diff --git a/policy-F15.patch b/policy-F15.patch
index fd599d3..f667cb2 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -2408,11 +2408,71 @@ index 0000000..0852151
+ fs_read_inherited_cifs_files(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+diff --git a/policy/modules/apps/cpufreqselector.if b/policy/modules/apps/cpufreqselector.if
+index ed94975..e43186f 100644
+--- a/policy/modules/apps/cpufreqselector.if
++++ b/policy/modules/apps/cpufreqselector.if
+@@ -1 +1,42 @@
+ ## <summary>Command-line CPU frequency settings.</summary>
++
++########################################
++## <summary>
++## Send a dbus message to
++## cpufreq-selector.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cpufreqselector_dbus_send',`
++ gen_require(`
++ type cpufreqselector_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 cpufreqselector_t:dbus send_msg;
++')
++
++########################################
++## <summary>
++## Send and receive messages from
++## cpufreq-selector over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`cpufreqselector_dbus_chat',`
++ gen_require(`
++ type cpufreqselector_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 cpufreqselector_t:dbus send_msg;
++ allow cpufreqselector_t $1:dbus send_msg;
++')
diff --git a/policy/modules/apps/cpufreqselector.te b/policy/modules/apps/cpufreqselector.te
-index 0457de1..f702cfe 100644
+index 0457de1..b440acb 100644
--- a/policy/modules/apps/cpufreqselector.te
+++ b/policy/modules/apps/cpufreqselector.te
-@@ -27,7 +27,7 @@ dev_rw_sysfs(cpufreqselector_t)
+@@ -16,6 +16,7 @@ application_domain(cpufreqselector_t, cpufreqselector_exec_t)
+
+ allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
+ allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
++allow cpufreqselector_t self:process getsched;
+
+ files_read_etc_files(cpufreqselector_t)
+ files_read_usr_files(cpufreqselector_t)
+@@ -24,10 +25,12 @@ corecmd_search_bin(cpufreqselector_t)
+
+ dev_rw_sysfs(cpufreqselector_t)
+
++kernel_read_system_state(cpufreqselector_t)
++
miscfiles_read_localization(cpufreqselector_t)
userdom_read_all_users_state(cpufreqselector_t)
@@ -2421,6 +2481,14 @@ index 0457de1..f702cfe 100644
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
+@@ -50,3 +53,7 @@ optional_policy(`
+ policykit_read_lib(cpufreqselector_t)
+ policykit_read_reload(cpufreqselector_t)
+ ')
++
++optional_policy(`
++ xserver_dbus_chat_xdm(cpufreqselector_t)
++')
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644
index 0000000..09f0673
@@ -2737,13 +2805,14 @@ index 0000000..0bbd523
+')
+
diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
-index 00a19e3..1aaa958 100644
+index 00a19e3..638c4cf 100644
--- a/policy/modules/apps/gnome.fc
+++ b/policy/modules/apps/gnome.fc
-@@ -1,9 +1,33 @@
+@@ -1,9 +1,34 @@
-HOME_DIR/\.config/gtk-.* gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
++HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
@@ -2777,7 +2846,7 @@ index 00a19e3..1aaa958 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..60258d1 100644
+index f5afe78..509c4c3 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,24 +1,29 @@
@@ -3349,7 +3418,7 @@ index f5afe78..60258d1 100644
')
########################################
-@@ -151,40 +568,257 @@ interface(`gnome_setattr_config_dirs',`
+@@ -151,40 +568,258 @@ interface(`gnome_setattr_config_dirs',`
########################################
## <summary>
@@ -3514,6 +3583,7 @@ index f5afe78..60258d1 100644
+
+ list_dirs_pattern($1, config_home_t, config_home_t)
+ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
@@ -3618,7 +3688,7 @@ index f5afe78..60258d1 100644
userdom_search_user_home_dirs($1)
')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..8e83829 100644
+index 2505654..10c3341 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
@@ -5,12 +5,25 @@ policy_module(gnome, 2.1.0)
@@ -3796,9 +3866,9 @@ index 2505654..8e83829 100644
+manage_files_pattern(gkeyringd_t, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
+filetrans_pattern(gkeyringd_t, gnome_home_t, gkeyringd_gnome_home_t, dir)
+
-+manage_dirs_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t)
-+manage_sock_files_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t)
-+files_tmp_filetrans(gkeyringd_t, gkeyringd_tmp_t, dir)
++#manage_dirs_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t)
++#manage_sock_files_pattern(gkeyringd_t, gkeyringd_tmp_t, gkeyringd_tmp_t)
++#files_tmp_filetrans(gkeyringd_t, gkeyringd_tmp_t, dir)
+
+kernel_read_crypto_sysctls(gkeyringd_t)
