diff --git a/policy-F15.patch b/policy-F15.patch
index 9844784..00dd796 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -723,7 +723,7 @@ index 56c43c0..de535e4 100644
 +/var/run/mcelog-client  -s 	gen_context(system_u:object_r:mcelog_var_run_t,s0)
 +
 diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
-index 5671977..7b4728c 100644
+index 5671977..8498ed1 100644
 --- a/policy/modules/admin/mcelog.te
 +++ b/policy/modules/admin/mcelog.te
 @@ -7,9 +7,13 @@ policy_module(mcelog, 1.1.0)
@@ -744,10 +744,10 @@ index 5671977..7b4728c 100644
  
  allow mcelog_t self:capability sys_admin;
  
-+allow mcelog_t mcelog_var_run_t:file manage_file_perms;
-+allow mcelog_t mcelog_var_run_t:sock_file manage_sock_file_perms;
-+allow mcelog_t mcelog_var_run_t:dir manage_dir_perms;
-+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
++manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
++files_pid_filetrans(mcelog_t, mcelog_var_run_t, sock_file )
 +
  kernel_read_system_state(mcelog_t)
  
@@ -1242,7 +1242,7 @@ index 47c4723..4866a08 100644
 +	domtrans_pattern($1, readahead_exec_t, readahead_t)
 +')
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index b4ac57e..c00f4d9 100644
+index b4ac57e..d3b51b7 100644
 --- a/policy/modules/admin/readahead.te
 +++ b/policy/modules/admin/readahead.te
 @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -1272,15 +1272,21 @@ index b4ac57e..c00f4d9 100644
  
  kernel_read_all_sysctls(readahead_t)
  kernel_read_system_state(readahead_t)
-@@ -53,6 +56,7 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,10 +56,13 @@ domain_read_all_domains_state(readahead_t)
  
  files_list_non_security(readahead_t)
  files_read_non_security_files(readahead_t)
 +files_dontaudit_read_security_files(readahead_t)
++files_dontaudit_write_all_files(readahead_t)
  files_create_boot_flag(readahead_t)
  files_getattr_all_pipes(readahead_t)
  files_dontaudit_getattr_all_sockets(readahead_t)
-@@ -66,12 +70,14 @@ fs_read_cgroup_files(readahead_t)
+ files_dontaudit_getattr_non_security_blk_files(readahead_t)
++files_dontaudit_all_access_check(readahead_t)
+ 
+ fs_getattr_all_fs(readahead_t)
+ fs_search_auto_mountpoints(readahead_t)
+@@ -66,12 +72,14 @@ fs_read_cgroup_files(readahead_t)
  fs_read_tmpfs_files(readahead_t)
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
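Review bot: `files_dontaudit_write_all_files(readahead_t)` silences write denials on every file_type, which hides exactly the events that would show readahead writing where it should not; the same breadth is in the interface body added in the files.if hunk (`dontaudit $1 file_type:file_class_set write;`). If the noise comes from readahead opening files read-write, a dontaudit scoped to the types it actually touches, or at least a comment naming the observed denial, would keep the audit trail useful. `files_dontaudit_all_access_check(readahead_t)`, added a few lines below, is the narrower fit for access(2) probes and may already cover the case.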
@@ -2020,7 +2026,7 @@ index 975af1a..30a7f38 100644
  		fs_manage_nfs_files($1_sudo_t)
  	')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 7aacfc2..9829fc3 100644
+index 2731fa1..3443ba2 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
 @@ -7,3 +7,7 @@ attribute sudodomain;
@@ -2108,7 +2114,7 @@ index 81fb26f..cd18ca8 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..b90d4cc 100644
+index 441cf22..89a126f 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
@@ -2122,7 +2128,18 @@ index 441cf22..b90d4cc 100644
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(chfn_t)
-@@ -194,8 +192,7 @@ selinux_compute_create_context(groupadd_t)
+@@ -118,6 +116,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+ # on user home dir
+ userdom_dontaudit_search_user_home_content(chfn_t)
+ 
++optional_policy(`
++	rssh_exec(chfn_t)
++')
++
+ ########################################
+ #
+ # Crack local policy
+@@ -194,8 +196,7 @@ selinux_compute_create_context(groupadd_t)
  selinux_compute_relabel_context(groupadd_t)
  selinux_compute_user_contexts(groupadd_t)
  
@@ -2132,7 +2149,7 @@ index 441cf22..b90d4cc 100644
  
  init_use_fds(groupadd_t)
  init_read_utmp(groupadd_t)
-@@ -291,17 +288,18 @@ selinux_compute_create_context(passwd_t)
+@@ -291,17 +292,18 @@ selinux_compute_create_context(passwd_t)
  selinux_compute_relabel_context(passwd_t)
  selinux_compute_user_contexts(passwd_t)
  
@@ -2155,7 +2172,7 @@ index 441cf22..b90d4cc 100644
  
  domain_use_interactive_fds(passwd_t)
  
-@@ -332,6 +330,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +334,7 @@ userdom_read_user_tmp_files(passwd_t)
  # user generally runs this from their home directory, so do not audit a search
  # on user home dir
  userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2163,7 +2180,7 @@ index 441cf22..b90d4cc 100644
  
  optional_policy(`
  	nscd_domtrans(passwd_t)
-@@ -381,8 +380,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +384,7 @@ dev_read_urand(sysadm_passwd_t)
  fs_getattr_xattr_fs(sysadm_passwd_t)
  fs_search_auto_mountpoints(sysadm_passwd_t)
  
@@ -2173,7 +2190,7 @@ index 441cf22..b90d4cc 100644
  
  auth_manage_shadow(sysadm_passwd_t)
  auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +424,7 @@ optional_policy(`
+@@ -426,7 +428,7 @@ optional_policy(`
  # Useradd local policy
  #
  
@@ -2182,7 +2199,7 @@ index 441cf22..b90d4cc 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -469,8 +467,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +471,7 @@ selinux_compute_create_context(useradd_t)
  selinux_compute_relabel_context(useradd_t)
  selinux_compute_user_contexts(useradd_t)
  
@@ -2192,7 +2209,7 @@ index 441cf22..b90d4cc 100644
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -498,12 +495,8 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,12 +499,8 @@ seutil_domtrans_setfiles(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -2613,15 +2630,16 @@ index 0000000..09f0673
 +/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
 new file mode 100644
-index 0000000..06ed3de
+index 0000000..ee9466f
 --- /dev/null
 +++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,111 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
 +## <summary>
-+##	Execute the execmem program in the execmem domain.
++##	Execute the execmem program
++##	in the caller domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -4918,7 +4936,7 @@ index 9a6d67d..dba7755 100644
 +')
 +
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..2b4fe93 100644
+index 2a91fa8..26f1ff3 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -5000,7 +5018,7 @@ index 2a91fa8..2b4fe93 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,176 @@ optional_policy(`
+@@ -266,3 +291,180 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -5030,6 +5048,7 @@ index 2a91fa8..2b4fe93 100644
 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
 +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
 +
 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -5083,6 +5102,8 @@ index 2a91fa8..2b4fe93 100644
 +
 +application_dontaudit_signull(mozilla_plugin_t)
 +
++auth_use_nsswitch(mozilla_plugin_t)
++
 +logging_send_syslog_msg(mozilla_plugin_t)
 +
 +miscfiles_read_localization(mozilla_plugin_t)
@@ -5101,6 +5122,7 @@ index 2a91fa8..2b4fe93 100644
 +userdom_dontaudit_use_user_ptys(mozilla_plugin_t)
 +userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
 +userdom_manage_user_tmp_sockets(mozilla_plugin_t)
++userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
 +
 +userdom_list_user_tmp(mozilla_plugin_t)
 +userdom_manage_user_tmp_dirs(mozilla_plugin_t)
@@ -6679,10 +6701,36 @@ index 4c091ca..a58f123 100644
 +
 +/usr/libexec/rssh_chroot_helper		--	gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
 diff --git a/policy/modules/apps/rssh.if b/policy/modules/apps/rssh.if
-index 7cdac1e..6f9f6e6 100644
+index 7cdac1e..8b920c8 100644
 --- a/policy/modules/apps/rssh.if
 +++ b/policy/modules/apps/rssh.if
-@@ -64,3 +64,21 @@ interface(`rssh_read_ro_content',`
+@@ -2,6 +2,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute the rssh program
++##	in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rssh_exec',`
++	gen_require(`
++		type rssh_exec_t;
++	')
++
++	can_exec($1, rssh_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Role access for rssh
+ ## </summary>
+ ## <param name="role">
+@@ -64,3 +83,21 @@ interface(`rssh_read_ro_content',`
  	read_files_pattern($1, rssh_ro_t, rssh_ro_t)
  	read_lnk_files_pattern($1, rssh_ro_t, rssh_ro_t)
  ')
@@ -9115,7 +9163,7 @@ index 0757523..791a227 100644
 +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
  allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 3b2da10..cb1a128 100644
+index 8ac94e4..c02f095 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -18,6 +18,7 @@
@@ -9134,7 +9182,7 @@ index 3b2da10..cb1a128 100644
  /dev/pts(/.*)?			<<none>>
  
  /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -176,13 +178,12 @@ ifdef(`distro_suse', `
+@@ -178,13 +180,12 @@ ifdef(`distro_suse', `
  
  /etc/udev/devices	-d	gen_context(system_u:object_r:device_t,s0)
  
@@ -9150,7 +9198,7 @@ index 3b2da10..cb1a128 100644
  
  ifdef(`distro_redhat',`
  # originally from named.fc
-@@ -191,3 +192,8 @@ ifdef(`distro_redhat',`
+@@ -193,3 +194,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -9160,7 +9208,7 @@ index 3b2da10..cb1a128 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index efaf808..79e4ff3 100644
+index efaf808..321f9ad 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,8 +146,8 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -9174,7 +9222,32 @@ index efaf808..79e4ff3 100644
  	relabel_blk_files_pattern($1, device_t, { device_t device_node })
  	relabel_chr_files_pattern($1, device_t, { device_t device_node })
  ')
-@@ -336,6 +336,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
+@@ -209,6 +209,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit attempts to list all device nodes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`dev_dontaudit_all_access_check',`
++	gen_require(`
++		attribute device_node;
++	')
++
++	dontaudit $1 device_node:file_class_set audit_access;
++')
++
++########################################
++## <summary>
+ ##	Add entries to directories in /dev.
+ ## </summary>
+ ## <param name="domain">
+@@ -336,6 +354,24 @@ interface(`dev_dontaudit_getattr_generic_files',`
  
  ########################################
  ## <summary>
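Review bot: The summary on the new dev_dontaudit_all_access_check interface says "Dontaudit attempts to list all device nodes", but the rule is `dontaudit $1 device_node:file_class_set audit_access;`, which suppresses access(2)-style permission checks, not directory listing. Suggest `##	Do not audit access checks (audit_access) on all device nodes.` so callers do not pick it for list denials. The matching files_dontaudit_all_access_check interface added later in this patch has a similar summary/rule mismatch.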
@@ -9199,7 +9272,7 @@ index efaf808..79e4ff3 100644
  ##	Read and write generic files in /dev.
  ## </summary>
  ## <param name="domain">
-@@ -516,6 +534,24 @@ interface(`dev_getattr_generic_chr_files',`
+@@ -516,6 +552,24 @@ interface(`dev_getattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -9224,7 +9297,7 @@ index efaf808..79e4ff3 100644
  ##	Dontaudit getattr for generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -552,6 +588,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
+@@ -552,6 +606,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -9249,7 +9322,7 @@ index efaf808..79e4ff3 100644
  ##	Read and write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -570,6 +624,24 @@ interface(`dev_rw_generic_chr_files',`
+@@ -570,6 +642,24 @@ interface(`dev_rw_generic_chr_files',`
  
  ########################################
  ## <summary>
@@ -9274,7 +9347,7 @@ index efaf808..79e4ff3 100644
  ##	Dontaudit attempts to read/write generic character device files.
  ## </summary>
  ## <param name="domain">
-@@ -679,6 +751,24 @@ interface(`dev_delete_generic_symlinks',`
+@@ -679,6 +769,24 @@ interface(`dev_delete_generic_symlinks',`
  
  ########################################
  ## <summary>
@@ -9299,7 +9372,7 @@ index efaf808..79e4ff3 100644
  ##	Create, delete, read, and write symbolic links in device directories.
  ## </summary>
  ## <param name="domain">
-@@ -1088,6 +1178,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1088,6 +1196,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -9342,7 +9415,7 @@ index efaf808..79e4ff3 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1350,6 +1476,24 @@ interface(`dev_getattr_autofs_dev',`
+@@ -1350,6 +1494,24 @@ interface(`dev_getattr_autofs_dev',`
  
  ########################################
  ## <summary>
@@ -9367,7 +9440,7 @@ index efaf808..79e4ff3 100644
  ##	Do not audit attempts to get the attributes of
  ##	the autofs device node.
  ## </summary>
-@@ -1597,6 +1741,24 @@ interface(`dev_rw_cpu_microcode',`
+@@ -1597,6 +1759,24 @@ interface(`dev_rw_cpu_microcode',`
  
  ########################################
  ## <summary>
@@ -9392,7 +9465,7 @@ index efaf808..79e4ff3 100644
  ##	Read and write the the hardware SSL accelerator.
  ## </summary>
  ## <param name="domain">
-@@ -1979,6 +2141,24 @@ interface(`dev_read_kmsg',`
+@@ -1979,6 +2159,24 @@ interface(`dev_read_kmsg',`
  
  ########################################
  ## <summary>
@@ -9417,7 +9490,7 @@ index efaf808..79e4ff3 100644
  ##	Write to the kernel messages device
  ## </summary>
  ## <param name="domain">
-@@ -3048,24 +3228,6 @@ interface(`dev_rw_printer',`
+@@ -3048,24 +3246,6 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -9442,7 +9515,7 @@ index efaf808..79e4ff3 100644
  ##	Get the attributes of the QEMU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -3613,6 +3775,24 @@ interface(`dev_manage_smartcard',`
+@@ -3613,6 +3793,24 @@ interface(`dev_manage_smartcard',`
  
  ########################################
  ## <summary>
@@ -9467,7 +9540,7 @@ index efaf808..79e4ff3 100644
  ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3773,6 +3953,24 @@ interface(`dev_rw_sysfs',`
+@@ -3773,6 +3971,24 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -9492,7 +9565,7 @@ index efaf808..79e4ff3 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -3960,6 +4158,24 @@ interface(`dev_read_usbmon_dev',`
+@@ -3960,6 +4176,24 @@ interface(`dev_read_usbmon_dev',`
  
  ########################################
  ## <summary>
@@ -9517,7 +9590,7 @@ index efaf808..79e4ff3 100644
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4270,11 +4486,10 @@ interface(`dev_write_video_dev',`
+@@ -4270,11 +4504,10 @@ interface(`dev_write_video_dev',`
  #
  interface(`dev_rw_vhost',`
  	gen_require(`
@@ -9532,7 +9605,7 @@ index efaf808..79e4ff3 100644
  
  ########################################
 diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 41f892f..5ce9978 100644
+index c03e21b..2942d8d 100644
 --- a/policy/modules/kernel/devices.te
 +++ b/policy/modules/kernel/devices.te
 @@ -56,6 +56,12 @@ dev_node(clock_device_t)
@@ -9660,7 +9733,7 @@ index aad8c52..6ac24b0 100644
 +	dontaudit $1 domain:socket_class_set { read write };
 +')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index bc534c1..778d512 100644
+index bc534c1..2a6b5e1 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.0)
@@ -9753,7 +9826,7 @@ index bc534c1..778d512 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +197,81 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,85 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -9819,6 +9892,10 @@ index bc534c1..778d512 100644
 +')
 +
 +optional_policy(`
++	ipsec_match_default_spd(domain)
++')
++
++optional_policy(`
 +	ifdef(`hide_broken_symptoms',`
 +		afs_rw_udp_sockets(domain)
 +	')
@@ -9943,7 +10020,7 @@ index 3517db2..f798a69 100644
 +
 +/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ed203b2..d38c240 100644
+index ed203b2..45fe4f9 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -10244,7 +10321,7 @@ index ed203b2..d38c240 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -3729,6 +3935,100 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3935,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -10257,7 +10334,6 @@ index ed203b2..d38c240 100644
 +##  Domain allowed access.
 +##  </summary>
 +## </param>
-+## <rolecap/>
 +#
 +interface(`files_read_system_conf_files',`
 +    gen_require(`
@@ -10345,7 +10421,7 @@ index ed203b2..d38c240 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3914,6 +4214,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,6 +4213,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -10378,7 +10454,7 @@ index ed203b2..d38c240 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3968,7 +4294,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4293,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -10387,7 +10463,7 @@ index ed203b2..d38c240 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3976,17 +4302,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3976,17 +4301,17 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -10409,7 +10485,7 @@ index ed203b2..d38c240 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3994,74 +4320,77 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -3994,74 +4319,77 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -10505,7 +10581,7 @@ index ed203b2..d38c240 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4069,22 +4398,97 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+@@ -4069,25 +4397,100 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -10530,8 +10606,9 @@ index ed203b2..d38c240 100644
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain not to audit.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +#
 +interface(`files_dontaudit_getattr_all_tmp_files',`
 +	gen_require(`
@@ -10605,10 +10682,13 @@ index ed203b2..d38c240 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
+ ##	<summary>
+ ##	The type of the object to be created.
  ##	</summary>
- ## </param>
- ## <param name="private type">
-@@ -4127,6 +4531,13 @@ interface(`files_purge_tmp',`
+@@ -4127,6 +4530,13 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -10622,7 +10702,7 @@ index ed203b2..d38c240 100644
  ')
  
  ########################################
-@@ -4736,6 +5147,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5146,24 @@ interface(`files_read_var_files',`
  
  ########################################
  ## <summary>
@@ -10647,7 +10727,7 @@ index ed203b2..d38c240 100644
  ##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
-@@ -5071,6 +5500,24 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5499,24 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -10672,7 +10752,7 @@ index ed203b2..d38c240 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5156,12 +5603,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5602,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -10689,7 +10769,7 @@ index ed203b2..d38c240 100644
  ')
  
  ########################################
-@@ -5207,6 +5654,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5653,27 @@ interface(`files_delete_all_locks',`
  
  ########################################
  ## <summary>
@@ -10717,7 +10797,7 @@ index ed203b2..d38c240 100644
  ##	Read all lock files.
  ## </summary>
  ## <param name="domain">
-@@ -5335,6 +5803,43 @@ interface(`files_search_pids',`
+@@ -5335,6 +5802,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -10761,7 +10841,7 @@ index ed203b2..d38c240 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5542,6 +6047,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6046,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -10824,7 +10904,7 @@ index ed203b2..d38c240 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5559,6 +6120,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6119,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -10869,7 +10949,7 @@ index ed203b2..d38c240 100644
  ')
  
  ########################################
-@@ -5844,3 +6443,247 @@ interface(`files_unconfined',`
+@@ -5844,3 +6442,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -11117,6 +11197,43 @@ index ed203b2..d38c240 100644
 +
 +	allow $1 file_type:kernel_service create_files_as;
 +')
++
++########################################
++## <summary>
++##	Do not audit attempts to check the 
++##	write access on all files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_all_access_check',`
++	gen_require(`
++		attribute file_type;
++	')
++
++	dontaudit $1 file_type:file_class_set audit_access;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write to all files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_all_files',`
++	gen_require(`
++		attribute file_type;
++	')
++
++	dontaudit $1 file_type:file_class_set write;
++')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index e8a6b1d..fd53860 100644
 --- a/policy/modules/kernel/files.te
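Review bot: The summary for files_dontaudit_all_access_check says "check the write access on all files", but `dontaudit $1 file_type:file_class_set audit_access;` suppresses access(2) checks for any mode, not only write; suggest `##	Do not audit access checks (audit_access) on all files.`. The line `##	Do not audit attempts to check the ` also carries trailing whitespace. files_dontaudit_write_all_files is a very broad suppression; its summary could say that it hides genuine write denials on every file type so callers reach for it only as a last resort.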
@@ -15248,10 +15365,10 @@ index 0000000..8e6e2c3
 +')
 diff --git a/policy/modules/services/ajaxterm.te b/policy/modules/services/ajaxterm.te
 new file mode 100644
-index 0000000..cee49e3
+index 0000000..ffdcad1
 --- /dev/null
 +++ b/policy/modules/services/ajaxterm.te
-@@ -0,0 +1,54 @@
+@@ -0,0 +1,59 @@
 +policy_module(ajaxterm, 1.0.0)
 +
 +########################################
@@ -15277,7 +15394,7 @@ index 0000000..cee49e3
 +# ajaxterm local policy
 +#
 +allow ajaxterm_t self:capability setuid;
-+allow ajaxterm_t self:process setpgid;
++allow ajaxterm_t self:process { setpgid signal };
 +allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
 +allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
 +allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
@@ -15306,6 +15423,11 @@ index 0000000..cee49e3
 +miscfiles_read_localization(ajaxterm_t)
 +
 +sysnet_dns_name_resolve(ajaxterm_t)
++
++optional_policy(`
++	ssh_domtrans(ajaxterm_t)
++')
++
 diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
 index ceb2142..e31d92a 100644
 --- a/policy/modules/services/amavis.if
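Review bot: The new optional_policy block leaves a trailing empty line at the end of ajaxterm.te (the final `+` line after `')`), which the other .te files in this patch do not have; drop it so the file ends at the closing `')`. Everything else in the hunk is a plain interface call and reads fine.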
@@ -15424,7 +15546,7 @@ index 9e39aa5..7ba3b11 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index c9e1a44..1a1ba36 100644
+index 6480167..504ec33 100644
 --- a/policy/modules/services/apache.if
 +++ b/policy/modules/services/apache.if
 @@ -13,17 +13,13 @@
@@ -15579,7 +15701,7 @@ index c9e1a44..1a1ba36 100644
  	')
  
  	optional_policy(`
-@@ -211,16 +201,15 @@ template(`apache_content_template',`
+@@ -211,14 +201,15 @@ template(`apache_content_template',`
  interface(`apache_role',`
  	gen_require(`
  		attribute httpdcontent;
@@ -15592,14 +15714,14 @@ index c9e1a44..1a1ba36 100644
  
  	role $1 types httpd_user_script_t;
  
- 	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
- 
 -	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
++	allow $2 httpd_user_content_t:{ dir file lnk_file } { relabelto relabelfrom };
++
 +	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
  
- 	manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
- 	manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
-@@ -229,6 +218,13 @@ interface(`apache_role',`
+ 	manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
+ 	manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
+@@ -234,6 +225,13 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  	relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
  
@@ -15613,7 +15735,7 @@ index c9e1a44..1a1ba36 100644
  	manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
  	manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -243,6 +239,8 @@ interface(`apache_role',`
+@@ -248,6 +246,8 @@ interface(`apache_role',`
  	relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  	relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
  
@@ -15622,7 +15744,7 @@ index c9e1a44..1a1ba36 100644
  	tunable_policy(`httpd_enable_cgi',`
  		# If a user starts a script by hand it gets the proper context
  		domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -312,6 +310,25 @@ interface(`apache_domtrans',`
+@@ -317,6 +317,25 @@ interface(`apache_domtrans',`
  	domtrans_pattern($1, httpd_exec_t, httpd_t)
  ')
  
@@ -15648,7 +15770,7 @@ index c9e1a44..1a1ba36 100644
  #######################################
  ## <summary>
  ##	Send a generic signal to apache.
-@@ -400,7 +417,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -405,7 +424,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
  		type httpd_t;
  	')
  
@@ -15657,7 +15779,7 @@ index c9e1a44..1a1ba36 100644
  ')
  
  ########################################
-@@ -482,7 +499,7 @@ interface(`apache_setattr_cache_dirs',`
+@@ -487,7 +506,7 @@ interface(`apache_setattr_cache_dirs',`
  		type httpd_cache_t;
  	')
  
@@ -15666,7 +15788,7 @@ index c9e1a44..1a1ba36 100644
  ')
  
  ########################################
-@@ -526,6 +543,25 @@ interface(`apache_rw_cache_files',`
+@@ -531,6 +550,25 @@ interface(`apache_rw_cache_files',`
  ########################################
  ## <summary>
  ##	Allow the specified domain to delete
@@ -15692,7 +15814,7 @@ index c9e1a44..1a1ba36 100644
  ##	Apache cache.
  ## </summary>
  ## <param name="domain">
-@@ -544,6 +580,26 @@ interface(`apache_delete_cache_files',`
+@@ -549,6 +587,26 @@ interface(`apache_delete_cache_files',`
  
  ########################################
  ## <summary>
@@ -15719,7 +15841,7 @@ index c9e1a44..1a1ba36 100644
  ##	Allow the specified domain to read
  ##	apache configuration files.
  ## </summary>
-@@ -694,7 +750,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -699,7 +757,7 @@ interface(`apache_dontaudit_append_log',`
  		type httpd_log_t;
  	')
  
@@ -15728,7 +15850,7 @@ index c9e1a44..1a1ba36 100644
  ')
  
  ########################################
-@@ -740,6 +796,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -745,6 +803,25 @@ interface(`apache_dontaudit_search_modules',`
  
  ########################################
  ## <summary>
@@ -15754,7 +15876,7 @@ index c9e1a44..1a1ba36 100644
  ##	Allow the specified domain to list
  ##	the contents of the apache modules
  ##	directory.
-@@ -756,6 +831,7 @@ interface(`apache_list_modules',`
+@@ -761,6 +838,7 @@ interface(`apache_list_modules',`
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -15762,7 +15884,7 @@ index c9e1a44..1a1ba36 100644
  ')
  
  ########################################
-@@ -814,6 +890,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +897,7 @@ interface(`apache_list_sys_content',`
  	')
  
  	list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -15770,7 +15892,7 @@ index c9e1a44..1a1ba36 100644
  	files_search_var($1)
  ')
  
-@@ -841,6 +918,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +925,74 @@ interface(`apache_manage_sys_content',`
  	manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
  ')
  
@@ -15845,7 +15967,7 @@ index c9e1a44..1a1ba36 100644
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -857,7 +1002,11 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1009,11 @@ interface(`apache_manage_sys_content',`
  interface(`apache_domtrans_sys_script',`
  	gen_require(`
  		attribute httpdcontent;
@@ -15858,7 +15980,7 @@ index c9e1a44..1a1ba36 100644
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -916,9 +1065,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1072,10 @@ interface(`apache_domtrans_all_scripts',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -15870,7 +15992,7 @@ index c9e1a44..1a1ba36 100644
  #
  interface(`apache_run_all_scripts',`
  	gen_require(`
-@@ -945,7 +1095,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1102,7 @@ interface(`apache_read_squirrelmail_data',`
  		type httpd_squirrelmail_t;
  	')
  
@@ -15879,7 +16001,7 @@ index c9e1a44..1a1ba36 100644
  ')
  
  ########################################
-@@ -1086,6 +1236,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1243,25 @@ interface(`apache_read_tmp_files',`
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -15905,7 +16027,7 @@ index c9e1a44..1a1ba36 100644
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1271,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1278,7 @@ interface(`apache_dontaudit_write_tmp_files',`
  		type httpd_tmp_t;
  	')
  
@@ -15914,7 +16036,7 @@ index c9e1a44..1a1ba36 100644
  ')
  
  ########################################
-@@ -1165,17 +1334,14 @@ interface(`apache_cgi_domain',`
+@@ -1170,17 +1341,14 @@ interface(`apache_cgi_domain',`
  #
  interface(`apache_admin',`
  	gen_require(`
@@ -15936,7 +16058,7 @@ index c9e1a44..1a1ba36 100644
  	ps_process_pattern($1, httpd_t)
  
  	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1186,10 +1352,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1359,10 @@ interface(`apache_admin',`
  	apache_manage_all_content($1)
  	miscfiles_manage_public_files($1)
  
@@ -15949,7 +16071,7 @@ index c9e1a44..1a1ba36 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1200,14 +1366,43 @@ interface(`apache_admin',`
+@@ -1205,14 +1373,43 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -15999,10 +16121,10 @@ index c9e1a44..1a1ba36 100644
 +	dontaudit $1 httpd_tmp_t:file { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..61f340d 100644
+index 3136c6a..9c0dab5 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
+@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -16950,7 +17072,7 @@ index 1ea99b2..49e6c74 100644
 +	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..62bc936 100644
+index 1c8c27e..5fbd9b3 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -16969,15 +17091,16 @@ index 1c8c27e..62bc936 100644
  allow apmd_t self:unix_dgram_socket create_socket_perms;
  allow apmd_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -81,6 +83,7 @@ kernel_rw_all_sysctls(apmd_t)
+@@ -81,6 +83,8 @@ kernel_rw_all_sysctls(apmd_t)
  kernel_read_system_state(apmd_t)
  kernel_write_proc_files(apmd_t)
  
 +dev_read_input(apmd_t)
++dev_read_mouse(apmd_t)
  dev_read_realtime_clock(apmd_t)
  dev_read_urand(apmd_t)
  dev_rw_apm_bios(apmd_t)
-@@ -142,9 +145,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +146,8 @@ ifdef(`distro_redhat',`
  
  	can_exec(apmd_t, apmd_var_run_t)
  
@@ -16988,7 +17111,7 @@ index 1c8c27e..62bc936 100644
  	')
  
  	optional_policy(`
-@@ -155,6 +157,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +158,15 @@ ifdef(`distro_redhat',`
  		netutils_domtrans(apmd_t)
  	')
  
@@ -18544,7 +18667,7 @@ index d020c93..e5cbcef 100644
  	cgroup_initrc_domtrans_cgconfig($1)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te
-index 8ca2333..460f4fd 100644
+index 8ca2333..8b8aa15 100644
 --- a/policy/modules/services/cgroup.te
 +++ b/policy/modules/services/cgroup.te
 @@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t)
@@ -18598,7 +18721,7 @@ index 8ca2333..460f4fd 100644
  #
  
 -allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown net_admin sys_admin sys_ptrace dac_override };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
  allow cgred_t self:netlink_socket { write bind create read };
  allow cgred_t self:unix_dgram_socket { write create connect };
  
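Review bot: The `fsetid` capability added to the `allow cgred_t self:capability` line is granted with no comment, and in refpolicy this capability is almost always an audit side effect of chmod()/chown() on a file that happens to carry set-id bits rather than something the daemon actually needs. Unless cgred really has to preserve setuid/setgid bits on the cgroup files it relabels, the conventional handling is a separate `dontaudit cgred_t self:capability fsetid;` and leaving the allow list at `{ chown net_admin sys_admin sys_ptrace dac_override }`. If the bit is genuinely required, a one-line comment naming the operation (presumably the cgrules chown/chmod path, but that is inferred) would keep the next reviewer from asking the same question.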
@@ -19143,10 +19266,10 @@ index 0000000..756ac91
 +')
 diff --git a/policy/modules/services/cmirrord.te b/policy/modules/services/cmirrord.te
 new file mode 100644
-index 0000000..a2c7134
+index 0000000..6897361
 --- /dev/null
 +++ b/policy/modules/services/cmirrord.te
-@@ -0,0 +1,53 @@
+@@ -0,0 +1,57 @@
 +policy_module(cmirrord, 1.0.0)
 +
 +########################################
@@ -19174,7 +19297,7 @@ index 0000000..a2c7134
 +
 +allow cmirrord_t self:capability { net_admin kill };
 +dontaudit cmirrord_t self:capability sys_tty_config;
-+allow cmirrord_t self:process signal;
++allow cmirrord_t self:process { setfscreate signal};
 +allow cmirrord_t self:fifo_file rw_fifo_file_perms;
 +allow cmirrord_t self:sem create_sem_perms;
 +allow cmirrord_t self:shm create_shm_perms;
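Review bot: `{ setfscreate signal}` on the cmirrord_t process line is missing the space before the closing brace that every other permission set in this module uses (`{ net_admin kill }` two lines above); write it `{ setfscreate signal }`. Beyond style, setfscreate lets the daemon choose the SELinux type of objects it creates, which is a label-selection privilege normally reserved for relabeling tools, so it deserves a why-comment — presumably libdevmapper setting the fscreate context from file_contexts when it creates device nodes, given the `seutil_read_file_contexts` added further down in the same file, but that is inferred and should be confirmed. The cmirrord_t local-policy section continues past this hunk.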
@@ -19193,6 +19316,10 @@ index 0000000..a2c7134
 +
 +files_read_etc_files(cmirrord_t)
 +
++storage_create_fixed_disk_dev(cmirrord_t)
++
++seutil_read_file_contexts(cmirrord_t)
++
 +logging_send_syslog_msg(cmirrord_t)
 +
 +miscfiles_read_localization(cmirrord_t)
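Review bot: `storage_create_fixed_disk_dev(cmirrord_t)` lets a mirror-log daemon create block device nodes of type fixed_disk_device_t, i.e. raw disk nodes, which is one of the more powerful grants available to a device-mapper-adjacent domain, and nothing in the hunk says why cmirrord must create them rather than open the ones udev/lvm provide. A comment such as `# cmirrord creates the dm node for the mirror log device via libdevmapper` (once confirmed; the adjacent `seutil_read_file_contexts` suggests libdevmapper is labelling the node it creates, but that is inferred) would make the grant auditable. Note also that, as I recall the interface, it grants only create/getattr/open plus the dev filetrans, so if cmirrord also reads or writes the node the rw half will show up as a separate denial and should be added deliberately rather than by widening this call.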
@@ -20343,7 +20470,7 @@ index 35241ed..b6402c9 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f35b243..c6b63be 100644
+index f35b243..8296aaa 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -20481,8 +20608,17 @@ index f35b243..c6b63be 100644
  
  files_read_usr_files(crond_t)
  files_read_etc_runtime_files(crond_t)
-@@ -208,7 +224,9 @@ init_spec_domtrans_script(crond_t)
+@@ -203,12 +219,18 @@ files_list_usr(crond_t)
+ files_search_var_lib(crond_t)
+ files_search_default(crond_t)
+ 
++fs_manage_cgroup_dirs(crond_t)
++fs_manage_cgroup_files(crond_t)
++
+ init_rw_utmp(crond_t)
+ init_spec_domtrans_script(crond_t)
  
++auth_manage_var_auth(crond_t)
  auth_use_nsswitch(crond_t)
  
 +logging_send_audit_msgs(crond_t)
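Review bot: `auth_manage_var_auth(crond_t)` grants full manage (create, write, unlink, rename) over var_auth_t — the faillog/tallylog/lastlog and faillock state that login programs maintain — with no comment, and the neighbouring `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` additions are equally unexplained. If these exist for PAM session modules in the cron stack (pam_tally2/pam_faillock and a cgroup-classifying module would fit, but that is inferred), say so above the respective lines: `# pam_faillock/pam_tally2 in the crond PAM stack` and `# PAM session module places jobs into cgroups`. It is also worth checking whether crond_t is already an `auth_login_pgm_domain` or uses `auth_domtrans_chk_passwd` elsewhere in this module, since the former already carries var_auth access and would make this line redundant; the crond_t policy continues beyond this hunk.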
@@ -20491,7 +20627,7 @@ index f35b243..c6b63be 100644
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -219,8 +237,10 @@ miscfiles_read_localization(crond_t)
+@@ -219,8 +241,10 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -20502,7 +20638,7 @@ index f35b243..c6b63be 100644
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -232,7 +252,7 @@ ifdef(`distro_debian',`
+@@ -232,7 +256,7 @@ ifdef(`distro_debian',`
  	')
  ')
  
@@ -20511,7 +20647,7 @@ index f35b243..c6b63be 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -240,16 +260,39 @@ ifdef(`distro_redhat', `
+@@ -240,16 +264,39 @@ ifdef(`distro_redhat', `
  	')
  ')
  
@@ -20552,7 +20688,7 @@ index f35b243..c6b63be 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -259,6 +302,8 @@ optional_policy(`
+@@ -259,6 +306,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -20561,7 +20697,7 @@ index f35b243..c6b63be 100644
  ')
  
  optional_policy(`
-@@ -284,12 +329,18 @@ optional_policy(`
+@@ -284,12 +333,18 @@ optional_policy(`
  	udev_read_db(crond_t)
  ')
  
@@ -20580,7 +20716,7 @@ index f35b243..c6b63be 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -301,10 +352,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -301,10 +356,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -20601,7 +20737,7 @@ index f35b243..c6b63be 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -324,6 +384,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -324,6 +388,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -20609,7 +20745,7 @@ index f35b243..c6b63be 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -335,9 +396,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -335,9 +400,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -20624,7 +20760,7 @@ index f35b243..c6b63be 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -360,6 +425,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -360,6 +429,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -20632,7 +20768,7 @@ index f35b243..c6b63be 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -386,6 +452,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -386,6 +456,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -20640,7 +20776,7 @@ index f35b243..c6b63be 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -408,8 +475,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -408,8 +479,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -20652,7 +20788,7 @@ index f35b243..c6b63be 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -434,6 +503,8 @@ optional_policy(`
+@@ -434,6 +507,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -20661,7 +20797,7 @@ index f35b243..c6b63be 100644
  ')
  
  optional_policy(`
-@@ -441,6 +512,14 @@ optional_policy(`
+@@ -441,6 +516,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20676,7 +20812,7 @@ index f35b243..c6b63be 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -451,15 +530,24 @@ optional_policy(`
+@@ -451,15 +534,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20701,7 +20837,7 @@ index f35b243..c6b63be 100644
  ')
  
  optional_policy(`
-@@ -475,7 +563,7 @@ optional_policy(`
+@@ -475,7 +567,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -20710,7 +20846,7 @@ index f35b243..c6b63be 100644
  ')
  
  optional_policy(`
-@@ -490,6 +578,7 @@ optional_policy(`
+@@ -490,6 +582,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -20718,7 +20854,7 @@ index f35b243..c6b63be 100644
  ')
  
  optional_policy(`
-@@ -497,7 +586,13 @@ optional_policy(`
+@@ -497,7 +590,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20732,7 +20868,7 @@ index f35b243..c6b63be 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -590,9 +685,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -590,9 +689,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -24761,7 +24897,7 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..d1c4458 100644
+index 4fde46b..9507bbb 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
 @@ -19,7 +19,10 @@ allow gnomeclock_t self:process { getattr getsched };
@@ -24784,7 +24920,7 @@ index 4fde46b..d1c4458 100644
 +
 +optional_policy(`
 +	ntp_initrc_domtrans(gnomeclock_t)
-+	init_getattr_all_script_files(gnomeclock_t)
++	init_dontaudit_getattr_all_script_files(gnomeclock_t)
 +')
 +
 +optional_policy(`
@@ -26062,7 +26198,7 @@ index 0000000..6134ef2
 +')
 diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te
 new file mode 100644
-index 0000000..a2bf9c3
+index 0000000..045207f
 --- /dev/null
 +++ b/policy/modules/services/keyboardd.te
 @@ -0,0 +1,28 @@
@@ -26088,7 +26224,7 @@ index 0000000..a2bf9c3
 +allow keyboardd_t self:fifo_file rw_fifo_file_perms;
 +allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
 +
-+files_rw_etc_runtime_files(keyboardd_t)
++files_manage_etc_runtime_files(keyboardd_t)
 +files_etc_filetrans_etc_runtime(keyboardd_t, file)
 +
 +files_read_etc_files(keyboardd_t)
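Review bot: Widening `files_rw_etc_runtime_files` to `files_manage_etc_runtime_files(keyboardd_t)` lets keyboardd create, rename and delete any etc_runtime_t file — a type that in refpolicy also labels files such as /etc/mtab, /etc/nologin and /etc/motd — when the daemon presumably only needs to rewrite one keyboard-state file. The least-privilege shape is a private type, `type keyboardd_etc_rw_t; files_config_file(keyboardd_etc_rw_t)`, with `manage_files_pattern(keyboardd_t, keyboardd_etc_rw_t, keyboardd_etc_rw_t)` and a `files_etc_filetrans(keyboardd_t, keyboardd_etc_rw_t, file)` (named, if this policy version supports named transitions) plus an fc entry, in place of the generic `files_etc_filetrans_etc_runtime`. If the target really must stay etc_runtime_t because another domain shares it, a comment naming the file would at least bound the grant for the next reviewer.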
@@ -26571,10 +26707,10 @@ index 67c7fdd..84b7626 100644
  	files_list_var_lib(mailman_$1_t)
  	files_read_var_lib_symlinks(mailman_$1_t)
 diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
-index af4d572..96e3c80 100644
+index af4d572..0fd2357 100644
 --- a/policy/modules/services/mailman.te
 +++ b/policy/modules/services/mailman.te
-@@ -61,9 +61,9 @@ optional_policy(`
+@@ -61,14 +61,18 @@ optional_policy(`
  # Mailman mail local policy
  #
  
@@ -26586,7 +26722,16 @@ index af4d572..96e3c80 100644
  
  manage_dirs_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
  manage_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
-@@ -81,6 +81,10 @@ optional_policy(`
+ manage_lnk_files_pattern(mailman_mail_t, mailman_archive_t, mailman_archive_t)
+ 
++# make NNTP gateway working
++corenet_tcp_connect_innd_port(mailman_mail_t)
++corenet_tcp_connect_spamd_port(mailman_mail_t)
++
+ files_search_spool(mailman_mail_t)
+ 
+ fs_rw_anon_inodefs_files(mailman_mail_t)
+@@ -81,6 +85,10 @@ optional_policy(`
  ')
  
  optional_policy(`
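Review bot: The comment `# make NNTP gateway working` above the two new corenet rules only explains `corenet_tcp_connect_innd_port`; `corenet_tcp_connect_spamd_port(mailman_mail_t)` has nothing to do with NNTP and is left unexplained, so a reader will assume it was pasted in by mistake. Give it its own comment, e.g. `# mailman_mail_t hands incoming posts to spamd for scoring` (if that is indeed the reason), and consider wrapping the spamd connection in an `optional_policy()` block, which this file already uses for the cron interaction a few lines below, since not every mailman deployment runs spamd. The mailman_mail_t section continues beyond this hunk.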
@@ -26597,7 +26742,16 @@ index af4d572..96e3c80 100644
  	cron_read_pipes(mailman_mail_t)
  ')
  
-@@ -125,4 +129,4 @@ optional_policy(`
+@@ -104,6 +112,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+ 
+ kernel_read_proc_symlinks(mailman_queue_t)
+ 
++corenet_tcp_connect_innd_port(mailman_queue_t)
++
+ auth_domtrans_chk_passwd(mailman_queue_t)
+ 
+ files_dontaudit_search_pids(mailman_queue_t)
+@@ -125,4 +135,4 @@ optional_policy(`
  
  optional_policy(`
  	su_exec(mailman_queue_t)
@@ -38081,7 +38235,7 @@ index 22adaca..2cfaf93 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..7230490 100644
+index 2dad3c8..9a289e2 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -38176,7 +38330,7 @@ index 2dad3c8..7230490 100644
  manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
  manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -113,6 +114,7 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -113,20 +114,23 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
@@ -38184,7 +38338,12 @@ index 2dad3c8..7230490 100644
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -124,9 +126,10 @@ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
+ 
+ allow ssh_t sshd_t:unix_stream_socket connectto;
++allow ssh_t sshd_t:peer recv;
+ 
+ # ssh client can manage the keys and config
+ manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  
  # ssh servers can read the user keys and config
@@ -38198,7 +38357,7 @@ index 2dad3c8..7230490 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,6 +141,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,6 +142,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -38207,7 +38366,7 @@ index 2dad3c8..7230490 100644
  
  dev_read_urand(ssh_t)
  
-@@ -162,6 +167,7 @@ logging_read_generic_logs(ssh_t)
+@@ -162,6 +168,7 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -38215,7 +38374,7 @@ index 2dad3c8..7230490 100644
  
  seutil_read_config(ssh_t)
  
-@@ -169,14 +175,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -169,14 +176,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -38239,7 +38398,7 @@ index 2dad3c8..7230490 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +210,57 @@ optional_policy(`
+@@ -200,6 +211,57 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -38297,7 +38456,7 @@ index 2dad3c8..7230490 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +270,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +271,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -38306,7 +38465,7 @@ index 2dad3c8..7230490 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +293,43 @@ optional_policy(`
+@@ -232,33 +294,43 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -38359,7 +38518,7 @@ index 2dad3c8..7230490 100644
  ')
  
  optional_policy(`
-@@ -266,11 +337,24 @@ optional_policy(`
+@@ -266,11 +338,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38385,7 +38544,7 @@ index 2dad3c8..7230490 100644
  ')
  
  optional_policy(`
-@@ -284,6 +368,11 @@ optional_policy(`
+@@ -284,6 +369,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38397,7 +38556,7 @@ index 2dad3c8..7230490 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +381,26 @@ optional_policy(`
+@@ -292,26 +382,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -38443,7 +38602,7 @@ index 2dad3c8..7230490 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +413,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +414,6 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -38451,7 +38610,7 @@ index 2dad3c8..7230490 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +441,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +442,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -38610,10 +38769,10 @@ index 6073656..eaf49b2 100644
  	allow $1 stunnel_t:tcp_socket rw_socket_perms;
  ')
 diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
-index f646c66..b8eec46 100644
+index f646c66..5370bb8 100644
 --- a/policy/modules/services/stunnel.te
 +++ b/policy/modules/services/stunnel.te
-@@ -6,17 +6,7 @@ policy_module(stunnel, 1.10.0)
+@@ -6,17 +6,9 @@ policy_module(stunnel, 1.10.0)
  #
  
  type stunnel_t;
@@ -38628,23 +38787,12 @@ index f646c66..b8eec46 100644
 -',`
 -	inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
 -')
++init_daemon_domain(stunnel_t, stunnel_exec_t)
++inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
  
  type stunnel_etc_t;
  files_config_file(stunnel_etc_t)
-@@ -27,6 +17,12 @@ files_tmp_file(stunnel_tmp_t)
- type stunnel_var_run_t;
- files_pid_file(stunnel_var_run_t)
- 
-+ifdef(`distro_gentoo',`
-+	init_daemon_domain(stunnel_t, stunnel_exec_t)
-+',`
-+	inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
-+')
-+
- ########################################
- #
- # Local policy
-@@ -40,7 +36,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
+@@ -40,7 +32,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
  
  allow stunnel_t stunnel_etc_t:dir list_dir_perms;
  allow stunnel_t stunnel_etc_t:file read_file_perms;
@@ -38653,7 +38801,7 @@ index f646c66..b8eec46 100644
  
  manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
  manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
-@@ -77,7 +73,7 @@ miscfiles_read_localization(stunnel_t)
+@@ -77,7 +69,7 @@ miscfiles_read_localization(stunnel_t)
  
  sysnet_read_config(stunnel_t)
  
@@ -38662,7 +38810,7 @@ index f646c66..b8eec46 100644
  	dontaudit stunnel_t self:capability sys_tty_config;
  	allow stunnel_t self:udp_socket create_socket_perms;
  
-@@ -120,4 +116,5 @@ ifdef(`distro_gentoo', `
+@@ -120,4 +112,5 @@ ifdef(`distro_gentoo', `
  gen_require(`
  	type stunnel_port_t;
  ')
@@ -38710,196 +38858,21 @@ index 7038b55..4e84f23 100644
  
  type tcpd_tmp_t;
  files_tmp_file(tcpd_tmp_t)
-diff --git a/policy/modules/services/tcsd.fc b/policy/modules/services/tcsd.fc
-index 8a473e7..7fdda14 100644
---- a/policy/modules/services/tcsd.fc
-+++ b/policy/modules/services/tcsd.fc
-@@ -1,3 +1,6 @@
-+/etc/rc\.d/init\.d/tcsd	--	gen_context(system_u:object_r:tcsd_initrc_exec_t,s0)
-+
- /usr/sbin/tcsd		--	gen_context(system_u:object_r:tcsd_exec_t,s0)
-+
- /var/lib/tpm(/.*)?		gen_context(system_u:object_r:tcsd_var_lib_t,s0)
- 
 diff --git a/policy/modules/services/tcsd.if b/policy/modules/services/tcsd.if
-index e814f69..f7d6fa3 100644
+index 595f5a7..459d773 100644
 --- a/policy/modules/services/tcsd.if
 +++ b/policy/modules/services/tcsd.if
-@@ -1 +1,153 @@
- ## <summary>TSS Core Services (TCS) daemon (tcsd) policy</summary>
-+
-+########################################
-+## <summary>
-+##	Execute a domain transition to run tcsd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`tcsd_domtrans',`
-+	gen_require(`
-+		type tcsd_t, tcsd_exec_t;
-+	')
-+
-+	domtrans_pattern($1, tcsd_exec_t, tcsd_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+##	Execute tcsd server in the tcsd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`tcsd_initrc_domtrans',`
-+	gen_require(`
-+		type tcsd_initrc_exec_t;
-+	')
-+
-+	init_labeled_script_domtrans($1, tcsd_initrc_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Search tcsd lib directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`tcsd_search_lib',`
-+	gen_require(`
-+		type tcsd_var_lib_t;
-+	')
-+
-+	allow $1 tcsd_var_lib_t:dir search_dir_perms;
-+	files_search_var_lib($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Read tcsd lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`tcsd_read_lib_files',`
-+	gen_require(`
-+		type tcsd_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+        read_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete
-+##	tcsd lib files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`tcsd_manage_lib_files',`
-+	gen_require(`
-+		type tcsd_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+        manage_files_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage tcsd lib dirs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`tcsd_manage_lib_dirs',`
-+	gen_require(`
-+		type tcsd_var_lib_t;
-+	')
-+
-+	files_search_var_lib($1)
-+        manage_dirs_pattern($1, tcsd_var_lib_t, tcsd_var_lib_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate
-+##	an tcsd environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`tcsd_admin',`
-+	gen_require(`
-+		type tcsd_t;
-+		type tcsd_initrc_exec_t;
-+                type tcsd_var_lib_t;
-+	')
-+
-+	allow $1 tcsd_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, tcsd_t)
-+
-+	tcsd_initrc_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 tcsd_initrc_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_search_var_lib($1)
-+	admin_pattern($1, tcsd_var_lib_t)
+@@ -147,4 +147,5 @@ interface(`tcsd_admin',`
+ 
+ 	files_search_var_lib($1)
+ 	admin_pattern($1, tcsd_var_lib_t)
 +
-+')
+ ')
 diff --git a/policy/modules/services/tcsd.te b/policy/modules/services/tcsd.te
-index f17dafd..30d2c75 100644
+index ee9f3c6..30d2c75 100644
 --- a/policy/modules/services/tcsd.te
 +++ b/policy/modules/services/tcsd.te
-@@ -10,7 +10,9 @@ type tcsd_exec_t;
- domain_type(tcsd_t)
- init_daemon_domain(tcsd_t, tcsd_exec_t)
- 
--# /var/lib/tpm
-+type tcsd_initrc_exec_t;
-+init_script_file(tcsd_initrc_exec_t)
-+
- type tcsd_var_lib_t;
- files_type(tcsd_var_lib_t)
- 
-@@ -23,26 +25,24 @@ allow tcsd_t self:capability { dac_override setuid };
- allow tcsd_t self:process { signal sigkill };
- allow tcsd_t self:tcp_socket create_stream_socket_perms;
- 
--# var/lib files for tcsd
- manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
+@@ -29,13 +29,11 @@ manage_dirs_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
  manage_files_pattern(tcsd_t, tcsd_var_lib_t, tcsd_var_lib_t)
  files_var_lib_filetrans(tcsd_t, tcsd_var_lib_t, { file dir })
  
@@ -38913,17 +38886,6 @@ index f17dafd..30d2c75 100644
  dev_rw_tpm(tcsd_t)
  
  files_read_etc_files(tcsd_t)
- files_read_usr_files(tcsd_t)
- 
--# Log messages via syslog.
-+auth_use_nsswitch(tcsd_t)
-+
- logging_send_syslog_msg(tcsd_t)
- 
- miscfiles_read_localization(tcsd_t)
- 
--sysnet_read_config(tcsd_t)
-+sysnet_dns_name_resolve(tcsd_t)
 diff --git a/policy/modules/services/telnet.if b/policy/modules/services/telnet.if
 index 58e7ec0..cf4cc85 100644
 --- a/policy/modules/services/telnet.if
@@ -40067,7 +40029,7 @@ index 7c5d8d8..5e2f264 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..931c98d 100644
+index 3eca020..48fc96d 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -40325,7 +40287,7 @@ index 3eca020..931c98d 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +288,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +288,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -40354,12 +40316,11 @@ index 3eca020..931c98d 100644
 +
 +# Manages /etc/sysconfig/system-config-firewall
 +files_manage_system_conf_files(virtd_t)
-+files_manage_system_conf_files(virtd_t)
 +files_etc_filetrans_system_conf(virtd_t)
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +321,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -40378,7 +40339,7 @@ index 3eca020..931c98d 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +356,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -40409,7 +40370,7 @@ index 3eca020..931c98d 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -329,6 +414,10 @@ optional_policy(`
+@@ -329,6 +413,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40420,7 +40381,7 @@ index 3eca020..931c98d 100644
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
-@@ -365,6 +454,8 @@ optional_policy(`
+@@ -365,6 +453,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -40429,7 +40390,7 @@ index 3eca020..931c98d 100644
  ')
  
  optional_policy(`
-@@ -396,12 +487,25 @@ optional_policy(`
+@@ -396,12 +486,25 @@ optional_policy(`
  
  allow virt_domain self:capability { dac_read_search dac_override kill };
  allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -40456,7 +40417,7 @@ index 3eca020..931c98d 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +526,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +525,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -40464,7 +40425,7 @@ index 3eca020..931c98d 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +534,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +533,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -40477,7 +40438,7 @@ index 3eca020..931c98d 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +547,11 @@ files_search_all(virt_domain)
+@@ -440,6 +546,11 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -40489,7 +40450,7 @@ index 3eca020..931c98d 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +569,117 @@ optional_policy(`
+@@ -457,8 +568,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40513,7 +40474,7 @@ index 3eca020..931c98d 100644
 +typealias virsh_t alias xm_t;
 +typealias virsh_exec_t alias xm_exec_t;
 +
-+allow virsh_t self:capability { dac_override ipc_lock sys_tty_config };
++allow virsh_t self:capability { setpcap dac_override ipc_lock sys_tty_config };
 +allow virsh_t self:process { getcap getsched setcap signal };
 +allow virsh_t self:fifo_file rw_fifo_file_perms;
 +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
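Review bot: `setpcap` joins the virsh_t capability set next to `self:process { getcap getsched setcap signal }` with no comment about which operation needs it; CAP_SETPCAP is what capset()/prctl(PR_CAPBSET_DROP) paths require to alter the bounding set or inheritable set, and in refpolicy such a grant is usually accompanied by a why-comment, e.g. `# virsh drops capabilities before spawning helpers`, stated once the actual caller is confirmed. If the permission only surfaced as an AVC from a library doing best-effort capability cleanup, a `dontaudit` may be the better fit than an allow. The virsh_t section continues beyond this hunk.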
@@ -42047,7 +42008,7 @@ index da2601a..223cc80 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 145fc4b..0220e38 100644
+index edc58df..58b515b 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -42839,22 +42800,23 @@ index 145fc4b..0220e38 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +914,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,8 +914,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
 +allow xserver_t self:netlink_selinux_socket create_socket_perms;
-+allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
+ allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
 +allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
 +
 +domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
 +
 +allow xserver_t xauth_home_t:file read_file_perms;
- 
++
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+ manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
+@@ -630,12 +941,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -42876,7 +42838,7 @@ index 145fc4b..0220e38 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -643,6 +961,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -42884,7 +42846,7 @@ index 145fc4b..0220e38 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +988,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -669,7 +988,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -42892,7 +42854,7 @@ index 145fc4b..0220e38 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,11 +997,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -679,11 +997,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -42910,7 +42872,7 @@ index 145fc4b..0220e38 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -693,8 +1018,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1018,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -42924,7 +42886,7 @@ index 145fc4b..0220e38 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1046,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -717,11 +1046,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -42939,7 +42901,7 @@ index 145fc4b..0220e38 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1106,28 @@ optional_policy(`
+@@ -774,16 +1106,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42952,7 +42914,6 @@ index 145fc4b..0220e38 100644
  ')
  
  optional_policy(`
--	unconfined_domain_noaudit(xserver_t)
 +	setrans_translate_context(xserver_t)
 +')
 +
@@ -42961,15 +42922,16 @@ index 145fc4b..0220e38 100644
 +')
 +
 +optional_policy(`
-+	udev_read_db(xserver_t)
-+')
-+
-+optional_policy(`
+ 	udev_read_db(xserver_t)
+ ')
+ 
+ optional_policy(`
+-	unconfined_domain_noaudit(xserver_t)
 +	unconfined_domain(xserver_t)
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -787,6 +1136,10 @@ optional_policy(`
+@@ -792,6 +1136,10 @@ optional_policy(`
  ')
  
  optional_policy(`
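Review bot: Swapping `unconfined_domain_noaudit(xserver_t)` for `unconfined_domain(xserver_t)` only changes whether the denials are logged; the X server is still fully unconfined whenever the unconfined module is loaded, so the x_domain, xserver_object_manager and xselinux rules elsewhere in this file are advisory on such systems. That is likely deliberate while the policy is being tightened, but it deserves a one-line comment above the call, e.g. `# xserver_t is still unconfined here; the X object manager rules below are only enforced on systems without the unconfined module`, so the gap is visible rather than implied. Expect the audited variant to surface denials that the noaudit form was masking; treat those as input for further confinement rather than as regressions. The optional_policy blocks here belong to the xserver_t section that starts outside the hunk.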
@@ -42980,7 +42942,7 @@ index 145fc4b..0220e38 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1155,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -807,10 +1155,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -42994,7 +42956,7 @@ index 145fc4b..0220e38 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1166,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -818,7 +1166,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -43003,7 +42965,7 @@ index 145fc4b..0220e38 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -826,6 +1179,9 @@ init_use_fds(xserver_t)
+@@ -831,6 +1179,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -43013,7 +42975,7 @@ index 145fc4b..0220e38 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1189,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -838,6 +1189,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -43025,7 +42987,7 @@ index 145fc4b..0220e38 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1202,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -846,11 +1202,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -43042,7 +43004,7 @@ index 145fc4b..0220e38 100644
  ')
  
  optional_policy(`
-@@ -853,6 +1217,10 @@ optional_policy(`
+@@ -858,6 +1217,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -43053,7 +43015,7 @@ index 145fc4b..0220e38 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -896,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -901,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -43062,7 +43024,7 @@ index 145fc4b..0220e38 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -950,11 +1318,31 @@ allow x_domain self:x_resource { read write };
+@@ -955,11 +1318,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -43094,7 +43056,7 @@ index 145fc4b..0220e38 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -976,18 +1364,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -981,18 +1364,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -43705,7 +43667,7 @@ index 88df85d..2fa3974 100644
  	ssh_sigchld(application_domain_type)
  	ssh_rw_stream_sockets(application_domain_type)
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 1c4b1e7..ffa4134 100644
+index 2952cef..4485fd5 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
 @@ -10,6 +10,7 @@
@@ -44532,7 +44494,7 @@ index 6fed22c..06e5395 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..e96b7b1 100644
+index cc83689..341c578 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,40 @@ interface(`init_script_domain',`
@@ -44848,7 +44810,32 @@ index cc83689..e96b7b1 100644
  	files_search_etc($1)
  ')
  
-@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',`
+@@ -1079,6 +1220,24 @@ interface(`init_read_all_script_files',`
+ 
+ #######################################
+ ## <summary>
++##	Dontaudit getattr all init script files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`init_dontaudit_getattr_all_script_files',`
++	gen_require(`
++		attribute init_script_file_type;
++	')
++
++	dontaudit $1 init_script_file_type:file getattr;
++')
++
++#######################################
++## <summary>
+ ##	Dontaudit read all init script files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1130,12 +1289,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -44862,7 +44849,7 @@ index cc83689..e96b7b1 100644
  ')
  
  ########################################
-@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1529,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -44890,7 +44877,7 @@ index cc83689..e96b7b1 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1636,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -44916,7 +44903,7 @@ index cc83689..e96b7b1 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -44925,7 +44912,7 @@ index cc83689..e96b7b1 100644
  ')
  
  ########################################
-@@ -1749,3 +1925,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +1943,93 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -45020,7 +45007,7 @@ index cc83689..e96b7b1 100644
 +	allow $1 init_t:unix_dgram_socket sendto;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 0580e7c..c45e5d8 100644
+index 77e8ca8..64ba6d1 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -45158,7 +45145,7 @@ index 0580e7c..c45e5d8 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +222,121 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +222,96 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -45223,38 +45210,13 @@ index 0580e7c..c45e5d8 100644
 +	init_read_script_state(init_t)
 +
 +	seutil_read_file_contexts(init_t)
-+	
-+	# Permissions for systemd-tmpfiles, needs its own policy.
-+	# Added systemd_tmpfiles_t domain for systemd-tmpfiles
-+	# and will cover by this policy
-+
-+	files_relabel_all_lock_dirs(init_t)
-+	files_relabel_all_pid_dirs(init_t)
-+	files_relabel_all_pid_files(init_t)
-+	files_manage_all_pids(init_t)
-+	files_manage_all_locks(init_t)
-+	files_setattr_all_tmp_dirs(init_t)
-+	logging_setattr_all_log_dirs(init_t)
-+
-+	files_purge_tmp(init_t)
-+	files_manage_generic_tmp_files(init_t)
-+	files_manage_generic_tmp_dirs(init_t)
-+	files_relabelfrom_tmp_dirs(init_t)
-+	files_relabelfrom_tmp_files(init_t)
-+	files_relabel_all_tmp_dirs(init_t)
-+	files_relabel_all_tmp_files(init_t)
-+
-+	auth_manage_faillog(init_t)
-+	auth_relabel_faillog(init_t)
-+	auth_manage_var_auth(init_t)
-+	auth_relabel_var_auth_dirs(init_t)
-+	auth_setattr_login_records(init_t)
 +
 +	# needs to remain
 +	logging_create_devlog_dev(init_t)
 +
-+	miscfiles_delete_man_pages(init_t)
-+	miscfiles_relabel_man_pages(init_t)
++#	miscfiles_delete_man_pages(init_t)
++#	miscfiles_relabel_man_pages(init_t)
++
 +')
 +
  optional_policy(`
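Review bot: The two lines left as `#	miscfiles_delete_man_pages(init_t)` and `#	miscfiles_relabel_man_pages(init_t)` are commented-out policy, which in a .te file reads as "maybe still needed" forever; either delete them (the history is in the patch) or keep them with a reason, e.g. `# man page cleanup moved to systemd_tmpfiles_t`. Moving the tmpfiles relabel/manage rights off init_t is the right least-privilege direction, but it only holds if init_t actually transitions into systemd_tmpfiles_t when systemd-tmpfiles runs; that domtrans is not visible in this hunk, so confirm it exists, otherwise tmpfiles keeps running as init_t and every removed rule becomes a boot-time denial. The `# needs to remain` comment on `logging_create_devlog_dev(init_t)` would be more useful if it said why (presumably /dev/log is created by init itself). The enclosing conditional block starts before this hunk.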
@@ -45280,7 +45242,7 @@ index 0580e7c..c45e5d8 100644
  ')
  
  optional_policy(`
-@@ -199,10 +344,24 @@ optional_policy(`
+@@ -199,10 +319,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45305,7 +45267,7 @@ index 0580e7c..c45e5d8 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +371,7 @@ optional_policy(`
+@@ -212,7 +346,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -45314,7 +45276,7 @@ index 0580e7c..c45e5d8 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +400,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +375,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -45329,7 +45291,7 @@ index 0580e7c..c45e5d8 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,11 +419,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +394,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -45353,7 +45315,7 @@ index 0580e7c..c45e5d8 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -279,6 +452,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +427,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -45361,7 +45323,7 @@ index 0580e7c..c45e5d8 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +465,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +440,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -45369,7 +45331,7 @@ index 0580e7c..c45e5d8 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +473,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +448,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -45385,7 +45347,7 @@ index 0580e7c..c45e5d8 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +498,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +473,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -45397,7 +45359,7 @@ index 0580e7c..c45e5d8 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +517,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +492,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -45411,7 +45373,7 @@ index 0580e7c..c45e5d8 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +532,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +507,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -45420,7 +45382,7 @@ index 0580e7c..c45e5d8 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +546,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +521,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -45428,7 +45390,7 @@ index 0580e7c..c45e5d8 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +558,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +533,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -45436,7 +45398,7 @@ index 0580e7c..c45e5d8 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,13 +579,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +554,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -45452,7 +45414,7 @@ index 0580e7c..c45e5d8 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -474,7 +660,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +639,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -45461,7 +45423,7 @@ index 0580e7c..c45e5d8 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +706,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +685,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -45485,7 +45447,7 @@ index 0580e7c..c45e5d8 100644
  	')
  
  	optional_policy(`
-@@ -527,10 +730,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +709,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -45503,7 +45465,7 @@ index 0580e7c..c45e5d8 100644
  	')
  
  	optional_policy(`
-@@ -545,6 +755,35 @@ ifdef(`distro_suse',`
+@@ -549,6 +734,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -45539,7 +45501,7 @@ index 0580e7c..c45e5d8 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -557,6 +796,8 @@ optional_policy(`
+@@ -561,6 +775,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -45548,7 +45510,7 @@ index 0580e7c..c45e5d8 100644
  ')
  
  optional_policy(`
-@@ -573,6 +814,7 @@ optional_policy(`
+@@ -577,6 +793,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -45556,7 +45518,7 @@ index 0580e7c..c45e5d8 100644
  ')
  
  optional_policy(`
-@@ -585,6 +827,11 @@ optional_policy(`
+@@ -589,6 +806,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45568,7 +45530,7 @@ index 0580e7c..c45e5d8 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -601,9 +848,13 @@ optional_policy(`
+@@ -605,9 +827,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -45582,7 +45544,7 @@ index 0580e7c..c45e5d8 100644
  	')
  
  	optional_policy(`
-@@ -702,7 +953,13 @@ optional_policy(`
+@@ -706,7 +932,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45596,7 +45558,7 @@ index 0580e7c..c45e5d8 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -725,6 +982,10 @@ optional_policy(`
+@@ -729,6 +961,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45607,7 +45569,7 @@ index 0580e7c..c45e5d8 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -734,10 +995,20 @@ optional_policy(`
+@@ -738,10 +974,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45628,7 +45590,7 @@ index 0580e7c..c45e5d8 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -746,6 +1017,10 @@ optional_policy(`
+@@ -750,6 +996,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45639,7 +45601,7 @@ index 0580e7c..c45e5d8 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -767,8 +1042,6 @@ optional_policy(`
+@@ -771,8 +1021,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -45648,7 +45610,7 @@ index 0580e7c..c45e5d8 100644
  ')
  
  optional_policy(`
-@@ -777,14 +1050,21 @@ optional_policy(`
+@@ -781,14 +1029,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45670,7 +45632,7 @@ index 0580e7c..c45e5d8 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -806,11 +1086,19 @@ optional_policy(`
+@@ -810,11 +1065,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45691,7 +45653,7 @@ index 0580e7c..c45e5d8 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -820,6 +1108,25 @@ optional_policy(`
+@@ -824,6 +1087,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -45717,7 +45679,7 @@ index 0580e7c..c45e5d8 100644
  ')
  
  optional_policy(`
-@@ -845,3 +1152,59 @@ optional_policy(`
+@@ -849,3 +1131,59 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -45799,7 +45761,7 @@ index 07eba2b..942bea1 100644
  
  /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 8232f91..cba1b30 100644
+index 8232f91..8897e32 100644
 --- a/policy/modules/system/ipsec.if
 +++ b/policy/modules/system/ipsec.if
 @@ -20,6 +20,24 @@ interface(`ipsec_domtrans',`
@@ -45827,7 +45789,15 @@ index 8232f91..cba1b30 100644
  ##	Connect to IPSEC using a unix domain stream socket.
  ## </summary>
  ## <param name="domain">
-@@ -273,3 +291,81 @@ interface(`ipsec_run_setkey',`
+@@ -129,6 +147,7 @@ interface(`ipsec_match_default_spd',`
+ 
+ 	allow $1 ipsec_spd_t:association polmatch;
+ 	allow $1 self:association sendto;
++	allow $1 self:peer recv;
+ ')
+ 
+ ########################################
+@@ -273,3 +292,81 @@ interface(`ipsec_run_setkey',`
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
  ')
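Review bot: `allow $1 self:peer recv;` changes what `ipsec_match_default_spd` grants: the caller can now receive labeled-IPsec packets from peers carrying its own context, which is a receive-side decision rather than SPD matching, and the interface's summary (outside this hunk) will no longer describe it. Either rename or document the wider contract in the interface header, e.g. `## Also permits receiving from labeled peers with the caller's own context.`, or split the new rule into its own interface so callers that only need polmatch do not pick up the peer permission. The `self` restriction keeps the grant narrow, so the concern is discoverability rather than excess privilege.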
@@ -47194,15 +47164,15 @@ index 58bc27f..b95f0c0 100644
 +	allow $1 clvmd_tmpfs_t:file unlink;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 74e38b4..a5d465f 100644
+index a0a0ebf..402f69e 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
  type clvmd_initrc_exec_t;
  init_script_file(clvmd_initrc_exec_t)
  
-+type clmvd_tmpfs_t;
-+files_tmpfs_file(clmvd_tmpfs_t)
++type clvmd_tmpfs_t alias clmvd_tmpfs_t;
++files_tmpfs_file(clvmd_tmpfs_t)
 +
  type clvmd_var_run_t;
  files_pid_file(clvmd_var_run_t)
@@ -47220,9 +47190,9 @@ index 74e38b4..a5d465f 100644
  allow clvmd_t self:tcp_socket create_stream_socket_perms;
  allow clvmd_t self:udp_socket create_socket_perms;
  
-+manage_dirs_pattern(clvmd_t, clmvd_tmpfs_t, clmvd_tmpfs_t)
-+manage_files_pattern(clvmd_t, clmvd_tmpfs_t,clmvd_tmpfs_t)
-+fs_tmpfs_filetrans(clvmd_t, clmvd_tmpfs_t, { dir file })
++manage_dirs_pattern(clvmd_t, clvmd_tmpfs_t, clvmd_tmpfs_t)
++manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
++fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
 +
  manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
  files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
@@ -47251,7 +47221,7 @@ index 74e38b4..a5d465f 100644
  allow lvm_t self:file rw_file_perms;
  allow lvm_t self:fifo_file manage_fifo_file_perms;
  allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -190,8 +203,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -191,8 +204,9 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
  can_exec(lvm_t, lvm_exec_t)
  
  # Creating lock files
@@ -47262,7 +47232,7 @@ index 74e38b4..a5d465f 100644
  
  manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
  manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -200,7 +214,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -201,7 +215,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
  manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
  manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
  manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@@ -47271,11 +47241,9 @@ index 74e38b4..a5d465f 100644
  
  read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
  read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -210,12 +224,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
- files_etc_filetrans(lvm_t, lvm_metadata_t, file)
- files_search_mnt(lvm_t)
+@@ -213,11 +227,13 @@ files_search_mnt(lvm_t)
  
-+kernel_get_sysvipc_info(lvm_t)
+ kernel_get_sysvipc_info(lvm_t)
  kernel_read_system_state(lvm_t)
 +kernel_read_kernel_sysctls(lvm_t)
  # Read system variables in /proc/sys
@@ -47287,7 +47255,7 @@ index 74e38b4..a5d465f 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -242,6 +259,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -244,6 +260,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -47295,7 +47263,7 @@ index 74e38b4..a5d465f 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -251,8 +269,9 @@ files_read_etc_files(lvm_t)
+@@ -253,8 +270,9 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -47306,7 +47274,7 @@ index 74e38b4..a5d465f 100644
  fs_search_auto_mountpoints(lvm_t)
  fs_list_tmpfs(lvm_t)
  fs_read_tmpfs_symlinks(lvm_t)
-@@ -262,6 +281,7 @@ fs_rw_anon_inodefs_files(lvm_t)
+@@ -264,6 +282,7 @@ fs_rw_anon_inodefs_files(lvm_t)
  
  mls_file_read_all_levels(lvm_t)
  mls_file_write_to_clearance(lvm_t)
@@ -47314,7 +47282,7 @@ index 74e38b4..a5d465f 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -309,6 +329,11 @@ ifdef(`distro_redhat',`
+@@ -311,6 +330,11 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -47326,7 +47294,7 @@ index 74e38b4..a5d465f 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -329,6 +354,10 @@ optional_policy(`
+@@ -331,6 +355,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47425,7 +47393,7 @@ index 9c0faab..def8d5a 100644
  ##	loading modules.
  ## </summary>
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 74a4466..9061149 100644
+index a0eef20..75e256f 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -18,11 +18,12 @@ type insmod_t;
@@ -47498,9 +47466,9 @@ index 74a4466..9061149 100644
 +fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
 +
  kernel_load_module(insmod_t)
+ kernel_request_load_module(insmod_t)
  kernel_read_system_state(insmod_t)
- kernel_read_network_state(insmod_t)
-@@ -125,6 +137,7 @@ kernel_write_proc_files(insmod_t)
+@@ -126,6 +138,7 @@ kernel_write_proc_files(insmod_t)
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
@@ -47508,7 +47476,7 @@ index 74a4466..9061149 100644
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +155,7 @@ dev_rw_agp(insmod_t)
+@@ -143,6 +156,7 @@ dev_rw_agp(insmod_t)
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -47516,7 +47484,7 @@ index 74a4466..9061149 100644
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -160,11 +174,15 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +175,15 @@ files_write_kernel_modules(insmod_t)
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -47532,7 +47500,7 @@ index 74a4466..9061149 100644
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -173,8 +191,7 @@ miscfiles_read_localization(insmod_t)
+@@ -174,8 +192,7 @@ miscfiles_read_localization(insmod_t)
  
  seutil_read_file_contexts(insmod_t)
  
@@ -47542,7 +47510,7 @@ index 74a4466..9061149 100644
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
  if( ! secure_mode_insmod ) {
-@@ -186,8 +203,11 @@ optional_policy(`
+@@ -187,8 +204,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47556,7 +47524,7 @@ index 74a4466..9061149 100644
  ')
  
  optional_policy(`
-@@ -235,6 +255,10 @@ optional_policy(`
+@@ -236,6 +256,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48174,7 +48142,7 @@ index ed9c70d..b961d53 100644
  /sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
 diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index 09845c4..8cc2a2b 100644
+index 73cc8cf..bf6a0b6 100644
 --- a/policy/modules/system/raid.te
 +++ b/policy/modules/system/raid.te
 @@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -48210,15 +48178,6 @@ index 09845c4..8cc2a2b 100644
  
  kernel_read_system_state(mdadm_t)
  kernel_read_kernel_sysctls(mdadm_t)
-@@ -42,7 +40,7 @@ kernel_getattr_core_if(mdadm_t)
- corecmd_exec_bin(mdadm_t)
- corecmd_exec_shell(mdadm_t)
- 
--dev_read_sysfs(mdadm_t)
-+dev_rw_sysfs(mdadm_t)
- # Ignore attempts to read every device file
- dev_dontaudit_getattr_all_blk_files(mdadm_t)
- dev_dontaudit_getattr_all_chr_files(mdadm_t)
 @@ -52,13 +50,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
  dev_read_realtime_clock(mdadm_t)
  # unfortunately needed for DMI decoding:
@@ -49710,10 +49669,10 @@ index 0000000..5f0352b
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..dae5641
+index 0000000..4d7a07a
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,107 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -49777,6 +49736,9 @@ index 0000000..dae5641
 +
 +files_read_etc_files(systemd_tmpfiles_t)
 +
++files_getattr_all_dirs(systemd_tmpfiles_t)
++files_getattr_all_files(systemd_tmpfiles_t)
++
 +files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 +files_relabel_all_pid_files(systemd_tmpfiles_t)
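Review bot: `files_getattr_all_files(systemd_tmpfiles_t)` grants getattr on every file type in the policy, which is more than a directory walk of /tmp, /run and /var/lock needs and exposes metadata (size, mtime, label) of sensitive files such as those under /etc to this domain. If the denials that motivated it were confined to the temp and pid trees, a narrower pair such as `files_getattr_all_tmp_files`-style interfaces for the directories tmpfiles actually walks would be preferable; if the walk really reaches arbitrary paths from tmpfiles.d configs, keep the broad rule but say so in a comment, e.g. `# tmpfiles.d entries may point anywhere on the filesystem`. The same consideration applies to `files_getattr_all_dirs` on the line above.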
@@ -49819,7 +49781,7 @@ index 0000000..dae5641
 +')
 +
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..44fe366 100644
+index d1c22f3..41150bb 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
 @@ -22,3 +22,4 @@
@@ -49902,7 +49864,7 @@ index 025348a..cea695c 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a054cf5..4fc2837 100644
+index 8f852e5..4c49051 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto;
@@ -50792,7 +50754,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..a0cd92e 100644
+index 28b88de..b22960c 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -50806,7 +50768,7 @@ index 28b88de..a0cd92e 100644
  	domain_type($1_t)
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,99 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,100 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -50894,6 +50856,7 @@ index 28b88de..a0cd92e 100644
 +	domain_dontaudit_read_all_domains_state($1_usertype)
 +	domain_dontaudit_getattr_all_domains($1_usertype)
 +	domain_dontaudit_getsession_all_domains($1_usertype)
++	dev_dontaudit_all_access_check($1_usertype)
 +
 +	files_read_etc_files($1_usertype)
 +	files_list_mnt($1_usertype)
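Review bot: `dev_dontaudit_all_access_check($1_usertype)` silences access(2) probes against every device node for all user domains, which is fine for cutting log noise but also hides a user process scanning /dev for what it can reach, so it should carry a note on what triggered it rather than sit unexplained between the domain_dontaudit_* calls. A comment such as `# applications probe /dev via access(2); real opens are still audited` records the trade-off, and placing the line with the other `dev_` rules would match the file's grouping. This sits inside `userdom_base_user_template`, which starts and ends outside the hunk.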
@@ -50955,7 +50918,7 @@ index 28b88de..a0cd92e 100644
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -116,6 +147,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +148,16 @@ template(`userdom_base_user_template',`
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
@@ -50972,7 +50935,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  #######################################
-@@ -149,6 +190,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +191,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -50981,7 +50944,7 @@ index 28b88de..a0cd92e 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -166,27 +209,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +210,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -51009,7 +50972,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  #######################################
-@@ -218,8 +240,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +241,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -51021,7 +50984,7 @@ index 28b88de..a0cd92e 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -228,17 +253,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +254,21 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -51053,7 +51016,7 @@ index 28b88de..a0cd92e 100644
  	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
  	files_list_home($2)
  
-@@ -246,25 +275,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +276,23 @@ interface(`userdom_manage_home_role',`
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
@@ -51083,7 +51046,7 @@ index 28b88de..a0cd92e 100644
  	')
  ')
  
-@@ -289,6 +316,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +317,8 @@ interface(`userdom_manage_tmp_role',`
  		type user_tmp_t;
  	')
  
@@ -51092,7 +51055,7 @@ index 28b88de..a0cd92e 100644
  	files_poly_member_tmp($2, user_tmp_t)
  
  	manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +326,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +327,45 @@ interface(`userdom_manage_tmp_role',`
  	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
  	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
  	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -51138,7 +51101,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  #######################################
-@@ -316,6 +384,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +385,7 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -51146,7 +51109,7 @@ index 28b88de..a0cd92e 100644
  	files_search_tmp($1)
  ')
  
-@@ -350,6 +419,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +420,8 @@ interface(`userdom_manage_tmpfs_role',`
  		type user_tmpfs_t;
  	')
  
@@ -51155,7 +51118,7 @@ index 28b88de..a0cd92e 100644
  	manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
  	manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
  	manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +431,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +432,41 @@ interface(`userdom_manage_tmpfs_role',`
  
  #######################################
  ## <summary>
@@ -51224,7 +51187,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  #######################################
-@@ -430,6 +496,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +497,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -51232,7 +51195,7 @@ index 28b88de..a0cd92e 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -490,7 +557,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +558,7 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -51241,7 +51204,7 @@ index 28b88de..a0cd92e 100644
  
  	##############################
  	#
-@@ -500,73 +567,79 @@ template(`userdom_common_user_template',`
+@@ -500,73 +568,79 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -51360,7 +51323,7 @@ index 28b88de..a0cd92e 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +647,114 @@ template(`userdom_common_user_template',`
+@@ -574,67 +648,114 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -51493,7 +51456,7 @@ index 28b88de..a0cd92e 100644
  	')
  
  	optional_policy(`
-@@ -650,41 +770,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +771,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -51555,7 +51518,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  #######################################
-@@ -712,13 +841,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +842,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
@@ -51587,7 +51550,7 @@ index 28b88de..a0cd92e 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +878,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +879,71 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -51696,7 +51659,7 @@ index 28b88de..a0cd92e 100644
  	')
  ')
  
-@@ -833,6 +974,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +975,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -51706,7 +51669,7 @@ index 28b88de..a0cd92e 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1018,107 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1019,107 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -51825,7 +51788,7 @@ index 28b88de..a0cd92e 100644
  	')
  ')
  
-@@ -947,7 +1153,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1154,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -51834,7 +51797,7 @@ index 28b88de..a0cd92e 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1162,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1163,77 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -51942,7 +51905,7 @@ index 28b88de..a0cd92e 100644
  	')
  ')
  
-@@ -1039,7 +1268,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1269,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -51951,7 +51914,7 @@ index 28b88de..a0cd92e 100644
  	')
  
  	##############################
-@@ -1066,6 +1295,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1296,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -51959,7 +51922,7 @@ index 28b88de..a0cd92e 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1304,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1305,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -51969,7 +51932,7 @@ index 28b88de..a0cd92e 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1321,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1322,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -51977,7 +51940,7 @@ index 28b88de..a0cd92e 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1119,10 +1353,13 @@ template(`userdom_admin_user_template',`
+@@ -1119,10 +1354,13 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -51991,7 +51954,7 @@ index 28b88de..a0cd92e 100644
  	fs_set_all_quotas($1_t)
  	fs_exec_noxattr($1_t)
  
-@@ -1142,6 +1379,7 @@ template(`userdom_admin_user_template',`
+@@ -1142,6 +1380,7 @@ template(`userdom_admin_user_template',`
  	logging_send_syslog_msg($1_t)
  
  	modutils_domtrans_insmod($1_t)
@@ -51999,7 +51962,7 @@ index 28b88de..a0cd92e 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1448,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1449,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -52008,7 +51971,7 @@ index 28b88de..a0cd92e 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1462,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1463,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -52016,7 +51979,7 @@ index 28b88de..a0cd92e 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1237,6 +1478,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1479,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -52024,7 +51987,7 @@ index 28b88de..a0cd92e 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1279,11 +1521,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1522,37 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -52062,7 +52025,7 @@ index 28b88de..a0cd92e 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1663,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1664,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52070,7 +52033,7 @@ index 28b88de..a0cd92e 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1710,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1711,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -52085,7 +52048,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -1456,9 +1733,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1734,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -52097,7 +52060,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -1515,10 +1794,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1795,10 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -52110,7 +52073,7 @@ index 28b88de..a0cd92e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1526,35 +1805,71 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,35 +1806,71 @@ interface(`userdom_relabelto_user_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -52203,7 +52166,7 @@ index 28b88de..a0cd92e 100644
  ##	</summary>
  ## </param>
  ## <param name="target_domain">
-@@ -1589,6 +1904,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1905,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -52212,7 +52175,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -1603,10 +1920,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1921,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -52227,7 +52190,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -1649,6 +1968,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1969,25 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -52253,7 +52216,7 @@ index 28b88de..a0cd92e 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2038,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2039,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -52286,7 +52249,7 @@ index 28b88de..a0cd92e 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2074,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2075,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -52304,7 +52267,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -1810,8 +2171,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2172,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -52314,7 +52277,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -1827,20 +2187,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2188,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -52339,7 +52302,7 @@ index 28b88de..a0cd92e 100644
  
  ########################################
  ## <summary>
-@@ -2182,7 +2536,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2537,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -52348,7 +52311,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -2435,13 +2789,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2790,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -52364,7 +52327,7 @@ index 28b88de..a0cd92e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2817,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2818,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -52391,7 +52354,7 @@ index 28b88de..a0cd92e 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2815,7 +3150,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3151,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -52400,7 +52363,7 @@ index 28b88de..a0cd92e 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3166,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3167,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -52416,7 +52379,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -2917,7 +3254,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3255,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -52425,7 +52388,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -2972,7 +3309,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3310,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -52472,7 +52435,7 @@ index 28b88de..a0cd92e 100644
  ')
  
  ########################################
-@@ -3009,6 +3384,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3385,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -52480,7 +52443,7 @@ index 28b88de..a0cd92e 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3139,3 +3515,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3516,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -53644,7 +53607,7 @@ index df29ca1..2333dd8 100644
 +# Nautilus causes this avc
 +dontaudit unpriv_userdomain self:dir setattr;
 diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
-index 8c827f8..744fa64 100644
+index a865da7..2e7f2b0 100644
 --- a/policy/modules/system/xen.fc
 +++ b/policy/modules/system/xen.fc
 @@ -1,7 +1,5 @@
@@ -53652,9 +53615,9 @@ index 8c827f8..744fa64 100644
  
 -/usr/bin/virsh		--	gen_context(system_u:object_r:xm_exec_t,s0)
 -
+ /usr/sbin/blktapctrl	--	gen_context(system_u:object_r:blktap_exec_t,s0)
  /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
- 
- ifdef(`distro_debian',`
+ /usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
 diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
 index 77d41b6..4aa96c6 100644
 --- a/policy/modules/system/xen.if
@@ -53707,10 +53670,10 @@ index 77d41b6..4aa96c6 100644
  
  	files_search_pids($1)
 diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index f661f5a..600d43f 100644
+index 4350ba0..630c03d 100644
 --- a/policy/modules/system/xen.te
 +++ b/policy/modules/system/xen.te
-@@ -4,6 +4,7 @@ policy_module(xen, 1.10.0)
+@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
  #
  # Declarations
  #
@@ -53718,7 +53681,7 @@ index f661f5a..600d43f 100644
  
  ## <desc>
  ## <p>
-@@ -34,6 +35,7 @@ type xen_image_t; # customizable
+@@ -65,6 +66,7 @@ type xen_image_t; # customizable
  files_type(xen_image_t)
  # xen_image_t can be assigned to blk devices
  dev_node(xen_image_t)
@@ -53726,7 +53689,7 @@ index f661f5a..600d43f 100644
  
  type xenctl_t;
  files_type(xenctl_t)
-@@ -89,11 +91,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
+@@ -121,11 +123,6 @@ init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
  type xenconsoled_var_run_t;
  files_pid_file(xenconsoled_var_run_t)
  
@@ -53735,27 +53698,10 @@ index f661f5a..600d43f 100644
 -domain_type(xm_t)
 -init_system_domain(xm_t, xm_exec_t)
 -
- #######################################
- #
- # evtchnd local policy
-@@ -113,7 +110,7 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
- # xend local policy
+ ########################################
  #
- 
--allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_nice sys_ptrace sys_tty_config net_raw };
-+allow xend_t self:capability { mknod dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_ptrace sys_tty_config net_raw };
- dontaudit xend_t self:capability { sys_ptrace };
- allow xend_t self:process { signal sigkill };
- dontaudit xend_t self:process ptrace;
-@@ -228,6 +225,7 @@ logging_send_syslog_msg(xend_t)
- lvm_domtrans(xend_t)
- 
- miscfiles_read_localization(xend_t)
-+miscfiles_read_hwdata(xend_t)
- 
- mount_domtrans(xend_t)
- 
-@@ -245,6 +243,8 @@ xen_stream_connect_xenstore(xend_t)
+ # blktap local policy
+@@ -341,6 +338,8 @@ xen_stream_connect_xenstore(xend_t)
  
  netutils_domtrans(xend_t)
  
@@ -53764,7 +53710,7 @@ index f661f5a..600d43f 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -317,9 +317,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +412,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -53776,23 +53722,19 @@ index f661f5a..600d43f 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -346,6 +347,7 @@ dev_read_sysfs(xenstored_t)
+@@ -442,9 +442,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
 +fs_search_xenfs(xenstored_t)
  fs_manage_xenfs_files(xenstored_t)
  
- storage_raw_read_fixed_disk(xenstored_t)
-@@ -353,6 +355,7 @@ storage_raw_write_fixed_disk(xenstored_t)
- storage_raw_read_removable_device(xenstored_t)
- 
  term_use_generic_ptys(xenstored_t)
 +term_use_console(xenconsoled_t)
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
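Review bot: The context line `+term_use_console(xenconsoled_t)` is the only rule in this run whose subject is `xenconsoled_t`; everything around it (`term_use_generic_ptys(xenstored_t)`, `init_use_fds(xenstored_t)`, `init_use_script_ptys(xenstored_t)`) is xenstored local policy, which suggests either the type should be `xenstored_t` or the rule belongs in the xenconsoled section. The commit renumbers and trims this hunk but carries the line forward unchanged, so the rebase is a good moment to settle it; if xenconsoled_t genuinely needs the console, moving the line under its own section heading avoids the ambiguity. The line counts in this hunk header do not match the visible body, so part of the hunk may have been lost in extraction.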
-@@ -365,98 +368,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +459,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -53842,8 +53784,6 @@ index f661f5a..600d43f 100644
 -fs_manage_xenfs_dirs(xm_t)
 -fs_manage_xenfs_files(xm_t)
 -
--storage_raw_read_fixed_disk(xm_t)
--
 -term_use_all_terms(xm_t)
 -
 -init_stream_connect_script(xm_t)
@@ -53891,7 +53831,7 @@ index f661f5a..600d43f 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -469,8 +383,4 @@ optional_policy(`
+@@ -559,8 +474,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
@@ -54042,7 +53982,7 @@ index f7380b3..51867f6 100644
 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 diff --git a/policy/users b/policy/users
-index c4ebc7e..be2a04c 100644
+index c4ebc7e..30d6d7a 100644
 --- a/policy/users
 +++ b/policy/users
 @@ -15,7 +15,7 @@
@@ -54054,15 +53994,17 @@ index c4ebc7e..be2a04c 100644
  
  #
  # user_u is a generic user identity for Linux users who have no
-@@ -25,11 +25,8 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+@@ -24,12 +24,9 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ # SELinux user identity for a Linux user.  If you do not want to
  # permit any access to such users, then remove this entry.
  #
- gen_user(user_u, user, user_r, s0, s0)
+-gen_user(user_u, user, user_r, s0, s0)
 -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 -
 -# Until order dependence is fixed for users:
 -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(user_u, user, user_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +gen_user(staff_u, user, staff_r system_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 +gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2d2eb81..62d6921 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,8 +20,8 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.9.14
-Release: 2%{?dist}
+Version: 3.9.15
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,9 @@ exit 0
 %endif
 
 %changelog
+* Wed Feb 16 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.15-1
+- Update to upstream
+
 * Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.9.14-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
 
diff --git a/sources b/sources
index af1ec0f..0fe45a1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 409b40c8102b1617681ba17c31032e66  config.tgz
-a55f0c692416d73f7805e52fd6511825  serefpolicy-3.9.14.tgz
+2eeeb55c62c5ead3dab8a0ae7b29bfd5  serefpolicy-3.9.15.tgz