diff --git a/policy-F16.patch b/policy-F16.patch
index 8c28a80..d891175 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -8580,10 +8580,10 @@ index 0000000..0fedd57
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..88efdca
+index 0000000..104b919
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,479 @@
+@@ -0,0 +1,481 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8778,6 +8778,7 @@ index 0000000..88efdca
+manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
++dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
+
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
+
@@ -9019,6 +9020,7 @@ index 0000000..88efdca
+')
+
+optional_policy(`
++ nsplugin_manage_rw(sandbox_web_type)
+ nsplugin_read_rw_files(sandbox_web_type)
+ nsplugin_rw_exec(sandbox_web_type)
+')
@@ -10342,7 +10344,7 @@ index 223ad43..d400ef6 100644
# Reading dotfiles...
# cjp: ?
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..d0c0d02 100644
+index 34c9d01..0d54b2c 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10395,7 +10397,7 @@ index 34c9d01..d0c0d02 100644
#
# /usr
#
-@@ -196,47 +195,49 @@ ifdef(`distro_gentoo',`
+@@ -196,47 +195,50 @@ ifdef(`distro_gentoo',`
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
@@ -10441,6 +10443,7 @@ index 34c9d01..d0c0d02 100644
-
-/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10486,7 +10489,7 @@ index 34c9d01..d0c0d02 100644
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -244,9 +245,13 @@ ifdef(`distro_gentoo',`
+@@ -244,9 +246,13 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -10501,7 +10504,7 @@ index 34c9d01..d0c0d02 100644
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -283,6 +288,7 @@ ifdef(`distro_gentoo',`
+@@ -283,6 +289,7 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -10509,7 +10512,7 @@ index 34c9d01..d0c0d02 100644
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -291,7 +297,7 @@ ifdef(`distro_gentoo',`
+@@ -291,7 +298,7 @@ ifdef(`distro_gentoo',`
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10518,7 +10521,7 @@ index 34c9d01..d0c0d02 100644
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -304,9 +310,8 @@ ifdef(`distro_redhat', `
+@@ -304,9 +311,8 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10529,7 +10532,7 @@ index 34c9d01..d0c0d02 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +321,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +322,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -10541,7 +10544,7 @@ index 34c9d01..d0c0d02 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -360,7 +367,7 @@ ifdef(`distro_redhat', `
+@@ -360,7 +368,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -10550,7 +10553,7 @@ index 34c9d01..d0c0d02 100644
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
-@@ -373,7 +380,6 @@ ifdef(`distro_suse', `
+@@ -373,7 +381,6 @@ ifdef(`distro_suse', `
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
@@ -10957,7 +10960,7 @@ index 6cf8784..5b25039 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..255c5bb 100644
+index e9313fb..6db0863 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -11112,6 +11115,15 @@ index e9313fb..255c5bb 100644
')
########################################
+@@ -920,7 +975,7 @@ interface(`dev_filetrans',`
+ type device_t;
+ ')
+
+- filetrans_pattern($1, device_t, $2, $3)
++ filetrans_pattern($1, device_t, $2, $3, $4)
+
+ dev_associate($2)
+ files_associate_tmp($2)
@@ -1178,6 +1233,42 @@ interface(`dev_create_all_chr_files',`
########################################
@@ -11299,7 +11311,7 @@ index e9313fb..255c5bb 100644
## Write to watchdog devices.
## </summary>
## <param name="domain">
-@@ -4748,3 +4874,22 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4874,751 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -11322,6 +11334,735 @@ index e9313fb..255c5bb 100644
+
+ dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
+')
++
++########################################
++## <summary>
++## Create all named devices with the correct label
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_filetrans_all_named_dev',`
++
++gen_require(`
++ type device_t;
++ type usb_device_t;
++ type xserver_misc_device_t;
++ type sound_device_t;
++ type apm_bios_t;
++ type mouse_device_t;
++ type autofs_device_t;
++ type lvm_control_t;
++ type crash_device_t;
++ type dlm_control_device_t;
++ type clock_device_t;
++ type v4l_device_t;
++ type event_device_t;
++ type xen_device_t;
++ type framebuf_device_t;
++ type null_device_t;
++ type random_device_t;
++ type dri_device_t;
++ type ipmi_device_t;
++ type printer_device_t;
++ type memory_device_t;
++ type kmsg_device_t;
++ type qemu_device_t;
++ type ksm_device_t;
++ type kvm_device_t;
++ type lirc_device_t;
++ type cpu_device_t;
++ type scanner_device_t;
++ type modem_device_t;
++ type vhost_device_t;
++ type netcontrol_device_t;
++ type nvram_device_t;
++ type power_device_t;
++ type wireless_device_t;
++ type tpm_device_t;
++ type userio_device_t;
++ type urandom_device_t;
++ type usbmon_device_t;
++ type vmware_device_t;
++ type watchdog_device_t;
++ type crypt_device_t;
++ type zero_device_t;
++ type smartcard_device_t;
++ type mtrr_device_t;
++')
++
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, 3dfx)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, admmidi9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, adsp9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, aload9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amidi9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, amixer9)
++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, apm_bios)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, atibm)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, audio9)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs0)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs1)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs2)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs3)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs4)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs5)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs6)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs7)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs8)
++ filetrans_pattern($1, device_t, autofs_device_t, chr_file, autofs9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, beep)
++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, btrfs-control)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, controlD64)
++ filetrans_pattern($1, device_t, crash_device_t, chr_file, crash)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm0)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm1)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm2)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm3)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm4)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm5)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm6)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm7)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm8)
++ filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, dlm9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmfm)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dmmidi9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, dsp9)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, efirtc)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, e2201)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83000)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83001)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83002)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83003)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83004)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83005)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83006)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83007)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83008)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, em83009)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event0)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event1)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event2)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event3)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event4)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event5)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event6)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event7)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event8)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, event9)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, evtchn)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb0)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb1)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb2)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb3)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb4)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb5)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb6)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb7)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb8)
++ filetrans_pattern($1, device_t, framebuf_device_t, chr_file, fb9)
++ filetrans_pattern($1, device_t, null_device_t, chr_file, full)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw0)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw1)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw2)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw3)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw4)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw5)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw6)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw7)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw8)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw9)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, gfx)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, graphics)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc0)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc1)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc2)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc3)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc4)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc5)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc6)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc7)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc8)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, hfmodem)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev0)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev1)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev2)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev3)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev4)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev5)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev6)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev7)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev8)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hiddev9)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw0)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw1)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw2)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw3)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw4)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw5)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw6)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw7)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw8)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, hidraw9)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, hpet)
++ filetrans_pattern($1, device_t, random_device_t, chr_file, hw_random)
++ filetrans_pattern($1, device_t, random_device_t, chr_file, hwrng)
++ filetrans_pattern($1, device_t, dri_device_t, chr_file, i915)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, inportbm)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi0)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi1)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi2)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi3)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi4)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi5)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi6)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi7)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi8)
++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, ipmi9)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt0)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt1)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt2)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt3)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt4)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt5)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt6)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt7)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt8)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, irlpt9)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, jbm)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js0)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js1)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js2)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js3)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js4)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js5)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js6)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js7)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js8)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js9)
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, kmem)
++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, kmsg)
++ filetrans_pattern($1, device_t, qemu_device_t, chr_file, kqemu)
++ filetrans_pattern($1, device_t, ksm_device_t, chr_file, ksm)
++ filetrans_pattern($1, device_t, kvm_device_t, chr_file, kvm)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik0)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik1)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik2)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik3)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik4)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik5)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik6)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik7)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik8)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, lik9)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc0)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc1)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc2)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc3)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc4)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc5)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc6)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc7)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc8)