+
@@ -3914,7 +3984,7 @@ index 40e0a2a..f4a103c 100644
## <summary>
## Send generic signals to user gpg processes.
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..8af881a 100644
+index 9050e8c..504280f 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -4031,7 +4101,16 @@ index 9050e8c..8af881a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(gpg_pinentry_t)
-@@ -347,6 +372,12 @@ optional_policy(`
+@@ -342,11 +367,21 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+
+ optional_policy(`
++ gnome_read_home_config(gpg_pinentry_t)
++')
++
++optional_policy(`
+ dbus_session_bus_client(gpg_pinentry_t)
+ dbus_system_bus_client(gpg_pinentry_t)
')
optional_policy(`
@@ -4044,7 +4123,7 @@ index 9050e8c..8af881a 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +387,28 @@ optional_policy(`
+@@ -356,4 +391,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -7368,32 +7447,35 @@ index 0000000..5259647
+')
+
diff --git a/policy/modules/apps/screen.fc b/policy/modules/apps/screen.fc
-index 1f2cde4..7bb3047 100644
+index 1f2cde4..7227631 100644
--- a/policy/modules/apps/screen.fc
+++ b/policy/modules/apps/screen.fc
-@@ -2,6 +2,7 @@
+@@ -2,6 +2,9 @@
# /home
#
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
++
++/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
#
# /usr
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index 320df26..174ca5e 100644
+index 320df26..0e4ead0 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
-@@ -64,6 +64,9 @@ template(`screen_role_template',`
+@@ -64,6 +64,10 @@ template(`screen_role_template',`
files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
allow $1_screen_t screen_home_t:dir list_dir_perms;
+ manage_dirs_pattern($1_screen_t, screen_home_t, screen_home_t)
+ manage_fifo_files_pattern($1_screen_t, screen_home_t, screen_home_t)
+ userdom_user_home_dir_filetrans($1_screen_t, screen_home_t, dir)
++ userdom_admin_home_dir_filetrans($1_screen_t, screen_home_t, dir)
read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
-@@ -73,6 +76,7 @@ template(`screen_role_template',`
+@@ -73,6 +77,7 @@ template(`screen_role_template',`
allow $3 $1_screen_t:process { signal sigchld };
allow $1_screen_t $3:process signal;
@@ -7401,7 +7483,7 @@ index 320df26..174ca5e 100644
manage_dirs_pattern($3, screen_home_t, screen_home_t)
manage_files_pattern($3, screen_home_t, screen_home_t)
manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
-@@ -81,8 +85,6 @@ template(`screen_role_template',`
+@@ -81,8 +86,6 @@ template(`screen_role_template',`
relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -7410,7 +7492,7 @@ index 320df26..174ca5e 100644
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
kernel_read_system_state($1_screen_t)
-@@ -112,6 +114,7 @@ template(`screen_role_template',`
+@@ -112,6 +115,7 @@ template(`screen_role_template',`
# for SSP
dev_read_urand($1_screen_t)
@@ -9555,7 +9637,7 @@ index bc534c1..778d512 100644
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 3517db2..ebf38e4 100644
+index 3517db2..f798a69 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9660,7 +9742,7 @@ index 3517db2..ebf38e4 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
-+/usr/lib/debug <<none>>
++/usr/lib/debug(/.*)? <<none>>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ed203b2..d38c240 100644
--- a/policy/modules/kernel/files.if
@@ -12145,7 +12227,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..dd62b91 100644
+index 2be17d2..b7c4d13 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -12338,6 +12420,15 @@ index 2be17d2..dd62b91 100644
spamassassin_role(staff_r, staff_t)
')
+@@ -172,3 +291,8 @@ ifndef(`distro_redhat',`
+ wireshark_role(staff_r, staff_t)
+ ')
+ ')
++
++tunable_policy(`allow_execmod',`
++ userdom_execmod_user_home_files(staff_usertype)
++')
++
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4a8d146..a0a91fe 100644
--- a/policy/modules/roles/sysadm.te
@@ -13864,15 +13955,19 @@ index 0000000..ec21f9a
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..60cc0d5 100644
+index e5bfdd4..0c84965 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,55 @@ role user_r;
+@@ -12,15 +12,59 @@ role user_r;
userdom_unpriv_user_template(user)
+fs_exec_noxattr(user_t)
+
++tunable_policy(`allow_execmod',`
++ userdom_execmod_user_home_files(user_usertype)
++')
++
optional_policy(`
apache_role(user_r, user_t)
')
@@ -13923,7 +14018,7 @@ index e5bfdd4..60cc0d5 100644
vlock_run(user_t, user_r)
')
-@@ -62,10 +102,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +106,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -13934,7 +14029,7 @@ index e5bfdd4..60cc0d5 100644
gpg_role(user_r, user_t)
')
-@@ -118,7 +154,7 @@ ifndef(`distro_redhat',`
+@@ -118,7 +158,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -13943,7 +14038,7 @@ index e5bfdd4..60cc0d5 100644
')
optional_policy(`
-@@ -157,3 +193,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +197,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -20340,10 +20435,18 @@ index f35b243..c6b63be 100644
')
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
-index 1b492ed..286ec9e 100644
+index 1b492ed..3d09c0e 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
-@@ -71,3 +71,9 @@
+@@ -56,6 +56,7 @@
+
+ /var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+
+ /var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
+
+@@ -71,3 +72,9 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -20883,7 +20986,7 @@ index 0d5711c..bbc1a8f 100644
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
+')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 98e5af6..61bb74a 100644
+index 98e5af6..3c13628 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -74,9 +74,10 @@ files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
