diff --git a/modules-targeted.conf b/modules-targeted.conf
index 5fd759d..905cd44 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2328,3 +2328,10 @@ milter = module
# /etc/sysconfig/keyboard and writes out an xorg.conf.d snippet
#
keyboardd = module
+
+# Layer: services
+# Module: firewalld
+#
+# firewalld is firewall service daemon that provides dynamic customizable
+#
+firewalld = module
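Review bot: The module description `# firewalld is firewall service daemon that provides dynamic customizable` stops mid-sentence, so the new entry reads as incomplete next to the other `# Module:` blocks in this file. I would finish it as `# firewalld is a firewall service daemon that provides a dynamic, customizable firewall`.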
diff --git a/policy-F15.patch b/policy-F15.patch
index af42ac2..bb4ab9d 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -352,7 +352,7 @@ index 63eb96b..17a9f6d 100644
##
## Execute bootloader interactively and do
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index d3da8f2..c171daf 100644
+index d3da8f2..9799904 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -23,7 +23,7 @@ role system_r types bootloader_t;
@@ -364,6 +364,17 @@ index d3da8f2..c171daf 100644
#
# The temp file is used for initrd creation;
+@@ -171,6 +171,10 @@ ifdef(`distro_redhat',`
+ ')
+
+ optional_policy(`
++ devicekit_dontaudit_read_pid_files(bootloader_t)
++')
++
++optional_policy(`
+ fstools_exec(bootloader_t)
+ ')
+
diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
index 2c2cdb6..73b3814 100644
--- a/policy/modules/admin/brctl.if
@@ -416,10 +427,18 @@ index 9de382b..682e78e 100644
optional_policy(`
apache_exec_modules(certwatch_t)
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
-index cd5e005..7f3f992 100644
+index cd5e005..24f73ca 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
-@@ -79,16 +79,18 @@ optional_policy(`
+@@ -48,6 +48,7 @@ mls_file_read_all_levels(consoletype_t)
+ mls_file_write_all_levels(consoletype_t)
+
+ term_use_all_terms(consoletype_t)
++term_use_ptmx(consoletype_t)
+
+ init_use_fds(consoletype_t)
+ init_use_script_ptys(consoletype_t)
+@@ -79,16 +80,18 @@ optional_policy(`
')
optional_policy(`
@@ -442,7 +461,7 @@ index cd5e005..7f3f992 100644
')
optional_policy(`
-@@ -114,6 +116,7 @@ optional_policy(`
+@@ -114,6 +117,7 @@ optional_policy(`
optional_policy(`
userdom_use_unpriv_users_fds(consoletype_t)
@@ -1764,7 +1783,7 @@ index d0604cf..679d61c 100644
##
##
diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
-index 8966ec9..80939b0 100644
+index 8966ec9..fb8d63f 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@@ -1775,7 +1794,14 @@ index 8966ec9..80939b0 100644
application_domain(shutdown_t, shutdown_exec_t)
role system_r types shutdown_t;
-@@ -38,13 +39,14 @@ domain_use_interactive_fds(shutdown_t)
+@@ -33,18 +34,21 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+ manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
+ files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
+
++kernel_read_system_state(shutdown_t)
++
+ domain_use_interactive_fds(shutdown_t)
+
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
@@ -1792,7 +1818,7 @@ index 8966ec9..80939b0 100644
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)
-@@ -59,5 +61,10 @@ optional_policy(`
+@@ -59,5 +63,10 @@ optional_policy(`
')
optional_policy(`
@@ -2001,7 +2027,7 @@ index 81fb26f..cd18ca8 100644
optional_policy(`
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..e1b55f8 100644
+index 441cf22..b90d4cc 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -88,9 +88,7 @@ fs_search_auto_mountpoints(chfn_t)
@@ -2015,7 +2041,17 @@ index 441cf22..e1b55f8 100644
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
-@@ -291,17 +289,18 @@ selinux_compute_create_context(passwd_t)
+@@ -194,8 +192,7 @@ selinux_compute_create_context(groupadd_t)
+ selinux_compute_relabel_context(groupadd_t)
+ selinux_compute_user_contexts(groupadd_t)
+
+-term_use_all_ttys(groupadd_t)
+-term_use_all_ptys(groupadd_t)
++term_use_all_terms(groupadd_t)
+
+ init_use_fds(groupadd_t)
+ init_read_utmp(groupadd_t)
+@@ -291,17 +288,18 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
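Review bot: Replacing `term_use_all_ttys` plus `term_use_all_ptys` with `term_use_all_terms(groupadd_t)` reads as a rename, but if `term_use_all_terms` also covers the console and ptmx, as its name suggests, it is a widening for a non-interactive helper; the same substitution is made for sysadm_passwd_t and useradd_t in the next two hunks of this file. If the broader interface is intended, a comment such as `# helper inherits whichever terminal the caller holds` would make that explicit; otherwise keep the two narrower calls. The enclosing groupadd_t rule block continues outside the hunk.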
@@ -2038,7 +2074,7 @@ index 441cf22..e1b55f8 100644
domain_use_interactive_fds(passwd_t)
-@@ -332,6 +331,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +330,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -2046,7 +2082,17 @@ index 441cf22..e1b55f8 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -426,7 +426,7 @@ optional_policy(`
+@@ -381,8 +380,7 @@ dev_read_urand(sysadm_passwd_t)
+ fs_getattr_xattr_fs(sysadm_passwd_t)
+ fs_search_auto_mountpoints(sysadm_passwd_t)
+
+-term_use_all_ttys(sysadm_passwd_t)
+-term_use_all_ptys(sysadm_passwd_t)
++term_use_all_terms(sysadm_passwd_t)
+
+ auth_manage_shadow(sysadm_passwd_t)
+ auth_relabel_shadow(sysadm_passwd_t)
+@@ -426,7 +424,7 @@ optional_policy(`
# Useradd local policy
#
@@ -2055,7 +2101,17 @@ index 441cf22..e1b55f8 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -498,12 +498,8 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -469,8 +467,7 @@ selinux_compute_create_context(useradd_t)
+ selinux_compute_relabel_context(useradd_t)
+ selinux_compute_user_contexts(useradd_t)
+
+-term_use_all_ttys(useradd_t)
+-term_use_all_ptys(useradd_t)
++term_use_all_terms(useradd_t)
+
+ auth_domtrans_chk_passwd(useradd_t)
+ auth_rw_lastlog(useradd_t)
+@@ -498,12 +495,8 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -6857,6 +6913,19 @@ index 0000000..5259647
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
+')
+
+diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
+index 320df26..879e804 100644
+--- a/policy/modules/apps/screen.if
++++ b/policy/modules/apps/screen.if
+@@ -81,8 +81,6 @@ template(`screen_role_template',`
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
+
+ manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
+- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
+- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
+ manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
+
+ kernel_read_system_state($1_screen_t)
diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
index 1dc7a85..7455c19 100644
--- a/policy/modules/apps/seunshare.if
@@ -7187,10 +7256,10 @@ index 0000000..46368cc
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..24f8037
+index 0000000..d4e5e9e
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,329 @@
+@@ -0,0 +1,331 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -7374,6 +7443,8 @@ index 0000000..24f8037
+
+dev_read_rand(telepathy_mission_control_t)
+
++fs_getattr_all_fs(telepathy_mission_control_t)
++
+files_read_etc_files(telepathy_mission_control_t)
+files_read_usr_files(telepathy_mission_control_t)
+
@@ -7681,7 +7752,7 @@ index 5872ea2..028c994 100644
/var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0)
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
-index c76ceb2..d7df452 100644
+index c76ceb2..9562e78 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t)
@@ -7708,7 +7779,7 @@ index c76ceb2..d7df452 100644
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
-@@ -158,8 +161,19 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+@@ -158,8 +161,23 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
netutils_domtrans_ping(vmware_host_t)
optional_policy(`
@@ -7720,6 +7791,10 @@ index c76ceb2..d7df452 100644
+')
+
+optional_policy(`
++ samba_read_config(vmware_host_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(vmware_host_t)
+')
@@ -10986,7 +11061,7 @@ index b4ad6d7..67e89f0 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 9e2e6d7..08e82d9 100644
+index 9e2e6d7..d5c4f76 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -11016,7 +11091,7 @@ index 9e2e6d7..08e82d9 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -268,19 +272,30 @@ files_list_root(kernel_t)
+@@ -268,19 +272,31 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -11030,6 +11105,7 @@ index 9e2e6d7..08e82d9 100644
mls_process_read_up(kernel_t)
mls_process_write_down(kernel_t)
++mls_file_downgrade(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+mls_socket_write_all_levels(kernel_t)
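Review bot: `++mls_file_downgrade(kernel_t)` exempts kernel_t from the MLS no-write-down rule for file relabels, and it lands among neighbouring MLS exemptions that are equally uncommented, so nothing records which kernel-initiated operation needs to lower a file's level. A one-line justification keeps the exemption auditable, e.g. `# kernel-side relabel must be able to lower a file's MLS level — TODO name the triggering operation`. The rest of this hunk only renumbers the inner header.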
@@ -11047,7 +11123,7 @@ index 9e2e6d7..08e82d9 100644
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -357,6 +372,10 @@ optional_policy(`
+@@ -357,6 +373,10 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -11508,7 +11584,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..faaf889 100644
+index 2be17d2..5728fc1 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -11560,7 +11636,7 @@ index 2be17d2..faaf889 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,25 +63,108 @@ optional_policy(`
+@@ -27,25 +63,112 @@ optional_policy(`
')
optional_policy(`
@@ -11581,6 +11657,10 @@ index 2be17d2..faaf889 100644
+')
+
+optional_policy(`
++ mock_role(staff_r, staff_t)
++')
++
++optional_policy(`
+ kerneloops_dbus_chat(staff_t)
+')
+
@@ -11671,7 +11751,7 @@ index 2be17d2..faaf889 100644
optional_policy(`
vlock_run(staff_t, staff_r)
-@@ -137,10 +256,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +260,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -12710,10 +12790,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..7d5de28
+index 0000000..ec21f9a
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,489 @@
+@@ -0,0 +1,493 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -13043,6 +13123,10 @@ index 0000000..7d5de28
+')
+
+optional_policy(`
++ mock_role(unconfined_r, unconfined_t)
++')
++
++optional_policy(`
+ modutils_run_update_mods(unconfined_t, unconfined_r)
+')
+
@@ -17628,7 +17712,7 @@ index 9a0da94..2ede737 100644
+ admin_pattern($1, chronyd_tmpfs_t)
')
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..7f4ca47 100644
+index fa82327..db20d26 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -15,6 +15,9 @@ init_script_file(chronyd_initrc_exec_t)
@@ -17641,7 +17725,11 @@ index fa82327..7f4ca47 100644
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
-@@ -37,6 +40,10 @@ allow chronyd_t self:unix_dgram_socket create_socket_perms;
+@@ -34,9 +37,14 @@ allow chronyd_t self:process { getcap setcap setrlimit };
+ allow chronyd_t self:shm create_shm_perms;
+ allow chronyd_t self:udp_socket create_socket_perms;
+ allow chronyd_t self:unix_dgram_socket create_socket_perms;
++allow chronyd_t self:fifo_file rw_fifo_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
@@ -17652,14 +17740,27 @@ index fa82327..7f4ca47 100644
manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -50,6 +57,7 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
+@@ -50,6 +58,11 @@ manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
files_pid_filetrans(chronyd_t, chronyd_var_run_t, file)
++kernel_read_system_state(chronyd_t)
++
++corecmd_exec_shell(chronyd_t)
++
+corenet_udp_bind_generic_node(chronyd_t)
corenet_udp_bind_ntp_port(chronyd_t)
# bind to udp/323
corenet_udp_bind_chronyd_port(chronyd_t)
+@@ -63,6 +76,8 @@ logging_send_syslog_msg(chronyd_t)
+
+ miscfiles_read_localization(chronyd_t)
+
++mta_send_mail(chronyd_t)
++
+ optional_policy(`
+ gpsd_rw_shm(chronyd_t)
+ ')
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 1f11572..7f6a7ab 100644
--- a/policy/modules/services/clamav.if
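Review bot: `++corecmd_exec_shell(chronyd_t)` and `++mta_send_mail(chronyd_t)` turn chronyd from a socket-only time daemon into one that may spawn a shell and the mail transport, and neither line says why. If this is for chrony's `mailonchange` directive, which runs sendmail when a large clock adjustment occurs, say so: `# mailonchange runs sendmail through a shell`. Because most hosts never set that directive, wrapping the two calls in a `tunable_policy` block, as samba.te in this patch does for optional behaviour, would keep the default profile narrow. The surrounding chronyd_t rules lie outside the inner hunks shown here.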
@@ -18058,10 +18159,10 @@ index 0000000..a2c7134
+ corosync_stream_connect(cmirrord_t)
+')
diff --git a/policy/modules/services/cobbler.fc b/policy/modules/services/cobbler.fc
-index 1cf6c4e..90c60df 100644
+index 1cf6c4e..e4bac67 100644
--- a/policy/modules/services/cobbler.fc
+++ b/policy/modules/services/cobbler.fc
-@@ -1,7 +1,32 @@
+@@ -1,7 +1,33 @@
-/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
-/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
@@ -18075,6 +18176,7 @@ index 1cf6c4e..90c60df 100644
+/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+
+/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
++/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
+/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
@@ -20520,7 +20622,7 @@ index f706b99..22b862e 100644
+ files_list_pids($1)
')
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..4ecd4b7 100644
+index f231f17..10c33ed 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -20546,7 +20648,7 @@ index f231f17..4ecd4b7 100644
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
-@@ -105,8 +110,10 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +110,17 @@ domain_read_all_domains_state(devicekit_disk_t)
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
@@ -20558,7 +20660,14 @@ index f231f17..4ecd4b7 100644
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
files_read_etc_files(devicekit_disk_t)
-@@ -178,25 +185,47 @@ optional_policy(`
+ files_read_etc_runtime_files(devicekit_disk_t)
+ files_read_usr_files(devicekit_disk_t)
+
++fs_getattr_all_fs(devicekit_disk_t)
+ fs_list_inotifyfs(devicekit_disk_t)
+ fs_manage_fusefs_dirs(devicekit_disk_t)
+ fs_mount_all_fs(devicekit_disk_t)
+@@ -178,25 +186,47 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -20607,7 +20716,7 @@ index f231f17..4ecd4b7 100644
kernel_search_debugfs(devicekit_power_t)
kernel_write_proc_files(devicekit_power_t)
-@@ -212,12 +241,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,12 +242,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
dev_rw_generic_chr_files(devicekit_power_t)
dev_rw_netcontrol(devicekit_power_t)
dev_rw_sysfs(devicekit_power_t)
@@ -20624,7 +20733,7 @@ index f231f17..4ecd4b7 100644
term_use_all_terms(devicekit_power_t)
-@@ -225,8 +258,11 @@ auth_use_nsswitch(devicekit_power_t)
+@@ -225,8 +259,11 @@ auth_use_nsswitch(devicekit_power_t)
miscfiles_read_localization(devicekit_power_t)
@@ -20636,7 +20745,7 @@ index f231f17..4ecd4b7 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -261,14 +297,21 @@ optional_policy(`
+@@ -261,14 +298,21 @@ optional_policy(`
')
optional_policy(`
@@ -20659,7 +20768,7 @@ index f231f17..4ecd4b7 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +319,21 @@ optional_policy(`
+@@ -276,9 +320,21 @@ optional_policy(`
')
optional_policy(`
@@ -22302,6 +22411,173 @@ index 6537214..7d64c0a 100644
ps_process_pattern($1, fetchmail_t)
files_list_etc($1)
+diff --git a/policy/modules/services/firewalld.fc b/policy/modules/services/firewalld.fc
+new file mode 100644
+index 0000000..ba9a7a9
+--- /dev/null
++++ b/policy/modules/services/firewalld.fc
+@@ -0,0 +1,10 @@
++
++/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
++
++
++/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
++
++/var/log/firewalld -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
++
++/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
++/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)
+diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
+new file mode 100644
+index 0000000..84d1768
+--- /dev/null
++++ b/policy/modules/services/firewalld.if
+@@ -0,0 +1,73 @@
++
++## policy for firewalld
++
++
++########################################
++##
++## Execute a domain transition to run firewalld.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`firewalld_domtrans',`
++ gen_require(`
++ type firewalld_t, firewalld_exec_t;
++ ')
++
++ domtrans_pattern($1, firewalld_exec_t, firewalld_t)
++')
++
++
++########################################
++##
++## Execute firewalld server in the firewalld domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`firewalld_initrc_domtrans',`
++ gen_require(`
++ type firewalld_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an firewalld environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`firewalld_admin',`
++ gen_require(`
++ type firewalld_t;
++ type firewalld_initrc_exec_t;
++ ')
++
++ allow $1 firewalld_t:process { ptrace signal_perms };
++ ps_process_pattern($1, firewalld_t)
++
++ firewalld_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 firewalld_initrc_exec_t system_r;
++ allow $2 system_r;
++
++')
+diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
+new file mode 100644
+index 0000000..ebb76c1
+--- /dev/null
++++ b/policy/modules/services/firewalld.te
+@@ -0,0 +1,66 @@
++
++policy_module(firewalld,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type firewalld_t;
++type firewalld_exec_t;
++init_daemon_domain(firewalld_t, firewalld_exec_t)
++
++permissive firewalld_t;
++
++type firewalld_initrc_exec_t;
++init_script_file(firewalld_initrc_exec_t)
++
++type firewalld_var_log_t;
++logging_log_file(firewalld_var_log_t)
++
++type firewalld_var_run_t;
++files_pid_file(firewalld_var_run_t)
++
++########################################
++#
++# firewalld local policy
++#
++
++allow firewalld_t self:fifo_file rw_fifo_file_perms;
++allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
++
++append_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++create_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++read_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++setattr_files_pattern(firewalld_t, firewalld_var_log_t, firewalld_var_log_t)
++logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
++
++# should be fixed to cooperate with systemd to create /var/run/firewalld directory
++manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
++files_pid_filetrans(firewalld_t, firewalld_var_run_t, { file })
++
++kernel_read_network_state(firewalld_t)
++kernel_read_system_state(firewalld_t)
++
++corecmd_exec_bin(firewalld_t)
++
++domain_use_interactive_fds(firewalld_t)
++
++files_read_etc_files(firewalld_t)
++files_read_usr_files(firewalld_t)
++
++logging_send_syslog_msg(firewalld_t)
++
++miscfiles_read_localization(firewalld_t)
++
++optional_policy(`
++ dbus_system_domain(firewalld_t, firewalld_exec_t)
++')
++
++optional_policy(`
++ iptables_domtrans(firewalld_t)
++')
++
++optional_policy(`
++ modutils_domtrans_insmod(firewalld_t)
++')
diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
index ebad8c4..c02062c 100644
--- a/policy/modules/services/fprintd.if
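Review bot: `firewalld_admin` in the new firewalld.if stops at process control and the initrc transition, with no `admin_pattern` over `firewalld_var_log_t` or `firewalld_var_run_t`, so a role granted this interface still cannot manage the daemon's log and pid files, whereas the other admin interfaces touched by this patch (chronyd.if, mysql.if, samba.if) do cover their file types. The rewrite below adds the two types to `gen_require` and the matching `admin_pattern` calls. Separately, firewalld.te declares `permissive firewalld_t;` with no comment; a marker such as `# TODO: permissive while the policy is exercised; drop before enforcing` makes the intent visible so it does not survive by accident. The `.fc` labels `/var/run/firewalld(/.*)?` as a directory tree while the `.te` grants only `manage_files_pattern` and a `{ file }` filetrans, which the in-line comment already acknowledges, and while the domain is permissive that gap will not surface as a denial.
```m4
interface(`firewalld_admin',`
	gen_require(`
		type firewalld_t;
		type firewalld_initrc_exec_t;
		type firewalld_var_log_t, firewalld_var_run_t;
	')

	# … unchanged: ptrace/signal_perms, ps_process_pattern, initrc domtrans, role transition …

	logging_list_logs($1)
	admin_pattern($1, firewalld_var_log_t)

	files_list_pids($1)
	admin_pattern($1, firewalld_var_run_t)
')
```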
@@ -25552,10 +25828,10 @@ index 0000000..6395ec8
+')
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644
-index 0000000..b05a9cd
+index 0000000..36d15ad
--- /dev/null
+++ b/policy/modules/services/mock.te
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,101 @@
+policy_module(mock,1.0.0)
+
+########################################
@@ -25588,6 +25864,8 @@ index 0000000..b05a9cd
+
+allow mock_t self:capability { sys_admin setfcap setuid sys_ptrace sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signull transition rlimitinh setsched setpgid sigkill };
++# Needed because mock can run java and mono withing build environment
++allow mock_t self:process { execmem execstack };
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
+allow mock_t self:fifo_file manage_fifo_file_perms;
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
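Review bot: `allow mock_t self:process { execmem execstack };` makes writable-and-executable memory and an executable stack available to every build run under mock, not only the java and mono builds the comment cites, and the grant is unconditional. Since this patch already uses `tunable_policy` blocks for optional behaviour (samba.te), a boolean around these two permissions would let hosts that never build such packages keep the restriction. The comment also has a typo: `withing` should be `within`.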
@@ -26054,10 +26332,10 @@ index 0000000..311aaed
+')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644
-index 0000000..92e86a2
+index 0000000..d87d442
--- /dev/null
+++ b/policy/modules/services/mpd.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,143 @@
+policy_module(mpd, 1.0.0)
+
+########################################
@@ -26127,6 +26405,8 @@ index 0000000..92e86a2
+manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
+files_var_lib_filetrans(mpd_t, mpd_var_lib_t, { dir file lnk_file })
+
++# needed by pulseaudio
++kernel_getattr_proc(mpd_t)
+kernel_read_system_state(mpd_t)
+kernel_read_kernel_sysctls(mpd_t)
+
@@ -26141,6 +26421,7 @@ index 0000000..92e86a2
+corenet_tcp_bind_soundd_port(mpd_t)
+
+dev_read_sound(mpd_t)
++dev_write_sound(mpd_t)
+dev_read_sysfs(mpd_t)
+
+files_read_usr_files(mpd_t)
@@ -26173,6 +26454,10 @@ index 0000000..92e86a2
+')
+
+optional_policy(`
++ consolekit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
+ dbus_system_bus_client(mpd_t)
+')
+
@@ -26183,8 +26468,17 @@ index 0000000..92e86a2
+')
+
+optional_policy(`
++ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
++')
++
++optional_policy(`
+ udev_read_db(mpd_t)
+')
++
++optional_policy(`
++ xserver_dontaudit_stream_connect(mpd_t)
++ xserver_dontaudit_read_xdm_pid(mpd_t)
++')
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 256166a..c526ce8 100644
--- a/policy/modules/services/mta.fc
@@ -26996,7 +27290,7 @@ index f17583b..8f01394 100644
+
+miscfiles_read_localization(munin_plugin_domain)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
-index e9c0982..06034b8 100644
+index e9c0982..a12d5ea 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -18,6 +18,24 @@ interface(`mysql_domtrans',`
@@ -27024,7 +27318,32 @@ index e9c0982..06034b8 100644
########################################
##
## Send a generic signal to MySQL.
-@@ -73,6 +91,7 @@ interface(`mysql_stream_connect',`
+@@ -36,6 +54,24 @@ interface(`mysql_signal',`
+ allow $1 mysqld_t:process signal;
+ ')
+
++#######################################
++##
++## Send a null signal to mysql.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mysql_signull',`
++ gen_require(`
++ type mysqld_t;
++ ')
++
++ allow $1 mysqld_t:process signull;
++')
++
+ ########################################
+ ##
+ ## Allow the specified domain to connect to postgresql with a tcp socket.
+@@ -73,6 +109,7 @@ interface(`mysql_stream_connect',`
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
')
@@ -27032,7 +27351,7 @@ index e9c0982..06034b8 100644
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
')
-@@ -252,7 +271,7 @@ interface(`mysql_write_log',`
+@@ -252,7 +289,7 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
@@ -27041,7 +27360,7 @@ index e9c0982..06034b8 100644
')
######################################
-@@ -329,10 +348,9 @@ interface(`mysql_search_pid_files',`
+@@ -329,10 +366,9 @@ interface(`mysql_search_pid_files',`
#
interface(`mysql_admin',`
gen_require(`
@@ -27055,7 +27374,7 @@ index e9c0982..06034b8 100644
')
allow $1 mysqld_t:process { ptrace signal_perms };
-@@ -343,13 +361,17 @@ interface(`mysql_admin',`
+@@ -343,13 +379,17 @@ interface(`mysql_admin',`
role_transition $2 mysqld_initrc_exec_t system_r;
allow $2 system_r;
@@ -27074,7 +27393,7 @@ index e9c0982..06034b8 100644
admin_pattern($1, mysqld_tmp_t)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..d02b476 100644
+index 0a0d63c..024120d 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -27142,7 +27461,7 @@ index 0a0d63c..d02b476 100644
files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-@@ -183,6 +186,8 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
+@@ -183,11 +186,14 @@ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
hostname_exec(mysqld_safe_t)
@@ -27151,6 +27470,12 @@ index 0a0d63c..d02b476 100644
miscfiles_read_localization(mysqld_safe_t)
mysql_manage_db_files(mysqld_safe_t)
+ mysql_read_config(mysqld_safe_t)
+ mysql_search_pid_files(mysqld_safe_t)
++mysql_signull(mysqld_safe_t)
+ mysql_write_log(mysqld_safe_t)
+
+ ########################################
diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
index 8581040..cfcdf10 100644
--- a/policy/modules/services/nagios.if
@@ -27239,7 +27564,7 @@ index 8581040..cfcdf10 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..86c9cba 100644
+index bf64a4c..331ad53 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@@ -27338,7 +27663,7 @@ index bf64a4c..86c9cba 100644
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,10 +328,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
@@ -27346,7 +27671,12 @@ index bf64a4c..86c9cba 100644
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
-@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
++kernel_read_system_state(nagios_services_plugin_t)
++
+ corecmd_exec_bin(nagios_services_plugin_t)
+
+ corenet_tcp_connect_all_ports(nagios_services_plugin_t)
+@@ -340,6 +346,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -34358,7 +34688,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..6e627d6 100644
+index e30bb63..a7f61a3 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -34398,7 +34728,7 @@ index e30bb63..6e627d6 100644
allow smbd_t swat_t:process signal;
-@@ -323,10 +320,12 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,15 +320,18 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
@@ -34411,7 +34741,13 @@ index e30bb63..6e627d6 100644
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
-@@ -343,6 +342,7 @@ files_read_usr_files(smbd_t)
+ auth_domtrans_upd_passwd(smbd_t)
+ auth_manage_cache(smbd_t)
++auth_write_login_records(smbd_t)
+
+ domain_use_interactive_fds(smbd_t)
+ domain_dontaudit_list_all_domains_state(smbd_t)
+@@ -343,6 +343,7 @@ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
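Review bot: `++auth_write_login_records(smbd_t)` lets smbd write the system login records, and nothing nearby says which Samba feature drives it; presumably this is the smb.conf `utmp` option, in which case `# utmp = yes in smb.conf makes smbd record sessions in utmp/wtmp` would do. Write access to login records is also a classic track-covering capability, so a one-line justification helps the next auditor tell it from an over-broad grant. The smbd_t rule block continues outside this hunk.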
@@ -34419,7 +34755,7 @@ index e30bb63..6e627d6 100644
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -385,12 +385,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +386,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -34433,7 +34769,7 @@ index e30bb63..6e627d6 100644
')
# Support Samba sharing of NFS mount points
-@@ -445,8 +440,8 @@ optional_policy(`
+@@ -445,8 +441,8 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -34443,7 +34779,7 @@ index e30bb63..6e627d6 100644
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
-@@ -462,8 +457,8 @@ tunable_policy(`samba_export_all_rw',`
+@@ -462,8 +458,8 @@ tunable_policy(`samba_export_all_rw',`
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
@@ -34453,7 +34789,7 @@ index e30bb63..6e627d6 100644
########################################
#
-@@ -484,8 +479,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +480,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -34464,7 +34800,7 @@ index e30bb63..6e627d6 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +556,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +557,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
allow smbcontrol_t nmbd_t:process { signal signull };
@@ -34482,7 +34818,7 @@ index e30bb63..6e627d6 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -677,7 +673,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +674,7 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -34491,7 +34827,7 @@ index e30bb63..6e627d6 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +688,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +689,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -34506,7 +34842,7 @@ index e30bb63..6e627d6 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +708,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +709,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -34514,7 +34850,7 @@ index e30bb63..6e627d6 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +753,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +754,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -34523,7 +34859,7 @@ index e30bb63..6e627d6 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,14 +807,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,14 +808,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -34543,7 +34879,7 @@ index e30bb63..6e627d6 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +834,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +835,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -34551,7 +34887,7 @@ index e30bb63..6e627d6 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -922,6 +924,18 @@ optional_policy(`
+@@ -922,6 +925,18 @@ optional_policy(`
#
optional_policy(`
@@ -34570,7 +34906,7 @@ index e30bb63..6e627d6 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +946,12 @@ optional_policy(`
+@@ -932,9 +947,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -36228,7 +36564,7 @@ index 22adaca..784c363 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..f4626c0 100644
+index 2dad3c8..2b6aef5 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -36497,7 +36833,7 @@ index 2dad3c8..f4626c0 100644
+')
+
+optional_policy(`
-+ amanda_search_lib(sshd_t)
++ amanda_search_var_lib(sshd_t)
')
optional_policy(`
@@ -37997,7 +38333,7 @@ index 7c5d8d8..5e2f264 100644
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
+')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..191efb7 100644
+index 3eca020..d81582c 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
@@ -38312,9 +38648,9 @@ index 3eca020..191efb7 100644
logging_send_syslog_msg(virtd_t)
+logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
++selinux_validate_context(virtd_t)
++
+seutil_read_config(virtd_t)
seutil_read_default_contexts(virtd_t)
+seutil_read_file_contexts(virtd_t)
@@ -38338,7 +38674,18 @@ index 3eca020..191efb7 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -365,6 +450,8 @@ optional_policy(`
+@@ -329,6 +414,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ dmidecode_domtrans(virtd_t)
++')
++
++optional_policy(`
+ dnsmasq_domtrans(virtd_t)
+ dnsmasq_signal(virtd_t)
+ dnsmasq_kill(virtd_t)
+@@ -365,6 +454,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
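Review bot: The new `++ dmidecode_domtrans(virtd_t)` block gives virtd_t a transition into a domain that, in refpolicy, is normally allowed to read raw physical memory (/dev/mem) to reach the SMBIOS tables — a privilege virtd_t does not hold itself — and nothing in the hunk records why that is needed or that it was weighed. Suggest a comment above the call, e.g. `# libvirt spawns dmidecode to report host SMBIOS/sysinfo; dmidecode_t has raw memory read`, so the next reader sees the escalation path is deliberate rather than an audit2allow artifact. Confirm against dmidecode.te that the transition is the only access virtd_t gains here; the rest of virt.te's virtd_t rules start and end outside this hunk.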
@@ -38347,7 +38694,7 @@ index 3eca020..191efb7 100644
')
optional_policy(`
-@@ -396,12 +483,25 @@ optional_policy(`
+@@ -396,12 +487,25 @@ optional_policy(`
allow virt_domain self:capability { dac_read_search dac_override kill };
allow virt_domain self:process { execmem execstack signal getsched signull };
@@ -38374,7 +38721,7 @@ index 3eca020..191efb7 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +522,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +526,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -38382,7 +38729,7 @@ index 3eca020..191efb7 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +530,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +534,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -38395,7 +38742,7 @@ index 3eca020..191efb7 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,6 +543,11 @@ files_search_all(virt_domain)
+@@ -440,6 +547,11 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -38407,7 +38754,7 @@ index 3eca020..191efb7 100644
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -457,8 +565,117 @@ optional_policy(`
+@@ -457,8 +569,117 @@ optional_policy(`
')
optional_policy(`
@@ -38933,7 +39280,7 @@ index 6f1e3c7..ecfe665 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index da2601a..6b12229 100644
+index da2601a..61bce48 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -39325,16 +39672,34 @@ index da2601a..6b12229 100644
')
########################################
-@@ -805,7 +869,7 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +869,25 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
- allow $1 xdm_var_run_t:file read_file_perms;
+ read_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++######################################
++##
++## Dontaudit Read XDM pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_dontaudit_read_xdm_pid',`
++ gen_require(`
++ type xdm_var_run_t;
++ ')
++
++ dontaudit $1 xdm_var_run_t:file read_file_perms;
')
########################################
-@@ -897,7 +961,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +979,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
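Review bot: The divider above the new `xserver_dontaudit_read_xdm_pid` interface (`######################################`) is two characters shorter than the 40-character `########################################` separators used elsewhere in xserver.if, and the summary `## Dontaudit Read XDM pid files.` does not match the file's established phrasing for such interfaces (compare "Do not audit attempts to get the attributes of ..." later in the same file). Suggest `## Do not audit attempts to read XDM pid files.` and the full-width divider. The rule body itself is right for a dontaudit variant: it deliberately omits the `files_search_pids($1)` grant that the allow interface above it carries, so nothing is silently permitted.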
@@ -39343,7 +39708,7 @@ index da2601a..6b12229 100644
')
########################################
-@@ -916,7 +980,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +998,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -39352,7 +39717,7 @@ index da2601a..6b12229 100644
')
########################################
-@@ -963,6 +1027,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1045,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -39398,7 +39763,7 @@ index da2601a..6b12229 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1079,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1097,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -39407,7 +39772,7 @@ index da2601a..6b12229 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1141,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1159,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -39450,7 +39815,7 @@ index da2601a..6b12229 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1191,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1209,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -39459,7 +39824,7 @@ index da2601a..6b12229 100644
')
########################################
-@@ -1070,8 +1209,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1227,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -39471,15 +39836,34 @@ index da2601a..6b12229 100644
')
########################################
-@@ -1185,6 +1326,7 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1344,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
+ allow xserver_t $1:shm rw_shm_perms;
++')
++
++######################################
++##
++## Dontaudit attempts to connect to xserver
++## over an unix stream socket.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`xserver_dontaudit_stream_connect',`
++ gen_require(`
++ type xserver_t, xserver_tmp_t;
++ ')
++
++ stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
')
########################################
-@@ -1210,7 +1352,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1389,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -39488,7 +39872,7 @@ index da2601a..6b12229 100644
##
##
##
-@@ -1220,13 +1362,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1399,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -39513,7 +39897,7 @@ index da2601a..6b12229 100644
')
########################################
-@@ -1243,10 +1395,393 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1432,393 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -47450,10 +47834,10 @@ index 0000000..5f0352b
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..52a952b
+index 0000000..174dd0c
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,102 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -47532,6 +47916,7 @@ index 0000000..52a952b
+files_relabelfrom_tmp_files(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_files(systemd_tmpfiles_t)
++files_getattr_lost_found_dirs(systemd_tmpfiles_t)
+
+init_dgram_send(systemd_tmpfiles_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1669f5d..b77d2c2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.12
-Release: 5%{?dist}
+Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,15 @@ exit 0
%endif
%changelog
+* Tue Jan 11 2011 Miroslav Grepl 3.9.12-6
+- Add firewalld policy
+- Allow vmware_host to read samba config
+- Kernel wants to read /proc Fix duplicate grub def in cobbler
+- Chrony sends mail, executes shell, uses fifo_file and reads /proc
+- devicekitdisk getattr all file systems
+- sambd daemon writes wtmp file
+- libvirt transitions to dmidecode
+
* Wed Jan 5 2011 Miroslav Grepl 3.9.12-5
- Add initial policy for system-setup-keyboard which is now daemon
- Label /var/lock/subsys/shorewall as shorewall_lock_t