diff --git a/policy-F16.patch b/policy-F16.patch
index 5fd713e..02d58d6 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1966,7 +1966,7 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
-index b206bf6..bbd902f 100644
+index b206bf6..b11df05 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -7,6 +7,7 @@
@@ -1977,9 +1977,11 @@ index b206bf6..bbd902f 100644
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
-@@ -25,8 +26,12 @@ ifdef(`distro_redhat', `
+@@ -24,9 +25,14 @@ ifdef(`distro_redhat', `
+ /usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1990,7 +1992,7 @@ index b206bf6..bbd902f 100644
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-@@ -36,6 +41,8 @@ ifdef(`distro_redhat', `
+@@ -36,6 +42,8 @@ ifdef(`distro_redhat', `
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
@@ -2196,7 +2198,7 @@ index d33daa8..8ba0f86 100644
+ allow rpm_script_t $1:process sigchld;
+')
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..fdbf07c 100644
+index 47a8f7d..0d42e00 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,11 @@
@@ -2212,16 +2214,17 @@ index 47a8f7d..fdbf07c 100644
type debuginfo_exec_t;
domain_entry_file(rpm_t, debuginfo_exec_t)
-@@ -76,6 +77,8 @@ allow rpm_t self:shm create_shm_perms;
+@@ -76,6 +77,9 @@ allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
+allow rpm_t self:dir search;
+allow rpm_t self:file rw_file_perms;;
++allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -101,13 +104,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+@@ -101,13 +105,16 @@ files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
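Review bot: The new rule `allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;` carries no comment saying which rpm operation needs a uevent socket, while the rpm_script_t hunk later in this same patch annotates its new network rule with `# needed by rhn_check`; add a matching one-line why-comment above the rule. The adjacent context line `allow rpm_t self:file rw_file_perms;;` has a doubled semicolon; if that is not a rendering artifact, drop the extra `;` while this block is being edited. The rpm_t rule set continues outside the hunk.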
@@ -2239,7 +2242,7 @@ index 47a8f7d..fdbf07c 100644
corecmd_exec_all_executables(rpm_t)
-@@ -127,6 +133,18 @@ corenet_sendrecv_all_client_packets(rpm_t)
+@@ -127,6 +134,18 @@ corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
@@ -2258,7 +2261,7 @@ index 47a8f7d..fdbf07c 100644
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
-@@ -154,8 +172,8 @@ storage_raw_read_fixed_disk(rpm_t)
+@@ -154,8 +173,8 @@ storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
@@ -2269,7 +2272,7 @@ index 47a8f7d..fdbf07c 100644
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
-@@ -173,11 +191,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
+@@ -173,11 +192,13 @@ domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
@@ -2283,7 +2286,7 @@ index 47a8f7d..fdbf07c 100644
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -189,7 +209,7 @@ logging_send_syslog_msg(rpm_t)
+@@ -189,7 +210,7 @@ logging_send_syslog_msg(rpm_t)
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
@@ -2292,7 +2295,7 @@ index 47a8f7d..fdbf07c 100644
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
-@@ -207,6 +227,7 @@ optional_policy(`
+@@ -207,6 +228,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
@@ -2300,7 +2303,7 @@ index 47a8f7d..fdbf07c 100644
')
optional_policy(`
-@@ -214,7 +235,7 @@ optional_policy(`
+@@ -214,7 +236,7 @@ optional_policy(`
')
optional_policy(`
@@ -2309,15 +2312,26 @@ index 47a8f7d..fdbf07c 100644
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
-@@ -261,6 +282,7 @@ kernel_read_crypto_sysctls(rpm_script_t)
+@@ -257,12 +279,18 @@ manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ can_exec(rpm_script_t, rpm_script_tmpfs_t)
+
++allow rpm_script_t rpm_t:netlink_route_socket { read write };
++
+ kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
+kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
++# needed by rhn_check
++corenet_tcp_connect_http_port(rpm_script_t)
++
dev_list_sysfs(rpm_script_t)
-@@ -299,15 +321,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
+
+ # ideally we would not need this
+@@ -299,15 +327,17 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
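Review bot: `allow rpm_script_t rpm_t:netlink_route_socket { read write };` lets every package scriptlet read and write a routing socket that rpm_t opened, which looks like use of a descriptor leaked across the domain transition rather than an intended hand-off; unless rpm passes that socket deliberately, the usual handling is to close it in rpm_t or silence the denial with `dontaudit rpm_script_t rpm_t:netlink_route_socket { read write };`, and either way a comment should say which is the case. `corenet_tcp_connect_http_port(rpm_script_t)` is likewise unconditional for all scriptlets; the comment attributes it to rhn_check, but the rpm.fc hunk above labels rhn_check as rpm_exec_t, so it would normally run as rpm_t — confirm which domain actually makes the connection and, if it really is a scriptlet, consider gating the rule on a tunable. The rpm_script_t block continues outside the hunk.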
@@ -2338,7 +2352,7 @@ index 47a8f7d..fdbf07c 100644
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -332,18 +356,18 @@ logging_send_syslog_msg(rpm_script_t)
+@@ -332,18 +362,18 @@ logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
@@ -2360,7 +2374,7 @@ index 47a8f7d..fdbf07c 100644
')
')
-@@ -368,6 +392,11 @@ optional_policy(`
+@@ -368,6 +398,11 @@ optional_policy(`
')
optional_policy(`
@@ -2372,7 +2386,7 @@ index 47a8f7d..fdbf07c 100644
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -377,8 +406,9 @@ optional_policy(`
+@@ -377,8 +412,9 @@ optional_policy(`
')
optional_policy(`
@@ -3692,10 +3706,10 @@ index 0000000..bacc639
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..9f6478c
+index 0000000..22ddda5
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,124 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -3810,6 +3824,13 @@ index 0000000..9f6478c
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
++tunable_policy(`use_fusefs_home_dirs',`
++ fs_search_fusefs(chrome_sandbox_t)
++ fs_read_fusefs_files(chrome_sandbox_t)
++ fs_exec_fusefs_files(chrome_sandbox_t)
++ fs_read_fusefs_symlinks(chrome_sandbox_t)
++')
++
+optional_policy(`
+ sandbox_use_ptys(chrome_sandbox_t)
+')
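Review bot: The new `use_fusefs_home_dirs` block grants `fs_exec_fusefs_files(chrome_sandbox_t)`, so the sandbox helper may execute content from a user-mounted FUSE filesystem; if it only needs to reach the browser binary and profile, search/read may suffice, so confirm the exec grant against the nfs/cifs blocks above, whose bodies are outside this hunk. The visible cifs block ends with `fs_dontaudit_append_cifs_files(chrome_sandbox_t)` and the fusefs block has no append dontaudit counterpart; if this tree provides an equivalent for fusefs, add it for consistency, otherwise expect audit noise when the tunable is on. A one-line comment naming the use case (home directory mounted via FUSE) would help the next reader.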
@@ -13610,7 +13631,7 @@ index 6a1e4d1..cf3d50b 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..da927bb 100644
+index fae1ab1..1c54937 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -13623,7 +13644,7 @@ index fae1ab1..da927bb 100644
+##
+##
+#
-+gen_tunable(allow_domain_fd_use, false)
++gen_tunable(allow_domain_fd_use, true)
+
+##
+##
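Review bot: Flipping `gen_tunable(allow_domain_fd_use, true)` makes descriptor sharing between domains the shipped default, so whatever rule this boolean guards (outside the hunk) now applies unless an administrator turns it off; a default that widens access needs its rationale recorded in the tunable's description, and the description lines in this hunk appear to carry no text (possibly stripped in rendering). State there what the boolean permits and why it defaults to on, e.g. a summary line such as `## Allow all domains to use inherited file descriptors from other domains (default on for compatibility).`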
@@ -13908,7 +13929,7 @@ index c19518a..b630279c 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..367d234 100644
+index ff006ea..ff0c14f 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -14048,7 +14069,32 @@ index ff006ea..367d234 100644
')
########################################
-@@ -1848,7 +1934,7 @@ interface(`files_boot_filetrans',`
+@@ -1660,6 +1746,24 @@ interface(`files_delete_root_dir_entry',`
+
+ ########################################
+ ##
++## Set attributes of the root directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_root_dirs',`
++ gen_require(`
++ type root_t;
++ ')
++
++ allow $1 root_t:dir setattr_dir_perms;
++')
++
++########################################
++##
+ ## Unmount a rootfs filesystem.
+ ##
+ ##
+@@ -1848,7 +1952,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
@@ -14057,7 +14103,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -2372,6 +2458,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2476,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -14082,7 +14128,7 @@ index ff006ea..367d234 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2451,7 +2555,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2573,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -14091,7 +14137,7 @@ index ff006ea..367d234 100644
##
##
#
-@@ -2525,6 +2629,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2647,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -14116,7 +14162,7 @@ index ff006ea..367d234 100644
## Execute generic files in /etc.
##
##
-@@ -2624,7 +2746,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2764,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
@@ -14125,7 +14171,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -2680,24 +2802,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2820,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -14150,7 +14196,7 @@ index ff006ea..367d234 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -2738,6 +2842,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2860,24 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -14175,7 +14221,7 @@ index ff006ea..367d234 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -2775,6 +2897,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2915,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -14183,7 +14229,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -3364,7 +3487,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3505,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
@@ -14192,7 +14238,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -3502,20 +3625,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3643,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -14236,7 +14282,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -3900,6 +4041,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4059,99 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -14336,7 +14382,7 @@ index ff006ea..367d234 100644
########################################
##
## Allow the specified type to associate
-@@ -3945,7 +4179,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4197,7 @@ interface(`files_getattr_tmp_dirs',`
##
##
##
@@ -14345,7 +14391,7 @@ index ff006ea..367d234 100644
##
##
#
-@@ -4017,7 +4251,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4269,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -14354,7 +14400,7 @@ index ff006ea..367d234 100644
##
##
#
-@@ -4029,6 +4263,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4281,24 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -14379,7 +14425,7 @@ index ff006ea..367d234 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4085,6 +4337,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4355,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -14412,11 +14458,79 @@ index ff006ea..367d234 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4139,6 +4417,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,7 +4435,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
+-## Set the attributes of all tmp directories.
+## Relabel a dir from the type used in /tmp.
+ ##
+ ##
+ ##
+@@ -4147,17 +4443,17 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##
+ ##
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir { search_dir_perms setattr };
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## List all tmp directories.
++## Relabel a file from the type used in /tmp.
+ ##
+ ##
+ ##
+@@ -4165,33 +4461,69 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##
+ ##
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Relabel to and from all temporary
+-## directory types.
++## Set the attributes of all tmp directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+- type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
++ allow $1 tmpfile:dir { search_dir_perms setattr };
++')
++
++########################################
++##
++## List all tmp directories.
+##
+##
+##
@@ -14424,38 +14538,37 @@ index ff006ea..367d234 100644
+##
+##
+#
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_list_all_tmp',`
+ gen_require(`
-+ type tmp_t;
++ attribute tmpfile;
+ ')
+
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++ allow $1 tmpfile:dir list_dir_perms;
+')
+
+########################################
+##
-+## Relabel a file from the type used in /tmp.
++## Relabel to and from all temporary
++## directory types.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
-+ type tmp_t;
++ attribute tmpfile;
++ type var_t;
+ ')
+
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
- ## Set the attributes of all tmp directories.
- ##
- ##
-@@ -4202,7 +4516,7 @@ interface(`files_relabel_all_tmp_dirs',`
++ allow $1 var_t:dir search_dir_perms;
+ relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+
+@@ -4202,7 +4534,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -14464,7 +14577,7 @@ index ff006ea..367d234 100644
##
##
#
-@@ -4262,7 +4576,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4594,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -14473,7 +14586,7 @@ index ff006ea..367d234 100644
##
##
#
-@@ -4318,7 +4632,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4650,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -14482,7 +14595,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -4342,6 +4656,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4674,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -14499,7 +14612,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -4681,7 +5005,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5023,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -14508,7 +14621,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5084,7 +5408,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5426,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -14517,7 +14630,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5219,7 +5543,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5561,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -14526,11 +14639,10 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5304,7 +5628,26 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5646,25 @@ interface(`files_manage_mounttab',`
########################################
##
--## Search the locks directory (/var/lock).
+## List generic lock directories.
+##
+##
@@ -14550,11 +14662,10 @@ index ff006ea..367d234 100644
+
+########################################
+##
-+## Search the locks directory (/var/lock).
+ ## Search the locks directory (/var/lock).
##
##
- ##
-@@ -5317,6 +5660,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5678,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -14563,7 +14674,7 @@ index ff006ea..367d234 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5681,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5699,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -14579,7 +14690,7 @@ index ff006ea..367d234 100644
##
##
##
-@@ -5349,12 +5696,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5714,30 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -14591,8 +14702,7 @@ index ff006ea..367d234 100644
+ files_search_locks($1)
+ allow $1 var_lock_t:dir create_dir_perms;
+')
-
-- list_dirs_pattern($1, var_t, var_lock_t)
++
+########################################
+##
+## Set the attributes of the /var/lock directory.
@@ -14607,12 +14717,13 @@ index ff006ea..367d234 100644
+ gen_require(`
+ type var_lock_t;
+ ')
-+
+
+- list_dirs_pattern($1, var_t, var_lock_t)
+ allow $1 var_lock_t:dir setattr;
')
########################################
-@@ -5373,6 +5738,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5756,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -14620,7 +14731,7 @@ index ff006ea..367d234 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +5751,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5769,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
##
##
@@ -14628,7 +14739,7 @@ index ff006ea..367d234 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +5777,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5795,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -14637,7 +14748,7 @@ index ff006ea..367d234 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +5793,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5811,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -14654,7 +14765,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5452,7 +5817,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5835,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -14663,7 +14774,7 @@ index ff006ea..367d234 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +5858,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5876,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -14672,7 +14783,7 @@ index ff006ea..367d234 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5880,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5898,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -14681,7 +14792,7 @@ index ff006ea..367d234 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +5912,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +5930,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -14692,7 +14803,7 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5608,6 +5973,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +5991,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -14736,7 +14847,7 @@ index ff006ea..367d234 100644
########################################
##
## Do not audit attempts to search
-@@ -5736,7 +6138,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6156,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -14745,190 +14856,380 @@ index ff006ea..367d234 100644
')
########################################
-@@ -5815,6 +6217,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6235,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
+-## Read all process ID files.
+## Relable all pid directories
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_read_all_pids',`
+interface(`files_relabel_all_pid_dirs',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t;
+ ')
+
+- list_dirs_pattern($1, var_t, pidfile)
+- read_files_pattern($1, pidfile, pidfile)
+ relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Mount filesystems on all polyinstantiation
+-## member directories.
+## Delete all pid sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5845,42 +6261,35 @@ interface(`files_read_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_mounton_all_poly_members',`
+interface(`files_delete_all_pid_sockets',`
-+ gen_require(`
+ gen_require(`
+- attribute polymember;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 polymember:dir mounton;
+ allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Delete all process IDs.
+## Create all pid sockets
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_delete_all_pids',`
+interface(`files_create_all_pid_sockets',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t, var_run_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- allow $1 var_run_t:dir rmdir;
+- allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+- delete_files_pattern($1, pidfile, pidfile)
+- delete_fifo_files_pattern($1, pidfile, pidfile)
+- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Delete all process ID directories.
+## Create all pid named pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5888,20 +6297,17 @@ interface(`files_delete_all_pids',`
+ ##
+ ##
+ #
+-interface(`files_delete_all_pid_dirs',`
+interface(`files_create_all_pid_pipes',`
-+ gen_require(`
-+ attribute pidfile;
-+ ')
-+
+ gen_require(`
+ attribute pidfile;
+- type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- delete_dirs_pattern($1, pidfile, pidfile)
+ allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Search the contents of generic spool
+-## directories (/var/spool).
+## Delete all pid named pipes
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5909,56 +6315,59 @@ interface(`files_delete_all_pid_dirs',`
+ ##
+ ##
+ #
+-interface(`files_search_spool',`
+interface(`files_delete_all_pid_pipes',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- search_dirs_pattern($1, var_t, var_spool_t)
+ allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to search generic
+-## spool directories.
+## manage all pidfile directories
+## in the /var/run directory.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain to not audit.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`files_dontaudit_search_spool',`
+interface(`files_manage_all_pid_dirs',`
-+ gen_require(`
+ gen_require(`
+- type var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- dontaudit $1 var_spool_t:dir search_dir_perms;
+ manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
+ ')
+
+
-+########################################
-+##
- ## Read all process ID files.
+ ########################################
+ ##
+-## List the contents of generic spool
+-## (/var/spool) directories.
++## Read all process ID files.
##
##
-@@ -5832,6 +6344,62 @@ interface(`files_read_all_pids',`
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_list_spool',`
++interface(`files_read_all_pids',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute pidfile;
++ type var_t;
+ ')
- list_dirs_pattern($1, var_t, pidfile)
- read_files_pattern($1, pidfile, pidfile)
+- list_dirs_pattern($1, var_t, var_spool_t)
++ list_dirs_pattern($1, var_t, pidfile)
++ read_files_pattern($1, pidfile, pidfile)
+ read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool directories (/var/spool).
+## Relable all pid files
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5966,18 +6375,17 @@ interface(`files_list_spool',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool_dirs',`
+interface(`files_relabel_all_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_dirs_pattern($1, var_spool_t, var_spool_t)
+ relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read generic spool files.
+## Execute generic programs in /var/run in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -5985,19 +6393,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ##
+ ##
+ #
+-interface(`files_read_generic_spool',`
+interface(`files_exec_generic_pid_files',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ type var_run_t;
-+ ')
-+
+ ')
+
+- list_dirs_pattern($1, var_t, var_spool_t)
+- read_files_pattern($1, var_spool_t, var_spool_t)
+ exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete generic
+-## spool files.
+## manage all pidfiles
+## in the /var/run directory.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6005,104 +6412,61 @@ interface(`files_read_generic_spool',`
+ ##
+ ##
+ #
+-interface(`files_manage_generic_spool',`
+interface(`files_manage_all_pids',`
-+ gen_require(`
+ gen_require(`
+- type var_t, var_spool_t;
+ attribute pidfile;
-+ ')
-+
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- manage_files_pattern($1, var_spool_t, var_spool_t)
+ manage_files_pattern($1,pidfile,pidfile)
')
########################################
-@@ -5900,6 +6468,90 @@ interface(`files_delete_all_pid_dirs',`
+ ##
+-## Create objects in the spool directory
+-## with a private type with a type transition.
++## Mount filesystems on all polyinstantiation
++## member directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+-##
+-## Type to which the created node will be transitioned.
+-##
+-##
+-##
+-##
+-## Object class(es) (single or set including {}) for which this
+-## the transition will occur.
+-##
+-##
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_mounton_all_poly_members',`
+ gen_require(`
+- type var_t, var_spool_t;
++ attribute polymember;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- filetrans_pattern($1, var_spool_t, $2, $3)
++ allow $1 polymember:dir mounton;
+ ')
+
+ ########################################
+ ##
+-## Allow access to manage all polyinstantiated
+-## directories on the system.
++## Delete all process IDs.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pids',`
+ gen_require(`
+- attribute polydir, polymember, polyparent;
+- type poly_t;
++ attribute pidfile;
++ type var_t, var_run_t;
+ ')
+
+- # Need to give access to /selinux/member
+- selinux_compute_member($1)
+-
+- # Need sys_admin capability for mounting
+- allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+- # Need to give access to the directories to be polyinstantiated
+- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+- # Need to give access to the polyinstantiated subdirectories
+- allow $1 polymember:dir search_dir_perms;
+-
+- # Need to give access to parent directories where original
+- # is remounted for polyinstantiation aware programs (like gdm)
+- allow $1 polyparent:dir { getattr mounton };
+-
+- # Need to give permission to create directories where applicable
+- allow $1 self:process setfscreate;
+- allow $1 polymember: dir { create setattr relabelto };
+- allow $1 polydir: dir { write add_name open };
+- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+- # Default type for mountpoints
+- allow $1 poly_t:dir { create mounton };
+- fs_unmount_xattr_fs($1)
+-
+- fs_mount_tmpfs($1)
+- fs_unmount_tmpfs($1)
+-
+- ifdef(`distro_redhat',`
+- # namespace.init
+- files_search_tmp($1)
+- files_search_home($1)
+- corecmd_exec_bin($1)
+- seutil_domtrans_setfiles($1)
+- ')
++ allow $1 var_t:dir search_dir_perms;
++ allow $1 var_run_t:dir rmdir;
++ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++ delete_files_pattern($1, pidfile, pidfile)
++ delete_fifo_files_pattern($1, pidfile, pidfile)
++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
+ ')
########################################
##
+-## Unconfined access to files.
++## Delete all process ID directories.
+ ##
+ ##
+ ##
+@@ -6110,10 +6474,597 @@ interface(`files_polyinstantiate_all',`
+ ##
+ ##
+ #
+-interface(`files_unconfined',`
++interface(`files_delete_all_pid_dirs',`
++ gen_require(`
++ attribute pidfile;
++ type var_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ delete_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++##
+## Make the specified type a file
+## used for spool files.
+##
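Review bot: On the new side `manage_dirs_pattern($1,pidfile,pidfile)` and `manage_files_pattern($1,pidfile,pidfile)` omit the space after each comma that every other pattern call in this file uses; write them as `manage_dirs_pattern($1, pidfile, pidfile)` and `manage_files_pattern($1, pidfile, pidfile)`. The summaries `## Relable all pid directories` and `## Relable all pid files` misspell "Relabel". The regenerated hunk also removes the header line of the `files_unconfined` interface and its re-addition is not visible here; confirm the interface still exists once the patch applies, since the inner hunk continues past this point. `files_exec_generic_pid_files` grants execution of var_run_t files, a location many daemons can write to; a caveat to that effect in its description would help callers judge the risk.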
@@ -15013,19 +15314,220 @@ index ff006ea..367d234 100644
+
+########################################
+##
- ## Search the contents of generic spool
- ## directories (/var/spool).
- ##
-@@ -6042,7 +6694,7 @@ interface(`files_spool_filetrans',`
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3)
++## Search the contents of generic spool
++## directories (/var/spool).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_search_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++##
++## Do not audit attempts to search generic
++## spool directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_search_spool',`
++ gen_require(`
++ type var_spool_t;
++ ')
++
++ dontaudit $1 var_spool_t:dir search_dir_perms;
++')
++
++########################################
++##
++## List the contents of generic spool
++## (/var/spool) directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_list_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## spool directories (/var/spool).
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_spool_dirs',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Read generic spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_read_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ list_dirs_pattern($1, var_t, var_spool_t)
++ read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Create, read, write, and delete generic
++## spool files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_manage_generic_spool',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++##
++## Create objects in the spool directory
++## with a private type with a type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Type to which the created node will be transitioned.
++##
++##
++##
++##
++## Object class(es) (single or set including {}) for which this
++## the transition will occur.
++##
++##
++#
++interface(`files_spool_filetrans',`
++ gen_require(`
++ type var_t, var_spool_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
- ')
-
- ########################################
-@@ -6117,3 +6769,284 @@ interface(`files_unconfined',`
++')
++
++########################################
++##
++## Allow access to manage all polyinstantiated
++## directories on the system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_polyinstantiate_all',`
++ gen_require(`
++ attribute polydir, polymember, polyparent;
++ type poly_t;
++ ')
++
++ # Need to give access to /selinux/member
++ selinux_compute_member($1)
++
++ # Need sys_admin capability for mounting
++ allow $1 self:capability { chown fsetid sys_admin fowner };
++
++ # Need to give access to the directories to be polyinstantiated
++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++ # Need to give access to the polyinstantiated subdirectories
++ allow $1 polymember:dir search_dir_perms;
++
++ # Need to give access to parent directories where original
++ # is remounted for polyinstantiation aware programs (like gdm)
++ allow $1 polyparent:dir { getattr mounton };
++
++ # Need to give permission to create directories where applicable
++ allow $1 self:process setfscreate;
++ allow $1 polymember: dir { create setattr relabelto };
++ allow $1 polydir: dir { write add_name open };
++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++ # Default type for mountpoints
++ allow $1 poly_t:dir { create mounton };
++ fs_unmount_xattr_fs($1)
++
++ fs_mount_tmpfs($1)
++ fs_unmount_tmpfs($1)
++
++ ifdef(`distro_redhat',`
++ # namespace.init
++ files_search_tmp($1)
++ files_search_home($1)
++ corecmd_exec_bin($1)
++ seutil_domtrans_setfiles($1)
++ ')
++')
++
++########################################
++##
++## Unconfined access to files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_unconfined',`
+ gen_require(`
+ attribute files_unconfined_type;
+ ')
typeattribute $1 files_unconfined_type;
')
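Review bot: The documentation block for files_spool_filetrans in this hunk lists three parameters (domain, private type, object class), but the body now passes a fourth, `$4`, to `filetrans_pattern($1, var_spool_t, $2, $3, $4)`, so the interface doc is out of step with the signature. Add a fourth entry alongside the others, in the same XML-doc style, such as `## <param name="filename" optional="true">` / `## The name of the object being created.` / `## </param>`, so policy authors know the name-based transition is available. Callers that still pass three arguments presumably get an empty `$4` from m4, which filetrans_pattern appears to tolerate — a one-line remark that the argument is optional would make that explicit. The remaining interfaces in the hunk (files_search_spool through files_unconfined) look like relocations of existing text rather than behavioural changes, so no further point is raised on them.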
@@ -19987,10 +20489,10 @@ index e88b95f..0eb55db 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..b3631d6 100644
+index 1bd5812..0d7d8d1 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
-@@ -1,11 +1,9 @@
+@@ -1,13 +1,13 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -20002,8 +20504,12 @@ index 1bd5812..b3631d6 100644
-
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
++
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-@@ -15,6 +13,19 @@
+ /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+
+@@ -15,6 +15,19 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
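Review bot: The new file context for `/usr/libexec/abrt-handle-event` labels it `abrt_handle_event_exec_t`, a type that is not declared anywhere visible in this hunk. Confirm that the accompanying abrt.te change declares it (presumably as an entrypoint/exec type with a domain transition from abrtd), since an .fc entry referencing an undeclared type will most likely fail when the file contexts are validated at policy build time. A short comment above the entry naming the domain that is expected to transition on this type would also help future readers of the .fc file.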
@@ -20212,10 +20718,10 @@ index 0b827c5..e03a970 100644
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..d141931 100644
+index 30861ec..e96a565 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
-@@ -5,7 +5,17 @@ policy_module(abrt, 1.2.0)
+@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
# Declarations
#
@@ -20228,13 +20734,21 @@ index 30861ec..d141931 100644
+##
+gen_tunable(abrt_anon_write, false)
+
++##