@@ -20898,7 +21001,16 @@ index 98e5af6..61bb74a 100644
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
-@@ -121,7 +122,9 @@ files_read_usr_files(system_dbusd_t)
+@@ -111,6 +112,8 @@ auth_read_pam_console_data(system_dbusd_t)
+ corecmd_list_bin(system_dbusd_t)
+ corecmd_read_bin_pipes(system_dbusd_t)
+ corecmd_read_bin_sockets(system_dbusd_t)
++# needed for system-tools-backends
++corecmd_exec_shell(system_dbusd_t)
+
+ domain_use_interactive_fds(system_dbusd_t)
+ domain_read_all_domains_state(system_dbusd_t)
+@@ -121,7 +124,9 @@ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
@@ -20908,7 +21020,7 @@ index 98e5af6..61bb74a 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +144,14 @@ optional_policy(`
+@@ -141,6 +146,14 @@ optional_policy(`
')
optional_policy(`
@@ -20923,7 +21035,7 @@ index 98e5af6..61bb74a 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -158,5 +169,12 @@ optional_policy(`
+@@ -158,5 +171,12 @@ optional_policy(`
#
# Unconfined access to this module
#
@@ -21996,10 +22108,10 @@ index 0000000..9d8f5de
+')
diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
new file mode 100644
-index 0000000..5df774f
+index 0000000..d28639e
--- /dev/null
+++ b/policy/modules/services/dirsrv.te
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,173 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -22110,6 +22222,8 @@ index 0000000..5df774f
+
+fs_getattr_all_fs(dirsrv_t)
+
++logging_send_syslog_msg(dirsrv_t)
++
+miscfiles_read_localization(dirsrv_t)
+
+sysnet_dns_name_resolve(dirsrv_t)
@@ -25336,7 +25450,7 @@ index 604f67b..31a6075 100644
+ files_tmp_filetrans($1, krb5_host_rcache_t, file)
+')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
-index 8edc29b..245d4ec 100644
+index 8edc29b..09dac65 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
@@ -25406,7 +25520,7 @@ index 8edc29b..245d4ec 100644
dev_read_sysfs(kadmind_t)
dev_read_rand(kadmind_t)
-@@ -149,6 +152,7 @@ selinux_validate_context(kadmind_t)
+@@ -149,17 +152,25 @@ selinux_validate_context(kadmind_t)
logging_send_syslog_msg(kadmind_t)
@@ -25414,7 +25528,26 @@ index 8edc29b..245d4ec 100644
miscfiles_read_localization(kadmind_t)
seutil_read_file_contexts(kadmind_t)
-@@ -193,13 +197,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+-sysnet_read_config(kadmind_t)
+ sysnet_use_ldap(kadmind_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
+ userdom_dontaudit_search_user_home_dirs(kadmind_t)
+
+ optional_policy(`
++ ldap_stream_connect(kadmind_t)
++')
++
++optional_policy(`
++ dirsrv_stream_connect(kadmind_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(kadmind_t)
+ ')
+
+@@ -193,13 +204,12 @@ can_exec(krb5kdc_t, krb5kdc_exec_t)
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
dontaudit krb5kdc_t krb5kdc_conf_t:file write;
@@ -25430,7 +25563,7 @@ index 8edc29b..245d4ec 100644
manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
-@@ -249,6 +252,7 @@ selinux_validate_context(krb5kdc_t)
+@@ -249,17 +259,25 @@ selinux_validate_context(krb5kdc_t)
logging_send_syslog_msg(krb5kdc_t)
@@ -25438,6 +25571,25 @@ index 8edc29b..245d4ec 100644
miscfiles_read_localization(krb5kdc_t)
seutil_read_file_contexts(krb5kdc_t)
+
+-sysnet_read_config(krb5kdc_t)
+ sysnet_use_ldap(krb5kdc_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
+ userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
+
+ optional_policy(`
++ ldap_stream_connect(krb5kdc_t)
++')
++
++optional_policy(`
++ dirsrv_stream_connect(krb5kdc_t)
++')
++
++optional_policy(`
+ nis_use_ypbind(krb5kdc_t)
+ ')
+
diff --git a/policy/modules/services/kerneloops.if b/policy/modules/services/kerneloops.if
index 835b16b..dd32883 100644
--- a/policy/modules/services/kerneloops.if
@@ -25811,7 +25963,7 @@ index 771e04b..81d98b3 100644
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t, $1_var_run_t, file)
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
-index 3acbf1d..ef07a0e 100644
+index 3acbf1d..ed036d1 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -17,7 +17,7 @@ type likewise_var_lib_t;
@@ -25823,6 +25975,15 @@ index 3acbf1d..ef07a0e 100644
type likewise_krb5_ad_t;
files_type(likewise_krb5_ad_t)
+@@ -137,7 +137,7 @@ selinux_validate_context(lsassd_t)
+ seutil_read_config(lsassd_t)
+ seutil_read_default_contexts(lsassd_t)
+ seutil_read_file_contexts(lsassd_t)
+-seutil_run_semanage(lsassd_t, lsassd_t)
++seutil_run_semanage(lsassd_t, system_r)
+
+ sysnet_use_ldap(lsassd_t)
+ sysnet_read_config(lsassd_t)
@@ -205,7 +205,7 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_
# Likewise DC location service local policy
#
@@ -27208,12 +27369,12 @@ index 0000000..0b9257a
+ xserver_dontaudit_read_xdm_pid(mpd_t)
+')
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
-index 256166a..c526ce8 100644
+index 256166a..15daf47 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,4 +1,5 @@
-HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
-+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
++HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
+HOME_DIR/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0)
/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -29008,7 +29169,7 @@ index 23c769c..be5a5b4 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
-index 4e28d58..01faaef 100644
+index 4e28d58..08ca30e 100644
--- a/policy/modules/services/nslcd.te
+++ b/policy/modules/services/nslcd.te
@@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -29020,6 +29181,23 @@ index 4e28d58..01faaef 100644
########################################
#
+@@ -24,7 +24,7 @@ files_type(nslcd_conf_t)
+ #
+
+ allow nslcd_t self:capability { setgid setuid dac_override };
+-allow nslcd_t self:process signal;
