diff --git a/policy-F16.patch b/policy-F16.patch
index 3dbb7e8..a0439ac 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -965,11 +965,54 @@ index c4d8998..f808287 100644
xserver_unconfined(firstboot_t)
+ xserver_stream_connect(firstboot_t)
')
+diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
+index c66934f..1aa1205 100644
+--- a/policy/modules/admin/kdump.fc
++++ b/policy/modules/admin/kdump.fc
+@@ -1,5 +1,7 @@
+ /etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+ /etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
+
++/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
+ /sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
-index 4198ff5..df3f4d6 100644
+index 4198ff5..a296bfa 100644
--- a/policy/modules/admin/kdump.if
+++ b/policy/modules/admin/kdump.if
-@@ -56,6 +56,24 @@ interface(`kdump_read_config',`
+@@ -37,6 +37,30 @@ interface(`kdump_initrc_domtrans',`
+ init_labeled_script_domtrans($1, kdump_initrc_exec_t)
+ ')
+
++########################################
++## <summary>
++## Execute kdump server in the kdump domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`kdump_systemctl',`
++ gen_require(`
++ type kdump_unit_file_t;
++ type kdump_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 kdump_unit_file_t:file read_file_perms;
++ allow $1 kdump_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, kdump_t)
++')
++
+ #####################################
+ ## <summary>
+ ## Read kdump configuration file.
+@@ -56,6 +80,24 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
@@ -994,6 +1037,20 @@ index 4198ff5..df3f4d6 100644
####################################
## <summary>
## Manage kdump configuration file.
+diff --git a/policy/modules/admin/kdump.te b/policy/modules/admin/kdump.te
+index b29d8e2..bcd9273 100644
+--- a/policy/modules/admin/kdump.te
++++ b/policy/modules/admin/kdump.te
+@@ -15,6 +15,9 @@ files_config_file(kdump_etc_t)
+ type kdump_initrc_exec_t;
+ init_script_file(kdump_initrc_exec_t)
+
++type kdump_unit_file_t;
++systemd_unit_file(kdump_unit_file_t)
++
+ #####################################
+ #
+ # kdump local policy
diff --git a/policy/modules/admin/kismet.te b/policy/modules/admin/kismet.te
index 9dd6880..4b7fa27 100644
--- a/policy/modules/admin/kismet.te
@@ -1381,7 +1438,7 @@ index 75ee31d..a28ab46 100644
+ allow $2 ncftool_t:process signal;
+')
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
-index ec29391..41b58fd 100644
+index ec29391..b25d59a 100644
--- a/policy/modules/admin/ncftool.te
+++ b/policy/modules/admin/ncftool.te
@@ -18,9 +18,13 @@ role system_r types ncftool_t;
@@ -1422,6 +1479,14 @@ index ec29391..41b58fd 100644
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
+@@ -66,6 +76,7 @@ optional_policy(`
+
+ optional_policy(`
+ iptables_initrc_domtrans(ncftool_t)
++ iptables_systemctl(ncftool_t)
+ ')
+
+ optional_policy(`
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 407078f..a818e14 100644
--- a/policy/modules/admin/netutils.fc
@@ -1674,10 +1739,10 @@ index 0000000..bd83148
+## <summary>No Interfaces</summary>
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..3008c85
+index 0000000..f95087c
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,244 @@
+policy_module(permissivedomains,16)
+
+optional_policy(`
@@ -1914,6 +1979,14 @@ index 0000000..3008c85
+ permissive glance_api_t;
+')
+
++optional_policy(`
++ gen_require(`
++ type thumb_t;
++ ')
++
++ permissive thumb_t;
++')
++
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
@@ -4644,10 +4717,10 @@ index 0000000..2bd5790
+')
diff --git a/policy/modules/apps/firewallgui.te b/policy/modules/apps/firewallgui.te
new file mode 100644
-index 0000000..5e96d3d
+index 0000000..86b640d
--- /dev/null
+++ b/policy/modules/apps/firewallgui.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,72 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
@@ -4710,6 +4783,7 @@ index 0000000..5e96d3d
+optional_policy(`
+ iptables_domtrans(firewallgui_t)
+ iptables_initrc_domtrans(firewallgui_t)
++ iptables_systemctl(firewallgui_t)
+')
+
+optional_policy(`
@@ -6996,7 +7070,7 @@ index 0000000..6d0c9e3
+')
+
diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..e4ccac2 100644
+index 2dde73a..8ebd16b 100644
--- a/policy/modules/apps/kdumpgui.te
+++ b/policy/modules/apps/kdumpgui.te
@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
@@ -7021,6 +7095,14 @@ index 2dde73a..e4ccac2 100644
optional_policy(`
consoletype_exec(kdumpgui_t)
')
+@@ -58,6 +66,7 @@ optional_policy(`
+ optional_policy(`
+ kdump_manage_config(kdumpgui_t)
+ kdump_initrc_domtrans(kdumpgui_t)
++ kdump_systemctl(kdumpgui_t)
+ ')
+
+ optional_policy(`
diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if
index b2e27ec..c324f94 100644
--- a/policy/modules/apps/livecd.if
@@ -8262,7 +8344,7 @@ index 0000000..1925bd9
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..3700bcb
+index 0000000..9bf1dd8
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
@@ -0,0 +1,338 @@
@@ -8557,24 +8639,24 @@ index 0000000..3700bcb
+ fs_getattr_nfs(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_t)
+ fs_manage_nfs_files(nsplugin_t)
-+ fs_read_nfs_symlinks(nsplugin_t)
++ fs_manage_nfs_symlinks(nsplugin_t)
+ fs_manage_nfs_named_pipes(nsplugin_t)
+ fs_manage_nfs_dirs(nsplugin_config_t)
+ fs_manage_nfs_files(nsplugin_config_t)
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
-+ fs_read_nfs_symlinks(nsplugin_config_t)
++ fs_manage_nfs_symlinks(nsplugin_config_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_getattr_cifs(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_t)
+ fs_manage_cifs_files(nsplugin_t)
-+ fs_read_cifs_symlinks(nsplugin_t)
++ fs_manage_cifs_symlinks(nsplugin_t)
+ fs_manage_cifs_named_pipes(nsplugin_t)
+ fs_manage_cifs_dirs(nsplugin_config_t)
+ fs_manage_cifs_files(nsplugin_config_t)
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
-+ fs_read_cifs_symlinks(nsplugin_config_t)
++ fs_manage_cifs_symlinks(nsplugin_config_t)
+')
+
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
@@ -9178,7 +9260,7 @@ index 4c091ca..a58f123 100644
+
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
-index f594e12..340c389 100644
+index f594e12..c4ee834 100644
--- a/policy/modules/apps/sambagui.te
+++ b/policy/modules/apps/sambagui.te
@@ -27,6 +27,7 @@ corecmd_exec_bin(sambagui_t)
@@ -9189,6 +9271,14 @@ index f594e12..340c389 100644
files_read_etc_files(sambagui_t)
files_search_var_lib(sambagui_t)
files_read_usr_files(sambagui_t)
+@@ -56,6 +57,7 @@ optional_policy(`
+ samba_manage_var_files(sambagui_t)
+ samba_read_secrets(sambagui_t)
+ samba_initrc_domtrans(sambagui_t)
++ samba_systemctl(sambagui_t)
+ samba_domtrans_smbd(sambagui_t)
+ samba_domtrans_nmbd(sambagui_t)
+ ')
diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
new file mode 100644
index 0000000..6caef63
@@ -10769,6 +10859,149 @@ index 2533ea0..11187e0 100644
+
+ role unconfined_r types telepathy_domain;
+')
+diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
+new file mode 100644
+index 0000000..a4be758
+--- /dev/null
++++ b/policy/modules/apps/thumb.fc
+@@ -0,0 +1,4 @@
++
++/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
++/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
+diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
+new file mode 100644
+index 0000000..b78aa77
+--- /dev/null
++++ b/policy/modules/apps/thumb.if
+@@ -0,0 +1,79 @@
++
++## <summary>policy for thumb</summary>
++
++
++########################################
++## <summary>
++## Transition to thumb.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`thumb_domtrans',`
++ gen_require(`
++ type thumb_t, thumb_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, thumb_exec_t, thumb_t)
++')
++
++
++########################################
++## <summary>
++## Execute thumb in the thumb domain, and
++## allow the specified role the thumb domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the thumb domain.
++## </summary>
++## </param>
++#
++interface(`thumb_run',`
++ gen_require(`
++ type thumb_t;
++ ')
++
++ thumb_domtrans($1)
++ role $2 types thumb_t;
++
++ allow $1 thumb_t:process signal;
++')
++
++########################################
++## <summary>
++## Role access for thumb
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## User domain for the role
++## </summary>
++## </param>
++#
++interface(`thumb_role',`
++ gen_require(`
++ type thumb_t;
++ ')
++
++ role $1 types thumb_t;
++
++ thumb_domtrans($2)
++
++ ps_process_pattern($2, thumb_t)
++ allow $2 thumb_t:process signal;
++')
++
+diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
+new file mode 100644
+index 0000000..7eba136
+--- /dev/null
++++ b/policy/modules/apps/thumb.te
+@@ -0,0 +1,42 @@
++policy_module(thumb, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type thumb_t;
++type thumb_exec_t;
++application_domain(thumb_t, thumb_exec_t)
++role system_r types thumb_t;
++
++type thumb_tmp_t;
++files_tmp_file(thumb_tmp_t)
++
++########################################
++#
++# thumb local policy
++#
++
++allow thumb_t self:process { setsched signal setrlimit };
++
++allow thumb_t self:fifo_file manage_fifo_file_perms;
++allow thumb_t self:unix_stream_socket create_stream_socket_perms;
++
++domain_use_interactive_fds(thumb_t)
++
++kernel_read_system_state(thumb_t)
++
++files_read_etc_files(thumb_t)
++files_read_usr_files(thumb_t)
++
++manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
++userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
++
++miscfiles_read_fonts(thumb_t)
++miscfiles_read_localization(thumb_t)
++
++userdom_read_user_tmp_files(thumb_t)
++userdom_read_user_home_content_files(thumb_t)
++userdom_dontaudit_write_user_tmp_files(thumb_t)
++userdom_use_inherited_user_ptys(thumb_t)
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 11fe4f2..98bfbf3 100644
--- a/policy/modules/apps/tvtime.te
@@ -12996,7 +13229,7 @@ index 35fed4f..49f27ca 100644
type $1_server_packet_t, packet_type, server_packet_type;
declare_ports($1_port_t,shift($*))dnl
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..a9038b9 100644
+index 6cf8784..ff9dad6 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -20,6 +20,7 @@
@@ -13007,15 +13240,26 @@ index 6cf8784..a9038b9 100644
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -57,6 +58,7 @@
+@@ -57,8 +58,10 @@
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/loop-control -c gen_context(system_u:object_r:loop_control_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
++/dev/media.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -187,8 +189,6 @@ ifdef(`distro_suse', `
+ /dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+@@ -126,6 +129,7 @@ ifdef(`distro_suse', `
+ /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/watchdog -c gen_context(system_u:object_r:watchdog_device_t,s0)
++/dev/cdc-wdm[0-1] -c gen_context(system_u:object_r:wireless_device_t,s0)
+ /dev/winradio. -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/z90crypt -c gen_context(system_u:object_r:crypt_device_t,s0)
+ /dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
+@@ -187,8 +191,6 @@ ifdef(`distro_suse', `
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
@@ -13024,7 +13268,7 @@ index 6cf8784..a9038b9 100644
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +196,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +198,8 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -13034,7 +13278,7 @@ index 6cf8784..a9038b9 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..2429787 100644
+index f820f3b..aa0635f 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -13434,6 +13678,15 @@ index f820f3b..2429787 100644
## </summary>
## </param>
#
+@@ -2932,7 +3168,7 @@ interface(`dev_dontaudit_write_mtrr',`
+ ')
+
+ dontaudit $1 mtrr_device_t:file write;
+- dontaudit $1 mtrr_device_t:chr_file write;
++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
+ ')