++ filetrans_pattern($1, device_t, lirc_device_t, chr_file, lirc9)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, lircm)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, logibm)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp0)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp1)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp2)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp3)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp4)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp5)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp6)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp7)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp8)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, lp9)
++ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, mcelog)
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, mem)
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, mergemem)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid0)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid1)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid2)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid3)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid4)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid5)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid6)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid7)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid8)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, mga_vid9)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mice)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, microcode)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, midi9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mixer9)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mmetfgrab)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, modem)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4010)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4011)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4012)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4013)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4014)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4015)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4016)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4017)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4018)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, mpu4019)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr0)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr1)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr2)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr3)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr4)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr5)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr6)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr7)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr8)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, msr9)
++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, vhost)
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, network_latency)
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, network_throughput)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz0)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz1)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz2)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz3)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz4)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz5)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz6)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz7)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz8)
++ filetrans_pattern($1, device_t, modem_device_t, chr_file, noz9)
++ filetrans_pattern($1, device_t, null_device_t, chr_file, null)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia0)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia1)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia2)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia3)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia4)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia5)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia6)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia7)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia8)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, nvidia9)
++ filetrans_pattern($1, device_t, nvram_device_t, chr_file, nvram)
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, oldmem)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, opengl)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par0)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par1)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par2)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par3)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par4)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par5)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par6)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par7)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par8)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, par9)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, pc110pad)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock0)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock1)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock2)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock3)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock4)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock5)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock6)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock7)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock8)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pcfclock9)
++ filetrans_pattern($1, device_t, power_device_t, chr_file, pmu)
++ filetrans_pattern($1, device_t, memory_device_t, chr_file, port)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps0)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps1)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps2)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps3)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps4)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps5)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps6)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps7)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps8)
++ filetrans_pattern($1, device_t, clock_device_t, chr_file, pps9)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, rmidi9)
++ filetrans_pattern($1, device_t, dri_device_t, chr_file, radeon)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio0)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio1)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio2)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio3)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio4)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio5)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio6)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio7)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio8)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, radio9)
++ filetrans_pattern($1, device_t, random_device_t, chr_file, random)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13940)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13941)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13942)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13943)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13944)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13945)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13946)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13947)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13948)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, raw13949)
++ filetrans_pattern($1, device_t, wireless_device_t, chr_file, rfkill)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, sequencer)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, sequencer2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte7)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte8)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, smpte9)
++ filetrans_pattern($1, device_t, power_device_t, chr_file, smu)
++ filetrans_pattern($1, device_t, apm_bios_t, chr_file, snapshot)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, sndstat)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, sonypi)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm0)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm1)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm2)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm3)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm4)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm5)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm6)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm7)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm8)
++ filetrans_pattern($1, device_t, tpm_device_t, chr_file, tpm9)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, uinput)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio0)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio1)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio2)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio3)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio4)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio5)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio6)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio7)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio8)
++ filetrans_pattern($1, device_t, userio_device_t, chr_file, uio9)
++ filetrans_pattern($1, device_t, urandom_device_t, chr_file, urandom)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb0)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb1)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb2)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb3)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb4)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb5)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb6)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb7)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, usb8)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp0)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp1)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp2)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp3)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp4)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp5)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp6)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp7)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp8)
++ filetrans_pattern($1, device_t, printer_device_t, chr_file, usblp9)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon0)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon1)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon2)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon3)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon4)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon5)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon6)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon7)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon8)
++ filetrans_pattern($1, device_t, usbmon_device_t, chr_file, usbmon9)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, usbscanner)
++ filetrans_pattern($1, device_t, vhost_device_t, chr_file, vhost-net)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi0)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi1)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi2)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi3)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi4)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi5)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi6)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi7)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi8)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vbi9)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox0)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox1)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox2)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox3)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox4)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox5)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox6)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox7)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox8)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vbox9)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, vga_arbiter)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmmon)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet0)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet1)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet2)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet3)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet4)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet5)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet6)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet7)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet8)
++ filetrans_pattern($1, device_t, vmware_device_t, chr_file, vmnet9)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video0)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video1)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video2)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video3)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video4)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video5)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video6)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video7)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video8)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, video9)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, vrtpanel)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vttuner)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx0)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx1)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx2)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx3)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx4)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx5)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx6)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx7)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx8)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, vtx9)
++ filetrans_pattern($1, device_t, watchdog_device_t, chr_file, watchdog)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio0)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio1)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio2)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio3)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio4)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio5)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio6)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio7)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio8)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, winradio9)
