diff --git a/policy-F15.patch b/policy-F15.patch
index 8871ef6..cc26057 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -208,6 +208,32 @@ index af90ef2..7534872 100644
 +	(( h1 dom h2 ) or ( t1 == mcsnetwrite ));
 +
  ') dnl end enable_mcs
+diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if
+index e66c296..61f738b 100644
+--- a/policy/modules/admin/acct.if
++++ b/policy/modules/admin/acct.if
+@@ -78,3 +78,21 @@ interface(`acct_manage_data',`
+ 	manage_files_pattern($1, acct_data_t, acct_data_t)
+ 	manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
+ ')
++
++########################################
++## <summary>
++##	Dontaudit Attempts to list acct_data directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`acct_dontaudit_list_data',`
++	gen_require(`
++		type acct_data_t;
++	')
++
++	dontaudit $1 acct_data_t:dir list_dir_perms;	
++')
 diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
 index 90d5203..1392679 100644
 --- a/policy/modules/admin/alsa.if
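Review bot: The rule line of the new acct_dontaudit_list_data interface, `dontaudit $1 acct_data_t:dir list_dir_perms;`, carries a trailing tab after the semicolon; drop it, since refpolicy's whitespace checks flag it and it will show up as noise in every later diff of this block. The summary `Dontaudit Attempts to list acct_data directory` would read better in the house phrasing as `Do not audit attempts to list the acct_data directory`. Both are cosmetic; the rule itself only suppresses denials and grants nothing.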
@@ -1034,9 +1060,18 @@ index c633aea..b773bc3 100644
  type portage_cache_t;
  files_type(portage_cache_t)
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..7d2fcff 100644
+index af55369..bc4ae6d 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
+@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
+ # Local policy
+ #
+ 
+-allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
++allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
+ allow prelink_t self:process { execheap execmem execstack signal };
+ allow prelink_t self:fifo_file rw_fifo_file_perms;
+ 
 @@ -59,10 +59,11 @@ manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
  relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
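Review bot: `setfcap` is added to prelink_t's self:capability set without a comment, and setfcap is the capability that lets a domain write file capabilities onto executables it can write, so it deserves a one-line why. Presumably prelink needs it to preserve capability xattrs on the binaries it rewrites — confirm against the denial this addresses — and say so in the .te: `# setfcap: keep file capabilities on binaries prelink rewrites`. If the capability is only lost on a few specific binaries a narrower fix would be preferable to a blanket grant, but nothing in the hunk shows that.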
@@ -5074,10 +5109,10 @@ index 0000000..4f9cb05
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..7b483f3
+index 0000000..aedbcbe
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,314 @@
+@@ -0,0 +1,315 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -5187,6 +5222,7 @@ index 0000000..7b483f3
 +
 +domain_dontaudit_read_all_domains_state(nsplugin_t)
 +
++dev_read_urand(nsplugin_t)
 +dev_read_rand(nsplugin_t)
 +dev_read_sound(nsplugin_t)
 +dev_write_sound(nsplugin_t)
@@ -5816,7 +5852,7 @@ index c1d5f50..989f88c 100644
 +
 +
 diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 5ef2f7d..5a13201 100644
+index 5ef2f7d..d5ed1df 100644
 --- a/policy/modules/apps/qemu.te
 +++ b/policy/modules/apps/qemu.te
 @@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true)
@@ -5828,7 +5864,15 @@ index 5ef2f7d..5a13201 100644
  ## </p>
  ## </desc>
  gen_tunable(qemu_use_comm, false)
-@@ -90,7 +90,9 @@ tunable_policy(`qemu_use_usb',`
+@@ -55,6 +55,7 @@ storage_raw_read_removable_device(qemu_t)
+ 
+ userdom_search_user_home_content(qemu_t)
+ userdom_read_user_tmpfs_files(qemu_t)
++userdom_stream_connect(qemu_t)
+ 
+ tunable_policy(`qemu_full_network',`
+ 	allow qemu_t self:udp_socket create_socket_perms;
+@@ -90,7 +91,9 @@ tunable_policy(`qemu_use_usb',`
  ')
  
  optional_policy(`
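Review bot: `userdom_stream_connect(qemu_t)` presumably grants the confined qemu domain connectto on the stream sockets of user domains in general, and the hunk gives no hint which socket qemu actually needs. A comment naming the consumer would let a later reviewer judge whether a narrower interface exists, for example `# qemu needs the invoking user's session socket — name it here`. The call sits in the unconditional part of qemu.te, ahead of the `qemu_full_network` tunable block, so it applies regardless of any tunable.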
@@ -5839,7 +5883,7 @@ index 5ef2f7d..5a13201 100644
  ')
  
  optional_policy(`
-@@ -102,6 +104,10 @@ optional_policy(`
+@@ -102,6 +105,10 @@ optional_policy(`
  	xen_rw_image_files(qemu_t)
  ')
  
@@ -5850,7 +5894,7 @@ index 5ef2f7d..5a13201 100644
  ########################################
  #
  # Unconfined qemu local policy
-@@ -112,6 +118,8 @@ optional_policy(`
+@@ -112,6 +119,8 @@ optional_policy(`
  	typealias unconfined_qemu_t alias qemu_unconfined_t;
  	application_type(unconfined_qemu_t)
  	unconfined_domain(unconfined_qemu_t)
@@ -7104,10 +7148,10 @@ index 0000000..46368cc
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
 new file mode 100644
-index 0000000..7d62b71
+index 0000000..2ace399
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,333 @@
+@@ -0,0 +1,328 @@
 +
 +policy_module(telepathy, 1.0.0)
 +
@@ -7180,8 +7224,6 @@ index 0000000..7d62b71
 +corecmd_exec_shell(telepathy_msn_t)
 +corecmd_read_bin_symlinks(telepathy_msn_t)
 +
-+dev_read_urand(telepathy_msn_t)
-+
 +files_read_etc_files(telepathy_msn_t)
 +files_read_usr_files(telepathy_msn_t)
 +
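Review bot: Removing `dev_read_urand` from telepathy_msn_t here, and from telepathy_gabble_t, telepathy_salut_t, telepathy_sofiasip_t and telepathy_sunshine_t in the following telepathy hunks, is only a pure consolidation if each of those types carries the telepathy_domain attribute that receives `dev_read_urand(telepathy_domain)` in the last telepathy hunk; the attribute assignments are outside the shown hunks, so please confirm before merging. telepathy_idle_t additionally gains `dev_read_rand`, which none of the other connection managers had — if /dev/random is really meant rather than urand, a comment would help. A one-line note at the attribute grant such as `# shared by every telepathy_domain connection manager` would document the intent.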
@@ -7239,7 +7281,6 @@ index 0000000..7d62b71
 +corenet_tcp_connect_vnc_port(telepathy_gabble_t)
 +
 +dev_read_rand(telepathy_gabble_t)
-+dev_read_urand(telepathy_gabble_t)
 +
 +files_read_config_files(telepathy_gabble_t)
 +files_read_usr_files(telepathy_gabble_t)
@@ -7276,6 +7317,8 @@ index 0000000..7d62b71
 +corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
 +corenet_tcp_connect_ircd_port(telepathy_idle_t)
 +
++dev_read_rand(telepathy_idle_t)
++
 +files_read_etc_files(telepathy_idle_t)
 +
 +sysnet_read_config(telepathy_idle_t)
@@ -7334,8 +7377,6 @@ index 0000000..7d62b71
 +corenet_tcp_bind_presence_port(telepathy_salut_t)
 +corenet_tcp_connect_presence_port(telepathy_salut_t)
 +
-+dev_read_urand(telepathy_salut_t)
-+
 +files_read_etc_files(telepathy_salut_t)
 +
 +sysnet_read_config(telepathy_salut_t)
@@ -7360,8 +7401,6 @@ index 0000000..7d62b71
 +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
 +corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
 +
-+dev_read_urand(telepathy_sofiasip_t)
-+
 +kernel_request_load_module(telepathy_sofiasip_t)
 +
 +sysnet_read_config(telepathy_sofiasip_t)
@@ -7381,8 +7420,6 @@ index 0000000..7d62b71
 +
 +corecmd_exec_bin(telepathy_sunshine_t)
 +
-+dev_read_urand(telepathy_sunshine_t)
-+
 +files_read_etc_files(telepathy_sunshine_t)
 +files_read_usr_files(telepathy_sunshine_t)
 +
@@ -7411,6 +7448,8 @@ index 0000000..7d62b71
 +corenet_tcp_sendrecv_generic_node(telepathy_domain)
 +corenet_udp_bind_generic_node(telepathy_domain)
 +
++dev_read_urand(telepathy_domain)
++
 +kernel_read_system_state(telepathy_domain)
 +
 +fs_search_auto_mountpoints(telepathy_domain)
@@ -7807,7 +7846,7 @@ index 82842a0..4111a1d 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..6e68bd2 100644
+index 34c9d01..93e0ee8 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -7848,6 +7887,14 @@ index 34c9d01..6e68bd2 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
+@@ -319,6 +324,7 @@ ifdef(`distro_redhat', `
+ /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/kde4/apps/kajongg/kajongg.py --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
 index 9e9263a..24018ce 100644
 --- a/policy/modules/kernel/corecommands.if
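Review bot: The new file context `/usr/share/kde4/apps/kajongg/kajongg.py --` leaves the dot unescaped, so the regex also matches any single character in that position; the neighbouring entries (`pydict\.py`, `applet\.py`) escape it. Change the line to `/usr/share/kde4/apps/kajongg/kajongg\.py --	gen_context(system_u:object_r:bin_t,s0)`.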
@@ -8913,7 +8960,7 @@ index 3517db2..4dd4bef 100644
 +
 +/usr/lib/debug			<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ed203b2..bfb7926 100644
+index ed203b2..7825dd2 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -9066,7 +9113,39 @@ index ed203b2..bfb7926 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2623,6 +2730,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2583,6 +2690,31 @@ interface(`files_create_boot_flag',`
+ 
+ ########################################
+ ## <summary>
++##	Delete a boot flag.
++## </summary>
++## <desc>
++##	<p>
++##	Delete a boot flag, such as
++##	/.autorelabel and /.autofsck.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_delete_boot_flag',`
++	gen_require(`
++		type root_t, etc_runtime_t;
++	')
++
++	delete_files_pattern($1, root_t, etc_runtime_t)
++')
++
++########################################
++## <summary>
+ ##	Read files in /etc that are dynamically
+ ##	created on boot, such as mtab.
+ ## </summary>
+@@ -2623,6 +2755,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -9091,7 +9170,7 @@ index ed203b2..bfb7926 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -3104,6 +3229,7 @@ interface(`files_getattr_home_dir',`
+@@ -3104,6 +3254,7 @@ interface(`files_getattr_home_dir',`
  	')
  
  	allow $1 home_root_t:dir getattr;
@@ -9099,7 +9178,7 @@ index ed203b2..bfb7926 100644
  ')
  
  ########################################
-@@ -3124,6 +3250,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3124,6 +3275,7 @@ interface(`files_dontaudit_getattr_home_dir',`
  	')
  
  	dontaudit $1 home_root_t:dir getattr;
@@ -9107,7 +9186,7 @@ index ed203b2..bfb7926 100644
  ')
  
  ########################################
-@@ -3365,6 +3492,24 @@ interface(`files_list_mnt',`
+@@ -3365,6 +3517,24 @@ interface(`files_list_mnt',`
  	allow $1 mnt_t:dir list_dir_perms;
  ')
  
@@ -9132,7 +9211,7 @@ index ed203b2..bfb7926 100644
  ########################################
  ## <summary>
  ##	Mount a filesystem on /mnt.
-@@ -3438,6 +3583,24 @@ interface(`files_read_mnt_files',`
+@@ -3438,6 +3608,24 @@ interface(`files_read_mnt_files',`
  	read_files_pattern($1, mnt_t, mnt_t)
  ')
  
@@ -9157,7 +9236,7 @@ index ed203b2..bfb7926 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -3729,6 +3892,100 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3917,100 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -9258,7 +9337,7 @@ index ed203b2..bfb7926 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3914,6 +4171,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,6 +4196,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -9291,29 +9370,184 @@ index ed203b2..bfb7926 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3968,6 +4251,84 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4276,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
+-##	Set the attributes of all tmp directories.
 +##	Relabel a dir from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3976,17 +4284,17 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
 +interface(`files_relabelfrom_tmp_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute tmpfile;
 +		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
++	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List all tmp directories.
++##	Relabel a file from the type used in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3994,74 +4302,77 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_relabelfrom_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
++	relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
++##	Relabel all tmp dirs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ 	gen_require(`
+ 		attribute tmpfile;
++		type var_t;
+ 	')
+ 
+-	dontaudit $1 tmpfile:file getattr;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
++##	Relabel all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_files',`
+ 	gen_require(`
+ 		attribute tmpfile;
++		type var_t;
+ 	')
+ 
+-	allow $1 tmpfile:file getattr;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp sock_file.
++##	Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_setattr_all_tmp_dirs',`
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 tmpfile:sock_file getattr;
++	allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all tmp files.
++##	List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4069,36 +4380,111 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_tmp_files',`
++interface(`files_list_all_tmp',`
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	read_files_pattern($1, tmpfile, tmpfile)
++	allow $1 tmpfile:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the tmp directories, with a private
+-##	type using a type transition.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
++##	Domain not to audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
++	gen_require(`
++		attribute tmpfile;
 +	')
 +
-+	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmpfile:file getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel a file from the type used in /tmp.
++##	Allow attempts to get the attributes
++##	of all tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
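Review bot: The rewritten inner hunk for files.if now expresses the insertion of the four tmp relabel interfaces as in-place edits of existing ones (`-interface(`files_setattr_all_tmp_dirs',` / `+interface(`files_relabelfrom_tmp_dirs',`, `-		attribute tmpfile;` / `+		type tmp_t;`, and so on through the following hunk), which reads as if existing interfaces changed meaning when the end state appears to only add new ones and shift the rest down. The previous shape of the patch, one `+` block ahead of `files_setattr_all_tmp_dirs`, was far easier to audit for accidental permission changes, which matters for interfaces that grant relabel over the whole tmpfile attribute. Regenerating this part with a patience or minimal diff algorithm would restore that shape. I have not verified every moved line, so this is a readability concern, not a claimed semantic change.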
@@ -9321,62 +9555,77 @@ index ed203b2..bfb7926 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_getattr_all_tmp_files',`
 +	gen_require(`
-+		type tmp_t;
++		attribute tmpfile;
 +	')
 +
-+	relabelfrom_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmpfile:file getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel all tmp dirs.
++##	Do not audit attempts to get the attributes
++##	of all tmp sock_file.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain not to audit.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
 +	gen_require(`
 +		attribute tmpfile;
-+		type var_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	dontaudit $1 tmpfile:sock_file getattr;
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel all tmp files.
++##	Read all tmp files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
-+interface(`files_relabel_all_tmp_files',`
++interface(`files_read_all_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
-+		type var_t;
 +	')
 +
-+	allow $1 var_t:dir search_dir_perms;
-+	relabel_files_pattern($1, tmpfile, tmpfile)
++	read_files_pattern($1, tmpfile, tmpfile)
 +')
 +
 +########################################
 +## <summary>
- ##	Set the attributes of all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4127,6 +4488,13 @@ interface(`files_purge_tmp',`
++##	Create an object in the tmp directories, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_tmp_filetrans',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+@@ -4127,6 +4513,13 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -9390,79 +9639,32 @@ index ed203b2..bfb7926 100644
  ')
  
  ########################################
-@@ -4736,7 +5104,7 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5129,24 @@ interface(`files_read_var_files',`
  
  ########################################
  ## <summary>
--##	Read and write files in the /var directory.
 +##	Append files in the /var directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -4744,36 +5112,54 @@ interface(`files_read_var_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_rw_var_files',`
-+interface(`files_append_var_files',`
- 	gen_require(`
- 		type var_t;
- 	')
- 
--	rw_files_pattern($1, var_t, var_t)
-+	append_files_pattern($1, var_t, var_t)
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read and write
--##	files in the /var directory.
-+##	Read and write files in the /var directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_rw_var_files',`
-+interface(`files_rw_var_files',`
- 	gen_require(`
- 		type var_t;
- 	')
- 
--	dontaudit $1 var_t:file rw_file_perms;
-+	rw_files_pattern($1, var_t, var_t)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete files in the /var directory.
-+##	Do not audit attempts to read and write
-+##	files in the /var directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_rw_var_files',`
++interface(`files_append_var_files',`
 +	gen_require(`
 +		type var_t;
 +	')
 +
-+	dontaudit $1 var_t:file rw_file_perms;
++	append_files_pattern($1, var_t, var_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete files in the /var directory.
+ ##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -5071,6 +5457,24 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5482,24 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -9487,7 +9689,7 @@ index ed203b2..bfb7926 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5156,12 +5560,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5585,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -9504,7 +9706,7 @@ index ed203b2..bfb7926 100644
  ')
  
  ########################################
-@@ -5207,6 +5611,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5636,27 @@ interface(`files_delete_all_locks',`
  
  ########################################
  ## <summary>
@@ -9532,7 +9734,7 @@ index ed203b2..bfb7926 100644
  ##	Read all lock files.
  ## </summary>
  ## <param name="domain">
-@@ -5335,6 +5760,43 @@ interface(`files_search_pids',`
+@@ -5335,6 +5785,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -9576,7 +9778,7 @@ index ed203b2..bfb7926 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5542,6 +6004,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6029,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -9639,7 +9841,7 @@ index ed203b2..bfb7926 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5559,6 +6077,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6102,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -9684,7 +9886,7 @@ index ed203b2..bfb7926 100644
  ')
  
  ########################################
-@@ -5844,3 +6400,247 @@ interface(`files_unconfined',`
+@@ -5844,3 +6425,247 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -11232,7 +11434,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..96d3fbf 100644
+index 2be17d2..faaf889 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -11284,7 +11486,7 @@ index 2be17d2..96d3fbf 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,25 +63,104 @@ optional_policy(`
+@@ -27,25 +63,108 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -11322,6 +11524,10 @@ index 2be17d2..96d3fbf 100644
 +')
 +
 +optional_policy(`
++	mysql_exec(staff_t)
++')
++
++optional_policy(`
  	postgresql_role(staff_r, staff_t)
  ')
  
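Review bot: `mysql_exec(staff_t)` lets staff_t run the mysqld binary in its own domain with no transition to mysqld_t, so a server started this way runs with staff's permissions and none of mysqld_t's confinement. If the intent is to let staff users launch a server, `mysql_domtrans` (already present in mysql.if) keeps it confined; if the intent is client-side tooling that shares the mysqld_exec_t label, a comment saying so would stop the next reader from "fixing" it. Either way the call merits a one-line why next to it.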
@@ -11391,7 +11597,7 @@ index 2be17d2..96d3fbf 100644
  
  optional_policy(`
  	vlock_run(staff_t, staff_r)
-@@ -137,10 +252,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +256,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19529,7 +19735,7 @@ index 9d44538..7e9057e 100644
  #
  interface(`cyphesis_domtrans',`
 diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
-index e182bf4..f80e725 100644
+index e182bf4..aab657c 100644
 --- a/policy/modules/services/cyrus.te
 +++ b/policy/modules/services/cyrus.te
 @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -19541,7 +19747,18 @@ index e182bf4..f80e725 100644
  dontaudit cyrus_t self:capability sys_tty_config;
  allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow cyrus_t self:process setrlimit;
-@@ -135,6 +135,7 @@ optional_policy(`
+@@ -119,6 +119,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	dirsrv_stream_connect(cyrus_t)
++')
++
++optional_policy(`
+ 	kerberos_keytab_template(cyrus, cyrus_t)
+ ')
+ 
+@@ -135,6 +139,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20614,10 +20831,10 @@ index 0000000..0070a0d
 +/var/log/dirsrv/ldap-agent.log	gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
 diff --git a/policy/modules/services/dirsrv.if b/policy/modules/services/dirsrv.if
 new file mode 100644
-index 0000000..440a6c5
+index 0000000..9d8f5de
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.if
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,212 @@
 +## <summary>policy for dirsrv</summary>
 +
 +########################################
@@ -20718,6 +20935,25 @@ index 0000000..440a6c5
 +        allow $1 dirsrv_var_lib_t:file manage_file_perms;
 +')
 +
++########################################
++## <summary>
++##	Connect to dirsrv over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dirsrv_stream_connect',`
++	gen_require(`
++		type dirsrv_t, dirsrv_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
++')
++
 +#######################################
 +## <summary>
 +##      Allow a domain to manage dirsrv /var/run files.
@@ -21013,6 +21249,16 @@ index 03b5286..fcafa0b 100644
  ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
  
  ########################################
+diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
+index dc1056c..bd60100 100644
+--- a/policy/modules/services/dkim.fc
++++ b/policy/modules/services/dkim.fc
+@@ -7,3 +7,5 @@
+ /var/run/dkim-filter(/.*)?		gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/dkim-milter(/.*)?		gen_context(system_u:object_r:dkim_milter_data_t,s0)
+ /var/run/dkim-milter\.pid	--	gen_context(system_u:object_r:dkim_milter_data_t,s0)
++
++/var/lib/dkim-milter(/.*)?		gen_context(system_u:object_r:dkim_milter_data_t,s0)
 diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
 index b886676..ad3210e 100644
 --- a/policy/modules/services/dnsmasq.fc
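Review bot: `/var/lib/dkim-milter(/.*)?` is now labeled `dkim_milter_data_t` both here in dkim.fc and in the milter.fc hunk further down (`+/var/lib/dkim-milter(/.*)?          gen_context(system_u:object_r:dkim_milter_data_t,s0)`); two modules carrying the same path specification typically yields a duplicate file-context entry and a "multiple same specifications" warning at build or relabel time. Keep the entry in whichever module declares dkim_milter_data_t and drop the other. The new line is also appended after the `/var/run` entries; file contexts are conventionally kept in path order, so it belongs with the other `/var/lib` entries.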
@@ -21077,7 +21323,7 @@ index 9bd812b..c808b31 100644
  ')
  
 diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..c516b94 100644
+index fdaeeba..dc4eb3d 100644
 --- a/policy/modules/services/dnsmasq.te
 +++ b/policy/modules/services/dnsmasq.te
 @@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
@@ -21091,7 +21337,16 @@ index fdaeeba..c516b94 100644
  
  kernel_read_kernel_sysctls(dnsmasq_t)
  kernel_read_system_state(dnsmasq_t)
-@@ -96,10 +97,18 @@ optional_policy(`
+@@ -88,6 +89,8 @@ logging_send_syslog_msg(dnsmasq_t)
+ 
+ miscfiles_read_localization(dnsmasq_t)
+ 
++sysnet_dns_name_resolve(dnsmasq_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+ userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
+ 
+@@ -96,10 +99,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21110,7 +21365,7 @@ index fdaeeba..c516b94 100644
  	seutil_sigchld_newrole(dnsmasq_t)
  ')
  
-@@ -114,4 +123,5 @@ optional_policy(`
+@@ -114,4 +125,5 @@ optional_policy(`
  optional_policy(`
  	virt_manage_lib_files(dnsmasq_t)
  	virt_read_pid_files(dnsmasq_t)
@@ -24168,7 +24423,7 @@ index c62f23e..335fda1 100644
  /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
 +/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..c51c1f6 100644
+index 3aa8fa7..8fa74c3 100644
 --- a/policy/modules/services/ldap.if
 +++ b/policy/modules/services/ldap.if
 @@ -1,5 +1,41 @@
@@ -24239,40 +24494,17 @@ index 3aa8fa7..c51c1f6 100644
  ##	Read the OpenLDAP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -69,8 +124,30 @@ interface(`ldap_stream_connect',`
+@@ -69,8 +124,7 @@ interface(`ldap_stream_connect',`
  	')
  
  	files_search_pids($1)
 -	allow $1 slapd_var_run_t:sock_file write;
 -	allow $1 slapd_t:unix_stream_socket connectto;
 +	stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
-+
-+	optional_policy(`
-+		ldap_stream_connect_dirsrv($1)
-+	')
-+')
-+
-+########################################
-+## <summary>
-+##	Connect to dirsrv over an unix stream socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`ldap_stream_connect_dirsrv',`
-+	gen_require(`
-+		type dirsrv_t, dirsrv_var_run_t;
-+	')
-+
-+	files_search_pids($1)
-+	stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
  ')
  
  ########################################
-@@ -110,6 +187,7 @@ interface(`ldap_admin',`
+@@ -110,6 +164,7 @@ interface(`ldap_admin',`
  
  	admin_pattern($1, slapd_lock_t)
  
@@ -24624,17 +24856,18 @@ index db4fd6f..5008a6c 100644
  	admin_pattern($1, memcached_var_run_t)
  ')
 diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
-index 55a3e2f..613c69d 100644
+index 55a3e2f..bc489e0 100644
 --- a/policy/modules/services/milter.fc
 +++ b/policy/modules/services/milter.fc
-@@ -1,3 +1,6 @@
+@@ -1,10 +1,15 @@
 +/etc/mail/dkim-milter/keys(/.*)?        gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 +
 +/usr/sbin/dkim-filter           --      gen_context(system_u:object_r:dkim_milter_exec_t,s0)
  /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
  /usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
  /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
-@@ -5,6 +8,7 @@
+ 
++/var/lib/dkim-milter(/.*)?          gen_context(system_u:object_r:dkim_milter_data_t,s0)
  /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
  /var/lib/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_state_t,s0)
  
@@ -24812,10 +25045,10 @@ index 0000000..42bb2a3
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if
 new file mode 100644
-index 0000000..d76fb11
+index 0000000..6395ec8
 --- /dev/null
 +++ b/policy/modules/services/mock.if
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,254 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -24876,6 +25109,24 @@ index 0000000..d76fb11
 +
 +########################################
 +## <summary>
++##	Getattr on mock lib file,dir,sock_file ...
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mock_getattr_lib',`
++	gen_require(`
++		type mock_var_lib_t;
++	')
++
++	allow $1 mock_var_lib_t:dir_file_class_set getattr;
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete
 +##	mock lib files.
 +## </summary>
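Review bot: The summary of the new mock_getattr_lib interface, `Getattr on mock lib file,dir,sock_file ...`, does not follow the house phrasing and the trailing ellipsis leaves the covered classes unclear, while the rule uses `dir_file_class_set`, i.e. directories plus every file class. Suggest `##	Get the attributes of mock lib directories, files and special files.`.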
@@ -26497,10 +26748,35 @@ index f17583b..8f01394 100644
 +
 +miscfiles_read_localization(munin_plugin_domain)
 diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..4d3b208 100644
+index e9c0982..06034b8 100644
 --- a/policy/modules/services/mysql.if
 +++ b/policy/modules/services/mysql.if
-@@ -73,6 +73,7 @@ interface(`mysql_stream_connect',`
+@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
+ 	domtrans_pattern($1, mysqld_exec_t, mysqld_t)
+ ')
+ 
++######################################
++## <summary>
++##	Execute MySQL in the coller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mysql_exec',`
++	gen_require(`
++		type  mysqld_exec_t;
++	')
++
++	can_exec($1, mysqld_exec_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Send a generic signal to MySQL.
+@@ -73,6 +91,7 @@ interface(`mysql_stream_connect',`
  		type mysqld_t, mysqld_var_run_t, mysqld_db_t;
  	')
  
@@ -26508,7 +26784,7 @@ index e9c0982..4d3b208 100644
  	stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
  	stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
  ')
-@@ -252,7 +253,7 @@ interface(`mysql_write_log',`
+@@ -252,7 +271,7 @@ interface(`mysql_write_log',`
  	')
  
  	logging_search_logs($1)
@@ -26517,7 +26793,7 @@ index e9c0982..4d3b208 100644
  ')
  
  ######################################
-@@ -329,10 +330,9 @@ interface(`mysql_search_pid_files',`
+@@ -329,10 +348,9 @@ interface(`mysql_search_pid_files',`
  #
  interface(`mysql_admin',`
  	gen_require(`
@@ -26531,7 +26807,7 @@ index e9c0982..4d3b208 100644
  	')
  
  	allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +343,17 @@ interface(`mysql_admin',`
+@@ -343,13 +361,17 @@ interface(`mysql_admin',`
  	role_transition $2 mysqld_initrc_exec_t system_r;
  	allow $2 system_r;
  
@@ -27957,19 +28233,29 @@ index b246bdd..f414173 100644
  files_etc_filetrans(pads_t, pads_config_t, file)
 diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc
 new file mode 100644
-index 0000000..8d00972
+index 0000000..fbd07f6
 --- /dev/null
 +++ b/policy/modules/services/passenger.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,16 @@
 +
 +/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
 +
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++
++
++/var/log/passenger(/.*)?           gen_context(system_u:object_r:passenger_log_t,s0)
++/var/log/passenger.*        --      gen_context(system_u:object_r:passenger_log_t,s0)
++
 +/var/lib/passenger(/.*)?           gen_context(system_u:object_r:passenger_var_lib_t,s0)
 +
 +/var/run/passenger(/.*)?           gen_context(system_u:object_r:passenger_var_run_t,s0)
 diff --git a/policy/modules/services/passenger.if b/policy/modules/services/passenger.if
 new file mode 100644
-index 0000000..66f9799
+index 0000000..9ef0492
 --- /dev/null
 +++ b/policy/modules/services/passenger.if
 @@ -0,0 +1,67 @@
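Review bot: The new entry `/var/log/passenger.*        --      gen_context(system_u:object_r:passenger_log_t,s0)` is broader than it looks: file-context regexes are anchored at both ends but `.*` absorbs anything after the prefix, so any regular file under /var/log whose name merely starts with `passenger` (say a `passenger-foo.log` from another package) would be labelled passenger_log_t, and it also duplicates the preceding `/var/log/passenger(/.*)?` line for files inside the directory. If the target is Passenger's own rotated log, `/var/log/passenger\.log.*  --  gen_context(system_u:object_r:passenger_log_t,s0)` is the usual form; the actual file names the agents write are not visible here, so confirm against the package. The doubled blank line between the agent binaries and the log entries is also out of step with the rest of the file.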
@@ -27995,7 +28281,7 @@ index 0000000..66f9799
 +	allow $1 passenger_t:process signal;
 +
 +	domtrans_pattern($1, passenger_exec_t, passenger_t)
-+	allow $1 passenger_t:unix_stream_socket { read write shutdown };
++	allow $1 passenger_t:unix_stream_socket { read write connectto shutdown };
 +	allow passenger_t $1:unix_stream_socket { read write };
 +')
 +
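Review bot: Adding `connectto` to `allow $1 passenger_t:unix_stream_socket { read write connectto shutdown };` makes this domain-transition interface double as a stream-connect interface, so every caller that only needs to spawn passenger_t also becomes a client of its sockets. refpolicy normally keeps those privileges separable with a dedicated `passenger_stream_connect($1)` built on `stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)`, which also supplies the `sock_file write` a connect() needs and which the bare `connectto` here does not grant unless it comes from elsewhere. The interface's name and gen_require start above this hunk, so whether such an interface already exists cannot be confirmed from here.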
@@ -28042,10 +28328,10 @@ index 0000000..66f9799
 +')
 diff --git a/policy/modules/services/passenger.te b/policy/modules/services/passenger.te
 new file mode 100644
-index 0000000..ba9fdb9
+index 0000000..efa9336
 --- /dev/null
 +++ b/policy/modules/services/passenger.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,76 @@
 +policy_module(passanger, 1.0.0)
 +
 +########################################
@@ -28062,6 +28348,9 @@ index 0000000..ba9fdb9
 +type passenger_tmp_t;
 +files_tmp_file(passenger_tmp_t)
 +
++type passenger_log_t;
++logging_log_file(passenger_log_t)
++
 +type passenger_var_lib_t;
 +files_type(passenger_var_lib_t)
 +
@@ -28075,11 +28364,16 @@ index 0000000..ba9fdb9
 +# passanger local policy
 +#
 +
-+allow passenger_t self:capability { dac_override fsetid fowner chown setuid setgid };
-+allow passenger_t self:process signal;
++allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
++allow passenger_t self:process { setpgid setsched sigkill signal };
++
 +allow passenger_t self:fifo_file rw_fifo_file_perms;
 +allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
 +
++manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
++manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
++logging_log_filetrans(passenger_t, passenger_log_t, file)
++
 +files_search_var_lib(passenger_t)
 +manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
 +manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
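Review bot: `logging_log_filetrans(passenger_t, passenger_log_t, file)` only labels files created directly in /var/log, yet the block grants `manage_dirs_pattern` on passenger_log_t and the .fc in this patch labels `/var/log/passenger(/.*)?` as a directory; a directory passenger_t creates at runtime would land as var_log_t and the files inside it would be denied or mislabelled until a restorecon. Use `logging_log_filetrans(passenger_t, passenger_log_t, { file dir })`, as the var_run line further down already does for pid files. The capability set also grows `kill` and the process set `sigkill`; `kill` lets passenger_t signal processes of other UIDs, which alongside `setuid setgid dac_override` is a wide grant for an application server, so if it is only meant for its own workers it is worth re-checking the denials that motivated it.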
@@ -28090,6 +28384,8 @@ index 0000000..ba9fdb9
 +manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
 +files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
 +
++can_exec(passenger_t, passenger_exec_t)
++
 +kernel_read_system_state(passenger_t)
 +kernel_read_kernel_sysctls(passenger_t)
 +
@@ -28738,6 +29034,16 @@ index 0000000..5793840
 +miscfiles_read_localization(piranha_domain)
 +
 +sysnet_read_config(piranha_domain)
+diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc
+index 5702ca4..5df5316 100644
+--- a/policy/modules/services/plymouthd.fc
++++ b/policy/modules/services/plymouthd.fc
+@@ -5,3 +5,5 @@
+ /var/lib/plymouth(/.*)?			gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
+ /var/run/plymouth(/.*)?			gen_context(system_u:object_r:plymouthd_var_run_t,s0)
+ /var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
++
++/var/log/boot\.log		--	gen_context(system_u:object_r:plymouthd_var_log_t,s0)
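Review bot: Labelling `/var/log/boot\.log` as `plymouthd_var_log_t` removes that file from the generic var_log_t class, so any other writer of boot.log (initscripts' console redirection, if this distribution still has it) would now need an explicit interface for plymouthd_var_log_t, and none is added in this patch. Worth confirming plymouthd is the sole writer, or adding a `plymouthd_append_log`-style interface for the other domain. The entry itself is well formed: the dot is escaped and `--` restricts it to regular files.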
 diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
 index 9759ed8..07dd3ff 100644
 --- a/policy/modules/services/plymouthd.if
@@ -28903,10 +29209,31 @@ index 9759ed8..07dd3ff 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index fb8dc84..56cc327 100644
+index fb8dc84..ef11559 100644
 --- a/policy/modules/services/plymouthd.te
 +++ b/policy/modules/services/plymouthd.te
-@@ -60,10 +60,20 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -19,6 +19,9 @@ files_type(plymouthd_spool_t)
+ type plymouthd_var_lib_t;
+ files_type(plymouthd_var_lib_t)
+ 
++type plymouthd_var_log_t;
++logging_log_file(plymouthd_var_log_t)
++
+ type plymouthd_var_run_t;
+ files_pid_file(plymouthd_var_run_t)
+ 
+@@ -42,6 +45,10 @@ manage_dirs_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
+ files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
+ 
++manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
++manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
++logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
++
+ manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+ manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
+ files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
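Review bot: The new `plymouthd_var_log_t` type is wired up for plymouthd_t but not for the admin interface: the plymouthd.if context just above (`admin_pattern($1, plymouthd_var_run_t)`) shows how the other types are exposed, and plymouthd.if is not modified in this revision (its index line is unchanged), so `plymouthd_admin` cannot manage or relabel the new log type. If that interface is meant to cover every type the module declares, add `logging_list_logs($1)` and `admin_pattern($1, plymouthd_var_log_t)` there. Separately, `logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })` permits directory creation in /var/log although the .fc labels only a single file; `file` alone is tighter unless plymouthd actually creates a directory.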
+@@ -60,10 +67,20 @@ domain_use_interactive_fds(plymouthd_t)
  files_read_etc_files(plymouthd_t)
  files_read_usr_files(plymouthd_t)
  
@@ -28927,7 +29254,7 @@ index fb8dc84..56cc327 100644
  ########################################
  #
  # Plymouth private policy
-@@ -74,6 +84,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +91,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
  allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
  
  kernel_read_system_state(plymouth_t)
@@ -28935,7 +29262,7 @@ index fb8dc84..56cc327 100644
  
  domain_use_interactive_fds(plymouth_t)
  
-@@ -87,7 +98,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +105,7 @@ sysnet_read_config(plymouth_t)
  
  plymouthd_stream_connect(plymouth_t)
  
@@ -34250,7 +34577,7 @@ index 22dfeb4..d9f5dbc 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..679558c 100644
+index 086cd5f..b0ee422 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
 @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@@ -34281,7 +34608,7 @@ index 086cd5f..679558c 100644
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -121,6 +126,10 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,6 +126,14 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -34289,10 +34616,14 @@ index 086cd5f..679558c 100644
 +')
 +
 +optional_policy(`
++	mock_getattr_lib(setroubleshootd_t)
++')
++
++optional_policy(`
  	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
  ')
  
-@@ -152,6 +161,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -152,6 +165,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
  seutil_domtrans_setfiles(setroubleshoot_fixit_t)
@@ -34300,7 +34631,7 @@ index 086cd5f..679558c 100644
  
  files_read_usr_files(setroubleshoot_fixit_t)
  files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +174,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +178,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -35579,7 +35910,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..4877b5a 100644
+index 2dad3c8..4cdb5c2 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -35705,7 +36036,15 @@ index 2dad3c8..4877b5a 100644
  
  dev_read_urand(ssh_t)
  
-@@ -169,14 +173,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -162,6 +166,7 @@ logging_read_generic_logs(ssh_t)
+ auth_use_nsswitch(ssh_t)
+ 
+ miscfiles_read_localization(ssh_t)
++miscfiles_read_generic_certs(ssh_t)
+ 
+ seutil_read_config(ssh_t)
+ 
+@@ -169,14 +174,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -35724,7 +36063,7 @@ index 2dad3c8..4877b5a 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +203,57 @@ optional_policy(`
+@@ -200,6 +204,57 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -35782,7 +36121,7 @@ index 2dad3c8..4877b5a 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +263,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +264,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -35791,7 +36130,7 @@ index 2dad3c8..4877b5a 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +286,39 @@ optional_policy(`
+@@ -232,33 +287,39 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -35840,7 +36179,7 @@ index 2dad3c8..4877b5a 100644
  ')
  
  optional_policy(`
-@@ -266,11 +326,24 @@ optional_policy(`
+@@ -266,11 +327,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35866,7 +36205,7 @@ index 2dad3c8..4877b5a 100644
  ')
  
  optional_policy(`
-@@ -284,6 +357,11 @@ optional_policy(`
+@@ -284,6 +358,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35878,7 +36217,7 @@ index 2dad3c8..4877b5a 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +370,26 @@ optional_policy(`
+@@ -292,26 +371,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -35924,7 +36263,7 @@ index 2dad3c8..4877b5a 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +402,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +403,6 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -35932,7 +36271,7 @@ index 2dad3c8..4877b5a 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +430,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +431,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -36001,7 +36340,7 @@ index 941380a..6dbfc01 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..7113802 100644
+index 8ffa257..12d37a2 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
 @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -36035,15 +36374,49 @@ index 8ffa257..7113802 100644
  kernel_read_system_state(sssd_t)
  
  corecmd_exec_bin(sssd_t)
-@@ -80,6 +83,8 @@ logging_send_audit_msgs(sssd_t)
+@@ -60,6 +63,7 @@ domain_obj_id_change_exemption(sssd_t)
+ files_list_tmp(sssd_t)
+ files_read_etc_files(sssd_t)
+ files_read_usr_files(sssd_t)
++files_list_var_lib(sssd_t)
  
- miscfiles_read_localization(sssd_t)
+ fs_list_inotifyfs(sssd_t)
  
-+userdom_manage_tmp_role(system_r, sssd_t)
+@@ -69,7 +73,8 @@ seutil_read_file_contexts(sssd_t)
+ 
+ mls_file_read_to_clearance(sssd_t)
+ 
+-auth_use_nsswitch(sssd_t)
 +
++# auth_use_nsswitch(sssd_t)
+ auth_domtrans_chk_passwd(sssd_t)
+ auth_domtrans_upd_passwd(sssd_t)
+ 
+@@ -79,6 +84,12 @@ logging_send_syslog_msg(sssd_t)
+ logging_send_audit_msgs(sssd_t)
+ 
+ miscfiles_read_localization(sssd_t)
++miscfiles_read_generic_certs(sssd_t)
++
++sysnet_dns_name_resolve(sssd_t)
++sysnet_use_ldap(sssd_t)
++
++userdom_manage_tmp_role(system_r, sssd_t)
+ 
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
- 	dbus_connect_system_bus(sssd_t)
+@@ -88,3 +99,11 @@ optional_policy(`
+ optional_policy(`
+ 	kerberos_manage_host_rcache(sssd_t)
+ ')
++
++optional_policy(`
++	dirsrv_stream_connect(sssd_t)
++')
++
++optional_policy(`
++	ldap_stream_connect(sssd_t)
++')
 diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
 index 6073656..eaf49b2 100644
 --- a/policy/modules/services/stunnel.if
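Review bot: In sssd.te, `auth_use_nsswitch(sssd_t)` is left behind as the dead line `# auth_use_nsswitch(sssd_t)` with a stray blank `+` line above it and no explanation. The explicit replacements (`sysnet_dns_name_resolve`, `sysnet_use_ldap`, `miscfiles_read_generic_certs`, `files_list_var_lib`, `ldap_stream_connect`, `dirsrv_stream_connect`) do not cover everything auth_use_nsswitch provides—nscd_use, kerberos_use, nis_use_ypbind and the winbind/nslcd connects—so either record the reason (presumably to avoid granting sssd_t a connect to itself now that auth_use_nsswitch calls `sssd_stream_connect`) and delete the commented line, or keep the interface. `userdom_manage_tmp_role(system_r, sssd_t)` is also a wide grant for a daemon; if it only needs its own scratch files, a private sssd_tmp_t with `files_tmp_filetrans` is the least-privilege form.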
@@ -37301,7 +37674,7 @@ index 7c5d8d8..8822e63 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..a48a862 100644
+index 3eca020..333a07f 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -37558,7 +37931,12 @@ index 3eca020..a48a862 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -243,18 +291,27 @@ dev_read_rand(virtd_t)
+@@ -239,22 +287,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
+ corenet_rw_tun_tap_dev(virtd_t)
+ 
+ dev_rw_sysfs(virtd_t)
++dev_read_urand(virtd_t)
+ dev_read_rand(virtd_t)
  dev_rw_kvm(virtd_t)
  dev_getattr_all_chr_files(virtd_t)
  dev_rw_mtrr(virtd_t)
@@ -37587,7 +37965,7 @@ index 3eca020..a48a862 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +319,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +320,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -37606,7 +37984,7 @@ index 3eca020..a48a862 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +354,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +355,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -37637,7 +38015,7 @@ index 3eca020..a48a862 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +448,8 @@ optional_policy(`
+@@ -365,6 +449,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -37646,7 +38024,7 @@ index 3eca020..a48a862 100644
  ')
  
  optional_policy(`
-@@ -396,12 +481,25 @@ optional_policy(`
+@@ -396,12 +482,25 @@ optional_policy(`
  
  allow virt_domain self:capability { dac_read_search dac_override kill };
  allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -37673,7 +38051,7 @@ index 3eca020..a48a862 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +520,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +521,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -37681,7 +38059,7 @@ index 3eca020..a48a862 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +528,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +529,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -37694,7 +38072,7 @@ index 3eca020..a48a862 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,6 +541,11 @@ files_search_all(virt_domain)
+@@ -440,6 +542,11 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -37706,7 +38084,7 @@ index 3eca020..a48a862 100644
  
  term_use_all_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
-@@ -457,8 +563,117 @@ optional_policy(`
+@@ -457,8 +564,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39209,7 +39587,7 @@ index da2601a..6b12229 100644
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 145fc4b..6b4d8c9 100644
+index 145fc4b..05cbefe 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -39828,7 +40206,7 @@ index 145fc4b..6b4d8c9 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -504,11 +714,17 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -504,11 +714,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -39836,6 +40214,10 @@ index 145fc4b..6b4d8c9 100644
 +')
 +
 +optional_policy(`
++	acct_dontaudit_list_data(xdm_t)
++')
++
++optional_policy(`
  	alsa_domtrans(xdm_t)
 +	alsa_read_rw_config(xdm_t)
  ')
@@ -39846,7 +40228,7 @@ index 145fc4b..6b4d8c9 100644
  ')
  
  optional_policy(`
-@@ -516,12 +732,49 @@ optional_policy(`
+@@ -516,12 +736,49 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39896,7 +40278,7 @@ index 145fc4b..6b4d8c9 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -539,28 +792,63 @@ optional_policy(`
+@@ -539,28 +796,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39969,7 +40351,7 @@ index 145fc4b..6b4d8c9 100644
  ')
  
  optional_policy(`
-@@ -572,6 +860,10 @@ optional_policy(`
+@@ -572,6 +864,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39980,7 +40362,7 @@ index 145fc4b..6b4d8c9 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -596,7 +888,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +892,7 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -39989,7 +40371,7 @@ index 145fc4b..6b4d8c9 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -610,6 +902,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +906,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -40004,7 +40386,7 @@ index 145fc4b..6b4d8c9 100644
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +929,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +933,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -40026,7 +40408,7 @@ index 145fc4b..6b4d8c9 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +949,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +953,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -40034,7 +40416,7 @@ index 145fc4b..6b4d8c9 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -668,7 +976,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +980,6 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -40042,7 +40424,7 @@ index 145fc4b..6b4d8c9 100644
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -678,11 +985,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,11 +989,17 @@ dev_wx_raw_memory(xserver_t)
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -40060,7 +40442,7 @@ index 145fc4b..6b4d8c9 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -693,8 +1006,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +1010,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -40074,7 +40456,7 @@ index 145fc4b..6b4d8c9 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1034,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1038,14 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -40089,7 +40471,7 @@ index 145fc4b..6b4d8c9 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1094,28 @@ optional_policy(`
+@@ -773,12 +1098,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40119,7 +40501,7 @@ index 145fc4b..6b4d8c9 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -787,6 +1124,10 @@ optional_policy(`
+@@ -787,6 +1128,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40130,7 +40512,7 @@ index 145fc4b..6b4d8c9 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -802,10 +1143,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1147,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -40144,7 +40526,7 @@ index 145fc4b..6b4d8c9 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1154,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -813,7 +1158,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -40153,7 +40535,7 @@ index 145fc4b..6b4d8c9 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -826,6 +1167,9 @@ init_use_fds(xserver_t)
+@@ -826,6 +1171,9 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -40163,7 +40545,7 @@ index 145fc4b..6b4d8c9 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1177,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -833,6 +1181,11 @@ tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_symlinks(xserver_t)
  ')
  
@@ -40175,7 +40557,7 @@ index 145fc4b..6b4d8c9 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_dirs(xserver_t)
  	fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1190,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1194,14 @@ tunable_policy(`use_samba_home_dirs',`
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -40192,7 +40574,7 @@ index 145fc4b..6b4d8c9 100644
  ')
  
  optional_policy(`
-@@ -853,6 +1205,10 @@ optional_policy(`
+@@ -853,6 +1209,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -40203,7 +40585,7 @@ index 145fc4b..6b4d8c9 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -896,7 +1252,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -896,7 +1256,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -40212,7 +40594,7 @@ index 145fc4b..6b4d8c9 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -950,11 +1306,31 @@ allow x_domain self:x_resource { read write };
+@@ -950,11 +1310,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -40244,7 +40626,7 @@ index 145fc4b..6b4d8c9 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -976,18 +1352,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -976,18 +1356,32 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -40871,7 +41253,7 @@ index 1c4b1e7..ffa4134 100644
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..716da1d 100644
+index bea0ade..cbd62c5 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -41198,37 +41580,88 @@ index bea0ade..716da1d 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1500,6 +1692,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,28 +1692,38 @@ interface(`auth_manage_login_records',`
  #
  interface(`auth_use_nsswitch',`
  
-+	allow $1 self:netlink_route_socket r_netlink_socket_perms;
+-	files_list_var_lib($1)
+-
+ 	# read /etc/nsswitch.conf
+ 	files_read_etc_files($1)
+ 
+-	miscfiles_read_generic_certs($1)
+-
+ 	sysnet_dns_name_resolve($1)
+-	sysnet_use_ldap($1)
 +
- 	files_list_var_lib($1)
++	tunable_policy(`authlogin_use_sssd',`', `
++		files_list_var_lib($1)
++
++		miscfiles_read_generic_certs($1)
++
++		sysnet_use_ldap($1)
++	')
  
- 	# read /etc/nsswitch.conf
-@@ -1531,7 +1725,15 @@ interface(`auth_use_nsswitch',`
+ 	optional_policy(`
+-		avahi_stream_connect($1)
++		tunable_policy(`authlogin_use_sssd',`', `
++			dirsrv_stream_connect($1)
++		')
+ 	')
+ 
+ 	optional_policy(`
+-		ldap_stream_connect($1)
++		tunable_policy(`authlogin_use_sssd',`', `
++			ldap_stream_connect($1)
++		')
+ 	')
+ 
+  	optional_policy(`
+-		likewise_stream_connect_lsassd($1)
++		tunable_policy(`authlogin_use_sssd',`', `
++			likewise_stream_connect_lsassd($1)
++		')
+ 	')
+ 
++	# can not wrap nis_use_ypbind or kerberos_use, but they both have booleans you can turn off.
+ 	optional_policy(`
+ 		kerberos_use($1)
+ 	')
+@@ -1531,13 +1733,25 @@ interface(`auth_use_nsswitch',`
  	')
  
  	optional_policy(`
 -		nscd_socket_use($1)
 +		nscd_use($1)
+ 	')
+ 
+ 	optional_policy(`
+-		samba_stream_connect_winbind($1)
+-		samba_read_var_files($1)
+-		samba_dontaudit_write_var_files($1)
++		tunable_policy(`authlogin_use_sssd',`', `
++			nslcd_stream_connect($1)
++		')
 +	')
 +
 +	optional_policy(`
-+		nslcd_stream_connect($1)
++		sssd_stream_connect($1)
 +	')
 +
 +	optional_policy(`
-+		sssd_stream_connect($1)
++		tunable_policy(`authlogin_use_sssd',`', `
++			samba_stream_connect_winbind($1)
++			samba_read_var_files($1)
++			samba_dontaudit_write_var_files($1)
++		')
  	')
+ ')
  
- 	optional_policy(`
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 54d122b..7413dc4 100644
+index 54d122b..c2a3970 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
-@@ -5,9 +5,17 @@ policy_module(authlogin, 2.2.0)
+@@ -5,9 +5,24 @@ policy_module(authlogin, 2.2.0)
  # Declarations
  #
  
@@ -41239,6 +41672,13 @@ index 54d122b..7413dc4 100644
 +## </desc>
 +gen_tunable(authlogin_radius, false)
 +
++## <desc>
++## <p>
++## Allow users to login using a sssd server
++## </p>
++## </desc>
++gen_tunable(authlogin_use_sssd, false)
++
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
  attribute can_relabelto_shadow_passwords;
@@ -41246,7 +41686,7 @@ index 54d122b..7413dc4 100644
  
  type auth_cache_t;
  logging_log_file(auth_cache_t)
-@@ -44,7 +52,7 @@ type pam_tmp_t;
+@@ -44,7 +59,7 @@ type pam_tmp_t;
  files_tmp_file(pam_tmp_t)
  
  type pam_var_console_t;
@@ -41255,7 +41695,7 @@ index 54d122b..7413dc4 100644
  
  type pam_var_run_t;
  files_pid_file(pam_var_run_t)
-@@ -83,7 +91,7 @@ logging_log_file(wtmp_t)
+@@ -83,7 +98,7 @@ logging_log_file(wtmp_t)
  
  allow chkpwd_t self:capability { dac_override setuid };
  dontaudit chkpwd_t self:capability sys_tty_config;
@@ -41264,7 +41704,7 @@ index 54d122b..7413dc4 100644
  
  allow chkpwd_t shadow_t:file read_file_perms;
  files_list_etc(chkpwd_t)
-@@ -394,3 +402,11 @@ optional_policy(`
+@@ -394,3 +409,11 @@ optional_policy(`
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
@@ -41591,10 +42031,10 @@ index c310775..d5fc685 100644
  
  term_dontaudit_use_console(hostname_t)
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 9775375..299b718 100644
+index 6fed22c..06e5395 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
-@@ -24,7 +24,21 @@ ifdef(`distro_gentoo',`
+@@ -33,7 +33,21 @@ ifdef(`distro_gentoo', `
  #
  # /sbin
  #
@@ -41616,7 +42056,7 @@ index 9775375..299b718 100644
  
  ifdef(`distro_gentoo', `
  /sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -44,6 +58,9 @@ ifdef(`distro_gentoo', `
+@@ -53,6 +67,9 @@ ifdef(`distro_gentoo', `
  
  /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
  /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -41627,7 +42067,7 @@ index 9775375..299b718 100644
  #
  # /var
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index df3fa64..473d2b4 100644
+index ed152c4..be3bb8f 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,40 @@ interface(`init_script_domain',`
@@ -41675,9 +42115,9 @@ index df3fa64..473d2b4 100644
  
  	role system_r types $1;
  
--	domtrans_pattern(init_t,$2,$1)
+-	domtrans_pattern(init_t, $2, $1)
 +	tunable_policy(`init_systemd',`', `
-+		domtrans_pattern(init_t,$2,$1)
++		domtrans_pattern(init_t, $2, $1)
 +		allow init_t $1:unix_stream_socket create_stream_socket_perms;
 +		allow $1 init_t:unix_dgram_socket sendto;
 +	')
@@ -41695,10 +42135,12 @@ index df3fa64..473d2b4 100644
  	')
  
  	typeattribute $1 daemon;
-@@ -205,6 +245,21 @@ interface(`init_daemon_domain',`
+@@ -204,7 +244,22 @@ interface(`init_daemon_domain',`
+ 
  	role system_r types $1;
  
- 	domtrans_pattern(initrc_t,$2,$1)
+-	domtrans_pattern(initrc_t, $2, $1)
++	domtrans_pattern(initrc_t,$2,$1)
 +	allow initrc_t $1:process siginh;
 +	allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
 +	allow $1 initrc_transition_domain:fd use;
@@ -41724,8 +42166,8 @@ index df3fa64..473d2b4 100644
 +		type init_t;
  	')
  
--	init_daemon_domain($1,$2)
-+#	init_daemon_domain($1,$2)
+-	init_daemon_domain($1, $2)
++#	init_daemon_domain($1, $2)
  
  	ifdef(`enable_mcs',`
  		range_transition initrc_t $2:process $3;
@@ -41739,7 +42181,7 @@ index df3fa64..473d2b4 100644
  	')
  ')
  
-@@ -336,8 +394,10 @@ interface(`init_ranged_daemon_domain',`
+@@ -336,15 +394,31 @@ interface(`init_ranged_daemon_domain',`
  #
  interface(`init_system_domain',`
  	gen_require(`
@@ -41749,11 +42191,12 @@ index df3fa64..473d2b4 100644
 +		attribute initrc_transition_domain;
  	')
  
- 	application_domain($1,$2)
-@@ -345,6 +405,20 @@ interface(`init_system_domain',`
+ 	application_domain($1, $2)
+ 
  	role system_r types $1;
  
- 	domtrans_pattern(initrc_t,$2,$1)
+-	domtrans_pattern(initrc_t, $2, $1)
++	domtrans_pattern(initrc_t,$2,$1)
 +	allow initrc_t $1:process siginh;
 +	allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
 +	allow $1 initrc_transition_domain:fd use;
@@ -41816,7 +42259,7 @@ index df3fa64..473d2b4 100644
 +		type init_t;
  	')
  
- 	init_system_domain($1,$2)
+ 	init_system_domain($1, $2)
  
  	ifdef(`enable_mcs',`
  		range_transition initrc_t $2:process $3;
@@ -41826,10 +42269,10 @@ index df3fa64..473d2b4 100644
  	ifdef(`enable_mls',`
  		range_transition initrc_t $2:process $3;
 +		range_transition init_t $2:process $3;
+ 		mls_rangetrans_target($1)
  	')
  ')
- 
-@@ -687,19 +795,24 @@ interface(`init_telinit',`
+@@ -688,19 +796,24 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -41855,7 +42298,7 @@ index df3fa64..473d2b4 100644
  	')
  ')
  
-@@ -772,18 +885,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +886,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -41879,7 +42322,7 @@ index df3fa64..473d2b4 100644
  	')
  ')
  
-@@ -799,19 +913,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +914,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -41925,7 +42368,7 @@ index df3fa64..473d2b4 100644
  ')
  
  ########################################
-@@ -867,8 +1003,12 @@ interface(`init_script_file_domtrans',`
+@@ -868,8 +1004,12 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -41938,7 +42381,7 @@ index df3fa64..473d2b4 100644
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -1129,12 +1269,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1270,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -41952,7 +42395,7 @@ index df3fa64..473d2b4 100644
  ')
  
  ########################################
-@@ -1374,6 +1509,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1510,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -41980,7 +42423,7 @@ index df3fa64..473d2b4 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1460,6 +1616,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1617,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -42006,7 +42449,7 @@ index df3fa64..473d2b4 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1673,7 +1848,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1849,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -42015,7 +42458,7 @@ index df3fa64..473d2b4 100644
  ')
  
  ########################################
-@@ -1748,3 +1923,93 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +1924,93 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -42110,7 +42553,7 @@ index df3fa64..473d2b4 100644
 +	allow $1 init_t:unix_dgram_socket sendto;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 2fbb25a..2cba7c4 100644
+index 0580e7c..28fd86c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -42277,7 +42720,7 @@ index 2fbb25a..2cba7c4 100644
 +	dev_write_kmsg(init_t)
 +	dev_write_urand(init_t)
 +	dev_rw_autofs(init_t)
-+	dev_create_generic_symlinks(init_t)
++	dev_manage_generic_symlinks(init_t)
 +	dev_manage_generic_dirs(init_t)
 +	dev_manage_generic_files(init_t)
 +	dev_read_generic_chr_files(init_t)
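Review bot: Swapping `dev_create_generic_symlinks(init_t)` for `dev_manage_generic_symlinks(init_t)` widens init_t from creating generic /dev symlinks to the full manage set on them (by the usual manage_* definition this also covers unlink and rename), but neither the rule nor the changelog's "Fixes for systemd policy" records which systemd operation was denied. A one-line comment above the rule, e.g. `# systemd replaces /dev symlinks it owns rather than only creating them`, would stop the widening from being carried forward without a reason; if only deletion was needed, a narrower delete-only interface (if the policy provides one, which is not visible here) would be preferable. The block these rules belong to starts and ends outside the hunk.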
@@ -42534,7 +42977,7 @@ index 2fbb25a..2cba7c4 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +658,7 @@ ifdef(`distro_redhat',`
+@@ -474,7 +659,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -42543,7 +42986,7 @@ index 2fbb25a..2cba7c4 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +704,23 @@ ifdef(`distro_redhat',`
+@@ -520,6 +705,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -42567,7 +43010,7 @@ index 2fbb25a..2cba7c4 100644
  	')
  
  	optional_policy(`
-@@ -526,10 +728,17 @@ ifdef(`distro_redhat',`
+@@ -527,10 +729,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -42585,7 +43028,7 @@ index 2fbb25a..2cba7c4 100644
  	')
  
  	optional_policy(`
-@@ -544,6 +753,35 @@ ifdef(`distro_suse',`
+@@ -545,6 +754,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -42621,7 +43064,7 @@ index 2fbb25a..2cba7c4 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +794,8 @@ optional_policy(`
+@@ -557,6 +795,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -42630,7 +43073,7 @@ index 2fbb25a..2cba7c4 100644
  ')
  
  optional_policy(`
-@@ -572,6 +812,7 @@ optional_policy(`
+@@ -573,6 +813,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -42638,7 +43081,7 @@ index 2fbb25a..2cba7c4 100644
  ')
  
  optional_policy(`
-@@ -584,6 +825,11 @@ optional_policy(`
+@@ -585,6 +826,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42650,7 +43093,7 @@ index 2fbb25a..2cba7c4 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,9 +846,13 @@ optional_policy(`
+@@ -601,9 +847,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -42664,7 +43107,7 @@ index 2fbb25a..2cba7c4 100644
  	')
  
  	optional_policy(`
-@@ -701,7 +951,13 @@ optional_policy(`
+@@ -702,7 +952,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42678,7 +43121,7 @@ index 2fbb25a..2cba7c4 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +980,10 @@ optional_policy(`
+@@ -725,6 +981,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42689,7 +43132,7 @@ index 2fbb25a..2cba7c4 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -737,6 +997,10 @@ optional_policy(`
+@@ -738,6 +998,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42700,7 +43143,7 @@ index 2fbb25a..2cba7c4 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -745,6 +1009,10 @@ optional_policy(`
+@@ -746,6 +1010,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42711,7 +43154,7 @@ index 2fbb25a..2cba7c4 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +1034,6 @@ optional_policy(`
+@@ -767,8 +1035,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -42720,7 +43163,7 @@ index 2fbb25a..2cba7c4 100644
  ')
  
  optional_policy(`
-@@ -776,14 +1042,21 @@ optional_policy(`
+@@ -777,14 +1043,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42742,7 +43185,7 @@ index 2fbb25a..2cba7c4 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1078,19 @@ optional_policy(`
+@@ -806,11 +1079,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42763,7 +43206,7 @@ index 2fbb25a..2cba7c4 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1100,25 @@ optional_policy(`
+@@ -820,6 +1101,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -42789,7 +43232,7 @@ index 2fbb25a..2cba7c4 100644
  ')
  
  optional_policy(`
-@@ -844,3 +1144,59 @@ optional_policy(`
+@@ -845,3 +1145,59 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -45651,7 +46094,7 @@ index 170e2c7..bbaa8cf 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ff5d72d..f5fdb63 100644
+index ff5d72d..8526f19 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -45808,7 +46251,16 @@ index ff5d72d..f5fdb63 100644
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -405,6 +423,10 @@ ifndef(`direct_sysadm_daemon',`
+@@ -380,6 +398,8 @@ selinux_compute_create_context(run_init_t)
+ selinux_compute_relabel_context(run_init_t)
+ selinux_compute_user_contexts(run_init_t)
+ 
++term_use_console(run_init_t)
++
+ auth_use_nsswitch(run_init_t)
+ auth_domtrans_chk_passwd(run_init_t)
+ auth_domtrans_upd_passwd(run_init_t)
+@@ -405,6 +425,10 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -45819,7 +46271,7 @@ index ff5d72d..f5fdb63 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,61 +442,22 @@ optional_policy(`
+@@ -420,61 +444,22 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -45889,7 +46341,7 @@ index ff5d72d..f5fdb63 100644
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -483,12 +466,23 @@ ifdef(`distro_debian',`
+@@ -483,12 +468,23 @@ ifdef(`distro_debian',`
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
@@ -45913,7 +46365,7 @@ index ff5d72d..f5fdb63 100644
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -498,112 +492,54 @@ ifdef(`enable_mls',`
+@@ -498,112 +494,54 @@ ifdef(`enable_mls',`
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
@@ -46090,7 +46542,7 @@ index 726619b..36426f7 100644
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 8e71fb7..350d003 100644
+index 8e71fb7..f1b155a 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -46207,21 +46659,15 @@ index 8e71fb7..350d003 100644
  ##	Read network config files.
  ## </summary>
  ## <desc>
-@@ -403,11 +496,8 @@ interface(`sysnet_manage_config',`
- 		type net_conf_t;
- 	')
+@@ -406,6 +499,7 @@ interface(`sysnet_manage_config',`
+ 	allow $1 net_conf_t:file manage_file_perms;
  
--	allow $1 net_conf_t:file manage_file_perms;
--
--	ifdef(`distro_redhat',`
--		manage_files_pattern($1, net_conf_t, net_conf_t)
--	')
-+	allow $1 net_conf_t:dir list_dir_perms;
-+	manage_files_pattern($1, net_conf_t, net_conf_t)
+ 	ifdef(`distro_redhat',`
++		allow $1 net_conf_t:dir list_dir_perms;
+ 		manage_files_pattern($1, net_conf_t, net_conf_t)
+ 	')
  ')
- 
- #######################################
-@@ -444,6 +534,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -444,6 +538,7 @@ interface(`sysnet_delete_dhcpc_pid',`
  		type dhcpc_var_run_t;
  	')
  
@@ -46229,7 +46675,7 @@ index 8e71fb7..350d003 100644
  	allow $1 dhcpc_var_run_t:file unlink;
  ')
  
-@@ -464,6 +555,10 @@ interface(`sysnet_domtrans_ifconfig',`
+@@ -464,6 +559,10 @@ interface(`sysnet_domtrans_ifconfig',`
  
  	corecmd_search_bin($1)
  	domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -46240,7 +46686,7 @@ index 8e71fb7..350d003 100644
  ')
  
  ########################################
-@@ -534,6 +629,25 @@ interface(`sysnet_signal_ifconfig',`
+@@ -534,6 +633,25 @@ interface(`sysnet_signal_ifconfig',`
  
  ########################################
  ## <summary>
@@ -46266,26 +46712,29 @@ index 8e71fb7..350d003 100644
  ##	Read the DHCP configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -677,7 +791,10 @@ interface(`sysnet_use_ldap',`
- 	corenet_tcp_connect_ldap_port($1)
+@@ -641,6 +759,8 @@ interface(`sysnet_dns_name_resolve',`
+ 	corenet_tcp_connect_dns_port($1)
+ 	corenet_sendrecv_dns_client_packets($1)
+ 
++	miscfiles_read_generic_certs($1)
++
+ 	sysnet_read_config($1)
+ 
+ 	optional_policy(`
+@@ -678,6 +798,9 @@ interface(`sysnet_use_ldap',`
  	corenet_sendrecv_ldap_client_packets($1)
  
--	sysnet_read_config($1)
-+	files_search_etc($1)
-+	allow $1 net_conf_t:file read_file_perms;
+ 	sysnet_read_config($1)
++
 +	# LDAP Configuration using encrypted requires
 +	dev_read_urand($1)
  ')
  
  ########################################
-@@ -709,5 +826,52 @@ interface(`sysnet_use_portmap',`
- 	corenet_tcp_connect_portmap_port($1)
- 	corenet_sendrecv_portmap_client_packets($1)
+@@ -711,3 +834,49 @@ interface(`sysnet_use_portmap',`
  
--	sysnet_read_config($1)
-+	files_search_etc($1)
-+	allow $1 net_conf_t:file read_file_perms;
-+')
+ 	sysnet_read_config($1)
+ ')
 +
 +########################################
 +## <summary>
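Review bot: `miscfiles_read_generic_certs($1)` added to sysnet_dns_name_resolve grants certificate-store read access to every domain that calls this very widely used interface, and nothing in the hunk or the changelog records which resolver component actually needs it. If the need is specific to one backend (for example a TLS-capable nsswitch module, inferred rather than visible here), the rule belongs in that module or under an `optional_policy` block; at minimum a comment such as `# some nsswitch/resolver backends validate against the system cert store` should accompany it so the grant is not silently kept on the next rebase. The sysnet_use_ldap and sysnet_use_portmap parts of the hunk correctly go back to `sysnet_read_config($1)` instead of open-coding `net_conf_t` access. The enclosing sysnet_dns_name_resolve interface starts before the hunk.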
@@ -46331,7 +46780,7 @@ index 8e71fb7..350d003 100644
 +	')
 +
 +	role_transition $1 dhcpc_exec_t system_r;
- ')
++')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
 index dfbe736..d8c6f24 100644
 --- a/policy/modules/system/sysnetwork.te
@@ -46650,7 +47099,7 @@ index 0000000..5f0352b
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a74c435
+index 0000000..24f8c6f
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
 @@ -0,0 +1,98 @@
@@ -46721,7 +47170,7 @@ index 0000000..a74c435
 +files_manage_all_locks(systemd_tmpfiles_t)
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
 +files_unlink_all_pid_sockets(systemd_tmpfiles_t)
-+
++files_delete_boot_flag(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
 +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
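Review bot: `files_delete_boot_flag(systemd_tmpfiles_t)` is added without a comment, and the interface name suggests it covers the whole set of boot-time flag files in / rather than only the one tmpfiles cleans up; since one of those flags (the relabel trigger, if it is labelled the same way, which cannot be confirmed here) decides whether SELinux relabels the filesystem on the next boot, the intent should be recorded. A short comment naming the file tmpfiles is expected to remove, e.g. `# tmpfiles removes stale boot flags such as /forcefsck after boot`, would document that and make a narrower interface easy to substitute later. The systemd_tmpfiles_t local policy continues outside the hunk.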
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e7330e3..99148d8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -471,6 +471,17 @@ exit 0
 %endif
 
 %changelog
+* Tue Dec 21 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-1
+- Update to upstream
+- Fixes for systemd policy
+- Fixes for passenger policy
+- Allow staff users to run mysqld in the staff_t domain, akonadi needs this
+- Add bin_t label for /usr/share/kde4/apps/kajongg/kajongg.py
+- auth_use_nsswitch does not need avahi to read passwords,needed for resolving data
+- Dontaudit (xdm_t) gok attempting to list contents of /var/account
+- Telepathy domains need to read urand
+- Need interface to getattr all file classes in a mock library for setroubleshoot
+
 * Wed Dec 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.11-2
 - Update selinux policy to handle new /usr/share/sandbox/start script