+
+ ########################################
@@ -3210,24 +3446,6 @@ interface(`dev_rw_printer',`
########################################
@@ -13622,7 +13875,7 @@ index f820f3b..2429787 100644
## Read and write VMWare devices.
## </summary>
## <param name="domain">
-@@ -4784,3 +5092,772 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5092,794 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -13835,6 +14088,16 @@ index f820f3b..2429787 100644
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
+ filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
+ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
@@ -14133,6 +14396,8 @@ index f820f3b..2429787 100644
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "cdc-wdm0")
++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "cdc-wdm1")
+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
@@ -14235,6 +14500,16 @@ index f820f3b..2429787 100644
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
+ filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
+ filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
@@ -18484,10 +18759,10 @@ index 1700ef2..6b7eabb 100644
+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..6d27fb3 100644
+index 7d45d15..eeb5889 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,11 @@
+@@ -14,11 +14,12 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
@@ -18496,18 +18771,19 @@ index 7d45d15..6d27fb3 100644
/dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
++/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +41,5 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..ea0ff94 100644
+index 01dd2f1..7a8e118 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -18638,17 +18914,37 @@ index 01dd2f1..ea0ff94 100644
## </summary>
## </param>
#
-@@ -1240,7 +1302,8 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1240,7 +1302,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+ init_dontaudit_use_fds($1)
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++## <summary>
++## Read and write USB tty character
++## device nodes.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`term_use_usb_ttys',`
++ gen_require(`
++ type usbtty_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 usbtty_device_t:chr_file rw_chr_file_perms;
')
########################################
-@@ -1256,11 +1319,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1256,11 +1339,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -18662,7 +18958,7 @@ index 01dd2f1..ea0ff94 100644
')
########################################
-@@ -1277,10 +1342,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1277,10 +1362,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -18675,7 +18971,7 @@ index 01dd2f1..ea0ff94 100644
')
########################################
-@@ -1358,7 +1425,27 @@ interface(`term_use_all_ttys',`
+@@ -1358,7 +1445,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -18704,7 +19000,7 @@ index 01dd2f1..ea0ff94 100644
')
########################################
-@@ -1377,7 +1464,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1377,7 +1484,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -18713,7 +19009,7 @@ index 01dd2f1..ea0ff94 100644
')
########################################
-@@ -1485,7 +1572,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1485,7 +1592,7 @@ interface(`term_use_all_user_ttys',`
## </summary>
## <param name="domain">
## <summary>
@@ -18722,7 +19018,7 @@ index 01dd2f1..ea0ff94 100644
## </summary>
## </param>
#
-@@ -1493,3 +1580,416 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1493,3 +1600,426 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -19117,6 +19413,16 @@ index 01dd2f1..ea0ff94 100644
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG7")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG8")
+ dev_filetrans($1, tty_device_t, chr_file, "ttySG9")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB0")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB1")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB2")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB3")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB4")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB5")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB6")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB7")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB8")
++ dev_filetrans($1, usbtty_device_t, chr_file, "ttyUSB9")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p0")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p1")
+ dev_filetrans($1, virtio_device_t, chr_file, "vport0p2")
@@ -22605,7 +22911,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..83dbd34 100644
+index 9e39aa5..8002a1f 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
@@ -22632,7 +22938,7 @@ index 9e39aa5..83dbd34 100644
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_t,s0)
++/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -22744,7 +23050,7 @@ index 9e39aa5..83dbd34 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..b963935 100644
+index 6480167..e12bbc0 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -23301,7 +23607,7 @@ index 6480167..b963935 100644
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
- type httpd_initrc_exec_t;
-+ type httpd_unit_t;
++ type httpd_unit_file_t;
')
- allow $1 httpd_t:process { getattr ptrace signal_perms };
@@ -23341,7 +23647,7 @@ index 6480167..b963935 100644
admin_pattern($1, httpd_php_tmp_t)
admin_pattern($1, httpd_suexec_tmp_t)
+
-+ allow $1 httpd_unit_t:service all_service_perms;
++ allow $1 httpd_unit_file_t:service all_service_perms;
+
+ ifdef(`TODO',`
+ apache_set_booleans($1, $2, $3, httpd_bool_t)
@@ -23398,7 +23704,7 @@ index 6480167..b963935 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..fddb752 100644
+index 3136c6a..8596b90 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -23666,8 +23972,8 @@ index 3136c6a..fddb752 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
-+type httpd_unit_t;
-+systemd_unit_file(httpd_unit_t)
++type httpd_unit_file_t;
++systemd_unit_file(httpd_unit_file_t)
+
type httpd_lock_t;
files_lock_file(httpd_lock_t)
@@ -24673,7 +24979,7 @@ index 8b8143e..c1a2b96 100644
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..987245c 100644
+index b3b0176..8e66610 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -19,10 +19,11 @@ type asterisk_log_t;
@@ -24713,7 +25019,7 @@ index b3b0176..987245c 100644
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,6 +110,9 @@ corenet_tcp_bind_generic_port(asterisk_t)
+@@ -108,14 +110,19 @@ corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
@@ -24723,7 +25029,9 @@ index b3b0176..987245c 100644
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
-@@ -116,6 +121,7 @@ dev_rw_generic_usb_dev(asterisk_t)
++corenet_tcp_connect_jabber_client_port(asterisk_t)
+
+ dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
@@ -24731,7 +25039,7 @@ index b3b0176..987245c 100644
dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-@@ -125,6 +131,7 @@ files_search_spool(asterisk_t)
+@@ -125,6 +132,7 @@ files_search_spool(asterisk_t)
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
files_read_usr_files(asterisk_t)
@@ -24739,7 +25047,7 @@ index b3b0176..987245c 100644
fs_getattr_all_fs(asterisk_t)
fs_list_inotifyfs(asterisk_t)
-@@ -141,6 +148,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -141,6 +149,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
@@ -24877,11 +25185,55 @@ index a7a0e71..5352ef6 100644
seutil_sigchld_newrole(avahi_t)
')
+diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
+index 59aa54f..f944a65 100644
+--- a/policy/modules/services/bind.fc
++++ b/policy/modules/services/bind.fc
+@@ -5,6 +5,8 @@
+ /etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+ /etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+
++/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
++
+ /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
+ /usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
+ /usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
-index 44a1e3d..7e9d2fb 100644
+index 44a1e3d..f5c476a 100644
--- a/policy/modules/services/bind.if
+++ b/policy/modules/services/bind.if
-@@ -186,7 +186,7 @@ interface(`bind_write_config',`
+@@ -20,6 +20,30 @@ interface(`bind_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute bind server in the bind domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`bind_systemctl',`
++ gen_require(`
++ type named_unit_file_t;
++ type named_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 named_unit_file_t:file read_file_perms;
++ allow $1 named_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, named_t)
++')
++
++########################################
++## <summary>
+ ## Execute ndc in the ndc domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -186,7 +210,7 @@ interface(`bind_write_config',`
')
write_files_pattern($1, named_conf_t, named_conf_t)
@@ -24890,7 +25242,7 @@ index 44a1e3d..7e9d2fb 100644
')
########################################
-@@ -266,7 +266,7 @@ interface(`bind_setattr_pid_dirs',`
+@@ -266,7 +290,7 @@ interface(`bind_setattr_pid_dirs',`
type named_var_run_t;
')
@@ -24899,7 +25251,7 @@ index 44a1e3d..7e9d2fb 100644
')
########################################
-@@ -284,7 +284,7 @@ interface(`bind_setattr_zone_dirs',`
+@@ -284,7 +308,7 @@ interface(`bind_setattr_zone_dirs',`
type named_zone_t;
')
@@ -24908,7 +25260,7 @@ index 44a1e3d..7e9d2fb 100644
')
########################################
-@@ -308,6 +308,27 @@ interface(`bind_read_zone',`
+@@ -308,6 +332,27 @@ interface(`bind_read_zone',`
########################################
## <summary>
@@ -24936,7 +25288,7 @@ index 44a1e3d..7e9d2fb 100644
## Manage BIND zone files.
## </summary>
## <param name="domain">
-@@ -359,10 +380,9 @@ interface(`bind_udp_chat_named',`
+@@ -359,10 +404,9 @@ interface(`bind_udp_chat_named',`
interface(`bind_admin',`
gen_require(`
type named_t, named_tmp_t, named_log_t;
@@ -24950,7 +25302,7 @@ index 44a1e3d..7e9d2fb 100644
')
allow $1 named_t:process { ptrace signal_perms };
-@@ -391,8 +411,7 @@ interface(`bind_admin',`
+@@ -391,9 +435,10 @@ interface(`bind_admin',`
admin_pattern($1, named_zone_t)
admin_pattern($1, dnssec_t)
@@ -24960,8 +25312,11 @@ index 44a1e3d..7e9d2fb 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
++
++ named_systemctl($1)
+ ')
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..5f387b2 100644
+index 4deca04..8d81308 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
@@ -25002,7 +25357,17 @@ index 4deca04..5f387b2 100644
files_mountpoint(named_conf_t)
# for secondary zone files
-@@ -89,9 +97,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -37,6 +45,9 @@ files_type(named_cache_t)
+ type named_initrc_exec_t;
+ init_script_file(named_initrc_exec_t)
+
++type named_unit_file_t;
++systemd_unit_file(named_unit_file_t)
++
+ type named_log_t;
+ logging_log_file(named_log_t)
+
+@@ -89,9 +100,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -25014,7 +25379,7 @@ index 4deca04..5f387b2 100644
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
-@@ -147,6 +156,10 @@ miscfiles_read_generic_certs(named_t)
+@@ -147,6 +159,10 @@ miscfiles_read_generic_certs(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
@@ -25025,7 +25390,7 @@ index 4deca04..5f387b2 100644
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -198,18 +211,18 @@ allow ndc_t self:process { fork signal_perms };
+@@ -198,18 +214,18 @@ allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { connect create_stream_socket_perms };
allow ndc_t self:tcp_socket create_socket_perms;
@@ -25047,7 +25412,7 @@ index 4deca04..5f387b2 100644
kernel_read_kernel_sysctls(ndc_t)
corenet_all_recvfrom_unlabeled(ndc_t)
-@@ -228,6 +241,8 @@ files_search_pids(ndc_t)
+@@ -228,6 +244,8 @@ files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t)
@@ -25056,7 +25421,7 @@ index 4deca04..5f387b2 100644
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
-@@ -235,24 +250,13 @@ logging_send_syslog_msg(ndc_t)
+@@ -235,24 +253,13 @@ logging_send_syslog_msg(ndc_t)
miscfiles_read_localization(ndc_t)
@@ -26961,14 +27326,14 @@ index dad226c..7617c53 100644
miscfiles_read_localization(cgred_t)
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
-index fd8cd0b..3d61138 100644
+index fd8cd0b..45096d8 100644
--- a/policy/modules/services/chronyd.fc
+++ b/policy/modules/services/chronyd.fc
@@ -2,8 +2,12 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
-+/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0)
++/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
@@ -26978,7 +27343,7 @@ index fd8cd0b..3d61138 100644
+/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0)
+/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0)
diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if
-index 9a0da94..5383054 100644
+index 9a0da94..fecceac 100644
--- a/policy/modules/services/chronyd.if
+++ b/policy/modules/services/chronyd.if
@@ -19,6 +19,24 @@ interface(`chronyd_domtrans',`
@@ -27081,13 +27446,13 @@ index 9a0da94..5383054 100644
+interface(`chronyd_systemctl',`
+ gen_require(`
+ type chronyd_t;
-+ type chronyd_unit_t;
++ type chronyd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
-+ allow $1 chronyd_unit_t:file read_file_perms;
-+ allow $1 chronyd_unit_t:service all_service_perms;
++ allow $1 chronyd_unit_file_t:file read_file_perms;
++ allow $1 chronyd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, chronyd_t)
+')
@@ -27173,7 +27538,7 @@ index 9a0da94..5383054 100644
+ chronyd_systemctl($1)
')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..4b32348 100644
+index fa82327..1a486b0 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
@@ -27183,8 +27548,8 @@ index fa82327..4b32348 100644
+type chronyd_tmpfs_t;
+files_tmpfs_file(chronyd_tmpfs_t)
+
-+type chronyd_unit_t;
-+systemd_unit_file(chronyd_unit_t)
++type chronyd_unit_file_t;
++systemd_unit_file(chronyd_unit_file_t)
+
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
@@ -27807,7 +28172,7 @@ index 116d60f..82306eb 100644
+ ')
')
diff --git a/policy/modules/services/cobbler.te b/policy/modules/services/cobbler.te
-index 0258b48..8535cc6 100644
+index 0258b48..2607914 100644
--- a/policy/modules/services/cobbler.te
+++ b/policy/modules/services/cobbler.te
@@ -6,13 +6,35 @@ policy_module(cobbler, 1.1.0)
@@ -27907,7 +28272,7 @@ index 0258b48..8535cc6 100644
corecmd_exec_bin(cobblerd_t)
corecmd_exec_shell(cobblerd_t)
-@@ -65,26 +107,77 @@ corenet_tcp_bind_generic_node(cobblerd_t)
+@@ -65,44 +107,110 @@ corenet_tcp_bind_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_if(cobblerd_t)
corenet_tcp_sendrecv_generic_node(cobblerd_t)
corenet_tcp_sendrecv_generic_port(cobblerd_t)
@@ -27987,7 +28352,11 @@ index 0258b48..8535cc6 100644
optional_policy(`
bind_read_config(cobblerd_t)
bind_write_config(cobblerd_t)
-@@ -95,6 +188,10 @@ optional_policy(`
+ bind_domtrans_ndc(cobblerd_t)
+ bind_domtrans(cobblerd_t)
+ bind_initrc_domtrans(cobblerd_t)
++ bind_systemctl(cobblerd_t)
+ bind_manage_zone(cobblerd_t)
')
optional_policy(`
@@ -27997,20 +28366,26 @@ index 0258b48..8535cc6 100644
+optional_policy(`
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
- ')
-@@ -106,16 +203,32 @@ optional_policy(`
++ dhcpd_systemctl(cobblerd_t)
')
optional_policy(`
-+ gnome_dontaudit_search_config(cobblerd_t)
+ dnsmasq_domtrans(cobblerd_t)
+ dnsmasq_initrc_domtrans(cobblerd_t)
+ dnsmasq_write_config(cobblerd_t)
++ dnsmasq_systemctl(cobblerd_t)
+')
+
+optional_policy(`
-+ puppet_domtrans_puppetca(cobblerd_t)
++ gnome_dontaudit_search_config(cobblerd_t)
+')
+
+optional_policy(`
- rpm_exec(cobblerd_t)
++ puppet_domtrans_puppetca(cobblerd_t)
+ ')
+
+ optional_policy(`
+@@ -110,12 +218,20 @@ optional_policy(`
')
optional_policy(`
@@ -28034,7 +28409,7 @@ index 0258b48..8535cc6 100644
')
########################################
-@@ -124,5 +237,6 @@ optional_policy(`
+@@ -124,5 +240,6 @@ optional_policy(`
#
apache_content_template(cobbler)
@@ -28888,10 +29263,18 @@ index 13d2f63..861fad7 100644
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..34ab5ce 100644
+index 2eefc08..b0cdf28 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
-@@ -14,9 +14,10 @@
+@@ -2,6 +2,7 @@
+
+ /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+
+ /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+ /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+@@ -14,9 +15,10 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -28903,14 +29286,14 @@ index 2eefc08..34ab5ce 100644
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
-@@ -45,3 +46,5 @@ ifdef(`distro_suse', `
+@@ -45,3 +47,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..92acfae 100644
+index 35241ed..d972767 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -12,6 +12,11 @@
@@ -29125,7 +29508,38 @@ index 35241ed..92acfae 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -377,6 +386,47 @@ interface(`cron_read_pipes',`
+@@ -322,6 +331,30 @@ interface(`cron_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute crond server in the crond domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cron_systemctl',`
++ gen_require(`
++ type crond_unit_file_t;
++ type crond_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 crond_unit_file_t:file read_file_perms;
++ allow $1 crond_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, crond_t)
++')
++
++########################################
++## <summary>
+ ## Inherit and use a file descriptor
+ ## from the cron daemon.
+ ## </summary>
+@@ -377,6 +410,47 @@ interface(`cron_read_pipes',`
########################################
## <summary>
@@ -29173,7 +29587,7 @@ index 35241ed..92acfae 100644
## Do not audit attempts to write cron daemon unnamed pipes.
## </summary>
## <param name="domain">
-@@ -390,6 +440,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +464,7 @@ interface(`cron_dontaudit_write_pipes',`
type crond_t;
')
@@ -29181,7 +29595,7 @@ index 35241ed..92acfae 100644
dontaudit $1 crond_t:fifo_file write;
')
-@@ -408,7 +459,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +483,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
@@ -29226,7 +29640,7 @@ index 35241ed..92acfae 100644
')
########################################
-@@ -468,6 +555,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +579,25 @@ interface(`cron_search_spool',`
########################################
## <summary>
@@ -29252,7 +29666,7 @@ index 35241ed..92acfae 100644
## Manage pid files used by cron
## </summary>
## <param name="domain">
-@@ -481,6 +587,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +611,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
@@ -29260,7 +29674,7 @@ index 35241ed..92acfae 100644
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
-@@ -536,7 +643,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +667,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
@@ -29269,7 +29683,7 @@ index 35241ed..92acfae 100644
')
########################################
-@@ -554,7 +661,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +685,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
@@ -29278,7 +29692,7 @@ index 35241ed..92acfae 100644
')
########################################
-@@ -587,11 +694,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +718,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -29294,7 +29708,7 @@ index 35241ed..92acfae 100644
')
########################################
-@@ -627,7 +737,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +761,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -29343,7 +29757,7 @@ index 35241ed..92acfae 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..ee001c7 100644
+index f7583ab..86ea0ba 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -29390,8 +29804,13 @@ index f7583ab..ee001c7 100644
# var/log files
type cron_log_t;
-@@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t)
+@@ -61,11 +61,17 @@ domain_cron_exemption_source(crond_t)
+ type crond_initrc_exec_t;
+ init_script_file(crond_initrc_exec_t)
++type crond_unit_file_t;
++systemd_unit_file(crond_unit_file_t)
++
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
+files_poly_parent(crond_tmp_t)
@@ -29403,7 +29822,7 @@ index f7583ab..ee001c7 100644
type crontab_exec_t;
application_executable_file(crontab_exec_t)
-@@ -79,14 +82,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+@@ -79,14 +85,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@@ -29421,7 +29840,7 @@ index f7583ab..ee001c7 100644
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
-@@ -94,10 +99,6 @@ files_lock_file(system_cronjob_lock_t)
+@@ -94,10 +102,6 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
@@ -29432,7 +29851,7 @@ index f7583ab..ee001c7 100644
type unconfined_cronjob_t;
domain_type(unconfined_cronjob_t)
domain_cron_exemption_target(unconfined_cronjob_t)
-@@ -106,8 +107,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
+@@ -106,8 +110,20 @@ domain_cron_exemption_target(unconfined_cronjob_t)
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
@@ -29454,7 +29873,7 @@ index f7583ab..ee001c7 100644
########################################
#
-@@ -115,7 +128,7 @@ ubac_constrained(user_cron_spool_t)
+@@ -115,7 +131,7 @@ ubac_constrained(user_cron_spool_t)