++ filetrans_pattern($1, device_t, crypt_device_t, chr_file, z90crypt)
++ filetrans_pattern($1, device_t, zero_device_t, chr_file, zero)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card0)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card1)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card2)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card3)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card4)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card5)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card6)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card7)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card8)
++ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, card9)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx0)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx1)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx2)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx3)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx4)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx5)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx6)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx7)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx8)
++ filetrans_pattern($1, device_t, smartcard_device_t, chr_file, cmx9)
++ filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, cpu_dma_latency)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu0)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu1)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu2)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu3)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu4)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu5)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu6)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu7)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu8)
++ filetrans_pattern($1, device_t, cpu_device_t, chr_file, cpu9)
++ filetrans_pattern($1, device_t, mtrr_device_t, chr_file, mtrr)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor0)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor1)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor2)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor3)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor4)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor5)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor6)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor7)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor8)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, sensor9)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m0)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m1)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m2)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m3)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m4)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m5)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m6)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m7)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m8)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, m9)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard0)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard1)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard2)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard3)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard4)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard5)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard6)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard7)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard8)
++ filetrans_pattern($1, device_t, event_device_t, chr_file, keyboard9)
++ filetrans_pattern($1, device_t, lvm_control_t, chr_file, control)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, ucb1x00)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mk712)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx0)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx1)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx2)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx3)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx4)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx5)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx6)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx7)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx8)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, dc2xx9)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8000)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8001)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8002)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8003)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8004)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8005)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8006)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8007)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8008)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, mdc8009)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner0)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner1)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner2)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner3)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner4)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner5)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner6)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner7)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner8)
++ filetrans_pattern($1, device_t, scanner_device_t, chr_file, scanner9)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap0)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap1)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap2)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap3)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap4)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap5)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap6)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap7)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap8)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, blktap9)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, gntdev)
++ filetrans_pattern($1, device_t, xen_device_t, chr_file, gntalloc)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, patmgr0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, patmgr1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd0)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd1)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd2)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd3)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd4)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd5)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd6)
++ filetrans_pattern($1, device_t, sound_device_t, chr_file, srnd7)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk0)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk1)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk2)
++ filetrans_pattern($1, device_t, v4l_device_t, chr_file, tlk3)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, uba)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, ubb)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, ubc)
++')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 3ff4f60..89ffda6 100644
--- a/policy/modules/kernel/devices.te
@@ -14109,7 +14850,7 @@ index 069d36c..78a81b3 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 5001b89..160976e 100644
+index 5001b89..fef153d 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -14129,7 +14870,17 @@ index 5001b89..160976e 100644
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -254,7 +257,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -246,6 +249,9 @@ dev_delete_generic_blk_files(kernel_t)
+ dev_create_generic_chr_files(kernel_t)
+ dev_delete_generic_chr_files(kernel_t)
+ dev_mounton(kernel_t)
++dev_filetrans_all_named_dev(kernel_t)
++storage_filetrans_all_named_dev(kernel_t)
++term_filetrans_all_named_dev(kernel_t)
+
+ # Mount root file system. Used when loading a policy
+ # from initrd, then mounting the root filesystem
+@@ -254,7 +260,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -14139,7 +14890,7 @@ index 5001b89..160976e 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -268,19 +272,28 @@ files_list_root(kernel_t)
+@@ -268,19 +275,28 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -14168,7 +14919,7 @@ index 5001b89..160976e 100644
optional_policy(`
hotplug_search_config(kernel_t)
')
-@@ -296,6 +309,11 @@ optional_policy(`
+@@ -296,6 +312,11 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -14180,7 +14931,7 @@ index 5001b89..160976e 100644
')
optional_policy(`
-@@ -357,6 +375,10 @@ optional_policy(`
+@@ -357,6 +378,10 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -14364,7 +15115,7 @@ index a9b8982..57c4a6a 100644
+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 3723150..d6d1dbe 100644
+index 3723150..aa1ba6a 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -14387,6 +15138,272 @@ index 3723150..d6d1dbe 100644
dev_add_entry_generic_dirs($1)
')
+@@ -807,3 +812,265 @@ interface(`storage_unconfined',`
+
+ typeattribute $1 storage_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## Create all named devices with the correct label
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`storage_filetrans_all_named_dev',`
++
++gen_require(`
++ type tape_device_t;
++ type fixed_disk_device_t;
++ type removable_device_t;
++ type scsi_generic_device_t;
++ type fuse_device_t;
++')
++
++ dev_filetrans($1, tape_device_t, chr_file, ht00)
++ dev_filetrans($1, tape_device_t, chr_file, ht01)
++ dev_filetrans($1, tape_device_t, chr_file, ht02)
++ dev_filetrans($1, tape_device_t, chr_file, ht03)
++ dev_filetrans($1, tape_device_t, chr_file, ht04)
++ dev_filetrans($1, tape_device_t, chr_file, ht05)
++ dev_filetrans($1, tape_device_t, chr_file, ht06)
++ dev_filetrans($1, tape_device_t, chr_file, ht07)
++ dev_filetrans($1, tape_device_t, chr_file, ht08)
++ dev_filetrans($1, tape_device_t, chr_file, ht09)
++ dev_filetrans($1, tape_device_t, chr_file, st00)
++ dev_filetrans($1, tape_device_t, chr_file, st01)
++ dev_filetrans($1, tape_device_t, chr_file, st02)
++ dev_filetrans($1, tape_device_t, chr_file, st03)
++ dev_filetrans($1, tape_device_t, chr_file, st04)
++ dev_filetrans($1, tape_device_t, chr_file, st05)
++ dev_filetrans($1, tape_device_t, chr_file, st06)
++ dev_filetrans($1, tape_device_t, chr_file, st07)
++ dev_filetrans($1, tape_device_t, chr_file, st08)
++ dev_filetrans($1, tape_device_t, chr_file, st09)
++ dev_filetrans($1, tape_device_t, chr_file, qft0)
++ dev_filetrans($1, tape_device_t, chr_file, qft1)
++ dev_filetrans($1, tape_device_t, chr_file, qft2)
++ dev_filetrans($1, tape_device_t, chr_file, qft3)
++ dev_filetrans($1, tape_device_t, chr_file, osst00)
++ dev_filetrans($1, tape_device_t, chr_file, osst01)
++ dev_filetrans($1, tape_device_t, chr_file, osst02)
++ dev_filetrans($1, tape_device_t, chr_file, osst03)
++ dev_filetrans($1, tape_device_t, chr_file, osst04)
++ dev_filetrans($1, tape_device_t, chr_file, osst05)
++ dev_filetrans($1, tape_device_t, chr_file, osst06)
++ dev_filetrans($1, tape_device_t, chr_file, osst07)
++ dev_filetrans($1, tape_device_t, chr_file, osst08)
++ dev_filetrans($1, tape_device_t, chr_file, osst09)
++ dev_filetrans($1, tape_device_t, chr_file, pt0)
++ dev_filetrans($1, tape_device_t, chr_file, pt1)
++ dev_filetrans($1, tape_device_t, chr_file, pt2)
++ dev_filetrans($1, tape_device_t, chr_file, pt3)
++ dev_filetrans($1, tape_device_t, chr_file, pt4)
++ dev_filetrans($1, tape_device_t, chr_file, pt5)
++ dev_filetrans($1, tape_device_t, chr_file, pt6)
++ dev_filetrans($1, tape_device_t, chr_file, pt7)
++ dev_filetrans($1, tape_device_t, chr_file, pt8)
++ dev_filetrans($1, tape_device_t, chr_file, pt9)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic0)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic1)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic2)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic3)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic4)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic5)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic6)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic7)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic8)
++ dev_filetrans($1, tape_device_t, chr_file, tpqic9)
++ dev_filetrans($1, removable_device_t, blk_file, aztcd)
++ dev_filetrans($1, removable_device_t, blk_file, bpcd)
++ dev_filetrans($1, removable_device_t, blk_file, cdu0)
++ dev_filetrans($1, removable_device_t, blk_file, cdu1)
++ dev_filetrans($1, removable_device_t, blk_file, cdu2)
++ dev_filetrans($1, removable_device_t, blk_file, cdu3)
++ dev_filetrans($1, removable_device_t, blk_file, cdu4)
++ dev_filetrans($1, removable_device_t, blk_file, cdu5)
++ dev_filetrans($1, removable_device_t, blk_file, cdu6)
++ dev_filetrans($1, removable_device_t, blk_file, cdu7)
++ dev_filetrans($1, removable_device_t, blk_file, cdu8)
++ dev_filetrans($1, removable_device_t, blk_file, cdu9)
++ dev_filetrans($1, removable_device_t, blk_file, cm200)
++ dev_filetrans($1, removable_device_t, blk_file, cm201)
++ dev_filetrans($1, removable_device_t, blk_file, cm202)
++ dev_filetrans($1, removable_device_t, blk_file, cm203)
++ dev_filetrans($1, removable_device_t, blk_file, cm204)
++ dev_filetrans($1, removable_device_t, blk_file, cm205)
++ dev_filetrans($1, removable_device_t, blk_file, cm206)
++ dev_filetrans($1, removable_device_t, blk_file, cm207)
++ dev_filetrans($1, removable_device_t, blk_file, cm208)
++ dev_filetrans($1, removable_device_t, blk_file, cm209)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-9)
++ dev_filetrans($1, removable_device_t, blk_file, gscd)
++ dev_filetrans($1, removable_device_t, blk_file, hitcd)
++ dev_filetrans($1, tape_device_t, blk_file, ht0)
++ dev_filetrans($1, tape_device_t, blk_file, ht1)
++ dev_filetrans($1, removable_device_t, blk_file, hwcdrom)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, initrd)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, jsfd)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, jsflash)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, loop9)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, lvm)
++ dev_filetrans($1, removable_device_t, blk_file, mcd)
++ dev_filetrans($1, removable_device_t, blk_file, mcdx)
++ dev_filetrans($1, removable_device_t, chr_file, megadev0)
++ dev_filetrans($1, removable_device_t, chr_file, megadev1)
++ dev_filetrans($1, removable_device_t, chr_file, megadev2)
++ dev_filetrans($1, removable_device_t, chr_file, megadev3)
++ dev_filetrans($1, removable_device_t, chr_file, megadev4)
