diff --git a/policy-F16.patch b/policy-F16.patch
index e0d652c..ee7f839 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -6172,7 +6172,7 @@ index 93ac529..35b51ab 100644
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..d88c02c 100644
+index 9a6d67d..19de023 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -6283,7 +6283,7 @@ index 9a6d67d..d88c02c 100644
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
+ allow $1 mozilla_plugin_t:process { signal sigkill };
+
-+
++ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
+')
+
+########################################
@@ -6309,7 +6309,7 @@ index 9a6d67d..d88c02c 100644
## Send and receive messages from
## mozilla over dbus.
##
-@@ -204,3 +301,40 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -204,3 +301,39 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
@@ -6349,9 +6349,8 @@ index 9a6d67d..d88c02c 100644
+
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
-+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..3ed1287 100644
+index 2a91fa8..5f272f7 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -6440,7 +6439,7 @@ index 2a91fa8..3ed1287 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +289,192 @@ optional_policy(`
+@@ -266,3 +289,194 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -6604,6 +6603,7 @@ index 2a91fa8..3ed1287 100644
+ nsplugin_manage_home_files(mozilla_plugin_t)
+ nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir)
+ nsplugin_user_home_filetrans(mozilla_plugin_t, file)
++ nsplugin_read_rw_files(mozilla_plugin_t);
+ nsplugin_signal(mozilla_plugin_t)
+')
+
@@ -6620,6 +6620,7 @@ index 2a91fa8..3ed1287 100644
+ xserver_use_user_fonts(mozilla_plugin_t)
+ xserver_read_user_iceauth(mozilla_plugin_t)
+ xserver_read_user_xauth(mozilla_plugin_t)
++ xserver_append_xdm_home_files(mozilla_plugin_t);
+')
+
+tunable_policy(`use_nfs_home_dirs',`
@@ -6796,10 +6797,10 @@ index 0000000..8d7c751
+')
diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
new file mode 100644
-index 0000000..4af1aa0
+index 0000000..bb6b61e
--- /dev/null
+++ b/policy/modules/apps/namespace.te
-@@ -0,0 +1,36 @@
+@@ -0,0 +1,38 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -6829,6 +6830,8 @@ index 0000000..4af1aa0
+files_read_etc_files(namespace_init_t)
+files_polyinstantiate_all(namespace_init_t)
+
++auth_use_nsswitch(namespace_init_t)
++
+miscfiles_read_localization(namespace_init_t)
+
+userdom_manage_user_home_content_dirs(namespace_init_t)
@@ -8717,10 +8720,10 @@ index 0000000..0fedd57
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..104b919
+index 0000000..fc0e3f7
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,481 @@
+@@ -0,0 +1,483 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8950,6 +8953,8 @@ index 0000000..104b919
+init_read_utmp(sandbox_x_domain)
+init_dontaudit_write_utmp(sandbox_x_domain)
+
++libs_dontaudit_setattr_lib_files(sandbox_x_domain)
++
+miscfiles_read_localization(sandbox_x_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
+
@@ -9324,10 +9329,10 @@ index 1dc7a85..787df80 100644
+ ')
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 7590165..708e1f2 100644
+index 7590165..9a7ebe5 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
-@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0)
+@@ -5,40 +5,61 @@ policy_module(seunshare, 1.1.0)
# Declarations
#
@@ -9360,25 +9365,27 @@ index 7590165..708e1f2 100644
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
++dev_read_urand(seunshare_domain)
+
+-auth_use_nsswitch(seunshare_t)
+files_search_all(seunshare_domain)
+files_read_etc_files(seunshare_domain)
+files_mounton_all_poly_members(seunshare_domain)
+files_manage_generic_tmp_dirs(seunshare_domain)
+files_relabelfrom_tmp_dirs(seunshare_domain)
--auth_use_nsswitch(seunshare_t)
+-logging_send_syslog_msg(seunshare_t)
+fs_manage_cgroup_dirs(seunshare_domain)
+fs_manage_cgroup_files(seunshare_domain)
--logging_send_syslog_msg(seunshare_t)
+-miscfiles_read_localization(seunshare_t)
+auth_use_nsswitch(seunshare_domain)
--miscfiles_read_localization(seunshare_t)
+-userdom_use_user_terminals(seunshare_t)
+logging_send_syslog_msg(seunshare_domain)
--userdom_use_user_terminals(seunshare_t)
+miscfiles_read_localization(seunshare_domain)
-
++
+userdom_use_inherited_user_terminals(seunshare_domain)
+userdom_list_user_home_content(seunshare_domain)
ifdef(`hide_broken_symptoms', `
@@ -10429,8 +10436,17 @@ index 8bfe97d..6bba1a8 100644
userdom_user_home_content(wireshark_home_t)
type wireshark_tmp_t;
+diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc
+index be30d55..93d128c 100644
+--- a/policy/modules/apps/wm.fc
++++ b/policy/modules/apps/wm.fc
+@@ -1,3 +1,4 @@
+ /usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
+ /usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
+ /usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
++/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
-index 82842a0..4111a1d 100644
+index 82842a0..50c1a74 100644
--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
@@ -44,7 +44,7 @@ template(`wm_role_template',`
@@ -10442,7 +10458,7 @@ index 82842a0..4111a1d 100644
allow $1_wm_t $3:process { signull sigkill };
allow $1_wm_t $3:dbus send_msg;
-@@ -72,9 +72,15 @@ template(`wm_role_template',`
+@@ -72,9 +72,16 @@ template(`wm_role_template',`
auth_use_nsswitch($1_wm_t)
@@ -10454,6 +10470,7 @@ index 82842a0..4111a1d 100644
+ userdom_manage_home_role($2, $1_wm_t)
+ userdom_manage_tmpfs_role($2, $1_wm_t)
+ userdom_manage_tmp_role($2, $1_wm_t)
++ userdom_exec_user_tmp_files($1_wm_t)
+
optional_policy(`
dbus_system_bus_client($1_wm_t)
@@ -10844,7 +10861,7 @@ index 5a07a43..99c7564 100644
##
##
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 0757523..f8de84b 100644
+index 0757523..7b77799 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -16,6 +16,7 @@ attribute rpc_port_type;
@@ -10921,7 +10938,7 @@ index 0757523..f8de84b 100644
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
-@@ -96,9 +117,12 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -96,9 +117,13 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -10930,11 +10947,12 @@ index 0757523..f8de84b 100644
network_port(epmap, tcp,135,s0, udp,135,s0)
+network_port(festival, tcp,1314,s0)
network_port(fingerd, tcp,79,s0)
++network_port(firebird, tcp,3050,s0, udp,3050,s0)
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -112,7 +136,7 @@ network_port(hddtemp, tcp,7634,s0)
+@@ -112,7 +137,7 @@ network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@@ -10943,7 +10961,7 @@ index 0757523..f8de84b 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -126,43 +150,58 @@ network_port(iscsi, tcp,3260,s0)
+@@ -126,43 +151,58 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@@ -11008,7 +11026,7 @@ index 0757523..f8de84b 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
-@@ -177,24 +216,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -177,24 +217,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -11042,7 +11060,7 @@ index 0757523..f8de84b 100644
network_port(syslogd, udp,514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
-@@ -205,16 +249,17 @@ network_port(transproxy, tcp,8081,s0)
+@@ -205,16 +250,17 @@ network_port(transproxy, tcp,8081,s0)
network_port(ups, tcp,3493,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
@@ -11063,7 +11081,7 @@ index 0757523..f8de84b 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-@@ -276,5 +321,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
+@@ -276,5 +322,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@@ -11101,7 +11119,7 @@ index 6cf8784..5b25039 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..6db0863 100644
+index e9313fb..f8b1eee 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -11256,7 +11274,174 @@ index e9313fb..6db0863 100644
')
########################################
-@@ -920,7 +975,7 @@ interface(`dev_filetrans',`
+@@ -841,6 +896,166 @@ interface(`dev_manage_all_dev_nodes',`
+
+ ########################################
+ ##
++## Check generic block device nodes
++## for read permission.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_check_read_generic_blk_dev_nodes',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ allow $1 { device_t device_node }:blk_file read;
++')
++
++########################################
++##
++## Check generic block device nodes
++## for write permission.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_check_write_generic_blk_dev_nodes',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ allow $1 { device_t device_node }:blk_file write;
++')
++
++########################################
++##
++## Check all character device nodes
++## for read permission.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_check_read_all_chr_dev_nodes',`
++ gen_require(`
++ attribute device_node, memory_raw_read;
++ type device_t;
++ ')
++
++ allow $1 { device_t device_node }:chr_file read;
++ typeattribute $1 memory_raw_read;
++')
++
++########################################
++##
++## Check all character device nodes
++## for write permission.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_check_write_all_chr_dev_nodes',`
++ gen_require(`
++ attribute device_node, memory_raw_write;
++ type device_t;
++ ')
++
++ allow $1 { device_t device_node }:chr_file write;
++ typeattribute $1 memory_raw_write;
++')
++
++########################################
++##
++## Create all character device_nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_create_all_chr_dev_nodes',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ create_chr_files_pattern($1, device_t, device_node)
++')
++
++########################################
++##
++## Create all block device_nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_create_all_blk_dev_nodes',`
++ gen_require(`
++ attribute device_node;
++ type device_t;
++ ')
++
++ create_blk_files_pattern($1, device_t, device_node)
++')
++
++########################################
++##
++## Set attributes of all character
++## device_nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_all_chr_dev_nodes',`
++ gen_require(`
++ type device_t;
++ attribute device_node;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, { device_t device_node })
++')
++
++########################################
++##
++## Set attributes of all block
++## device_nodes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dev_setattr_all_blk_dev_nodes',`
++ gen_require(`
++ type device_t;
++ attribute device_node;
++ ')
++
++ setattr_blk_files_pattern($1, device_t, { device_t device_node })
++')
++
++########################################
++##
+ ## Dontaudit getattr for generic device files.