#
# Allow our crontab domain to unlink a user cron spool file.
@@ -29463,7 +29882,7 @@ index f7583ab..ee001c7 100644
# Manipulate other users crontab.
selinux_get_fs_mount(admin_crontab_t)
-@@ -125,7 +138,7 @@ selinux_compute_create_context(admin_crontab_t)
+@@ -125,7 +141,7 @@ selinux_compute_create_context(admin_crontab_t)
selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
@@ -29472,7 +29891,7 @@ index f7583ab..ee001c7 100644
# fcron wants an instant update of a crontab change for the administrator
# also crontab does a security check for crontab -u
allow admin_crontab_t self:process setfscreate;
-@@ -136,9 +149,9 @@ tunable_policy(`fcron_crond', `
+@@ -136,9 +152,9 @@ tunable_policy(`fcron_crond', `
# Cron daemon local policy
#
@@ -29484,7 +29903,7 @@ index f7583ab..ee001c7 100644
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -187,12 +200,16 @@ fs_list_inotifyfs(crond_t)
+@@ -187,12 +203,16 @@ fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -29501,7 +29920,7 @@ index f7583ab..ee001c7 100644
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -203,11 +220,17 @@ files_list_usr(crond_t)
+@@ -203,11 +223,17 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
@@ -29519,7 +29938,7 @@ index f7583ab..ee001c7 100644
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
-@@ -220,8 +243,11 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +246,11 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -29531,7 +29950,7 @@ index f7583ab..ee001c7 100644
ifdef(`distro_debian',`
# pam_limits is used
-@@ -233,7 +259,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +262,7 @@ ifdef(`distro_debian',`
')
')
@@ -29540,7 +29959,7 @@ index f7583ab..ee001c7 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -250,11 +276,30 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +279,30 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -29571,7 +29990,7 @@ index f7583ab..ee001c7 100644
amanda_search_var_lib(crond_t)
')
-@@ -264,6 +309,8 @@ optional_policy(`
+@@ -264,6 +312,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -29580,7 +29999,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -286,15 +333,26 @@ optional_policy(`
+@@ -286,15 +336,26 @@ optional_policy(`
')
optional_policy(`
@@ -29607,7 +30026,7 @@ index f7583ab..ee001c7 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +364,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +367,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -29628,7 +30047,7 @@ index f7583ab..ee001c7 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -329,6 +396,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +399,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -29636,7 +30055,7 @@ index f7583ab..ee001c7 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +408,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +411,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -29651,7 +30070,7 @@ index f7583ab..ee001c7 100644
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +437,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +440,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -29659,7 +30078,7 @@ index f7583ab..ee001c7 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +464,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +467,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -29667,7 +30086,7 @@ index f7583ab..ee001c7 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -413,8 +487,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +490,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -29679,7 +30098,7 @@ index f7583ab..ee001c7 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -439,6 +515,8 @@ optional_policy(`
+@@ -439,6 +518,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -29688,7 +30107,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -446,6 +524,14 @@ optional_policy(`
+@@ -446,6 +527,14 @@ optional_policy(`
')
optional_policy(`
@@ -29703,7 +30122,7 @@ index f7583ab..ee001c7 100644
ftp_read_log(system_cronjob_t)
')
-@@ -456,15 +542,24 @@ optional_policy(`
+@@ -456,15 +545,24 @@ optional_policy(`
')
optional_policy(`
@@ -29728,7 +30147,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -480,7 +575,7 @@ optional_policy(`
+@@ -480,7 +578,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -29737,7 +30156,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -495,6 +590,7 @@ optional_policy(`
+@@ -495,6 +593,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -29745,7 +30164,7 @@ index f7583ab..ee001c7 100644
')
optional_policy(`
-@@ -502,7 +598,13 @@ optional_policy(`
+@@ -502,7 +601,13 @@ optional_policy(`
')
optional_policy(`
@@ -29759,7 +30178,7 @@ index f7583ab..ee001c7 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +697,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +700,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -30061,10 +30480,10 @@ index 0000000..1c3a90b
+
diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
new file mode 100644
-index 0000000..e6042d9
+index 0000000..5a15b82
--- /dev/null
+++ b/policy/modules/services/ctdbd.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,114 @@
+policy_module(ctdbd, 1.0.0)
+
+########################################
@@ -30173,6 +30592,7 @@ index 0000000..e6042d9
+ samba_initrc_domtrans(ctdbd_t)
+ samba_domtrans_net(ctdbd_t)
+ samba_rw_var_files(ctdbd_t)
++ samba_systemctl(ctdbd_t)
+')
+
+optional_policy(`
@@ -30981,7 +31401,7 @@ index 1a1becd..d4357ec 100644
')
+
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..fbfc5db 100644
+index 1bff6ee..9540fee 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -31043,7 +31463,7 @@ index 1bff6ee..fbfc5db 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -141,6 +148,19 @@ optional_policy(`
+@@ -141,6 +148,20 @@ optional_policy(`
')
optional_policy(`
@@ -31057,13 +31477,14 @@ index 1bff6ee..fbfc5db 100644
+
+optional_policy(`
+ networkmanager_initrc_domtrans(system_dbusd_t)
++ networkmanager_systemctl(system_dbusd_t)
+')
+
+optional_policy(`
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +171,166 @@ optional_policy(`
+@@ -151,12 +172,166 @@ optional_policy(`
')
optional_policy(`
@@ -31719,7 +32140,7 @@ index f706b99..13d3a35 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..544ab05 100644
+index f231f17..c5244c8 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -31870,7 +32291,7 @@ index f231f17..544ab05 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,6 +273,10 @@ optional_policy(`
+@@ -235,7 +273,12 @@ optional_policy(`
')
optional_policy(`
@@ -31879,9 +32300,11 @@ index f231f17..544ab05 100644
+
+optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
++ cron_systemctl(devicekit_power_t)
')
-@@ -261,14 +303,21 @@ optional_policy(`
+ optional_policy(`
+@@ -261,14 +304,21 @@ optional_policy(`
')
optional_policy(`
@@ -31904,7 +32327,7 @@ index f231f17..544ab05 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +325,30 @@ optional_policy(`
+@@ -276,9 +326,30 @@ optional_policy(`
')
optional_policy(`
@@ -31936,12 +32359,14 @@ index f231f17..544ab05 100644
+ xserver_stream_connect(devicekit_power_t)
+')
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
-index 767e0c7..7956248 100644
+index 767e0c7..4fbde9d 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
-@@ -1,8 +1,8 @@
+@@ -1,8 +1,10 @@
-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
++
++/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
@@ -31951,7 +32376,7 @@ index 767e0c7..7956248 100644
-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
diff --git a/policy/modules/services/dhcp.if b/policy/modules/services/dhcp.if
-index 5e2cea8..7e129ff 100644
+index 5e2cea8..7a18800 100644
--- a/policy/modules/services/dhcp.if
+++ b/policy/modules/services/dhcp.if
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
@@ -31963,7 +32388,38 @@ index 5e2cea8..7e129ff 100644
')
########################################
-@@ -77,7 +77,7 @@ interface(`dhcpd_initrc_domtrans',`
+@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute dhcpd server in the dhcpd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dhcpd_systemctl',`
++ gen_require(`
++ type dhcpd_unit_file_t;
++ type dhcpd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 dhcpd_unit_file_t:file read_file_perms;
++ allow $1 dhcpd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, dhcpd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an dhcp environment
+ ## </summary>
+@@ -77,7 +101,7 @@ interface(`dhcpd_initrc_domtrans',`
#
interface(`dhcpd_admin',`
gen_require(`
@@ -31972,11 +32428,28 @@ index 5e2cea8..7e129ff 100644
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
')
+@@ -96,4 +120,6 @@ interface(`dhcpd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, dhcpd_var_run_t)
++
++ dhcpd_systemctl($1)
+ ')
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
-index d4424ad..a809e38 100644
+index d4424ad..f90959a 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
-@@ -26,9 +26,9 @@ files_pid_file(dhcpd_var_run_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
+ type dhcpd_initrc_exec_t;
+ init_script_file(dhcpd_initrc_exec_t)
+
++type dhcpd_unit_file_t;
++systemd_unit_file(dhcpd_unit_file_t)
++
+ type dhcpd_state_t;
+ files_type(dhcpd_state_t)
+
+@@ -26,9 +29,9 @@ files_pid_file(dhcpd_var_run_t)
# Local policy
#
@@ -31988,7 +32461,7 @@ index d4424ad..a809e38 100644
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
-@@ -73,6 +73,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
+@@ -73,6 +76,8 @@ corenet_tcp_connect_all_ports(dhcpd_t)
corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_sendrecv_all_client_packets(dhcpd_t)
@@ -31997,7 +32470,7 @@ index d4424ad..a809e38 100644
dev_read_sysfs(dhcpd_t)
dev_read_rand(dhcpd_t)
-@@ -111,6 +113,10 @@ optional_policy(`
+@@ -111,6 +116,10 @@ optional_policy(`
')
optional_policy(`
@@ -32806,10 +33279,17 @@ index dc1056c..bd60100 100644
+
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
-index b886676..ad3210e 100644
+index b886676..ab3af9c 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
-@@ -6,7 +6,7 @@
+@@ -1,12 +1,14 @@
+ /etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
+ /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+
++/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
++
+ /usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)
@@ -32819,10 +33299,41 @@ index b886676..ad3210e 100644
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff --git a/policy/modules/services/dnsmasq.if b/policy/modules/services/dnsmasq.if
-index 9bd812b..2385a2c 100644
+index 9bd812b..f3c2d82 100644
--- a/policy/modules/services/dnsmasq.if
+++ b/policy/modules/services/dnsmasq.if
-@@ -101,9 +101,9 @@ interface(`dnsmasq_kill',`
+@@ -41,6 +41,30 @@ interface(`dnsmasq_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute dnsmasq server in the dnsmasq domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`dnsmasq_systemctl',`
++ gen_require(`
++ type dnsmasq_unit_file_t;
++ type dnsmasq_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 dnsmasq_unit_file_t:file read_file_perms;
++ allow $1 dnsmasq_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, dnsmasq_t)
++')
++
++########################################
++## <summary>
+ ## Send dnsmasq a signal
+ ## </summary>
+ ## <param name="domain">
+@@ -101,9 +125,9 @@ interface(`dnsmasq_kill',`
## Read dnsmasq config files.
## </summary>
## <param name="domain">
@@ -32834,7 +33345,7 @@ index 9bd812b..2385a2c 100644
## </param>
#
interface(`dnsmasq_read_config',`
-@@ -120,9 +120,9 @@ interface(`dnsmasq_read_config',`
+@@ -120,9 +144,9 @@ interface(`dnsmasq_read_config',`
## Write to dnsmasq config files.
## </summary>
## <param name="domain">
@@ -32846,7 +33357,7 @@ index 9bd812b..2385a2c 100644
## </param>
#
interface(`dnsmasq_write_config',`
-@@ -144,12 +144,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,12 +168,12 @@ interface(`dnsmasq_write_config',`
## </summary>
## </param>
#
@@ -32860,7 +33371,7 @@ index 9bd812b..2385a2c 100644
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
')
-@@ -163,17 +163,80 @@ interface(`dnsmasq_delete_pid_files',`
+@@ -163,17 +187,80 @@ interface(`dnsmasq_delete_pid_files',`
## </summary>
## </param>
#
@@ -32942,11 +33453,28 @@ index 9bd812b..2385a2c 100644
## All of the rules required to administrate
## an dnsmasq environment
## </summary>
+@@ -208,4 +295,6 @@ interface(`dnsmasq_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, dnsmasq_var_run_t)
++
++ dnsmasq_systemctl($1)
+ ')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..06021d4 100644
+index fdaeeba..8542225 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
-@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
+ type dnsmasq_var_run_t;
+ files_pid_file(dnsmasq_var_run_t)
+
++type dnsmasq_unit_file_t;
++systemd_unit_file(dnsmasq_unit_file_t)
++
+ ########################################
+ #
+ # Local policy
+@@ -48,11 +51,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
@@ -32961,7 +33489,7 @@ index fdaeeba..06021d4 100644
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
-@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
+@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
@@ -32970,7 +33498,7 @@ index fdaeeba..06021d4 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +100,20 @@ optional_policy(`
+@@ -96,7 +103,20 @@ optional_policy(`
')
optional_policy(`
@@ -32991,7 +33519,7 @@ index fdaeeba..06021d4 100644
')
optional_policy(`
-@@ -114,4 +131,5 @@ optional_policy(`
+@@ -114,4 +134,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
@@ -34805,19 +35333,29 @@ index 7df52c7..899feaf 100644
+ policykit_dbus_chat_auth(fprintd_t)
')
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
-index 69dcd2a..a9a9116 100644
+index 69dcd2a..80eefd3 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
-@@ -29,3 +29,4 @@
+@@ -6,6 +6,9 @@
+ /etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+
++/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+@@ -29,3 +32,4 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
+/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
-index 9d3201b..748cac5 100644
+index 9d3201b..a8ad41e 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
-@@ -1,5 +1,43 @@
+@@ -1,5 +1,67 @@
## <summary>File transfer protocol service</summary>
+######################################
@@ -34858,11 +35396,42 @@ index 9d3201b..748cac5 100644
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
+')
+
++########################################
++## <summary>
++## Execute ftpd server in the ftpd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ftp_systemctl',`
++ gen_require(`
++ type ftpd_unit_file_t;
++ type ftpd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 ftpd_unit_file_t:file read_file_perms;
++ allow $1 ftpd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, ftpd_t)
++')