++ dev_filetrans($1, removable_device_t, chr_file, megadev5)
++ dev_filetrans($1, removable_device_t, chr_file, megadev6)
++ dev_filetrans($1, removable_device_t, chr_file, megadev7)
++ dev_filetrans($1, removable_device_t, chr_file, megadev8)
++ dev_filetrans($1, removable_device_t, chr_file, megadev9)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk0)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk1)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk2)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk3)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk4)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk5)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk6)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk7)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk8)
++ dev_filetrans($1, removable_device_t, blk_file, mmcblk9)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk0)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk1)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk2)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk3)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk4)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk5)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk6)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk7)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk8)
++ dev_filetrans($1, removable_device_t, blk_file, mspblk9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, mtd9)
++ dev_filetrans($1, removable_device_t, blk_file, optcd)
++ dev_filetrans($1, removable_device_t, blk_file, pf0)
++ dev_filetrans($1, removable_device_t, blk_file, pf1)
++ dev_filetrans($1, removable_device_t, blk_file, pf2)
++ dev_filetrans($1, removable_device_t, blk_file, pf3)
++ dev_filetrans($1, removable_device_t, blk_file, pg0)
++ dev_filetrans($1, removable_device_t, blk_file, pg1)
++ dev_filetrans($1, removable_device_t, blk_file, pg2)
++ dev_filetrans($1, removable_device_t, blk_file, pg3)
++ dev_filetrans($1, removable_device_t, blk_file, pcd0)
++ dev_filetrans($1, removable_device_t, blk_file, pcd1)
++ dev_filetrans($1, removable_device_t, blk_file, pcd2)
++ dev_filetrans($1, removable_device_t, blk_file, pcd3)
++ dev_filetrans($1, removable_device_t, chr_file, pg0)
++ dev_filetrans($1, removable_device_t, chr_file, pg1)
++ dev_filetrans($1, removable_device_t, chr_file, pg2)
++ dev_filetrans($1, removable_device_t, chr_file, pg3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ps3d9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, rd9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, root)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd0)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd1)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd2)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd3)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd4)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd5)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd6)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd7)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd8)
++ dev_filetrans($1, removable_device_t, blk_file, sbpcd9)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg0)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg1)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg2)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg3)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg4)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg5)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg6)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg7)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg8)
++ dev_filetrans($1, scsi_generic_device_t, chr_file, sg9)
++ dev_filetrans($1, removable_device_t, blk_file, sjcd)
++ dev_filetrans($1, removable_device_t, blk_file, sonycd)
++ dev_filetrans($1, tape_device_t, chr_file, tape0)
++ dev_filetrans($1, tape_device_t, chr_file, tape1)
++ dev_filetrans($1, tape_device_t, chr_file, tape2)
++ dev_filetrans($1, tape_device_t, chr_file, tape3)
++ dev_filetrans($1, tape_device_t, chr_file, tape4)
++ dev_filetrans($1, tape_device_t, chr_file, tape5)
++ dev_filetrans($1, tape_device_t, chr_file, tape6)
++ dev_filetrans($1, tape_device_t, chr_file, tape7)
++ dev_filetrans($1, tape_device_t, chr_file, tape8)
++ dev_filetrans($1, tape_device_t, chr_file, tape9)
++ dev_filetrans($1, fuse_device_t, chr_file, fuse)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, device-mapper)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw0)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw1)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw2)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw3)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw4)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw5)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw6)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw7)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw8)
++ dev_filetrans($1, fixed_disk_device_t, chr_file, raw9)
++ dev_filetrans($1, removable_device_t, chr_file, rio500)
++')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
index 3994e57..a1923fe 100644
--- a/policy/modules/kernel/terminal.fc
@@ -14414,7 +15431,7 @@ index 3994e57..a1923fe 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..f54d681 100644
+index f3acfee..0082923 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -14654,7 +15671,7 @@ index f3acfee..f54d681 100644
')
########################################
-@@ -1475,3 +1578,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1578,382 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -14677,6 +15694,366 @@ index f3acfee..f54d681 100644
+ dev_list_all_dev_nodes($1)
+ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
+')
++
++########################################
++## <summary>
++## Create all named term devices with the correct label
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`term_filetrans_all_named_dev',`
++
++gen_require(`
++ type tty_device_t;
++ type bsdpty_device_t;
++ type console_device_t;
++ type ptmx_t;
++ type devtty_t;
++ type virtio_device_t;
++ type devpts_t;
++ type usbtty_device_t;
++')
++
++ dev_filetrans($1, devtty_t, chr_file, tty)
++ dev_filetrans($1, tty_device_t, chr_file, tty0)
++ dev_filetrans($1, tty_device_t, chr_file, tty1)
++ dev_filetrans($1, tty_device_t, chr_file, tty2)
++ dev_filetrans($1, tty_device_t, chr_file, tty3)
++ dev_filetrans($1, tty_device_t, chr_file, tty4)
++ dev_filetrans($1, tty_device_t, chr_file, tty5)
++ dev_filetrans($1, tty_device_t, chr_file, tty6)
++ dev_filetrans($1, tty_device_t, chr_file, tty7)
++ dev_filetrans($1, tty_device_t, chr_file, tty8)
++ dev_filetrans($1, tty_device_t, chr_file, tty9)
++ dev_filetrans($1, tty_device_t, chr_file, tty10)
++ dev_filetrans($1, tty_device_t, chr_file, tty11)
++ dev_filetrans($1, tty_device_t, chr_file, tty12)
++ dev_filetrans($1, tty_device_t, chr_file, tty13)
++ dev_filetrans($1, tty_device_t, chr_file, tty14)
++ dev_filetrans($1, tty_device_t, chr_file, tty15)
++ dev_filetrans($1, tty_device_t, chr_file, tty16)
++ dev_filetrans($1, tty_device_t, chr_file, tty17)
++ dev_filetrans($1, tty_device_t, chr_file, tty18)
++ dev_filetrans($1, tty_device_t, chr_file, tty19)
++ dev_filetrans($1, tty_device_t, chr_file, tty20)
++ dev_filetrans($1, tty_device_t, chr_file, tty21)
++ dev_filetrans($1, tty_device_t, chr_file, tty22)
++ dev_filetrans($1, tty_device_t, chr_file, tty23)
++ dev_filetrans($1, tty_device_t, chr_file, tty24)
++ dev_filetrans($1, tty_device_t, chr_file, tty25)
++ dev_filetrans($1, tty_device_t, chr_file, tty26)
++ dev_filetrans($1, tty_device_t, chr_file, tty27)
++ dev_filetrans($1, tty_device_t, chr_file, tty28)
++ dev_filetrans($1, tty_device_t, chr_file, tty29)
++ dev_filetrans($1, tty_device_t, chr_file, tty30)
++ dev_filetrans($1, tty_device_t, chr_file, tty31)
++ dev_filetrans($1, tty_device_t, chr_file, tty32)
++ dev_filetrans($1, tty_device_t, chr_file, tty33)
++ dev_filetrans($1, tty_device_t, chr_file, tty34)
++ dev_filetrans($1, tty_device_t, chr_file, tty35)
++ dev_filetrans($1, tty_device_t, chr_file, tty36)
++ dev_filetrans($1, tty_device_t, chr_file, tty37)
++ dev_filetrans($1, tty_device_t, chr_file, tty38)
++ dev_filetrans($1, tty_device_t, chr_file, tty39)
++ dev_filetrans($1, tty_device_t, chr_file, tty40)
++ dev_filetrans($1, tty_device_t, chr_file, tty41)
++ dev_filetrans($1, tty_device_t, chr_file, tty42)
++ dev_filetrans($1, tty_device_t, chr_file, tty43)
++ dev_filetrans($1, tty_device_t, chr_file, tty44)
++ dev_filetrans($1, tty_device_t, chr_file, tty45)
++ dev_filetrans($1, tty_device_t, chr_file, tty46)
++ dev_filetrans($1, tty_device_t, chr_file, tty47)
++ dev_filetrans($1, tty_device_t, chr_file, tty48)
++ dev_filetrans($1, tty_device_t, chr_file, tty49)
++ dev_filetrans($1, tty_device_t, chr_file, tty50)
++ dev_filetrans($1, tty_device_t, chr_file, tty51)
++ dev_filetrans($1, tty_device_t, chr_file, tty52)
++ dev_filetrans($1, tty_device_t, chr_file, tty53)
++ dev_filetrans($1, tty_device_t, chr_file, tty54)
++ dev_filetrans($1, tty_device_t, chr_file, tty55)
++ dev_filetrans($1, tty_device_t, chr_file, tty56)
++ dev_filetrans($1, tty_device_t, chr_file, tty57)
++ dev_filetrans($1, tty_device_t, chr_file, tty58)
++ dev_filetrans($1, tty_device_t, chr_file, tty59)
++ dev_filetrans($1, tty_device_t, chr_file, tty60)
++ dev_filetrans($1, tty_device_t, chr_file, tty61)
++ dev_filetrans($1, tty_device_t, chr_file, tty62)
++ dev_filetrans($1, tty_device_t, chr_file, tty63)
++ dev_filetrans($1, tty_device_t, chr_file, tty64)
++ dev_filetrans($1, tty_device_t, chr_file, tty65)
++ dev_filetrans($1, tty_device_t, chr_file, tty66)
++ dev_filetrans($1, tty_device_t, chr_file, tty67)
++ dev_filetrans($1, tty_device_t, chr_file, tty68)
++ dev_filetrans($1, tty_device_t, chr_file, tty69)
++ dev_filetrans($1, tty_device_t, chr_file, tty70)
++ dev_filetrans($1, tty_device_t, chr_file, tty71)
++ dev_filetrans($1, tty_device_t, chr_file, tty72)
++ dev_filetrans($1, tty_device_t, chr_file, tty73)
++ dev_filetrans($1, tty_device_t, chr_file, tty74)
++ dev_filetrans($1, tty_device_t, chr_file, tty75)
++ dev_filetrans($1, tty_device_t, chr_file, tty76)
++ dev_filetrans($1, tty_device_t, chr_file, tty77)
++ dev_filetrans($1, tty_device_t, chr_file, tty78)
++ dev_filetrans($1, tty_device_t, chr_file, tty79)
++ dev_filetrans($1, tty_device_t, chr_file, tty80)
++ dev_filetrans($1, tty_device_t, chr_file, tty81)
++ dev_filetrans($1, tty_device_t, chr_file, tty82)
++ dev_filetrans($1, tty_device_t, chr_file, tty83)
++ dev_filetrans($1, tty_device_t, chr_file, tty84)
++ dev_filetrans($1, tty_device_t, chr_file, tty85)
++ dev_filetrans($1, tty_device_t, chr_file, tty86)
++ dev_filetrans($1, tty_device_t, chr_file, tty87)
++ dev_filetrans($1, tty_device_t, chr_file, tty88)
++ dev_filetrans($1, tty_device_t, chr_file, tty89)
++ dev_filetrans($1, tty_device_t, chr_file, tty90)
++ dev_filetrans($1, tty_device_t, chr_file, tty91)
++ dev_filetrans($1, tty_device_t, chr_file, tty92)
++ dev_filetrans($1, tty_device_t, chr_file, tty93)
++ dev_filetrans($1, tty_device_t, chr_file, tty94)
++ dev_filetrans($1, tty_device_t, chr_file, tty95)
++ dev_filetrans($1, tty_device_t, chr_file, tty96)
++ dev_filetrans($1, tty_device_t, chr_file, tty97)
++ dev_filetrans($1, tty_device_t, chr_file, tty98)
++ dev_filetrans($1, tty_device_t, chr_file, tty99)
++ dev_filetrans($1, tty_device_t, chr_file, pty)
++ dev_filetrans($1, tty_device_t, chr_file, pty0)
++ dev_filetrans($1, tty_device_t, chr_file, pty1)
++ dev_filetrans($1, tty_device_t, chr_file, pty2)
++ dev_filetrans($1, tty_device_t, chr_file, pty3)
++ dev_filetrans($1, tty_device_t, chr_file, pty4)
++ dev_filetrans($1, tty_device_t, chr_file, pty5)
++ dev_filetrans($1, tty_device_t, chr_file, pty6)
++ dev_filetrans($1, tty_device_t, chr_file, pty7)
++ dev_filetrans($1, tty_device_t, chr_file, pty8)
++ dev_filetrans($1, tty_device_t, chr_file, pty9)
++ dev_filetrans($1, tty_device_t, chr_file, pty10)
++ dev_filetrans($1, tty_device_t, chr_file, pty11)
++ dev_filetrans($1, tty_device_t, chr_file, pty12)
++ dev_filetrans($1, tty_device_t, chr_file, pty13)
++ dev_filetrans($1, tty_device_t, chr_file, pty14)
++ dev_filetrans($1, tty_device_t, chr_file, pty15)
++ dev_filetrans($1, tty_device_t, chr_file, pty16)
++ dev_filetrans($1, tty_device_t, chr_file, pty17)
++ dev_filetrans($1, tty_device_t, chr_file, pty18)
++ dev_filetrans($1, tty_device_t, chr_file, pty19)
++ dev_filetrans($1, tty_device_t, chr_file, pty20)
++ dev_filetrans($1, tty_device_t, chr_file, pty21)
++ dev_filetrans($1, tty_device_t, chr_file, pty22)
++ dev_filetrans($1, tty_device_t, chr_file, pty23)
++ dev_filetrans($1, tty_device_t, chr_file, pty24)
++ dev_filetrans($1, tty_device_t, chr_file, pty25)
++ dev_filetrans($1, tty_device_t, chr_file, pty26)
++ dev_filetrans($1, tty_device_t, chr_file, pty27)
++ dev_filetrans($1, tty_device_t, chr_file, pty28)
++ dev_filetrans($1, tty_device_t, chr_file, pty29)
++ dev_filetrans($1, tty_device_t, chr_file, pty30)
++ dev_filetrans($1, tty_device_t, chr_file, pty31)
++ dev_filetrans($1, tty_device_t, chr_file, pty32)
++ dev_filetrans($1, tty_device_t, chr_file, pty33)
++ dev_filetrans($1, tty_device_t, chr_file, pty34)
++ dev_filetrans($1, tty_device_t, chr_file, pty35)
++ dev_filetrans($1, tty_device_t, chr_file, pty36)
++ dev_filetrans($1, tty_device_t, chr_file, pty37)
++ dev_filetrans($1, tty_device_t, chr_file, pty38)
++ dev_filetrans($1, tty_device_t, chr_file, pty39)
++ dev_filetrans($1, tty_device_t, chr_file, pty40)
++ dev_filetrans($1, tty_device_t, chr_file, pty41)
++ dev_filetrans($1, tty_device_t, chr_file, pty42)
++ dev_filetrans($1, tty_device_t, chr_file, pty43)
++ dev_filetrans($1, tty_device_t, chr_file, pty44)
++ dev_filetrans($1, tty_device_t, chr_file, pty45)
++ dev_filetrans($1, tty_device_t, chr_file, pty46)
++ dev_filetrans($1, tty_device_t, chr_file, pty47)
++ dev_filetrans($1, tty_device_t, chr_file, pty48)
++ dev_filetrans($1, tty_device_t, chr_file, pty49)
++ dev_filetrans($1, tty_device_t, chr_file, pty50)
++ dev_filetrans($1, tty_device_t, chr_file, pty51)
++ dev_filetrans($1, tty_device_t, chr_file, pty52)
++ dev_filetrans($1, tty_device_t, chr_file, pty53)
++ dev_filetrans($1, tty_device_t, chr_file, pty54)
++ dev_filetrans($1, tty_device_t, chr_file, pty55)
++ dev_filetrans($1, tty_device_t, chr_file, pty56)
++ dev_filetrans($1, tty_device_t, chr_file, pty57)
++ dev_filetrans($1, tty_device_t, chr_file, pty58)
++ dev_filetrans($1, tty_device_t, chr_file, pty59)
++ dev_filetrans($1, tty_device_t, chr_file, pty60)
++ dev_filetrans($1, tty_device_t, chr_file, pty61)
++ dev_filetrans($1, tty_device_t, chr_file, pty62)
++ dev_filetrans($1, tty_device_t, chr_file, pty63)
++ dev_filetrans($1, tty_device_t, chr_file, pty64)
++ dev_filetrans($1, tty_device_t, chr_file, pty65)
++ dev_filetrans($1, tty_device_t, chr_file, pty66)
++ dev_filetrans($1, tty_device_t, chr_file, pty67)
++ dev_filetrans($1, tty_device_t, chr_file, pty68)
++ dev_filetrans($1, tty_device_t, chr_file, pty69)
++ dev_filetrans($1, tty_device_t, chr_file, pty70)