+ ##
+ ##
+@@ -920,7 +1135,7 @@ interface(`dev_filetrans',`
type device_t;
')
@@ -11265,7 +11450,7 @@ index e9313fb..6db0863 100644
dev_associate($2)
files_associate_tmp($2)
-@@ -1178,6 +1233,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1178,6 +1393,42 @@ interface(`dev_create_all_chr_files',`
########################################
##
@@ -11308,7 +11493,7 @@ index e9313fb..6db0863 100644
## Delete all block device files.
##
##
-@@ -3192,24 +3283,6 @@ interface(`dev_rw_printer',`
+@@ -3192,24 +3443,6 @@ interface(`dev_rw_printer',`
########################################
##
@@ -11333,7 +11518,7 @@ index e9313fb..6db0863 100644
## Get the attributes of the QEMU
## microcode and id interfaces.
##
-@@ -3793,6 +3866,24 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3793,6 +4026,24 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
##
@@ -11358,7 +11543,7 @@ index e9313fb..6db0863 100644
## Search the sysfs directories.
##
##
-@@ -3884,25 +3975,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3884,25 +4135,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
########################################
##
@@ -11384,7 +11569,7 @@ index e9313fb..6db0863 100644
## Read hardware state information.
##
##
-@@ -3954,6 +4026,42 @@ interface(`dev_rw_sysfs',`
+@@ -3954,6 +4186,42 @@ interface(`dev_rw_sysfs',`
########################################
##
@@ -11427,7 +11612,7 @@ index e9313fb..6db0863 100644
## Read and write the TPM device.
##
##
-@@ -4514,6 +4622,24 @@ interface(`dev_rwx_vmware',`
+@@ -4514,6 +4782,24 @@ interface(`dev_rwx_vmware',`
########################################
##
@@ -11452,7 +11637,7 @@ index e9313fb..6db0863 100644
## Write to watchdog devices.
##
##
-@@ -4748,3 +4874,751 @@ interface(`dev_unconfined',`
+@@ -4748,3 +5034,752 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -11874,6 +12059,7 @@ index e9313fb..6db0863 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia7)
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia8)
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia9)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidiactl)
+ filetrans_pattern($1, device_t, nvram_device_t, chr_file, nvram)
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, oldmem)
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, opengl)
@@ -12536,7 +12722,7 @@ index bc534c1..b70ea07 100644
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 16108f6..e76bf67 100644
+index 16108f6..de3c68f 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -12642,7 +12828,7 @@ index 16108f6..e76bf67 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -227,6 +241,8 @@ ifndef(`distro_redhat',`
+@@ -227,23 +241,27 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -12651,7 +12837,11 @@ index 16108f6..e76bf67 100644
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <>
-@@ -237,13 +253,14 @@ ifndef(`distro_redhat',`
+
+ /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
++/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
+
+ /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <>
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
@@ -12667,7 +12857,7 @@ index 16108f6..e76bf67 100644
/var/tmp/.* <>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
-@@ -252,3 +269,7 @@ ifndef(`distro_redhat',`
+@@ -252,3 +270,7 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -12676,7 +12866,7 @@ index 16108f6..e76bf67 100644
+
+/usr/lib/debug(/.*)? <>
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..4725d50 100644
+index 958ca84..4f3ff26 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -12778,6 +12968,15 @@ index 958ca84..4725d50 100644
## List the contents of the root directory.
##
##
+@@ -1526,7 +1596,7 @@ interface(`files_root_filetrans',`
+ type root_t;
+ ')
+
+- filetrans_pattern($1, root_t, $2, $3)
++ filetrans_pattern($1, root_t, $2, $3, $4)
+ ')
+
+ ########################################
@@ -1731,6 +1801,24 @@ interface(`files_list_boot',`
allow $1 boot_t:dir list_dir_perms;
')
@@ -13322,6 +13521,15 @@ index 958ca84..4725d50 100644
##
##
##
+@@ -4103,7 +4579,7 @@ interface(`files_tmp_filetrans',`
+ type tmp_t;
+ ')
+
+- filetrans_pattern($1, tmp_t, $2, $3)
++ filetrans_pattern($1, tmp_t, $2, $3, $4)
+ ')
+
+ ########################################
@@ -4127,6 +4603,15 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
@@ -15283,7 +15491,7 @@ index a9b8982..57c4a6a 100644
+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 3723150..aa1ba6a 100644
+index 3723150..a137563 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -15295,7 +15503,41 @@ index 3723150..aa1ba6a 100644
typeattribute $1 fixed_disk_raw_read;
')
-@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -152,6 +154,33 @@ interface(`storage_raw_write_fixed_disk',`
+
+ ########################################
+ ##
++## Directly check for write from a
++## fixed disk. This is extremly
++## dangerous as it can bypass the
++## SELinux protections for filesystem
++## objects, and should only be used
++## by trusted domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`storage_raw_check_write_fixed_disk',`
++ gen_require(`
++ attribute fixed_disk_raw_write;
++ type fixed_disk_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 fixed_disk_device_t:blk_file write;
++ allow $1 fixed_disk_device_t:chr_file write;
++ typeattribute $1 fixed_disk_raw_write;
++')
++
++########################################
++##
+ ## Do not audit attempts made by the caller to write
+ ## fixed disk device nodes.
+ ##
+@@ -203,7 +232,10 @@ interface(`storage_create_fixed_disk_dev',`
type fixed_disk_device_t;
')
@@ -15306,7 +15548,40 @@ index 3723150..aa1ba6a 100644
dev_add_entry_generic_dirs($1)
')
-@@ -807,3 +812,265 @@ interface(`storage_unconfined',`
+@@ -474,6 +506,32 @@ interface(`storage_write_scsi_generic',`
+
+ ########################################
+ ##
++## Directly check for write from any
++## SCSI device. This is extremly
++## dangerous as it can bypass the
++## SELinux protections for filesystem
++## objects, and should only be used
++## by trusted domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`storage_check_write_scsi_generic',`
++ gen_require(`
++ attribute scsi_generic_write;
++ type scsi_generic_device_t;
++ ')
++
++ dev_list_all_dev_nodes($1)
++ allow $1 scsi_generic_device_t:chr_file write;
++ typeattribute $1 scsi_generic_write;
++')
++
++########################################
++##
+ ## Set attributes of the device nodes
+ ## for the SCSI generic inerface.
+ ##
+@@ -807,3 +865,265 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -16348,7 +16623,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..db5a937 100644
+index 2be17d2..95ff489 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0)
@@ -16403,7 +16678,7 @@ index 2be17d2..db5a937 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,25 +66,139 @@ optional_policy(`
+@@ -27,25 +66,140 @@ optional_policy(`
')
optional_policy(`
@@ -16477,6 +16752,7 @@ index 2be17d2..db5a937 100644
optional_policy(`
+ qemu_run(staff_t, staff_r)
+ virt_manage_tmpfs_files(staff_t)
++ virt_user_home_dir_filetrans(staff_t)
+')
+
+optional_policy(`
@@ -16545,7 +16821,7 @@ index 2be17d2..db5a937 100644
optional_policy(`
vlock_run(staff_t, staff_r)
-@@ -89,10 +242,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +243,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -16556,7 +16832,7 @@ index 2be17d2..db5a937 100644
gpg_role(staff_r, staff_t)
')
-@@ -137,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +287,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -16567,7 +16843,7 @@ index 2be17d2..db5a937 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +317,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +318,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -16576,7 +16852,7 @@ index 2be17d2..db5a937 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..d73faa1 100644
+index 4a8d146..65a8661 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,55 @@ ifndef(`enable_mls',`
@@ -16643,15 +16919,18 @@ index 4a8d146..d73faa1 100644
')
tunable_policy(`allow_ptrace',`
-@@ -69,7 +105,6 @@ optional_policy(`
+@@ -67,9 +103,9 @@ optional_policy(`
+
+ optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
++ apache_filetrans_home_content(sysadm_t)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
- apache_role(sysadm_r, sysadm_t)
')
optional_policy(`
-@@ -98,6 +133,10 @@ optional_policy(`
+@@ -98,6 +134,10 @@ optional_policy(`
')
optional_policy(`
@@ -16662,7 +16941,7 @@ index 4a8d146..d73faa1 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -114,7 +153,7 @@ optional_policy(`
+@@ -114,7 +154,7 @@ optional_policy(`
')
optional_policy(`
@@ -16671,7 +16950,7 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -124,6 +163,10 @@ optional_policy(`
+@@ -124,6 +164,10 @@ optional_policy(`
')
optional_policy(`
@@ -16682,7 +16961,7 @@ index 4a8d146..d73faa1 100644
ddcprobe_run(sysadm_t, sysadm_r)
')
-@@ -163,6 +206,13 @@ optional_policy(`
+@@ -163,6 +207,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -16696,12 +16975,13 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -170,15 +220,15 @@ optional_policy(`
+@@ -170,15 +221,16 @@ optional_policy(`
')
optional_policy(`
- kudzu_run(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
++ kerberos_filetrans_named_content(sysadm_t)
')
optional_policy(`
@@ -16715,7 +16995,7 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -198,18 +248,12 @@ optional_policy(`
+@@ -198,22 +250,19 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -16736,7 +17016,14 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -225,6 +269,10 @@ optional_policy(`
+ mta_role(sysadm_r, sysadm_t)
++ # this is defined in userdom_common_user_template
++ #mta_filetrans_home_content(sysadm_t)
++ mta_filetrans_admin_home_content(sysadm_t)
+ ')
+
+ optional_policy(`
+@@ -225,6 +274,10 @@ optional_policy(`
')
optional_policy(`
@@ -16747,7 +17034,7 @@ index 4a8d146..d73faa1 100644
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -253,7 +301,7 @@ optional_policy(`
+@@ -253,7 +306,7 @@ optional_policy(`
')
optional_policy(`
@@ -16756,7 +17043,7 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -265,20 +313,14 @@ optional_policy(`
+@@ -265,20 +318,14 @@ optional_policy(`
')
optional_policy(`
@@ -16778,7 +17065,7 @@ index 4a8d146..d73faa1 100644
optional_policy(`
rsync_exec(sysadm_t)
-@@ -307,7 +349,7 @@ optional_policy(`
+@@ -307,7 +354,7 @@ optional_policy(`
')
optional_policy(`
@@ -16787,7 +17074,7 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -332,10 +374,6 @@ optional_policy(`
+@@ -332,10 +379,6 @@ optional_policy(`
')
optional_policy(`
@@ -16798,7 +17085,7 @@ index 4a8d146..d73faa1 100644
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +381,15 @@ optional_policy(`
+@@ -343,19 +386,15 @@ optional_policy(`
')
optional_policy(`
@@ -16820,7 +17107,7 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -367,17 +401,14 @@ optional_policy(`
+@@ -367,17 +406,14 @@ optional_policy(`
')
optional_policy(`
@@ -16840,16 +17127,17 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -389,7 +420,7 @@ optional_policy(`
+@@ -389,7 +425,8 @@ optional_policy(`
')
optional_policy(`
- wireshark_role(sysadm_r, sysadm_t)
+ virt_stream_connect(sysadm_t)
++ virt_user_home_dir_filetrans(sysadm_t)
')
optional_policy(`
-@@ -404,8 +435,15 @@ optional_policy(`
+@@ -404,8 +441,15 @@ optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
