diff --git a/modules-targeted.conf b/modules-targeted.conf
index ec4d9b5..eb35a96 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2291,3 +2291,11 @@ pingd = module
#
#
milter = module
+
+# Layer: apps
+# Module: mediawiki
+#
+# mediawiki is the software used for Wikipedia and the other Wikimedia
+# Foundation websites.
+#
+mediawiki = module
diff --git a/policy-F15.patch b/policy-F15.patch
index f8f4f66..f183fb0 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -371,6 +371,35 @@ index 66e486e..bfda8e9 100644
gnome_manage_config(firstboot_t)
')
+diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
+index 4198ff5..df3f4d6 100644
+--- a/policy/modules/admin/kdump.if
++++ b/policy/modules/admin/kdump.if
+@@ -56,6 +56,24 @@ interface(`kdump_read_config',`
+ allow $1 kdump_etc_t:file read_file_perms;
+ ')
+
++#####################################
++##
++## Dontaudit read kdump configuration file.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`kdump_dontaudit_read_config',`
++ gen_require(`
++ type kdump_etc_t;
++ ')
++
++ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
++')
++
+ ####################################
+ ##
+ ## Manage kdump configuration file.
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 7390b15..a46b249 100644
--- a/policy/modules/admin/logrotate.te
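Review bot: The dontaudit line near the end of the added `kdump_dontaudit_read_config` interface uses `read_inherited_file_perms`, which does not include `open`, so a caller that actually opens the config still gets an AVC for the open while the summary says "Dontaudit read kdump configuration file". If inherited descriptors are the intent, make the summary say so, e.g. `## Dontaudit reading kdump configuration files via inherited descriptors.`; if the intent is to silence reads of the file, the rule should be `dontaudit $1 kdump_etc_t:file read_file_perms;`. The preceding kdump_read_config interface is only partly visible as context, so its start lies outside the hunk.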
@@ -662,7 +691,7 @@ index 0000000..eef0c87
+ netutils_domtrans(ncftool_t)
+')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 6a53a18..202c770 100644
+index 6a53a18..1bc14ea 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
@@ -684,7 +713,16 @@ index 6a53a18..202c770 100644
fs_getattr_xattr_fs(netutils_t)
-@@ -134,8 +139,6 @@ logging_send_syslog_msg(ping_t)
+@@ -104,6 +109,8 @@ optional_policy(`
+ #
+
+ allow ping_t self:capability { setuid net_raw };
++allow ping_t self:process setcap;
++
+ dontaudit ping_t self:capability sys_tty_config;
+ allow ping_t self:tcp_socket create_socket_perms;
+ allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+@@ -134,8 +141,6 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
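Review bot: `allow ping_t self:process setcap;` is added with no comment, and the ping_t section around it is context only, so the reason is not recorded anywhere in the hunk; presumably ping calls cap_set_proc() to drop net_raw once its raw socket is open, which is what `process setcap` gates. A one-liner above it, `# ping drops its capabilities after opening the raw socket`, keeps the rule from being pruned later as unneeded. The ping_t section continues outside the hunk.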
@@ -693,7 +731,7 @@ index 6a53a18..202c770 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -145,11 +148,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -719,7 +757,7 @@ index 6a53a18..202c770 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -194,6 +211,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +213,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -727,7 +765,7 @@ index 6a53a18..202c770 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,9 +222,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +224,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
@@ -5890,10 +5928,10 @@ index 0000000..9783c8f
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..8211b91
+index 0000000..aa1d56d
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,431 @@
+@@ -0,0 +1,430 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -5999,7 +6037,6 @@ index 0000000..8211b91
+# sandbox local policy
+#
+
-+## internal communication is often done using fifo and unix sockets.
+allow sandbox_domain self:fifo_file manage_file_perms;
+allow sandbox_domain self:sem create_sem_perms;
+allow sandbox_domain self:shm create_shm_perms;
@@ -8278,7 +8315,7 @@ index 3517db2..4dd4bef 100644
+
+/usr/lib/debug <>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..9b828ee 100644
+index 5302dac..2c77493 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8656,7 +8693,7 @@ index 5302dac..9b828ee 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -3950,6 +4233,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3950,6 +4233,84 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -8696,10 +8733,52 @@ index 5302dac..9b828ee 100644
+
+########################################
+##
++## Relabel all tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabelto_all_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ type var_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ relabelto_dirs_pattern($1, tmpfile, tmpfile)
++')
++
++########################################
++##
++## Relabel all tmp dirs.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`files_relabelto_all_tmp_dirs',`
++ gen_require(`
++ attribute tmpfile;
++ type var_t;
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
++ relabelto_dirs_pattern($1, tmpfile, tmpfile)
++')
++
++########################################
++##
## Set the attributes of all tmp directories.
##
##
-@@ -4109,6 +4428,13 @@ interface(`files_purge_tmp',`
+@@ -4109,6 +4470,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
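Review bot: `files_relabelto_all_tmp_files` (the first added interface) and `files_relabelto_all_tmp_dirs` (the second) have byte-identical bodies — both call `relabelto_dirs_pattern($1, tmpfile, tmpfile)` — so the files variant grants directory relabelto and never file relabelto; the body of the first should instead read `relabelto_files_pattern($1, tmpfile, tmpfile)`. The effect reaches init.te, where this commit calls both `files_relabelto_all_tmp_files(init_t)` and `files_relabelto_all_tmp_dirs(init_t)` and the pair currently yields the same permissions. The summaries "Relabel all tmp files." / "Relabel all tmp dirs." also overstate the grant, since only relabelto (not relabelfrom) is given; `## Relabel to all tmp file types.` would match the name. Relabelto over the whole tmpfile attribute lets a caller place any tmp type on a file it controls, so the callers should stay limited to the boot-time path that restores labels.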
@@ -8713,32 +8792,79 @@ index 5302dac..9b828ee 100644
')
########################################
-@@ -4718,6 +5044,24 @@ interface(`files_read_var_files',`
+@@ -4718,7 +5086,7 @@ interface(`files_read_var_files',`
########################################
##
+-## Read and write files in the /var directory.
+## Append files in the /var directory.
+ ##
+ ##
+ ##
+@@ -4726,36 +5094,54 @@ interface(`files_read_var_files',`
+ ##
+ ##
+ #
+-interface(`files_rw_var_files',`
++interface(`files_append_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+- rw_files_pattern($1, var_t, var_t)
++ append_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write
+-## files in the /var directory.
++## Read and write files in the /var directory.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_rw_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+- dontaudit $1 var_t:file rw_file_perms;
++ rw_files_pattern($1, var_t, var_t)
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete files in the /var directory.
++## Do not audit attempts to read and write
++## files in the /var directory.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_append_var_files',`
++interface(`files_dontaudit_rw_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
-+ append_files_pattern($1, var_t, var_t)
++ dontaudit $1 var_t:file rw_file_perms;
+')
+
+########################################
+##
- ## Read and write files in the /var directory.
++## Create, read, write, and delete files in the /var directory.
##
##
-@@ -5053,6 +5397,24 @@ interface(`files_manage_mounttab',`
+ ##
+@@ -5053,6 +5439,24 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -8763,7 +8889,7 @@ index 5302dac..9b828ee 100644
## Search the locks directory (/var/lock).
##
##
-@@ -5138,12 +5500,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5138,12 +5542,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -8780,85 +8906,35 @@ index 5302dac..9b828ee 100644
')
########################################
-@@ -5189,29 +5551,28 @@ interface(`files_delete_all_locks',`
+@@ -5189,6 +5593,27 @@ interface(`files_delete_all_locks',`
########################################
##
--## Read all lock files.
+## Relabel all lock files.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
- #
--interface(`files_read_all_locks',`
-+interface(`files_relabel_all_lock_dirs',`
- gen_require(`
- attribute lockfile;
-- type var_t, var_lock_t;
-+ type var_t;
- ')
-
-- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- allow $1 lockfile:dir list_dir_perms;
-- read_files_pattern($1, lockfile, lockfile)
-- read_lnk_files_pattern($1, lockfile, lockfile)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, lockfile, lockfile)
- ')
-
- ########################################
- ##
--## manage all lock files.
-+## Read all lock files.
- ##
- ##
- ##
-@@ -5219,15 +5580,37 @@ interface(`files_read_all_locks',`
- ##
- ##
- #
--interface(`files_manage_all_locks',`
-+interface(`files_read_all_locks',`
- gen_require(`
- attribute lockfile;
- type var_t, var_lock_t;
- ')
-
- allow $1 { var_t var_lock_t }:dir search_dir_perms;
-- manage_dirs_pattern($1, lockfile, lockfile)
-- manage_files_pattern($1, lockfile, lockfile)
-+ allow $1 lockfile:dir list_dir_perms;
-+ read_files_pattern($1, lockfile, lockfile)
-+ read_lnk_files_pattern($1, lockfile, lockfile)
-+')
-+
-+########################################
-+##
-+## manage all lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_manage_all_locks',`
++interface(`files_relabel_all_lock_dirs',`
+ gen_require(`
+ attribute lockfile;
-+ type var_t, var_lock_t;
++ type var_t;
+ ')
+
-+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+ manage_dirs_pattern($1, lockfile, lockfile)
-+ manage_files_pattern($1, lockfile, lockfile)
- manage_lnk_files_pattern($1, lockfile, lockfile)
- ')
-
-@@ -5317,6 +5700,43 @@ interface(`files_search_pids',`
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, lockfile, lockfile)
++')
++
++########################################
++##
+ ## Read all lock files.
+ ##
+ ##
+@@ -5317,6 +5742,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
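Review bot: The summary for `files_relabel_all_lock_dirs` still reads `## Relabel all lock files.` (the unchanged `+##` line near the top of the hunk), while the interface body only calls `relabel_dirs_pattern($1, lockfile, lockfile)` and the name says directories; change it to `## Relabel all lock directories.` so readers do not expect file relabeling from it. The rest of the hunk only moves the interface ahead of files_read_all_locks without altering its body.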
@@ -8902,7 +8978,7 @@ index 5302dac..9b828ee 100644
########################################
##
## Do not audit attempts to search
-@@ -5524,6 +5944,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5986,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -8965,7 +9041,7 @@ index 5302dac..9b828ee 100644
## Read all process ID files.
##
##
-@@ -5541,6 +6017,44 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +6059,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -9010,7 +9086,7 @@ index 5302dac..9b828ee 100644
')
########################################
-@@ -5826,3 +6340,247 @@ interface(`files_unconfined',`
+@@ -5826,3 +6382,247 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -9315,7 +9391,7 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..b9e3aa9 100644
+index 437a42a..725b363 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -9645,7 +9721,33 @@ index 437a42a..b9e3aa9 100644
## Read removable storage symbolic links.
##
##
-@@ -2779,6 +2955,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2653,6 +2829,25 @@ interface(`fs_read_removable_symlinks',`
+ read_lnk_files_pattern($1, removable_t, removable_t)
+ ')
+
++######################################
++##
++## Read block nodes on removable filesystems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_removable_blk_files',`
++ gen_require(`
++ type removable_t;
++ ')
++
++ allow $1 removable_t:dir list_dir_perms;
++ read_blk_files_pattern($1, removable_t, removable_t)
++')
++
+ ########################################
+ ##
+ ## Read and write block nodes on removable filesystems.
+@@ -2779,6 +2974,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -9653,7 +9755,7 @@ index 437a42a..b9e3aa9 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -2819,6 +2996,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3015,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -9661,7 +9763,7 @@ index 437a42a..b9e3aa9 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -2845,7 +3023,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3042,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
#########################################
##
## Create, read, write, and delete symbolic links
@@ -9670,7 +9772,7 @@ index 437a42a..b9e3aa9 100644
##
##
##
-@@ -2859,6 +3037,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3056,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -9678,7 +9780,7 @@ index 437a42a..b9e3aa9 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3970,6 +4149,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3970,6 +4168,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -9721,7 +9823,7 @@ index 437a42a..b9e3aa9 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4252,6 +4467,8 @@ interface(`fs_mount_all_fs',`
+@@ -4252,6 +4486,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -9730,7 +9832,7 @@ index 437a42a..b9e3aa9 100644
')
########################################
-@@ -4662,3 +4879,24 @@ interface(`fs_unconfined',`
+@@ -4662,3 +4898,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -32441,7 +32543,7 @@ index f1aea88..c3ffa9d 100644
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index 22184ad..87810ec 100644
+index 22184ad..687f9ae 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -42,13 +42,17 @@ allow saslauthd_t saslauthd_tmp_t:dir setattr;
@@ -32463,6 +32565,14 @@ index 22184ad..87810ec 100644
corenet_all_recvfrom_unlabeled(saslauthd_t)
corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_generic_if(saslauthd_t)
+@@ -94,6 +98,7 @@ tunable_policy(`allow_saslauthd_read_shadow',`
+
+ optional_policy(`
+ kerberos_keytab_template(saslauthd, saslauthd_t)
++ kerberos_manage_host_rcache(saslauthd_t)
+ ')
+
+ optional_policy(`
diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
index a86ec50..ef4199b 100644
--- a/policy/modules/services/sendmail.fc
@@ -35207,7 +35317,7 @@ index a4fbe31..a717e2d 100644
logging_list_logs($1)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
-index b775aaf..1e40c2a 100644
+index b775aaf..7718dbb 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -7,7 +7,6 @@ policy_module(uucp, 1.11.0)
@@ -35226,7 +35336,7 @@ index b775aaf..1e40c2a 100644
dev_read_urand(uucpd_t)
-@@ -113,13 +113,17 @@ optional_policy(`
+@@ -113,13 +113,19 @@ optional_policy(`
kerberos_use(uucpd_t)
')
@@ -35242,6 +35352,8 @@ index b775aaf..1e40c2a 100644
allow uux_t self:capability { setuid setgid };
-allow uux_t self:fifo_file write_file_perms;
+allow uux_t self:fifo_file write_fifo_file_perms;
++
++domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
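Review bot: `domtrans_pattern(uux_t, uucpd_exec_t, uucpd_t)` (the last added line) moves uux_t, which already holds setuid and setgid, into the daemon domain whenever it runs a uucpd_exec_t binary, and nothing in the hunk says why; a comment such as `# uux starts uucico (uucpd_exec_t) to kick off a transfer` would record it, assuming that is the case. domtrans_pattern also lets uucpd_t use uux_t's file descriptors and signal it back, so if the binary only needs to run in uux_t's own domain, `can_exec(uux_t, uucpd_exec_t)` would be the narrower rule. The uux_t section continues outside the hunk.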
@@ -39362,7 +39474,7 @@ index 88df85d..2fa3974 100644
ssh_sigchld(application_domain_type)
ssh_rw_stream_sockets(application_domain_type)
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 1c4b1e7..8d326d4 100644
+index 1c4b1e7..ffa4134 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -10,6 +10,7 @@
@@ -39373,7 +39485,7 @@ index 1c4b1e7..8d326d4 100644
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
ifdef(`distro_suse', `
-@@ -27,12 +28,14 @@ ifdef(`distro_gentoo', `
+@@ -27,6 +28,7 @@ ifdef(`distro_gentoo', `
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
@@ -39381,15 +39493,16 @@ index 1c4b1e7..8d326d4 100644
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
- /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
- /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
- /var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
-+/var/log/faillock(/.*)? gen_context(system_u:object_r:faillog_t,s0)
- /var/log/lastlog -- gen_context(system_u:object_r:lastlog_t,s0)
- /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
- /var/log/tallylog -- gen_context(system_u:object_r:faillog_t,s0)
+@@ -39,6 +41,7 @@ ifdef(`distro_gentoo', `
+ /var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
+
+ /var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
++/var/run/faillock(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/pam_mount(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+ /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
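Review bot: The tally directory moves from `/var/log/faillock(/.*)?` as faillog_t (removed at the top of the hunk) to `/var/run/faillock(/.*)?` as pam_var_run_t (added at the bottom), which matches pam_faillock's default location, but it also takes the records out of the faillog_t type that the auth_*_faillog interfaces cover — the `auth_manage_faillog(init_t)` and `auth_relabel_faillog(init_t)` calls this commit adds in init.te will not reach them. Confirm that the login domains writing the tally have manage access on pam_var_run_t through the pam pid interfaces, and that whatever relabels /var/run at boot includes that type. If upgraded systems can still carry /var/log/faillock, keeping the old entry alongside avoids that directory falling back to var_log_t.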
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..6f47773 100644
+index bea0ade..f459bae 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -39540,12 +39653,30 @@ index bea0ade..6f47773 100644
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -736,6 +788,25 @@ interface(`auth_rw_faillog',`
+@@ -736,6 +788,43 @@ interface(`auth_rw_faillog',`
allow $1 faillog_t:file rw_file_perms;
')
+########################################
+##
++## Relabel the login failure log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_relabel_faillog',`
++ gen_require(`
++ type faillog_t;
++ ')
++
++ allow $1 faillog_t:file relabel_file_perms;
++')
++
++########################################
++##
+## Manage the login failure log.
+##
+##
@@ -39566,7 +39697,7 @@ index bea0ade..6f47773 100644
#######################################
##
## Read the last logins log.
-@@ -874,6 +945,26 @@ interface(`auth_exec_pam',`
+@@ -874,6 +963,26 @@ interface(`auth_exec_pam',`
########################################
##
@@ -39593,7 +39724,7 @@ index bea0ade..6f47773 100644
## Manage var auth files. Used by various other applications
## and pam applets etc.
##
-@@ -896,6 +987,26 @@ interface(`auth_manage_var_auth',`
+@@ -896,6 +1005,26 @@ interface(`auth_manage_var_auth',`
########################################
##
@@ -39620,7 +39751,33 @@ index bea0ade..6f47773 100644
## Read PAM PID files.
##
##
-@@ -1500,6 +1611,8 @@ interface(`auth_manage_login_records',`
+@@ -1326,6 +1455,25 @@ interface(`auth_setattr_login_records',`
+
+ ########################################
+ ##
++## Relabel login record files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_relabel_login_records',`
++ gen_require(`
++ type wtmp_t;
++ ')
++
++ allow $1 wtmp_t:file relabel_file_perms;
++')
++
++
++########################################
++##
+ ## Read login records files (/var/log/wtmp).
+ ##
+ ##
+@@ -1500,6 +1648,8 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -39629,7 +39786,7 @@ index bea0ade..6f47773 100644
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1644,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1681,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
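Review bot: The added `auth_relabel_login_records` interface is followed by two blank `+` lines before the next `####` banner, whereas the interfaces around it are separated by a single blank line; drop one of them. The grant itself, `allow $1 wtmp_t:file relabel_file_perms;`, is in line with the other relabel helpers this commit adds.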
@@ -39867,7 +40024,7 @@ index a97a096..dd65c15 100644
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index a442acc..7cb7582 100644
+index a442acc..e159f32 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@@ -39888,7 +40045,15 @@ index a442acc..7cb7582 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -147,7 +151,7 @@ modutils_read_module_deps(fsadm_t)
+@@ -130,6 +134,7 @@ storage_raw_write_fixed_disk(fsadm_t)
+ storage_raw_read_removable_device(fsadm_t)
+ storage_raw_write_removable_device(fsadm_t)
+ storage_read_scsi_generic(fsadm_t)
++storage_rw_fuse(fsadm_t)
+ storage_swapon_fixed_disk(fsadm_t)
+
+ term_use_console(fsadm_t)
+@@ -147,7 +152,7 @@ modutils_read_module_deps(fsadm_t)
seutil_read_config(fsadm_t)
@@ -39897,7 +40062,7 @@ index a442acc..7cb7582 100644
ifdef(`distro_redhat',`
optional_policy(`
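Review bot: `storage_rw_fuse(fsadm_t)` is added to the storage block without a comment, and fsadm_t is a broad filesystem-administration domain, so it is worth recording which tool needs the fuse device — presumably a FUSE-backed filesystem helper invoked by fsck or mount, though the hunk does not say. A line above it such as `# TODO confirm: FUSE-based fs helpers (e.g. ntfs-3g) open /dev/fuse` keeps the reason with the rule. The fsadm_t section continues outside the hunk.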
-@@ -166,6 +170,14 @@ optional_policy(`
+@@ -166,6 +171,14 @@ optional_policy(`
')
optional_policy(`
@@ -39912,7 +40077,7 @@ index a442acc..7cb7582 100644
nis_use_ypbind(fsadm_t)
')
-@@ -175,6 +187,10 @@ optional_policy(`
+@@ -175,6 +188,10 @@ optional_policy(`
')
optional_policy(`
@@ -40395,7 +40560,7 @@ index df3fa64..73dc579 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..8a59b8e 100644
+index 8a105fd..eb0cec2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -40525,7 +40690,7 @@ index 8a105fd..8a59b8e 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +221,107 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +221,113 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -40583,6 +40748,8 @@ index 8a105fd..8a59b8e 100644
+
+ storage_getattr_removable_dev(init_t)
+
++ auth_relabel_login_records(init_t)
++
+ init_read_script_state(init_t)
+
+ seutil_read_file_contexts(init_t)
@@ -40599,8 +40766,11 @@ index 8a105fd..8a59b8e 100644
+ files_manage_generic_tmp_dirs(init_t)
+ files_relabelfrom_tmp_dirs(init_t)
+ files_relabelfrom_tmp_files(init_t)
++ files_relabelto_all_tmp_dirs(init_t)
++ files_relabelto_all_tmp_files(init_t)
+
-+ auth_manage_faillog(initrc_t)
++ auth_manage_faillog(init_t)
++ auth_relabel_faillog(init_t)
+ auth_manage_var_auth(init_t)
+ auth_relabel_var_auth_dirs(init_t)
+ auth_setattr_login_records(init_t)
@@ -40608,6 +40778,7 @@ index 8a105fd..8a59b8e 100644
+ logging_create_devlog_dev(init_t)
+
+ miscfiles_delete_man_pages(init_t)
++ miscfiles_relabel_man_pages(init_t)
+')
+
optional_policy(`
@@ -40633,7 +40804,7 @@ index 8a105fd..8a59b8e 100644
')
optional_policy(`
-@@ -199,10 +329,24 @@ optional_policy(`
+@@ -199,10 +335,24 @@ optional_policy(`
')
optional_policy(`
@@ -40658,7 +40829,7 @@ index 8a105fd..8a59b8e 100644
unconfined_domain(init_t)
')
-@@ -212,7 +356,7 @@ optional_policy(`
+@@ -212,7 +362,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -40667,7 +40838,7 @@ index 8a105fd..8a59b8e 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +385,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +391,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -40682,7 +40853,7 @@ index 8a105fd..8a59b8e 100644
init_write_initctl(initrc_t)
-@@ -258,11 +404,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +410,23 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -40706,7 +40877,7 @@ index 8a105fd..8a59b8e 100644
corecmd_exec_all_executables(initrc_t)
-@@ -291,6 +449,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +455,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -40714,7 +40885,7 @@ index 8a105fd..8a59b8e 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +457,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +463,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -40730,7 +40901,7 @@ index 8a105fd..8a59b8e 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +482,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +488,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -40742,7 +40913,7 @@ index 8a105fd..8a59b8e 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +501,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +507,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -40756,7 +40927,7 @@ index 8a105fd..8a59b8e 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +516,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +522,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -40765,7 +40936,7 @@ index 8a105fd..8a59b8e 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +530,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +536,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -40773,7 +40944,7 @@ index 8a105fd..8a59b8e 100644
selinux_get_enforce_mode(initrc_t)
-@@ -394,13 +562,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +568,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -40789,7 +40960,7 @@ index 8a105fd..8a59b8e 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +642,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +648,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -40798,7 +40969,7 @@ index 8a105fd..8a59b8e 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -519,6 +688,23 @@ ifdef(`distro_redhat',`
+@@ -519,6 +694,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -40822,7 +40993,7 @@ index 8a105fd..8a59b8e 100644
')
optional_policy(`
-@@ -526,10 +712,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +718,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -40840,7 +41011,7 @@ index 8a105fd..8a59b8e 100644
')
optional_policy(`
-@@ -544,6 +737,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +743,35 @@ ifdef(`distro_suse',`
')
')
@@ -40876,7 +41047,7 @@ index 8a105fd..8a59b8e 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +778,8 @@ optional_policy(`
+@@ -556,6 +784,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -40885,7 +41056,7 @@ index 8a105fd..8a59b8e 100644
')
optional_policy(`
-@@ -572,6 +796,7 @@ optional_policy(`
+@@ -572,6 +802,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -40893,7 +41064,7 @@ index 8a105fd..8a59b8e 100644
')
optional_policy(`
-@@ -584,6 +809,11 @@ optional_policy(`
+@@ -584,6 +815,11 @@ optional_policy(`
')
optional_policy(`
@@ -40905,7 +41076,7 @@ index 8a105fd..8a59b8e 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -600,9 +830,13 @@ optional_policy(`
+@@ -600,9 +836,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -40919,7 +41090,7 @@ index 8a105fd..8a59b8e 100644
')
optional_policy(`
-@@ -701,7 +935,13 @@ optional_policy(`
+@@ -701,7 +941,13 @@ optional_policy(`
')
optional_policy(`
@@ -40933,7 +41104,7 @@ index 8a105fd..8a59b8e 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +964,10 @@ optional_policy(`
+@@ -724,6 +970,10 @@ optional_policy(`
')
optional_policy(`
@@ -40944,7 +41115,7 @@ index 8a105fd..8a59b8e 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -737,6 +981,10 @@ optional_policy(`
+@@ -737,6 +987,10 @@ optional_policy(`
')
optional_policy(`
@@ -40955,7 +41126,7 @@ index 8a105fd..8a59b8e 100644
quota_manage_flags(initrc_t)
')
-@@ -745,6 +993,10 @@ optional_policy(`
+@@ -745,6 +999,10 @@ optional_policy(`
')
optional_policy(`
@@ -40966,7 +41137,7 @@ index 8a105fd..8a59b8e 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +1018,6 @@ optional_policy(`
+@@ -766,8 +1024,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -40975,7 +41146,7 @@ index 8a105fd..8a59b8e 100644
')
optional_policy(`
-@@ -776,14 +1026,21 @@ optional_policy(`
+@@ -776,14 +1032,21 @@ optional_policy(`
')
optional_policy(`
@@ -40997,7 +41168,7 @@ index 8a105fd..8a59b8e 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1062,19 @@ optional_policy(`
+@@ -805,11 +1068,19 @@ optional_policy(`
')
optional_policy(`
@@ -41018,7 +41189,7 @@ index 8a105fd..8a59b8e 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1084,25 @@ optional_policy(`
+@@ -819,6 +1090,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -41044,7 +41215,7 @@ index 8a105fd..8a59b8e 100644
')
optional_policy(`
-@@ -844,3 +1128,59 @@ optional_policy(`
+@@ -844,3 +1134,59 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -41583,7 +41754,7 @@ index 1d1c399..3ab3a47 100644
+ tgtd_manage_semaphores(iscsid_t)
')
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 9df8c4d..7a942fc 100644
+index 9df8c4d..8d1d7fa 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
@@ -41629,7 +41800,16 @@ index 9df8c4d..7a942fc 100644
/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +209,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+ /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -41637,7 +41817,7 @@ index 9df8c4d..7a942fc 100644
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,6 +249,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -41645,7 +41825,7 @@ index 9df8c4d..7a942fc 100644
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-@@ -302,13 +305,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -41661,7 +41841,7 @@ index 9df8c4d..7a942fc 100644
') dnl end distro_redhat
#
-@@ -319,14 +317,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -42516,7 +42696,7 @@ index 7711464..a8bd9fe 100644
ifdef(`distro_debian',`
/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index fe4e741..926ba65 100644
+index fe4e741..9ce4a4f 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -414,9 +414,6 @@ interface(`miscfiles_read_localization',`
@@ -42529,6 +42709,32 @@ index fe4e741..926ba65 100644
')
########################################
+@@ -585,6 +582,25 @@ interface(`miscfiles_manage_man_pages',`
+
+ ########################################
+ ##
++## Allow process to relabel man_pages info
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`miscfiles_relabel_man_pages',`
++ gen_require(`
++ type man_t;
++ ')
++
++ files_search_usr($1)
++ relabel_files_pattern($1, man_t, man_t)
++')
++
++########################################
++##
+ ## Read public files used for file
+ ## transfer services.
+ ##
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index c51f7f5..59c70bf 100644
--- a/policy/modules/system/miscfiles.te
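Review bot: `miscfiles_relabel_man_pages` grants only `relabel_files_pattern($1, man_t, man_t)`, so a caller walking the man page tree would presumably still be denied relabelfrom/relabelto on man_t directories; if the intended use (the changelog entry about init relabeling man pages) includes the directory hierarchy, add `relabel_dirs_pattern($1, man_t, man_t)` beside it. The summary in the new doc block should also state the scope, e.g. `## Relabel man page files (type man_t); directories are not covered`, so callers know what they get. Granting both relabelfrom and relabelto on the same type keeps the interface narrow, which is good; just make the file-only scope explicit if it is deliberate.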
@@ -42581,7 +42787,7 @@ index 9c0faab..def8d5a 100644
## loading modules.
##
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 74a4466..3120e0e 100644
+index 74a4466..7243733 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -18,6 +18,7 @@ type insmod_t;
@@ -42592,7 +42798,17 @@ index 74a4466..3120e0e 100644
role system_r types insmod_t;
# module loading config
-@@ -55,12 +56,15 @@ corecmd_search_bin(depmod_t)
+@@ -36,6 +37,9 @@ role system_r types update_modules_t;
+ type update_modules_tmp_t;
+ files_tmp_file(update_modules_tmp_t)
+
++type insmod_tmpfs_t;
++files_tmpfs_file(insmod_tmpfs_t)
++
+ ########################################
+ #
+ # depmod local policy
+@@ -55,12 +59,15 @@ corecmd_search_bin(depmod_t)
domain_use_interactive_fds(depmod_t)
@@ -42608,7 +42824,7 @@ index 74a4466..3120e0e 100644
fs_getattr_xattr_fs(depmod_t)
-@@ -74,6 +78,7 @@ userdom_use_user_terminals(depmod_t)
+@@ -74,6 +81,7 @@ userdom_use_user_terminals(depmod_t)
# Read System.map from home directories.
files_list_home(depmod_t)
userdom_read_user_home_content_files(depmod_t)
@@ -42616,7 +42832,7 @@ index 74a4466..3120e0e 100644
ifdef(`distro_ubuntu',`
optional_policy(`
-@@ -104,7 +109,7 @@ optional_policy(`
+@@ -104,11 +112,12 @@ optional_policy(`
# insmod local policy
#
@@ -42625,7 +42841,22 @@ index 74a4466..3120e0e 100644
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
-@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t)
+ allow insmod_t self:rawip_socket create_socket_perms;
++allow insmod_t self:shm create_shm_perms;
+
+ # Read module config and dependency information
+ list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
+@@ -118,6 +127,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+
+ can_exec(insmod_t, insmod_exec_t)
+
++manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)
++fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
++
+ kernel_load_module(insmod_t)
+ kernel_read_system_state(insmod_t)
+ kernel_read_network_state(insmod_t)
+@@ -125,6 +137,7 @@ kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
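Review bot: The added `manage_files_pattern(insmod_t,insmod_tmpfs_t,insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)` drop the space after each comma that the surrounding calls use (`list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)`); write them as `manage_files_pattern(insmod_t, insmod_tmpfs_t, insmod_tmpfs_t)` and `fs_tmpfs_filetrans(insmod_t, insmod_tmpfs_t, file)`. The `allow insmod_t self:shm create_shm_perms;` line arrives with no rationale; a one-line comment naming the tool or library that needed SysV shared memory would let a later reviewer judge whether it can be dropped. Scoping the tmpfs write to the private insmod_tmpfs_t type declared in the earlier hunk, rather than to tmpfs_t itself, is the right least-privilege choice. The insmod section continues outside the hunk.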
@@ -42633,7 +42864,7 @@ index 74a4466..3120e0e 100644
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t)
+@@ -142,6 +155,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -42641,7 +42872,7 @@ index 74a4466..3120e0e 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t)
+@@ -160,11 +174,15 @@ files_write_kernel_modules(insmod_t)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -42657,7 +42888,7 @@ index 74a4466..3120e0e 100644
logging_send_syslog_msg(insmod_t)
logging_search_logs(insmod_t)
-@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t)
+@@ -173,8 +191,7 @@ miscfiles_read_localization(insmod_t)
seutil_read_file_contexts(insmod_t)
@@ -42667,7 +42898,7 @@ index 74a4466..3120e0e 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
if( ! secure_mode_insmod ) {
-@@ -186,8 +196,11 @@ optional_policy(`
+@@ -186,8 +203,11 @@ optional_policy(`
')
optional_policy(`
@@ -42681,7 +42912,7 @@ index 74a4466..3120e0e 100644
')
optional_policy(`
-@@ -235,6 +248,10 @@ optional_policy(`
+@@ -235,6 +255,10 @@ optional_policy(`
')
optional_policy(`
@@ -42919,7 +43150,7 @@ index 8b5c196..3490497 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..e1f7531 100644
+index fca6947..5dadaa8 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -42969,7 +43200,7 @@ index fca6947..e1f7531 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,50 +68,84 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,50 +68,85 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -43051,6 +43282,7 @@ index fca6947..e1f7531 100644
+fs_rw_anon_inodefs_files(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
+fs_rw_nfsd_fs(mount_t)
++fs_rw_removable_blk_files(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
fs_read_tmpfs_symlinks(mount_t)
+fs_read_fusefs_files(mount_t)
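Review bot: `fs_rw_removable_blk_files(mount_t)` is inserted among the tmpfs/nfsd rules without a comment, while mount_t already has `storage_raw_read_removable_device`/`storage_raw_write_removable_device` in a later hunk of this section; it is not obvious from the diff which denial the new rule resolves. Add a comment above it naming the case, e.g. `# rw to block device nodes located on removable media: <reason>`, so the extra write access on a privileged domain is traceable. The mount_t rule block starts outside the hunk.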
@@ -43061,7 +43293,7 @@ index fca6947..e1f7531 100644
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
-@@ -100,6 +156,7 @@ storage_raw_read_fixed_disk(mount_t)
+@@ -100,6 +157,7 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -43069,7 +43301,7 @@ index fca6947..e1f7531 100644
term_use_all_terms(mount_t)
-@@ -108,6 +165,8 @@ auth_use_nsswitch(mount_t)
+@@ -108,6 +166,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -43078,7 +43310,7 @@ index fca6947..e1f7531 100644
logging_send_syslog_msg(mount_t)
-@@ -118,6 +177,12 @@ sysnet_use_portmap(mount_t)
+@@ -118,6 +178,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -43091,7 +43323,7 @@ index fca6947..e1f7531 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -133,10 +198,17 @@ ifdef(`distro_ubuntu',`
+@@ -133,10 +199,17 @@ ifdef(`distro_ubuntu',`
')
')
@@ -43109,7 +43341,7 @@ index fca6947..e1f7531 100644
')
optional_policy(`
-@@ -166,6 +238,8 @@ optional_policy(`
+@@ -166,6 +239,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -43118,7 +43350,7 @@ index fca6947..e1f7531 100644
')
optional_policy(`
-@@ -173,6 +247,28 @@ optional_policy(`
+@@ -173,6 +248,28 @@ optional_policy(`
')
optional_policy(`
@@ -43147,7 +43379,7 @@ index fca6947..e1f7531 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,13 +276,44 @@ optional_policy(`
+@@ -180,13 +277,44 @@ optional_policy(`
')
')
@@ -43192,7 +43424,7 @@ index fca6947..e1f7531 100644
')
########################################
-@@ -195,6 +322,42 @@ optional_policy(`
+@@ -195,6 +323,42 @@ optional_policy(`
#
optional_policy(`
@@ -44402,7 +44634,7 @@ index 8e71fb7..350d003 100644
+ role_transition $1 dhcpc_exec_t system_r;
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index dfbe736..5740b79 100644
+index dfbe736..e70feca 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.0)
@@ -44560,10 +44792,14 @@ index dfbe736..5740b79 100644
')
optional_policy(`
-@@ -334,6 +379,10 @@ optional_policy(`
+@@ -334,6 +379,14 @@ optional_policy(`
')
optional_policy(`
++ kdump_dontaudit_read_config(ifconfig_t)
++')
++
++optional_policy(`
+ netutils_domtrans(dhcpc_t)
+')
+
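Review bot: `kdump_dontaudit_read_config(ifconfig_t)` silences the symptom of a descriptor leak (the changelog calls it kdump_etc_t leaking into ifconfig) rather than the leak itself, and nothing in the hunk records that. Add a comment above the call such as `# kdump (presumably its init script) leaks a kdump_etc_t fd into ifconfig; dontaudit until the caller closes it`, so the rule is revisited once kdump is fixed. A dontaudit grants no access, but it also hides any future real read attempt on that config through an inherited descriptor; that is acceptable only if the interface is limited to inherited-descriptor permissions, which should be confirmed against kdump.if. The enclosing optional_policy list continues outside the hunk.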
@@ -44571,7 +44807,7 @@ index dfbe736..5740b79 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -355,3 +404,9 @@ optional_policy(`
+@@ -355,3 +408,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6253bd8..ee60eca 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.8
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,15 @@ exit 0
%endif
%changelog
+* Fri Nov 12 2010 Miroslav Grepl 3.9.8-5
+- Turn on mediawiki policy
+- kdump leaks kdump_etc_t to ifconfig, add dontaudit
+- uux needs to transition to uucpd_t
+- More init fixes relabels man,faillog
+- Remove maxima defs in libraries.fc
+- insmod needs to be able to create tmpfs_t files
+- ping needs setcap
+
* Wed Nov 10 2010 Miroslav Grepl 3.9.8-4
- Allow groupd transition to fenced domain when executes fence_node
- Fixes for rchs policy