++allow nslcd_t self:process { setsched signal };
+ allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow nslcd_t nslcd_conf_t:file read_file_perms;
+@@ -37,6 +37,7 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+ kernel_read_system_state(nslcd_t)
+
+ files_read_etc_files(nslcd_t)
++files_read_usr_symlinks(nslcd_t)
+
+ auth_use_nsswitch(nslcd_t)
+
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index ded9fb6..9d1e60a 100644
--- a/policy/modules/services/ntop.te
@@ -30574,7 +30752,7 @@ index 9759ed8..48a5431 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index fb8dc84..ef11559 100644
+index fb8dc84..57fcfe1 100644
--- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te
@@ -19,6 +19,9 @@ files_type(plymouthd_spool_t)
@@ -30598,7 +30776,7 @@ index fb8dc84..ef11559 100644
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +67,20 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +67,22 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t)
@@ -30616,10 +30794,12 @@ index fb8dc84..ef11559 100644
+ xserver_xdm_manage_spool(plymouthd_t)
+')
+
++term_use_unallocated_ttys(plymouthd_t)
++
########################################
#
# Plymouth private policy
-@@ -74,6 +91,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +93,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t)
@@ -30627,7 +30807,7 @@ index fb8dc84..ef11559 100644
domain_use_interactive_fds(plymouth_t)
-@@ -87,7 +105,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +107,7 @@ sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t)
@@ -31336,7 +31516,7 @@ index 46bee12..b87375e 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..5a4973e 100644
+index 06e37d4..a069aae 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -31484,7 +31664,7 @@ index 06e37d4..5a4973e 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +307,14 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +307,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -31495,6 +31675,7 @@ index 06e37d4..5a4973e 100644
-# Might be a leak, but I need a postfix expert to explain
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
+userdom_read_user_home_content_files(postfix_local_t)
++userdom_exec_user_bin_files(postfix_local_t)
+
+tunable_policy(`allow_postfix_local_write_mail_spool',`
+ mta_manage_spool(postfix_local_t)
@@ -31502,7 +31683,7 @@ index 06e37d4..5a4973e 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -304,9 +329,18 @@ optional_policy(`
+@@ -304,9 +330,18 @@ optional_policy(`
')
optional_policy(`
@@ -31521,7 +31702,7 @@ index 06e37d4..5a4973e 100644
########################################
#
# Postfix map local policy
-@@ -390,8 +424,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+@@ -390,8 +425,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
# Postfix pipe local policy
#
@@ -31531,7 +31712,7 @@ index 06e37d4..5a4973e 100644
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +435,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +436,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -31540,7 +31721,7 @@ index 06e37d4..5a4973e 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +456,7 @@ optional_policy(`
+@@ -420,6 +457,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -31548,7 +31729,7 @@ index 06e37d4..5a4973e 100644
')
optional_policy(`
-@@ -436,6 +473,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,6 +474,9 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -31558,7 +31739,7 @@ index 06e37d4..5a4973e 100644
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
postfix_list_spool(postfix_postdrop_t)
-@@ -519,7 +559,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +560,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -31567,7 +31748,7 @@ index 06e37d4..5a4973e 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +579,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +580,7 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -31576,7 +31757,7 @@ index 06e37d4..5a4973e 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +628,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +629,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -31593,7 +31774,7 @@ index 06e37d4..5a4973e 100644
')
optional_policy(`
-@@ -611,8 +657,8 @@ optional_policy(`
+@@ -611,8 +658,8 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -31603,7 +31784,7 @@ index 06e37d4..5a4973e 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +676,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +677,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -41107,7 +41288,7 @@ index da2601a..06e7dd4 100644
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 145fc4b..bfb9c7a 100644
+index 145fc4b..9a7611b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -41749,7 +41930,7 @@ index 145fc4b..bfb9c7a 100644
')
optional_policy(`
-@@ -516,12 +737,50 @@ optional_policy(`
+@@ -516,12 +737,54 @@ optional_policy(`
')
optional_policy(`
@@ -41768,6 +41949,10 @@ index 145fc4b..bfb9c7a 100644
+ bluetooth_dbus_chat(xdm_t)
+ ')
+
++ optional_policy(`
++ cpufreqselector_dbus_send(xdm_t)
++ ')
++
+ optional_policy(`
+ devicekit_dbus_chat_disk(xdm_t)
+ devicekit_dbus_chat_power(xdm_t)
@@ -41800,7 +41985,7 @@ index 145fc4b..bfb9c7a 100644
hostname_exec(xdm_t)
')
-@@ -539,28 +798,64 @@ optional_policy(`
+@@ -539,28 +802,64 @@ optional_policy(`
')
optional_policy(`
@@ -41874,7 +42059,7 @@ index 145fc4b..bfb9c7a 100644
')
optional_policy(`
-@@ -572,6 +867,10 @@ optional_policy(`
+@@ -572,6 +871,10 @@ optional_policy(`
')
optional_policy(`
@@ -41885,7 +42070,7 @@ index 145fc4b..bfb9c7a 100644
xfs_stream_connect(xdm_t)
')