++
#######################################
## <summary>
## Allow domain dyntransition to sftpd_anon domain.
+@@ -203,4 +265,6 @@ interface(`ftp_admin',`
+
+ logging_list_logs($1)
+ admin_pattern($1, xferlog_t)
++
++ ftp_systemctl($1)
+ ')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..3283e90 100644
+index 8a74a83..9a1355e 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -34894,7 +35463,17 @@ index 8a74a83..3283e90 100644
type anon_sftpd_t;
typealias anon_sftpd_t alias sftpd_anon_t;
domain_type(anon_sftpd_t)
-@@ -115,6 +130,10 @@ ifdef(`enable_mcs',`
+@@ -85,6 +100,9 @@ files_config_file(ftpd_etc_t)
+ type ftpd_initrc_exec_t;
+ init_script_file(ftpd_initrc_exec_t)
+
++type ftpd_unit_file_t;
++systemd_unit_file(ftpd_unit_file_t)
++
+ type ftpd_lock_t;
+ files_lock_file(ftpd_lock_t)
+
+@@ -115,6 +133,10 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
')
@@ -34905,7 +35484,7 @@ index 8a74a83..3283e90 100644
########################################
#
# anon-sftp local policy
-@@ -122,6 +141,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +144,7 @@ ifdef(`enable_mcs',`
files_read_etc_files(anon_sftpd_t)
@@ -34913,7 +35492,7 @@ index 8a74a83..3283e90 100644
miscfiles_read_public_files(anon_sftpd_t)
tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +153,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +156,7 @@ tunable_policy(`sftpd_anon_write',`
# ftpd local policy
#
@@ -34922,7 +35501,7 @@ index 8a74a83..3283e90 100644
dontaudit ftpd_t self:capability sys_tty_config;
allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +171,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +174,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -34930,7 +35509,7 @@ index 8a74a83..3283e90 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +182,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +185,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -34946,7 +35525,7 @@ index 8a74a83..3283e90 100644
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -219,6 +238,7 @@ auth_append_login_records(ftpd_t)
+@@ -219,6 +241,7 @@ auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
auth_write_login_records(ftpd_t)
auth_rw_faillog(ftpd_t)
@@ -34954,7 +35533,7 @@ index 8a74a83..3283e90 100644
init_rw_utmp(ftpd_t)
-@@ -261,7 +281,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +284,7 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
tunable_policy(`allow_ftpd_full_access',`
allow ftpd_t self:capability { dac_override dac_read_search };
@@ -34963,7 +35542,7 @@ index 8a74a83..3283e90 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -270,10 +290,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +293,13 @@ tunable_policy(`ftp_home_dir',`
# allow access to /home
files_list_home(ftpd_t)
userdom_read_user_home_content_files(ftpd_t)
@@ -34981,7 +35560,7 @@ index 8a74a83..3283e90 100644
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +332,10 @@ optional_policy(`
+@@ -309,6 +335,10 @@ optional_policy(`
')
optional_policy(`
@@ -34992,7 +35571,7 @@ index 8a74a83..3283e90 100644
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +343,25 @@ optional_policy(`
+@@ -316,6 +346,25 @@ optional_policy(`
')
optional_policy(`
@@ -35018,7 +35597,7 @@ index 8a74a83..3283e90 100644
inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
optional_policy(`
-@@ -347,16 +393,17 @@ optional_policy(`
+@@ -347,16 +396,17 @@ optional_policy(`
# Allow ftpdctl to talk to ftpd over a socket connection
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -35038,7 +35617,7 @@ index 8a74a83..3283e90 100644
########################################
#
-@@ -365,18 +412,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +415,33 @@ userdom_use_user_terminals(ftpdctl_t)
files_read_etc_files(sftpd_t)
@@ -35075,7 +35654,7 @@ index 8a74a83..3283e90 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,7 +456,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,7 +459,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -38636,29 +39215,31 @@ index 0000000..4aac893
+
+sysnet_dns_name_resolve(l2tpd_t)
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..92f3475 100644
+index c62f23e..f8a4301 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
-@@ -1,6 +1,8 @@
+@@ -1,6 +1,10 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
+
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++
++/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-@@ -15,3 +17,4 @@ ifdef(`distro_debian',`
+@@ -15,3 +19,4 @@ ifdef(`distro_debian',`
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
-index 3aa8fa7..8fa74c3 100644
+index 3aa8fa7..2a407cd 100644
--- a/policy/modules/services/ldap.if
+++ b/policy/modules/services/ldap.if
-@@ -1,5 +1,41 @@
+@@ -1,5 +1,65 @@
## <summary>OpenLDAP directory server</summary>
+#######################################
@@ -38697,10 +39278,34 @@ index 3aa8fa7..8fa74c3 100644
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
+')
+
++########################################
++## <summary>
++## Execute slapd server in the slapd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ldap_systemctl',`
++ gen_require(`
++ type slapd_unit_file_t;
++ type slapd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 slapd_unit_file_t:file read_file_perms;
++ allow $1 slapd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, slapd_t)
++')
++
########################################
## <summary>
## Read the contents of the OpenLDAP
-@@ -21,6 +57,25 @@ interface(`ldap_list_db',`
+@@ -21,6 +81,25 @@ interface(`ldap_list_db',`
########################################
## <summary>
@@ -38726,7 +39331,7 @@ index 3aa8fa7..8fa74c3 100644
## Read the OpenLDAP configuration files.
## </summary>
## <param name="domain">
-@@ -69,8 +124,7 @@ interface(`ldap_stream_connect',`
+@@ -69,8 +148,7 @@ interface(`ldap_stream_connect',`
')
files_search_pids($1)
@@ -38736,7 +39341,7 @@ index 3aa8fa7..8fa74c3 100644
')
########################################
-@@ -110,6 +164,7 @@ interface(`ldap_admin',`
+@@ -110,6 +188,7 @@ interface(`ldap_admin',`
admin_pattern($1, slapd_lock_t)
@@ -38744,8 +39349,15 @@ index 3aa8fa7..8fa74c3 100644
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
+@@ -117,4 +196,6 @@ interface(`ldap_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, slapd_var_run_t)
++
++ ldap_systemctl($1)
+ ')
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
-index 64fd1ff..10c2d54 100644
+index 64fd1ff..211180e 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -38757,7 +39369,16 @@ index 64fd1ff..10c2d54 100644
type slapd_db_t;
files_type(slapd_db_t)
-@@ -27,9 +27,15 @@ files_lock_file(slapd_lock_t)
+@@ -21,15 +21,24 @@ files_config_file(slapd_etc_t)
+ type slapd_initrc_exec_t;
+ init_script_file(slapd_initrc_exec_t)
+
++type slapd_unit_file_t;
++systemd_unit_file(slapd_unit_file_t)
++
+ type slapd_lock_t;
+ files_lock_file(slapd_lock_t)
+
type slapd_replog_t;
files_type(slapd_replog_t)
@@ -38773,7 +39394,7 @@ index 64fd1ff..10c2d54 100644
type slapd_var_run_t;
files_pid_file(slapd_var_run_t)
-@@ -67,13 +73,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
+@@ -67,13 +76,21 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
@@ -38844,7 +39465,7 @@ index 49e04e5..69db026 100644
/usr/sbin/lircd -- gen_context(system_u:object_r:lircd_exec_t,s0)
diff --git a/policy/modules/services/lircd.te b/policy/modules/services/lircd.te
-index 6a78de1..a32fbe8 100644
+index 6a78de1..8db7d14 100644
--- a/policy/modules/services/lircd.te
+++ b/policy/modules/services/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -38864,12 +39485,12 @@ index 6a78de1..a32fbe8 100644
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:unix_dgram_socket create_socket_perms;
allow lircd_t self:tcp_socket create_stream_socket_perms;
-@@ -44,13 +45,14 @@ corenet_tcp_bind_lirc_port(lircd_t)
+@@ -44,18 +45,20 @@ corenet_tcp_bind_lirc_port(lircd_t)
corenet_tcp_sendrecv_all_ports(lircd_t)
corenet_tcp_connect_lirc_port(lircd_t)
-dev_read_generic_usb_dev(lircd_t)
-+dev_rw_generic_usb_dev(lircd_t)
++dev_rw_generic_usb_dev(lircd_t) # this needs to be reproduced. might not be right
dev_read_mouse(lircd_t)
dev_filetrans_lirc(lircd_t)
dev_rw_lirc(lircd_t)
@@ -38881,6 +39502,12 @@ index 6a78de1..a32fbe8 100644
files_list_var(lircd_t)
files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
+
+ term_use_ptmx(lircd_t)
++term_use_usb_ttys(lircd_t)
+
+ logging_send_syslog_msg(lircd_t)
+
diff --git a/policy/modules/services/lldpad.fc b/policy/modules/services/lldpad.fc
new file mode 100644
index 0000000..83a4348
@@ -42691,10 +43318,10 @@ index 74da57f..b94bb3b 100644
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..984eefc 100644
+index 386543b..47e1b41 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
-@@ -1,6 +1,13 @@
+@@ -1,6 +1,15 @@
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -42706,10 +43333,12 @@ index 386543b..984eefc 100644
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
++
++/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-@@ -16,7 +23,8 @@
+@@ -16,7 +25,8 @@
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
@@ -42720,7 +43349,7 @@ index 386543b..984eefc 100644
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
-index 2324d9e..eebf5a7 100644
+index 2324d9e..ac2e779 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -43,9 +43,9 @@ interface(`networkmanager_rw_packet_sockets',`
@@ -42736,7 +43365,38 @@ index 2324d9e..eebf5a7 100644
## </param>
#
interface(`networkmanager_attach_tun_iface',`
-@@ -137,6 +137,28 @@ interface(`networkmanager_dbus_chat',`
+@@ -116,6 +116,30 @@ interface(`networkmanager_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute NetworkManager server in the NetworkManager domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`networkmanager_systemctl',`
++ gen_require(`
++ type NetworkManager_unit_file_t;
++ type NetworkManager_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 NetworkManager_unit_file_t:file read_file_perms;
++ allow $1 NetworkManager_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, NetworkManager_t)
++')
++
++########################################
++## <summary>
+ ## Send and receive messages from
+ ## NetworkManager over dbus.
+ ## </summary>
+@@ -137,6 +161,28 @@ interface(`networkmanager_dbus_chat',`
########################################
## <summary>
@@ -42765,7 +43425,7 @@ index 2324d9e..eebf5a7 100644
## Send a generic signal to NetworkManager
## </summary>
## <param name="domain">
-@@ -191,3 +213,77 @@ interface(`networkmanager_read_pid_files',`
+@@ -191,3 +237,77 @@ interface(`networkmanager_read_pid_files',`
files_search_pids($1)
allow $1 NetworkManager_var_run_t:file read_file_perms;
')
@@ -42844,13 +43504,16 @@ index 2324d9e..eebf5a7 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..8785eef 100644
+index 0619395..c985b07 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
-@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
type NetworkManager_initrc_exec_t;
init_script_file(NetworkManager_initrc_exec_t)
++type NetworkManager_unit_file_t;
++systemd_unit_file(NetworkManager_unit_file_t)
++
+type NetworkManager_etc_t;
+files_config_file(NetworkManager_etc_t)
+
@@ -42860,7 +43523,7 @@ index 0619395..8785eef 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -35,16 +41,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -35,16 +44,21 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -42884,7 +43547,7 @@ index 0619395..8785eef 100644
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -52,9 +63,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+@@ -52,9 +66,20 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
can_exec(NetworkManager_t, NetworkManager_exec_t)
@@ -42905,7 +43568,7 @@ index 0619395..8785eef 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -100,6 +122,7 @@ dev_read_rand(NetworkManager_t)
+@@ -100,6 +125,7 @@ dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
@@ -42913,7 +43576,7 @@ index 0619395..8785eef 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,7 +136,7 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
@@ -42922,7 +43585,7 @@ index 0619395..8785eef 100644
files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
-@@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t)
+@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)
miscfiles_read_generic_certs(NetworkManager_t)
@@ -42962,7 +43625,7 @@ index 0619395..8785eef 100644
')
optional_policy(`
-@@ -172,14 +202,21 @@ optional_policy(`
+@@ -172,14 +205,21 @@ optional_policy(`
')
optional_policy(`
@@ -42985,7 +43648,15 @@ index 0619395..8785eef 100644
')
')
-@@ -202,10 +239,25 @@ optional_policy(`
+@@ -191,6 +231,7 @@ optional_policy(`
+ dnsmasq_kill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t)
++ dnsmasq_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -202,23 +243,45 @@ optional_policy(`
')
optional_policy(`
@@ -43011,19 +43682,35 @@ index 0619395..8785eef 100644
nscd_domtrans(NetworkManager_t)
nscd_signal(NetworkManager_t)
nscd_signull(NetworkManager_t)
-@@ -219,6 +271,11 @@ optional_policy(`
+ nscd_kill(NetworkManager_t)
+ nscd_initrc_domtrans(NetworkManager_t)
++ nscd_systemctl(NetworkManager_t)
')
optional_policy(`
-+ modutils_domtrans_insmod(NetworkManager_t)
+ # Dispatcher starting and stoping ntp
+ ntp_initrc_domtrans(NetworkManager_t)
++ ntp_systemctl(NetworkManager_t)
+')
+
+optional_policy(`
++ modutils_domtrans_insmod(NetworkManager_t)
+ ')
+
+ optional_policy(`
+ openvpn_read_config(NetworkManager_t)
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -263,6 +320,7 @@ optional_policy(`
+@@ -241,6 +304,7 @@ optional_policy(`
+ ppp_signal(NetworkManager_t)
+ ppp_signull(NetworkManager_t)
+ ppp_read_config(NetworkManager_t)
++ ppp_systemctl(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -263,6 +327,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -43032,7 +43719,7 @@ index 0619395..8785eef 100644
########################################
diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
-index 15448d5..b6b42c1 100644
+index 15448d5..3587f6a 100644
--- a/policy/modules/services/nis.fc
+++ b/policy/modules/services/nis.fc
@@ -1,5 +1,5 @@
@@ -43059,12 +43746,12 @@ index 15448d5..b6b42c1 100644
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
+
-+/lib/systemd/system/ypbind\.service -- gen_context(system_u:object_r:ypbind_unit_t,s0)
-+/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
-+/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
-+/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_t,s0)
++/lib/systemd/system/ypbind\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
++/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..2de87de 100644
+index abe3f7f..9e96501 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -43132,14 +43819,14 @@ index abe3f7f..2de87de 100644
+#
+interface(`nis_systemctl_ypbind',`
+ gen_require(`
-+ type ypbind_unit_t;
++ type ypbind_unit_file_t;
+ type ypbind_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
-+ allow $1 ypbind_unit_t:file read_file_perms;
-+ allow $1 ypbind_unit_t:service all_service_perms;
++ allow $1 ypbind_unit_file_t:file read_file_perms;
++ allow $1 ypbind_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+')
@@ -43156,14 +43843,14 @@ index abe3f7f..2de87de 100644
+#
+interface(`nis_systemctl',`
+ gen_require(`
-+ type nis_unit_t;
++ type nis_unit_file_t;
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
-+ allow $1 nis_unit_t:file read_file_perms;
-+ allow $1 nis_unit_t:service all_service_perms;
++ allow $1 nis_unit_file_t:file read_file_perms;
++ allow $1 nis_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ypbind_t)
+ ps_process_pattern($1, yppasswdd_t)
@@ -43204,15 +43891,15 @@ index abe3f7f..2de87de 100644
+ nis_systemctl($1)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..dccdc78 100644
+index 4876cae..eabed96 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t)
type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)
-+type ypbind_unit_t;
-+systemd_unit_file(ypbind_unit_t)
++type ypbind_unit_file_t;
++systemd_unit_file(ypbind_unit_file_t)
+
type yppasswdd_t;
type yppasswdd_exec_t;
@@ -43230,8 +43917,8 @@ index 4876cae..dccdc78 100644
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
-+type nis_unit_t;
-+systemd_unit_file(nis_unit_t)
++type nis_unit_file_t;
++systemd_unit_file(nis_unit_file_t)
+
########################################
#
@@ -43277,7 +43964,7 @@ index 4876cae..dccdc78 100644
allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
-index 85188dc..76f26dd 100644
+index 85188dc..891d4ab 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -116,7 +116,26 @@ interface(`nscd_socket_use',`
@@ -43343,8 +44030,46 @@ index 85188dc..76f26dd 100644
#
interface(`nscd_run',`
gen_require(`
+@@ -254,6 +277,30 @@ interface(`nscd_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute nscd server in the nscd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`nscd_systemctl',`
++ gen_require(`
++ type nscd_unit_file_t;
++ type nscd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 nscd_unit_file_t:file read_file_perms;
++ allow $1 nscd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, nscd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an nscd environment
+ ## </summary>
+@@ -288,4 +335,6 @@ interface(`nscd_admin',`
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
++
++ nscd_systemctl($1)
+ ')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
-index 7936e09..6b54db7 100644
+index 7936e09..812f966 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,9 +1,16 @@
@@ -43365,7 +44090,17 @@ index 7936e09..6b54db7 100644
########################################
#
# Declarations
-@@ -30,7 +37,7 @@ logging_log_file(nscd_log_t)
+@@ -22,6 +29,9 @@ init_daemon_domain(nscd_t, nscd_exec_t)
+ type nscd_initrc_exec_t;
+ init_script_file(nscd_initrc_exec_t)
+
++type nscd_unit_file_t;
++systemd_unit_file(nscd_unit_file_t)
++
+ type nscd_log_t;
+ logging_log_file(nscd_log_t)
+
+@@ -30,7 +40,7 @@ logging_log_file(nscd_log_t)
# Local policy
#
@@ -43374,7 +44109,7 @@ index 7936e09..6b54db7 100644
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
-@@ -47,9 +54,10 @@ allow nscd_t self:nscd { admin getstat };
+@@ -47,9 +57,10 @@ allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
@@ -43386,7 +44121,7 @@ index 7936e09..6b54db7 100644
corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
-@@ -90,6 +98,7 @@ selinux_compute_create_context(nscd_t)
+@@ -90,6 +101,7 @@ selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
@@ -43394,7 +44129,7 @@ index 7936e09..6b54db7 100644
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
-@@ -112,6 +121,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
@@ -43405,7 +44140,7 @@ index 7936e09..6b54db7 100644
cron_read_system_job_tmp_files(nscd_t)
')
-@@ -127,3 +140,17 @@ optional_policy(`
+@@ -127,3 +143,17 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -43527,7 +44262,7 @@ index e79dccc..50202ef 100644
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..4b93b29 100644
+index e80f8c0..c58528f 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -98,6 +98,49 @@ interface(`ntp_initrc_domtrans',`
@@ -43565,14 +44300,14 @@ index e80f8c0..4b93b29 100644
+#
+interface(`ntp_systemctl',`
+ gen_require(`
-+ type ntpd_unit_t;
++ type ntpd_unit_file_t;
+ type ntpd_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_search_unit_dirs($1)
-+ allow $1 ntpd_unit_t:file read_file_perms;
-+ allow $1 ntpd_unit_t:service all_service_perms;
++ allow $1 ntpd_unit_file_t:file read_file_perms;
++ allow $1 ntpd_unit_file_t:service all_service_perms;
+
+ ps_process_pattern($1, ntpd_t)
+')
@@ -44698,10 +45433,10 @@ index 0000000..548d0a2
+')
diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
new file mode 100644
-index 0000000..2321872
+index 0000000..9c4df9f
--- /dev/null
+++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,299 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -44918,6 +45653,7 @@ index 0000000..2321872
+optional_policy(`
+ ftp_domtrans(piranha_pulse_t)
+ ftp_initrc_domtrans(piranha_pulse_t)
++ ftp_systemctl(piranha_pulse_t)
+')
+
+optional_policy(`
@@ -44925,6 +45661,7 @@ index 0000000..2321872
+')
+
+optional_policy(`
++ ldap_systemctl(piranha_pulse_t)
+ ldap_initrc_domtrans(piranha_pulse_t)
+ ldap_domtrans(piranha_pulse_t)
+')
@@ -44946,6 +45683,7 @@ index 0000000..2321872
+
+optional_policy(`
+ samba_initrc_domtrans(piranha_pulse_t)
++ samba_systemctl(piranha_pulse_t)
+ samba_domtrans_smbd(piranha_pulse_t)
+ samba_domtrans_nmbd(piranha_pulse_t)
+ samba_manage_var_files(piranha_pulse_t)
@@ -46844,10 +47582,17 @@ index db843e2..4389e81 100644
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
-index 2d82c6d..dd05493 100644
+index 2d82c6d..adf5731 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
-@@ -16,6 +16,7 @@
+@@ -11,11 +11,14 @@
+ # Fix /etc/ppp {up,down} family scripts (see man pppd)
+ /etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+
++/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
+ /root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
+
#
# /sbin
#
@@ -46855,7 +47600,7 @@ index 2d82c6d..dd05493 100644
/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
#
-@@ -34,5 +35,7 @@
+@@ -34,5 +37,7 @@
# Fix pptp sockets
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
@@ -46865,7 +47610,7 @@ index 2d82c6d..dd05493 100644
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..9d90fb3 100644
+index b524673..d3f932f 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -46904,7 +47649,38 @@ index b524673..9d90fb3 100644
allow $1 pppd_var_run_t:file manage_file_perms;
')
-@@ -348,21 +348,27 @@ interface(`ppp_initrc_domtrans',`
+@@ -340,6 +340,30 @@ interface(`ppp_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute pppd server in the pppd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ppp_systemctl',`
++ gen_require(`
++ type pppd_unit_file_t;
++ type pppd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 pppd_unit_file_t:file read_file_perms;
++ allow $1 pppd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, pppd_t)
++')