++ dev_filetrans($1, tty_device_t, chr_file, pty71)
++ dev_filetrans($1, tty_device_t, chr_file, pty72)
++ dev_filetrans($1, tty_device_t, chr_file, pty73)
++ dev_filetrans($1, tty_device_t, chr_file, pty74)
++ dev_filetrans($1, tty_device_t, chr_file, pty75)
++ dev_filetrans($1, tty_device_t, chr_file, pty76)
++ dev_filetrans($1, tty_device_t, chr_file, pty77)
++ dev_filetrans($1, tty_device_t, chr_file, pty78)
++ dev_filetrans($1, tty_device_t, chr_file, pty79)
++ dev_filetrans($1, tty_device_t, chr_file, pty80)
++ dev_filetrans($1, tty_device_t, chr_file, pty81)
++ dev_filetrans($1, tty_device_t, chr_file, pty82)
++ dev_filetrans($1, tty_device_t, chr_file, pty83)
++ dev_filetrans($1, tty_device_t, chr_file, pty84)
++ dev_filetrans($1, tty_device_t, chr_file, pty85)
++ dev_filetrans($1, tty_device_t, chr_file, pty86)
++ dev_filetrans($1, tty_device_t, chr_file, pty87)
++ dev_filetrans($1, tty_device_t, chr_file, pty88)
++ dev_filetrans($1, tty_device_t, chr_file, pty89)
++ dev_filetrans($1, tty_device_t, chr_file, pty90)
++ dev_filetrans($1, tty_device_t, chr_file, pty91)
++ dev_filetrans($1, tty_device_t, chr_file, pty92)
++ dev_filetrans($1, tty_device_t, chr_file, pty93)
++ dev_filetrans($1, tty_device_t, chr_file, pty94)
++ dev_filetrans($1, tty_device_t, chr_file, pty95)
++ dev_filetrans($1, tty_device_t, chr_file, pty96)
++ dev_filetrans($1, tty_device_t, chr_file, pty97)
++ dev_filetrans($1, tty_device_t, chr_file, pty98)
++ dev_filetrans($1, tty_device_t, chr_file, pty99)
++ dev_filetrans($1, tty_device_t, chr_file, adb0)
++ dev_filetrans($1, tty_device_t, chr_file, adb1)
++ dev_filetrans($1, tty_device_t, chr_file, adb2)
++ dev_filetrans($1, tty_device_t, chr_file, adb3)
++ dev_filetrans($1, tty_device_t, chr_file, adb4)
++ dev_filetrans($1, tty_device_t, chr_file, adb5)
++ dev_filetrans($1, tty_device_t, chr_file, adb6)
++ dev_filetrans($1, tty_device_t, chr_file, adb7)
++ dev_filetrans($1, tty_device_t, chr_file, adb8)
++ dev_filetrans($1, tty_device_t, chr_file, adb9)
++ dev_filetrans($1, tty_device_t, chr_file, capi0)
++ dev_filetrans($1, tty_device_t, chr_file, capi1)
++ dev_filetrans($1, tty_device_t, chr_file, capi2)
++ dev_filetrans($1, tty_device_t, chr_file, capi3)
++ dev_filetrans($1, tty_device_t, chr_file, capi4)
++ dev_filetrans($1, tty_device_t, chr_file, capi5)
++ dev_filetrans($1, tty_device_t, chr_file, capi6)
++ dev_filetrans($1, tty_device_t, chr_file, capi7)
++ dev_filetrans($1, tty_device_t, chr_file, capi8)
++ dev_filetrans($1, tty_device_t, chr_file, capi9)
++ dev_filetrans($1, console_device_t, chr_file, console)
++ dev_filetrans($1, tty_device_t, chr_file, cu0)
++ dev_filetrans($1, tty_device_t, chr_file, cu1)
++ dev_filetrans($1, tty_device_t, chr_file, cu2)
++ dev_filetrans($1, tty_device_t, chr_file, cu3)
++ dev_filetrans($1, tty_device_t, chr_file, cu4)
++ dev_filetrans($1, tty_device_t, chr_file, cu5)
++ dev_filetrans($1, tty_device_t, chr_file, cu6)
++ dev_filetrans($1, tty_device_t, chr_file, cu7)
++ dev_filetrans($1, tty_device_t, chr_file, cu8)
++ dev_filetrans($1, tty_device_t, chr_file, cu9)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri0)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri1)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri2)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri3)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri4)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri5)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri6)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri7)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri8)
++ dev_filetrans($1, tty_device_t, chr_file, dcbri9)
++ dev_filetrans($1, tty_device_t, chr_file, hvc0)
++ dev_filetrans($1, tty_device_t, chr_file, hvc1)
++ dev_filetrans($1, tty_device_t, chr_file, hvc2)
++ dev_filetrans($1, tty_device_t, chr_file, hvc3)
++ dev_filetrans($1, tty_device_t, chr_file, hvc4)
++ dev_filetrans($1, tty_device_t, chr_file, hvc5)
++ dev_filetrans($1, tty_device_t, chr_file, hvc6)
++ dev_filetrans($1, tty_device_t, chr_file, hvc7)
++ dev_filetrans($1, tty_device_t, chr_file, hvc8)
++ dev_filetrans($1, tty_device_t, chr_file, hvc9)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi0)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi1)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi2)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi3)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi4)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi5)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi6)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi7)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi8)
++ dev_filetrans($1, tty_device_t, chr_file, hvsi9)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm0)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm1)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm2)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm3)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm4)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm5)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm6)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm7)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm8)
++ dev_filetrans($1, tty_device_t, chr_file, ircomm9)
++ dev_filetrans($1, tty_device_t, chr_file, isdn0)
++ dev_filetrans($1, tty_device_t, chr_file, isdn1)
++ dev_filetrans($1, tty_device_t, chr_file, isdn2)
++ dev_filetrans($1, tty_device_t, chr_file, isdn3)
++ dev_filetrans($1, tty_device_t, chr_file, isdn4)
++ dev_filetrans($1, tty_device_t, chr_file, isdn5)
++ dev_filetrans($1, tty_device_t, chr_file, isdn6)
++ dev_filetrans($1, tty_device_t, chr_file, isdn7)
++ dev_filetrans($1, tty_device_t, chr_file, isdn8)
++ dev_filetrans($1, tty_device_t, chr_file, isdn9)
++ dev_filetrans($1, ptmx_t, chr_file, ptmx)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm0)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm1)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm2)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm3)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm4)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm5)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm6)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm7)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm8)
++ dev_filetrans($1, tty_device_t, chr_file, rfcomm9)
++ dev_filetrans($1, tty_device_t, chr_file, slamr0)
++ dev_filetrans($1, tty_device_t, chr_file, slamr1)
++ dev_filetrans($1, tty_device_t, chr_file, slamr2)
++ dev_filetrans($1, tty_device_t, chr_file, slamr3)
++ dev_filetrans($1, tty_device_t, chr_file, slamr4)
++ dev_filetrans($1, tty_device_t, chr_file, slamr5)
++ dev_filetrans($1, tty_device_t, chr_file, slamr6)
++ dev_filetrans($1, tty_device_t, chr_file, slamr7)
++ dev_filetrans($1, tty_device_t, chr_file, slamr8)
++ dev_filetrans($1, tty_device_t, chr_file, slamr9)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG0)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG1)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG2)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG3)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG4)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG5)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG6)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG7)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG8)
++ dev_filetrans($1, tty_device_t, chr_file, ttySG9)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p0)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p1)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p2)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p3)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p4)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p5)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p6)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p7)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p8)
++ dev_filetrans($1, virtio_device_t, chr_file, vport0p9)
++ dev_filetrans($1, devpts_t, dir, pts)
++ dev_filetrans($1, tty_device_t, chr_file, xvc0)
++ dev_filetrans($1, tty_device_t, chr_file, xvc1)
++ dev_filetrans($1, tty_device_t, chr_file, xvc2)
++ dev_filetrans($1, tty_device_t, chr_file, xvc3)
++ dev_filetrans($1, tty_device_t, chr_file, xvc4)
++ dev_filetrans($1, tty_device_t, chr_file, xvc5)
++ dev_filetrans($1, tty_device_t, chr_file, xvc6)
++ dev_filetrans($1, tty_device_t, chr_file, xvc7)
++ dev_filetrans($1, tty_device_t, chr_file, xvc8)
++ dev_filetrans($1, tty_device_t, chr_file, xvc9)
++')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 361692e..0f09fb5 100644
--- a/policy/modules/kernel/terminal.te
@@ -15028,10 +16405,10 @@ index 2be17d2..7ccb554 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..6b0999e 100644
+index 4a8d146..4d02bae 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,56 @@ ifndef(`enable_mls',`
#
# Local policy
#
@@ -15043,6 +16420,10 @@ index 4a8d146..6b0999e 100644
+
+files_read_kernel_modules(sysadm_t)
+
++dev_filetrans_all_named_dev(sysadm_t)
++storage_filetrans_all_named_dev(sysadm_t)
++term_filetrans_all_named_dev(sysadm_t)
++
mls_process_read_up(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
@@ -15061,6 +16442,12 @@ index 4a8d146..6b0999e 100644
+init_script_role_transition(sysadm_r)
+
+miscfiles_read_hwdata(sysadm_t)
++
++sysnet_etc_filetrans_config(sysadm_t, resolv.conf)
++sysnet_etc_filetrans_config(sysadm_t, denyhosts)
++sysnet_etc_filetrans_config(sysadm_t, hosts)
++sysnet_etc_filetrans_config(sysadm_t, ethers)
++sysnet_etc_filetrans_config(sysadm_t, yp.conf)
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
@@ -15070,10 +16457,15 @@ index 4a8d146..6b0999e 100644
+userdom_manage_user_tmp_symlinks(sysadm_t)
+userdom_manage_user_tmp_chr_files(sysadm_t)
+userdom_manage_user_tmp_blk_files(sysadm_t)
++
++optional_policy(`
++ ssh_user_home_dir_filetrans(sysadm_t)
++ ssh_admin_home_dir_filetrans(sysadm_t)
++')
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +91,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
@@ -15081,7 +16473,7 @@ index 4a8d146..6b0999e 100644
')
tunable_policy(`allow_ptrace',`
-@@ -69,7 +91,6 @@ optional_policy(`
+@@ -69,7 +106,6 @@ optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -15089,7 +16481,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -98,6 +119,10 @@ optional_policy(`
+@@ -98,6 +134,10 @@ optional_policy(`
')
optional_policy(`
@@ -15100,7 +16492,7 @@ index 4a8d146..6b0999e 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -114,7 +139,7 @@ optional_policy(`
+@@ -114,7 +154,7 @@ optional_policy(`
')
optional_policy(`
@@ -15109,7 +16501,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -124,6 +149,10 @@ optional_policy(`
+@@ -124,6 +164,10 @@ optional_policy(`
')
optional_policy(`
@@ -15120,7 +16512,7 @@ index 4a8d146..6b0999e 100644
ddcprobe_run(sysadm_t, sysadm_r)
')
-@@ -163,6 +192,13 @@ optional_policy(`
+@@ -163,6 +207,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -15134,7 +16526,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -170,15 +206,15 @@ optional_policy(`
+@@ -170,15 +221,15 @@ optional_policy(`
')
optional_policy(`
@@ -15153,7 +16545,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -198,18 +234,12 @@ optional_policy(`
+@@ -198,18 +249,12 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -15174,7 +16566,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -225,6 +255,10 @@ optional_policy(`
+@@ -225,6 +270,10 @@ optional_policy(`
')
optional_policy(`
@@ -15185,7 +16577,7 @@ index 4a8d146..6b0999e 100644
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -253,7 +287,7 @@ optional_policy(`
+@@ -253,7 +302,7 @@ optional_policy(`
')
optional_policy(`
@@ -15194,7 +16586,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -265,20 +299,14 @@ optional_policy(`
+@@ -265,20 +314,14 @@ optional_policy(`
')
optional_policy(`
@@ -15216,7 +16608,7 @@ index 4a8d146..6b0999e 100644
optional_policy(`
rsync_exec(sysadm_t)
-@@ -307,7 +335,7 @@ optional_policy(`
+@@ -307,7 +350,7 @@ optional_policy(`
')
optional_policy(`
@@ -15225,7 +16617,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -332,10 +360,6 @@ optional_policy(`
+@@ -332,10 +375,6 @@ optional_policy(`
')
optional_policy(`
@@ -15236,7 +16628,7 @@ index 4a8d146..6b0999e 100644
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +367,15 @@ optional_policy(`
+@@ -343,19 +382,15 @@ optional_policy(`
')
optional_policy(`
@@ -15258,7 +16650,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -367,17 +387,14 @@ optional_policy(`
+@@ -367,17 +402,14 @@ optional_policy(`
')
optional_policy(`
@@ -15278,7 +16670,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -389,7 +406,7 @@ optional_policy(`
+@@ -389,7 +421,7 @@ optional_policy(`
')
optional_policy(`
@@ -15287,7 +16679,7 @@ index 4a8d146..6b0999e 100644
')
optional_policy(`
-@@ -404,8 +421,15 @@ optional_policy(`
+@@ -404,8 +436,15 @@ optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
@@ -15303,7 +16695,7 @@ index 4a8d146..6b0999e 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -452,5 +476,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +491,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
@@ -16074,10 +17466,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..805d0ea
+index 0000000..33c88a7
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,519 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -16166,6 +17558,21 @@ index 0000000..805d0ea
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
++dev_filetrans_all_named_dev(unconfined_t)
++storage_filetrans_all_named_dev(unconfined_t)
++term_filetrans_all_named_dev(unconfined_t)
++
++sysnet_etc_filetrans_config(unconfined_t, resolv.conf)
++sysnet_etc_filetrans_config(unconfined_t, denyhosts)
++sysnet_etc_filetrans_config(unconfined_t, hosts)
++sysnet_etc_filetrans_config(unconfined_t, ethers)
++sysnet_etc_filetrans_config(unconfined_t, yp.conf)
++
++optional_policy(`
++ ssh_user_home_dir_filetrans(unconfined_t)
++ ssh_admin_home_dir_filetrans(unconfined_t)
++')
++
+mcs_killall(unconfined_t)
+mcs_ptrace_all(unconfined_t)
+mls_file_write_all_levels(unconfined_t)
@@ -16310,6 +17717,7 @@ index 0000000..805d0ea
+
+optional_policy(`
+ apache_run_helper(unconfined_t, unconfined_r)
++ apache_filetrans_home_content(unconfined_t)
+')
+
+optional_policy(`
@@ -17919,7 +19327,7 @@ index 9e39aa5..ec27284 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..09c61a0 100644
+index 6480167..a729492 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -18100,16 +19508,17 @@ index 6480167..09c61a0 100644
manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
-@@ -248,6 +244,8 @@ interface(`apache_role',`
+@@ -248,6 +244,9 @@ interface(`apache_role',`
relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
+ apache_exec_modules($2)
++ apache_filetrans_home_content($2)
+
tunable_policy(`httpd_enable_cgi',`
# If a user starts a script by hand it gets the proper context
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
-@@ -317,6 +315,25 @@ interface(`apache_domtrans',`
+@@ -317,6 +316,25 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
')