-@@ -596,7 +895,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -596,7 +899,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -41894,7 +42079,7 @@ index 145fc4b..bfb9c7a 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -610,6 +909,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -610,6 +913,14 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -41909,7 +42094,7 @@ index 145fc4b..bfb9c7a 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -629,12 +936,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -629,12 +940,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -41931,7 +42116,7 @@ index 145fc4b..bfb9c7a 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -642,6 +956,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -642,6 +960,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -41939,7 +42124,7 @@ index 145fc4b..bfb9c7a 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -668,7 +983,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -668,7 +987,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -41947,7 +42132,7 @@ index 145fc4b..bfb9c7a 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -678,11 +992,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -678,11 +996,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -41965,7 +42150,7 @@ index 145fc4b..bfb9c7a 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -693,8 +1013,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -693,8 +1017,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -41979,7 +42164,7 @@ index 145fc4b..bfb9c7a 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -716,11 +1041,14 @@ logging_send_audit_msgs(xserver_t)
+@@ -716,11 +1045,14 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -41994,7 +42179,7 @@ index 145fc4b..bfb9c7a 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -773,12 +1101,28 @@ optional_policy(`
+@@ -773,12 +1105,28 @@ optional_policy(`
')
optional_policy(`
@@ -42024,7 +42209,7 @@ index 145fc4b..bfb9c7a 100644
unconfined_domtrans(xserver_t)
')
-@@ -787,6 +1131,10 @@ optional_policy(`
+@@ -787,6 +1135,10 @@ optional_policy(`
')
optional_policy(`
@@ -42035,7 +42220,7 @@ index 145fc4b..bfb9c7a 100644
xfs_stream_connect(xserver_t)
')
-@@ -802,10 +1150,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -802,10 +1154,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -42049,7 +42234,7 @@ index 145fc4b..bfb9c7a 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -813,7 +1161,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -813,7 +1165,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -42058,7 +42243,7 @@ index 145fc4b..bfb9c7a 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -826,6 +1174,9 @@ init_use_fds(xserver_t)
+@@ -826,6 +1178,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -42068,7 +42253,7 @@ index 145fc4b..bfb9c7a 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -833,6 +1184,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -833,6 +1188,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -42080,7 +42265,7 @@ index 145fc4b..bfb9c7a 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -841,11 +1197,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -841,11 +1201,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -42097,7 +42282,7 @@ index 145fc4b..bfb9c7a 100644
')
optional_policy(`
-@@ -853,6 +1212,10 @@ optional_policy(`
+@@ -853,6 +1216,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -42108,7 +42293,7 @@ index 145fc4b..bfb9c7a 100644
########################################
#
# Rules common to all X window domains
-@@ -896,7 +1259,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -896,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -42117,7 +42302,7 @@ index 145fc4b..bfb9c7a 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -950,11 +1313,31 @@ allow x_domain self:x_resource { read write };
+@@ -950,11 +1317,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -42149,7 +42334,7 @@ index 145fc4b..bfb9c7a 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -976,18 +1359,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -976,18 +1363,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -46572,19 +46757,23 @@ index 74a4466..9061149 100644
dev_rw_xserver_misc(insmod_t)
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..e3d06fd 100644
+index 72c746e..3d0bc28 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,10 @@
+@@ -1,4 +1,14 @@
++/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
++/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++
+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
++
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
+/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
-
--/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
++
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
@@ -46821,7 +47010,7 @@ index 8b5c196..83107f9 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 15832c7..6ee04e2 100644
+index 15832c7..dd4dc03 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -46840,7 +47029,7 @@ index 15832c7..6ee04e2 100644
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
-@@ -28,6 +35,17 @@ files_tmp_file(mount_tmp_t)
+@@ -28,6 +35,18 @@ files_tmp_file(mount_tmp_t)
# policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t, mount_exec_t)
@@ -46848,6 +47037,7 @@ index 15832c7..6ee04e2 100644
+
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
++dev_associate(mount_var_run_t)
+
+# showmount - show mount information for an NFS server
+
@@ -46858,7 +47048,7 @@ index 15832c7..6ee04e2 100644
########################################
#
-@@ -35,7 +53,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
+@@ -35,7 +54,11 @@ application_domain(unconfined_mount_t, mount_exec_t)