++
++########################################
++## <summary>
+ ## All of the rules required to administrate
+ ## an ppp environment
+ ## </summary>
+@@ -348,21 +372,27 @@ interface(`ppp_initrc_domtrans',`
## Domain allowed access.
## </summary>
## </param>
@@ -46937,7 +47713,7 @@ index b524673..9d90fb3 100644
ppp_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 pppd_initrc_exec_t system_r;
-@@ -374,6 +380,7 @@ interface(`ppp_admin',`
+@@ -374,6 +404,7 @@ interface(`ppp_admin',`
logging_list_logs($1)
admin_pattern($1, pppd_log_t)
@@ -46945,7 +47721,7 @@ index b524673..9d90fb3 100644
admin_pattern($1, pppd_lock_t)
files_list_etc($1)
-@@ -386,9 +393,6 @@ interface(`ppp_admin',`
+@@ -386,10 +417,9 @@ interface(`ppp_admin',`
files_list_pids($1)
admin_pattern($1, pppd_var_run_t)
@@ -46955,8 +47731,11 @@ index b524673..9d90fb3 100644
admin_pattern($1, pptp_log_t)
admin_pattern($1, pptp_var_run_t)
++
++ ppp_systemctl($1)
+ ')
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
-index 2af42e7..0d51fe4 100644
+index 2af42e7..392bc4b 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -6,16 +6,16 @@ policy_module(ppp, 1.12.0)
@@ -46982,7 +47761,17 @@ index 2af42e7..0d51fe4 100644
## </desc>
gen_tunable(pppd_for_user, false)
-@@ -70,9 +70,9 @@ files_pid_file(pptp_var_run_t)
+@@ -39,6 +39,9 @@ files_type(pppd_etc_rw_t)
+ type pppd_initrc_exec_t alias pppd_script_exec_t;
+ init_script_file(pppd_initrc_exec_t)
+
++type pppd_unit_file_t;
++systemd_unit_file(pppd_unit_file_t)
++
+ # pppd_secret_t is the type of the pap and chap password files
+ type pppd_secret_t;
+ files_type(pppd_secret_t)
+@@ -70,9 +73,9 @@ files_pid_file(pptp_var_run_t)
# PPPD Local policy
#
@@ -46994,7 +47783,7 @@ index 2af42e7..0d51fe4 100644
allow pppd_t self:fifo_file rw_fifo_file_perms;
allow pppd_t self:socket create_socket_perms;
allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -84,28 +84,29 @@ allow pppd_t self:packet_socket create_socket_perms;
+@@ -84,28 +87,29 @@ allow pppd_t self:packet_socket create_socket_perms;
domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
@@ -47030,7 +47819,7 @@ index 2af42e7..0d51fe4 100644
allow pppd_t pptp_t:process signal;
-@@ -166,6 +167,8 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -166,6 +170,8 @@ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
@@ -47039,7 +47828,7 @@ index 2af42e7..0d51fe4 100644
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-@@ -176,7 +179,7 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -176,7 +182,7 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
@@ -47048,7 +47837,7 @@ index 2af42e7..0d51fe4 100644
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
userdom_search_user_home_dirs(pppd_t)
-@@ -187,13 +190,15 @@ optional_policy(`
+@@ -187,13 +193,15 @@ optional_policy(`
')
optional_policy(`
@@ -47065,7 +47854,7 @@ index 2af42e7..0d51fe4 100644
')
optional_policy(`
-@@ -243,14 +248,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -243,14 +251,17 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -47571,7 +48360,7 @@ index 2f1e529..8c0b242 100644
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
diff --git a/policy/modules/services/puppet.if b/policy/modules/services/puppet.if
-index 2855a44..9bc56ee 100644
+index 2855a44..58bb459 100644
--- a/policy/modules/services/puppet.if
+++ b/policy/modules/services/puppet.if
@@ -8,6 +8,53 @@
@@ -47628,7 +48417,7 @@ index 2855a44..9bc56ee 100644
################################################
## <summary>
## Read / Write to Puppet temp files. Puppet uses
-@@ -21,7 +68,7 @@
+@@ -21,11 +68,87 @@
## </summary>
## </param>
#
@@ -47637,8 +48426,9 @@ index 2855a44..9bc56ee 100644
gen_require(`
type puppet_tmp_t;
')
-@@ -29,3 +76,79 @@ interface(`puppet_rw_tmp', `
- allow $1 puppet_tmp_t:file rw_file_perms;
+
+- allow $1 puppet_tmp_t:file rw_file_perms;
++ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
files_search_tmp($1)
')
+
@@ -47718,7 +48508,7 @@ index 2855a44..9bc56ee 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..7041ad9 100644
+index 64c5f95..5f6e7b8 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -47774,7 +48564,18 @@ index 64c5f95..7041ad9 100644
')
optional_policy(`
-@@ -162,7 +174,60 @@ optional_policy(`
+@@ -144,6 +156,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mount_domtrans(puppet_t)
++')
++
++optional_policy(`
+ files_rw_var_files(puppet_t)
+
+ rpm_domtrans(puppet_t)
+@@ -162,7 +178,60 @@ optional_policy(`
########################################
#
@@ -47836,7 +48637,7 @@ index 64c5f95..7041ad9 100644
#
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +236,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +240,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
allow puppetmaster_t self:socket create;
allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@@ -47875,7 +48676,7 @@ index 64c5f95..7041ad9 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +277,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +281,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
@@ -47891,11 +48692,11 @@ index 64c5f95..7041ad9 100644
+domain_obj_id_change_exemption(puppetmaster_t)
+
+files_read_usr_files(puppetmaster_t)
-+
-+selinux_validate_context(puppetmaster_t)
-files_read_etc_files(puppetmaster_t)
-files_search_var_lib(puppetmaster_t)
++selinux_validate_context(puppetmaster_t)
++
+auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
@@ -47925,7 +48726,7 @@ index 64c5f95..7041ad9 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +327,9 @@ optional_policy(`
+@@ -231,3 +331,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -49289,7 +50090,7 @@ index 7dc38d1..9c2c963 100644
+ admin_pattern($1, rgmanager_var_run_t)
+')
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te
-index 00fa514..e605105 100644
+index 00fa514..bac3e66 100644
--- a/policy/modules/services/rgmanager.te
+++ b/policy/modules/services/rgmanager.te
@@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0)
@@ -49404,11 +50205,12 @@ index 00fa514..e605105 100644
fstools_domtrans(rgmanager_t)
')
-@@ -140,6 +158,15 @@ optional_policy(`
+@@ -140,6 +158,16 @@ optional_policy(`
')
optional_policy(`
+ ldap_initrc_domtrans(rgmanager_t)
++ ldap_systemctl(rgmanager_t)
+ ldap_domtrans(rgmanager_t)
+')
+
@@ -49420,11 +50222,20 @@ index 00fa514..e605105 100644
mysql_domtrans_mysql_safe(rgmanager_t)
mysql_stream_connect(rgmanager_t)
')
+@@ -165,6 +193,8 @@ optional_policy(`
+ optional_policy(`
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
++ rpc_systemctl_nfsd(rgmanager_t)
++ rpc_systemctl_rpcd(rgmanager_t)
+
+ rpc_domtrans_nfsd(rgmanager_t)
+ rpc_domtrans_rpcd(rgmanager_t)
diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc
-index c2ba53b..853eeb5 100644
+index c2ba53b..1f935bf 100644
--- a/policy/modules/services/rhcs.fc
+++ b/policy/modules/services/rhcs.fc
-@@ -1,14 +1,18 @@
+@@ -1,20 +1,25 @@
/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
@@ -49443,6 +50254,13 @@ index c2ba53b..853eeb5 100644
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
+ /var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
+
+ /var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
++/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
+ /var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
+ /var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
index de37806..a21e737 100644
--- a/policy/modules/services/rhcs.if
@@ -51063,17 +51881,27 @@ index 779fa44..4bcaacc 100644
tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
')
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 5c70c0c..6842295 100644
+index 5c70c0c..f9f0f54 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
-@@ -29,3 +29,5 @@
+@@ -6,6 +6,9 @@
+ /etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+
++/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
++/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
++
+ #
+ # /sbin
+ #
+@@ -29,3 +32,5 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..484e552 100644
+index cda37bb..41b106f 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -32,7 +32,11 @@ interface(`rpc_stub',`
@@ -51107,7 +51935,38 @@ index cda37bb..484e552 100644
')
########################################
-@@ -246,6 +250,32 @@ interface(`rpc_domtrans_rpcd',`
+@@ -229,6 +233,30 @@ interface(`rpc_initrc_domtrans_nfsd',`
+
+ ########################################
+ ## <summary>
++## Execute nfsd server in the nfsd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rpc_systemctl_nfsd',`
++ gen_require(`
++ type nfsd_unit_file_t;
++ type nfsd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 nfsd_unit_file_t:file read_file_perms;
++ allow $1 nfsd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, nfsd_t)
++')
++
++########################################
++## <summary>
+ ## Execute domain in rpcd domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -246,6 +274,32 @@ interface(`rpc_domtrans_rpcd',`
allow rpcd_t $1:process signal;
')
@@ -51140,7 +51999,38 @@ index cda37bb..484e552 100644
#######################################
## <summary>
## Execute domain in rpcd domain.
-@@ -282,7 +312,7 @@ interface(`rpc_read_nfs_content',`
+@@ -266,6 +320,30 @@ interface(`rpc_initrc_domtrans_rpcd',`
+
+ ########################################
+ ## <summary>
++## Execute rpcd server in the rpcd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`rpc_systemctl_rpcd',`
++ gen_require(`
++ type rpcd_unit_file_t;
++ type rpcd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 rpcd_unit_file_t:file read_file_perms;
++ allow $1 rpcd_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, rpcd_t)
++')
++
++########################################
++## <summary>
+ ## Read NFS exported content.
