diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index cc2839a..803caa9 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -70640,7 +70640,7 @@ index cda5588..91d1e25 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..aad6319 100644
+index 7c6b791..b40a5a5 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -71137,7 +71137,7 @@ index 7c6b791..aad6319 100644
  ########################################
  ## <summary>
  ##	Mount a FUSE filesystem.
-@@ -2025,6 +2387,68 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -2025,6 +2387,87 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -71203,10 +71203,29 @@ index 7c6b791..aad6319 100644
 +
 +########################################
 +## <summary>
++##	Get the attributes of a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_getattr_fusefs',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:filesystem getattr;
++')
++
++########################################
++## <summary>
  ##	Get the attributes of an hugetlbfs
  ##	filesystem.
  ## </summary>
-@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2080,6 +2523,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
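Review bot: The summary of the new `fs_getattr_fusefs` reads "a FUSEFS filesystem", which doubles the word and differs from the neighbouring "Mount a FUSE filesystem." summary in the same file; `##	Get the attributes of a FUSE filesystem.` would match. The body grants only `filesystem getattr` on `fusefs_t`, which is consistent with the interface name.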
@@ -71231,7 +71250,7 @@ index 7c6b791..aad6319 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2609,12 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -71245,7 +71264,7 @@ index 7c6b791..aad6319 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2947,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -71253,7 +71272,7 @@ index 7c6b791..aad6319 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +2986,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -71261,7 +71280,7 @@ index 7c6b791..aad6319 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +3013,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -71287,7 +71306,7 @@ index 7c6b791..aad6319 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3052,7 @@ interface(`fs_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -71296,7 +71315,7 @@ index 7c6b791..aad6319 100644
  ##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3072,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -71339,7 +71358,7 @@ index 7c6b791..aad6319 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3122,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -71348,7 +71367,7 @@ index 7c6b791..aad6319 100644
  ')
  
  ########################################
-@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3146,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -71357,7 +71376,7 @@ index 7c6b791..aad6319 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3260,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -71366,7 +71385,7 @@ index 7c6b791..aad6319 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3296,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -71375,7 +71394,7 @@ index 7c6b791..aad6319 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3489,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -71383,7 +71402,7 @@ index 7c6b791..aad6319 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3530,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -71391,7 +71410,7 @@ index 7c6b791..aad6319 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3571,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -71399,7 +71418,7 @@ index 7c6b791..aad6319 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3785,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -71424,7 +71443,7 @@ index 7c6b791..aad6319 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3823,24 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -71449,7 +71468,7 @@ index 7c6b791..aad6319 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3950,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -71458,7 +71477,7 @@ index 7c6b791..aad6319 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +3987,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -71467,7 +71486,7 @@ index 7c6b791..aad6319 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4005,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -71476,7 +71495,7 @@ index 7c6b791..aad6319 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4373,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -71501,7 +71520,7 @@ index 7c6b791..aad6319 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3963,6 +4539,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -71544,7 +71563,7 @@ index 7c6b791..aad6319 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4069,7 +4681,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -71553,7 +71572,7 @@ index 7c6b791..aad6319 100644
  ')
  
  ########################################
-@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4129,6 +4741,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -71578,7 +71597,7 @@ index 7c6b791..aad6319 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4166,7 +4796,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -71587,7 +71606,7 @@ index 7c6b791..aad6319 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4185,6 +4815,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -71630,7 +71649,7 @@ index 7c6b791..aad6319 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4242,6 +4889,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4908,43 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -71674,7 +71693,7 @@ index 7c6b791..aad6319 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4261,6 +4945,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +4964,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -71700,7 +71719,7 @@ index 7c6b791..aad6319 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4467,6 +5170,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5189,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -71709,7 +71728,7 @@ index 7c6b791..aad6319 100644
  ')
  
  ########################################
-@@ -4513,7 +5218,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5237,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -71718,7 +71737,7 @@ index 7c6b791..aad6319 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4876,3 +5581,43 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5600,43 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -87697,14 +87716,15 @@ index cbbda4a..8dcc346 100644
 +userdom_use_inherited_user_terminals(netlabel_mgmt_t)
 +
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index d43f3b1..5858c5f 100644
+index d43f3b1..c4182e8 100644
 --- a/policy/modules/system/selinuxutil.fc
 +++ b/policy/modules/system/selinuxutil.fc
-@@ -6,13 +6,13 @@
+@@ -6,13 +6,14 @@
  /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
  /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
 -/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
++/etc/selinux/([^/]*/)?logins(/.*)? gen_context(system_u:object_r:selinux_login_config_t,s0)
 +/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
  /etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 -/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
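Review bot: The new `logins` entry is labelled at `s0`, while the `setrans\.conf` entry in the same hunk sits at `mls_systemhigh`. Under an MLS build this puts the SELinux login configuration at the lowest sensitivity, so it is worth confirming that the level is intended and not simply carried over from the `contexts` lines above it. The entry also separates the regex from `gen_context` with a single space where most sibling lines use tabs. The replacement for the removed `seusers` line lies past the end of this hunk, so its level could not be compared.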
@@ -87717,7 +87737,7 @@ index d43f3b1..5858c5f 100644
  
  #
  # /root
-@@ -35,12 +35,14 @@
+@@ -35,12 +36,14 @@
  /usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
  
  /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
@@ -87733,7 +87753,7 @@ index d43f3b1..5858c5f 100644
  
  #
  # /var/lib
-@@ -51,3 +53,7 @@
+@@ -51,3 +54,7 @@
  # /var/run
  #
  /var/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
@@ -87742,7 +87762,7 @@ index d43f3b1..5858c5f 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..cac0b1e 100644
+index 3822072..beae2dc 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -192,11 +192,22 @@ interface(`seutil_domtrans_newrole',`
@@ -87899,7 +87919,7 @@ index 3822072..cac0b1e 100644
  ##	Execute setfiles in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -680,6 +776,7 @@ interface(`seutil_manage_config',`
+@@ -680,10 +776,94 @@ interface(`seutil_manage_config',`
  	')
  
  	files_search_etc($1)
@@ -87907,7 +87927,160 @@ index 3822072..cac0b1e 100644
  	manage_files_pattern($1, selinux_config_t, selinux_config_t)
  	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
  ')
-@@ -746,6 +843,29 @@ interface(`seutil_read_default_contexts',`
+ 
++########################################
++## <summary>
++##	Do not audit attempts to search the SELinux
++##	login configuration directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`seutil_dontaudit_search_login_config',`
++	gen_require(`
++		type selinux_login_config_t;
++	')
++
++	dontaudit $1 selinux_login_config_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read the SELinux
++##	login configuration.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`seutil_dontaudit_read_login_config',`
++	gen_require(`
++		type selinux_login_config_t;
++	')
++	dontaudit $1 selinux_login_config_t:dir search_dir_perms;
++    dontaudit $1 selinux_login_config_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Read the  SELinux login configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_read_login_config',`
++	gen_require(`
++		type selinux_config_t;
++		type selinux_login_config_t;
++	')
++
++	files_search_etc($1)
++	allow $1 selinux_config_t:dir search_dir_perms;
++	allow $1 selinux_login_config_t:dir list_dir_perms;
++    read_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++    read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
++########################################
++## <summary>
++##	Read and write the SELinux login configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`seutil_rw_login_config',`
++	gen_require(`
++		type selinux_config_t;
++		type selinux_login_config_t;
++	')
++
++	files_search_etc($1)
++	allow $1 selinux_config_t:dir search_dir_perms;
++    allow $1 selinux_login_config_t:dir list_dir_perms;
++    rw_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
+ #######################################
+ ## <summary>
+ ##	Create, read, write, and delete
+@@ -694,15 +874,62 @@ interface(`seutil_manage_config',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`seutil_manage_config_dirs',`
++interface(`seutil_rw_login_config_dirs',`
+ 	gen_require(`
+ 		type selinux_config_t;
++		type selinux_login_config_t;
+ 	')
+ 
+ 	files_search_etc($1)
+-	allow $1 selinux_config_t:dir manage_dir_perms;
++	allow $1 selinux_config_t:dir search_dir_perms;
++	allow $1 selinux_login_config_t:dir rw_dir_perms;
++')
++
++######################################
++## <summary>
++##  Create, read, write, and delete
++##  the general selinux configuration files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`seutil_manage_login_config',`
++    gen_require(`
++		type selinux_config_t;
++        type selinux_login_config_t;
++    ')
++
++    files_search_etc($1)
++	allow $1 selinux_config_t:dir search_dir_perms;
++    manage_dirs_pattern($1, selinux_login_config_t, selinux_login_config_t)
++    manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++    read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++')
++
++######################################
++## <summary>
++## 	manage the login selinux configuration files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`seutil_manage_login_config_files',`
++    gen_require(`
++		type selinux_config_t;
++        type selinux_login_config_t;
++    ')
++
++    files_search_etc($1)
++	allow $1 selinux_config_t:dir search_dir_perms;
++	manage_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
++	read_lnk_files_pattern($1, selinux_login_config_t, selinux_login_config_t)
+ ')
+ 
+ ########################################
+@@ -746,6 +973,29 @@ interface(`seutil_read_default_contexts',`
  	read_files_pattern($1, default_context_t, default_context_t)
  ')
  
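Review bot: Two of the new interfaces carry summaries that do not match what they grant. `seutil_rw_login_config_dirs` takes over the doc block of the removed `seutil_manage_config_dirs`, whose visible summary begins "Create, read, write, and delete", yet it now allows only `search_dir_perms` on `selinux_config_t` and `rw_dir_perms` on `selinux_login_config_t`. `seutil_manage_login_config` is described as managing "the general selinux configuration files" although every rule in it targets `selinux_login_config_t`. Suggested summaries are `##	Read and write the SELinux login configuration directories.` for the first and `##	the SELinux login configuration directories and files.` as the second line of the other. Because `seutil_manage_config_dirs` no longer exists after this change, callers outside this hunk need checking, and the bodies would read better with tabs throughout, as in the context lines, in place of the mixed tab and four-space indentation.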
@@ -87937,7 +88110,7 @@ index 3822072..cac0b1e 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete the default_contexts files.
-@@ -999,6 +1119,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -999,6 +1249,26 @@ interface(`seutil_domtrans_semanage',`
  
  ########################################
  ## <summary>
@@ -87964,7 +88137,7 @@ index 3822072..cac0b1e 100644
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1017,11 +1157,66 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1287,66 @@ interface(`seutil_domtrans_semanage',`
  #
  interface(`seutil_run_semanage',`
  	gen_require(`
@@ -88033,7 +88206,17 @@ index 3822072..cac0b1e 100644
  ')
  
  ########################################
-@@ -1137,3 +1332,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1044,6 +1369,9 @@ interface(`seutil_manage_module_store',`
+ 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
+ 	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
++	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "active")
++	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "previous")
++	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "tmp")
+ ')
+ 
+ #######################################
+@@ -1137,3 +1465,58 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
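Review bot: The three added name-based transitions in `seutil_manage_module_store` have no comment saying what creates `active`, `previous` and `tmp` directly inside a `selinux_config_t` directory. `tmp` in particular is a generic name: any directory a caller of this interface creates under that name in a `selinux_config_t` parent will be labelled `semanage_store_t`. A comment above the three rules naming the component that creates these directories and why they must be labelled at creation would record the intent. If they are only ever created beneath `modules`, which the existing transition already labels `semanage_store_t`, the new rules would presumably never fire and could be dropped. The interface begins above the visible lines of this hunk.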
@@ -88093,7 +88276,7 @@ index 3822072..cac0b1e 100644
 +	auth_relabelto_shadow($1)
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..98094ae 100644
+index ec01d0b..12ed3ea 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -11,14 +11,17 @@ gen_require(`
@@ -88119,17 +88302,20 @@ index ec01d0b..98094ae 100644
  
  #
  # selinux_config_t is the type applied to
-@@ -30,6 +33,9 @@ roleattribute system_r semanage_roles;
+@@ -30,6 +33,12 @@ roleattribute system_r semanage_roles;
  type selinux_config_t;
  files_type(selinux_config_t)
  
++type selinux_login_config_t;
++files_type(selinux_login_config_t)
++
 +type selinux_var_lib_t;
 +files_type(selinux_var_lib_t)
 +
  type checkpolicy_t, can_write_binary_policy;
  type checkpolicy_exec_t;
  application_domain(checkpolicy_t, checkpolicy_exec_t)
-@@ -60,14 +66,20 @@ application_domain(newrole_t, newrole_exec_t)
+@@ -60,14 +69,20 @@ application_domain(newrole_t, newrole_exec_t)
  domain_role_change_exemption(newrole_t)
  domain_obj_id_change_exemption(newrole_t)
  domain_interactive_fd(newrole_t)
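Review bot: `selinux_login_config_t` is declared with plain `files_type()`, so it is likely covered by attribute-wide file rules such as the `files_read_non_security_files(semanage_t)` call that appears elsewhere in this patch. If the login configuration is meant to be reachable only through the new `seutil_*_login_config` interfaces, `files_security_file(selinux_login_config_t)` would be the declaration to consider; this assumes that macro is available in this policy tree, which the hunk does not show. The declaration also lacks the explanatory comment block that `selinux_config_t` has just above it; something like `# selinux_login_config_t is the type applied to the SELinux login configuration under /etc/selinux/*/logins` would match.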
@@ -88153,7 +88339,7 @@ index ec01d0b..98094ae 100644
  
  neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
  #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -83,7 +95,6 @@ type restorecond_t;
+@@ -83,7 +98,6 @@ type restorecond_t;
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t, restorecond_exec_t)
  domain_obj_id_change_exemption(restorecond_t)
@@ -88161,7 +88347,7 @@ index ec01d0b..98094ae 100644
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -92,25 +103,33 @@ type run_init_t;
+@@ -92,25 +106,32 @@ type run_init_t;
  type run_init_exec_t;
  application_domain(run_init_t, run_init_exec_t)
  domain_system_change_exemption(run_init_t)
@@ -88172,7 +88358,6 @@ index ec01d0b..98094ae 100644
  type semanage_t;
  type semanage_exec_t;
  application_domain(semanage_t, semanage_exec_t)
-+dbus_system_domain(semanage_t, semanage_exec_t)
 +init_daemon_domain(semanage_t, semanage_exec_t)
  domain_interactive_fd(semanage_t)
 -role semanage_roles types semanage_t;
@@ -88200,7 +88385,7 @@ index ec01d0b..98094ae 100644
  
  type semanage_var_lib_t;
  files_type(semanage_var_lib_t)
-@@ -120,6 +139,11 @@ type setfiles_exec_t alias restorecon_exec_t;
+@@ -120,6 +141,11 @@ type setfiles_exec_t alias restorecon_exec_t;
  init_system_domain(setfiles_t, setfiles_exec_t)
  domain_obj_id_change_exemption(setfiles_t)
  
@@ -88212,7 +88397,15 @@ index ec01d0b..98094ae 100644
  ########################################
  #
  # Checkpolicy local policy
-@@ -151,7 +175,7 @@ term_use_console(checkpolicy_t)
+@@ -137,6 +163,7 @@ filetrans_add_pattern(checkpolicy_t, policy_src_t, policy_config_t, file)
+ read_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+ read_lnk_files_pattern(checkpolicy_t, policy_src_t, policy_src_t)
+ allow checkpolicy_t selinux_config_t:dir search_dir_perms;
++allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;
+ 
+ domain_use_interactive_fds(checkpolicy_t)
+ 
+@@ -151,7 +178,7 @@ term_use_console(checkpolicy_t)
  init_use_fds(checkpolicy_t)
  init_use_script_ptys(checkpolicy_t)
  
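Review bot: The added `allow checkpolicy_t selinux_login_config_t:dir search_dir_perms;` looks like a mechanical copy of the `selinux_config_t` rule on the line before it. That earlier rule is presumably there so checkpolicy can traverse towards the policy files, but nothing in the visible rules has checkpolicy reading anything below a `selinux_login_config_t` directory. The new rule therefore appears to widen the domain without a consumer and should be dropped unless a recorded denial shows it is needed. The same question applies to `dontaudit load_policy_t selinux_login_config_t:file write;` in the following hunk, which also suppresses audit records for write attempts on the login configuration when `hide_broken_symptoms` is defined.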
@@ -88221,7 +88414,7 @@ index ec01d0b..98094ae 100644
  userdom_use_all_users_fds(checkpolicy_t)
  
  ifdef(`distro_ubuntu',`
-@@ -188,13 +212,15 @@ term_list_ptys(load_policy_t)
+@@ -188,13 +215,15 @@ term_list_ptys(load_policy_t)
  
  init_use_script_fds(load_policy_t)
  init_use_script_ptys(load_policy_t)
@@ -88238,7 +88431,15 @@ index ec01d0b..98094ae 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -220,7 +246,7 @@ optional_policy(`
+@@ -205,6 +234,7 @@ ifdef(`distro_ubuntu',`
+ ifdef(`hide_broken_symptoms',`
+ 	# cjp: cover up stray file descriptors.
+ 	dontaudit load_policy_t selinux_config_t:file write;
++	dontaudit load_policy_t selinux_login_config_t:file write;
+ 
+ 	optional_policy(`
+ 		unconfined_dontaudit_read_pipes(load_policy_t)
+@@ -220,7 +250,7 @@ optional_policy(`
  # Newrole local policy
  #
  
@@ -88247,7 +88448,7 @@ index ec01d0b..98094ae 100644
  allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow newrole_t self:process setexec;
  allow newrole_t self:fd use;
-@@ -232,7 +258,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -232,7 +262,7 @@ allow newrole_t self:msgq create_msgq_perms;
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -88256,7 +88457,7 @@ index ec01d0b..98094ae 100644
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -249,6 +275,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -249,6 +279,7 @@ domain_use_interactive_fds(newrole_t)
  # for when the user types "exec newrole" at the command line:
  domain_sigchld_interactive_fds(newrole_t)
  
@@ -88264,7 +88465,7 @@ index ec01d0b..98094ae 100644
  files_read_etc_files(newrole_t)
  files_read_var_files(newrole_t)
  files_read_var_symlinks(newrole_t)
-@@ -276,25 +303,39 @@ term_relabel_all_ptys(newrole_t)
+@@ -276,25 +307,39 @@ term_relabel_all_ptys(newrole_t)
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -88310,7 +88511,7 @@ index ec01d0b..98094ae 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -309,7 +350,7 @@ if(secure_mode) {
+@@ -309,7 +354,7 @@ if(secure_mode) {
  	userdom_spec_domtrans_all_users(newrole_t)
  }
  
@@ -88319,7 +88520,7 @@ index ec01d0b..98094ae 100644
  	files_polyinstantiate_all(newrole_t)
  ')
  
-@@ -328,9 +369,13 @@ kernel_use_fds(restorecond_t)
+@@ -328,9 +373,13 @@ kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -88334,7 +88535,7 @@ index ec01d0b..98094ae 100644
  fs_list_inotifyfs(restorecond_t)
  
  selinux_validate_context(restorecond_t)
-@@ -341,6 +386,7 @@ selinux_compute_user_contexts(restorecond_t)
+@@ -341,6 +390,7 @@ selinux_compute_user_contexts(restorecond_t)
  
  files_relabel_non_auth_files(restorecond_t )
  files_read_non_auth_files(restorecond_t)
@@ -88342,7 +88543,7 @@ index ec01d0b..98094ae 100644
  auth_use_nsswitch(restorecond_t)
  
  locallogin_dontaudit_use_fds(restorecond_t)
-@@ -351,6 +397,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -351,6 +401,8 @@ miscfiles_read_localization(restorecond_t)
  
  seutil_libselinux_linked(restorecond_t)
  
@@ -88351,7 +88552,7 @@ index ec01d0b..98094ae 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -366,21 +414,24 @@ optional_policy(`
+@@ -366,21 +418,24 @@ optional_policy(`
  # Run_init local policy
  #
  
@@ -88378,7 +88579,7 @@ index ec01d0b..98094ae 100644
  dev_dontaudit_list_all_dev_nodes(run_init_t)
  
  domain_use_interactive_fds(run_init_t)
-@@ -398,14 +449,23 @@ selinux_compute_create_context(run_init_t)
+@@ -398,14 +453,23 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -88404,7 +88605,7 @@ index ec01d0b..98094ae 100644
  
  logging_send_syslog_msg(run_init_t)
  
-@@ -414,7 +474,7 @@ miscfiles_read_localization(run_init_t)
+@@ -414,7 +478,7 @@ miscfiles_read_localization(run_init_t)
  seutil_libselinux_linked(run_init_t)
  seutil_read_default_contexts(run_init_t)
  
@@ -88413,7 +88614,7 @@ index ec01d0b..98094ae 100644
  
  ifndef(`direct_sysadm_daemon',`
  	ifdef(`distro_gentoo',`
-@@ -425,6 +485,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -425,6 +489,19 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -88433,7 +88634,7 @@ index ec01d0b..98094ae 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -440,81 +513,83 @@ optional_policy(`
+@@ -440,81 +517,87 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -88480,11 +88681,11 @@ index ec01d0b..98094ae 100644
 -
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
+-
+-locallogin_use_fds(semanage_t)
 +# Admins are creating pp files in random locations
 +files_read_non_security_files(semanage_t)
  
--locallogin_use_fds(semanage_t)
--
 -logging_send_syslog_msg(semanage_t)
 -
 -miscfiles_read_localization(semanage_t)
@@ -88527,6 +88728,10 @@ index ec01d0b..98094ae 100644
 -		unconfined_domain(semanage_t)
 -	')
 +optional_policy(`
++	dbus_system_domain(semanage_t, semanage_exec_t)
++')
++
++optional_policy(`
 +	mock_manage_lib_files(semanage_t)
 +	mock_manage_lib_dirs(semanage_t)
 +')
@@ -88570,7 +88775,7 @@ index ec01d0b..98094ae 100644
  ')
  
  ########################################
-@@ -522,108 +597,184 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +605,184 @@ ifdef(`distro_ubuntu',`
  # Setfiles local policy
  #
  
@@ -88647,14 +88852,15 @@ index ec01d0b..98094ae 100644
 +	devicekit_dontaudit_read_pid_files(setfiles_t)
 +	devicekit_dontaudit_rw_log(setfiles_t)
 +')
- 
--seutil_libselinux_linked(setfiles_t)
++
 +optional_policy(`
 +	xserver_append_xdm_tmp_files(setfiles_t)
 +')
-+
+ 
+-seutil_libselinux_linked(setfiles_t)
 +ifdef(`hide_broken_symptoms',`
-+
+ 
+-userdom_use_all_users_fds(setfiles_t)
 +	optional_policy(`
 +		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
 +		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
@@ -88665,8 +88871,7 @@ index ec01d0b..98094ae 100644
 +		unconfined_domain(setfiles_t)
 +	')
 +')
- 
--userdom_use_all_users_fds(setfiles_t)
++
 +########################################
 +#
 +# Setfiles common policy
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index 4924769..8e5df66 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -841,7 +841,7 @@ index c0f858d..d75aae9 100644
 +	allow $1 accountsd_unit_file_t:service all_service_perms;
  ')
 diff --git a/accountsd.te b/accountsd.te
-index 1632f10..1cb95bc 100644
+index 1632f10..1b42ac3 100644
 --- a/accountsd.te
 +++ b/accountsd.te
 @@ -1,5 +1,9 @@
@@ -854,10 +854,11 @@ index 1632f10..1cb95bc 100644
  ########################################
  #
  # Declarations
-@@ -8,34 +12,46 @@ policy_module(accountsd, 1.0.0)
+@@ -7,35 +11,46 @@ policy_module(accountsd, 1.0.0)
+ 
  type accountsd_t;
  type accountsd_exec_t;
- dbus_system_domain(accountsd_t, accountsd_exec_t)
+-dbus_system_domain(accountsd_t, accountsd_exec_t)
 +init_daemon_domain(accountsd_t, accountsd_exec_t)
 +role system_r types accountsd_t;
  
@@ -902,11 +903,15 @@ index 1632f10..1cb95bc 100644
  
  miscfiles_read_localization(accountsd_t)
  
-@@ -50,8 +66,15 @@ usermanage_domtrans_passwd(accountsd_t)
+@@ -50,8 +65,19 @@ usermanage_domtrans_passwd(accountsd_t)
  
  optional_policy(`
  	consolekit_read_log(accountsd_t)
 +	consolekit_dbus_chat(accountsd_t)
++')
++
++optional_policy(`
++	dbus_system_domain(accountsd_t, accountsd_exec_t)
  ')
  
  optional_policy(`
@@ -5399,15 +5404,27 @@ index 6355318..98ba16a 100644
  
  /var/lib/blueman(/.*)?			gen_context(system_u:object_r:blueman_var_lib_t,s0)
 diff --git a/blueman.te b/blueman.te
-index 70969fa..5d26a60 100644
+index 70969fa..2734ef8 100644
 --- a/blueman.te
 +++ b/blueman.te
-@@ -44,3 +44,11 @@ miscfiles_read_localization(blueman_t)
+@@ -7,7 +7,6 @@ policy_module(blueman, 1.0.0)
+ 
+ type blueman_t;
+ type blueman_exec_t;
+-dbus_system_domain(blueman_t, blueman_exec_t)
+ init_daemon_domain(blueman_t, blueman_exec_t)
+ 
+ type blueman_var_lib_t;
+@@ -44,3 +43,15 @@ miscfiles_read_localization(blueman_t)
  optional_policy(`
  	avahi_domtrans(blueman_t)
  ')
 +
 +optional_policy(`
++	dbus_system_domain(blueman_t, blueman_exec_t)
++')
++
++optional_policy(`
 +	gnome_search_gconf(blueman_t)
 +')
 +
@@ -15410,28 +15427,29 @@ index f706b99..aa049fc 100644
 +	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/devicekit.te b/devicekit.te
-index 1819518..b2dd360 100644
+index 1819518..84a3fbd 100644
 --- a/devicekit.te
 +++ b/devicekit.te
-@@ -8,14 +8,17 @@ policy_module(devicekit, 1.2.0)
+@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.0)
+ 
  type devicekit_t;
  type devicekit_exec_t;
- dbus_system_domain(devicekit_t, devicekit_exec_t)
+-dbus_system_domain(devicekit_t, devicekit_exec_t)
 +init_daemon_domain(devicekit_t, devicekit_exec_t)
  
  type devicekit_power_t;
  type devicekit_power_exec_t;
- dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
 +init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
  
  type devicekit_disk_t;
  type devicekit_disk_exec_t;
- dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
+-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
 +init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
  
  type devicekit_tmp_t;
  files_tmp_file(devicekit_tmp_t)
-@@ -26,6 +29,9 @@ files_pid_file(devicekit_var_run_t)
+@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
  type devicekit_var_lib_t;
  files_type(devicekit_var_lib_t)
  
@@ -15441,7 +15459,7 @@ index 1819518..b2dd360 100644
  ########################################
  #
  # DeviceKit local policy
-@@ -42,7 +48,6 @@ kernel_read_system_state(devicekit_t)
+@@ -42,11 +45,11 @@ kernel_read_system_state(devicekit_t)
  dev_read_sysfs(devicekit_t)
  dev_read_urand(devicekit_t)
  
@@ -15449,7 +15467,12 @@ index 1819518..b2dd360 100644
  
  miscfiles_read_localization(devicekit_t)
  
-@@ -62,7 +67,8 @@ optional_policy(`
+ optional_policy(`
++	dbus_system_domain(devicekit_t, devicekit_exec_t)
+ 	dbus_system_bus_client(devicekit_t)
+ 
+ 	allow devicekit_t devicekit_disk_t:dbus send_msg;
+@@ -62,7 +65,8 @@ optional_policy(`
  # DeviceKit disk local policy
  #
  
@@ -15459,7 +15482,7 @@ index 1819518..b2dd360 100644
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -75,10 +81,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -75,10 +79,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
  
@@ -15474,7 +15497,7 @@ index 1819518..b2dd360 100644
  kernel_getattr_message_if(devicekit_disk_t)
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +107,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+@@ -97,6 +105,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
  dev_manage_generic_files(devicekit_disk_t)
  dev_getattr_all_chr_files(devicekit_disk_t)
  dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -15482,7 +15505,7 @@ index 1819518..b2dd360 100644
  
  domain_getattr_all_pipes(devicekit_disk_t)
  domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +116,16 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +114,16 @@ domain_read_all_domains_state(devicekit_disk_t)
  
  files_dontaudit_read_all_symlinks(devicekit_disk_t)
  files_getattr_all_sockets(devicekit_disk_t)
@@ -15501,7 +15524,7 @@ index 1819518..b2dd360 100644
  fs_list_inotifyfs(devicekit_disk_t)
  fs_manage_fusefs_dirs(devicekit_disk_t)
  fs_mount_all_fs(devicekit_disk_t)
-@@ -127,14 +140,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,16 +138,20 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -15519,8 +15542,11 @@ index 1819518..b2dd360 100644
 +userdom_manage_user_tmp_dirs(devicekit_disk_t)
  
  optional_policy(`
++	dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
  	dbus_system_bus_client(devicekit_disk_t)
-@@ -170,6 +186,10 @@ optional_policy(`
+ 
+ 	allow devicekit_disk_t devicekit_t:dbus send_msg;
+@@ -170,6 +185,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15531,7 +15557,7 @@ index 1819518..b2dd360 100644
  	udev_domtrans(devicekit_disk_t)
  	udev_read_db(devicekit_disk_t)
  ')
-@@ -178,55 +198,84 @@ optional_policy(`
+@@ -178,55 +197,84 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -15622,7 +15648,7 @@ index 1819518..b2dd360 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,7 +284,12 @@ optional_policy(`
+@@ -235,10 +283,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -15635,6 +15661,10 @@ index 1819518..b2dd360 100644
  ')
  
  optional_policy(`
++	dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+ 	dbus_system_bus_client(devicekit_power_t)
+ 
+ 	allow devicekit_power_t devicekit_t:dbus send_msg;
 @@ -261,14 +315,21 @@ optional_policy(`
  ')
  
@@ -19725,18 +19755,19 @@ index ebad8c4..640293e 100644
  ')
 -
 diff --git a/fprintd.te b/fprintd.te
-index 7df52c7..1eb75fd 100644
+index 7df52c7..d27d645 100644
 --- a/fprintd.te
 +++ b/fprintd.te
-@@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0)
+@@ -7,7 +7,7 @@ policy_module(fprintd, 1.1.0)
+ 
  type fprintd_t;
  type fprintd_exec_t;
- dbus_system_domain(fprintd_t, fprintd_exec_t)
+-dbus_system_domain(fprintd_t, fprintd_exec_t)
 +init_daemon_domain(fprintd_t, fprintd_exec_t)
  
  type fprintd_var_lib_t;
  files_type(fprintd_var_lib_t)
-@@ -17,9 +18,10 @@ files_type(fprintd_var_lib_t)
+@@ -17,9 +17,10 @@ files_type(fprintd_var_lib_t)
  # Local policy
  #
  
@@ -19749,7 +19780,7 @@ index 7df52c7..1eb75fd 100644
  
  manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
  manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -33,7 +35,6 @@ dev_list_usbfs(fprintd_t)
+@@ -33,7 +34,6 @@ dev_list_usbfs(fprintd_t)
  dev_rw_generic_usb_dev(fprintd_t)
  dev_read_sysfs(fprintd_t)
  
@@ -19757,7 +19788,15 @@ index 7df52c7..1eb75fd 100644
  files_read_usr_files(fprintd_t)
  
  fs_getattr_all_fs(fprintd_t)
-@@ -54,4 +55,5 @@ optional_policy(`
+@@ -50,8 +50,13 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	dbus_system_domain(fprintd_t, fprintd_exec_t)
++')
++
++optional_policy(`
+ 	policykit_read_reload(fprintd_t)
  	policykit_read_lib(fprintd_t)
  	policykit_dbus_chat(fprintd_t)
  	policykit_domtrans_auth(fprintd_t)
@@ -22952,7 +22991,7 @@ index f5afe78..7861fc8 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/gnome.te b/gnome.te
-index 783c5fb..6667fec 100644
+index 783c5fb..9d2b881 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
@@ -22988,7 +23027,7 @@ index 783c5fb..6667fec 100644
  typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
  typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
  typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -28,12 +48,35 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
+@@ -28,12 +48,33 @@ typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
  typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
  userdom_user_application_domain(gconfd_t, gconfd_exec_t)
  
@@ -23014,18 +23053,16 @@ index 783c5fb..6667fec 100644
 +
 +type gconfdefaultsm_t;
 +type gconfdefaultsm_exec_t;
-+dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
 +init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
 +
 +type gnomesystemmm_t;
 +type gnomesystemmm_exec_t;
-+dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
 +init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
 +
  ##############################
  #
  # Local Policy
-@@ -73,3 +116,157 @@ optional_policy(`
+@@ -73,3 +114,165 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -23059,6 +23096,10 @@ index 783c5fb..6667fec 100644
 +')
 +
 +optional_policy(`
++	dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
++')
++
++optional_policy(`
 +	nscd_dontaudit_search_pid(gconfdefaultsm_t)
 +')
 +
@@ -23106,6 +23147,10 @@ index 783c5fb..6667fec 100644
 +')
 +
 +optional_policy(`
++	dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
++')
++
++optional_policy(`
 +	nscd_dontaudit_search_pid(gnomesystemmm_t)
 +')
 +
@@ -23224,13 +23269,14 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/gnomeclock.te b/gnomeclock.te
-index 4fde46b..469a6e3 100644
+index 4fde46b..eb8918a 100644
 --- a/gnomeclock.te
 +++ b/gnomeclock.te
-@@ -8,25 +8,37 @@ policy_module(gnomeclock, 1.0.0)
+@@ -7,26 +7,37 @@ policy_module(gnomeclock, 1.0.0)
+ 
  type gnomeclock_t;
  type gnomeclock_exec_t;
- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+-dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
 +init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
  
  ########################################
@@ -23253,10 +23299,10 @@ index 4fde46b..469a6e3 100644
 +corecmd_dontaudit_access_check_bin(gnomeclock_t)
 +
 +corenet_tcp_connect_time_port(gnomeclock_t)
-+
-+dev_read_sysfs(gnomeclock_t)
  
 -files_read_etc_files(gnomeclock_t)
++dev_read_sysfs(gnomeclock_t)
++
 +files_read_etc_runtime_files(gnomeclock_t)
  files_read_usr_files(gnomeclock_t)
  
@@ -23269,7 +23315,7 @@ index 4fde46b..469a6e3 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +47,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +46,38 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -23289,6 +23335,10 @@ index 4fde46b..469a6e3 100644
 +')
 +
 +optional_policy(`
++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
++')
++
++optional_policy(`
 +	gnome_manage_usr_config(gnomeclock_t)
 +')
 +
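Review bot: The added `dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)` line inside the new `optional_policy` block has no leading tab, unlike the other blocks this commit adds (for example the jockey.te and kde.te ones); it should read `	dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)`. The rtkit.te hunk has a similar slip: its new block closes with `')` and the next `optional_policy(` follows without the blank line used elsewhere. Neither should change the compiled policy, but uniform blocks make it easier to scan the modules for the relocated `dbus_system_domain` calls.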
@@ -26090,10 +26140,10 @@ index 0000000..868c7d0
 +')
 diff --git a/jockey.te b/jockey.te
 new file mode 100644
-index 0000000..0316d53
+index 0000000..9632221
 --- /dev/null
 +++ b/jockey.te
-@@ -0,0 +1,52 @@
+@@ -0,0 +1,55 @@
 +policy_module(jockey, 1.0.0)
 +
 +########################################
@@ -26103,7 +26153,6 @@ index 0000000..0316d53
 +
 +type jockey_t;
 +type jockey_exec_t;
-+dbus_system_domain(jockey_t, jockey_exec_t)
 +init_daemon_domain(jockey_t, jockey_exec_t)
 +
 +type jockey_cache_t;
@@ -26143,6 +26192,10 @@ index 0000000..0316d53
 +miscfiles_read_localization(jockey_t)
 +
 +optional_policy(`
++	dbus_system_domain(jockey_t, jockey_exec_t)
++')
++
++optional_policy(`
 +	modutils_domtrans_insmod(jockey_t)
 +	modutils_read_module_config(jockey_t)
 +')
@@ -26183,10 +26236,10 @@ index 0000000..cf65577
 +')
 diff --git a/kde.te b/kde.te
 new file mode 100644
-index 0000000..f9b9c0f
+index 0000000..3d7b011
 --- /dev/null
 +++ b/kde.te
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,44 @@
 +policy_module(kde,1.0.0)
 +
 +########################################
@@ -26196,7 +26249,6 @@ index 0000000..f9b9c0f
 +
 +type kdebacklighthelper_t;
 +type kdebacklighthelper_exec_t;
-+dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
 +init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
 +
 +########################################
@@ -26221,6 +26273,10 @@ index 0000000..f9b9c0f
 +miscfiles_read_localization(kdebacklighthelper_t)
 +
 +optional_policy(`
++	dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
++')
++
++optional_policy(`
 +	consolekit_dbus_chat(kdebacklighthelper_t)
 +')
 +
@@ -26476,13 +26532,14 @@ index b29d8e2..c1b4a64 100644
 +	unconfined_domain(kdumpctl_t)
 +')
 diff --git a/kdumpgui.te b/kdumpgui.te
-index 0c52f60..a085fbd 100644
+index 0c52f60..38c154f 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
-@@ -8,6 +8,10 @@ policy_module(kdumpgui, 1.1.0)
+@@ -7,7 +7,10 @@ policy_module(kdumpgui, 1.1.0)
+ 
  type kdumpgui_t;
  type kdumpgui_exec_t;
- dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+-dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
 +init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
 +
 +type kdumpgui_tmp_t;
@@ -26490,7 +26547,7 @@ index 0c52f60..a085fbd 100644
  
  ######################################
  #
-@@ -18,6 +22,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
+@@ -18,6 +21,10 @@ allow kdumpgui_t self:capability { net_admin sys_admin sys_rawio };
  allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
  allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
  
@@ -26501,7 +26558,7 @@ index 0c52f60..a085fbd 100644
  kernel_read_system_state(kdumpgui_t)
  kernel_read_network_state(kdumpgui_t)
  
-@@ -36,6 +44,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
+@@ -36,6 +43,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
  files_etc_filetrans_etc_runtime(kdumpgui_t, file)
  files_read_usr_files(kdumpgui_t)
  
@@ -26510,7 +26567,7 @@ index 0c52f60..a085fbd 100644
  storage_raw_read_fixed_disk(kdumpgui_t)
  storage_raw_write_fixed_disk(kdumpgui_t)
  
-@@ -45,8 +55,20 @@ logging_send_syslog_msg(kdumpgui_t)
+@@ -45,19 +54,36 @@ logging_send_syslog_msg(kdumpgui_t)
  
  miscfiles_read_localization(kdumpgui_t)
  
@@ -26524,14 +26581,22 @@ index 0c52f60..a085fbd 100644
 +	bootloader_exec(kdumpgui_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
+ 	consoletype_exec(kdumpgui_t)
+ ')
+ 
+ optional_policy(`
 +	consoletype_exec(kdumpgui_t)
 +')
 +
- optional_policy(`
- 	consoletype_exec(kdumpgui_t)
++optional_policy(`
++	dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
++')
++
++optional_policy(`
+ 	dev_rw_lvm_control(kdumpgui_t)
  ')
-@@ -58,6 +80,7 @@ optional_policy(`
+ 
  optional_policy(`
  	kdump_manage_config(kdumpgui_t)
  	kdump_initrc_domtrans(kdumpgui_t)
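Review bot: After this change the kdumpgui.te patch carries two identical `optional_policy` blocks calling `consoletype_exec(kdumpgui_t)`, one as context and one as an added block directly below it. The second grants nothing new and can be dropped, so that the added `dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)` block follows the existing one. The duplication appears to predate this commit, but this re-cut hunk is a natural place to remove it.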
@@ -31315,18 +31380,19 @@ index 0000000..00d38c5
 +	userdom_read_user_home_content_files(mock_build_t)
 +')
 diff --git a/modemmanager.te b/modemmanager.te
-index b3ace16..46f4b11 100644
+index b3ace16..35c92dd 100644
 --- a/modemmanager.te
 +++ b/modemmanager.te
-@@ -8,6 +8,7 @@ policy_module(modemmanager, 1.1.0)
+@@ -7,7 +7,7 @@ policy_module(modemmanager, 1.1.0)
+ 
  type modemmanager_t;
  type modemmanager_exec_t;
- dbus_system_domain(modemmanager_t, modemmanager_exec_t)
+-dbus_system_domain(modemmanager_t, modemmanager_exec_t)
 +init_daemon_domain(modemmanager_t, modemmanager_exec_t)
  typealias modemmanager_t alias ModemManager_t;
  typealias modemmanager_exec_t alias ModemManager_exec_t;
  
-@@ -16,7 +17,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
+@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t;
  # ModemManager local policy
  #
  
@@ -31336,7 +31402,7 @@ index b3ace16..46f4b11 100644
  allow modemmanager_t self:fifo_file rw_file_perms;
  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -28,13 +30,27 @@ dev_rw_modem(modemmanager_t)
+@@ -28,13 +29,31 @@ dev_rw_modem(modemmanager_t)
  
  files_read_etc_files(modemmanager_t)
  
@@ -31353,6 +31419,10 @@ index b3ace16..46f4b11 100644
  
 -networkmanager_dbus_chat(modemmanager_t)
 +optional_policy(`
++	dbus_system_domain(modemmanager_t, modemmanager_exec_t)
++')
++
++optional_policy(`
 +	networkmanager_dbus_chat(modemmanager_t)
 +')
 +
@@ -40065,7 +40135,7 @@ index 0000000..20ea9f5
 +
 diff --git a/piranha.if b/piranha.if
 new file mode 100644
-index 0000000..548d0a2
+index 0000000..242567b
 --- /dev/null
 +++ b/piranha.if
 @@ -0,0 +1,175 @@
@@ -40105,11 +40175,11 @@ index 0000000..548d0a2
 +	# piranha_$1_t local policy
 +	#
 +
-+	allow piranha_$1_t self:process signal_perms;
-+
 +	manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
 +	manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
 +	files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
++
++	auth_use_nsswitch(piranha_$1_t)
 +')
 +
 +########################################
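Review bot: Moving `auth_use_nsswitch(piranha_$1_t)` into the template grants name-service access to every domain the template instantiates, where the earlier revision gave it only to `piranha_pulse_t` (that call is removed in the piranha.te hunk further down). Which other piranha domains exist is not visible here, so confirm that each one actually performs user or host lookups; if not, keep the call per domain in piranha.te. If the wider grant is intended, a comment above the call such as `# every piranha daemon needs nsswitch lookups: <reason>` would record that. The template body starts before this hunk.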
@@ -40246,10 +40316,10 @@ index 0000000..548d0a2
 +')
 diff --git a/piranha.te b/piranha.te
 new file mode 100644
-index 0000000..925b0a2
+index 0000000..f29bf1d
 --- /dev/null
 +++ b/piranha.te
-@@ -0,0 +1,299 @@
+@@ -0,0 +1,298 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -40451,8 +40521,6 @@ index 0000000..925b0a2
 +
 +fs_getattr_all_fs(piranha_pulse_t)
 +
-+auth_use_nsswitch(piranha_pulse_t)
-+
 +logging_send_syslog_msg(piranha_pulse_t)
 +
 +miscfiles_read_localization(piranha_pulse_t)
@@ -40519,6 +40587,7 @@ index 0000000..925b0a2
 +# piranha domains common policy
 +#
 +
++allow piranha_domain self:process signal_perms;
 +allow piranha_domain self:fifo_file rw_fifo_file_perms;
 +allow piranha_domain self:tcp_socket create_stream_socket_perms;
 +allow piranha_domain self:udp_socket create_socket_perms;
@@ -44456,7 +44525,7 @@ index f40c64d..a3352d3 100644
 +	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
  ')
 diff --git a/pulseaudio.te b/pulseaudio.te
-index 901ac9b..122431f 100644
+index 901ac9b..10dbb29 100644
 --- a/pulseaudio.te
 +++ b/pulseaudio.te
 @@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -44542,12 +44611,14 @@ index 901ac9b..122431f 100644
  
  optional_policy(`
  	bluetooth_stream_connect(pulseaudio_t)
-@@ -125,16 +148,35 @@ optional_policy(`
+@@ -125,16 +148,37 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	gnome_read_gkeyringd_state(pulseaudio_t)
 +	gnome_signull_gkeyringd(pulseaudio_t)
++	gnome_manage_gstreamer_home_files(pulseaudio_t)
++	gnome_exec_gstreamer_home_files(pulseaudio_t)
 +')
 +
 +optional_policy(`
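Review bot: The two added calls `gnome_manage_gstreamer_home_files(pulseaudio_t)` and `gnome_exec_gstreamer_home_files(pulseaudio_t)` together appear to let pulseaudio_t both write and execute files of the same home-directory type, judging by the interface names (their bodies are not in this hunk). With that pairing, content the domain writes can later be executed by the same domain, so the grant needs a stated reason. I would add a comment above them, e.g. `# <why pulseaudio must write and execute gstreamer home files; bug id>`, and check whether read plus exec would be enough instead of manage.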
@@ -44578,7 +44649,7 @@ index 901ac9b..122431f 100644
  	udev_read_state(pulseaudio_t)
  	udev_read_db(pulseaudio_t)
  ')
-@@ -146,3 +188,7 @@ optional_policy(`
+@@ -146,3 +190,7 @@ optional_policy(`
  	xserver_read_xdm_pid(pulseaudio_t)
  	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
  ')
@@ -47873,10 +47944,10 @@ index 0000000..48ea717
 +')
 diff --git a/realmd.te b/realmd.te
 new file mode 100644
-index 0000000..2102bd0
+index 0000000..314e17e
 --- /dev/null
 +++ b/realmd.te
-@@ -0,0 +1,40 @@
+@@ -0,0 +1,44 @@
 +policy_module(realmd, 1.0.0)
 +
 +########################################
@@ -47886,7 +47957,7 @@ index 0000000..2102bd0
 +
 +type realmd_t;
 +type realmd_exec_t;
-+dbus_system_domain(realmd_t, realmd_exec_t)
++application_domain(realmd_t, realmd_exec_t)
 +
 +########################################
 +#
@@ -47904,6 +47975,10 @@ index 0000000..2102bd0
 +miscfiles_read_localization(realmd_t)
 +
 +optional_policy(`
++	dbus_system_domain(realmd_t, realmd_exec_t)
++')
++
++optional_policy(`
 +	kerberos_use(realmd_t)
 +')
 +
@@ -51347,17 +51422,27 @@ index 46dad1f..051addd 100644
  	allow rtkit_daemon_t $1:process { getsched setsched };
  	rtkit_daemon_dbus_chat($1)
 diff --git a/rtkit.te b/rtkit.te
-index 6f8e268..7d64285 100644
+index 6f8e268..a50b694 100644
 --- a/rtkit.te
 +++ b/rtkit.te
-@@ -8,6 +8,7 @@ policy_module(rtkit, 1.1.0)
+@@ -7,7 +7,7 @@ policy_module(rtkit, 1.1.0)
+ 
  type rtkit_daemon_t;
  type rtkit_daemon_exec_t;
- dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
+-dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
 +init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
  
  ########################################
  #
+@@ -31,5 +31,8 @@ logging_send_syslog_msg(rtkit_daemon_t)
+ miscfiles_read_localization(rtkit_daemon_t)
+ 
+ optional_policy(`
++	dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
++')
++optional_policy(`
+ 	policykit_dbus_chat(rtkit_daemon_t)
+ ')
 diff --git a/rwho.if b/rwho.if
 index 71ea0ea..886a45e 100644
 --- a/rwho.if
@@ -52382,10 +52467,19 @@ index 905883f..564240d 100644
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
  ')
 diff --git a/sambagui.te b/sambagui.te
-index 1898dbd..fc38344 100644
+index 1898dbd..43fcb73 100644
 --- a/sambagui.te
 +++ b/sambagui.te
-@@ -27,16 +27,21 @@ corecmd_exec_bin(sambagui_t)
+@@ -7,7 +7,7 @@ policy_module(sambagui, 1.1.0)
+ 
+ type sambagui_t;
+ type sambagui_exec_t;
+-dbus_system_domain(sambagui_t, sambagui_exec_t)
++application_domain(sambagui_t, sambagui_exec_t)
+ 
+ ########################################
+ #
+@@ -27,21 +27,30 @@ corecmd_exec_bin(sambagui_t)
  
  dev_dontaudit_read_urand(sambagui_t)
  
@@ -52408,7 +52502,16 @@ index 1898dbd..fc38344 100644
  optional_policy(`
  	consoletype_exec(sambagui_t)
  ')
-@@ -56,6 +61,7 @@ optional_policy(`
+ 
+ optional_policy(`
++	dbus_system_domain(sambagui_t, sambagui_exec_t)
++')
++
++optional_policy(`
+ 	nscd_dontaudit_search_pid(sambagui_t)
+ ')
+ 
+@@ -56,6 +65,7 @@ optional_policy(`
  	samba_manage_var_files(sambagui_t)
  	samba_read_secrets(sambagui_t)
  	samba_initrc_domtrans(sambagui_t)
@@ -53416,7 +53519,7 @@ index cfe3172..3eb745d 100644
 +
  ')
 diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..d015830 100644
+index e02eb6c..8e19451 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -53454,7 +53557,7 @@ index e02eb6c..d015830 100644
  #
 -allow sanlock_t self:capability { sys_nice ipc_lock };
 -allow sanlock_t self:process { setsched signull };
-+allow sanlock_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice sys_resource };
++allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
 +allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
 +
  allow sanlock_t self:fifo_file rw_fifo_file_perms;
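Review bot: The capability set gains `kill` with no comment explaining the need; that capability lets a process bypass the kernel's UID-based permission check when signalling other processes. The `self:process { ... signal sigkill }` rule on the next line only covers sanlock's own processes, so which other domains it may signal is decided by rules outside this hunk. A why-comment above the rule, e.g. `# kill: <which processes sanlock signals across UIDs; bug id>`, would let a later reviewer judge whether the capability is still required.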
@@ -53970,18 +54073,19 @@ index 1ed6870..3f1dac5 100644
 -/var/log/sectool\.log			--	gen_context(system_u:object_r:sectool_var_log_t,s0)
 +/var/log/sectool\.log.*			--	gen_context(system_u:object_r:sectool_var_log_t,s0)
 diff --git a/sectoolm.te b/sectoolm.te
-index c8ef84b..c761721 100644
+index c8ef84b..ffa81dd 100644
 --- a/sectoolm.te
 +++ b/sectoolm.te
-@@ -8,6 +8,7 @@ policy_module(sectoolm, 1.0.0)
+@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.0)
+ 
  type sectoolm_t;
  type sectoolm_exec_t;
- dbus_system_domain(sectoolm_t, sectoolm_exec_t)
+-dbus_system_domain(sectoolm_t, sectoolm_exec_t)
 +init_daemon_domain(sectoolm_t, sectoolm_exec_t)
  
  type sectool_var_lib_t;
  files_type(sectool_var_lib_t)
-@@ -23,7 +24,7 @@ files_tmp_file(sectool_tmp_t)
+@@ -23,7 +23,7 @@ files_tmp_file(sectool_tmp_t)
  # sectool local policy
  #
  
@@ -53990,7 +54094,7 @@ index c8ef84b..c761721 100644
  allow sectoolm_t self:process { getcap getsched	signull setsched };
  dontaudit sectoolm_t self:process { execstack execmem };
  allow sectoolm_t self:fifo_file rw_fifo_file_perms;
-@@ -70,12 +71,6 @@ application_exec_all(sectoolm_t)
+@@ -70,12 +70,6 @@ application_exec_all(sectoolm_t)
  
  auth_use_nsswitch(sectoolm_t)
  
@@ -54003,13 +54107,17 @@ index c8ef84b..c761721 100644
  libs_exec_ld_so(sectoolm_t)
  
  logging_send_syslog_msg(sectoolm_t)
-@@ -84,6 +79,17 @@ logging_send_syslog_msg(sectoolm_t)
+@@ -84,6 +78,21 @@ logging_send_syslog_msg(sectoolm_t)
  sysnet_domtrans_ifconfig(sectoolm_t)
  
  userdom_manage_user_tmp_sockets(sectoolm_t)
 +userdom_dgram_send(sectoolm_t)
 +
 +optional_policy(`
++	dbus_system_domain(sectoolm_t, sectoolm_exec_t)
++')
++
++optional_policy(`
 +	# tests related to network
 +	hostname_exec(sectoolm_t)
 +')
@@ -54341,18 +54449,19 @@ index bcdd16c..039b0c8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..6bc7784 100644
+index 086cd5f..ffb516b 100644
 --- a/setroubleshoot.te
 +++ b/setroubleshoot.te
-@@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+@@ -12,7 +12,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
+ 
  type setroubleshoot_fixit_t;
  type setroubleshoot_fixit_exec_t;
- dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
+-dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
 +init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
  
  type setroubleshoot_var_lib_t;
  files_type(setroubleshoot_var_lib_t)
-@@ -30,8 +31,10 @@ files_pid_file(setroubleshoot_var_run_t)
+@@ -30,8 +30,10 @@ files_pid_file(setroubleshoot_var_run_t)
  # setroubleshootd local policy
  #
  
@@ -54364,7 +54473,7 @@ index 086cd5f..6bc7784 100644
  allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,19 +52,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
+@@ -49,19 +51,23 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
  logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
  
  # pid file
@@ -54390,7 +54499,7 @@ index 086cd5f..6bc7784 100644
  corenet_all_recvfrom_netlabel(setroubleshootd_t)
  corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
  corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
-@@ -74,17 +81,18 @@ dev_read_urand(setroubleshootd_t)
+@@ -74,17 +80,18 @@ dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
  dev_getattr_all_blk_files(setroubleshootd_t)
  dev_getattr_all_chr_files(setroubleshootd_t)
@@ -54410,7 +54519,7 @@ index 086cd5f..6bc7784 100644
  
  fs_getattr_all_dirs(setroubleshootd_t)
  fs_getattr_all_files(setroubleshootd_t)
-@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
+@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
@@ -54418,7 +54527,7 @@ index 086cd5f..6bc7784 100644
  
  term_dontaudit_use_all_ptys(setroubleshootd_t)
  term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t)
+@@ -104,6 +112,8 @@ auth_use_nsswitch(setroubleshootd_t)
  init_read_utmp(setroubleshootd_t)
  init_dontaudit_write_utmp(setroubleshootd_t)
  
@@ -54427,7 +54536,7 @@ index 086cd5f..6bc7784 100644
  miscfiles_read_localization(setroubleshootd_t)
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
-@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+@@ -112,8 +122,6 @@ logging_send_audit_msgs(setroubleshootd_t)
  logging_send_syslog_msg(setroubleshootd_t)
  logging_stream_connect_dispatcher(setroubleshootd_t)
  
@@ -54436,7 +54545,7 @@ index 086cd5f..6bc7784 100644
  seutil_read_config(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
  seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +129,23 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -54460,7 +54569,7 @@ index 086cd5f..6bc7784 100644
  	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
  	rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,10 +173,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,10 +172,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
  corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
@@ -54476,7 +54585,7 @@ index 086cd5f..6bc7784 100644
  files_list_tmp(setroubleshoot_fixit_t)
  
  auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -164,6 +190,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +189,17 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -54484,6 +54593,10 @@ index 086cd5f..6bc7784 100644
 +userdom_signull_unpriv_users(setroubleshoot_fixit_t)
 +
 +optional_policy(`
++	dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
++')
++
++optional_policy(`
 +	gnome_dontaudit_search_config(setroubleshoot_fixit_t)
 +')
 +
@@ -56816,7 +56929,7 @@ index 941380a..ff89df6 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/sssd.te b/sssd.te
-index a1b61bc..1df45e7 100644
+index a1b61bc..8fc2d2d 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -12,11 +12,15 @@ init_daemon_domain(sssd_t, sssd_exec_t)
@@ -56863,7 +56976,7 @@ index a1b61bc..1df45e7 100644
  
  manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
  logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,18 +57,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,30 +57,44 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
@@ -56889,8 +57002,12 @@ index a1b61bc..1df45e7 100644
  
  fs_list_inotifyfs(sssd_t)
  
-@@ -68,10 +84,14 @@ selinux_validate_context(sssd_t)
+ selinux_validate_context(sssd_t)
+ 
  seutil_read_file_contexts(sssd_t)
++# sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
++seutil_rw_login_config_dirs(sssd_t)
++seutil_manage_login_config_files(sssd_t)
  
  mls_file_read_to_clearance(sssd_t)
 +mls_socket_read_to_clearance(sssd_t)
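Review bot: `seutil_rw_login_config_dirs(sssd_t)` and `seutil_manage_login_config_files(sssd_t)` are granted unconditionally, so every sssd_t process may rewrite the files under the logins directory named in the added comment. sssd typically processes data from remote identity providers, so a flaw in it would now reach that SELinux login configuration. Consider wrapping the two calls in a `tunable_policy` block so that sites not using the SELinux PAM integration can leave the access off. The comment could also say what those files control.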
@@ -56905,7 +57022,7 @@ index a1b61bc..1df45e7 100644
  
  init_read_utmp(sssd_t)
  
-@@ -79,6 +99,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +102,12 @@ logging_send_syslog_msg(sssd_t)
  logging_send_audit_msgs(sssd_t)
  
  miscfiles_read_localization(sssd_t)
@@ -56918,7 +57035,7 @@ index a1b61bc..1df45e7 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -87,8 +113,17 @@ optional_policy(`
+@@ -87,8 +116,17 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
@@ -61752,7 +61869,7 @@ index 6f0736b..3e6749b 100644
 +	allow svirt_lxc_domain $1:process sigchld;
  ')
 diff --git a/virt.te b/virt.te
-index 947bbc6..d0b1ae9 100644
+index 947bbc6..eb0a7dc 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.5.0)
@@ -61975,7 +62092,17 @@ index 947bbc6..d0b1ae9 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -150,11 +231,17 @@ tunable_policy(`virt_use_fusefs',`
+@@ -143,18 +224,26 @@ tunable_policy(`virt_use_comm',`
+ ')
+ 
+ tunable_policy(`virt_use_fusefs',`
+-	fs_read_fusefs_files(svirt_t)
++	fs_manage_fusefs_dirs(svirt_t)
++	fs_manage_fusefs_files(svirt_t)
+ 	fs_read_fusefs_symlinks(svirt_t)
++	fs_getattr_fusefs(svirt_t)
+ ')
+ 
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
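Review bot: Under `virt_use_fusefs`, svirt_t goes from `fs_read_fusefs_files` to `fs_manage_fusefs_dirs` plus `fs_manage_fusefs_files`, which by the interface names turns a read-only grant into create, write and delete on FUSE mounts. That matches the `virt_use_nfs` block just below, but the boolean's description (declared outside this hunk) should be checked so that it says guests can manage, not only read, fusefs content. Sites that enabled the boolean for read-only image access get write access after the update, which deserves a line in the changelog.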
@@ -61993,7 +62120,7 @@ index 947bbc6..d0b1ae9 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -163,11 +250,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -163,11 +252,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -62022,7 +62149,7 @@ index 947bbc6..d0b1ae9 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -176,22 +280,41 @@ optional_policy(`
+@@ -176,22 +282,41 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -62071,7 +62198,7 @@ index 947bbc6..d0b1ae9 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +325,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +327,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -62106,7 +62233,7 @@ index 947bbc6..d0b1ae9 100644
  manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
  manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +357,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +359,21 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -62129,7 +62256,7 @@ index 947bbc6..d0b1ae9 100644
  corenet_all_recvfrom_netlabel(virtd_t)
  corenet_tcp_sendrecv_generic_if(virtd_t)
  corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +384,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +386,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -62163,7 +62290,7 @@ index 947bbc6..d0b1ae9 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +416,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +418,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -62182,7 +62309,7 @@ index 947bbc6..d0b1ae9 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -284,6 +442,8 @@ term_use_ptmx(virtd_t)
+@@ -284,6 +444,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -62191,7 +62318,7 @@ index 947bbc6..d0b1ae9 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +453,32 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +455,32 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -62224,7 +62351,7 @@ index 947bbc6..d0b1ae9 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +497,10 @@ optional_policy(`
+@@ -322,6 +499,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62235,7 +62362,7 @@ index 947bbc6..d0b1ae9 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -335,19 +514,30 @@ optional_policy(`
+@@ -335,19 +516,30 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -62267,7 +62394,7 @@ index 947bbc6..d0b1ae9 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -362,6 +552,12 @@ optional_policy(`
+@@ -362,6 +554,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62280,7 +62407,7 @@ index 947bbc6..d0b1ae9 100644
  	policykit_dbus_chat(virtd_t)
  	policykit_domtrans_auth(virtd_t)
  	policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +565,11 @@ optional_policy(`
+@@ -369,11 +567,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -62297,7 +62424,7 @@ index 947bbc6..d0b1ae9 100644
  ')
  
  optional_policy(`
-@@ -384,6 +580,7 @@ optional_policy(`
+@@ -384,6 +582,7 @@ optional_policy(`
  	kernel_read_xen_state(virtd_t)
  	kernel_write_xen_state(virtd_t)
  
@@ -62305,7 +62432,7 @@ index 947bbc6..d0b1ae9 100644
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
  	xen_read_image_files(virtd_t)
-@@ -403,34 +600,51 @@ optional_policy(`
+@@ -403,34 +602,51 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -62362,7 +62489,7 @@ index 947bbc6..d0b1ae9 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,10 +652,11 @@ dev_write_sound(virt_domain)
+@@ -438,10 +654,11 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -62375,7 +62502,7 @@ index 947bbc6..d0b1ae9 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -449,8 +664,16 @@ files_search_all(virt_domain)
+@@ -449,8 +666,16 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -62393,7 +62520,7 @@ index 947bbc6..d0b1ae9 100644
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
  term_use_ptmx(virt_domain)
-@@ -459,13 +682,461 @@ logging_send_syslog_msg(virt_domain)
+@@ -459,13 +684,461 @@ logging_send_syslog_msg(virt_domain)
  
  miscfiles_read_localization(virt_domain)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cea5aa0..e35ab78 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,18 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Aug 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-2
+- Add new type selinux_login_config_t for /etc/selinux/<type>/logins/
+- Additional fixes for seutil_manage_module_store()
+- dbus_system_domain() should be used with optional_policy
+- Fix svirt to be allowed to use fusefs file system
+- Allow login programs to read /run/ data created by systemd_login
+- sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
+- Fix svirt to be allowed to use fusefs file system
+- Allow piranha domain to use nsswitch
+- Sanlock needs to send Kill Signals to non root processes
+- Pulseaudio wants to execute /run/user/PID/.orc
+
 * Fri Aug 3 2012 Miroslav Grepl <mgrepl@redhat.com> 3.11.1-1
 - Fix saslauthd when it tries to read /etc/shadow
 - Label gnome-boxes as a virt homedir