#
# setuid/setgid needed to mount cifs
@@ -46871,7 +47061,7 @@ index 15832c7..6ee04e2 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -46,9 +68,23 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,9 +69,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -46879,6 +47069,7 @@ index 15832c7..6ee04e2 100644
+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
+files_pid_filetrans(mount_t,mount_var_run_t,dir)
+files_var_filetrans(mount_t,mount_var_run_t,dir)
++dev_filetrans(mount_t, mount_var_run_t, dir)
+
+# In order to mount reiserfs_t
+kernel_dontaudit_getattr_core_if(mount_t)
@@ -46896,7 +47087,7 @@ index 15832c7..6ee04e2 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -57,50 +93,73 @@ kernel_request_load_module(mount_t)
+@@ -57,50 +95,73 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -46978,7 +47169,7 @@ index 15832c7..6ee04e2 100644
selinux_get_enforce_mode(mount_t)
-@@ -108,6 +167,7 @@ storage_raw_read_fixed_disk(mount_t)
+@@ -108,6 +169,7 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@@ -46986,7 +47177,7 @@ index 15832c7..6ee04e2 100644
term_use_all_terms(mount_t)
-@@ -116,6 +176,8 @@ auth_use_nsswitch(mount_t)
+@@ -116,6 +178,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -46995,7 +47186,7 @@ index 15832c7..6ee04e2 100644
logging_send_syslog_msg(mount_t)
-@@ -126,6 +188,12 @@ sysnet_use_portmap(mount_t)
+@@ -126,6 +190,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@@ -47008,7 +47199,7 @@ index 15832c7..6ee04e2 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -141,10 +209,17 @@ ifdef(`distro_ubuntu',`
+@@ -141,10 +211,17 @@ ifdef(`distro_ubuntu',`
')
')
@@ -47026,7 +47217,7 @@ index 15832c7..6ee04e2 100644
')
optional_policy(`
-@@ -174,6 +249,8 @@ optional_policy(`
+@@ -174,6 +251,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -47035,7 +47226,7 @@ index 15832c7..6ee04e2 100644
')
optional_policy(`
-@@ -181,6 +258,28 @@ optional_policy(`
+@@ -181,6 +260,28 @@ optional_policy(`
')
optional_policy(`
@@ -47064,7 +47255,7 @@ index 15832c7..6ee04e2 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -188,13 +287,44 @@ optional_policy(`
+@@ -188,13 +289,44 @@ optional_policy(`
')
')
@@ -47109,7 +47300,7 @@ index 15832c7..6ee04e2 100644
')
########################################
-@@ -203,6 +333,42 @@ optional_policy(`
+@@ -203,6 +335,42 @@ optional_policy(`
#
optional_policy(`
@@ -47154,18 +47345,23 @@ index 15832c7..6ee04e2 100644
+
+userdom_use_user_terminals(showmount_t)
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
-index ed9c70d..42d3890 100644
+index ed9c70d..b961d53 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
-@@ -1,4 +1,5 @@
+@@ -1,4 +1,10 @@
-/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
++
++#669402
++/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
-index 09845c4..6500830 100644
+index 09845c4..a49121b 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -47182,9 +47378,11 @@ index 09845c4..6500830 100644
########################################
#
-@@ -26,12 +24,11 @@ dontaudit mdadm_t self:capability sys_tty_config;
+@@ -25,13 +23,13 @@ allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
+ dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
++allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
-# create .mdadm files in /dev
-allow mdadm_t mdadm_map_t:file manage_file_perms;
@@ -47199,7 +47397,7 @@ index 09845c4..6500830 100644
kernel_read_system_state(mdadm_t)
kernel_read_kernel_sysctls(mdadm_t)
-@@ -52,13 +49,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+@@ -52,13 +50,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
# unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
@@ -47217,6 +47415,14 @@ index 09845c4..6500830 100644
fs_dontaudit_list_tmpfs(mdadm_t)
mls_file_read_all_levels(mdadm_t)
+@@ -68,6 +69,7 @@ mls_file_write_all_levels(mdadm_t)
+ storage_manage_fixed_disk(mdadm_t)
+ storage_dev_filetrans_fixed_disk(mdadm_t)
+ storage_read_scsi_generic(mdadm_t)
++storage_write_scsi_generic(mdadm_t)
+
+ term_dontaudit_list_ptys(mdadm_t)
+
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2cc4bda..9e81136 100644
--- a/policy/modules/system/selinuxutil.fc
@@ -47669,7 +47875,7 @@ index 170e2c7..d95624d 100644
+')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..ad1d4ca 100644
+index 7ed9819..d6a6763 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -47767,7 +47973,15 @@ index 7ed9819..ad1d4ca 100644
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -260,25 +274,25 @@ term_relabel_all_ptys(newrole_t)
+@@ -233,6 +247,7 @@ domain_use_interactive_fds(newrole_t)
+ # for when the user types "exec newrole" at the command line:
+ domain_sigchld_interactive_fds(newrole_t)
+
++files_list_var(newrole_t)
+ files_read_etc_files(newrole_t)
+ files_read_var_files(newrole_t)
+ files_read_var_symlinks(newrole_t)
+@@ -260,25 +275,30 @@ term_relabel_all_ptys(newrole_t)
term_getattr_unallocated_ttys(newrole_t)
term_dontaudit_use_unallocated_ttys(newrole_t)
@@ -47792,6 +48006,11 @@ index 7ed9819..ad1d4ca 100644
userdom_dontaudit_search_user_home_content(newrole_t)
userdom_search_user_home_dirs(newrole_t)
++# need to talk with dbus
++optional_policy(`
++ dbus_system_bus_client(newrole_t)
++')
++
+optional_policy(`
+ xserver_dontaudit_exec_xauth(newrole_t)
+')
@@ -47799,7 +48018,7 @@ index 7ed9819..ad1d4ca 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(newrole_t)
-@@ -312,6 +326,8 @@ kernel_use_fds(restorecond_t)
+@@ -312,6 +332,8 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -47808,7 +48027,7 @@ index 7ed9819..ad1d4ca 100644
fs_relabelfrom_noxattr_fs(restorecond_t)
fs_dontaudit_list_nfs(restorecond_t)
fs_getattr_xattr_fs(restorecond_t)
-@@ -335,6 +351,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -335,6 +357,8 @@ miscfiles_read_localization(restorecond_t)