+ ## </summary>
+ ## <param name="domain">
+@@ -282,7 +360,7 @@ interface(`rpc_read_nfs_content',`
allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
@@ -51149,7 +52039,7 @@ index cda37bb..484e552 100644
')
########################################
-@@ -375,7 +405,7 @@ interface(`rpc_search_nfs_state_data',`
+@@ -375,7 +453,7 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
@@ -51158,14 +52048,14 @@ index cda37bb..484e552 100644
')
########################################
-@@ -414,4 +444,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -414,4 +492,5 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..4bd5e3c 100644
+index b1468ed..372f918 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -51195,7 +52085,25 @@ index b1468ed..4bd5e3c 100644
## </desc>
gen_tunable(allow_nfsd_anon_write, false)
-@@ -62,9 +62,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
+@@ -39,11 +39,17 @@ rpc_domain_template(rpcd)
+ type rpcd_initrc_exec_t;
+ init_script_file(rpcd_initrc_exec_t)
+
++type rpcd_unit_file_t;
++systemd_unit_file(rpcd_unit_file_t)
++
+ rpc_domain_template(nfsd)
+
+ type nfsd_initrc_exec_t;
+ init_script_file(nfsd_initrc_exec_t)
+
++type nfsd_unit_file_t;
++systemd_unit_file(nfsd_unit_file_t)
++
+ type nfsd_rw_t;
+ files_type(nfsd_rw_t)
+
+@@ -62,9 +68,10 @@ allow rpcd_t self:capability { sys_admin chown dac_override setgid setuid };
allow rpcd_t self:process { getcap setcap };
allow rpcd_t self:fifo_file rw_fifo_file_perms;
@@ -51208,7 +52116,7 @@ index b1468ed..4bd5e3c 100644
# rpc.statd executes sm-notify
can_exec(rpcd_t, rpcd_exec_t)
-@@ -87,6 +88,7 @@ fs_read_rpc_files(rpcd_t)
+@@ -87,6 +94,7 @@ fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
fs_rw_rpc_sockets(rpcd_t)
fs_get_all_fs_quotas(rpcd_t)
@@ -51216,7 +52124,7 @@ index b1468ed..4bd5e3c 100644
fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
-@@ -97,15 +99,26 @@ miscfiles_read_generic_certs(rpcd_t)
+@@ -97,15 +105,26 @@ miscfiles_read_generic_certs(rpcd_t)
seutil_dontaudit_search_config(rpcd_t)
@@ -51243,7 +52151,7 @@ index b1468ed..4bd5e3c 100644
########################################
#
# NFSD local policy
-@@ -120,9 +133,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +139,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -51258,7 +52166,7 @@ index b1468ed..4bd5e3c 100644
dev_dontaudit_getattr_all_blk_files(nfsd_t)
dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -148,6 +166,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +172,8 @@ storage_raw_read_removable_device(nfsd_t)
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
@@ -51267,7 +52175,7 @@ index b1468ed..4bd5e3c 100644
# Write access to public_content_t and public_content_rw_t
tunable_policy(`allow_nfsd_anon_write',`
miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +178,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +184,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -51275,7 +52183,7 @@ index b1468ed..4bd5e3c 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +189,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +195,7 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -51285,7 +52193,7 @@ index b1468ed..4bd5e3c 100644
')
########################################
-@@ -181,7 +199,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +205,7 @@ tunable_policy(`nfs_export_all_ro',`
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
allow gssd_t self:process { getsched setsched };
@@ -51294,7 +52202,7 @@ index b1468ed..4bd5e3c 100644
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +217,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +223,7 @@ corecmd_exec_bin(gssd_t)
fs_list_rpc(gssd_t)
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -51302,7 +52210,7 @@ index b1468ed..4bd5e3c 100644
fs_list_inotifyfs(gssd_t)
files_list_tmp(gssd_t)
-@@ -210,14 +229,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +235,14 @@ auth_manage_cache(gssd_t)
miscfiles_read_generic_certs(gssd_t)
@@ -51319,7 +52227,7 @@ index b1468ed..4bd5e3c 100644
')
optional_policy(`
-@@ -229,6 +248,10 @@ optional_policy(`
+@@ -229,6 +254,10 @@ optional_policy(`
')
optional_policy(`
@@ -51701,10 +52609,19 @@ index a07b2f4..ee39810 100644
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..73db5ba 100644
+index 69a6074..c79b415 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
-@@ -51,3 +51,7 @@
+@@ -11,6 +11,8 @@
+ /etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
+ /etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
+
++/lib/systemd/system/smb.service -- gen_context(system_u:object_r:samba_unit_file_t,s0)
++
+ #
+ # /usr
+ #
+@@ -51,3 +53,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
@@ -51713,10 +52630,41 @@ index 69a6074..73db5ba 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..9e72970 100644
+index 82cb169..87d1eec 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
-@@ -79,6 +79,25 @@ interface(`samba_domtrans_net',`
+@@ -60,6 +60,30 @@ interface(`samba_initrc_domtrans',`
+
+ ########################################
+ ## <summary>
++## Execute samba server in the samba domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`samba_systemctl',`
++ gen_require(`
++ type samba_unit_file_t;
++ type smbd_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 samba_unit_file_t:file read_file_perms;
++ allow $1 samba_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, smbd_t)
++')
++
++########################################
++## <summary>
+ ## Execute samba net in the samba_net domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -79,6 +103,25 @@ interface(`samba_domtrans_net',`
########################################
## <summary>
@@ -51742,7 +52690,7 @@ index 82cb169..9e72970 100644
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
-@@ -103,6 +122,51 @@ interface(`samba_run_net',`
+@@ -103,6 +146,51 @@ interface(`samba_run_net',`
role $2 types samba_net_t;
')
@@ -51794,7 +52742,7 @@ index 82cb169..9e72970 100644
########################################
## <summary>
## Execute smbmount in the smbmount domain.
-@@ -327,7 +391,6 @@ interface(`samba_search_var',`
+@@ -327,7 +415,6 @@ interface(`samba_search_var',`
type samba_var_t;
')
@@ -51802,7 +52750,7 @@ index 82cb169..9e72970 100644
files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
-@@ -348,7 +411,6 @@ interface(`samba_read_var_files',`
+@@ -348,7 +435,6 @@ interface(`samba_read_var_files',`
type samba_var_t;
')
@@ -51810,7 +52758,7 @@ index 82cb169..9e72970 100644
files_search_var_lib($1)
read_files_pattern($1, samba_var_t, samba_var_t)
')
-@@ -388,7 +450,6 @@ interface(`samba_rw_var_files',`
+@@ -388,7 +474,6 @@ interface(`samba_rw_var_files',`
type samba_var_t;
')
@@ -51818,7 +52766,7 @@ index 82cb169..9e72970 100644
files_search_var_lib($1)
rw_files_pattern($1, samba_var_t, samba_var_t)
')
-@@ -409,9 +470,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +494,9 @@ interface(`samba_manage_var_files',`
type samba_var_t;
')
@@ -51829,7 +52777,7 @@ index 82cb169..9e72970 100644
')
########################################
-@@ -419,15 +480,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +504,14 @@ interface(`samba_manage_var_files',`
## Execute a domain transition to run smbcontrol.
## </summary>
## <param name="domain">
@@ -51848,7 +52796,7 @@ index 82cb169..9e72970 100644
')
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +624,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +648,7 @@ interface(`samba_domtrans_winbind_helper',`
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -51856,7 +52804,7 @@ index 82cb169..9e72970 100644
')
########################################
-@@ -644,6 +705,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +729,37 @@ interface(`samba_stream_connect_winbind',`
########################################
## <summary>
@@ -51894,7 +52842,7 @@ index 82cb169..9e72970 100644
## All of the rules required to administrate
## an samba environment
## </summary>
-@@ -661,21 +753,12 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,21 +777,12 @@ interface(`samba_stream_connect_winbind',`
#
interface(`samba_admin',`
gen_require(`
@@ -51922,7 +52870,7 @@ index 82cb169..9e72970 100644
')
allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +767,9 @@ interface(`samba_admin',`
+@@ -684,6 +791,9 @@ interface(`samba_admin',`
allow $1 nmbd_t:process { ptrace signal_perms };
ps_process_pattern($1, nmbd_t)
@@ -51932,7 +52880,7 @@ index 82cb169..9e72970 100644
samba_run_smbcontrol($1, $2, $3)
samba_run_winbind_helper($1, $2, $3)
samba_run_smbmount($1, $2, $3)
-@@ -709,9 +795,6 @@ interface(`samba_admin',`
+@@ -709,9 +819,6 @@ interface(`samba_admin',`
admin_pattern($1, samba_var_t)
files_list_var($1)
@@ -51942,17 +52890,29 @@ index 82cb169..9e72970 100644
admin_pattern($1, smbd_var_run_t)
files_list_pids($1)
-@@ -727,4 +810,5 @@ interface(`samba_admin',`
+@@ -727,4 +834,7 @@ interface(`samba_admin',`
admin_pattern($1, winbind_tmp_t)
admin_pattern($1, winbind_var_run_t)
+ admin_pattern($1, samba_unconfined_script_exec_t)
++
++ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..be3f853 100644
+index e30bb63..3bc774c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
-@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
+@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
+ type samba_initrc_exec_t;
+ init_script_file(samba_initrc_exec_t)
+
++type samba_unit_file_t;
++systemd_unit_file(samba_unit_file_t)
++
+ type samba_log_t;
+ logging_log_file(samba_log_t)
+
+@@ -152,9 +155,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
type winbind_log_t;
logging_log_file(winbind_log_t)
@@ -51962,7 +52922,7 @@ index e30bb63..be3f853 100644
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
-@@ -215,7 +212,7 @@ miscfiles_read_localization(samba_net_t)
+@@ -215,7 +215,7 @@ miscfiles_read_localization(samba_net_t)
samba_read_var_files(samba_net_t)
@@ -51971,7 +52931,7 @@ index e30bb63..be3f853 100644
userdom_list_user_home_dirs(samba_net_t)
optional_policy(`
-@@ -224,13 +221,14 @@ optional_policy(`
+@@ -224,13 +224,14 @@ optional_policy(`
optional_policy(`
kerberos_use(samba_net_t)
@@ -51987,7 +52947,7 @@ index e30bb63..be3f853 100644
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -263,7 +261,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,7 +264,7 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -51996,7 +52956,7 @@ index e30bb63..be3f853 100644
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -279,7 +277,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +280,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -52005,7 +52965,7 @@ index e30bb63..be3f853 100644
allow smbd_t swat_t:process signal;
-@@ -323,15 +321,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +324,18 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
@@ -52024,7 +52984,7 @@ index e30bb63..be3f853 100644
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +344,7 @@ files_read_usr_files(smbd_t)
+@@ -343,6 +347,7 @@ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
@@ -52032,7 +52992,7 @@ index e30bb63..be3f853 100644
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -385,12 +387,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +390,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -52046,7 +53006,7 @@ index e30bb63..be3f853 100644
')
# Support Samba sharing of NFS mount points
-@@ -410,6 +407,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +410,10 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -52057,7 +53017,7 @@ index e30bb63..be3f853 100644
optional_policy(`
cups_read_rw_config(smbd_t)
-@@ -445,26 +446,25 @@ optional_policy(`
+@@ -445,26 +449,25 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -52091,7 +53051,7 @@ index e30bb63..be3f853 100644
########################################
#
# nmbd Local policy
-@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +487,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52102,7 +53062,7 @@ index e30bb63..be3f853 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +564,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t nmbd_t:process { signal signull };
@@ -52120,7 +53080,7 @@ index e30bb63..be3f853 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -574,11 +575,13 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -574,11 +578,13 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
@@ -52135,7 +53095,7 @@ index e30bb63..be3f853 100644
########################################
#
-@@ -644,19 +647,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +650,21 @@ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -52160,7 +53120,7 @@ index e30bb63..be3f853 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +682,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +685,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -52169,7 +53129,7 @@ index e30bb63..be3f853 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +697,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +700,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -52184,7 +53144,7 @@ index e30bb63..be3f853 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +717,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +720,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -52192,7 +53152,7 @@ index e30bb63..be3f853 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +762,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +765,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -52201,7 +53161,7 @@ index e30bb63..be3f853 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,15 +816,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +819,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -52223,7 +53183,7 @@ index e30bb63..be3f853 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +844,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +847,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -52231,7 +53191,7 @@ index e30bb63..be3f853 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -904,7 +916,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +919,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -52240,7 +53200,7 @@ index e30bb63..be3f853 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +934,18 @@ optional_policy(`
+@@ -922,6 +937,18 @@ optional_policy(`
#
optional_policy(`
@@ -52259,7 +53219,7 @@ index e30bb63..be3f853 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +956,12 @@ optional_policy(`
+@@ -932,9 +959,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -56534,10 +57494,10 @@ index 0000000..7647279
+
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
new file mode 100644
-index 0000000..9fb3ea7
+index 0000000..4fd2377
--- /dev/null
+++ b/policy/modules/services/vdagent.te
-@@ -0,0 +1,48 @@
+@@ -0,0 +1,54 @@
+policy_module(vdagent,1.0.0)
+
+########################################
@@ -56560,6 +57520,8 @@ index 0000000..9fb3ea7
+# vdagent local policy
+#
+
++dontaudit vdagent_t self:capability sys_admin;
++
+allow vdagent_t self:fifo_file rw_fifo_file_perms;
+allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
+
@@ -56573,6 +57535,10 @@ index 0000000..9fb3ea7
+logging_log_filetrans(vdagent_t, vdagent_log_t, { file })
+
+dev_rw_input_dev(vdagent_t)
++dev_read_sysfs(vdagent_t)
++dev_dontaudit_write_mtrr(vdagent_t)
++
++files_read_etc_files(vdagent_t)
+
+term_use_virtio_console(vdagent_t)
+
@@ -56685,7 +57651,7 @@ index 32a3c13..7baeb6f 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..55b5012 100644
+index 2124b6a..e14c78c 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,5 +1,6 @@
@@ -56697,12 +57663,13 @@ index 2124b6a..55b5012 100644
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,29 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,30 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
-+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virt_lxc_exec_t,s0)
++/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+
++/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virtd_exec_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -56721,7 +57688,7 @@ index 2124b6a..55b5012 100644
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
++/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+
@@ -56731,7 +57698,7 @@ index 2124b6a..55b5012 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..72e3065 100644
+index 7c5d8d8..f2f49f2 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,39 +13,44 @@
@@ -57035,7 +58002,7 @@ index 7c5d8d8..72e3065 100644
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 virtd_initrc_exec_t system_r;
-@@ -515,4 +615,188 @@ interface(`virt_admin',`
+@@ -515,4 +615,213 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -57043,7 +58010,7 @@ index 7c5d8d8..72e3065 100644
+ virt_manage_images($1)
+
+ allow $1 virt_domain:process { ptrace signal_perms };
-+')
+ ')
+
+########################################
+## <summary>
@@ -57223,9 +58190,34 @@ index 7c5d8d8..72e3065 100644
+ ')
+
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
- ')
++')
++
++########################################
++## <summary>
++## Creates types and rules for a basic
++## virt_lxc process domain.
++## </summary>
++## <param name="prefix">
++## <summary>
++## Prefix for the domain.