@@ -18135,7 +19544,7 @@ index 6480167..09c61a0 100644
#######################################
## <summary>
## Send a generic signal to apache.
-@@ -405,7 +422,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
+@@ -405,7 +423,7 @@ interface(`apache_dontaudit_rw_fifo_file',`
type httpd_t;
')
@@ -18144,7 +19553,7 @@ index 6480167..09c61a0 100644
')
########################################
-@@ -487,7 +504,7 @@ interface(`apache_setattr_cache_dirs',`
+@@ -487,7 +505,7 @@ interface(`apache_setattr_cache_dirs',`
type httpd_cache_t;
')
@@ -18153,7 +19562,7 @@ index 6480167..09c61a0 100644
')
########################################
-@@ -531,6 +548,25 @@ interface(`apache_rw_cache_files',`
+@@ -531,6 +549,25 @@ interface(`apache_rw_cache_files',`
########################################
## <summary>
## Allow the specified domain to delete
@@ -18179,7 +19588,7 @@ index 6480167..09c61a0 100644
## Apache cache.
## </summary>
## <param name="domain">
-@@ -549,6 +585,26 @@ interface(`apache_delete_cache_files',`
+@@ -549,6 +586,26 @@ interface(`apache_delete_cache_files',`
########################################
## <summary>
@@ -18206,7 +19615,7 @@ index 6480167..09c61a0 100644
## Allow the specified domain to read
## apache configuration files.
## </summary>
-@@ -699,7 +755,7 @@ interface(`apache_dontaudit_append_log',`
+@@ -699,7 +756,7 @@ interface(`apache_dontaudit_append_log',`
type httpd_log_t;
')
@@ -18215,7 +19624,7 @@ index 6480167..09c61a0 100644
')
########################################
-@@ -745,6 +801,25 @@ interface(`apache_dontaudit_search_modules',`
+@@ -745,6 +802,25 @@ interface(`apache_dontaudit_search_modules',`
########################################
## <summary>
@@ -18241,7 +19650,7 @@ index 6480167..09c61a0 100644
## Allow the specified domain to list
## the contents of the apache modules
## directory.
-@@ -761,6 +836,7 @@ interface(`apache_list_modules',`
+@@ -761,6 +837,7 @@ interface(`apache_list_modules',`
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -18249,7 +19658,7 @@ index 6480167..09c61a0 100644
')
########################################
-@@ -819,6 +895,7 @@ interface(`apache_list_sys_content',`
+@@ -819,6 +896,7 @@ interface(`apache_list_sys_content',`
')
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
@@ -18257,7 +19666,7 @@ index 6480167..09c61a0 100644
files_search_var($1)
')
-@@ -846,6 +923,74 @@ interface(`apache_manage_sys_content',`
+@@ -846,6 +924,74 @@ interface(`apache_manage_sys_content',`
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
')
@@ -18332,7 +19741,7 @@ index 6480167..09c61a0 100644
########################################
## <summary>
## Execute all web scripts in the system
-@@ -862,7 +1007,11 @@ interface(`apache_manage_sys_content',`
+@@ -862,7 +1008,11 @@ interface(`apache_manage_sys_content',`
interface(`apache_domtrans_sys_script',`
gen_require(`
attribute httpdcontent;
@@ -18345,7 +19754,7 @@ index 6480167..09c61a0 100644
')
tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -921,9 +1070,10 @@ interface(`apache_domtrans_all_scripts',`
+@@ -921,9 +1071,10 @@ interface(`apache_domtrans_all_scripts',`
## </param>
## <param name="role">
## <summary>
@@ -18357,7 +19766,7 @@ index 6480167..09c61a0 100644
#
interface(`apache_run_all_scripts',`
gen_require(`
-@@ -950,7 +1100,7 @@ interface(`apache_read_squirrelmail_data',`
+@@ -950,7 +1101,7 @@ interface(`apache_read_squirrelmail_data',`
type httpd_squirrelmail_t;
')
@@ -18366,7 +19775,7 @@ index 6480167..09c61a0 100644
')
########################################
-@@ -1091,6 +1241,25 @@ interface(`apache_read_tmp_files',`
+@@ -1091,6 +1242,25 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -18392,7 +19801,7 @@ index 6480167..09c61a0 100644
########################################
## <summary>
## Dontaudit attempts to write
-@@ -1107,7 +1276,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1107,7 +1277,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -18401,7 +19810,7 @@ index 6480167..09c61a0 100644
')
########################################
-@@ -1170,17 +1339,14 @@ interface(`apache_cgi_domain',`
+@@ -1170,17 +1340,14 @@ interface(`apache_cgi_domain',`
#
interface(`apache_admin',`
gen_require(`
@@ -18423,7 +19832,7 @@ index 6480167..09c61a0 100644
ps_process_pattern($1, httpd_t)
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
-@@ -1191,10 +1357,10 @@ interface(`apache_admin',`
+@@ -1191,10 +1358,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
@@ -18436,7 +19845,7 @@ index 6480167..09c61a0 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1371,43 @@ interface(`apache_admin',`
+@@ -1205,14 +1372,63 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -18484,6 +19893,26 @@ index 6480167..09c61a0 100644
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
+ dontaudit $1 httpd_tmp_t:file { read write };
++')
++
++########################################
++## <summary>
++## Transition to apache named content
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`apache_filetrans_home_content',`
++ gen_require(`
++ type httpd_user_content_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, public_html)
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, www)
++ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, web)
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 3136c6a..1bf05a6 100644
@@ -29218,7 +30647,7 @@ index 3525d24..923e979 100644
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..65fdeb0 100644
+index 604f67b..f5de0a2 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -29299,15 +30728,20 @@ index 604f67b..65fdeb0 100644
kerberos_read_keytab($2)
kerberos_use($2)
-@@ -289,6 +307,7 @@ interface(`kerberos_manage_host_rcache',`
+@@ -289,6 +307,12 @@ interface(`kerberos_manage_host_rcache',`
seutil_read_file_contexts($1)
++<<<<<<< HEAD
++ files_rw_tmp_dirs($1)
++||||||| merged common ancestors
++=======
+ files_rw_generic_tmp_dir($1)
++>>>>>>> fc09d81ec7c51e42fe3d0ce894bc530645f46456
allow $1 krb5_host_rcache_t:file manage_file_perms;
files_search_tmp($1)
')
-@@ -296,28 +315,6 @@ interface(`kerberos_manage_host_rcache',`
+@@ -296,28 +320,6 @@ interface(`kerberos_manage_host_rcache',`
########################################
## <summary>
@@ -29336,7 +30770,7 @@ index 604f67b..65fdeb0 100644
## All of the rules required to administrate
## an kerberos environment
## </summary>
-@@ -338,9 +335,8 @@ interface(`kerberos_admin',`
+@@ -338,9 +340,8 @@ interface(`kerberos_admin',`
type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -29347,7 +30781,7 @@ index 604f67b..65fdeb0 100644
')
allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +374,41 @@ interface(`kerberos_admin',`
+@@ -378,3 +379,41 @@ interface(`kerberos_admin',`
admin_pattern($1, krb5kdc_var_run_t)
')
@@ -42774,7 +44208,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..68ad7a7 100644
+index 22adaca..e064fd6 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -43090,7 +44524,7 @@ index 22adaca..68ad7a7 100644
')
######################################
-@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +794,59 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -43112,6 +44546,44 @@ index 22adaca..68ad7a7 100644
+
+ allow $1 sshd_t:process signull;
+')
++
++########################################
++## <summary>
++## Create .sshd directory in the /root directory
++## with an correct label.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_admin_home_dir_filetrans',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ userdom_admin_home_dir_filetrans($1, ssh_home_t, dir, .ssh)
++')
++
++########################################
++## <summary>
++## Create .sshd directory in the /root directory
++## with an correct label.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_user_home_dir_filetrans',`
++ gen_require(`
++ type ssh_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, ssh_home_t, dir, .ssh)
++')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2dad3c8..c71bdb9 100644
--- a/policy/modules/services/ssh.te
@@ -44623,7 +46095,7 @@ index 32a3c13..7baeb6f 100644
optional_policy(`
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..6546d6e 100644
+index 2124b6a..1b33cbb 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,4 +1,5 @@
@@ -44633,7 +46105,7 @@ index 2124b6a..6546d6e 100644
HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-@@ -13,17 +14,19 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -13,17 +14,25 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