seutil_libselinux_linked(restorecond_t)
@@ -47817,7 +48036,7 @@ index 7ed9819..ad1d4ca 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -353,7 +371,7 @@ optional_policy(`
+@@ -353,7 +377,7 @@ optional_policy(`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -47826,7 +48045,7 @@ index 7ed9819..ad1d4ca 100644
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -380,6 +398,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +404,8 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -47835,10 +48054,15 @@ index 7ed9819..ad1d4ca 100644
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
-@@ -405,6 +425,10 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +431,15 @@ ifndef(`direct_sysadm_daemon',`
')
')
++# need to talk with dbus
++optional_policy(`
++ dbus_system_bus_client(run_init_t)
++')
++
+optional_policy(`
+ rpm_domtrans(run_init_t)
+')
@@ -47846,7 +48070,7 @@ index 7ed9819..ad1d4ca 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -420,61 +444,22 @@ optional_policy(`
+@@ -420,61 +455,22 @@ optional_policy(`
# semodule local policy
#
@@ -47860,20 +48084,20 @@ index 7ed9819..ad1d4ca 100644
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
-
+-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-
+-
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+
-domain_use_interactive_fds(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+
-files_read_etc_files(semanage_t)
-files_read_etc_runtime_files(semanage_t)
-files_read_usr_files(semanage_t)
@@ -47916,7 +48140,7 @@ index 7ed9819..ad1d4ca 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -487,118 +472,64 @@ ifdef(`distro_debian',`
+@@ -487,118 +483,64 @@ ifdef(`distro_debian',`
files_read_var_lib_symlinks(semanage_t)
')
@@ -47976,18 +48200,12 @@ index 7ed9819..ad1d4ca 100644
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
+-
-mls_file_read_all_levels(setfiles_t)
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
-
+-
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
@@ -48007,9 +48225,15 @@ index 7ed9819..ad1d4ca 100644
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+
-miscfiles_read_localization(setfiles_t)
--
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
+
-seutil_libselinux_linked(setfiles_t)
+########################################
+#
@@ -49744,7 +49968,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..4a3297c 100644
+index 28b88de..1af5d77 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -50193,7 +50417,7 @@ index 28b88de..4a3297c 100644
##############################
#
-@@ -500,73 +567,78 @@ template(`userdom_common_user_template',`
+@@ -500,73 +567,79 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -50208,6 +50432,7 @@ index 28b88de..4a3297c 100644
- kernel_read_net_sysctls($1_t)
+ kernel_read_system_state($1_usertype)
+ kernel_read_network_state($1_usertype)
++ kernel_read_software_raid_state($1_usertype)
+ kernel_read_net_sysctls($1_usertype)
# Very permissive allowing every domain to see every type:
- kernel_get_sysvipc_info($1_t)
@@ -50311,7 +50536,7 @@ index 28b88de..4a3297c 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +646,110 @@ template(`userdom_common_user_template',`
+@@ -574,67 +647,110 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -50440,7 +50665,7 @@ index 28b88de..4a3297c 100644
')
optional_policy(`
-@@ -650,41 +765,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +766,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -50502,7 +50727,7 @@ index 28b88de..4a3297c 100644
')
#######################################
-@@ -712,13 +836,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +837,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -50534,7 +50759,7 @@ index 28b88de..4a3297c 100644
userdom_change_password_template($1)
-@@ -736,72 +873,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +874,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -50643,7 +50868,7 @@ index 28b88de..4a3297c 100644
')
')
-@@ -833,6 +969,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +970,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -50653,7 +50878,7 @@ index 28b88de..4a3297c 100644
##############################
#
# Local policy
-@@ -874,45 +1013,107 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1014,107 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -50772,7 +50997,7 @@ index 28b88de..4a3297c 100644
')
')
-@@ -947,7 +1148,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1149,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -50781,7 +51006,7 @@ index 28b88de..4a3297c 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1157,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1158,77 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -50889,7 +51114,7 @@ index 28b88de..4a3297c 100644
')
')
-@@ -1039,7 +1263,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1264,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -50898,7 +51123,7 @@ index 28b88de..4a3297c 100644
')
##############################
-@@ -1074,6 +1298,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1299,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -50908,7 +51133,7 @@ index 28b88de..4a3297c 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1315,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1316,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -50916,7 +51141,7 @@ index 28b88de..4a3297c 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1119,10 +1347,13 @@ template(`userdom_admin_user_template',`
+@@ -1119,10 +1348,13 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -50930,7 +51155,7 @@ index 28b88de..4a3297c 100644
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1142,6 +1373,7 @@ template(`userdom_admin_user_template',`