++## </summary>
++## </param>
++#
++template(`virt_lxc_domain_template',`
++ gen_require(`
++ attribute virt_lxc_domain;
++ ')
++
++ type $1_t, virt_lxc_domain;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ mls_rangetrans_target($1_t)
++ mcs_untrusted_proc($1_t)
++ role system_r types $1_t;
++')
++
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..1eb165e 100644
+index 3eca020..e92db9c 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -57369,19 +58361,24 @@ index 3eca020..1eb165e 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -99,20 +130,29 @@ ifdef(`enable_mls',`
+@@ -99,20 +130,34 @@ ifdef(`enable_mls',`
########################################
#
+# Declarations
+#
++attribute virt_lxc_domain;
++
++type virtd_lxc_t;
++type virtd_lxc_exec_t;
++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
+
-+type virt_lxc_t;
-+type virt_lxc_exec_t;
-+init_system_domain(virt_lxc_t, virt_lxc_exec_t)
++type virtd_lxc_var_run_t;
++files_pid_file(virtd_lxc_var_run_t)
+
-+type virt_lxc_var_run_t;
-+files_pid_file(virt_lxc_var_run_t)
++# virt lxc container files
++type virt_lxc_file_t;
++files_mountpoint(virt_lxc_file_t)
+
+########################################
+#
@@ -57403,7 +58400,7 @@ index 3eca020..1eb165e 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +170,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +175,13 @@ corenet_tcp_connect_all_ports(svirt_t)
dev_list_sysfs(svirt_t)
@@ -57417,7 +58414,7 @@ index 3eca020..1eb165e 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +191,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +196,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -57433,7 +58430,7 @@ index 3eca020..1eb165e 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +208,28 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +213,28 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -57462,7 +58459,7 @@ index 3eca020..1eb165e 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +239,35 @@ optional_policy(`
+@@ -174,21 +244,36 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -57481,6 +58478,7 @@ index 3eca020..1eb165e 100644
-allow virtd_t self:tun_socket create_socket_perms;
+allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow virtd_t self:rawip_socket create_socket_perms;
++allow virtd_t self:packet_socket create_socket_perms;
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
-manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
@@ -57504,7 +58502,7 @@ index 3eca020..1eb165e 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +279,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +285,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -57522,14 +58520,14 @@ index 3eca020..1eb165e 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +303,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +309,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
-+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
-+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virt_lxc_t)
++manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -57538,7 +58536,7 @@ index 3eca020..1eb165e 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +331,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +337,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -57571,7 +58569,7 @@ index 3eca020..1eb165e 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +363,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +369,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -57590,14 +58588,14 @@ index 3eca020..1eb165e 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +398,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +404,29 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-
-+selinux_validate_context(virtd_t)
+
++selinux_validate_context(virtd_t)
+
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -57620,7 +58618,7 @@ index 3eca020..1eb165e 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +439,10 @@ optional_policy(`
+@@ -313,6 +445,10 @@ optional_policy(`
')
optional_policy(`
@@ -57631,7 +58629,7 @@ index 3eca020..1eb165e 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,11 +459,17 @@ optional_policy(`
+@@ -329,16 +465,23 @@ optional_policy(`
')
optional_policy(`
@@ -57649,7 +58647,13 @@ index 3eca020..1eb165e 100644
')
optional_policy(`
-@@ -365,6 +501,12 @@ optional_policy(`
+ iptables_domtrans(virtd_t)
+ iptables_initrc_domtrans(virtd_t)
++ iptables_systemctl(virtd_t)
+
+ # Manages /etc/sysconfig/system-config-firewall
+ iptables_manage_config(virtd_t)
+@@ -365,6 +508,12 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -57662,7 +58666,7 @@ index 3eca020..1eb165e 100644
')
optional_policy(`
-@@ -394,20 +536,36 @@ optional_policy(`
+@@ -394,20 +543,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -57701,7 +58705,7 @@ index 3eca020..1eb165e 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -418,10 +576,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +583,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -57714,7 +58718,7 @@ index 3eca020..1eb165e 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +588,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +595,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -57727,7 +58731,7 @@ index 3eca020..1eb165e 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,14 +601,20 @@ files_search_all(virt_domain)
+@@ -440,14 +608,20 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -57735,12 +58739,12 @@ index 3eca020..1eb165e 100644
+fs_rw_inherited_nfs_files(virt_domain)
+fs_rw_inherited_cifs_files(virt_domain)
+fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+
+-term_use_all_terms(virt_domain)
+# I think we need these for now.
+miscfiles_read_public_files(virt_domain)
+storage_raw_read_removable_device(virt_domain)
-
--term_use_all_terms(virt_domain)
++
+term_use_all_inherited_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
@@ -57751,7 +58755,7 @@ index 3eca020..1eb165e 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +624,188 @@ optional_policy(`
+@@ -457,8 +631,256 @@ optional_policy(`
')
optional_policy(`
@@ -57875,71 +58879,139 @@ index 3eca020..1eb165e 100644
+#
+# virt_lxc local policy
+#
-+allow virt_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin };
-+allow virt_lxc_t self:process { setsched getcap setcap signal_perms };
-+allow virt_lxc_t self:fifo_file rw_fifo_file_perms;
-+allow virt_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
-+allow virt_lxc_t self:unix_stream_socket create_stream_socket_perms;
-+allow virt_lxc_t self:packet_socket create_socket_perms;
++allow virtd_lxc_t self:capability { net_admin net_raw setpcap chown sys_admin };
++allow virtd_lxc_t self:process { setsched getcap setcap signal_perms };
++allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
++allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
++allow virtd_lxc_t self:unix_stream_socket create_stream_socket_perms;
++allow virtd_lxc_t self:packet_socket create_socket_perms;
+
-+allow virt_lxc_t virt_image_type:dir mounton;
++allow virtd_lxc_t virt_image_type:dir mounton;
+
-+allow virt_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow virtd_lxc_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
+
-+domtrans_pattern(virtd_t, virt_lxc_exec_t, virt_lxc_t)
-+allow virtd_t virt_lxc_t:process { signal signull sigkill };
++domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
++allow virtd_t virtd_lxc_t:process { signal signull sigkill };
+
-+manage_dirs_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+manage_sock_files_pattern(virt_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+files_pid_filetrans(virt_lxc_t, virt_lxc_var_run_t, { file dir })
++manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
++files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
+
-+kernel_read_network_state(virt_lxc_t)
-+kernel_search_network_sysctl(virt_lxc_t)
-+kernel_read_sysctl(virt_lxc_t)
++kernel_read_network_state(virtd_lxc_t)
++kernel_search_network_sysctl(virtd_lxc_t)
++kernel_read_sysctl(virtd_lxc_t)
+
-+dev_read_sysfs(virt_lxc_t)
++dev_read_sysfs(virtd_lxc_t)
+
-+domain_use_interactive_fds(virt_lxc_t)
++domain_use_interactive_fds(virtd_lxc_t)
+
-+files_read_etc_files(virt_lxc_t)
-+files_mounton_all_mountpoints(virt_lxc_t)
-+files_mount_all_file_type_fs(virt_lxc_t)
-+files_unmount_all_file_type_fs(virt_lxc_t)
-+files_list_isid_type_dirs(virt_lxc_t)
++files_read_etc_files(virtd_lxc_t)
++files_mounton_all_mountpoints(virtd_lxc_t)
++files_mount_all_file_type_fs(virtd_lxc_t)
++files_unmount_all_file_type_fs(virtd_lxc_t)
++files_list_isid_type_dirs(virtd_lxc_t)
+
-+fs_manage_tmpfs_dirs(virt_lxc_t)
-+fs_manage_tmpfs_chr_files(virt_lxc_t)
-+fs_manage_tmpfs_symlinks(virt_lxc_t)
-+fs_manage_cgroup_dirs(virt_lxc_t)
-+fs_rw_cgroup_files(virt_lxc_t)
-+fs_remount_all_fs(virt_lxc_t)
++fs_manage_tmpfs_dirs(virtd_lxc_t)
++fs_manage_tmpfs_chr_files(virtd_lxc_t)
++fs_manage_tmpfs_symlinks(virtd_lxc_t)
++fs_manage_cgroup_dirs(virtd_lxc_t)
++fs_rw_cgroup_files(virtd_lxc_t)
++fs_remount_all_fs(virtd_lxc_t)
+
-+selinux_mount_fs(virt_lxc_t)
-+selinux_unmount_fs(virt_lxc_t)
++selinux_mount_fs(virtd_lxc_t)
++selinux_unmount_fs(virtd_lxc_t)
+
-+term_use_generic_ptys(virt_lxc_t)
-+term_use_ptmx(virt_lxc_t)
++term_use_generic_ptys(virtd_lxc_t)
++term_use_ptmx(virtd_lxc_t)
+
-+auth_use_nsswitch(virt_lxc_t)
++auth_use_nsswitch(virtd_lxc_t)
+
-+logging_send_syslog_msg(virt_lxc_t)
++logging_send_syslog_msg(virtd_lxc_t)
+
-+miscfiles_read_localization(virt_lxc_t)
++miscfiles_read_localization(virtd_lxc_t)
+
-+sysnet_domtrans_ifconfig(virt_lxc_t)
++sysnet_domtrans_ifconfig(virtd_lxc_t)
+
-+type lxc_t;
-+domain_type(lxc_t);
++#optional_policy(`
++# unconfined_shell_domtrans(virtd_lxc_t)
++# unconfined_signal(virtd_t)
++#')
+
-+optional_policy(`
-+ unconfined_domain(lxc_t)
-+')
++########################################
++#
++# virt_lxc_domain local policy
++#
++allow virtd_lxc_t virt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
++allow virt_lxc_domain virtd_lxc_t:fd use;
++allow virt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
++dontaudit virt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
+
-+optional_policy(`
-+ unconfined_shell_domtrans(virt_lxc_t)
-+ unconfined_signal(virtd_t)
-+')
++allow virt_lxc_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
++allow virt_lxc_domain self:fifo_file manage_file_perms;
++allow virt_lxc_domain self:sem create_sem_perms;
++allow virt_lxc_domain self:shm create_shm_perms;
++allow virt_lxc_domain self:msgq create_msgq_perms;
++allow virt_lxc_domain self:unix_stream_socket create_stream_socket_perms;
++allow virt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
++dontaudit virt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++manage_dirs_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++manage_files_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++manage_lnk_files_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++manage_sock_files_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++manage_fifo_files_pattern(virt_lxc_domain, virt_lxc_file_t, virt_lxc_file_t)
++can_exec(virt_lxc_domain, virt_lxc_file_t)
++
++kernel_getattr_proc(virt_lxc_domain)
++kernel_read_network_state(virt_lxc_domain)
++kernel_read_system_state(virt_lxc_domain)
++kernel_dontaudit_search_kernel_sysctl(virt_lxc_domain)
++
++corecmd_exec_all_executables(virt_lxc_domain)
++
++dev_read_urand(virt_lxc_domain)
++dev_dontaudit_read_rand(virt_lxc_domain)
++dev_read_sysfs(virt_lxc_domain)
++
++files_dontaudit_list_all_mountpoints(virt_lxc_domain)
++files_entrypoint_all_files(virt_lxc_domain)
++files_read_config_files(virt_lxc_domain)
++files_read_usr_files(virt_lxc_domain)
++files_read_usr_symlinks(virt_lxc_domain)
++
++fs_getattr_tmpfs(virt_lxc_domain)
++fs_getattr_xattr_fs(virt_lxc_domain)
++fs_list_inotifyfs(virt_lxc_domain)
++fs_dontaudit_getattr_xattr_fs(virt_lxc_domain)
++
++auth_dontaudit_read_login_records(virt_lxc_domain)
++auth_dontaudit_write_login_records(virt_lxc_domain)
++auth_search_pam_console_data(virt_lxc_domain)
++
++init_read_utmp(virt_lxc_domain)
++init_dontaudit_write_utmp(virt_lxc_domain)
++
++libs_dontaudit_setattr_lib_files(virt_lxc_domain)
++
++miscfiles_read_localization(virt_lxc_domain)
++miscfiles_dontaudit_setattr_fonts_cache_dirs(virt_lxc_domain)
++
++mta_dontaudit_read_spool_symlinks(virt_lxc_domain)
++
++selinux_get_fs_mount(virt_lxc_domain)
++selinux_validate_context(virt_lxc_domain)
++selinux_compute_access_vector(virt_lxc_domain)
++selinux_compute_create_context(virt_lxc_domain)
++selinux_compute_relabel_context(virt_lxc_domain)
++selinux_compute_user_contexts(virt_lxc_domain)
++seutil_read_default_contexts(virt_lxc_domain)
++
++miscfiles_read_fonts(virt_lxc_domain)
++
++virt_lxc_domain_template(svirt_lxc)
++
++corecmd_shell_spec_domtrans(virtd_lxc_t, svirt_lxc_t)
diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
index 11533cc..4d81b99 100644
--- a/policy/modules/services/vnstatd.fc
@@ -63001,7 +64073,7 @@ index 94fd8dd..b5e5c70 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..1c92ab6 100644
+index 29a9565..53f3bfe 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -63291,31 +64363,31 @@ index 29a9565..1c92ab6 100644
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
++optional_policy(`
++ lvm_rw_pipes(init_t)
++')
++
optional_policy(`
- auth_rw_login_records(init_t)
-+ lvm_rw_pipes(init_t)
++ consolekit_manage_log(init_t)
')
optional_policy(`
-+ consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
- ')
-
- optional_policy(`
-- nscd_socket_use(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+ # The master process of dovecot will manage this file.