@@ -44656,6 +46128,12 @@ index 2124b6a..6546d6e 100644
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++
++# support for AEOLUS project
++/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
++/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
++/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
++/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 7c5d8d8..b961fd7 100644
--- a/policy/modules/services/virt.if
@@ -48292,10 +49770,10 @@ index c26ecf5..b906c48 100644
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
new file mode 100644
-index 0000000..56cb5af
+index 0000000..72059b2
--- /dev/null
+++ b/policy/modules/services/zarafa.fc
-@@ -0,0 +1,27 @@
+@@ -0,0 +1,29 @@
+
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+
@@ -48311,6 +49789,8 @@ index 0000000..56cb5af
+
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
+
++/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0)
++
+/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
+/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
+/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
@@ -48453,10 +49933,10 @@ index 0000000..8a909f5
+')
diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
new file mode 100644
-index 0000000..6b80580
+index 0000000..fec9997
--- /dev/null
+++ b/policy/modules/services/zarafa.te
-@@ -0,0 +1,127 @@
+@@ -0,0 +1,141 @@
+policy_module(zarafa, 1.0.0)
+
+########################################
@@ -48476,6 +49956,12 @@ index 0000000..6b80580
+type zarafa_deliver_tmp_t;
+files_tmp_file(zarafa_deliver_tmp_t)
+
++type zarafa_server_tmp_t;
++files_tmp_file(zarafa_server_tmp_t)
++
++type zarafa_var_lib_t;
++files_tmp_file(zarafa_var_lib_t)
++
+type zarafa_etc_t;
+files_config_file(zarafa_etc_t)
+
@@ -48500,7 +49986,15 @@ index 0000000..6b80580
+#
+
+allow zarafa_server_t self:capability { chown kill net_bind_service };
-+allow zarafa_server_t self:process { setrlimit signal };
++allow zarafa_server_t self:process setrlimit;
++
++manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
++manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
++files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
++
++manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
++manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
++files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
+
+corenet_tcp_bind_zarafa_port(zarafa_server_t)
+
@@ -48525,7 +50019,6 @@ index 0000000..6b80580
+#
+
+allow zarafa_spooler_t self:capability { chown kill };
-+allow zarafa_spooler_t self:process signal;
+
+can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
+
@@ -48537,7 +50030,7 @@ index 0000000..6b80580
+#
+
+allow zarafa_gateway_t self:capability { chown kill };
-+allow zarafa_gateway_t self:process { setrlimit signal };
++allow zarafa_gateway_t self:process setrlimit;
+
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
+
@@ -48564,6 +50057,7 @@ index 0000000..6b80580
+
+# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { dac_override setgid setuid };
++allow zarafa_domain self:process signal;
+allow zarafa_domain self:fifo_file rw_fifo_file_perms;
+allow zarafa_domain self:tcp_socket create_stream_socket_perms;
+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
@@ -50544,7 +52038,7 @@ index cc83689..e83c909 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..0bdb8d8 100644
+index ea29513..44cd32f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -51058,8 +52552,14 @@ index ea29513..0bdb8d8 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -524,6 +727,23 @@ ifdef(`distro_redhat',`
+@@ -522,8 +725,29 @@ ifdef(`distro_redhat',`
+ ')
+
optional_policy(`
++ abrt_manage_pid_files(initrc_t)
++ ')
++
++ optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
+ bind_setattr_zone_dirs(initrc_t)
@@ -51082,7 +52582,7 @@ index ea29513..0bdb8d8 100644
')
optional_policy(`
-@@ -531,10 +751,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +755,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -51100,7 +52600,7 @@ index ea29513..0bdb8d8 100644
')
optional_policy(`
-@@ -549,6 +776,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +780,39 @@ ifdef(`distro_suse',`
')
')
@@ -51140,7 +52640,7 @@ index ea29513..0bdb8d8 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +821,8 @@ optional_policy(`
+@@ -561,6 +825,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -51149,7 +52649,7 @@ index ea29513..0bdb8d8 100644
')
optional_policy(`
-@@ -577,6 +839,7 @@ optional_policy(`
+@@ -577,6 +843,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -51157,7 +52657,7 @@ index ea29513..0bdb8d8 100644
')
optional_policy(`
-@@ -589,6 +852,11 @@ optional_policy(`
+@@ -589,6 +856,11 @@ optional_policy(`
')
optional_policy(`
@@ -51169,7 +52669,7 @@ index ea29513..0bdb8d8 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +873,13 @@ optional_policy(`
+@@ -605,9 +877,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -51183,7 +52683,7 @@ index ea29513..0bdb8d8 100644
')
optional_policy(`
-@@ -649,6 +921,11 @@ optional_policy(`
+@@ -649,6 +925,11 @@ optional_policy(`
')
optional_policy(`
@@ -51195,7 +52695,7 @@ index ea29513..0bdb8d8 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +983,13 @@ optional_policy(`
+@@ -706,7 +987,13 @@ optional_policy(`
')
optional_policy(`
@@ -51209,7 +52709,7 @@ index ea29513..0bdb8d8 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1012,10 @@ optional_policy(`
+@@ -729,6 +1016,10 @@ optional_policy(`
')
optional_policy(`
@@ -51220,7 +52720,7 @@ index ea29513..0bdb8d8 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1025,20 @@ optional_policy(`
+@@ -738,10 +1029,20 @@ optional_policy(`
')
optional_policy(`
@@ -51241,7 +52741,7 @@ index ea29513..0bdb8d8 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1047,10 @@ optional_policy(`
+@@ -750,6 +1051,10 @@ optional_policy(`
')
optional_policy(`
@@ -51252,7 +52752,7 @@ index ea29513..0bdb8d8 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1072,6 @@ optional_policy(`
+@@ -771,8 +1076,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -51261,7 +52761,7 @@ index ea29513..0bdb8d8 100644
')
optional_policy(`
-@@ -781,14 +1080,21 @@ optional_policy(`
+@@ -781,14 +1084,21 @@ optional_policy(`
')
optional_policy(`
@@ -51283,7 +52783,7 @@ index ea29513..0bdb8d8 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1106,6 @@ optional_policy(`
+@@ -800,7 +1110,6 @@ optional_policy(`
')
optional_policy(`
@@ -51291,7 +52791,7 @@ index ea29513..0bdb8d8 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1115,19 @@ optional_policy(`
+@@ -810,11 +1119,19 @@ optional_policy(`
')
optional_policy(`
@@ -51312,7 +52812,7 @@ index ea29513..0bdb8d8 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1137,25 @@ optional_policy(`
+@@ -824,6 +1141,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -51338,7 +52838,7 @@ index ea29513..0bdb8d8 100644
')
optional_policy(`
-@@ -849,3 +1181,42 @@ optional_policy(`
+@@ -849,3 +1185,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -52956,7 +54456,7 @@ index c7cfb62..ee89659 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..f610462 100644
+index 9b5a9ed..a3a66a2 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -19,6 +19,11 @@ type auditd_log_t;
@@ -53115,7 +54615,7 @@ index 9b5a9ed..f610462 100644
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +455,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -412,7 +455,11 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
@@ -53123,9 +54623,11 @@ index 9b5a9ed..f610462 100644
+# relating to systemd-kmsg-syslogd
+dev_write_kmsg(syslogd_t)
++domain_read_all_domains_state(syslogd_t)
domain_use_interactive_fds(syslogd_t)
-@@ -432,6 +478,7 @@ term_write_console(syslogd_t)
+ files_read_etc_files(syslogd_t)
+@@ -432,6 +479,7 @@ term_write_console(syslogd_t)
# Allow syslog to a terminal
term_write_unallocated_ttys(syslogd_t)
@@ -53133,7 +54635,7 @@ index 9b5a9ed..f610462 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -480,6 +527,10 @@ optional_policy(`
+@@ -480,6 +528,10 @@ optional_policy(`
')
optional_policy(`
@@ -53144,7 +54646,7 @@ index 9b5a9ed..f610462 100644
postgresql_stream_connect(syslogd_t)
')
-@@ -488,6 +539,10 @@ optional_policy(`
+@@ -488,6 +540,10 @@ optional_policy(`
')
optional_policy(`
@@ -55503,7 +57005,7 @@ index 694fd94..334e80e 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index ff80d0a..7f1a21c 100644