+@@ -1142,6 +1374,7 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -50938,7 +51163,7 @@ index 28b88de..4a3297c 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1442,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1443,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -50947,7 +51172,7 @@ index 28b88de..4a3297c 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1237,6 +1471,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1472,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -50955,7 +51180,7 @@ index 28b88de..4a3297c 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1514,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1515,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -50993,7 +51218,7 @@ index 28b88de..4a3297c 100644
ubac_constrained($1)
')
-@@ -1395,6 +1656,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1657,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -51001,7 +51226,7 @@ index 28b88de..4a3297c 100644
files_search_home($1)
')
-@@ -1441,6 +1703,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1704,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -51016,7 +51241,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -1456,9 +1726,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1727,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -51028,7 +51253,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -1515,6 +1787,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1788,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -51071,7 +51296,7 @@ index 28b88de..4a3297c 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +1897,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1898,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -51080,7 +51305,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -1603,10 +1913,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1914,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -51095,7 +51320,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -1649,6 +1961,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1962,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -51121,7 +51346,7 @@ index 28b88de..4a3297c 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2031,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2032,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -51154,7 +51379,7 @@ index 28b88de..4a3297c 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2067,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2068,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -51172,7 +51397,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -1810,8 +2164,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2165,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -51182,7 +51407,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -1827,20 +2180,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2181,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -51207,7 +51432,7 @@ index 28b88de..4a3297c 100644
########################################
## <summary>
-@@ -2182,7 +2529,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2530,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -51216,7 +51441,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -2435,13 +2782,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2783,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -51232,7 +51457,7 @@ index 28b88de..4a3297c 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2810,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2811,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -51259,7 +51484,7 @@ index 28b88de..4a3297c 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2815,7 +3143,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3144,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -51268,7 +51493,7 @@ index 28b88de..4a3297c 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3159,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3160,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -51284,7 +51509,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -2917,7 +3247,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3248,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -51293,7 +51518,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -2972,7 +3302,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3303,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -51340,7 +51565,7 @@ index 28b88de..4a3297c 100644
')
########################################
-@@ -3009,6 +3377,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3378,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -51348,7 +51573,7 @@ index 28b88de..4a3297c 100644
kernel_search_proc($1)
')
-@@ -3139,3 +3508,1041 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3509,1041 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6412873..cfc84d3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.13
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,16 @@ exit 0
%endif
%changelog
+* Fri Jan 21 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-4
+- nslcd needs setsched and to read /usr/tmp
+- Invalid call in likewise policy ends up creating a bogus role
+- Cannon puts content into /var/lib/bjlib that cups needs to be able to write
+- Allow screen to create screen_home_t in /root
+- dirsrv sends syslog messages
+- pinentry reads stuff in .kde directory
+- Add labels for .kde directory in homedir
+- Treat irpinit, iprupdate, iprdump services with raid policy
+
* Wed Jan 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-3
- NetworkManager wants to read consolekit_var_run_t
- Allow readahead to create /dev/.systemd/readahead