+ dovecot_dontaudit_unlink_lib_files(initrc_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- nscd_socket_use(init_t)
+ plymouthd_stream_connect(init_t)
+ plymouthd_exec_plymouth(init_t)
')
@@ -63875,7 +64947,7 @@ index 29a9565..1c92ab6 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1241,151 @@ optional_policy(`
+@@ -854,3 +1241,160 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -63960,6 +65032,10 @@ index 29a9565..1c92ab6 100644
+ nscd_socket_use(daemon)
+')
+
++optional_policy(`
++ puppet_rw_tmp(daemon)
++')
++
+allow direct_run_init daemon:process { noatsecure siginh rlimitinh };
+
+allow initrc_t systemprocess:process siginh;
@@ -64010,6 +65086,10 @@ index 29a9565..1c92ab6 100644
+')
+
+optional_policy(`
++ puppet_rw_tmp(systemprocess)
++')
++
++optional_policy(`
+ xserver_dontaudit_append_xdm_home_files(systemprocess)
+')
+
@@ -64027,6 +65107,7 @@ index 29a9565..1c92ab6 100644
+#ifdef(`enable_mls',`
+# mls_rangetrans_target(systemprocess)
+#')
++
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index fb09b9e..e25c6b6 100644
--- a/policy/modules/system/ipsec.fc
@@ -64239,19 +65320,21 @@ index 55a6cd8..fa17b89 100644
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..6b895d1 100644
+index 05fb364..c054118 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,7 +1,5 @@
+@@ -1,7 +1,7 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
++
++/lib/systemd/system/iptables6?.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -12,8 +10,4 @@
+@@ -12,8 +12,4 @@
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -64262,7 +65345,7 @@ index 05fb364..6b895d1 100644
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index 7ba53db..5c94dfe 100644
+index 7ba53db..227887f 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -64276,11 +65359,42 @@ index 7ba53db..5c94dfe 100644
')
########################################
+@@ -92,6 +88,30 @@ interface(`iptables_initrc_domtrans',`
+ init_labeled_script_domtrans($1, iptables_initrc_exec_t)
+ ')
+
++########################################
++## <summary>
++## Execute iptables server in the iptables domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`iptables_systemctl',`
++ gen_require(`
++ type iptables_unit_file_t;
++ type iptables_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_search_unit_dirs($1)
++ allow $1 iptables_unit_file_t:file read_file_perms;
++ allow $1 iptables_unit_file_t:service all_service_perms;
++
++ ps_process_pattern($1, iptables_t)
++')
++
+ #####################################
+ ## <summary>
+ ## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index f3e1b57..d6a93ac 100644
+index f3e1b57..d7fd7fb 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
-@@ -13,9 +13,6 @@ role system_r types iptables_t;
+@@ -13,15 +13,15 @@ role system_r types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -64290,7 +65404,16 @@ index f3e1b57..d6a93ac 100644
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
-@@ -34,8 +31,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+ type iptables_var_run_t;
+ files_pid_file(iptables_var_run_t)
+
++type iptables_unit_file_t;
++systemd_unit_file(iptables_unit_file_t)
++
+ ########################################
+ #
+ # Iptables local policy
+@@ -34,8 +34,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
@@ -64301,7 +65424,7 @@ index f3e1b57..d6a93ac 100644
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -46,6 +43,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+@@ -46,6 +46,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
@@ -64309,7 +65432,7 @@ index f3e1b57..d6a93ac 100644
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
-@@ -61,6 +59,9 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -61,6 +62,9 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
@@ -64319,7 +65442,7 @@ index f3e1b57..d6a93ac 100644
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
-@@ -69,11 +70,13 @@ fs_list_inotifyfs(iptables_t)
+@@ -69,11 +73,13 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -64334,7 +65457,7 @@ index f3e1b57..d6a93ac 100644
auth_use_nsswitch(iptables_t)
-@@ -82,6 +85,7 @@ init_use_script_ptys(iptables_t)
+@@ -82,6 +88,7 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -64342,7 +65465,7 @@ index f3e1b57..d6a93ac 100644
logging_send_syslog_msg(iptables_t)
-@@ -90,7 +94,7 @@ miscfiles_read_localization(iptables_t)
+@@ -90,7 +97,7 @@ miscfiles_read_localization(iptables_t)
sysnet_domtrans_ifconfig(iptables_t)
sysnet_dns_name_resolve(iptables_t)
@@ -64351,7 +65474,7 @@ index f3e1b57..d6a93ac 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -99,6 +103,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -99,6 +106,8 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -64360,7 +65483,7 @@ index f3e1b57..d6a93ac 100644
')
optional_policy(`
-@@ -121,6 +127,7 @@ optional_policy(`
+@@ -121,6 +130,7 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -64368,7 +65491,7 @@ index f3e1b57..d6a93ac 100644
')
optional_policy(`
-@@ -134,6 +141,7 @@ optional_policy(`
+@@ -134,6 +144,7 @@ optional_policy(`
optional_policy(`
shorewall_read_tmp_files(iptables_t)
shorewall_rw_lib_files(iptables_t)
@@ -67561,7 +68684,7 @@ index 170e2c7..b85fc73 100644
+ ')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..f2b7643 100644
+index 7ed9819..3ee9ea8 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -67832,17 +68955,17 @@ index 7ed9819..f2b7643 100644
-allow semanage_t self:unix_stream_socket create_stream_socket_perms;
-allow semanage_t self:unix_dgram_socket create_socket_perms;
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--
--allow semanage_t policy_config_t:file rw_file_perms;
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-allow semanage_t policy_config_t:file rw_file_perms;
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
-
@@ -67871,13 +68994,13 @@ index 7ed9819..f2b7643 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
--
--locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
+-locallogin_use_fds(semanage_t)
+-
+-logging_send_syslog_msg(semanage_t)
+-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -67894,7 +69017,7 @@ index 7ed9819..f2b7643 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -482,123 +493,85 @@ seutil_manage_default_contexts(semanage_t)
+@@ -482,6 +493,14 @@ seutil_manage_default_contexts(semanage_t)
userdom_read_user_home_content_files(semanage_t)
userdom_read_user_tmp_files(semanage_t)
@@ -67909,17 +69032,7 @@ index 7ed9819..f2b7643 100644
ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)
files_read_var_lib_symlinks(semanage_t)
- ')
-
-+optional_policy(`
-+ setrans_initrc_domtrans(semanage_t)
-+ domain_system_change_exemption(semanage_t)
-+ consoletype_exec(semanage_t)
-+')
-+
- ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(semanage_t)
+@@ -493,112 +512,60 @@ ifdef(`distro_ubuntu',`
')
')
@@ -67972,23 +69085,23 @@ index 7ed9819..f2b7643 100644
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
-
+-
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
-selinux_compute_relabel_context(setfiles_t)
-selinux_compute_user_contexts(setfiles_t)
++init_dontaudit_use_fds(setsebool_t)
+
+-term_use_all_ttys(setfiles_t)
+-term_use_all_ptys(setfiles_t)
+-term_use_unallocated_ttys(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
--term_use_all_ttys(setfiles_t)
--term_use_all_ptys(setfiles_t)
--term_use_unallocated_ttys(setfiles_t)
--
-# this is to satisfy the assertion:
-auth_relabelto_shadow(setfiles_t)
-
@@ -68366,7 +69479,7 @@ index ff80d0a..be800df 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..7e4782d 100644
+index 34d0ec5..767ccbd 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -68503,7 +69616,7 @@ index 34d0ec5..7e4782d 100644
')
optional_policy(`
-@@ -192,7 +223,19 @@ optional_policy(`
+@@ -192,17 +223,31 @@ optional_policy(`
')
optional_policy(`
@@ -68523,7 +69636,19 @@ index 34d0ec5..7e4782d 100644
')
optional_policy(`
-@@ -213,6 +256,11 @@ optional_policy(`
+ nscd_initrc_domtrans(dhcpc_t)
++ nscd_systemctl(dhcpc_t)
+ nscd_domtrans(dhcpc_t)
+ nscd_read_pid(dhcpc_t)
+ ')
+
+ optional_policy(`
+ ntp_initrc_domtrans(dhcpc_t)
++ ntp_systemctl(dhcpc_t)
+ ')
+
+ optional_policy(`
+@@ -213,6 +258,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -68535,7 +69660,7 @@ index 34d0ec5..7e4782d 100644
')
optional_policy(`
-@@ -255,6 +303,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +305,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -68543,7 +69668,7 @@ index 34d0ec5..7e4782d 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +325,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +327,11 @@ dev_read_urand(ifconfig_t)
domain_use_interactive_fds(ifconfig_t)
@@ -68555,7 +69680,7 @@ index 34d0ec5..7e4782d 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +353,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +355,12 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@@ -68570,7 +69695,7 @@ index 34d0ec5..7e4782d 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +367,18 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +369,18 @@ ifdef(`distro_ubuntu',`
')
')
@@ -68589,7 +69714,7 @@ index 34d0ec5..7e4782d 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +389,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +391,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -68604,7 +69729,7 @@ index 34d0ec5..7e4782d 100644
')
optional_policy(`
-@@ -335,6 +405,18 @@ optional_policy(`
+@@ -335,6 +407,18 @@ optional_policy(`
')
optional_policy(`
@@ -68623,7 +69748,7 @@ index 34d0ec5..7e4782d 100644
nis_use_ypbind(ifconfig_t)
')
-@@ -356,3 +438,9 @@ optional_policy(`
+@@ -356,3 +440,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -68660,10 +69785,10 @@ index 0000000..9eaa38e
+/var/run/initramfs(/.*)? <<none>>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..25872de
+index 0000000..46a3ec0
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,454 @@
+@@ -0,0 +1,456 @@
+## <summary>SELinux policy for systemd components</summary>
+
+#######################################
@@ -68710,6 +69835,8 @@ index 0000000..25872de
+
+ corecmd_search_bin($1)
+ can_exec($1, systemd_systemctl_exec_t)
++
++ init_read_state($1)
+')
+
+#######################################
@@ -69120,10 +70247,10 @@ index 0000000..25872de
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..0cb5eaa
+index 0000000..c8a0e6f
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,372 @@
+@@ -0,0 +1,368 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -69262,10 +70389,6 @@ index 0000000..0cb5eaa
+')
+
+optional_policy(`
-+ nis_use_ypbind(systemd_logind_t)
-+')
-+
-+optional_policy(`
+ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
+')
@@ -70688,7 +71811,7 @@ index db75976..494ec08 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..fe5913a 100644
+index 4b2878a..e548ede 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -71455,7 +72578,7 @@ index 4b2878a..fe5913a 100644
')
optional_policy(`
-@@ -650,41 +798,50 @@ template(`userdom_common_user_template',`
+@@ -650,40 +798,52 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -71512,12 +72635,14 @@ index 4b2878a..fe5913a 100644
optional_policy(`
- usernetctl_run($1_t, $1_r)
+ slrnpull_search_spool($1_usertype)
- ')
++ ')
+
++ optional_policy(`
++ thumb_role($1_r, $1_usertype)
+ ')
')
- #######################################
-@@ -712,13 +869,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +872,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -71531,7 +72656,9 @@ index 4b2878a..fe5913a 100644
- userdom_manage_tmpfs_role($1_r, $1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -71539,9 +72666,7 @@ index 4b2878a..fe5913a 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -71549,7 +72674,7 @@ index 4b2878a..fe5913a 100644
userdom_change_password_template($1)
-@@ -736,72 +906,76 @@ template(`userdom_login_user_template', `
+@@ -736,72 +909,76 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -71620,46 +72745,46 @@ index 4b2878a..fe5913a 100644
- seutil_read_config($1_t)
+ seutil_read_config($1_usertype)
-+
-+ optional_policy(`
-+ cups_read_config($1_usertype)
-+ cups_stream_connect($1_usertype)
-+ cups_stream_connect_ptal($1_usertype)
-+ ')
optional_policy(`
- cups_read_config($1_t)
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
-+ kerberos_use($1_usertype)
-+ kerberos_filetrans_home_content($1_usertype)
++ cups_read_config($1_usertype)
++ cups_stream_connect($1_usertype)
++ cups_stream_connect_ptal($1_usertype)
')
optional_policy(`
- kerberos_use($1_t)
-+ mta_dontaudit_read_spool_symlinks($1_usertype)
++ kerberos_use($1_usertype)
++ kerberos_filetrans_home_content($1_usertype)
')
optional_policy(`
- mta_dontaudit_read_spool_symlinks($1_t)
-+ quota_dontaudit_getattr_db($1_usertype)
++ mta_dontaudit_read_spool_symlinks($1_usertype)
')
optional_policy(`
- quota_dontaudit_getattr_db($1_t)
-+ rpm_read_db($1_usertype)
-+ rpm_dontaudit_manage_db($1_usertype)
-+ rpm_read_cache($1_usertype)
++ quota_dontaudit_getattr_db($1_usertype)
')
optional_policy(`
- rpm_read_db($1_t)
- rpm_dontaudit_manage_db($1_t)
++ rpm_read_db($1_usertype)
++ rpm_dontaudit_manage_db($1_usertype)
++ rpm_read_cache($1_usertype)
++ ')
++
++ optional_policy(`
+ oddjob_run_mkhomedir($1_t, $1_r)
')
')
-@@ -833,6 +1007,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1010,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -71669,7 +72794,7 @@ index 4b2878a..fe5913a 100644
##############################
#
# Local policy
-@@ -874,45 +1051,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1054,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -71799,7 +72924,7 @@ index 4b2878a..fe5913a 100644
')
')
-@@ -947,7 +1197,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1200,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -71808,7 +72933,7 @@ index 4b2878a..fe5913a 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1206,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1209,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -71826,7 +72951,7 @@ index 4b2878a..fe5913a 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1231,72 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1234,72 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -71861,9 +72986,11 @@ index 4b2878a..fe5913a 100644
+
+ optional_policy(`
+ cron_role($1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ games_rw_data($1_usertype)
+ ')
+
@@ -71885,11 +73012,9 @@ index 4b2878a..fe5913a 100644
+
+ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
+ ')
+
@@ -71908,7 +73033,7 @@ index 4b2878a..fe5913a 100644
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1308,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -71919,7 +73044,7 @@ index 4b2878a..fe5913a 100644
')
')
-@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1346,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -71928,7 +73053,7 @@ index 4b2878a..fe5913a 100644
')
##############################
-@@ -1066,6 +1370,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1373,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -71936,7 +73061,7 @@ index 4b2878a..fe5913a 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1379,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -71946,7 +73071,7 @@ index 4b2878a..fe5913a 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1396,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -71954,7 +73079,7 @@ index 4b2878a..fe5913a 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1414,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -71968,7 +73093,7 @@ index 4b2878a..fe5913a 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1431,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -72011,7 +73136,7 @@ index 4b2878a..fe5913a 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1472,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -72020,7 +73145,7 @@ index 4b2878a..fe5913a 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1533,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -72029,7 +73154,7 @@ index 4b2878a..fe5913a 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1547,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -72040,7 +73165,7 @@ index 4b2878a..fe5913a 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1560,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -72069,7 +73194,7 @@ index 4b2878a..fe5913a 100644
')
optional_policy(`
-@@ -1251,12 +1588,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -72085,7 +73210,7 @@ index 4b2878a..fe5913a 100644
')
optional_policy(`
-@@ -1279,54 +1616,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1619,66 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -72167,14 +73292,13 @@ index 4b2878a..fe5913a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1334,9 +1683,46 @@ interface(`userdom_setattr_user_ptys',`
+@@ -1334,7 +1686,44 @@ interface(`userdom_setattr_user_ptys',`
## </summary>
## </param>
#
-interface(`userdom_create_user_pty',`
+interface(`userdom_attach_admin_tun_iface',`
- gen_require(`
-- type user_devpts_t;
++ gen_require(`
+ attribute admindomain;
+ ')
+
@@ -72211,12 +73335,10 @@ index 4b2878a..fe5913a 100644
+## </param>
+#
+interface(`userdom_create_user_pty',`
-+ gen_require(`
-+ type user_devpts_t;
+ gen_require(`
+ type user_devpts_t;
')
-
- term_create_pty($1, user_devpts_t)
-@@ -1395,6 +1781,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -72224,7 +73346,7 @@ index 4b2878a..fe5913a 100644
files_search_home($1)
')
-@@ -1441,6 +1828,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1831,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -72239,7 +73361,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1456,9 +1851,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -72251,7 +73373,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1515,6 +1912,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -72294,7 +73416,7 @@ index 4b2878a..fe5913a 100644
########################################
## <summary>
## Create directories in the home dir root with
-@@ -1589,6 +2022,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -72303,7 +73425,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1603,10 +2038,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -72318,7 +73440,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1649,6 +2086,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -72362,7 +73484,7 @@ index 4b2878a..fe5913a 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1668,6 +2142,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
## <summary>
@@ -72388,7 +73510,7 @@ index 4b2878a..fe5913a 100644
## Mmap user home files.
## </summary>
## <param name="domain">
-@@ -1700,12 +2193,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2196,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -72421,7 +73543,7 @@ index 4b2878a..fe5913a 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2229,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2232,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -72439,7 +73561,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1779,6 +2295,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2298,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -72500,7 +73622,7 @@ index 4b2878a..fe5913a 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2380,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2383,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -72510,7 +73632,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -1827,20 +2396,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2399,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -72535,7 +73657,7 @@ index 4b2878a..fe5913a 100644
########################################
## <summary>
-@@ -1941,6 +2504,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2507,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
## <summary>
@@ -72560,7 +73682,7 @@ index 4b2878a..fe5913a 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
## </summary>
-@@ -2008,7 +2589,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2592,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -72569,7 +73691,7 @@ index 4b2878a..fe5913a 100644
files_search_home($1)
')
-@@ -2039,7 +2620,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2623,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -72578,7 +73700,7 @@ index 4b2878a..fe5913a 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2182,7 +2763,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2766,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -72587,7 +73709,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -2390,7 +2971,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2974,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -72596,7 +73718,7 @@ index 4b2878a..fe5913a 100644
files_search_tmp($1)
')
-@@ -2435,13 +3016,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3019,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -72612,7 +73734,7 @@ index 4b2878a..fe5913a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +3044,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3047,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -72639,7 +73761,7 @@ index 4b2878a..fe5913a 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2572,7 +3134,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3137,7 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -72648,7 +73770,7 @@ index 4b2878a..fe5913a 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2580,70 +3142,138 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,70 +3145,138 @@ interface(`userdom_use_user_ttys',`
## </summary>
## </param>
#
@@ -72816,7 +73938,7 @@ index 4b2878a..fe5913a 100644
########################################
## <summary>
## Execute a shell in all user domains. This
-@@ -2713,6 +3343,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3346,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -72841,7 +73963,7 @@ index 4b2878a..fe5913a 100644
########################################
## <summary>
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2736,24 +3384,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3387,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -72866,7 +73988,7 @@ index 4b2878a..fe5913a 100644
########################################
## <summary>
## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3402,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3405,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -72892,7 +74014,7 @@ index 4b2878a..fe5913a 100644
########################################
## <summary>
## Manage unpriviledged user SysV shared
-@@ -2852,7 +3463,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3466,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -72901,7 +74023,7 @@ index 4b2878a..fe5913a 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3479,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3482,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -72935,7 +74057,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -2972,7 +3567,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3570,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -72944,7 +74066,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -3027,7 +3622,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3625,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -72991,7 +74113,7 @@ index 4b2878a..fe5913a 100644
')
########################################
-@@ -3064,6 +3697,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3700,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -72999,7 +74121,7 @@ index 4b2878a..fe5913a 100644
kernel_search_proc($1)
')
-@@ -3142,6 +3776,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3779,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -73024,7 +74146,7 @@ index 4b2878a..fe5913a 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3194,3 +3846,1076 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3849,1076 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')