7 +63713,7 @@ index 4b2878a..181ada4 100644
  ')
  
  #######################################
-@@ -218,8 +248,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +249,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -63690,7 +63725,7 @@ index 4b2878a..181ada4 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -228,17 +261,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +262,21 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -63722,7 +63757,7 @@ index 4b2878a..181ada4 100644
  	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
  	files_list_home($2)
  
-@@ -246,25 +283,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +284,23 @@ interface(`userdom_manage_home_role',`
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
@@ -63752,7 +63787,7 @@ index 4b2878a..181ada4 100644
  	')
  ')
  
-@@ -286,17 +321,63 @@ interface(`userdom_manage_home_role',`
+@@ -286,17 +322,63 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -63821,7 +63856,7 @@ index 4b2878a..181ada4 100644
  ')
  
  #######################################
-@@ -316,6 +397,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +398,7 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -63829,7 +63864,7 @@ index 4b2878a..181ada4 100644
  	files_search_tmp($1)
  ')
  
-@@ -347,59 +429,62 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,59 +430,62 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -63924,7 +63959,7 @@ index 4b2878a..181ada4 100644
  ')
  
  #######################################
-@@ -430,6 +515,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +516,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -63932,7 +63967,7 @@ index 4b2878a..181ada4 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -462,8 +548,8 @@ template(`userdom_change_password_template',`
+@@ -462,8 +549,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -63943,7 +63978,7 @@ index 4b2878a..181ada4 100644
  	')
  ')
  
-@@ -490,7 +576,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +577,7 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -63952,7 +63987,7 @@ index 4b2878a..181ada4 100644
  
  	##############################
  	#
-@@ -500,73 +586,81 @@ template(`userdom_common_user_template',`
+@@ -500,73 +587,81 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -64076,7 +64111,7 @@ index 4b2878a..181ada4 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +668,123 @@ template(`userdom_common_user_template',`
+@@ -574,67 +669,123 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -64218,7 +64253,7 @@ index 4b2878a..181ada4 100644
  	')
  
  	optional_policy(`
-@@ -650,41 +800,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +801,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -64280,7 +64315,7 @@ index 4b2878a..181ada4 100644
  ')
  
  #######################################
-@@ -712,13 +871,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +872,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
@@ -64312,7 +64347,7 @@ index 4b2878a..181ada4 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +908,76 @@ template(`userdom_login_user_template', `
+@@ -736,72 +909,76 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -64422,7 +64457,7 @@ index 4b2878a..181ada4 100644
  	')
  ')
  
-@@ -833,6 +1009,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -64432,7 +64467,7 @@ index 4b2878a..181ada4 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1053,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -64562,7 +64597,7 @@ index 4b2878a..181ada4 100644
  	')
  ')
  
-@@ -947,7 +1199,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -64571,7 +64606,7 @@ index 4b2878a..181ada4 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,12 +1208,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -64589,7 +64624,7 @@ index 4b2878a..181ada4 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -978,32 +1233,76 @@ template(`userdom_unpriv_user_template', `
+@@ -978,32 +1234,76 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -64678,7 +64713,7 @@ index 4b2878a..181ada4 100644
  	')
  ')
  
-@@ -1039,7 +1338,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1339,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -64687,7 +64722,7 @@ index 4b2878a..181ada4 100644
  	')
  
  	##############################
-@@ -1066,6 +1365,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1366,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -64695,7 +64730,7 @@ index 4b2878a..181ada4 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1375,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -64705,7 +64740,7 @@ index 4b2878a..181ada4 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1392,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -64713,7 +64748,7 @@ index 4b2878a..181ada4 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1410,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -64727,7 +64762,7 @@ index 4b2878a..181ada4 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,17 +1426,22 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1427,22 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -64751,7 +64786,7 @@ index 4b2878a..181ada4 100644
  
  	auth_getattr_shadow($1_t)
  	# Manage almost all files
-@@ -1141,7 +1453,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1454,10 @@ template(`userdom_admin_user_template',`
  
  	logging_send_syslog_msg($1_t)
  