@@ -16865,7 +17153,7 @@ index 4a8d146..d73faa1 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,6 +477,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +483,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -16873,7 +17161,7 @@ index 4a8d146..d73faa1 100644
')
optional_policy(`
-@@ -452,5 +491,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +497,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
@@ -17644,10 +17932,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..7d48821
+index 0000000..4c5f006
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,519 @@
+@@ -0,0 +1,525 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -17990,6 +18278,10 @@ index 0000000..7d48821
+')
+
+optional_policy(`
++ kerberos_filetrans_named_content(unconfined_t)
++')
++
++optional_policy(`
+ livecd_run(unconfined_t, unconfined_r)
+')
+
@@ -18021,6 +18313,10 @@ index 0000000..7d48821
+')
+
+optional_policy(`
++ mta_filetrans_named_content(unconfined_t)
++')
++
++optional_policy(`
+ ncftool_run(unconfined_t, unconfined_r)
+')
+
@@ -18072,10 +18368,6 @@ index 0000000..7d48821
+')
+
+optional_policy(`
-+ sendmail_run_unconfined(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
+ sysnet_run_dhcpc(unconfined_t, unconfined_r)
+ sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
@@ -18091,6 +18383,7 @@ index 0000000..7d48821
+
+optional_policy(`
+ virt_transition_svirt(unconfined_t, unconfined_r)
++ virt_user_home_dir_filetrans(unconfined_t)
+')
+
+optional_policy(`
@@ -18107,6 +18400,7 @@ index 0000000..7d48821
+
+optional_policy(`
+ xserver_run(unconfined_t, unconfined_r)
++ xserver_manage_home_fonts(unconfined_t)
+')
+
+########################################
@@ -19292,7 +19586,7 @@ index 0370dba..af5d229 100644
#
interface(`aisexec_domtrans',`
diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te
-index 97c9cae..c24bd66 100644
+index 97c9cae..568e37d 100644
--- a/policy/modules/services/aisexec.te
+++ b/policy/modules/services/aisexec.te
@@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t)
@@ -19304,7 +19598,7 @@ index 97c9cae..c24bd66 100644
allow aisexec_t self:process { setrlimit setsched signal };
allow aisexec_t self:fifo_file rw_fifo_file_perms;
allow aisexec_t self:sem create_sem_perms;
-@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t)
+@@ -81,11 +81,18 @@ logging_send_syslog_msg(aisexec_t)
miscfiles_read_localization(aisexec_t)
@@ -19314,6 +19608,15 @@ index 97c9cae..c24bd66 100644
optional_policy(`
ccs_stream_connect(aisexec_t)
')
+
+ optional_policy(`
++ corosync_domtrans(aisexec_t)
++')
++
++optional_policy(`
+ # to communication with RHCS
+ rhcs_rw_dlm_controld_semaphores(aisexec_t)
+
diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc
new file mode 100644
index 0000000..aeb1888
@@ -20293,7 +20596,7 @@ index 6480167..1440827 100644
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, web)
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..64d69b0 100644
+index 3136c6a..26669be 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -20684,7 +20987,7 @@ index 3136c6a..64d69b0 100644
libs_read_lib_files(httpd_t)
-@@ -416,34 +510,73 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +510,74 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -20718,6 +21021,7 @@ index 3136c6a..64d69b0 100644
')
+tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_firebird_port(httpd_t)
+ corenet_tcp_connect_mssql_port(httpd_t)
+ corenet_sendrecv_mssql_client_packets(httpd_t)
+ corenet_tcp_connect_oracledb_port(httpd_t)
@@ -20760,7 +21064,7 @@ index 3136c6a..64d69b0 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +589,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +590,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -20771,7 +21075,7 @@ index 3136c6a..64d69b0 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +603,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +604,27 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -20801,7 +21105,7 @@ index 3136c6a..64d69b0 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +633,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +634,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -20818,7 +21122,7 @@ index 3136c6a..64d69b0 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +657,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +658,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -20839,7 +21143,7 @@ index 3136c6a..64d69b0 100644
')
optional_policy(`
-@@ -513,7 +681,13 @@ optional_policy(`
+@@ -513,7 +682,13 @@ optional_policy(`
')
optional_policy(`
@@ -20854,7 +21158,7 @@ index 3136c6a..64d69b0 100644
')
optional_policy(`
-@@ -528,7 +702,18 @@ optional_policy(`
+@@ -528,7 +703,18 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -20874,7 +21178,7 @@ index 3136c6a..64d69b0 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +722,13 @@ optional_policy(`
+@@ -537,8 +723,13 @@ optional_policy(`
')
optional_policy(`
@@ -20889,7 +21193,7 @@ index 3136c6a..64d69b0 100644
')
')
-@@ -556,7 +746,13 @@ optional_policy(`
+@@ -556,7 +747,13 @@ optional_policy(`
')
optional_policy(`
@@ -20903,7 +21207,7 @@ index 3136c6a..64d69b0 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +763,7 @@ optional_policy(`
+@@ -567,6 +764,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -20911,7 +21215,7 @@ index 3136c6a..64d69b0 100644
')
optional_policy(`
-@@ -577,6 +774,16 @@ optional_policy(`
+@@ -577,6 +775,16 @@ optional_policy(`
')
optional_policy(`
@@ -20928,7 +21232,7 @@ index 3136c6a..64d69b0 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +798,11 @@ optional_policy(`
+@@ -591,6 +799,11 @@ optional_policy(`
')
optional_policy(`
@@ -20940,7 +21244,7 @@ index 3136c6a..64d69b0 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +815,11 @@ optional_policy(`
+@@ -603,6 +816,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -20952,7 +21256,7 @@ index 3136c6a..64d69b0 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +833,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +834,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -20965,7 +21269,7 @@ index 3136c6a..64d69b0 100644
########################################
#
-@@ -654,28 +875,29 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +876,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -20982,6 +21286,7 @@ index 3136c6a..64d69b0 100644
- corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_mssql_port(httpd_suexec_t)
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
++ corenet_tcp_connect_firebird_port(httpd_php_t)
+ corenet_tcp_connect_mssql_port(httpd_php_t)
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
+ corenet_tcp_connect_oracledb_port(httpd_php_t)
@@ -21008,7 +21313,7 @@ index 3136c6a..64d69b0 100644
')
########################################
-@@ -699,17 +921,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +923,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -21034,11 +21339,12 @@ index 3136c6a..64d69b0 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +967,26 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +969,27 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_firebird_port(httpd_suexec_t)
+ corenet_tcp_connect_mssql_port(httpd_suexec_t)
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
+ corenet_tcp_connect_oracledb_port(httpd_suexec_t)
@@ -21062,7 +21368,7 @@ index 3136c6a..64d69b0 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1009,25 @@ optional_policy(`
+@@ -769,6 +1012,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -21088,7 +21394,7 @@ index 3136c6a..64d69b0 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1048,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1051,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -21106,7 +21412,7 @@ index 3136c6a..64d69b0 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1067,49 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1070,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -21117,6 +21423,7 @@ index 3136c6a..64d69b0 100644
+')
+
+tunable_policy(`httpd_can_network_connect_db',`
++ corenet_tcp_connect_firebird_port(httpd_sys_script_t)
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
+ corenet_tcp_connect_oracledb_port(httpd_sys_script_t)
@@ -21162,7 +21469,7 @@ index 3136c6a..64d69b0 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1117,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1121,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -21193,7 +21500,7 @@ index 3136c6a..64d69b0 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1152,20 @@ optional_policy(`
+@@ -842,10 +1156,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -21214,7 +21521,7 @@ index 3136c6a..64d69b0 100644
')
########################################
-@@ -891,11 +1211,21 @@ optional_policy(`
+@@ -891,11 +1215,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -22740,6 +23047,16 @@ index 0000000..e7d2a5b
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
+diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc
+index 5432d0e..f77df02 100644
+--- a/policy/modules/services/canna.fc
++++ b/policy/modules/services/canna.fc
+@@ -20,4 +20,4 @@
+
+ /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0)
+ /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0)
+-/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0)
++/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 1d25efe..1b16191 100644
--- a/policy/modules/services/canna.te
@@ -24299,10 +24616,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..eba511c
+index 0000000..e79f653
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,96 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -24367,6 +24684,17 @@ index 0000000..eba511c
+
+sysnet_dns_name_resolve(colord_t)
+
++fs_search_all(colord_t)
++fs_read_noxattr_fs_files(colord_t)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(colord_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(colord_t)
++')
++
+optional_policy(`
+ cups_read_config(colord_t)
+ cups_read_rw_config(colord_t)
@@ -24375,6 +24703,10 @@ index 0000000..eba511c
+')
+
+optional_policy(`
++ gnome_read_gconf_home_files(colord_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
@@ -31044,7 +31376,7 @@ index 3525d24..923e979 100644
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..65fdeb0 100644
+index 604f67b..414cfb4 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -31108,7 +31440,7 @@ index 604f67b..65fdeb0 100644
+ ')
+
+ allow $1 krb5_keytab_t:file manage_file_perms;
-+ files_etc_filetrans($1, krb5_keytab_t, file)
++ files_etc_filetrans($1, krb5_keytab_t, file, $2)
+')
+
+########################################
@@ -31173,7 +31505,7 @@ index 604f67b..65fdeb0 100644
')
allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +374,41 @@ interface(`kerberos_admin',`
+@@ -378,3 +374,110 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -31189,12 +31521,12 @@ index 604f67b..65fdeb0 100644
+##
+##
+#
-+interface(`mta_tmp_filetrans_host_rcache',`
++interface(`kerberos_tmp_filetrans_host_rcache',`
+ gen_require(`
+ type krb5_host_rcache_t;
+ ')
+
-+ files_tmp_filetrans($1, krb5_host_rcache_t, file)
++ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
+')
+
+########################################
@@ -31215,8 +31547,77 @@ index 604f67b..65fdeb0 100644
+ userdom_search_user_home_dirs($1)
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
+')
++
++########################################
++##
++## create kerberos content in the in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_admin_home_content',`