+index ff80d0a..ec91ad9 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',`
@@ -55620,6 +57122,15 @@ index ff80d0a..7f1a21c 100644
## Read network config files.
## </summary>
## <desc>
+@@ -405,7 +498,7 @@ interface(`sysnet_etc_filetrans_config',`
+ type net_conf_t;
+ ')
+
+- files_etc_filetrans($1, net_conf_t, file)
++ files_etc_filetrans($1, net_conf_t, file, $2)
+ ')
+
+ #######################################
@@ -426,6 +519,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
@@ -57596,7 +59107,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..791d89f 100644
+index 28b88de..5ea0ea4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -57761,7 +59272,7 @@ index 28b88de..791d89f 100644
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +149,17 @@ template(`userdom_base_user_template',`
+@@ -116,6 +149,16 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -57770,7 +59281,6 @@ index 28b88de..791d89f 100644
+ fs_list_cgroup_dirs($1_usertype)
+ ')
+
-+
+ optional_policy(`
+ ssh_rw_stream_sockets($1_usertype)
+ ssh_delete_tmp($1_t)
@@ -57779,7 +59289,7 @@ index 28b88de..791d89f 100644
')
#######################################
-@@ -149,6 +193,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +192,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -57788,7 +59298,7 @@ index 28b88de..791d89f 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +212,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +211,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -57816,7 +59326,7 @@ index 28b88de..791d89f 100644
')
#######################################
-@@ -218,8 +243,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +242,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -57828,7 +59338,7 @@ index 28b88de..791d89f 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +256,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +255,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -57860,7 +59370,7 @@ index 28b88de..791d89f 100644
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -246,25 +278,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +277,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -57890,7 +59400,7 @@ index 28b88de..791d89f 100644
')
')
-@@ -289,6 +319,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +318,8 @@ interface(`userdom_manage_tmp_role',`
type user_tmp_t;
')
@@ -57899,7 +59409,7 @@ index 28b88de..791d89f 100644
files_poly_member_tmp($2, user_tmp_t)
manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +329,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +328,45 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -57945,7 +59455,7 @@ index 28b88de..791d89f 100644
')
#######################################
-@@ -316,6 +387,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +386,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -57953,7 +59463,7 @@ index 28b88de..791d89f 100644
files_search_tmp($1)
')
-@@ -350,6 +422,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +421,8 @@ interface(`userdom_manage_tmpfs_role',`
type user_tmpfs_t;
')
@@ -57962,7 +59472,7 @@ index 28b88de..791d89f 100644
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +434,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +433,41 @@ interface(`userdom_manage_tmpfs_role',`
#######################################
## <summary>
@@ -58031,7 +59541,7 @@ index 28b88de..791d89f 100644
')
#######################################
-@@ -430,6 +499,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +498,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -58039,7 +59549,7 @@ index 28b88de..791d89f 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -490,7 +560,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +559,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -58048,7 +59558,7 @@ index 28b88de..791d89f 100644
##############################
#
-@@ -500,73 +570,81 @@ template(`userdom_common_user_template',`
+@@ -500,73 +569,81 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -58070,27 +59580,27 @@ index 28b88de..791d89f 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
+-
+- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corecmd_exec_bin($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
--
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -58114,10 +59624,10 @@ index 28b88de..791d89f 100644
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
-+
-+ application_getattr_socket($1_usertype)
- fs_rw_cgroup_files($1_t)
++ application_getattr_socket($1_usertype)
++
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
+ selinux_get_enforce_mode($1_usertype)
@@ -58169,7 +59679,7 @@ index 28b88de..791d89f 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +652,122 @@ template(`userdom_common_user_template',`
+@@ -574,67 +651,122 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -58183,23 +59693,23 @@ index 28b88de..791d89f 100644
# Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ apm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ canna_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ canna_stream_connect($1_usertype)
++ colord_read_lib_files($1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
-+ chrome_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ colord_read_lib_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -58215,49 +59725,49 @@ index 28b88de..791d89f 100644
+ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
++ ')
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ ')
++
++ optional_policy(`
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
++ kde_dbus_chat_backlighthelper($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
- ')
-+
-+ optional_policy(`
-+ kde_dbus_chat_backlighthelper($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ modemmanager_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ networkmanager_dbus_chat($1_usertype)
+ networkmanager_read_lib_files($1_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
@@ -58310,7 +59820,7 @@ index 28b88de..791d89f 100644
')
optional_policy(`
-@@ -650,41 +783,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +782,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -58342,51 +59852,53 @@ index 28b88de..791d89f 100644
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
++ ')
++
++ optional_policy(`
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ rpcbind_stream_connect($1_usertype)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ seunshare_role_template($1, $1_r, $1_t)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ seunshare_role_template($1, $1_r, $1_t)
- ')
-+
-+ optional_policy(`
+ slrnpull_search_spool($1_usertype)
-+ ')
+ ')
+
')
#######################################
-@@ -712,13 +854,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +853,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
++
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
-+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -58394,9 +59906,7 @@ index 28b88de..791d89f 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -58404,7 +59914,7 @@ index 28b88de..791d89f 100644
userdom_change_password_template($1)
-@@ -736,72 +891,70 @@ template(`userdom_login_user_template', `
+@@ -736,72 +890,70 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -58471,10 +59981,10 @@ index 28b88de..791d89f 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
++
++ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
-+ seutil_read_config($1_usertype)
-+
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -58512,7 +60022,7 @@ index 28b88de..791d89f 100644
')
')
-@@ -833,6 +986,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +985,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -58522,7 +60032,7 @@ index 28b88de..791d89f 100644
##############################
#
# Local policy
-@@ -874,45 +1030,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1029,113 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -58593,40 +60103,40 @@ index 28b88de..791d89f 100644
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat($1_t)
-+ cups_dbus_chat($1_usertype)
-+ cups_dbus_chat_config($1_usertype)
- ')
++ ')
+
+ optional_policy(`
++ cups_dbus_chat($1_usertype)
++ cups_dbus_chat_config($1_usertype)
++ ')
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ fprintd_dbus_chat($1_t)
-+ ')
+ ')
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
++ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
+ optional_policy(`
-+ openoffice_role_template($1, $1_r, $1_usertype)
++ policykit_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
-+ policykit_role($1_r, $1_usertype)
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
+ pulseaudio_role($1_r, $1_usertype)
+ ')
+
@@ -58647,7 +60157,7 @@ index 28b88de..791d89f 100644
')
')
-@@ -947,7 +1171,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1170,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -58656,7 +60166,7 @@ index 28b88de..791d89f 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1180,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1179,83 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -58726,16 +60236,13 @@ index 28b88de..791d89f 100644
+
+ optional_policy(`
+ gpg_role($1_r, $1_usertype)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t,$1_r)
++ ')
++
++ optional_policy(`
+ gnomeclock_dbus_chat($1_t)
- ')
-
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ ')
++
++ optional_policy(`
+ gpm_stream_connect($1_usertype)
+ ')
+
@@ -58758,19 +60265,22 @@ index 28b88de..791d89f 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t,$1_r)
+ postfix_run_postdrop($1_t, $1_r)
-+ ')
-+
+ ')
+
+ # Run pppd in pppd_t by default for user
-+ optional_policy(`
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1039,7 +1292,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1291,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -58779,7 +60289,7 @@ index 28b88de..791d89f 100644
')
##############################
-@@ -1066,6 +1319,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1318,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -58787,7 +60297,7 @@ index 28b88de..791d89f 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1328,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1327,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -58797,7 +60307,7 @@ index 28b88de..791d89f 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1345,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1344,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -58805,7 +60315,7 @@ index 28b88de..791d89f 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1363,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1362,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -58819,7 +60329,7 @@ index 28b88de..791d89f 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,17 +1380,21 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1379,21 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -58842,7 +60352,7 @@ index 28b88de..791d89f 100644
auth_getattr_shadow($1_t)
# Manage almost all files
-@@ -1141,7 +1406,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1405,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -58854,7 +60364,7 @@ index 28b88de..791d89f 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1478,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1477,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -58863,7 +60373,7 @@ index 28b88de..791d89f 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1492,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1491,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -58871,7 +60381,7 @@ index 28b88de..791d89f 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1508,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1507,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -58879,7 +60389,7 @@ index 28b88de..791d89f 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1551,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1550,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -58917,7 +60427,7 @@ index 28b88de..791d89f 100644
ubac_constrained($1)
')
-@@ -1395,6 +1693,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1692,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -58925,7 +60435,7 @@ index 28b88de..791d89f 100644
files_search_home($1)
')
-@@ -1441,6 +1740,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1739,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -58940,7 +60450,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -1456,9 +1763,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1762,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -58952,7 +60462,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -1515,10 +1824,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1823,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -58965,7 +60475,7 @@ index 28b88de..791d89f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1526,21 +1835,57 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,22 +1834,58 @@ interface(`userdom_relabelto_user_home_dirs',`
## </summary>
## </param>
#
@@ -58988,6 +60498,7 @@ index 28b88de..791d89f 100644
+## Relabel user home files.
## </summary>
-## <desc>
+-## <p>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
@@ -59028,10 +60539,11 @@ index 28b88de..791d89f 100644
+## user home directory.
+## </summary>
+## <desc>
- ## <p>
++## <p>
## Do a domain transition to the specified
## domain when executing a program in the
-@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ## user home directory.
+@@ -1589,6 +1933,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -59040,7 +60552,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1949,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -59055,7 +60567,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1997,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -59081,7 +60593,7 @@ index 28b88de..791d89f 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2067,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -59114,7 +60626,7 @@ index 28b88de..791d89f 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2103,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -59132,7 +60644,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -1779,6 +2170,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2169,24 @@ interface(`userdom_delete_user_home_content_files',`
########################################
## <summary>
@@ -59157,7 +60669,7 @@ index 28b88de..791d89f 100644
## Do not audit attempts to write user home files.
## </summary>
## <param name="domain">
-@@ -1810,8 +2219,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2218,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -59167,7 +60679,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -1827,20 +2235,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2234,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -59181,18 +60693,19 @@ index 28b88de..791d89f 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -2008,7 +2410,7 @@ interface(`userdom_user_home_dir_filetrans',`
+ ## Do not audit attempts to execute user home files.
+@@ -2008,7 +2409,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -59201,7 +60714,7 @@ index 28b88de..791d89f 100644
files_search_home($1)
')
-@@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2583,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -59210,7 +60723,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -2435,13 +2837,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2836,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -59226,7 +60739,7 @@ index 28b88de..791d89f 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2865,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2864,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -59253,7 +60766,7 @@ index 28b88de..791d89f 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2572,6 +2955,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2954,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -59278,7 +60791,7 @@ index 28b88de..791d89f 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2590,22 +2991,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +2990,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -59321,7 +60834,7 @@ index 28b88de..791d89f 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2614,14 +3027,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3026,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -59359,7 +60872,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -2815,7 +3247,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3246,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -59368,7 +60881,7 @@ index 28b88de..791d89f 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3263,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3262,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -59384,7 +60897,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -2917,7 +3351,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3350,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -59393,7 +60906,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -2972,7 +3406,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3405,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -59440,7 +60953,7 @@ index 28b88de..791d89f 100644
')
########################################
-@@ -3009,6 +3481,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3480,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -59448,7 +60961,7 @@ index 28b88de..791d89f 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3560,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3559,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -59473,7 +60986,7 @@ index 28b88de..791d89f 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3139,3 +3630,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3629,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -60533,7 +62046,7 @@ index 28b88de..791d89f 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index df29ca1..2a5c03d 100644
+index df29ca1..059cac0 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0)
@@ -60586,7 +62099,7 @@ index df29ca1..2a5c03d 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,54 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,59 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -60643,6 +62156,11 @@ index df29ca1..2a5c03d 100644
+
+# Nautilus causes this avc
+dontaudit unpriv_userdomain self:dir setattr;
++
++optional_policy(`
++ ssh_admin_home_dir_filetrans(userdomain)
++')
++
diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
index a865da7..0818ff0 100644
--- a/policy/modules/system/xen.fc
@@ -60919,6 +62437,19 @@ index 4350ba0..c8b1d3b 100644
- unconfined_domain(xend_t)
- ')
')
+diff --git a/policy/support/file_patterns.spt b/policy/support/file_patterns.spt
+index bdd500c..4719351 100644
+--- a/policy/support/file_patterns.spt
++++ b/policy/support/file_patterns.spt
+@@ -535,7 +535,7 @@ define(`filetrans_add_pattern',`
+
+ define(`filetrans_pattern',`
+ allow $1 $2:dir rw_dir_perms;
+- type_transition $1 $2:$4 $3;
++ type_transition $1 $2:$4 $3 $5;
+ ')
+
+ define(`admin_pattern',`
diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
index 22ca011..df6b5de 100644
--- a/policy/support/misc_patterns.spt
diff --git a/selinux-policy.spec b/selinux-policy.spec
index dbbe4dd..c4f8ec1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 15.1%{?dist}
+Release: 16.1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -474,9 +474,17 @@ exit 0
%endif
%changelog
-* Fri Apr 15 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-15.1
+* Tue Apr 19 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-16.1
- Add filename transitions
+* Tue Apr 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-16
+- Fixes for zarafa policy
+- Add support for AEOLUS project
+- Change labeling of fping6
+- Allow plymountd to send signals to init
+- Allow initrc_t domain to manage abrt pid files
+- Virt_admin should be allowed to manage images and processes
+
* Fri Apr 15 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-15
- xdm_t needs getsession for switch user
- Every app that used to exec init is now execing systemdctl