@@ -64763,7 +64798,7 @@ index 4b2878a..181ada4 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1466,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1467,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -64772,7 +64807,7 @@ index 4b2878a..181ada4 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1527,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1528,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -64781,7 +64816,7 @@ index 4b2878a..181ada4 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1541,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1542,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -64789,7 +64824,7 @@ index 4b2878a..181ada4 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1234,13 +1554,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1555,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -64818,7 +64853,7 @@ index 4b2878a..181ada4 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1582,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1583,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -64834,7 +64869,7 @@ index 4b2878a..181ada4 100644
  	')
  
  	optional_policy(`
-@@ -1279,54 +1610,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1611,66 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -64916,7 +64951,7 @@ index 4b2878a..181ada4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1334,9 +1677,46 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,9 +1678,46 @@ interface(`userdom_setattr_user_ptys',`
  ##	</summary>
  ## </param>
  #
@@ -64965,7 +65000,7 @@ index 4b2878a..181ada4 100644
  	')
  
  	term_create_pty($1, user_devpts_t)
-@@ -1395,6 +1775,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1776,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -64973,7 +65008,7 @@ index 4b2878a..181ada4 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1822,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1823,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -64988,7 +65023,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -1456,9 +1845,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1846,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -65000,7 +65035,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -1515,6 +1906,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1907,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -65043,7 +65078,7 @@ index 4b2878a..181ada4 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2016,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2017,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -65052,7 +65087,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -1603,10 +2032,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2033,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -65067,7 +65102,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -1649,6 +2080,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2081,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -65111,7 +65146,7 @@ index 4b2878a..181ada4 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2136,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2137,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -65137,7 +65172,7 @@ index 4b2878a..181ada4 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1700,12 +2187,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2188,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -65170,7 +65205,7 @@ index 4b2878a..181ada4 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2223,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -65188,7 +65223,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -1779,6 +2289,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -65249,7 +65284,7 @@ index 4b2878a..181ada4 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2374,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -65259,7 +65294,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -1827,20 +2390,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2391,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -65284,7 +65319,7 @@ index 4b2878a..181ada4 100644
  
  ########################################
  ## <summary>
-@@ -1941,6 +2498,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -65309,7 +65344,7 @@ index 4b2878a..181ada4 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2583,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -65318,7 +65353,7 @@ index 4b2878a..181ada4 100644
  	files_search_home($1)
  ')
  
-@@ -2182,7 +2757,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -65327,7 +65362,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -2435,13 +3010,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3011,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -65343,7 +65378,7 @@ index 4b2878a..181ada4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +3038,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3039,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -65370,7 +65405,7 @@ index 4b2878a..181ada4 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2572,7 +3128,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3129,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -65379,7 +65414,7 @@ index 4b2878a..181ada4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2580,70 +3136,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3137,138 @@ interface(`userdom_use_user_ttys',`
  ##	</summary>
  ## </param>
  #
@@ -65548,7 +65583,7 @@ index 4b2878a..181ada4 100644
  ########################################
  ## <summary>
  ##	Execute a shell in all user domains.  This
-@@ -2736,24 +3360,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3361,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -65573,7 +65608,7 @@ index 4b2878a..181ada4 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3378,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3379,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  	allow $1 unpriv_userdomain:sem create_sem_perms;
  ')
  
@@ -65599,7 +65634,7 @@ index 4b2878a..181ada4 100644
  ########################################
  ## <summary>
  ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3439,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3440,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -65608,7 +65643,7 @@ index 4b2878a..181ada4 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3455,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3456,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -65642,7 +65677,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -2972,7 +3543,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3544,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -65651,7 +65686,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -3027,7 +3598,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3599,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -65698,7 +65733,7 @@ index 4b2878a..181ada4 100644
  ')
  
  ########################################
-@@ -3064,6 +3673,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3674,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -65706,7 +65741,7 @@ index 4b2878a..181ada4 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3752,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3753,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -65731,7 +65766,7 @@ index 4b2878a..181ada4 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3822,1075 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3823,1075 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 34f536c..2ea5fbe 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,11 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jul 22 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-8
+- Fix oracledb_port definition
+- Allow mount to mounton the selinux file system
+- Allow users to list /var directories
+
 * Thu Jul 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-7
 - systemd fixes