++ gen_require(`
++ type kerberos_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, kerberos_home_t, file, .k5login)
++')
++
++########################################
++##
++## Transition to kerberos named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_home_content',`
++ gen_require(`
++ type kerberos_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, kerberos_home_t, file, .k5login)
++')
++
++########################################
++##
++## Transition to apache named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerberos_filetrans_named_content',`
++ gen_require(`
++ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
++ type krb5kdc_principal_t;
++ ')
++
++ files_etc_filetrans($1, krb5_conf_t, file, krb5.conf)
++ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, kadm5.keytab)
++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal)
++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal0)
++ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal1)
++ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal1)
++
++ kerberos_etc_filetrans_keytab($1, krb5.keytab)
++ # this is defined in userdom_login_user_template
++ #kerberos_filetrans_home_content($1)
++ kerberos_filetrans_admin_home_content($1)
++
++ kerberos_tmp_filetrans_host_rcache($1, host_0)
++ kerberos_tmp_filetrans_host_rcache($1, HTTP_23)
++')
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
-index 8edc29b..09dac65 100644
+index 8edc29b..92dde2c 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -6,9 +6,9 @@ policy_module(kerberos, 1.11.0)
@@ -31260,6 +31661,15 @@ index 8edc29b..09dac65 100644
# types for KDC principal file(s)
type krb5kdc_principal_t;
+@@ -80,7 +80,7 @@ files_pid_file(krb5kdc_var_run_t)
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
+ dontaudit kadmind_t self:capability sys_tty_config;
+-allow kadmind_t self:process { setfscreate signal_perms };
++allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
+ allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow kadmind_t self:unix_dgram_socket { connect create write };
+ allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -93,9 +93,9 @@ allow kadmind_t krb5_conf_t:file read_file_perms;
dontaudit kadmind_t krb5_conf_t:file write;
@@ -32012,7 +32422,7 @@ index 67c7fdd..84b7626 100644
files_list_var_lib(mailman_$1_t)
files_read_var_lib_symlinks(mailman_$1_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
-index af4d572..0fd2357 100644
+index af4d572..999384c 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -61,14 +61,18 @@ optional_policy(`
@@ -32036,7 +32446,7 @@ index af4d572..0fd2357 100644
files_search_spool(mailman_mail_t)
fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -81,6 +85,10 @@ optional_policy(`
+@@ -81,11 +85,16 @@ optional_policy(`
')
optional_policy(`
@@ -32047,7 +32457,13 @@ index af4d572..0fd2357 100644
cron_read_pipes(mailman_mail_t)
')
-@@ -104,6 +112,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
+ optional_policy(`
+ postfix_search_spool(mailman_mail_t)
++ postfix_rw_master_pipes(mailman_mail_t)
+ ')
+
+ ########################################
+@@ -104,6 +113,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t)
kernel_read_proc_symlinks(mailman_queue_t)
@@ -32056,7 +32472,7 @@ index af4d572..0fd2357 100644
auth_domtrans_chk_passwd(mailman_queue_t)
files_dontaudit_search_pids(mailman_queue_t)
-@@ -125,4 +135,4 @@ optional_policy(`
+@@ -125,4 +136,4 @@ optional_policy(`
optional_policy(`
su_exec(mailman_queue_t)
@@ -33662,7 +34078,7 @@ index 256166a..df99841 100644
/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..3d7edf0 100644
+index 343cee3..0fbbe06 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -33831,6 +34247,15 @@ index 343cee3..3d7edf0 100644
')
########################################
+@@ -532,7 +570,7 @@ interface(`mta_etc_filetrans_aliases',`
+ type etc_aliases_t;
+ ')
+
+- files_etc_filetrans($1, etc_aliases_t, file)
++ files_etc_filetrans($1, etc_aliases_t, file, $2)
+ ')
+
+ ########################################
@@ -552,7 +590,7 @@ interface(`mta_rw_aliases',`
')
@@ -33871,7 +34296,7 @@ index 343cee3..3d7edf0 100644
')
########################################
-@@ -899,3 +937,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +937,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -33922,6 +34347,68 @@ index 343cee3..3d7edf0 100644
+ userdom_search_admin_dir($1)
+ ')
+')
++
++########################################
++##
++## create mail content in the in the /root directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_filetrans_admin_home_content',`
++ gen_require(`
++ type mail_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, dead.letter)
++ userdom_admin_home_dir_filetrans($1, mail_home_t, file, .forward)
++')
++
++########################################
++##
++## Transition to mta named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_filetrans_home_content',`
++ gen_require(`
++ type mail_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, mail_home_t, file, dead.letter)
++ userdom_user_home_dir_filetrans($1, mail_home_t, file, .forward)
++')
++
++########################################
++##
++## Transition to apache named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mta_filetrans_named_content',`
++ gen_require(`
++ type etc_aliases_t;
++ type etc_mail_t;
++ ')
++
++ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
++ mta_etc_filetrans_aliases($1, aliases)
++ mta_etc_filetrans_aliases($1, aliases.db)
++ mta_filetrans_home_content($1)
++ mta_filetrans_admin_home_content($1)
++')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 64268e4..9ddac52 100644
--- a/policy/modules/services/mta.te
@@ -43196,7 +43683,7 @@ index f1aea88..a5a75a8 100644
admin_pattern($1, saslauthd_var_run_t)
')
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
-index 22184ad..d87a3f0 100644
+index 22184ad..3d85b76 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t)
@@ -43216,7 +43703,7 @@ index 22184ad..d87a3f0 100644
-allow saslauthd_t saslauthd_tmp_t:dir setattr;
-manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
-files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
-+mta_tmp_filetrans_host_rcache(saslauthd_t)
++kerberos_tmp_filetrans_host_rcache(saslauthd_t)
+manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@@ -43354,20 +43841,22 @@ index 7e94c7c..5700fb8 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
-index 22dac1f..b6781d5 100644
+index 22dac1f..c3cf42a 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
-@@ -19,6 +19,9 @@ mta_sendmail_mailserver(sendmail_t)
+@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
+-type unconfined_sendmail_t;
+-application_domain(unconfined_sendmail_t, sendmail_exec_t)
+-role system_r types unconfined_sendmail_t;
+type sendmail_initrc_exec_t;
+init_script_file(sendmail_initrc_exec_t)
-+
- type unconfined_sendmail_t;
- application_domain(unconfined_sendmail_t, sendmail_exec_t)
- role system_r types unconfined_sendmail_t;
-@@ -84,12 +87,14 @@ files_read_usr_files(sendmail_t)
+
+ ########################################
+ #
+@@ -84,12 +83,14 @@ files_read_usr_files(sendmail_t)
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
@@ -43382,7 +43871,7 @@ index 22dac1f..b6781d5 100644
auth_use_nsswitch(sendmail_t)
-@@ -103,7 +108,7 @@ miscfiles_read_generic_certs(sendmail_t)
+@@ -103,7 +104,7 @@ miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
@@ -43391,7 +43880,7 @@ index 22dac1f..b6781d5 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -149,7 +154,9 @@ optional_policy(`
+@@ -149,7 +150,9 @@ optional_policy(`
')
optional_policy(`
@@ -43401,23 +43890,29 @@ index 22dac1f..b6781d5 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,6 +175,10 @@ optional_policy(`
+@@ -168,20 +171,13 @@ optional_policy(`
')
optional_policy(`
+- udev_read_db(sendmail_t)
+ spamd_stream_connect(sendmail_t)
-+')
-+
-+optional_policy(`
- udev_read_db(sendmail_t)
')
-@@ -183,5 +194,5 @@ optional_policy(`
+ optional_policy(`
+- uucp_domtrans_uux(sendmail_t)
++ udev_read_db(sendmail_t)
+ ')
+-########################################
+-#
+-# Unconfined sendmail local policy
+-# Allow unconfined domain to run newalias and have transitions work
+-#
+-
optional_policy(`
- mta_etc_filetrans_aliases(unconfined_sendmail_t)
+- mta_etc_filetrans_aliases(unconfined_sendmail_t)
- unconfined_domain(unconfined_sendmail_t)
-+ unconfined_domain_noaudit(unconfined_sendmail_t)
++ uucp_domtrans_uux(sendmail_t)
')
diff --git a/policy/modules/services/setroubleshoot.if b/policy/modules/services/setroubleshoot.if
index bcdd16c..7c379a8 100644
@@ -44606,7 +45101,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..7631609 100644
+index 22adaca..de9d29e 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -44677,7 +45172,7 @@ index 22adaca..7631609 100644
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
-@@ -181,16 +179,16 @@ template(`ssh_server_template', `
+@@ -181,16 +179,17 @@ template(`ssh_server_template', `
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -44685,7 +45180,8 @@ index 22adaca..7631609 100644
+ allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
-+ allow $1_t self:process { signal getsched setsched setrlimit setexec };
++ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
++ allow $1_t self:process { signal getcap getsched setsched setrlimit setexec };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# ssh agent connections:
@@ -44697,7 +45193,7 @@ index 22adaca..7631609 100644
term_create_pty($1_t, $1_devpts_t)
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
-@@ -206,6 +204,7 @@ template(`ssh_server_template', `
+@@ -206,6 +205,7 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
kernel_read_network_state($1_t)
@@ -44705,7 +45201,7 @@ index 22adaca..7631609 100644
corenet_all_recvfrom_unlabeled($1_t)
corenet_all_recvfrom_netlabel($1_t)
-@@ -220,8 +219,11 @@ template(`ssh_server_template', `
+@@ -220,8 +220,11 @@ template(`ssh_server_template', `
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_tcp_bind_ssh_port($1_t)
@@ -44718,7 +45214,7 @@ index 22adaca..7631609 100644
fs_dontaudit_getattr_all_fs($1_t)
-@@ -234,6 +236,7 @@ template(`ssh_server_template', `
+@@ -234,6 +237,7 @@ template(`ssh_server_template', `
corecmd_getattr_bin_files($1_t)
domain_interactive_fd($1_t)
@@ -44726,7 +45222,7 @@ index 22adaca..7631609 100644
files_read_etc_files($1_t)
files_read_etc_runtime_files($1_t)
-@@ -243,13 +246,17 @@ template(`ssh_server_template', `
+@@ -243,13 +247,17 @@ template(`ssh_server_template', `
miscfiles_read_localization($1_t)
@@ -44746,7 +45242,7 @@ index 22adaca..7631609 100644
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files($1_t)
fs_read_nfs_symlinks($1_t)
-@@ -268,6 +275,14 @@ template(`ssh_server_template', `
+@@ -268,6 +276,14 @@ template(`ssh_server_template', `
files_read_var_lib_symlinks($1_t)
nx_spec_domtrans_server($1_t)
')
@@ -44761,7 +45257,7 @@ index 22adaca..7631609 100644
')
########################################
-@@ -290,11 +305,11 @@ template(`ssh_server_template', `
+@@ -290,11 +306,11 @@ template(`ssh_server_template', `
## User domain for the role
##
##
@@ -44774,7 +45270,7 @@ index 22adaca..7631609 100644
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
-@@ -327,7 +342,7 @@ template(`ssh_role_template',`
+@@ -327,7 +343,7 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -44783,7 +45279,7 @@ index 22adaca..7631609 100644
