diff --git a/policy-F16.patch b/policy-F16.patch
index b066667..1873398 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -211,10 +211,10 @@ index 4705ab6..262b5ba 100644
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
-index df8e0fa..ed7a0c1 100644
+index df8e0fa..6568d96 100644
--- a/policy/mcs
+++ b/policy/mcs
-@@ -69,16 +69,20 @@ gen_levels(1,mcs_num_cats)
+@@ -69,16 +69,28 @@ gen_levels(1,mcs_num_cats)
# - /proc/pid operations are not constrained.
mlsconstrain file { read ioctl lock execute execute_no_trans }
@@ -236,10 +236,18 @@ index df8e0fa..ed7a0c1 100644
- (( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
+ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
++
++mlsconstrain { lnk_file chr_file blk_file sock_file fifo_file } { getattr read ioctl }
++ (( h1 dom h2 ) or ( t1 == mcsreadall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
++
++mlsconstrain { lnk_file chr_file blk_file sock_file fifo_file } { write setattr }
++ (( h1 dom h2 ) or ( t1 == mcswriteall ) or
++ (( t1 != mcsuntrustedproc ) and (t2 == domain)));
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
-@@ -101,6 +105,9 @@ mlsconstrain process { ptrace }
+@@ -101,6 +113,9 @@ mlsconstrain process { ptrace }
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
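Review bot: The policy's own summary comment shown as context in the preceding hunk, `# - /proc/pid operations are not constrained.`, no longer matches the constraints added here, because the `( t2 == domain )` exemption is now conditional on `( t1 != mcsuntrustedproc )` for file and for the lnk_file/chr_file/blk_file/sock_file/fifo_file classes. Suggest amending it to `# - /proc/pid operations are not constrained, except for mcsuntrustedproc domains.` so the header stays accurate. The three new constraints repeat the same subject exemption verbatim; a one-line comment naming what mcsuntrustedproc is meant to cover would help, as the attribute's definition is outside this hunk.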
@@ -249,7 +257,7 @@ index df8e0fa..ed7a0c1 100644
#
# MCS policy for SELinux-enabled databases
#
-@@ -144,4 +151,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +159,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
@@ -2490,10 +2498,18 @@ index af55369..ec838bd 100644
+ miscfiles_read_man_pages(prelink_t)
+')
diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc
-index f387230..a59bf52 100644
+index f387230..e13dbdd 100644
--- a/policy/modules/admin/quota.fc
+++ b/policy/modules/admin/quota.fc
-@@ -17,3 +17,7 @@ ifdef(`distro_redhat',`
+@@ -10,10 +10,14 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+ /var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
+-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
++/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ ifdef(`distro_redhat',`
+ /usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
',`
/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
')
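Review bot: The widened entry `/var/spool/(.*/)?a?quota\.(user|group)` relies on the regex to reach quota files in spool subdirectories, but file_contexts matching prefers the entry with the longest literal stem, so a quota file under a subtree that already has its own entry (the mail spool appears to be the target, given the `mta_spool_filetrans` calls this patch adds to quota.if and quota.te) will most likely keep that subtree's type on relabel while the runtime transition gives it quota_db_t. If the mail spool is the intended location, an explicit `/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)` entry avoids the relabel/runtime mismatch. This is inferred from the usual refpolicy matching order; verify with `matchpathcon` on a target host.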
@@ -2502,10 +2518,10 @@ index f387230..a59bf52 100644
+
+/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
-index bf75d99..9e3153a 100644
+index bf75d99..d1af9cf 100644
--- a/policy/modules/admin/quota.if
+++ b/policy/modules/admin/quota.if
-@@ -83,3 +83,55 @@ interface(`quota_manage_flags',`
+@@ -83,3 +83,59 @@ interface(`quota_manage_flags',`
files_search_var_lib($1)
manage_files_pattern($1, quota_flag_t, quota_flag_t)
')
@@ -2541,6 +2557,10 @@ index bf75d99..9e3153a 100644
+ files_var_filetrans($1, quota_db_t, file, "aquota.group")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
+ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
++ mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
++ mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
++ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
++ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
+')
+
+#######################################
@@ -2562,7 +2582,7 @@ index bf75d99..9e3153a 100644
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
+')
diff --git a/policy/modules/admin/quota.te b/policy/modules/admin/quota.te
-index 5dd42f5..4d272f2 100644
+index 5dd42f5..bef4392 100644
--- a/policy/modules/admin/quota.te
+++ b/policy/modules/admin/quota.te
@@ -15,6 +15,13 @@ files_type(quota_db_t)
@@ -2579,7 +2599,17 @@ index 5dd42f5..4d272f2 100644
########################################
#
# Local policy
-@@ -72,7 +79,7 @@ init_use_script_ptys(quota_t)
+@@ -34,6 +41,9 @@ files_home_filetrans(quota_t, quota_db_t, file)
+ files_usr_filetrans(quota_t, quota_db_t, file)
+ files_var_filetrans(quota_t, quota_db_t, file)
+ files_spool_filetrans(quota_t, quota_db_t, file)
++mta_spool_filetrans(quota_t, quota_db_t, file)
++mta_spool_filetrans(quota_t, quota_db_t, file)
++mta_spool_filetrans_queue(quota_t, quota_db_t, file)
+
+ kernel_list_proc(quota_t)
+ kernel_read_proc_symlinks(quota_t)
+@@ -72,7 +82,7 @@ init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
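Review bot: `mta_spool_filetrans(quota_t, quota_db_t, file)` is added twice in a row; the second copy is redundant and should be dropped. Both calls, and `mta_spool_filetrans_queue(quota_t, quota_db_t, file)`, reach into the mta module without an `optional_policy(` wrapper, whereas quota.te wraps its other cross-module calls that way (see the `udev_read_db(quota_t)` block in the next hunk); unless mta is guaranteed to be loaded, these belong in `optional_policy(` too. Note also that the quota.if interface added earlier in this patch passes a file name (`"aquota.user"`/`"aquota.group"`) to these calls while quota.te does not, so here every file quota_t creates in the mail spool would become quota_db_t; confirm that an unnamed transition is intended.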
@@ -2588,7 +2618,7 @@ index 5dd42f5..4d272f2 100644
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
-@@ -82,3 +89,34 @@ optional_policy(`
+@@ -82,3 +92,34 @@ optional_policy(`
optional_policy(`
udev_read_db(quota_t)
')
@@ -2768,7 +2798,7 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..de6d89b 100644
+index b206bf6..2ba67e7 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -6,7 +6,9 @@
@@ -2781,7 +2811,13 @@ index b206bf6..de6d89b 100644
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -24,9 +26,14 @@ ifdef(`distro_redhat', `
+@@ -19,14 +21,20 @@
+ /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+ ifdef(`distro_redhat', `
++/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
+ /usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -2796,7 +2832,7 @@ index b206bf6..de6d89b 100644
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-@@ -36,6 +43,8 @@ ifdef(`distro_redhat', `
+@@ -36,6 +44,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
@@ -3865,16 +3901,17 @@ index 975af1a..634c47a 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..11212f2 100644
+index 2731fa1..71bf5e8 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,111 @@ attribute sudodomain;
+@@ -7,3 +7,112 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
+
+type sudo_db_t;
+files_type(sudo_db_t)
++mls_trusted_object(sudo_db_t)
+
+manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
+manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
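Review bot: `mls_trusted_object(sudo_db_t)` is added with no comment explaining why sudo's database type must be exempt from the MLS constraints; from the surrounding declarations a reader cannot tell whether this is a deliberate cross-level write (sudo's db files being updated from sessions at any level) or a workaround for one specific denial. Suggest a one-line comment above it, e.g. `# sudo updates its db from sessions at every level, so the type cannot be MLS-constrained`, adjusted to the actual motivation. The declarations for sudo_db_t continue outside the hunk.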
@@ -5549,7 +5586,7 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..47c5063 100644
+index f5afe78..3f977fc 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,787 @@
@@ -6266,11 +6303,10 @@ index f5afe78..47c5063 100644
+## Set attributes of Gnome config dirs.
+##
+##
- ##
--## Role allowed access
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+#
+interface(`gnome_setattr_config_dirs',`
+ gen_require(`
@@ -6285,22 +6321,18 @@ index f5afe78..47c5063 100644
+##
+## Manage generic gnome home files.
+##
- ##
++##
##
--## User domain for the role
+-## Role allowed access
+## Domain allowed access.
##
##
- #
--interface(`gnome_role',`
++#
+interface(`gnome_manage_generic_home_files',`
- gen_require(`
-- type gconfd_t, gconfd_exec_t;
-- type gconf_tmp_t;
++ gen_require(`
+ type gnome_home_t;
- ')
-
-- role $1 types gconfd_t;
++ ')
++
+ userdom_search_user_home_dirs($1)
+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
+')
@@ -6309,17 +6341,23 @@ index f5afe78..47c5063 100644
+##
+## Manage generic gnome home directories.
+##
-+##
-+##
+ ##
+ ##
+-## User domain for the role
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`gnome_role',`
+interface(`gnome_manage_generic_home_dirs',`
-+ gen_require(`
+ gen_require(`
+- type gconfd_t, gconfd_exec_t;
+- type gconf_tmp_t;
+ type gnome_home_t;
-+ ')
+ ')
+- role $1 types gconfd_t;
+-
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
@@ -6358,7 +6396,7 @@ index f5afe78..47c5063 100644
##
##
##
-@@ -46,37 +789,60 @@ interface(`gnome_role',`
+@@ -46,37 +789,117 @@ interface(`gnome_role',`
##
##
#
@@ -6420,22 +6458,78 @@ index f5afe78..47c5063 100644
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
+ allow $1 config_home_t:dir list_dir_perms;
++')
++
++########################################
++##
++## Set attributes of gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_setattr_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
++ userdom_search_user_home_dirs($1)
++')
++
++########################################
++##
++## read gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ list_dirs_pattern($1, config_home_t, config_home_t)
++ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
')
--#######################################
-+########################################
+ #######################################
##
-## Create, read, write, and delete gconf config files.
-+## Set attributes of gnome homedir content (.config)
++## delete gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_delete_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ delete_files_pattern($1, config_home_t, config_home_t)
++')
++
++########################################
++##
++## manage gnome homedir content (.config)
##
##
##
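Review bot: `gnome_setattr_home_config` calls `userdom_search_user_home_dirs($1)`, but the sibling interfaces added in this hunk, `gnome_read_home_config` and `gnome_delete_home_config`, do not, and neither does `gnome_manage_home_config` in the later hunk that renames it. If config_home_t presumably lives under the user home directory (the doc comments say "homedir content (.config)"), callers of the read/delete/manage variants must obtain home-dir search from somewhere else; either add `userdom_search_user_home_dirs($1)` to each for consistency with the setattr variant, or state in each doc comment that the caller must grant home-directory search itself. The summaries also mix capitalisation (`read gnome homedir content`, `delete gnome homedir content` next to `Set attributes of gnome homedir content`).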
-@@ -84,37 +850,38 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +907,53 @@ template(`gnome_read_gconf_config',`
##
##
#
-interface(`gnome_manage_gconf_config',`
-+interface(`gnome_setattr_home_config',`
++interface(`gnome_manage_home_config',`
gen_require(`
- type gconf_etc_t;
+ type config_home_t;
@@ -6443,14 +6537,31 @@ index f5afe78..47c5063 100644
- manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
-+ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, config_home_t, config_home_t)
++')
++
++#######################################
++##
++## delete gnome homedir content (.config)
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_delete_home_config_dirs',`
++ gen_require(`
++ type config_home_t;
++ ')
++
++ delete_dirs_pattern($1, config_home_t, config_home_t)
')
########################################
##
-## gconf connection template.
-+## read gnome homedir content (.config)
++## manage gnome homedir content (.config)
##
-##
+##
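Review bot: The doc comment of the new `gnome_delete_home_config_dirs` interface reads `delete gnome homedir content (.config)`, identical to the file-oriented `gnome_delete_home_config`, and the next interface's summary `manage gnome homedir content (.config)` likewise repeats the one used for `gnome_manage_home_config`. Since the `_dirs` variants only grant `delete_dirs_pattern` / `manage_dirs_pattern`, say so: `## Delete gnome homedir config directories (.config)` and `## Manage gnome homedir config directories (.config)`, so a policy author choosing an interface does not grant the wrong object class.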
@@ -6460,7 +6571,7 @@ index f5afe78..47c5063 100644
##
#
-interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_read_home_config',`
++interface(`gnome_manage_home_config_dirs',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
+ type config_home_t;
@@ -6468,60 +6579,59 @@ index f5afe78..47c5063 100644
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
-+ list_dirs_pattern($1, config_home_t, config_home_t)
-+ read_files_pattern($1, config_home_t, config_home_t)
-+ read_lnk_files_pattern($1, config_home_t, config_home_t)
++ manage_dirs_pattern($1, config_home_t, config_home_t)
')
########################################
##
-## Run gconfd in gconfd domain.
-+## manage gnome homedir content (.config)
++## manage gstreamer home content files.
##
##
##
-@@ -122,17 +889,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +961,17 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
-interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_manage_home_config',`
++interface(`gnome_manage_gstreamer_home_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
-+ type config_home_t;
++ type gstreamer_home_t;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+ manage_files_pattern($1, config_home_t, config_home_t)
++ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
')
########################################
##
-## Set attributes of Gnome config dirs.
-+## manage gnome homedir content (.config)
++## Read/Write all inherited gnome home config
##
##
##
-@@ -140,51 +907,335 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +979,299 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
-interface(`gnome_setattr_config_dirs',`
-+interface(`gnome_manage_home_config_dirs',`
++interface(`gnome_rw_inherited_config',`
gen_require(`
- type gnome_home_t;
-+ type config_home_t;
++ attribute gnome_home_type;
')
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
- files_search_home($1)
-+ manage_dirs_pattern($1, config_home_t, config_home_t)
++ allow $1 gnome_home_type:file rw_inherited_file_perms;
')
########################################
##
-## Read gnome homedir content (.config)
-+## manage gstreamer home content files.
++## Send and receive messages from
++## gconf system service over dbus.
##
-##
+##
@@ -6531,22 +6641,25 @@ index f5afe78..47c5063 100644
##
#
-template(`gnome_read_config',`
-+interface(`gnome_manage_gstreamer_home_files',`
++interface(`gnome_dbus_chat_gconfdefault',`
gen_require(`
- type gnome_home_t;
-+ type gstreamer_home_t;
++ type gconfdefaultsm_t;
++ class dbus send_msg;
')
- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
- read_files_pattern($1, gnome_home_t, gnome_home_t)
- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
-+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
++ allow $1 gconfdefaultsm_t:dbus send_msg;
++ allow gconfdefaultsm_t $1:dbus send_msg;
')
########################################
##
-## manage gnome homedir content (.config)
-+## Read/Write all inherited gnome home config
++## Send and receive messages from
++## gkeyringd over dbus.
##
-##
+##
@@ -6556,46 +6669,6 @@ index f5afe78..47c5063 100644
##
#
-interface(`gnome_manage_config',`
-+interface(`gnome_rw_inherited_config',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ allow $1 gnome_home_type:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## gconf system service over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`gnome_dbus_chat_gconfdefault',`
-+ gen_require(`
-+ type gconfdefaultsm_t;
-+ class dbus send_msg;
-+ ')
-+
-+ allow $1 gconfdefaultsm_t:dbus send_msg;
-+ allow gconfdefaultsm_t $1:dbus send_msg;
-+')
-+
-+########################################
-+##
-+## Send and receive messages from
-+## gkeyringd over dbus.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+interface(`gnome_dbus_chat_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
@@ -11539,7 +11612,7 @@ index 3cfb128..d49274d 100644
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..6de0d2d 100644
+index 2533ea0..546f5a5 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -26,12 +26,18 @@ attribute telepathy_executable;
@@ -11676,7 +11749,16 @@ index 2533ea0..6de0d2d 100644
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -246,6 +305,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -228,6 +287,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
+ files_read_etc_files(telepathy_msn_t)
+ files_read_usr_files(telepathy_msn_t)
+
++init_read_state(telepathy_msn_t)
++
+ libs_exec_ldconfig(telepathy_msn_t)
+
+ logging_send_syslog_msg(telepathy_msn_t)
+@@ -246,6 +307,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
@@ -11687,7 +11769,7 @@ index 2533ea0..6de0d2d 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -361,14 +424,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,14 +426,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
allow telepathy_domain self:tcp_socket create_socket_perms;
allow telepathy_domain self:udp_socket create_socket_perms;
@@ -11706,7 +11788,7 @@ index 2533ea0..6de0d2d 100644
miscfiles_read_localization(telepathy_domain)
optional_policy(`
-@@ -376,5 +441,23 @@ optional_policy(`
+@@ -376,5 +443,23 @@ optional_policy(`
')
optional_policy(`
@@ -11742,10 +11824,10 @@ index 0000000..a4be758
+/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
new file mode 100644
-index 0000000..b78aa77
+index 0000000..5554dc9
--- /dev/null
+++ b/policy/modules/apps/thumb.if
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,84 @@
+
+## policy for thumb
+
@@ -11815,6 +11897,7 @@ index 0000000..b78aa77
+interface(`thumb_role',`
+ gen_require(`
+ type thumb_t;
++ class dbus send_msg;
+ ')
+
+ role $1 types thumb_t;
@@ -11823,6 +11906,10 @@ index 0000000..b78aa77
+
+ ps_process_pattern($2, thumb_t)
+ allow $2 thumb_t:process signal;
++ allow thumb_t $2:unix_stream_socket connectto;
++
++ allow $2 thumb_t:dbus send_msg;
++ allow thumb_t $2:dbus send_msg;
+')
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
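Review bot: `allow thumb_t $2:unix_stream_socket connectto;` lets the thumbnailer, a domain that by design parses user-supplied media, connect to any unix stream socket owned by the caller's user domain, and nothing in the hunk records which socket that is for. A why-comment such as `# thumb_t connects to the user's session socket for <purpose>` (with the real peer filled in) would let a later reader judge whether a narrower target type exists. The bidirectional dbus `send_msg` pair below it similarly deserves a word on which service is involved; `thumb_role`'s body starts outside this hunk.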
@@ -11943,7 +12030,7 @@ index e70b0e8..cd83b89 100644
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index ced285a..8895098 100644
+index ced285a..bdfe8dd 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -11983,7 +12070,7 @@ index ced285a..8895098 100644
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -256,3 +248,69 @@ interface(`userhelper_exec',`
+@@ -256,3 +248,87 @@ interface(`userhelper_exec',`
can_exec($1, userhelper_exec_t)
')
@@ -12053,6 +12140,24 @@ index ced285a..8895098 100644
+ xserver_read_xdm_pid($1_consolehelper_t)
+ ')
+')
++
++########################################
++##
++## Execute the consolehelper program in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userhelper_exec_console',`
++ gen_require(`
++ type consolehelper_exec_t;
++ ')
++
++ can_exec($1, consolehelper_exec_t)
++')
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
index 13b2cea..8ce8577 100644
--- a/policy/modules/apps/userhelper.te
@@ -19717,8 +19822,21 @@ index d70e0b3..99ff2ac 100644
+ auditallow can_setbool boolean_type:security setbool;
')
}
+diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
+index 57c4a6a..5e2a7de 100644
+--- a/policy/modules/kernel/storage.fc
++++ b/policy/modules/kernel/storage.fc
+@@ -28,7 +28,7 @@
+ /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
+-/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
++/dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..6b7eabb 100644
+index 1700ef2..850d168 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -19957,16 +20075,16 @@ index 1700ef2..6b7eabb 100644
+ dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
+ dev_filetrans($1, removable_device_t, blk_file, "mcd")
+ dev_filetrans($1, removable_device_t, blk_file, "mcdx")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev0")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev1")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev2")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev3")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev4")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev5")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev6")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev7")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev8")
-+ dev_filetrans($1, removable_device_t, chr_file, "megadev9")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
++ dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk0")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk1")
+ dev_filetrans($1, removable_device_t, blk_file, "mmcblk2")
@@ -20930,7 +21048,7 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..b172ab4 100644
+index 2be17d2..e47e0f0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -21099,7 +21217,7 @@ index 2be17d2..b172ab4 100644
')
optional_policy(`
-@@ -48,10 +179,48 @@ optional_policy(`
+@@ -48,10 +179,52 @@ optional_policy(`
')
optional_policy(`
@@ -21129,6 +21247,10 @@ index 2be17d2..b172ab4 100644
+')
+
+optional_policy(`
++ usbmuxd_stream_connect(staff_t)
++')
++
++optional_policy(`
+ virt_stream_connect(staff_t)
+')
+
@@ -21148,7 +21270,7 @@ index 2be17d2..b172ab4 100644
xserver_role(staff_r, staff_t)
')
-@@ -89,18 +258,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +262,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21167,7 +21289,7 @@ index 2be17d2..b172ab4 100644
java_role(staff_r, staff_t)
')
-@@ -121,10 +282,6 @@ ifndef(`distro_redhat',`
+@@ -121,10 +286,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21178,7 +21300,7 @@ index 2be17d2..b172ab4 100644
pyzor_role(staff_r, staff_t)
')
-@@ -137,10 +294,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +298,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21189,7 +21311,7 @@ index 2be17d2..b172ab4 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +325,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +329,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -22827,10 +22949,10 @@ index 0000000..4163dc5
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..50e49e6 100644
+index e5bfdd4..cd87e46 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,93 @@ role user_r;
+@@ -12,15 +12,97 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -22921,10 +23043,14 @@ index e5bfdd4..50e49e6 100644
+#')
+
+optional_policy(`
++ usbmuxd_stream_connect(user_t)
++')
++
++optional_policy(`
vlock_run(user_t, user_r)
')
-@@ -62,19 +140,11 @@ ifndef(`distro_redhat',`
+@@ -62,19 +144,11 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22945,7 +23071,7 @@ index e5bfdd4..50e49e6 100644
')
optional_policy(`
-@@ -98,10 +168,6 @@ ifndef(`distro_redhat',`
+@@ -98,10 +172,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22956,7 +23082,7 @@ index e5bfdd4..50e49e6 100644
postgresql_role(user_r, user_t)
')
-@@ -118,11 +184,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +188,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22969,7 +23095,7 @@ index e5bfdd4..50e49e6 100644
')
optional_policy(`
-@@ -157,3 +219,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +223,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -29305,7 +29431,7 @@ index 6077339..d10acd2 100644
dev_manage_generic_blk_files(clogd_t)
diff --git a/policy/modules/services/cloudform.fc b/policy/modules/services/cloudform.fc
new file mode 100644
-index 0000000..b5058ac
+index 0000000..f2968f8
--- /dev/null
+++ b/policy/modules/services/cloudform.fc
@@ -0,0 +1,23 @@
@@ -29320,18 +29446,18 @@ index 0000000..b5058ac
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
-+/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0)
-+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
-+
+/var/lib/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_lib_t,s0)
-+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
+
-+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
++/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0)
++/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
+
-+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
+
+
++/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
++/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
new file mode 100644
index 0000000..917f8d4
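Review bot: This fc file gains a `/var/log/deltacloud-core(/.*)?` entry for the new `deltacloudd_log_t`, but no path is labelled `deltacloudd_var_run_t`, the second type introduced by the cloudform.te hunk in this patch, whose rules create files and directories in /var/run via `files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })`. Without a file_contexts entry those objects keep their label only until the next relabel; if the daemon's pid path is known, add it next to the `/var/run/iwhd\.pid` line with `gen_context(system_u:object_r:deltacloudd_var_run_t,s0)`, otherwise note in the .te why the type is declared. Separately, three consecutive empty `+` lines remain before the `/var/run` block; one is enough.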
@@ -29363,12 +29489,11 @@ index 0000000..917f8d4
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..c7ee7dd
+index 0000000..5c0c84f
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,207 @@
+@@ -0,0 +1,223 @@
+policy_module(cloudform, 1.0)
-+
+########################################
+#
+# Declarations
@@ -29381,6 +29506,12 @@ index 0000000..c7ee7dd
+cloudform_domain_template(mongod)
+cloudform_domain_template(thin)
+
++type deltacloudd_log_t;
++logging_log_file(deltacloudd_log_t)
++
++type deltacloudd_var_run_t;
++files_pid_file(deltacloudd_var_run_t)
++
+type deltacloudd_tmp_t;
+files_tmp_file(deltacloudd_tmp_t)
+
@@ -29447,6 +29578,17 @@ index 0000000..c7ee7dd
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
+
++manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
++files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
++
++manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
++logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
++
++kernel_read_system_state(deltacloudd_t)
++
+corecmd_exec_bin(deltacloudd_t)
+
+corenet_tcp_bind_generic_node(deltacloudd_t)
@@ -33930,7 +34072,7 @@ index f706b99..5001351 100644
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..c5244c8 100644
+index f231f17..8cc1f09 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -33993,7 +34135,7 @@ index f231f17..c5244c8 100644
auth_use_nsswitch(devicekit_disk_t)
-@@ -178,33 +188,53 @@ optional_policy(`
+@@ -178,55 +188,84 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -34050,7 +34192,8 @@ index f231f17..c5244c8 100644
domain_read_all_domains_state(devicekit_power_t)
dev_read_input(devicekit_power_t)
-@@ -212,21 +242,29 @@ dev_rw_generic_usb_dev(devicekit_power_t)
++dev_read_urand(devicekit_power_t)
+ dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
@@ -34081,7 +34224,7 @@ index f231f17..c5244c8 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,7 +273,12 @@ optional_policy(`
+@@ -235,7 +274,12 @@ optional_policy(`
')
optional_policy(`
@@ -34094,11 +34237,11 @@ index f231f17..c5244c8 100644
')
optional_policy(`
-@@ -261,14 +304,21 @@ optional_policy(`
+@@ -261,14 +305,21 @@ optional_policy(`
')
optional_policy(`
-+ gnome_read_home_config(devicekit_power_t)
++ gnome_manage_home_config(devicekit_power_t)
+')
+
+optional_policy(`
@@ -34117,7 +34260,7 @@ index f231f17..c5244c8 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
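Review bot: Replacing `gnome_read_home_config(devicekit_power_t)` with `gnome_manage_home_config(devicekit_power_t)` gives a system daemon create/write/delete rights over every user's config_home_t content, not just whatever file it needs, and the hunk records no reason for the widening. If the daemon only updates one well-known file, a dedicated type with a named file transition would keep the rest of the user's .config out of reach; at minimum add a comment such as `# devicekit_power_t writes <file> under ~/.config` naming the concrete need, and cite the motivating denial in the commit message. Which file is actually touched cannot be determined from this hunk.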
-@@ -276,9 +326,30 @@ optional_policy(`
+@@ -276,9 +327,30 @@ optional_policy(`
')
optional_policy(`
@@ -34303,10 +34446,10 @@ index d2d9359..ee10625 100644
diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
new file mode 100644
-index 0000000..c6cbc80
+index 0000000..fdf5675
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.fc
-@@ -0,0 +1,13 @@
+@@ -0,0 +1,15 @@
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
@@ -34320,6 +34463,8 @@ index 0000000..c6cbc80
+
+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
++
++/var/lock/subsys/dirsrv -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if
new file mode 100644
index 0000000..332a1c9
@@ -34462,10 +34607,10 @@ index 0000000..332a1c9
+')
diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
new file mode 100644
-index 0000000..de5951e
+index 0000000..c2ac646
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.te
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,144 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -34481,6 +34626,9 @@ index 0000000..de5951e
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
++type dirsrvadmin_lock_t;
++files_lock_file(dirsrvadmin_lock_t)
++
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
@@ -34545,6 +34693,10 @@ index 0000000..de5951e
+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
+
++
++ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
++ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
++
+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
+ corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
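Review bot: `files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })` carries no filename, so every regular file the CGI script creates in a lock directory becomes `dirsrvadmin_lock_t`, while the file-context entry added in the earlier hunk labels only `/var/lock/subsys/dirsrv`. If `files_lock_filetrans` in this tree accepts a filename argument the way `filetrans_pattern` does elsewhere in this patch, narrowing it to `files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, file, "dirsrv")` keeps the runtime label and the file context consistent; otherwise a comment naming the lock file would at least record the intent. The added rules also leave two consecutive blank lines above them.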
@@ -43624,7 +43776,7 @@ index 256166a..6321a93 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..e5c33d1 100644
+index 343cee3..e261101 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -43869,10 +44021,14 @@ index 343cee3..e5c33d1 100644
')
#######################################
-@@ -680,6 +747,25 @@ interface(`mta_spool_filetrans',`
- filetrans_pattern($1, mail_spool_t, $2, $3)
- ')
+@@ -677,7 +744,26 @@ interface(`mta_spool_filetrans',`
+ ')
+ files_search_spool($1)
+- filetrans_pattern($1, mail_spool_t, $2, $3)
++ filetrans_pattern($1, mail_spool_t, $2, $3, $5)
++')
++
+#######################################
+##
+## Read the mail spool.
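Review bot: `filetrans_pattern($1, mail_spool_t, $2, $3, $5)` passes the fifth macro argument as the filename, but nothing visible gives `mta_spool_filetrans` a fifth parameter, and the new `mta_spool_filetrans_queue` interface in the hunk below passes `$4` for the same purpose. If the interface takes (domain, type, class, filename), `$5` expands to nothing and the name-based transition either silently degrades to an unconditional type_transition or fails to build, depending on how this tree's `filetrans_pattern` treats an empty fifth argument. The line should read `filetrans_pattern($1, mail_spool_t, $2, $3, $4)`, and the interface's parameter documentation, which sits above this hunk, should gain a matching filename entry. The body of `mta_spool_filetrans` begins outside the hunk.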
@@ -43890,11 +44046,9 @@ index 343cee3..e5c33d1 100644
+
+ files_search_spool($1)
+ read_files_pattern($1, mail_spool_t, mail_spool_t)
-+')
-+
+ ')
+
########################################
- ##
- ## Read and write the mail spool.
@@ -697,8 +783,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
@@ -43915,7 +44069,44 @@ index 343cee3..e5c33d1 100644
')
########################################
-@@ -899,3 +985,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -864,6 +950,36 @@ interface(`mta_manage_queue',`
+
+ #######################################
+ ##
++## Create private objects in the
++## mqueue spool directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to be created.
++##
++##
++##
++##
++## The object class of the object being created.
++##
++##
++#
++interface(`mta_spool_filetrans_queue',`
++ gen_require(`
++ type mqueue_spool_t;
++ ')
++
++ files_search_spool($1)
++ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
++')
++
++#######################################
++##
+ ## Read sendmail binary.
+ ##
+ ##
+@@ -899,3 +1015,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -48268,7 +48459,7 @@ index 9759ed8..48a5431 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index 06e217d..ab25c8c 100644
+index 06e217d..48c56f9 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -8,17 +8,21 @@ policy_module(plymouthd, 1.0.1)
@@ -48305,7 +48496,7 @@ index 06e217d..ab25c8c 100644
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +68,26 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,30 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
@@ -48323,6 +48514,10 @@ index 06e217d..ab25c8c 100644
+userdom_read_admin_home_files(plymouthd_t)
+
+optional_policy(`
++ sssd_stream_connect(plymouthd_t)
++')
++
++optional_policy(`
+ xserver_xdm_manage_spool(plymouthd_t)
+ xserver_read_state_xdm(plymouthd_t)
+')
@@ -48332,7 +48527,7 @@ index 06e217d..ab25c8c 100644
########################################
#
# Plymouth private policy
-@@ -74,6 +98,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +102,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
@@ -48340,7 +48535,7 @@ index 06e217d..ab25c8c 100644
domain_use_interactive_fds(plymouth_t)
-@@ -87,7 +112,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +116,7 @@ sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
@@ -59261,10 +59456,18 @@ index 941380a..ce8c972 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..bd55865 100644
+index 8ffa257..5c32a99 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
-@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
+@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
+
+ type sssd_var_lib_t;
+ files_type(sssd_var_lib_t)
++mls_trusted_object(sssd_var_lib_t)
+
+ type sssd_var_log_t;
+ logging_log_file(sssd_var_log_t)
+@@ -28,9 +29,11 @@ files_pid_file(sssd_var_run_t)
#
# sssd local policy
#
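Review bot: `mls_trusted_object(sssd_var_lib_t)` is added without a comment saying which cross-level access it is meant to enable, and the hunk below does the same for the process type with `mls_trusted_object(sssd_t)` plus `mls_socket_read_to_clearance`/`mls_socket_write_to_clearance`. In the reference policy MLS constraints the `mlstrustedobject` attribute exempts an object from the sensitivity dominance checks, so after this change a domain at any level can read and write sssd's lib content and sockets (the interface bodies are not visible here, so confirm against this tree's constraint files). A one-line why-comment such as `# sssd answers lookups for clients at every MLS level, so its lib dir and sockets are exempt from the sensitivity checks` (adjusted to the real reason) would let a later reviewer judge whether the exemption can be narrowed to the socket or to specific files.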
@@ -59278,7 +59481,7 @@ index 8ffa257..bd55865 100644
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
-@@ -38,8 +40,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+@@ -38,8 +41,9 @@ manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
@@ -59289,7 +59492,7 @@ index 8ffa257..bd55865 100644
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,11 +51,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,11 +52,16 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -59306,7 +59509,7 @@ index 8ffa257..bd55865 100644
domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
-@@ -60,6 +68,7 @@ domain_obj_id_change_exemption(sssd_t)
+@@ -60,6 +69,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
@@ -59314,16 +59517,20 @@ index 8ffa257..bd55865 100644
fs_list_inotifyfs(sssd_t)
-@@ -69,7 +78,7 @@ seutil_read_file_contexts(sssd_t)
+@@ -68,8 +78,11 @@ selinux_validate_context(sssd_t)
+ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
++mls_socket_read_to_clearance(sssd_t)
++mls_socket_write_to_clearance(sssd_t)
++mls_trusted_object(sssd_t)
-auth_use_nsswitch(sssd_t)
+# auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -79,6 +88,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +92,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
@@ -59336,7 +59543,7 @@ index 8ffa257..bd55865 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +102,28 @@ optional_policy(`
+@@ -87,4 +106,28 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -60758,7 +60965,7 @@ index 2124b6a..49c15d1 100644
+# support for nova-stack
+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..d711fd5 100644
+index 7c5d8d8..fc6beb9 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,39 +13,44 @@
@@ -61025,7 +61232,15 @@ index 7c5d8d8..d711fd5 100644
##
#
interface(`virt_append_log',`
-@@ -424,6 +520,24 @@ interface(`virt_read_images',`
+@@ -408,6 +504,7 @@ interface(`virt_read_images',`
+ read_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
++ read_chr_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_list_nfs($1)
+@@ -424,6 +521,24 @@ interface(`virt_read_images',`
########################################
##
@@ -61050,7 +61265,7 @@ index 7c5d8d8..d711fd5 100644
## Create, read, write, and delete
## svirt cache files.
##
-@@ -433,15 +547,15 @@ interface(`virt_read_images',`
+@@ -433,15 +548,15 @@ interface(`virt_read_images',`
##
##
#
@@ -61071,7 +61286,15 @@ index 7c5d8d8..d711fd5 100644
')
########################################
-@@ -500,11 +614,16 @@ interface(`virt_manage_images',`
+@@ -466,6 +581,7 @@ interface(`virt_manage_images',`
+ manage_files_pattern($1, virt_image_type, virt_image_type)
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
++ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+@@ -500,11 +616,16 @@ interface(`virt_manage_images',`
interface(`virt_admin',`
gen_require(`
type virtd_t, virtd_initrc_exec_t;
@@ -61088,7 +61311,7 @@ index 7c5d8d8..d711fd5 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 virtd_initrc_exec_t system_r;
-@@ -515,4 +634,213 @@ interface(`virt_admin',`
+@@ -515,4 +636,213 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -61303,7 +61526,7 @@ index 7c5d8d8..d711fd5 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..f6d46db 100644
+index 3eca020..f9a032d 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@@ -61597,7 +61820,7 @@ index 3eca020..f6d46db 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +291,17 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +291,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -61608,6 +61831,7 @@ index 3eca020..f6d46db 100644
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
++allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
+allow virtd_t virt_ptynode:chr_file rw_term_perms;
+
+manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
@@ -61617,7 +61841,7 @@ index 3eca020..f6d46db 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +317,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +318,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -61633,7 +61857,7 @@ index 3eca020..f6d46db 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +345,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +346,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -61666,7 +61890,7 @@ index 3eca020..f6d46db 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +377,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +378,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -61685,14 +61909,14 @@ index 3eca020..f6d46db 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +412,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +413,30 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-
-+selinux_validate_context(virtd_t)
+
++selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -61716,7 +61940,7 @@ index 3eca020..f6d46db 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +454,10 @@ optional_policy(`
+@@ -313,6 +455,10 @@ optional_policy(`
')
optional_policy(`
@@ -61727,7 +61951,7 @@ index 3eca020..f6d46db 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,16 +474,23 @@ optional_policy(`
+@@ -329,16 +475,23 @@ optional_policy(`
')
optional_policy(`
@@ -61751,7 +61975,7 @@ index 3eca020..f6d46db 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -360,11 +512,12 @@ optional_policy(`
+@@ -360,11 +513,11 @@ optional_policy(`
')
optional_policy(`
@@ -61760,8 +61984,7 @@ index 3eca020..f6d46db 100644
- qemu_signal(virtd_t)
- qemu_kill(virtd_t)
- qemu_setsched(virtd_t)
-+ qemu_entry_type(virt_domain)
-+ qemu_exec(virt_domain)
++ qemu_exec(virtd_t)
+')
+
+optional_policy(`
@@ -61835,7 +62058,7 @@ index 3eca020..f6d46db 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,25 +612,362 @@ files_search_all(virt_domain)
+@@ -440,25 +612,367 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -61843,12 +62066,12 @@ index 3eca020..f6d46db 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -61873,6 +62096,11 @@ index 3eca020..f6d46db 100644
+')
+
+optional_policy(`
++ qemu_entry_type(virt_domain)
++ qemu_exec(virt_domain)
++')
++
++optional_policy(`
virt_read_config(virt_domain)
virt_read_lib_files(virt_domain)
virt_read_content(virt_domain)
@@ -67280,7 +67508,7 @@ index 94fd8dd..b5e5c70 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..77fb967 100644
+index 29a9565..cbf2f02 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -67412,7 +67640,16 @@ index 29a9565..77fb967 100644
files_etc_filetrans_etc_runtime(init_t, file)
# Run /etc/X11/prefdm:
files_exec_etc_files(init_t)
-@@ -151,10 +199,19 @@ mls_file_read_all_levels(init_t)
+@@ -144,6 +192,8 @@ fs_list_inotifyfs(init_t)
+ # cjp: this may be related to /dev/log
+ fs_write_ramfs_sockets(init_t)
+
++mcs_file_read_all(init_t)
++mcs_file_write_all(init_t)
+ mcs_process_set_categories(init_t)
+ mcs_killall(init_t)
+
+@@ -151,10 +201,19 @@ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -67433,7 +67670,7 @@ index 29a9565..77fb967 100644
# Run init scripts.
init_domtrans_script(init_t)
-@@ -162,23 +219,29 @@ init_domtrans_script(init_t)
+@@ -162,23 +221,29 @@ init_domtrans_script(init_t)
libs_rw_ld_so_cache(init_t)
logging_send_syslog_msg(init_t)
@@ -67464,7 +67701,7 @@ index 29a9565..77fb967 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +249,138 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +251,138 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -67605,7 +67842,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -203,6 +388,17 @@ optional_policy(`
+@@ -203,6 +390,17 @@ optional_policy(`
')
optional_policy(`
@@ -67623,7 +67860,7 @@ index 29a9565..77fb967 100644
unconfined_domain(init_t)
')
-@@ -212,7 +408,7 @@ optional_policy(`
+@@ -212,7 +410,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -67632,7 +67869,7 @@ index 29a9565..77fb967 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +437,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +439,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -67648,7 +67885,7 @@ index 29a9565..77fb967 100644
init_write_initctl(initrc_t)
-@@ -258,20 +457,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +459,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -67685,7 +67922,7 @@ index 29a9565..77fb967 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +490,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +492,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -67693,7 +67930,7 @@ index 29a9565..77fb967 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +501,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +503,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -67704,7 +67941,7 @@ index 29a9565..77fb967 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +512,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +514,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -67720,7 +67957,7 @@ index 29a9565..77fb967 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +532,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -67728,7 +67965,7 @@ index 29a9565..77fb967 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +540,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -67740,7 +67977,7 @@ index 29a9565..77fb967 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +557,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +559,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -67754,7 +67991,7 @@ index 29a9565..77fb967 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +572,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,8 +574,12 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -67762,8 +67999,12 @@ index 29a9565..77fb967 100644
+fs_getattr_nfsd_files(initrc_t)
# initrc_t needs to do a pidof which requires ptrace
++mcs_file_read_all(initrc_t)
++mcs_file_write_all(initrc_t)
mcs_ptrace_all(initrc_t)
-@@ -363,6 +586,7 @@ mls_process_read_up(initrc_t)
+ mcs_killall(initrc_t)
+ mcs_process_set_categories(initrc_t)
+@@ -363,6 +590,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
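Review bot: `mcs_file_read_all(initrc_t)` and `mcs_file_write_all(initrc_t)` are inserted between the comment `# initrc_t needs to do a pidof which requires ptrace` and the `mcs_ptrace_all(initrc_t)` line that comment explains, so the comment now reads as if it justified the MCS file exemptions. Move the two new lines above the comment (or below `mcs_ptrace_all`) and give them their own why-comment, since together they exempt init scripts from the MCS category checks on every file; the same pair is added for `init_t` in the hunk further up, where a matching comment would help too.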
@@ -67771,7 +68012,7 @@ index 29a9565..77fb967 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +598,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +602,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -67779,7 +68020,7 @@ index 29a9565..77fb967 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +619,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +623,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -67801,7 +68042,7 @@ index 29a9565..77fb967 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +682,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +686,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -67812,7 +68053,7 @@ index 29a9565..77fb967 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +706,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +710,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -67821,7 +68062,7 @@ index 29a9565..77fb967 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +721,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +725,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -67829,7 +68070,7 @@ index 29a9565..77fb967 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +751,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +755,34 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -67848,6 +68089,7 @@ index 29a9565..77fb967 100644
+
+ optional_policy(`
+ dirsrvadmin_read_config(initrc_t)
++ dirsrv_manage_var_run(initrc_t)
+ ')
+
+ optional_policy(`
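Review bot: `dirsrv_manage_var_run(initrc_t)` is placed inside the `optional_policy` block that already holds `dirsrvadmin_read_config(initrc_t)`, yet the two interfaces come from different modules (`dirsrv` and `dirsrvadmin`). An `optional_policy` block is dropped as a whole when any interface it references is unavailable, so if one of the two modules is absent the rule for the other one silently disappears with it. Wrap the new call in its own `optional_policy` block next to the existing one so each module's rule stands on its own.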
@@ -67863,7 +68105,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -531,10 +785,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +790,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -67886,7 +68128,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -549,6 +815,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +820,39 @@ ifdef(`distro_suse',`
')
')
@@ -67926,7 +68168,7 @@ index 29a9565..77fb967 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +860,8 @@ optional_policy(`
+@@ -561,6 +865,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -67935,7 +68177,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -577,6 +878,7 @@ optional_policy(`
+@@ -577,6 +883,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -67943,7 +68185,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -589,6 +891,17 @@ optional_policy(`
+@@ -589,6 +896,17 @@ optional_policy(`
')
optional_policy(`
@@ -67961,7 +68203,7 @@ index 29a9565..77fb967 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +918,13 @@ optional_policy(`
+@@ -605,9 +923,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -67975,7 +68217,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -632,6 +949,10 @@ optional_policy(`
+@@ -632,6 +954,10 @@ optional_policy(`
')
optional_policy(`
@@ -67986,7 +68228,7 @@ index 29a9565..77fb967 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -649,6 +970,11 @@ optional_policy(`
+@@ -649,6 +975,11 @@ optional_policy(`
')
optional_policy(`
@@ -67998,7 +68240,7 @@ index 29a9565..77fb967 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1015,7 @@ optional_policy(`
+@@ -689,6 +1020,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -68006,7 +68248,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -706,7 +1033,13 @@ optional_policy(`
+@@ -706,7 +1038,13 @@ optional_policy(`
')
optional_policy(`
@@ -68020,7 +68262,7 @@ index 29a9565..77fb967 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1062,10 @@ optional_policy(`
+@@ -729,6 +1067,10 @@ optional_policy(`
')
optional_policy(`
@@ -68031,7 +68273,7 @@ index 29a9565..77fb967 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1075,20 @@ optional_policy(`
+@@ -738,10 +1080,20 @@ optional_policy(`
')
optional_policy(`
@@ -68052,7 +68294,7 @@ index 29a9565..77fb967 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1097,10 @@ optional_policy(`
+@@ -750,6 +1102,10 @@ optional_policy(`
')
optional_policy(`
@@ -68063,7 +68305,7 @@ index 29a9565..77fb967 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1122,6 @@ optional_policy(`
+@@ -771,8 +1127,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -68072,7 +68314,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -790,10 +1139,12 @@ optional_policy(`
+@@ -790,10 +1144,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -68085,7 +68327,7 @@ index 29a9565..77fb967 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1156,6 @@ optional_policy(`
+@@ -805,7 +1161,6 @@ optional_policy(`
')
optional_policy(`
@@ -68093,7 +68335,7 @@ index 29a9565..77fb967 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1165,26 @@ optional_policy(`
+@@ -815,11 +1170,26 @@ optional_policy(`
')
optional_policy(`
@@ -68121,7 +68363,7 @@ index 29a9565..77fb967 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1194,25 @@ optional_policy(`
+@@ -829,6 +1199,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -68147,7 +68389,7 @@ index 29a9565..77fb967 100644
')
optional_policy(`
-@@ -844,6 +1228,10 @@ optional_policy(`
+@@ -844,6 +1233,10 @@ optional_policy(`
')
optional_policy(`
@@ -68158,7 +68400,7 @@ index 29a9565..77fb967 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1242,160 @@ optional_policy(`
+@@ -854,3 +1247,160 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -71090,7 +71332,7 @@ index 8b5c196..da41726 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..b9e7b60 100644
+index 15832c7..4930474 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,17 +17,29 @@ type mount_exec_t;
@@ -71356,7 +71598,7 @@ index 15832c7..b9e7b60 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,21 +275,83 @@ optional_policy(`
+@@ -188,21 +275,87 @@ optional_policy(`
')
')
@@ -71407,6 +71649,10 @@ index 15832c7..b9e7b60 100644
')
+
+optional_policy(`
++ userhelper_exec_console(mount_t)
++')
++
++optional_policy(`
+ virt_read_blk_images(mount_t)
+')
+
@@ -73709,10 +73955,10 @@ index 0000000..5571350
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..84e0e66
+index 0000000..ff3ce3f
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,371 @@
+@@ -0,0 +1,377 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -73974,10 +74220,10 @@ index 0000000..84e0e66
+
+ifdef(`distro_redhat',`
+ userdom_list_user_home_content(systemd_tmpfiles_t)
-+ userdom_delete_user_home_content_dirs(systemd_tmpfiles_t)
-+ userdom_delete_user_home_content_files(systemd_tmpfiles_t)
-+ userdom_delete_user_home_content_sock_files(systemd_tmpfiles_t)
-+ userdom_delete_user_home_content_symlinks(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_dirs(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_files(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_sock_files(systemd_tmpfiles_t)
++ userdom_delete_all_user_home_content_symlinks(systemd_tmpfiles_t)
+')
+
+optional_policy(`
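Review bot: the switch from `userdom_delete_user_home_content_*` to `userdom_delete_all_user_home_content_*` presumably widens `systemd_tmpfiles_t` from the generic home-content type to every type carrying the user-home-content attribute (the interface bodies are not visible), and nothing in the hunk says which path needs that. The `# we have /run/user/$USER/dconf` comment in the following hunk hints that per-user runtime directories are the reason. A comment above the four calls such as `# tmpfiles ages out per-user content under /run/user, which is labeled like home content` (corrected to the actual cause) would let a reader judge whether a narrower delete interface would do, since this block lets a system service remove files of every user home content type.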
@@ -73994,6 +74240,12 @@ index 0000000..84e0e66
+')
+
+optional_policy(`
++ # we have /run/user/$USER/dconf
++ gnome_delete_home_config(systemd_tmpfiles_t)
++ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
++')
++
++optional_policy(`
+ rpm_read_db(systemd_tmpfiles_t)
+ rpm_delete_db(systemd_tmpfiles_t)
+')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ca8820e..3c15438 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 53%{?dist}
+Release: 54%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Nov 4 2011 Miroslav Grepl 3.10.0-54
+- MCS fixes
+- quota fixes
+
* Tue Nov 1 2011 Miroslav Grepl 3.10.0-53
- Make nvidia* to be labeled correctly
- Fix abrt_manage_cache() interface