diff --git a/policy-F15.patch b/policy-F15.patch
index f667cb2..4663488 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -1218,7 +1218,7 @@ index 47c4723..4866a08 100644
 +	domtrans_pattern($1, readahead_exec_t, readahead_t)
 +')
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
-index b4ac57e..39fbe42 100644
+index b4ac57e..e2d07b1 100644
 --- a/policy/modules/admin/readahead.te
 +++ b/policy/modules/admin/readahead.te
 @@ -16,6 +16,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -1229,15 +1229,18 @@ index b4ac57e..39fbe42 100644
  
  ########################################
  #
-@@ -32,6 +33,7 @@ files_search_var_lib(readahead_t)
+@@ -31,7 +32,9 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+ files_search_var_lib(readahead_t)
  
  manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
- files_pid_filetrans(readahead_t, readahead_var_run_t, file)
+-files_pid_filetrans(readahead_t, readahead_var_run_t, file)
++manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
++files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
 +dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
  
  kernel_read_all_sysctls(readahead_t)
  kernel_read_system_state(readahead_t)
-@@ -53,6 +55,7 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,6 +56,7 @@ domain_read_all_domains_state(readahead_t)
  
  files_list_non_security(readahead_t)
  files_read_non_security_files(readahead_t)
@@ -1245,7 +1248,7 @@ index b4ac57e..39fbe42 100644
  files_create_boot_flag(readahead_t)
  files_getattr_all_pipes(readahead_t)
  files_dontaudit_getattr_all_sockets(readahead_t)
-@@ -66,6 +69,7 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,12 +70,14 @@ fs_read_cgroup_files(readahead_t)
  fs_read_tmpfs_files(readahead_t)
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
@@ -1253,6 +1256,13 @@ index b4ac57e..39fbe42 100644
  fs_dontaudit_search_ramfs(readahead_t)
  fs_dontaudit_read_ramfs_pipes(readahead_t)
  fs_dontaudit_read_ramfs_files(readahead_t)
+ fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+ 
+ mls_file_read_all_levels(readahead_t)
++mcs_file_read_all(readahead_t)
+ 
+ storage_raw_read_fixed_disk(readahead_t)
+ 
 diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
 index b206bf6..48922c9 100644
 --- a/policy/modules/admin/rpm.fc
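Review bot: The added `mcs_file_read_all(readahead_t)` in the readahead.te section has no comment saying why readahead needs to bypass MCS category checks on file reads. Next to the `mls_file_read_all_levels` and `storage_raw_read_fixed_disk` calls in the same hunk, the domain can then read file content regardless of level or category, so the reason belongs beside the rule. A comment such as `# readahead preloads files of every category at boot` would do, but that wording is a guess at the intent and should be confirmed by the author.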
@@ -1285,7 +1295,7 @@ index b206bf6..48922c9 100644
  /var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
  
 diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
-index d33daa8..e50a5ed 100644
+index d33daa8..c76708e 100644
 --- a/policy/modules/admin/rpm.if
 +++ b/policy/modules/admin/rpm.if
 @@ -13,10 +13,13 @@
@@ -1384,6 +1394,15 @@ index d33daa8..e50a5ed 100644
  ')
  
  ########################################
+@@ -516,7 +564,7 @@ interface(`rpm_dontaudit_manage_db',`
+ 		type rpm_var_lib_t;
+ 	')
+ 
+-	dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
++	dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
+ 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
+ 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
+ ')
 @@ -576,3 +624,66 @@ interface(`rpm_pid_filetrans',`
  
  	files_pid_filetrans($1, rpm_var_run_t, file)
@@ -4516,6 +4535,20 @@ index 49abe8e..47a193c 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te
+index 2523758..113a08b 100644
+--- a/policy/modules/apps/loadkeys.te
++++ b/policy/modules/apps/loadkeys.te
+@@ -46,5 +46,9 @@ ifdef(`hide_broken_symptoms',`
+ ')
+ 
+ optional_policy(`
++	keyboardd_read_pipes(loadkeys_t)
++')
++
++optional_policy(`
+ 	nscd_dontaudit_search_pid(loadkeys_t)
+ ')
 diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc
 new file mode 100644
 index 0000000..bf872ef
@@ -4664,7 +4697,7 @@ index 93ac529..aafece7 100644
  /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..5ac3ea5 100644
+index 9a6d67d..76caa60 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -4795,8 +4828,31 @@ index 9a6d67d..5ac3ea5 100644
  ##	Send and receive messages from
  ##	mozilla over dbus.
  ## </summary>
+@@ -204,3 +295,22 @@ interface(`mozilla_rw_tcp_sockets',`
+ 
+ 	allow $1 mozilla_t:tcp_socket rw_socket_perms;
+ ')
++
++########################################
++## <summary>
++##	Delete mozilla_plugin tmpf  files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`mozilla_plugin_delete_tmpfs_files',`
++	gen_require(`
++		type mozilla_plugin_tmpfs_t;
++	')
++
++	allow $1 mozilla_plugin_tmpfs_t:file unlink;
++')
++
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..319c66a 100644
+index 2a91fa8..2fad053 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
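Review bot: The summary of the new `mozilla_plugin_delete_tmpfs_files` interface has a typo (`tmpf  files`), and its parameter summary lacks the closing period that the other interfaces added in this patch have. Suggested text is `##	Delete mozilla_plugin tmpfs files.` and `##	Domain allowed access.`. The rule itself grants only `unlink` on `mozilla_plugin_tmpfs_t:file`, which matches the interface name.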
@@ -4878,7 +4934,7 @@ index 2a91fa8..319c66a 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,161 @@ optional_policy(`
+@@ -266,3 +291,175 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -4894,6 +4950,7 @@ index 2a91fa8..319c66a 100644
 +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
 +allow mozilla_plugin_t self:udp_socket create_socket_perms;
++allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
 +allow mozilla_plugin_t self:sem create_sem_perms;
 +allow mozilla_plugin_t self:shm create_shm_perms;
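Review bot: The added `allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;` carries no comment naming what in the plugin container opens a kernel uevent socket. mozilla_plugin_t runs browser plugins on web content, so each socket class it may create should have a stated reason, e.g. `# <plugin or library name> listens for device hotplug events`. If the plugin works without the socket, a `dontaudit` for this class would be the narrower choice.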
@@ -4986,6 +5043,7 @@ index 2a91fa8..319c66a 100644
 +userdom_read_user_home_content_files(mozilla_plugin_t)
 +userdom_read_user_home_content_symlinks(mozilla_plugin_t)
 +userdom_read_home_certs(mozilla_plugin_t)
++userdom_dontaudit_write_home_certs(mozilla_plugin_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config(mozilla_plugin_t)
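Review bot: `userdom_dontaudit_write_home_certs(mozilla_plugin_t)` silences a denial without saying which benign code path triggers it. The write stays blocked, but the AVC record showing a plugin process trying to modify the user's home certificate files is no longer logged, and that record is useful when investigating a misbehaving plugin. A comment such as `# plugin opens the cert files read-write on startup; the write is not needed` (to be confirmed by the author) would justify the suppression.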
@@ -5040,6 +5098,18 @@ index 2a91fa8..319c66a 100644
 +	xserver_read_user_iceauth(mozilla_plugin_t)
 +	xserver_read_user_xauth(mozilla_plugin_t)
 +')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_manage_nfs_dirs(mozilla_plugin_t)
++	fs_manage_nfs_files(mozilla_plugin_t)
++	fs_manage_nfs_symlinks(mozilla_plugin_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_manage_cifs_dirs(mozilla_plugin_t)
++	fs_manage_cifs_files(mozilla_plugin_t)
++	fs_manage_cifs_symlinks(mozilla_plugin_t)
++')
 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
 index d8ea41d..8bdc526 100644
 --- a/policy/modules/apps/mplayer.if
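Review bot: Both new `tunable_policy` blocks give mozilla_plugin_t full manage rights (`fs_manage_nfs_*`, `fs_manage_cifs_*`), while the local-home rules visible earlier in this section are read-only (`userdom_read_user_home_content_files`, `userdom_read_user_home_content_symlinks`). NFS and CIFS mounts normally carry one label for everything on them, so with either boolean on the plugin can create, change and delete any file the user can reach on the share, not only its own profile data. If the plugin only needs to read, `fs_list_nfs`/`fs_read_nfs_files`/`fs_read_nfs_symlinks` and the CIFS equivalents would mirror the local case; otherwise add a comment stating which directory it writes to. Other write grants for mozilla_plugin_t may exist outside the lines shown here.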
@@ -5135,10 +5205,10 @@ index 0000000..ce51c8d
 +
 diff --git a/policy/modules/apps/namespace.if b/policy/modules/apps/namespace.if
 new file mode 100644
-index 0000000..9747548
+index 0000000..8d7c751
 --- /dev/null
 +++ b/policy/modules/apps/namespace.if
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,48 @@
 +
 +## <summary>policy for namespace</summary>
 +
@@ -5184,6 +5254,8 @@ index 0000000..9747548
 +
 +	namespace_init_domtrans($1)
 +	role $2 types namespace_init_t;
++
++	seutil_run_setfiles(namespace_init_t, $2)
 +')
 diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
 new file mode 100644
@@ -5734,10 +5806,10 @@ index 0000000..4f9cb05
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..a353718
+index 0000000..e9d4d0c
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,317 @@
+@@ -0,0 +1,318 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -5927,6 +5999,7 @@ index 0000000..a353718
 +	mozilla_execute_user_home_files(nsplugin_t)
 +	mozilla_read_user_home_files(nsplugin_t)
 +	mozilla_write_user_home_files(nsplugin_t)
++	mozilla_plugin_delete_tmpfs_files(nsplugin_t)
 +')
 +
 +optional_policy(`
@@ -8580,7 +8653,7 @@ index 82842a0..4111a1d 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..b25eac7 100644
+index 34c9d01..75c0fdf 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -8613,7 +8686,17 @@ index 34c9d01..b25eac7 100644
  /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
  /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
-@@ -247,6 +247,8 @@ ifdef(`distro_gentoo',`
+@@ -232,6 +232,9 @@ ifdef(`distro_gentoo',`
+ /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/xulrunner[^/]*/xulrunner[^/]* --	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/xulrunner[^/]*/updater --	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/xulrunner[^/]*/crashreporter --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+@@ -247,6 +250,8 @@ ifdef(`distro_gentoo',`
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -8622,7 +8705,7 @@ index 34c9d01..b25eac7 100644
  /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -307,6 +309,7 @@ ifdef(`distro_redhat', `
+@@ -307,6 +312,7 @@ ifdef(`distro_redhat', `
  /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -8630,7 +8713,7 @@ index 34c9d01..b25eac7 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +319,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +322,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -8750,7 +8833,7 @@ index 5a07a43..e97e47f 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index f12e087..bb37cd3 100644
+index f12e087..71e46ab 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -8880,7 +8963,7 @@ index f12e087..bb37cd3 100644
 -network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
 +network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
  network_port(ntp, udp,123,s0)
-+network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
++network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0)
  network_port(ocsp, tcp,9080,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
@@ -15711,7 +15794,7 @@ index c9e1a44..1a1ba36 100644
 +	dontaudit $1 httpd_tmp_t:file { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..9dd70c3 100644
+index 08dfa0c..61f340d 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@@ -16127,8 +16210,8 @@ index 08dfa0c..9dd70c3 100644
 +tunable_policy(`httpd_can_network_connect_db',`
 +	corenet_tcp_connect_mssql_port(httpd_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_t)
-+	corenet_tcp_connect_oracle_port(httpd_t)
-+	corenet_sendrecv_oracle_client_packets(httpd_t)
++	corenet_tcp_connect_oracledb_port(httpd_t)
++	corenet_sendrecv_oracledb_client_packets(httpd_t)
 +')
 +
 +tunable_policy(`httpd_can_network_memcache',`
@@ -16377,8 +16460,8 @@ index 08dfa0c..9dd70c3 100644
 -	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
 +	corenet_tcp_connect_mssql_port(httpd_php_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_php_t)
-+	corenet_tcp_connect_oracle_port(httpd_php_t)
-+	corenet_sendrecv_oracle_client_packets(httpd_php_t)
++	corenet_tcp_connect_oracledb_port(httpd_php_t)
++	corenet_sendrecv_oracledb_client_packets(httpd_php_t)
  ')
  
  optional_policy(`
@@ -16434,8 +16517,8 @@ index 08dfa0c..9dd70c3 100644
 +tunable_policy(`httpd_can_network_connect_db',`
 +	corenet_tcp_connect_mssql_port(httpd_suexec_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
-+	corenet_tcp_connect_oracle_port(httpd_suexec_t)
-+	corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
++	corenet_tcp_connect_oracledb_port(httpd_suexec_t)
++	corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
 +')
 +
 +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
@@ -16508,8 +16591,8 @@ index 08dfa0c..9dd70c3 100644
 +tunable_policy(`httpd_can_network_connect_db',`
 +	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
 +	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
-+	corenet_tcp_connect_oracle_port(httpd_sys_script_t)
-+	corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
++	corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
++	corenet_sendrecv_oracledb_client_packets(httpd_sys_script_t)
 +')
 +
 +fs_cifs_entry_type(httpd_sys_script_t)
@@ -16734,7 +16817,7 @@ index 8b8143e..c1a2b96 100644
  
  	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..cb0c6e7 100644
+index b3b0176..99f98ff 100644
 --- a/policy/modules/services/asterisk.te
 +++ b/policy/modules/services/asterisk.te
 @@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
@@ -16750,6 +16833,14 @@ index b3b0176..cb0c6e7 100644
  
  kernel_read_system_state(asterisk_t)
  kernel_read_kernel_sysctls(asterisk_t)
+@@ -108,6 +109,7 @@ corenet_tcp_bind_generic_port(asterisk_t)
+ corenet_udp_bind_generic_port(asterisk_t)
+ corenet_dontaudit_udp_bind_all_ports(asterisk_t)
+ corenet_sendrecv_generic_server_packets(asterisk_t)
++corenet_tcp_connect_festival_port(asterisk_t)
+ corenet_tcp_connect_postgresql_port(asterisk_t)
+ corenet_tcp_connect_snmp_port(asterisk_t)
+ corenet_tcp_connect_sip_port(asterisk_t)
 diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
 index d80a16b..a43e006 100644
 --- a/policy/modules/services/automount.if
@@ -22538,7 +22629,7 @@ index e1d7dc5..673f185 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..ae635c6 100644
+index cbe14e4..2bf7e73 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -22638,15 +22729,16 @@ index cbe14e4..ae635c6 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -242,6 +260,7 @@ optional_policy(`
+@@ -242,6 +260,8 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	postfix_manage_private_sockets(dovecot_auth_t)
++	postfix_rw_master_pipes(dovecot_deliver_t)
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -249,23 +268,39 @@ optional_policy(`
+@@ -249,23 +269,39 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -22688,7 +22780,7 @@ index cbe14e4..ae635c6 100644
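Review bot: The added `postfix_rw_master_pipes(dovecot_deliver_t)` sits in the optional_policy block of the dovecot_auth_t section, between two dovecot_auth_t rules, although it grants access to dovecot_deliver_t. The `dovecot deliver local policy` header follows directly after this block, so the line is easy to miss when auditing what dovecot_deliver_t may do. Moving it into an `optional_policy` block of its own under that header keeps each domain's rules together; if dovecot_auth_t was meant, the argument is wrong.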
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -301,5 +336,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +337,15 @@ tunable_policy(`use_samba_home_dirs',`
  ')
  
  optional_policy(`
@@ -24420,7 +24512,7 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..078ea24 100644
+index 4fde46b..22a3833 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
 @@ -19,7 +19,10 @@ allow gnomeclock_t self:process { getattr getsched };
@@ -24434,7 +24526,7 @@ index 4fde46b..078ea24 100644
  
  files_read_etc_files(gnomeclock_t)
  files_read_usr_files(gnomeclock_t)
-@@ -39,6 +42,10 @@ optional_policy(`
+@@ -39,6 +42,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -24442,6 +24534,10 @@ index 4fde46b..078ea24 100644
 +')
 +
 +optional_policy(`
++	ntp_initrc_domtrans(gnomeclock_t)
++')
++
++optional_policy(`
  	policykit_dbus_chat(gnomeclock_t)
  	policykit_domtrans_auth(gnomeclock_t)
  	policykit_read_lib(gnomeclock_t)
@@ -25360,7 +25456,7 @@ index 3525d24..e5db539 100644
  /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..31a6075 100644
+index 604f67b..39b860f 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
 @@ -26,9 +26,9 @@
@@ -25406,7 +25502,33 @@ index 604f67b..31a6075 100644
  	')
  
  	optional_policy(`
-@@ -235,7 +234,7 @@ template(`kerberos_keytab_template',`
+@@ -218,6 +217,25 @@ interface(`kerberos_rw_keytab',`
+ 
+ ########################################
+ ## <summary>
++##	Create keytab file in /etc
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kerberos_etc_filetrans_keytab',`
++	gen_require(`
++		type krb5_keytab_t;
++	')
++
++	allow $1 krb5_keytab_t:file manage_file_perms;
++	files_etc_filetrans($1, krb5_keytab_t, file)
++')
++
++########################################
++## <summary>
+ ##	Create a derived type for kerberos keytab
+ ## </summary>
+ ## <param name="prefix">
+@@ -235,7 +253,7 @@ template(`kerberos_keytab_template',`
  	type $1_keytab_t;
  	files_type($1_keytab_t)
  
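Review bot: The summary of the new `kerberos_etc_filetrans_keytab` says `Create keytab file in /etc`, but the body grants `manage_file_perms` on `krb5_keytab_t:file`, so a caller can also read, overwrite and delete every file with that type. Keytabs hold long-term service keys, so the documentation should state the full grant, e.g. `##	Create, read, write, and delete keytab files, and label files created in /etc as krb5_keytab_t.`. As written, `files_etc_filetrans($1, krb5_keytab_t, file)` carries no file-name restriction, so presumably any regular file the caller creates directly in an /etc directory gets the keytab label. Callers should therefore be domains that create nothing else there.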
@@ -25415,7 +25537,7 @@ index 604f67b..31a6075 100644
  
  	kerberos_read_keytab($2)
  	kerberos_use($2)
-@@ -338,9 +337,8 @@ interface(`kerberos_admin',`
+@@ -338,9 +356,8 @@ interface(`kerberos_admin',`
  		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
  		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
  		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -25426,7 +25548,7 @@ index 604f67b..31a6075 100644
  	')
  
  	allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +376,22 @@ interface(`kerberos_admin',`
+@@ -378,3 +395,22 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -25640,10 +25762,10 @@ index 0000000..485aacc
 +/usr/bin/system-setup-keyboard		--	gen_context(system_u:object_r:keyboardd_exec_t,s0)
 diff --git a/policy/modules/services/keyboardd.if b/policy/modules/services/keyboardd.if
 new file mode 100644
-index 0000000..26391e6
+index 0000000..6134ef2
 --- /dev/null
 +++ b/policy/modules/services/keyboardd.if
-@@ -0,0 +1,21 @@
+@@ -0,0 +1,39 @@
 +
 +## <summary>policy for system-setup-keyboard daemon</summary>
 +
@@ -25665,6 +25787,24 @@ index 0000000..26391e6
 +	domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
 +')
 +
++######################################
++## <summary>
++##  Allow attempts to read  to
++##  keyboardd unnamed pipes.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`keyboardd_read_pipes',`
++    gen_require(`
++            type keyboardd_t;
++	')
++
++    allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
++')
 diff --git a/policy/modules/services/keyboardd.te b/policy/modules/services/keyboardd.te
 new file mode 100644
 index 0000000..a2bf9c3
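Review bot: The summary of the new `keyboardd_read_pipes` is garbled (`Allow attempts to read  to keyboardd unnamed pipes.`), and the interface body is indented with spaces while the `domtrans_pattern` line shown above it in keyboardd.if uses a tab. Suggested summary: `##	Read keyboardd unnamed pipes.`. The rule grants `read_fifo_file_perms` on `keyboardd_t:fifo_file`, so "read" alone describes it.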
@@ -26719,10 +26859,10 @@ index 0000000..6395ec8
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..36d15ad
+index 0000000..5576314
 --- /dev/null
 +++ b/policy/modules/services/mock.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,102 @@
 +policy_module(mock,1.0.0)
 +
 +########################################
@@ -26764,6 +26904,7 @@ index 0000000..36d15ad
 +
 +manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
 +manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
++manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
 +files_var_filetrans(mock_t, mock_cache_t, { dir file } )
 +
 +manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
@@ -28373,7 +28514,7 @@ index 0a0d63c..579f237 100644
  
  ########################################
 diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
-index 8581040..cfcdf10 100644
+index 8581040..2367841 100644
 --- a/policy/modules/services/nagios.if
 +++ b/policy/modules/services/nagios.if
 @@ -12,10 +12,8 @@
@@ -28400,16 +28541,20 @@ index 8581040..cfcdf10 100644
  
  	allow nagios_t nagios_$1_plugin_t:process signal_perms;
  
-@@ -36,6 +36,8 @@ template(`nagios_plugin_template',`
+@@ -36,6 +36,12 @@ template(`nagios_plugin_template',`
  	dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
  	dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
  
++	# FIXME
++	# Probably add nagios_plugin_domain attribute
++	kernel_read_system_state(nagios_$1_plugin_t)
++
 +	files_read_usr_files(nagios_$1_plugin_t)
 +
  	miscfiles_read_localization(nagios_$1_plugin_t)
  ')
  
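Review bot: The `# FIXME` above `kernel_read_system_state(nagios_$1_plugin_t)` in `nagios_plugin_template` does not say what is to be fixed, and the rule now applies to every plugin domain the template creates. The later nagios.te hunks drop the per-domain calls for nagios_mail_plugin_t and nagios_system_plugin_t, but plugin domains that did not have the rule before (this page does not show which) gain read access to /proc system state. A clearer comment would be `# TODO: replace with a nagios_plugin_domain attribute and grant kernel_read_system_state to it in nagios.te`. The template body starts and ends outside this hunk.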
-@@ -49,7 +51,6 @@ template(`nagios_plugin_template',`
+@@ -49,7 +55,6 @@ template(`nagios_plugin_template',`
  ##	Domain to not audit.
  ##	</summary>
  ## </param>
@@ -28417,7 +28562,7 @@ index 8581040..cfcdf10 100644
  #
  interface(`nagios_dontaudit_rw_pipes',`
  	gen_require(`
-@@ -159,6 +160,26 @@ interface(`nagios_read_tmp_files',`
+@@ -159,6 +164,26 @@ interface(`nagios_read_tmp_files',`
  
  ########################################
  ## <summary>
@@ -28444,7 +28589,7 @@ index 8581040..cfcdf10 100644
  ##	Execute the nagios NRPE with
  ##	a domain transition.
  ## </summary>
-@@ -195,11 +216,9 @@ interface(`nagios_domtrans_nrpe',`
+@@ -195,11 +220,9 @@ interface(`nagios_domtrans_nrpe',`
  #
  interface(`nagios_admin',`
  	gen_require(`
@@ -28460,7 +28605,7 @@ index 8581040..cfcdf10 100644
  
  	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..331ad53 100644
+index bf64a4c..f1eff62 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@@ -28532,7 +28677,7 @@ index bf64a4c..331ad53 100644
  
  dev_read_sysfs(nrpe_t)
  dev_read_urand(nrpe_t)
-@@ -270,7 +273,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -270,12 +273,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
  #
  
  allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -28540,7 +28685,12 @@ index bf64a4c..331ad53 100644
  allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
  allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
  allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
-@@ -299,7 +301,7 @@ optional_policy(`
+ 
+-kernel_read_system_state(nagios_mail_plugin_t)
+ kernel_read_kernel_sysctls(nagios_mail_plugin_t)
+ 
+ corecmd_read_bin_files(nagios_mail_plugin_t)
+@@ -299,7 +300,7 @@ optional_policy(`
  
  optional_policy(`
  	postfix_stream_connect_master(nagios_mail_plugin_t)
@@ -28549,7 +28699,7 @@ index bf64a4c..331ad53 100644
  ')
  
  ######################################
-@@ -310,6 +312,9 @@ optional_policy(`
+@@ -310,6 +311,9 @@ optional_policy(`
  # needed by ioctl()
  allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
@@ -28559,7 +28709,7 @@ index bf64a4c..331ad53 100644
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
  fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,10 +328,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  
  allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
  allow nagios_services_plugin_t self:process { signal sigkill };
@@ -28567,12 +28717,7 @@ index bf64a4c..331ad53 100644
  allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
  allow nagios_services_plugin_t self:udp_socket create_socket_perms;
  
-+kernel_read_system_state(nagios_services_plugin_t)
-+
- corecmd_exec_bin(nagios_services_plugin_t)
- 
- corenet_tcp_connect_all_ports(nagios_services_plugin_t)
-@@ -340,6 +346,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
@@ -28581,6 +28726,14 @@ index bf64a4c..331ad53 100644
  ')
  
  optional_policy(`
+@@ -363,7 +368,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+ manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
+ files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
+ 
+-kernel_read_system_state(nagios_system_plugin_t)
+ kernel_read_kernel_sysctls(nagios_system_plugin_t)
+ 
+ corecmd_exec_bin(nagios_system_plugin_t)
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
 index 386543b..1b34e21 100644
 --- a/policy/modules/services/networkmanager.fc
@@ -29169,7 +29322,7 @@ index 23c769c..be5a5b4 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
-index 4e28d58..08ca30e 100644
+index 4e28d58..5b9cf6d 100644
 --- a/policy/modules/services/nslcd.te
 +++ b/policy/modules/services/nslcd.te
 @@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -29190,7 +29343,7 @@ index 4e28d58..08ca30e 100644
  allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
  
  allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -37,6 +37,7 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -37,9 +37,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
  kernel_read_system_state(nslcd_t)
  
  files_read_etc_files(nslcd_t)
@@ -29198,6 +29351,11 @@ index 4e28d58..08ca30e 100644
  
  auth_use_nsswitch(nslcd_t)
  
+ logging_send_syslog_msg(nslcd_t)
+ 
+ miscfiles_read_localization(nslcd_t)
++
++userdom_read_user_tmp_files(nslcd_t)
 diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
 index ded9fb6..9d1e60a 100644
 --- a/policy/modules/services/ntop.te
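Review bot: `userdom_read_user_tmp_files(nslcd_t)` is appended at the end of nslcd.te without a comment, and it lets the LDAP name-service daemon read any file labelled as user temporary content. If the need is a single kind of file (a Kerberos credential cache would be a plausible guess), name it in a comment such as `# <reason, e.g. reads the user's credential cache from /tmp>` so a later audit can check whether a narrower interface fits.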
@@ -31237,7 +31395,7 @@ index 55e62d2..c114a40 100644
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..b87375e 100644
+index 46bee12..9b8c3eb 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -31322,7 +31480,32 @@ index 46bee12..b87375e 100644
  #
  interface(`postfix_stream_connect_master',`
  	gen_require(`
-@@ -462,7 +484,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -416,6 +438,24 @@ interface(`postfix_stream_connect_master',`
+ 
+ ########################################
+ ## <summary>
++##	Allow read/write postfix master pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`postfix_rw_master_pipes',`
++	gen_require(`
++		type postfix_master_t;
++	')
++
++	allow $1 postfix_master_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Execute the master postdrop in the
+ ##	postfix_postdrop domain.
+ ## </summary>
+@@ -462,7 +502,7 @@ interface(`postfix_domtrans_postqueue',`
  ##	</summary>
  ## </param>
  #
@@ -31331,7 +31514,7 @@ index 46bee12..b87375e 100644
  	gen_require(`
  		type postfix_postqueue_exec_t;
  	')
-@@ -529,6 +551,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +569,25 @@ interface(`postfix_domtrans_smtp',`
  
  ########################################
  ## <summary>
@@ -31357,7 +31540,7 @@ index 46bee12..b87375e 100644
  ##	Search postfix mail spool directories.
  ## </summary>
  ## <param name="domain">
-@@ -539,10 +580,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +598,10 @@ interface(`postfix_domtrans_smtp',`
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -31370,7 +31553,7 @@ index 46bee12..b87375e 100644
  	files_search_spool($1)
  ')
  
-@@ -558,10 +599,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +617,10 @@ interface(`postfix_search_spool',`
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -31383,7 +31566,7 @@ index 46bee12..b87375e 100644
  	files_search_spool($1)
  ')
  
-@@ -577,11 +618,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +636,11 @@ interface(`postfix_list_spool',`
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -31397,7 +31580,7 @@ index 46bee12..b87375e 100644
  ')
  
  ########################################
-@@ -596,11 +637,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +655,11 @@ interface(`postfix_read_spool_files',`
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -31411,7 +31594,7 @@ index 46bee12..b87375e 100644
  ')
  
  ########################################
-@@ -621,3 +662,103 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +680,103 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -31516,7 +31699,7 @@ index 46bee12..b87375e 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..a069aae 100644
+index 06e37d4..3703671 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -31683,7 +31866,7 @@ index 06e37d4..a069aae 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -304,9 +330,18 @@ optional_policy(`
+@@ -304,9 +330,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31695,6 +31878,10 @@ index 06e37d4..a069aae 100644
  ')
  
 +optional_policy(`
++	sendmail_rw_pipes(postfix_local_t)
++')
++
++optional_policy(`
 +	zarafa_deliver_domtrans(postfix_local_t)
 +	zarafa_stream_connect_server(postfix_local_t)
 +')
@@ -31702,7 +31889,7 @@ index 06e37d4..a069aae 100644
  ########################################
  #
  # Postfix map local policy
-@@ -390,8 +425,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+@@ -390,8 +429,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
  # Postfix pipe local policy
  #
  
@@ -31712,7 +31899,7 @@ index 06e37d4..a069aae 100644
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -401,6 +436,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +440,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -31721,7 +31908,7 @@ index 06e37d4..a069aae 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +457,7 @@ optional_policy(`
+@@ -420,6 +461,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -31729,7 +31916,7 @@ index 06e37d4..a069aae 100644
  ')
  
  optional_policy(`
-@@ -436,6 +474,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,6 +478,9 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -31739,7 +31926,7 @@ index 06e37d4..a069aae 100644
  rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
  
  postfix_list_spool(postfix_postdrop_t)
-@@ -519,7 +560,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +564,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -31748,7 +31935,7 @@ index 06e37d4..a069aae 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +580,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +584,7 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -31757,7 +31944,7 @@ index 06e37d4..a069aae 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +629,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +633,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -31774,7 +31961,7 @@ index 06e37d4..a069aae 100644
  ')
  
  optional_policy(`
-@@ -611,8 +658,8 @@ optional_policy(`
+@@ -611,8 +662,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -31784,7 +31971,7 @@ index 06e37d4..a069aae 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +677,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +681,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -32149,7 +32336,7 @@ index b524673..9d90fb3 100644
  
  	admin_pattern($1, pptp_var_run_t)
 diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..d32a0d2 100644
+index 2af42e7..74e0984 100644
 --- a/policy/modules/services/ppp.te
 +++ b/policy/modules/services/ppp.te
 @@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -32175,15 +32362,18 @@ index 2af42e7..d32a0d2 100644
  ## </desc>
  gen_tunable(pppd_for_user, false)
  
-@@ -70,7 +70,7 @@ files_pid_file(pptp_var_run_t)
+@@ -70,9 +70,9 @@ files_pid_file(pptp_var_run_t)
  # PPPD Local policy
  #
  
 -allow pppd_t self:capability { kill net_admin setuid setgid fsetid fowner net_raw dac_override };
 +allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override };
  dontaudit pppd_t self:capability sys_tty_config;
- allow pppd_t self:process { getsched signal };
+-allow pppd_t self:process { getsched signal };
++allow pppd_t self:process { getsched setsched signal };
  allow pppd_t self:fifo_file rw_fifo_file_perms;
+ allow pppd_t self:socket create_socket_perms;
+ allow pppd_t self:unix_dgram_socket create_socket_perms;
 @@ -84,11 +84,11 @@ allow pppd_t self:packet_socket create_socket_perms;
  
  domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
@@ -32209,7 +32399,16 @@ index 2af42e7..d32a0d2 100644
  
  allow pppd_t pptp_t:process signal;
  
-@@ -194,6 +195,8 @@ optional_policy(`
+@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
+ init_signal_script(pppd_t)
+ 
+ auth_use_nsswitch(pppd_t)
++auth_domtrans_chk_passwd(pppd_t)
++auth_write_login_records(pppd_t)
+ 
+ logging_send_syslog_msg(pppd_t)
+ logging_send_audit_msgs(pppd_t)
+@@ -194,6 +197,8 @@ optional_policy(`
  
  optional_policy(`
  	mta_send_mail(pppd_t)
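Review bot: The two calls added after `auth_use_nsswitch(pppd_t)` let pppd_t transition into the password-checking helper and write login records unconditionally, and no comment says which pppd setup needs them. The changelog later in this commit ties them, together with the `setsched` added to `self:process` in the previous hunk, to pppd setting up VPNs. A why-comment above the two lines, such as `# VPN logins run unix_chkpwd and record the session in wtmp`, would keep that reasoning next to the rule. pppd_t already holds `setuid`, `sys_admin` and `dac_override`, so it is worth confirming whether the grant could sit behind a tunable rather than apply to every pppd instance.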
@@ -32218,7 +32417,7 @@ index 2af42e7..d32a0d2 100644
  ')
  
  optional_policy(`
-@@ -243,9 +246,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,9 +248,10 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -35665,7 +35864,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..a7f61a3 100644
+index e30bb63..395fafb 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -35678,7 +35877,14 @@ index e30bb63..a7f61a3 100644
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
  
-@@ -230,7 +227,7 @@ optional_policy(`
+@@ -224,13 +221,14 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	kerberos_use(samba_net_t)
++	kerberos_etc_filetrans_keytab(samba_net_t)
+ ')
+ 
+ ########################################
  #
  # smbd Local policy
  #
@@ -35687,7 +35893,7 @@ index e30bb63..a7f61a3 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -263,7 +260,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,7 +261,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -35696,7 +35902,7 @@ index e30bb63..a7f61a3 100644
  
  manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -279,7 +276,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +277,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -35705,7 +35911,7 @@ index e30bb63..a7f61a3 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -323,15 +320,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +321,18 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -35724,7 +35930,7 @@ index e30bb63..a7f61a3 100644
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +343,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +344,7 @@ files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
  # smbd seems to getattr all mountpoints
  files_dontaudit_getattr_all_dirs(smbd_t)
@@ -35732,7 +35938,7 @@ index e30bb63..a7f61a3 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -385,12 +386,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +387,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -35746,7 +35952,7 @@ index e30bb63..a7f61a3 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -445,8 +441,8 @@ optional_policy(`
+@@ -445,8 +442,8 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -35756,7 +35962,7 @@ index e30bb63..a7f61a3 100644
  
  tunable_policy(`samba_export_all_ro',`
  	fs_read_noxattr_fs_files(smbd_t) 
-@@ -462,8 +458,8 @@ tunable_policy(`samba_export_all_rw',`
+@@ -462,8 +459,8 @@ tunable_policy(`samba_export_all_rw',`
  	auth_manage_all_files_except_shadow(smbd_t)
  	fs_read_noxattr_fs_files(nmbd_t) 
  	auth_manage_all_files_except_shadow(nmbd_t)
@@ -35766,7 +35972,7 @@ index e30bb63..a7f61a3 100644
  
  ########################################
  #
-@@ -484,8 +480,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +481,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -35777,7 +35983,7 @@ index e30bb63..a7f61a3 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +557,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +558,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
  
  allow smbcontrol_t nmbd_t:process { signal signull };
@@ -35795,7 +36001,7 @@ index e30bb63..a7f61a3 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -677,7 +674,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +675,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -35804,7 +36010,7 @@ index e30bb63..a7f61a3 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +689,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +690,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -35819,7 +36025,7 @@ index e30bb63..a7f61a3 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +709,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +710,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -35827,7 +36033,7 @@ index e30bb63..a7f61a3 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +754,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +755,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -35836,7 +36042,7 @@ index e30bb63..a7f61a3 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,14 +808,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,14 +809,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -35856,7 +36062,7 @@ index e30bb63..a7f61a3 100644
  
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
-@@ -833,6 +835,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +836,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -35864,7 +36070,7 @@ index e30bb63..a7f61a3 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -922,6 +925,18 @@ optional_policy(`
+@@ -922,6 +926,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -35883,7 +36089,7 @@ index e30bb63..a7f61a3 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +947,12 @@ optional_policy(`
+@@ -932,9 +948,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -36289,10 +36495,10 @@ index adea9f9..d5b2d93 100644
  
  	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 4804f14..6f49778 100644
+index 4804f14..7d09c38 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
-@@ -72,6 +72,7 @@ files_exec_etc_files(fsdaemon_t)
+@@ -72,9 +72,11 @@ files_exec_etc_files(fsdaemon_t)
  files_read_etc_runtime_files(fsdaemon_t)
  # for config
  files_read_etc_files(fsdaemon_t)
@@ -36300,7 +36506,11 @@ index 4804f14..6f49778 100644
  
  fs_getattr_all_fs(fsdaemon_t)
  fs_search_auto_mountpoints(fsdaemon_t)
-@@ -82,6 +83,8 @@ mls_file_read_all_levels(fsdaemon_t)
++fs_read_removable_files(fsdaemon_t)
+ 
+ mls_file_read_all_levels(fsdaemon_t)
+ #mls_rangetrans_target(fsdaemon_t)
+@@ -82,6 +84,8 @@ mls_file_read_all_levels(fsdaemon_t)
  storage_raw_read_fixed_disk(fsdaemon_t)
  storage_raw_write_fixed_disk(fsdaemon_t)
  storage_raw_read_removable_device(fsdaemon_t)
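Review bot: `fs_read_removable_files(fsdaemon_t)` is added without a comment, and neither changelog entry in this commit mentions smartmon. The domain already has raw read access to removable devices in the lines just below, so it is unclear why it also needs to read files on mounted removable filesystems. A one-line comment naming the access that was denied would make the grant reviewable; otherwise it should be held back until the denial is understood.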
@@ -37254,7 +37464,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..784c363 100644
+index 22adaca..2cfaf93 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -37374,7 +37584,7 @@ index 22adaca..784c363 100644
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
-@@ -243,9 +246,8 @@ template(`ssh_server_template', `
+@@ -243,13 +246,17 @@ template(`ssh_server_template', `
  
  	miscfiles_read_localization($1_t)
  
@@ -37385,7 +37595,16 @@ index 22adaca..784c363 100644
  
  	# Allow checking users mail at login
  	mta_getattr_spool($1_t)
-@@ -268,6 +270,14 @@ template(`ssh_server_template', `
+ 
++	tunable_policy(`use_fusefs_home_dirs',`
++		fs_manage_fusefs_dirs($1_t)
++		fs_manage_fusefs_files($1_t)
++	')
++
+ 	tunable_policy(`use_nfs_home_dirs',`
+ 		fs_read_nfs_files($1_t)
+ 		fs_read_nfs_symlinks($1_t)
+@@ -268,6 +275,14 @@ template(`ssh_server_template', `
  		files_read_var_lib_symlinks($1_t)
  		nx_spec_domtrans_server($1_t)
  	')
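Review bot: The new `use_fusefs_home_dirs` block gives the server domain `fs_manage_fusefs_dirs($1_t)` and `fs_manage_fusefs_files($1_t)`, while the `use_nfs_home_dirs` block directly below it grants only `fs_read_nfs_files($1_t)` and `fs_read_nfs_symlinks($1_t)`. If the daemon only has to read key material from a FUSE-mounted home, the narrower pair `fs_read_fusefs_files($1_t)` and `fs_read_fusefs_symlinks($1_t)` would match the NFS case and limit what the network-facing daemon can create or delete in user homes. If write access really is required, a comment naming what the server writes there would justify the difference. The block also leaves out symlinks, which the NFS branch covers. The enclosing `ssh_server_template` starts and ends outside the hunk.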
@@ -37400,7 +37619,7 @@ index 22adaca..784c363 100644
  ')
  
  ########################################
-@@ -290,11 +300,11 @@ template(`ssh_server_template', `
+@@ -290,11 +305,11 @@ template(`ssh_server_template', `
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -37413,7 +37632,7 @@ index 22adaca..784c363 100644
  		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
  		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
  		type ssh_agent_tmp_t;
-@@ -327,7 +337,7 @@ template(`ssh_role_template',`
+@@ -327,7 +342,7 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -37422,7 +37641,7 @@ index 22adaca..784c363 100644
  
  	# for rsync
  	allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +348,7 @@ template(`ssh_role_template',`
+@@ -338,6 +353,7 @@ template(`ssh_role_template',`
  	manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
  	manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
  	userdom_search_user_home_dirs($1_t)
@@ -37430,7 +37649,7 @@ index 22adaca..784c363 100644
  
  	##############################
  	#
-@@ -359,7 +370,7 @@ template(`ssh_role_template',`
+@@ -359,7 +375,7 @@ template(`ssh_role_template',`
  	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
  
  	# Allow the user shell to signal the ssh program.
@@ -37439,7 +37658,7 @@ index 22adaca..784c363 100644
  
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +392,6 @@ template(`ssh_role_template',`
+@@ -381,7 +397,6 @@ template(`ssh_role_template',`
  
  	files_read_etc_files($1_ssh_agent_t)
  	files_read_etc_runtime_files($1_ssh_agent_t)
@@ -37447,7 +37666,7 @@ index 22adaca..784c363 100644
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -398,9 +408,6 @@ template(`ssh_role_template',`
+@@ -398,9 +413,6 @@ template(`ssh_role_template',`
  	# for the transition back to normal privs upon exec
  	userdom_search_user_home_content($1_ssh_agent_t)
  	userdom_user_home_domtrans($1_ssh_agent_t, $3)
@@ -37457,7 +37676,7 @@ index 22adaca..784c363 100644
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +484,9 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +489,9 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
@@ -37468,7 +37687,7 @@ index 22adaca..784c363 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +502,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +507,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -37477,7 +37696,7 @@ index 22adaca..784c363 100644
  ')
  
  ########################################
-@@ -586,6 +594,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +599,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -37502,7 +37721,7 @@ index 22adaca..784c363 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +644,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +649,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -37511,7 +37730,7 @@ index 22adaca..784c363 100644
  	files_search_pids($1)
  ')
  
-@@ -695,7 +721,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +726,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -37520,7 +37739,7 @@ index 22adaca..784c363 100644
  ')
  
  ######################################
-@@ -735,3 +761,21 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +766,21 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -37543,7 +37762,7 @@ index 22adaca..784c363 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..1d1b95f 100644
+index 2dad3c8..7230490 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -37677,7 +37896,7 @@ index 2dad3c8..1d1b95f 100644
  
  seutil_read_config(ssh_t)
  
-@@ -169,14 +175,13 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
+@@ -169,14 +175,18 @@ userdom_dontaudit_list_user_home_dirs(ssh_t)
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -37693,10 +37912,15 @@ index 2dad3c8..1d1b95f 100644
 -	allow ssh_keysign_t ssh_t:process sigchld;
 -	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
 +	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++	fs_manage_fusefs_dirs(ssh_t)
++	fs_manage_fusefs_files(ssh_t)
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -200,6 +205,57 @@ optional_policy(`
+@@ -200,6 +210,57 @@ optional_policy(`
  	xserver_domtrans_xauth(ssh_t)
  ')
  
@@ -37754,7 +37978,7 @@ index 2dad3c8..1d1b95f 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +265,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,7 +270,7 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -37763,7 +37987,7 @@ index 2dad3c8..1d1b95f 100644
  
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +288,43 @@ optional_policy(`
+@@ -232,33 +293,43 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -37816,7 +38040,7 @@ index 2dad3c8..1d1b95f 100644
  ')
  
  optional_policy(`
-@@ -266,11 +332,24 @@ optional_policy(`
+@@ -266,11 +337,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37842,7 +38066,7 @@ index 2dad3c8..1d1b95f 100644
  ')
  
  optional_policy(`
-@@ -284,6 +363,11 @@ optional_policy(`
+@@ -284,6 +368,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37854,7 +38078,7 @@ index 2dad3c8..1d1b95f 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +376,26 @@ optional_policy(`
+@@ -292,26 +381,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -37900,7 +38124,7 @@ index 2dad3c8..1d1b95f 100644
  ') dnl endif TODO
  
  ########################################
-@@ -324,7 +408,6 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -324,7 +413,6 @@ tunable_policy(`ssh_sysadm_login',`
  
  dontaudit ssh_keygen_t self:capability sys_tty_config;
  allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
@@ -37908,7 +38132,7 @@ index 2dad3c8..1d1b95f 100644
  allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
  
  allow ssh_keygen_t sshd_key_t:file manage_file_perms;
-@@ -353,10 +436,6 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,10 +441,6 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -39310,7 +39534,7 @@ index 7c5d8d8..5e2f264 100644
 +	dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
 +')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..d81582c 100644
+index 3eca020..931c98d 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -39515,8 +39739,9 @@ index 3eca020..d81582c 100644
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
 -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
 -
+-allow virtd_t self:fifo_file rw_fifo_file_perms;
 +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
- allow virtd_t self:fifo_file rw_fifo_file_perms;
++allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
  allow virtd_t self:tcp_socket create_stream_socket_perms;
  allow virtd_t self:tun_socket create_socket_perms;
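Review bot: The replacement rule on `virtd_t self:fifo_file` widens `rw_fifo_file_perms` to `manage_fifo_file_perms` in addition to adding the relabel permissions, whereas the changelog only says that virt relabels fifo_files. If relabelling is the whole requirement, `allow virtd_t self:fifo_file { rw_fifo_file_perms relabelfrom relabelto };` keeps the grant to what was asked for. Because the rule is on `self`, it covers only pipes labelled virtd_t. Relabelling a pipe to a guest type would need a matching rule on that type, which this hunk does not show.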
@@ -40255,7 +40480,7 @@ index 6f1e3c7..ecfe665 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..06e7dd4 100644
+index da2601a..223cc80 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -40666,7 +40891,7 @@ index da2601a..06e7dd4 100644
  ')
  
  ########################################
-@@ -805,7 +888,25 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +888,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -40689,11 +40914,12 @@ index da2601a..06e7dd4 100644
 +        type xdm_var_run_t;
 +    ')
 +
++	dontaudit $1 xdm_var_run_t:dir search_dir_perms;
 +    dontaudit $1 xdm_var_run_t:file read_file_perms;
  ')
  
  ########################################
-@@ -897,7 +998,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +999,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -40702,7 +40928,7 @@ index da2601a..06e7dd4 100644
  ')
  
  ########################################
-@@ -916,7 +1017,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1018,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -40711,7 +40937,7 @@ index da2601a..06e7dd4 100644
  ')
  
  ########################################
-@@ -963,6 +1064,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1065,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -40757,7 +40983,7 @@ index da2601a..06e7dd4 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1116,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1117,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -40766,7 +40992,7 @@ index da2601a..06e7dd4 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1178,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1179,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -40809,7 +41035,7 @@ index da2601a..06e7dd4 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1228,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1229,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -40818,7 +41044,7 @@ index da2601a..06e7dd4 100644
  ')
  
  ########################################
-@@ -1070,8 +1246,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1247,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -40830,7 +41056,7 @@ index da2601a..06e7dd4 100644
  ')
  
  ########################################
-@@ -1185,6 +1363,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1364,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -40857,7 +41083,7 @@ index da2601a..06e7dd4 100644
  ')
  
  ########################################
-@@ -1210,7 +1408,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1409,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -40866,7 +41092,7 @@ index da2601a..06e7dd4 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1418,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1419,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -40891,7 +41117,7 @@ index da2601a..06e7dd4 100644
  ')
  
  ########################################
-@@ -1243,10 +1451,393 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1452,393 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -47467,7 +47693,7 @@ index 2cc4bda..9e81136 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..d95624d 100644
+index 170e2c7..540a936 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',`
@@ -47487,8 +47713,8 @@ index 170e2c7..d95624d 100644
  	auth_run_upd_passwd(newrole_t, $2)
 +
 +	optional_policy(`
-+        namespace_init_run(newrole_t, $2)
-+    ')
++	        namespace_init_run(newrole_t, $2)
++	')
  ')
  
  ########################################
@@ -49219,7 +49445,7 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..20a28e7 100644
+index 416e668..bd2ec2e 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,27 +12,33 @@
@@ -49235,13 +49461,14 @@ index 416e668..20a28e7 100644
  
  	# Use any Linux capability.
 -	allow $1 self:capability *;
+-	allow $1 self:fifo_file manage_fifo_file_perms;
 +	allow $1 self:capability ~sys_module;
- 	allow $1 self:fifo_file manage_fifo_file_perms;
- 
++	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
++
 +	if (!secure_mode_insmod) {
 +		allow $1 self:capability sys_module;
 +	}
-+
+ 
  	# Transition to myself, to make get_ordered_context_list happy.
  	allow $1 self:process transition;
  
@@ -49968,7 +50195,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..1af5d77 100644
+index 28b88de..97b04f2 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -51573,7 +51800,7 @@ index 28b88de..1af5d77 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3139,3 +3509,1041 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3509,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -52287,7 +52514,6 @@ index 28b88de..1af5d77 100644
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
 +interface(`userdom_read_home_certs',`
 +	gen_require(`
@@ -52300,6 +52526,24 @@ index 28b88de..1af5d77 100644
 +	read_lnk_files_pattern($1, home_cert_t, home_cert_t)
 +')
 +
++#######################################
++## <summary>
++##  Dontaudit Write system SSL certificates in the users homedir.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`userdom_dontaudit_write_home_certs',`
++    gen_require(`
++        type home_cert_t;
++    ')
++
++    dontaudit $1 home_cert_t:file write;
++')
++
 +########################################
 +## <summary>
 +##	dontaudit Search getatrr /root files
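Review bot: The documentation of the new `userdom_dontaudit_write_home_certs` interface describes its parameter as `Domain allowed access.`, although the interface grants nothing and only suppresses audit records. `Domain to not audit.` would be accurate, and the summary could read `Do not audit attempts to write SSL certificates in the user home directory.` Because the rule silences `write` denials on `home_cert_t` files, callers lose the audit trail for attempts to modify user certificates, so the summary should state which benign access pattern it is meant to hide. The block is also indented with spaces where the interfaces around it use tabs.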
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cfc84d3..6a4792b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.13
-Release: 4%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,27 @@ exit 0
 %endif
 
 %changelog
+* Thu Jan 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-6
+- Fix xserver_dontaudit_read_xdm_pid
+- Change oracle_port_t to oracledb_port_t to prevent conflict with satellite
+- Allow dovecot_deliver_t to read/write postfix_master_t:fifo_file. 
+	* These fifo_file is passed from postfix_master_t to postfix_local_t to dovecot_deliver_t
+- Allow readahead to manage readahead pid dirs
+- Allow readahead to read all mcs levels
+- Allow mozilla_plugin_t to use nfs or samba homedirs
+
+* Wed Jan 25 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-5
+- Allow nagios plugin to read /proc/meminfo
+- Fix for mozilla_plugin
+- Allow samba_net_t to create /etc/keytab
+- pppd_t setting up vpns needs to run unix_chkpwd, setsched its process and write wtmp_t
+- nslcd can read user credentials
+- Allow nsplugin to delete mozilla_plugin_tmpfs_t
+- abrt tries to create dir in rpm_var_lib_t
+- virt relabels fifo_files
+- sshd needs to manage content in fusefs homedir
+- mock manages link files in cache dir
+
 * Fri Jan 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-4
 - nslcd needs setsched and to read /usr/tmp
 - Invalid call in likewise policy ends up creating a bogus role