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +353,7 @@ template(`ssh_role_template',`
+@@ -338,6 +354,7 @@ template(`ssh_role_template',`
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)
@@ -44791,7 +45287,7 @@ index 22adaca..7631609 100644
##############################
#
-@@ -359,7 +375,7 @@ template(`ssh_role_template',`
+@@ -359,7 +376,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
@@ -44800,7 +45296,7 @@ index 22adaca..7631609 100644
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +397,6 @@ template(`ssh_role_template',`
+@@ -381,7 +398,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
@@ -44808,7 +45304,7 @@ index 22adaca..7631609 100644
libs_read_lib_files($1_ssh_agent_t)
-@@ -393,14 +408,13 @@ template(`ssh_role_template',`
+@@ -393,14 +409,13 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
@@ -44826,7 +45322,7 @@ index 22adaca..7631609 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +491,9 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +492,9 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@@ -44837,7 +45333,7 @@ index 22adaca..7631609 100644
########################################
##
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +509,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +510,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -44846,7 +45342,7 @@ index 22adaca..7631609 100644
')
########################################
-@@ -586,6 +601,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +602,24 @@ interface(`ssh_domtrans',`
########################################
##
@@ -44871,7 +45367,7 @@ index 22adaca..7631609 100644
## Execute the ssh client in the caller domain.
##
##
-@@ -618,7 +651,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +652,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -44880,7 +45376,7 @@ index 22adaca..7631609 100644
files_search_pids($1)
')
-@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +714,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -44913,7 +45409,7 @@ index 22adaca..7631609 100644
########################################
##
## Read ssh server keys
-@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +755,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -44922,7 +45418,7 @@ index 22adaca..7631609 100644
')
######################################
-@@ -735,3 +794,59 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +795,61 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -44962,6 +45458,7 @@ index 22adaca..7631609 100644
+ ')
+
+ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, .ssh)
++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, .shosts)
+')
+
+########################################
@@ -44981,6 +45478,7 @@ index 22adaca..7631609 100644
+ ')
+
+ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, .ssh)
++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, .shosts)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..c71bdb9 100644
@@ -46524,16 +47022,18 @@ index 32a3c13..7baeb6f 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..1b33cbb 100644
+index 2124b6a..9682c44 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
-@@ -1,4 +1,5 @@
+@@ -1,5 +1,6 @@
-HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
- HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
++HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+ /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
@@ -13,17 +14,25 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
@@ -46564,7 +47064,7 @@ index 2124b6a..1b33cbb 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..b961fd7 100644
+index 7c5d8d8..05a7054 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -13,14 +13,15 @@
@@ -46832,7 +47332,7 @@ index 7c5d8d8..b961fd7 100644
')
allow $1 virtd_t:process { ptrace signal_perms };
-@@ -515,4 +590,149 @@ interface(`virt_admin',`
+@@ -515,4 +590,169 @@ interface(`virt_admin',`
virt_manage_lib_files($1)
virt_manage_log($1)
@@ -46981,6 +47481,26 @@ index 7c5d8d8..b961fd7 100644
+ ')
+
+ allow $1 virt_tmpfs_type:file manage_file_perms;
++')
++
++########################################
++##
++## Create .virt directory in the user home directory
++## with an correct label.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_user_home_dir_filetrans',`
++ gen_require(`
++ type virt_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, .libvirt)
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, .virtinst)
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3eca020..f715498 100644
@@ -47842,7 +48362,7 @@ index aa6e5a8..42a0efb 100644
########################################
##
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 6f1e3c7..62b0b98 100644
+index 6f1e3c7..a3986f4 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,23 @@
@@ -47856,9 +48376,9 @@ index 6f1e3c7..62b0b98 100644
HOME_DIR/\.fonts\.cache-.* -- gen_context(system_u:object_r:user_fonts_cache_t,s0)
+HOME_DIR/\.DCOP.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
-+HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
+HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.Xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.dmrc.* -- gen_context(system_u:object_r:xdm_home_t,s0)
@@ -47976,7 +48496,7 @@ index 6f1e3c7..62b0b98 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..33c8170 100644
+index 130ced9..ade50fd 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -48201,19 +48721,29 @@ index 130ced9..33c8170 100644
')
#######################################
-@@ -444,8 +481,8 @@ template(`xserver_object_types_template',`
+@@ -444,8 +481,9 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
- type xdm_t, xdm_tmp_t;
- type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
+ type xdm_t, xdm_tmp_t, xserver_tmpfs_t;
++ type xdm_home_t;
+ type xauth_home_t, iceauth_home_t, xserver_t;
')
allow $2 self:shm create_shm_perms;
-@@ -458,9 +495,9 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +494,18 @@ template(`xserver_user_x_domain_template',`
+ allow $2 xauth_home_t:file read_file_perms;
+ allow $2 iceauth_home_t:file read_file_perms;
++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, .DCOP)
++ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, .ICEauthority)
++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, .Xauthority)
++ userdom_user_home_dir_filetrans($2, xauth_home_t, file, .xauth)
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, .xsession-errors)
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, .dmrc)
++
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
- allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -48224,7 +48754,7 @@ index 130ced9..33c8170 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +509,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +517,25 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -48252,7 +48782,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -517,6 +559,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -48260,7 +48790,7 @@ index 130ced9..33c8170 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +588,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +596,28 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -48289,7 +48819,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -598,6 +663,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -48297,7 +48827,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -615,7 +681,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -48306,7 +48836,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -651,7 +717,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +725,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -48315,7 +48845,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -670,7 +736,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +744,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -48324,7 +48854,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -688,7 +754,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +762,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -48333,7 +48863,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -703,12 +769,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +777,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -48347,7 +48877,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -724,11 +789,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +797,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -48381,7 +48911,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -765,7 +850,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +858,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -48390,7 +48920,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -805,7 +890,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +898,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -48418,7 +48948,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -897,7 +1001,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1009,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -48427,7 +48957,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -916,7 +1020,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1028,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -48436,7 +48966,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -963,6 +1067,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1075,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -48482,7 +49012,7 @@ index 130ced9..33c8170 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1119,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1127,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -48491,7 +49021,7 @@ index 130ced9..33c8170 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1181,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1189,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -48534,7 +49064,7 @@ index 130ced9..33c8170 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1231,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1239,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -48543,7 +49073,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -1070,8 +1249,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1257,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -48555,7 +49085,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -1185,6 +1366,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1374,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -48582,7 +49112,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -1210,7 +1411,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1419,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -48591,7 +49121,7 @@ index 130ced9..33c8170 100644
##
##
##
-@@ -1220,13 +1421,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1429,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -48616,7 +49146,7 @@ index 130ced9..33c8170 100644
')
########################################
-@@ -1243,10 +1454,392 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1462,397 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -49002,7 +49532,7 @@ index 130ced9..33c8170 100644
+#
+interface(`xserver_manage_home_fonts',`
+ gen_require(`
-+ type user_fonts_t, user_fonts_config_t;
++ type user_fonts_t, user_fonts_config_t, user_fonts_cache_t;
+ ')
+
+ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
@@ -49010,9 +49540,14 @@ index 130ced9..33c8170 100644
+ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
+
+ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
++
++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .k5login)
++ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts.d)
++ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts)
++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, .fontconfig)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 6c01261..3f91fd9 100644
+index 6c01261..8cb530b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -49334,7 +49869,7 @@ index 6c01261..3f91fd9 100644
optional_policy(`
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
-@@ -302,20 +415,33 @@ optional_policy(`
+@@ -302,20 +415,38 @@ optional_policy(`
# XDM Local policy
#
@@ -49364,6 +49899,11 @@ index 6c01261..3f91fd9 100644
+
+manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t)
+userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)
++userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .DCOP)
++userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .ICEauthority)
++userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauthority)
++userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .xauth)
++userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauth)
+
+#Handle mislabeled files in homedir
+userdom_delete_user_home_content_files(xdm_t)
@@ -49372,7 +49912,7 @@ index 6c01261..3f91fd9 100644
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -323,43 +449,62 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -323,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t)
allow xdm_t xdm_lock_t:file manage_file_perms;
files_lock_filetrans(xdm_t, xdm_lock_t, file)
@@ -49441,7 +49981,7 @@ index 6c01261..3f91fd9 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -368,18 +513,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -368,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -49469,7 +50009,7 @@ index 6c01261..3f91fd9 100644
corenet_all_recvfrom_unlabeled(xdm_t)
corenet_all_recvfrom_netlabel(xdm_t)
-@@ -391,18 +544,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -391,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -49493,7 +50033,7 @@ index 6c01261..3f91fd9 100644
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -411,18 +568,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
+@@ -411,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t)
dev_getattr_misc_dev(xdm_t)
dev_setattr_misc_dev(xdm_t)
dev_dontaudit_rw_misc(xdm_t)
@@ -49521,7 +50061,7 @@ index 6c01261..3f91fd9 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -433,9 +596,23 @@ files_list_mnt(xdm_t)
+@@ -433,9 +601,23 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -49545,7 +50085,7 @@ index 6c01261..3f91fd9 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -444,28 +621,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -444,28 +626,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -49584,7 +50124,7 @@ index 6c01261..3f91fd9 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -474,9 +659,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -474,9 +664,30 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -49615,7 +50155,7 @@ index 6c01261..3f91fd9 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xdm_t)
-@@ -492,6 +698,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -492,6 +703,14 @@ tunable_policy(`use_samba_home_dirs',`
fs_exec_cifs_files(xdm_t)
')
@@ -49630,7 +50170,7 @@ index 6c01261..3f91fd9 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -505,11 +719,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -505,11 +724,21 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -49652,7 +50192,7 @@ index 6c01261..3f91fd9 100644
')
optional_policy(`
-@@ -517,7 +741,43 @@ optional_policy(`
+@@ -517,7 +746,43 @@ optional_policy(`
')
optional_policy(`
@@ -49697,7 +50237,7 @@ index 6c01261..3f91fd9 100644
')
optional_policy(`
-@@ -527,6 +787,16 @@ optional_policy(`
+@@ -527,6 +792,16 @@ optional_policy(`
')
optional_policy(`
@@ -49714,7 +50254,7 @@ index 6c01261..3f91fd9 100644
hostname_exec(xdm_t)
')
-@@ -544,28 +814,65 @@ optional_policy(`
+@@ -544,28 +819,65 @@ optional_policy(`
')
optional_policy(`
@@ -49789,7 +50329,7 @@ index 6c01261..3f91fd9 100644
')
optional_policy(`
-@@ -577,6 +884,14 @@ optional_policy(`
+@@ -577,6 +889,14 @@ optional_policy(`
')
optional_policy(`
@@ -49804,7 +50344,7 @@ index 6c01261..3f91fd9 100644
xfs_stream_connect(xdm_t)
')
-@@ -601,7 +916,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -601,7 +921,7 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -49813,7 +50353,7 @@ index 6c01261..3f91fd9 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -615,8 +930,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -615,8 +935,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -49829,7 +50369,7 @@ index 6c01261..3f91fd9 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -635,12 +957,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -635,12 +962,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -49851,7 +50391,7 @@ index 6c01261..3f91fd9 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -648,6 +977,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -648,6 +982,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -49859,7 +50399,7 @@ index 6c01261..3f91fd9 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -674,7 +1004,6 @@ dev_rw_apm_bios(xserver_t)
+@@ -674,7 +1009,6 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -49867,7 +50407,7 @@ index 6c01261..3f91fd9 100644
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -684,11 +1013,17 @@ dev_wx_raw_memory(xserver_t)
+@@ -684,11 +1018,17 @@ dev_wx_raw_memory(xserver_t)
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -49885,7 +50425,7 @@ index 6c01261..3f91fd9 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -699,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -699,8 +1039,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -49899,7 +50439,7 @@ index 6c01261..3f91fd9 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -713,8 +1053,6 @@ init_getpgid(xserver_t)
+@@ -713,8 +1058,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -49908,7 +50448,7 @@ index 6c01261..3f91fd9 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -722,11 +1060,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -722,11 +1065,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -49923,7 +50463,7 @@ index 6c01261..3f91fd9 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -780,16 +1119,36 @@ optional_policy(`
+@@ -780,16 +1124,36 @@ optional_policy(`
')
optional_policy(`
@@ -49961,7 +50501,7 @@ index 6c01261..3f91fd9 100644
unconfined_domtrans(xserver_t)
')
-@@ -798,6 +1157,10 @@ optional_policy(`
+@@ -798,6 +1162,10 @@ optional_policy(`
')
optional_policy(`
@@ -49972,7 +50512,7 @@ index 6c01261..3f91fd9 100644
xfs_stream_connect(xserver_t)
')
-@@ -813,10 +1176,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -813,10 +1181,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -49986,7 +50526,7 @@ index 6c01261..3f91fd9 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -824,7 +1187,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -824,7 +1192,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -49995,7 +50535,7 @@ index 6c01261..3f91fd9 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -837,6 +1200,9 @@ init_use_fds(xserver_t)
+@@ -837,6 +1205,9 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -50005,7 +50545,7 @@ index 6c01261..3f91fd9 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
-@@ -844,6 +1210,11 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -844,6 +1215,11 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_symlinks(xserver_t)
')
@@ -50017,7 +50557,7 @@ index 6c01261..3f91fd9 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_dirs(xserver_t)
fs_manage_cifs_files(xserver_t)
-@@ -852,11 +1223,14 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -852,11 +1228,14 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -50034,7 +50574,7 @@ index 6c01261..3f91fd9 100644
')
optional_policy(`
-@@ -864,6 +1238,10 @@ optional_policy(`
+@@ -864,6 +1243,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -50045,7 +50585,7 @@ index 6c01261..3f91fd9 100644
########################################
#
# Rules common to all X window domains
-@@ -907,7 +1285,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -907,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -50054,7 +50594,7 @@ index 6c01261..3f91fd9 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -961,11 +1339,31 @@ allow x_domain self:x_resource { read write };
+@@ -961,11 +1344,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -50086,7 +50626,7 @@ index 6c01261..3f91fd9 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -987,18 +1385,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -987,18 +1390,32 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -52460,7 +53000,7 @@ index cc83689..e83c909 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..7860408 100644
+index ea29513..5429a16 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -52626,7 +53166,7 @@ index ea29513..7860408 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +236,118 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +236,119 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -52639,6 +53179,7 @@ index ea29513..7860408 100644
+tunable_policy(`init_systemd',`
+ allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow init_t self:process { setsockcreate setfscreate };
++ allow init_t self:process { getcap setcap };
+ allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ # Until systemd is fixed
@@ -52745,7 +53286,7 @@ index ea29513..7860408 100644
')
optional_policy(`
-@@ -199,10 +355,25 @@ optional_policy(`
+@@ -199,10 +356,25 @@ optional_policy(`
')
optional_policy(`
@@ -52771,7 +53312,7 @@ index ea29513..7860408 100644
unconfined_domain(init_t)
')
-@@ -212,7 +383,7 @@ optional_policy(`
+@@ -212,7 +384,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -52780,7 +53321,7 @@ index ea29513..7860408 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +412,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +413,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -52796,7 +53337,7 @@ index ea29513..7860408 100644
init_write_initctl(initrc_t)
-@@ -258,20 +432,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +433,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -52833,7 +53374,7 @@ index ea29513..7860408 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +465,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +466,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -52841,7 +53382,7 @@ index ea29513..7860408 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +478,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +479,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -52849,7 +53390,7 @@ index ea29513..7860408 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +486,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +487,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -52865,7 +53406,7 @@ index ea29513..7860408 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +504,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +505,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -52873,7 +53414,7 @@ index ea29513..7860408 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +512,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +513,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -52885,7 +53426,7 @@ index ea29513..7860408 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +531,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +532,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -52899,7 +53440,7 @@ index ea29513..7860408 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +546,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +547,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -52908,7 +53449,7 @@ index ea29513..7860408 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +560,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +561,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -52916,7 +53457,7 @@ index ea29513..7860408 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +572,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +573,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -52924,7 +53465,7 @@ index ea29513..7860408 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +593,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +594,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -52946,7 +53487,7 @@ index ea29513..7860408 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +656,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +657,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -52957,7 +53498,7 @@ index ea29513..7860408 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +680,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +681,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -52966,7 +53507,7 @@ index ea29513..7860408 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +695,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +696,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -52974,7 +53515,7 @@ index ea29513..7860408 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +725,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +726,29 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -53004,7 +53545,7 @@ index ea29513..7860408 100644
')
optional_policy(`
-@@ -531,10 +755,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +756,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -53019,10 +53560,15 @@ index ea29513..7860408 100644
+ sysnet_relabelfrom_dhcpc_state(initrc_t)
+ sysnet_relabelfrom_net_conf(initrc_t)
+ sysnet_relabelto_net_conf(initrc_t)
++ sysnet_etc_filetrans_config(initrc_t, resolv.conf)
++ sysnet_etc_filetrans_config(initrc_t, denyhosts)
++ sysnet_etc_filetrans_config(initrc_t, hosts)
++ sysnet_etc_filetrans_config(initrc_t, ethers)
++ sysnet_etc_filetrans_config(initrc_t, yp.conf)
')
optional_policy(`
-@@ -549,6 +780,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +786,39 @@ ifdef(`distro_suse',`
')
')
@@ -53062,7 +53608,7 @@ index ea29513..7860408 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +825,8 @@ optional_policy(`
+@@ -561,6 +831,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -53071,7 +53617,7 @@ index ea29513..7860408 100644
')
optional_policy(`
-@@ -577,6 +843,7 @@ optional_policy(`
+@@ -577,6 +849,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -53079,7 +53625,7 @@ index ea29513..7860408 100644
')
optional_policy(`
-@@ -589,6 +856,11 @@ optional_policy(`
+@@ -589,6 +862,11 @@ optional_policy(`
')
optional_policy(`
@@ -53091,7 +53637,7 @@ index ea29513..7860408 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +877,13 @@ optional_policy(`
+@@ -605,9 +883,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -53105,7 +53651,7 @@ index ea29513..7860408 100644
')
optional_policy(`
-@@ -649,6 +925,11 @@ optional_policy(`
+@@ -649,6 +931,11 @@ optional_policy(`
')
optional_policy(`
@@ -53117,7 +53663,7 @@ index ea29513..7860408 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +987,13 @@ optional_policy(`
+@@ -706,7 +993,13 @@ optional_policy(`
')
optional_policy(`
@@ -53131,7 +53677,7 @@ index ea29513..7860408 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1016,10 @@ optional_policy(`
+@@ -729,6 +1022,10 @@ optional_policy(`
')
optional_policy(`
@@ -53142,7 +53688,7 @@ index ea29513..7860408 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1029,20 @@ optional_policy(`
+@@ -738,10 +1035,20 @@ optional_policy(`
')
optional_policy(`
@@ -53163,7 +53709,7 @@ index ea29513..7860408 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1051,10 @@ optional_policy(`
+@@ -750,6 +1057,10 @@ optional_policy(`
')
optional_policy(`
@@ -53174,7 +53720,7 @@ index ea29513..7860408 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1076,6 @@ optional_policy(`
+@@ -771,8 +1082,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -53183,7 +53729,7 @@ index ea29513..7860408 100644
')
optional_policy(`
-@@ -781,14 +1084,21 @@ optional_policy(`
+@@ -781,14 +1090,21 @@ optional_policy(`
')
optional_policy(`
@@ -53205,7 +53751,7 @@ index ea29513..7860408 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1110,6 @@ optional_policy(`
+@@ -800,7 +1116,6 @@ optional_policy(`
')
optional_policy(`
@@ -53213,7 +53759,7 @@ index ea29513..7860408 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1119,24 @@ optional_policy(`
+@@ -810,11 +1125,24 @@ optional_policy(`
')
optional_policy(`
@@ -53239,7 +53785,7 @@ index ea29513..7860408 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1146,25 @@ optional_policy(`
+@@ -824,6 +1152,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -53265,7 +53811,7 @@ index ea29513..7860408 100644
')
optional_policy(`
-@@ -849,3 +1190,42 @@ optional_policy(`
+@@ -849,3 +1196,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -55125,10 +55671,10 @@ index 879bb1e..7b22111 100644
+/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0)
/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..b95f0c0 100644
+index 58bc27f..c3fe956 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,39 @@ interface(`lvm_domtrans_clvmd',`
+@@ -123,3 +123,57 @@ interface(`lvm_domtrans_clvmd',`
corecmd_search_bin($1)
domtrans_pattern($1, clvmd_exec_t, clvmd_t)
')
@@ -55168,6 +55714,24 @@ index 58bc27f..b95f0c0 100644
+
+ allow $1 clvmd_tmpfs_t:file unlink;
+')
++
++########################################
++##
++## Send lvm a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`lvm_signull',`
++ gen_require(`
++ type lvm_t;
++ ')
++
++ allow $1 lvm_t:process signull;
++')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a0a0ebf..e7fd4ec 100644
--- a/policy/modules/system/lvm.te
@@ -56303,14 +56867,16 @@ index 15832c7..43f0a0b 100644
+
+userdom_use_inherited_user_terminals(showmount_t)
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
-index cbbda4a..81ce417 100644
+index cbbda4a..83c5ce7 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
-@@ -25,4 +25,4 @@ files_read_etc_files(netlabel_mgmt_t)
+@@ -25,4 +25,6 @@ files_read_etc_files(netlabel_mgmt_t)
seutil_use_newrole_fds(netlabel_mgmt_t)
-userdom_use_user_terminals(netlabel_mgmt_t)
++term_use_all_terms(netlabel_mgmt_t)
++
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 4d06ae3..ebd5ed4 100644
@@ -58201,10 +58767,10 @@ index 0000000..4dfe28c
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..ef7eddd
+index 0000000..13b7617
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,185 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -58270,10 +58836,15 @@ index 0000000..ef7eddd
+
+init_read_utmp(systemd_passwd_agent_t)
+init_create_pid_dirs(systemd_passwd_agent_t)
++init_stream_connect(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+optional_policy(`
++ lvm_signull(systemd_passwd_agent_t)
++')
++
++optional_policy(`
+ plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
@@ -58588,7 +59159,7 @@ index 025348a..4e2ca03 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..b18dc17 100644
+index d88f7c3..7f59b32 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -58633,7 +59204,7 @@ index d88f7c3..b18dc17 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -62,17 +69,15 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@@ -58651,11 +59222,10 @@ index d88f7c3..b18dc17 100644
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+allow udev_t udev_var_run_t:file mounton;
+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
-+
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
-@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+@@ -87,6 +92,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
@@ -58663,7 +59233,33 @@ index d88f7c3..b18dc17 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -95,8 +101,17 @@ kernel_read_software_raid_state(udev_t)
+
+ corecmd_exec_all_executables(udev_t)
+
++dev_write_kmsg(udev_t)
+ dev_rw_sysfs(udev_t)
+-dev_manage_all_dev_nodes(udev_t)
++dev_read_raw_memory(udev_t)
++dev_check_read_all_chr_dev_nodes(udev_t)
++dev_check_read_generic_blk_dev_nodes(udev_t)
++dev_check_write_all_chr_dev_nodes(udev_t)
++dev_check_write_generic_blk_dev_nodes(udev_t)
++dev_create_all_blk_dev_nodes(udev_t)
++dev_create_all_chr_dev_nodes(udev_t)
++dev_setattr_all_chr_dev_nodes(udev_t)
++dev_setattr_all_blk_dev_nodes(udev_t)
+ dev_rw_generic_files(udev_t)
+ dev_delete_generic_files(udev_t)
+ dev_search_usbfs(udev_t)
+@@ -105,21 +120,27 @@ dev_relabel_all_dev_nodes(udev_t)
+ # preserved, instead of short circuiting the relabel
+ dev_relabel_generic_symlinks(udev_t)
+ dev_manage_generic_symlinks(udev_t)
++dev_manage_generic_dirs(udev_t)
+
+ domain_read_all_domains_state(udev_t)
+ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
@@ -58685,7 +59281,21 @@ index d88f7c3..b18dc17 100644
mcs_ptrace_all(udev_t)
-@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t)
+@@ -136,6 +157,13 @@ selinux_compute_create_context(udev_t)
+ selinux_compute_relabel_context(udev_t)
+ selinux_compute_user_contexts(udev_t)
+
++storage_raw_read_fixed_disk(udev_t)
++storage_read_scsi_generic(udev_t)
++storage_raw_read_removable_device(udev_t)
++storage_raw_write_removable_device(udev_t)
++storage_raw_check_write_fixed_disk(udev_t)
++storage_check_write_scsi_generic(udev_t)
++
+ auth_read_pam_console_data(udev_t)
+ auth_domtrans_pam_console(udev_t)
+ auth_use_nsswitch(udev_t)
+@@ -143,6 +171,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -58693,13 +59303,14 @@ index d88f7c3..b18dc17 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -186,15 +199,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +215,16 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
+ fs_manage_hugetlbfs_dirs(udev_t)
- term_search_ptys(udev_t)
+- term_search_ptys(udev_t)
++ term_use_generic_ptys(udev_t)
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
@@ -58713,7 +59324,7 @@ index d88f7c3..b18dc17 100644
')
optional_policy(`
-@@ -216,11 +230,16 @@ optional_policy(`
+@@ -216,11 +246,16 @@ optional_policy(`
')
optional_policy(`
@@ -58730,7 +59341,7 @@ index d88f7c3..b18dc17 100644
')
optional_policy(`
-@@ -233,6 +252,10 @@ optional_policy(`
+@@ -233,6 +268,14 @@ optional_policy(`
')
optional_policy(`
@@ -58738,10 +59349,14 @@ index d88f7c3..b18dc17 100644
+')
+
+optional_policy(`
++ gpsd_domtrans(udev_t)
++')
++
++optional_policy(`
lvm_domtrans(udev_t)
')
-@@ -259,6 +282,10 @@ optional_policy(`
+@@ -259,6 +302,10 @@ optional_policy(`
')
optional_policy(`
@@ -58752,7 +59367,7 @@ index d88f7c3..b18dc17 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +300,11 @@ optional_policy(`
+@@ -273,6 +320,11 @@ optional_policy(`
')
optional_policy(`
@@ -59536,7 +60151,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..5ea0ea4 100644
+index 28b88de..78f35d2 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -60108,7 +60723,7 @@ index 28b88de..5ea0ea4 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +651,122 @@ template(`userdom_common_user_template',`
+@@ -574,67 +651,123 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -60241,6 +60856,7 @@ index 28b88de..5ea0ea4 100644
+ optional_policy(`
+ mta_rw_spool($1_usertype)
+ mta_manage_queue($1_usertype)
++ mta_filetrans_home_content($1_usertype)
')
optional_policy(`
@@ -60249,7 +60865,7 @@ index 28b88de..5ea0ea4 100644
')
optional_policy(`
-@@ -650,41 +782,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +783,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -60311,7 +60927,7 @@ index 28b88de..5ea0ea4 100644
')
#######################################
-@@ -712,13 +853,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +854,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -60343,7 +60959,7 @@ index 28b88de..5ea0ea4 100644
userdom_change_password_template($1)
-@@ -736,72 +890,70 @@ template(`userdom_login_user_template', `
+@@ -736,72 +891,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -60425,6 +61041,7 @@ index 28b88de..5ea0ea4 100644
- cups_stream_connect($1_t)
- cups_stream_connect_ptal($1_t)
+ kerberos_use($1_usertype)
++ kerberos_filetrans_home_content($1_usertype)
')
optional_policy(`
@@ -60451,7 +61068,7 @@ index 28b88de..5ea0ea4 100644
')
')
-@@ -833,6 +985,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +987,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -60461,7 +61078,7 @@ index 28b88de..5ea0ea4 100644
##############################
#
# Local policy
-@@ -874,45 +1029,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1031,113 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -60586,7 +61203,7 @@ index 28b88de..5ea0ea4 100644
')
')
-@@ -947,7 +1170,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1172,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -60595,7 +61212,7 @@ index 28b88de..5ea0ea4 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1179,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1181,83 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -60709,7 +61326,7 @@ index 28b88de..5ea0ea4 100644
')
')
-@@ -1039,7 +1291,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1293,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -60718,7 +61335,7 @@ index 28b88de..5ea0ea4 100644
')
##############################
-@@ -1066,6 +1318,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1320,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -60726,7 +61343,7 @@ index 28b88de..5ea0ea4 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1327,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1329,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -60736,7 +61353,7 @@ index 28b88de..5ea0ea4 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1344,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1346,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -60744,7 +61361,7 @@ index 28b88de..5ea0ea4 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1362,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1364,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -60758,7 +61375,7 @@ index 28b88de..5ea0ea4 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,17 +1379,21 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1381,21 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -60781,7 +61398,7 @@ index 28b88de..5ea0ea4 100644
auth_getattr_shadow($1_t)
# Manage almost all files
-@@ -1141,7 +1405,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1407,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -60793,7 +61410,7 @@ index 28b88de..5ea0ea4 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1477,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1479,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -60802,7 +61419,7 @@ index 28b88de..5ea0ea4 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1491,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1493,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -60810,7 +61427,7 @@ index 28b88de..5ea0ea4 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1507,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1509,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -60818,7 +61435,7 @@ index 28b88de..5ea0ea4 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1550,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1552,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -60856,7 +61473,7 @@ index 28b88de..5ea0ea4 100644
ubac_constrained($1)
')
-@@ -1395,6 +1692,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1694,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -60864,7 +61481,7 @@ index 28b88de..5ea0ea4 100644
files_search_home($1)
')
-@@ -1441,6 +1739,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1741,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -60879,7 +61496,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -1456,9 +1762,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1764,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -60891,7 +61508,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -1515,10 +1823,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1825,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -60904,7 +61521,7 @@ index 28b88de..5ea0ea4 100644
##
##
##
-@@ -1526,22 +1834,58 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,22 +1836,58 @@ interface(`userdom_relabelto_user_home_dirs',`
##
##
#
@@ -60972,7 +61589,7 @@ index 28b88de..5ea0ea4 100644
## Do a domain transition to the specified
## domain when executing a program in the
## user home directory.
-@@ -1589,6 +1933,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1935,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -60981,7 +61598,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -1603,10 +1949,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1951,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -60996,7 +61613,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -1649,6 +1997,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1999,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -61022,7 +61639,7 @@ index 28b88de..5ea0ea4 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1700,12 +2067,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2069,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -61055,7 +61672,7 @@ index 28b88de..5ea0ea4 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2103,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2105,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -61073,7 +61690,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -1779,6 +2169,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2171,24 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
@@ -61098,7 +61715,7 @@ index 28b88de..5ea0ea4 100644
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2218,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2220,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -61108,7 +61725,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -1827,21 +2234,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2236,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -61134,7 +61751,7 @@ index 28b88de..5ea0ea4 100644
########################################
##
## Do not audit attempts to execute user home files.
-@@ -2008,7 +2409,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2411,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -61143,7 +61760,7 @@ index 28b88de..5ea0ea4 100644
files_search_home($1)
')
-@@ -2182,7 +2583,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2585,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -61152,7 +61769,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -2435,13 +2836,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2838,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -61168,7 +61785,7 @@ index 28b88de..5ea0ea4 100644
##
##
##
-@@ -2462,26 +2864,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2866,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -61195,7 +61812,7 @@ index 28b88de..5ea0ea4 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2572,6 +2954,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2956,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -61220,7 +61837,7 @@ index 28b88de..5ea0ea4 100644
## Read and write a user domain pty.
##
##
-@@ -2590,22 +2990,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +2992,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -61263,7 +61880,7 @@ index 28b88de..5ea0ea4 100644
##
##
##
-@@ -2614,14 +3026,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3028,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -61301,7 +61918,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -2815,7 +3246,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3248,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -61310,7 +61927,7 @@ index 28b88de..5ea0ea4 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3262,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3264,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -61326,7 +61943,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -2917,7 +3350,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3352,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -61335,7 +61952,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -2972,7 +3405,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3407,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -61382,7 +61999,7 @@ index 28b88de..5ea0ea4 100644
')
########################################
-@@ -3009,6 +3480,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3482,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -61390,7 +62007,7 @@ index 28b88de..5ea0ea4 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3559,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3561,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -61415,7 +62032,7 @@ index 28b88de..5ea0ea4 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3139,3 +3629,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3631,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -62595,7 +63212,7 @@ index df29ca1..e9e85d7 100644
+')
+
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
-index a865da7..0818ff0 100644
+index a865da7..a5ed06e 100644
--- a/policy/modules/system/xen.fc
+++ b/policy/modules/system/xen.fc
@@ -1,12 +1,10 @@
@@ -62612,6 +63229,14 @@ index a865da7..0818ff0 100644
ifdef(`distro_debian',`
/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+@@ -17,6 +15,7 @@ ifdef(`distro_debian',`
+ /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+ /usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
+ /usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
++/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
+ /usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
+ ')
+
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
index 77d41b6..4aa96c6 100644
--- a/policy/modules/system/xen.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 06ee490..d15dee3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,13 @@ exit 0
%endif
%changelog
+* Wed Apr 27 2011 Miroslav Grepl 3.9.16-18
+- Allow init_t getcap and setcap
+- Allow namespace_init_t to use nsswitch
+- aisexec will execute corosync
+- colord tries to read files off noxattr file systems
+- Allow init_t getcap and setcap
+
* Thu Apr 21 2011 Miroslav Grepl 3.9.16-17
- Add support for ABRT retrace server
- Allow user_t and staff_t access to generic scsi to handle locally plugged in scanners