diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index c754c80..6732fd3 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -11246,7 +11246,7 @@ index b876c48..03f9342 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..fa12587 100644
+index f962f76..e06a46c 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -13210,33 +13210,7 @@ index f962f76..fa12587 100644
  ')
  
  ########################################
-@@ -4126,6 +5028,25 @@ interface(`files_kernel_modules_filetrans',`
- 
- ########################################
- ## <summary>
-+##	Load kernel module files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_load_kernel_modules',`
-+	gen_require(`
-+		type modules_object_t;
-+	')
-+
-+	files_read_kernel_modules($1)
-+	allow $1 modules_object_t:system module_load;
-+')
-+
-+########################################
-+## <summary>
- ##	List world-readable directories.
- ## </summary>
- ## <param name="domain">
-@@ -4217,174 +5138,275 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,174 +5119,218 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -13383,61 +13357,91 @@ index f962f76..fa12587 100644
  ## <summary>
 -##	Do not audit attempts to search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain to not audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelfrom_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir search_dir_perms;
 +    relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +###################################
-+## <summary>
+ ## <summary>
+-##	Read the tmp directory (/tmp).
 +##  Create files in /etc with the type used for
 +##  the manageable system config files.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  The type of the process performing this action.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_etc_filetrans_system_conf',`
 +    gen_require(`
 +        type etc_t, system_conf_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir list_dir_perms;
 +    filetrans_pattern($1, etc_t, system_conf_t, file)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit listing of the tmp directory (/tmp).
 +##  Manage manageable system db files in /var/lib.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain not to audit.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_list_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_manage_system_db_files',`
 +     gen_require(`
 +         type var_lib_t, system_db_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir list_dir_perms;
 +     manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t)
 +     files_filetrans_system_db_named_files($1)
-+')
-+
+ ')
+ 
+-########################################
 +#####################################
-+## <summary>
+ ## <summary>
+-##	Remove entries from the tmp directory.
 +##  File name transition for system db files in /var/lib.
  ## </summary>
  ## <param name="domain">
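Review bot: The gen_require of `files_relabelfrom_system_conf_files` declares `type usr_t;`, but the only rule in its body, `relabelfrom_files_pattern($1, system_conf_t, system_conf_t)`, touches system_conf_t and never usr_t; the require should be `type system_conf_t;` so the interface declares the type it actually depends on, as `files_etc_filetrans_system_conf` and `files_manage_system_db_files` just below it do. Whether this slips through the build presumably depends on system_conf_t being declared in the same base module, but a wrong require still misleads anyone auditing which types an interface can relabel. As a point of style, the three new interfaces use four-space indentation (five in `files_manage_system_db_files`'s `gen_require(` line) where the rest of files.if uses tabs.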
@@ -13463,24 +13467,24 @@ index f962f76..fa12587 100644
 +## </summary>
 +## <param name="file_type">
  ##	<summary>
--##	Domain to not audit.
+-##	Domain allowed access.
 +##	Type of the file to associate.
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_search_tmp',`
+-interface(`files_delete_tmp_dir_entry',`
 +interface(`files_associate_tmp',`
  	gen_require(`
  		type tmp_t;
  	')
  
--	dontaudit $1 tmp_t:dir search_dir_perms;
+-	allow $1 tmp_t:dir del_entry_dir_perms;
 +	allow $1 tmp_t:filesystem associate;
  ')
  
  ########################################
  ## <summary>
--##	Read the tmp directory (/tmp).
+-##	Read files in the tmp directory (/tmp).
 +##	Allow the specified type to associate
 +##	to a filesystem with the type of the
 +##	/ file system
@@ -13493,43 +13497,42 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_list_tmp',`
+-interface(`files_read_generic_tmp_files',`
 +interface(`files_associate_rootfs',`
  	gen_require(`
 -		type tmp_t;
 +		type root_t;
  	')
  
--	allow $1 tmp_t:dir list_dir_perms;
+-	read_files_pattern($1, tmp_t, tmp_t)
 +	allow $1 root_t:filesystem associate;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit listing of the tmp directory (/tmp).
+-##	Manage temporary directories in /tmp.
 +##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
-+##	Domain allowed access.
+@@ -4392,53 +5338,56 @@ interface(`files_read_generic_tmp_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_list_tmp',`
+-interface(`files_manage_generic_tmp_dirs',`
 +interface(`files_getattr_tmp_dirs',`
  	gen_require(`
  		type tmp_t;
  	')
  
--	dontaudit $1 tmp_t:dir list_dir_perms;
+-	manage_dirs_pattern($1, tmp_t, tmp_t)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	allow $1 tmp_t:dir getattr;
  ')
  
  ########################################
  ## <summary>
--##	Remove entries from the tmp directory.
+-##	Manage temporary files and directories in /tmp.
 +##	Do not audit attempts to check the 
 +##	access on tmp files
  ## </summary>
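Review bot: `files_getattr_tmp_dirs` grants more than its summary says: besides `allow $1 tmp_t:dir getattr;` it also adds `read_lnk_files_pattern($1, tmp_t, tmp_t)`, so a caller that only wanted to stat /tmp also gets to read every symlink in it, which matters when reviewing a domain for least privilege. The summary should state the full grant, e.g. `##	Get the attributes of the tmp directory (/tmp)` / `##	and read symbolic links in it.`; the current summary line also contains a stray tab inside "Get the	attributes". The summary of `files_dontaudit_access_check_tmp` that closes this hunk has trailing whitespace after "check the", and that interface's body lies below the hunk.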
@@ -13540,20 +13543,20 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_delete_tmp_dir_entry',`
+-interface(`files_manage_generic_tmp_files',`
 +interface(`files_dontaudit_access_check_tmp',`
  	gen_require(`
 -		type tmp_t;
 +		type etc_t;
  	')
  
--	allow $1 tmp_t:dir del_entry_dir_perms;
+-	manage_files_pattern($1, tmp_t, tmp_t)
 +	dontaudit $1 tmp_t:dir_file_class_set audit_access;
  ')
  
  ########################################
  ## <summary>
--##	Read files in the tmp directory (/tmp).
+-##	Read symbolic links in the tmp directory (/tmp).
 +##	Do not audit attempts to get the
 +##	attributes of the tmp directory (/tmp).
  ## </summary>
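Review bot: `files_dontaudit_access_check_tmp` requires `type etc_t;` but its only rule is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the require names a type the body never uses and omits the one it does; it should read `type tmp_t;`. A require that does not match the rules is exactly the kind of thing that turns into a build failure or a silent wrong-type dontaudit when the interface is next edited. The interface's doc header begins above this hunk.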
@@ -13564,34 +13567,34 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_read_generic_tmp_files',`
+-interface(`files_read_generic_tmp_symlinks',`
 +interface(`files_dontaudit_getattr_tmp_dirs',`
  	gen_require(`
  		type tmp_t;
  	')
  
--	read_files_pattern($1, tmp_t, tmp_t)
+-	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	dontaudit $1 tmp_t:dir getattr;
  ')
  
  ########################################
  ## <summary>
--##	Manage temporary directories in /tmp.
+-##	Read and write generic named sockets in the tmp directory (/tmp).
 +##	Search the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4392,35 +5414,37 @@ interface(`files_read_generic_tmp_files',`
+@@ -4446,35 +5395,37 @@ interface(`files_read_generic_tmp_symlinks',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_generic_tmp_dirs',`
+-interface(`files_rw_generic_tmp_sockets',`
 +interface(`files_search_tmp',`
  	gen_require(`
  		type tmp_t;
  	')
  
--	manage_dirs_pattern($1, tmp_t, tmp_t)
+-	rw_sock_files_pattern($1, tmp_t, tmp_t)
 +    fs_search_tmpfs($1)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	allow $1 tmp_t:dir search_dir_perms;
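Review bot: In `files_search_tmp` the line `    fs_search_tmpfs($1)` is indented with four spaces while the two rules beneath it use tabs like the rest of files.if; the call also quietly widens a "search /tmp" grant into search on tmpfs plus reading every symlink in tmp_t, which a caller of a search interface may not expect. A one-line why-comment would make that deliberate, e.g. `# /tmp is presumably tmpfs-backed on these systems and may hold symlinks, so searching it needs both` (hedged, since nothing in the hunk says why tmpfs is involved). The tab/space mix should be normalised to tabs.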
@@ -13599,7 +13602,7 @@ index f962f76..fa12587 100644
  
  ########################################
  ## <summary>
--##	Manage temporary files and directories in /tmp.
+-##	Set the attributes of all tmp directories.
 +##	Do not audit attempts to search the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
@@ -13609,40 +13612,44 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_generic_tmp_files',`
+-interface(`files_setattr_all_tmp_dirs',`
 +interface(`files_dontaudit_search_tmp',`
  	gen_require(`
- 		type tmp_t;
+-		attribute tmpfile;
++		type tmp_t;
  	')
  
--	manage_files_pattern($1, tmp_t, tmp_t)
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
 +	dontaudit $1 tmp_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Read symbolic links in the tmp directory (/tmp).
+-##	List all tmp directories.
 +##	Read the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4428,53 +5452,55 @@ interface(`files_manage_generic_tmp_files',`
+@@ -4482,59 +5433,55 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_generic_tmp_symlinks',`
+-interface(`files_list_all_tmp',`
 +interface(`files_list_tmp',`
  	gen_require(`
- 		type tmp_t;
+-		attribute tmpfile;
++		type tmp_t;
  	')
  
- 	read_lnk_files_pattern($1, tmp_t, tmp_t)
+-	allow $1 tmpfile:dir list_dir_perms;
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	allow $1 tmp_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Read and write generic named sockets in the tmp directory (/tmp).
+-##	Relabel to and from all temporary
+-##	directory types.
 +##	Do not audit listing of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
@@ -13651,33 +13658,38 @@ index f962f76..fa12587 100644
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`files_rw_generic_tmp_sockets',`
+-interface(`files_relabel_all_tmp_dirs',`
 +interface(`files_dontaudit_list_tmp',`
  	gen_require(`
- 		type tmp_t;
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
  	')
  
--	rw_sock_files_pattern($1, tmp_t, tmp_t)
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
 +	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
 -########################################
 +#######################################
  ## <summary>
--##	Set the attributes of all tmp directories.
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
 +##  Allow read and write to the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
 -##	<summary>
--##	Domain allowed access.
+-##	Domain not to audit.
 -##	</summary>
 +##  <summary>
 +##  Domain not to audit.
 +##  </summary>
  ## </param>
  #
--interface(`files_setattr_all_tmp_dirs',`
+-interface(`files_dontaudit_getattr_all_tmp_files',`
 -	gen_require(`
 -		attribute tmpfile;
 -	')
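Review bot: The parameter summary under "Allow read and write to the tmp directory (/tmp)" reads `##  Domain not to audit.`, which is the wording for a dontaudit interface, whereas this block is an allow interface; it should say `##  Domain allowed access.` as the surrounding allow interfaces do (the dontaudit ones above it correctly use "Domain to not audit"). The interface's name line and body fall below this hunk, so I cannot confirm the name, but the summary makes the intent clear. The doc block also uses two-space `##  ` indentation where the rest of the file uses `##	`.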
@@ -13686,30 +13698,31 @@ index f962f76..fa12587 100644
 +        type tmp_t;
 +    ')
  
--	allow $1 tmpfile:dir { search_dir_perms setattr };
+-	dontaudit $1 tmpfile:file getattr;
 +    files_search_tmp($1)
 +    allow $1 tmp_t:dir rw_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	List all tmp directories.
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
 +##	Remove entries from the tmp directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4482,118 +5508,116 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4542,110 +5489,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_list_all_tmp',`
+-interface(`files_getattr_all_tmp_files',`
 +interface(`files_delete_tmp_dir_entry',`
  	gen_require(`
 -		attribute tmpfile;
 +		type tmp_t;
  	')
  
--	allow $1 tmpfile:dir list_dir_perms;
+-	allow $1 tmpfile:file getattr;
 +	files_search_tmp($1)
 +	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
@@ -13717,7 +13730,7 @@ index f962f76..fa12587 100644
  ########################################
  ## <summary>
 -##	Relabel to and from all temporary
--##	directory types.
+-##	file types.
 +##	Read files in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
@@ -13727,7 +13740,7 @@ index f962f76..fa12587 100644
  ## </param>
 -## <rolecap/>
  #
--interface(`files_relabel_all_tmp_dirs',`
+-interface(`files_relabel_all_tmp_files',`
 +interface(`files_read_generic_tmp_files',`
  	gen_require(`
 -		attribute tmpfile;
@@ -13736,14 +13749,14 @@ index f962f76..fa12587 100644
  	')
  
 -	allow $1 var_t:dir search_dir_perms;
--	relabel_dirs_pattern($1, tmpfile, tmpfile)
+-	relabel_files_pattern($1, tmpfile, tmpfile)
 +	read_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to get the attributes
--##	of all tmp files.
+-##	of all tmp sock_file.
 +##	Manage temporary directories in /tmp.
  ## </summary>
  ## <param name="domain">
@@ -13753,21 +13766,20 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_getattr_all_tmp_files',`
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
 +interface(`files_manage_generic_tmp_dirs',`
  	gen_require(`
 -		attribute tmpfile;
 +		type tmp_t;
  	')
  
--	dontaudit $1 tmpfile:file getattr;
+-	dontaudit $1 tmpfile:sock_file getattr;
 +	manage_dirs_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	Allow attempts to get the attributes
--##	of all tmp files.
+-##	Read all tmp files.
 +##	Allow shared library text relocations in tmp files.
  ## </summary>
 +## <desc>
@@ -13784,20 +13796,20 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_getattr_all_tmp_files',`
+-interface(`files_read_all_tmp_files',`
 +interface(`files_execmod_tmp',`
  	gen_require(`
  		attribute tmpfile;
  	')
  
--	allow $1 tmpfile:file getattr;
+-	read_files_pattern($1, tmpfile, tmpfile)
 +	allow $1 tmpfile:file execmod;
  ')
  
  ########################################
  ## <summary>
--##	Relabel to and from all temporary
--##	file types.
+-##	Create an object in the tmp directories, with a private
+-##	type using a type transition.
 +##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
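Review bot: `allow $1 tmpfile:file execmod;` in `files_execmod_tmp` is keyed on the tmpfile attribute, so it permits text relocation on every type that carries that attribute (typically each domain's private tmp type), not only on tmp_t as the interface name suggests. Since execmod on writable temporary files is precisely what the execmem/execmod controls exist to confine, the `<desc>` block (which begins above this hunk) should state that scope so callers reach for it knowingly, e.g. `##	This covers every type with the tmpfile attribute, not just tmp_t.` If a narrower grant is wanted, a tmp_t-only variant would be the safer default.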
@@ -13805,259 +13817,253 @@ index f962f76..fa12587 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <rolecap/>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
  #
--interface(`files_relabel_all_tmp_files',`
+-interface(`files_tmp_filetrans',`
 +interface(`files_manage_generic_tmp_files',`
  	gen_require(`
--		attribute tmpfile;
--		type var_t;
-+		type tmp_t;
+ 		type tmp_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	relabel_files_pattern($1, tmpfile, tmpfile)
+-	filetrans_pattern($1, tmp_t, $2, $3, $4)
 +	manage_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to get the attributes
--##	of all tmp sock_file.
+-##	Delete the contents of /tmp.
 +##	Read symbolic links in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
-+##	Domain allowed access.
+@@ -4653,22 +5588,17 @@ interface(`files_tmp_filetrans',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_getattr_all_tmp_sockets',`
+-interface(`files_purge_tmp',`
 +interface(`files_read_generic_tmp_symlinks',`
  	gen_require(`
 -		attribute tmpfile;
 +		type tmp_t;
  	')
  
--	dontaudit $1 tmpfile:sock_file getattr;
+-	allow $1 tmpfile:dir list_dir_perms;
+-	delete_dirs_pattern($1, tmpfile, tmpfile)
+-	delete_files_pattern($1, tmpfile, tmpfile)
+-	delete_lnk_files_pattern($1, tmpfile, tmpfile)
+-	delete_fifo_files_pattern($1, tmpfile, tmpfile)
+-	delete_sock_files_pattern($1, tmpfile, tmpfile)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	Read all tmp files.
+-##	Set the attributes of the /usr directory.
 +##	Read and write generic named sockets in the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4601,51 +5625,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+@@ -4676,17 +5606,17 @@ interface(`files_purge_tmp',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_all_tmp_files',`
+-interface(`files_setattr_usr_dirs',`
 +interface(`files_rw_generic_tmp_sockets',`
  	gen_require(`
--		attribute tmpfile;
+-		type usr_t;
 +		type tmp_t;
  	')
  
--	read_files_pattern($1, tmpfile, tmpfile)
+-	allow $1 usr_t:dir setattr;
 +	rw_sock_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	Create an object in the tmp directories, with a private
--##	type using a type transition.
+-##	Search the content of /usr.
 +##	Relabel a dir from the type used in /tmp.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -4694,18 +5624,17 @@ interface(`files_setattr_usr_dirs',`
  ##	</summary>
  ## </param>
--## <param name="private type">
--##	<summary>
--##	The type of the object to be created.
--##	</summary>
--## </param>
--## <param name="object">
--##	<summary>
--##	The object class of the object being created.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
  #
--interface(`files_tmp_filetrans',`
+-interface(`files_search_usr',`
 +interface(`files_relabelfrom_tmp_dirs',`
  	gen_require(`
- 		type tmp_t;
+-		type usr_t;
++		type tmp_t;
  	')
  
--	filetrans_pattern($1, tmp_t, $2, $3, $4)
+-	allow $1 usr_t:dir search_dir_perms;
 +	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	Delete the contents of /tmp.
+-##	List the contents of generic
+-##	directories in /usr.
 +##	Relabel a file from the type used in /tmp.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4653,22 +5661,17 @@ interface(`files_tmp_filetrans',`
+@@ -4713,35 +5642,35 @@ interface(`files_search_usr',`
  ##	</summary>
  ## </param>
  #
--interface(`files_purge_tmp',`
+-interface(`files_list_usr',`
 +interface(`files_relabelfrom_tmp_files',`
  	gen_require(`
--		attribute tmpfile;
+-		type usr_t;
 +		type tmp_t;
  	')
  
--	allow $1 tmpfile:dir list_dir_perms;
--	delete_dirs_pattern($1, tmpfile, tmpfile)
--	delete_files_pattern($1, tmpfile, tmpfile)
--	delete_lnk_files_pattern($1, tmpfile, tmpfile)
--	delete_fifo_files_pattern($1, tmpfile, tmpfile)
--	delete_sock_files_pattern($1, tmpfile, tmpfile)
+-	allow $1 usr_t:dir list_dir_perms;
 +	relabelfrom_files_pattern($1, tmp_t, tmp_t)
  ')
  
  ########################################
  ## <summary>
--##	Set the attributes of the /usr directory.
+-##	Do not audit write of /usr dirs
 +##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4676,17 +5679,17 @@ interface(`files_purge_tmp',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_setattr_usr_dirs',`
+-interface(`files_dontaudit_write_usr_dirs',`
 +interface(`files_setattr_all_tmp_dirs',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	allow $1 usr_t:dir setattr;
+-	dontaudit $1 usr_t:dir write;
 +	allow $1 tmpfile:dir { search_dir_perms setattr };
  ')
  
  ########################################
  ## <summary>
--##	Search the content of /usr.
+-##	Add and remove entries from /usr directories.
 +##	Allow caller to read inherited tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4694,18 +5697,17 @@ interface(`files_setattr_usr_dirs',`
+@@ -4749,36 +5678,35 @@ interface(`files_dontaudit_write_usr_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_search_usr',`
+-interface(`files_rw_usr_dirs',`
 +interface(`files_read_inherited_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	allow $1 usr_t:dir search_dir_perms;
+-	allow $1 usr_t:dir rw_dir_perms;
 +	allow $1 tmpfile:file { append read_inherited_file_perms };
  ')
  
  ########################################
  ## <summary>
--##	List the contents of generic
--##	directories in /usr.
+-##	Do not audit attempts to add and remove
+-##	entries from /usr directories.
 +##	Allow caller to append inherited tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4713,35 +5715,35 @@ interface(`files_search_usr',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_list_usr',`
+-interface(`files_dontaudit_rw_usr_dirs',`
 +interface(`files_append_inherited_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	allow $1 usr_t:dir list_dir_perms;
+-	dontaudit $1 usr_t:dir rw_dir_perms;
 +	allow $1 tmpfile:file append_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit write of /usr dirs
+-##	Delete generic directories in /usr in the caller domain.
 +##	Allow caller to read and write inherited tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -4786,17 +5714,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_write_usr_dirs',`
+-interface(`files_delete_usr_dirs',`
 +interface(`files_rw_inherited_tmp_file',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	dontaudit $1 usr_t:dir write;
+-	delete_dirs_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Add and remove entries from /usr directories.
+-##	Delete generic files in /usr in the caller domain.
 +##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4749,54 +5751,59 @@ interface(`files_dontaudit_write_usr_dirs',`
+@@ -4804,73 +5732,59 @@ interface(`files_delete_usr_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_rw_usr_dirs',`
+-interface(`files_delete_usr_files',`
 +interface(`files_list_all_tmp',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	allow $1 usr_t:dir rw_dir_perms;
+-	delete_files_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to add and remove
--##	entries from /usr directories.
+-##	Get the attributes of files in /usr.
 +##	Relabel to and from all temporary
 +##	directory types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
 +## <rolecap/>
  #
--interface(`files_dontaudit_rw_usr_dirs',`
+-interface(`files_getattr_usr_files',`
 +interface(`files_relabel_all_tmp_dirs',`
  	gen_require(`
 -		type usr_t;
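Review bot: `files_read_inherited_tmp_files` is documented as "Allow caller to read inherited tmp files" but its rule `allow $1 tmpfile:file { append read_inherited_file_perms };` also grants append, which is exactly what the next interface, `files_append_inherited_tmp_files` (`allow $1 tmpfile:file append_inherited_file_perms;`), exists for. For least privilege the read interface should drop `append` and callers that need both should call both, though that needs the existing callers checked first; at minimum the summary should say `##	Allow caller to read and append to inherited tmp files.` Also worth noting in the same hunk: `files_rw_inherited_tmp_file` is the only one of the inherited-tmp interfaces with a singular name.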
@@ -14065,72 +14071,95 @@ index f962f76..fa12587 100644
 +		type var_t;
  	')
  
--	dontaudit $1 usr_t:dir rw_dir_perms;
+-	getattr_files_pattern($1, usr_t, usr_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	relabel_dirs_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
  ## <summary>
--##	Delete generic directories in /usr in the caller domain.
+-##	Read generic files in /usr.
 +##	Do not audit attempts to get the attributes
 +##	of all tmp files.
  ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read generic
+-##	files in /usr. These files are various program
+-##	files that do not have more specific SELinux types.
+-##	Some examples of these files are:
+-##	</p>
+-##	<ul>
+-##		<li>/usr/include/*</li>
+-##		<li>/usr/share/doc/*</li>
+-##		<li>/usr/share/info/*</li>
+-##	</ul>
+-##	<p>
+-##	Generally, it is safe for many domains to have
+-##	this access.
+-##	</p>
+-## </desc>
  ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
+-## <infoflow type="read" weight="10"/>
  #
--interface(`files_delete_usr_dirs',`
+-interface(`files_read_usr_files',`
 +interface(`files_dontaudit_getattr_all_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	delete_dirs_pattern($1, usr_t, usr_t)
+-	allow $1 usr_t:dir list_dir_perms;
+-	read_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
 +	dontaudit $1 tmpfile:file getattr;
  ')
  
  ########################################
  ## <summary>
--##	Delete generic files in /usr in the caller domain.
+-##	Execute generic programs in /usr in the caller domain.
 +##	Allow attempts to get the attributes
 +##	of all tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4804,73 +5811,58 @@ interface(`files_delete_usr_dirs',`
+@@ -4878,55 +5792,58 @@ interface(`files_read_usr_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_delete_usr_files',`
+-interface(`files_exec_usr_files',`
 +interface(`files_getattr_all_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	delete_files_pattern($1, usr_t, usr_t)
+-	allow $1 usr_t:dir list_dir_perms;
+-	exec_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:file getattr;
  ')
  
  ########################################
  ## <summary>
--##	Get the attributes of files in /usr.
+-##	dontaudit write of /usr files
 +##	Relabel to and from all temporary
 +##	file types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
 +## <rolecap/>
  #
--interface(`files_getattr_usr_files',`
+-interface(`files_dontaudit_write_usr_files',`
 +interface(`files_relabel_all_tmp_files',`
  	gen_require(`
 -		type usr_t;
@@ -14138,105 +14167,84 @@ index f962f76..fa12587 100644
 +		type var_t;
  	')
  
--	getattr_files_pattern($1, usr_t, usr_t)
+-	dontaudit $1 usr_t:file write;
 +	allow $1 var_t:dir search_dir_perms;
 +	relabel_files_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
  ## <summary>
--##	Read generic files in /usr.
+-##	Create, read, write, and delete files in the /usr directory.
 +##	Do not audit attempts to get the attributes
 +##	of all tmp sock_file.
  ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read generic
--##	files in /usr. These files are various program
--##	files that do not have more specific SELinux types.
--##	Some examples of these files are:
--##	</p>
--##	<ul>
--##		<li>/usr/include/*</li>
--##		<li>/usr/share/doc/*</li>
--##		<li>/usr/share/info/*</li>
--##	</ul>
--##	<p>
--##	Generally, it is safe for many domains to have
--##	this access.
--##	</p>
--## </desc>
  ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
--## <infoflow type="read" weight="10"/>
  #
--interface(`files_read_usr_files',`
+-interface(`files_manage_usr_files',`
 +interface(`files_dontaudit_getattr_all_tmp_sockets',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	allow $1 usr_t:dir list_dir_perms;
--	read_files_pattern($1, usr_t, usr_t)
--	read_lnk_files_pattern($1, usr_t, usr_t)
+-	manage_files_pattern($1, usr_t, usr_t)
 +	dontaudit $1 tmpfile:sock_file getattr;
  ')
  
  ########################################
  ## <summary>
--##	Execute generic programs in /usr in the caller domain.
+-##	Relabel a file to the type used in /usr.
 +##	Read all tmp files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4878,19 +5870,18 @@ interface(`files_read_usr_files',`
+@@ -4934,67 +5851,70 @@ interface(`files_manage_usr_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_exec_usr_files',`
+-interface(`files_relabelto_usr_files',`
 +interface(`files_read_all_tmp_files',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	allow $1 usr_t:dir list_dir_perms;
--	exec_files_pattern($1, usr_t, usr_t)
--	read_lnk_files_pattern($1, usr_t, usr_t)
+-	relabelto_files_pattern($1, usr_t, usr_t)
 +	read_files_pattern($1, tmpfile, tmpfile)
  ')
  
  ########################################
  ## <summary>
--##	dontaudit write of /usr files
+-##	Relabel a file from the type used in /usr.
 +##	Do not audit attempts to read or write
 +##	all leaked tmpfiles files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4898,71 +5889,70 @@ interface(`files_exec_usr_files',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_write_usr_files',`
+-interface(`files_relabelfrom_usr_files',`
 +interface(`files_dontaudit_tmp_file_leaks',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	dontaudit $1 usr_t:file write;
+-	relabelfrom_files_pattern($1, usr_t, usr_t)
 +	dontaudit $1 tmpfile:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete files in the /usr directory.
+-##	Read symbolic links in /usr.
 +##	Do allow attempts to read or write
 +##	all leaked tmpfiles files.
  ## </summary>
@@ -14247,20 +14255,20 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_usr_files',`
+-interface(`files_read_usr_symlinks',`
 +interface(`files_rw_tmp_file_leaks',`
  	gen_require(`
 -		type usr_t;
 +		attribute tmpfile;
  	')
  
--	manage_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
 +	allow $1 tmpfile:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
--##	Relabel a file to the type used in /usr.
+-##	Create objects in the /usr directory
 +##	Create an object in the tmp directories, with a private
 +##	type using a type transition.
  ## </summary>
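Review bot: `files_rw_tmp_file_leaks` grants `allow $1 tmpfile:file rw_inherited_file_perms;` across the whole tmpfile attribute, which legitimises descriptor leaks from any parent domain's private tmp files rather than merely silencing them as `files_dontaudit_tmp_file_leaks` above does; its documentation should make that trade-off explicit so the allow variant is not picked by default. The summary, which starts above this hunk, reads "Do allow attempts to read or write all leaked tmpfiles files" and could be `##	Allow reading and writing all inherited (leaked) tmpfile file descriptors;` followed by `##	prefer files_dontaudit_tmp_file_leaks() unless the domain genuinely needs the descriptor.`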
@@ -14269,67 +14277,56 @@ index f962f76..fa12587 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
--#
--interface(`files_relabelto_usr_files',`
--	gen_require(`
--		type usr_t;
--	')
--
--	relabelto_files_pattern($1, usr_t, usr_t)
--')
--
--########################################
--## <summary>
--##	Relabel a file from the type used in /usr.
--## </summary>
--## <param name="domain">
+-## <param name="file_type">
 +## <param name="private type">
  ##	<summary>
--##	Domain allowed access.
+-##	The type of the object to be created
 +##	The type of the object to be created.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="object_class">
 +## <param name="object">
-+##	<summary>
+ ##	<summary>
+-##	The object class.
 +##	The object class of the object being created.
-+##	</summary>
-+## </param>
-+## <param name="name" optional="true">
-+##	<summary>
-+##	The name of the object being created.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -5003,35 +5923,50 @@ interface(`files_read_usr_symlinks',`
  ##	</summary>
  ## </param>
  #
--interface(`files_relabelfrom_usr_files',`
+-interface(`files_usr_filetrans',`
 +interface(`files_tmp_filetrans',`
  	gen_require(`
 -		type usr_t;
 +		type tmp_t;
  	')
  
--	relabelfrom_files_pattern($1, usr_t, usr_t)
+-	filetrans_pattern($1, usr_t, $2, $3, $4)
 +	filetrans_pattern($1, tmp_t, $2, $3, $4)
  ')
  
  ########################################
  ## <summary>
--##	Read symbolic links in /usr.
+-##	Do not audit attempts to search /usr/src.
 +##	Delete the contents of /tmp.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4970,68 +5960,69 @@ interface(`files_relabelfrom_usr_files',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_read_usr_symlinks',`
+-interface(`files_dontaudit_search_src',`
 +interface(`files_purge_tmp',`
  	gen_require(`
--		type usr_t;
+-		type src_t;
 +		attribute tmpfile;
  	')
  
--	read_lnk_files_pattern($1, usr_t, usr_t)
+-	dontaudit $1 src_t:dir search_dir_perms;
 +	allow $1 tmpfile:dir list_dir_perms;
 +	delete_dirs_pattern($1, tmpfile, tmpfile)
 +	delete_files_pattern($1, tmpfile, tmpfile)
@@ -14350,92 +14347,81 @@ index f962f76..fa12587 100644
  
  ########################################
  ## <summary>
--##	Create objects in the /usr directory
+-##	Get the attributes of files in /usr/src.
 +##	Set the attributes of the /usr directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -5039,20 +5974,17 @@ interface(`files_dontaudit_search_src',`
  ##	</summary>
  ## </param>
--## <param name="file_type">
--##	<summary>
--##	The type of the object to be created
--##	</summary>
--## </param>
--## <param name="object_class">
--##	<summary>
--##	The object class.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
  #
--interface(`files_usr_filetrans',`
+-interface(`files_getattr_usr_src_files',`
 +interface(`files_setattr_usr_dirs',`
  	gen_require(`
- 		type usr_t;
+-		type usr_t, src_t;
++		type usr_t;
  	')
  
--	filetrans_pattern($1, usr_t, $2, $3, $4)
+-	getattr_files_pattern($1, src_t, src_t)
+-
+-	# /usr/src/linux symlink:
+-	read_lnk_files_pattern($1, usr_t, src_t)
 +	allow $1 usr_t:dir setattr;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to search /usr/src.
+-##	Read files in /usr/src.
 +##	Search the content of /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -5060,20 +5992,18 @@ interface(`files_getattr_usr_src_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_search_src',`
+-interface(`files_read_usr_src_files',`
 +interface(`files_search_usr',`
  	gen_require(`
--		type src_t;
+-		type usr_t, src_t;
 +		type usr_t;
  	')
  
--	dontaudit $1 src_t:dir search_dir_perms;
-+	allow $1 usr_t:dir search_dir_perms;
+ 	allow $1 usr_t:dir search_dir_perms;
+-	read_files_pattern($1, { usr_t src_t }, src_t)
+-	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+-	allow $1 src_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Get the attributes of files in /usr/src.
+-##	Execute programs in /usr/src in the caller domain.
 +##	List the contents of generic
 +##	directories in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5039,41 +6030,35 @@ interface(`files_dontaudit_search_src',`
+@@ -5081,38 +6011,35 @@ interface(`files_read_usr_src_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_getattr_usr_src_files',`
+-interface(`files_exec_usr_src_files',`
 +interface(`files_list_usr',`
  	gen_require(`
 -		type usr_t, src_t;
 +		type usr_t;
  	')
  
--	getattr_files_pattern($1, src_t, src_t)
--
--	# /usr/src/linux symlink:
--	read_lnk_files_pattern($1, usr_t, src_t)
+-	list_dirs_pattern($1, usr_t, src_t)
+-	exec_files_pattern($1, src_t, src_t)
+-	read_lnk_files_pattern($1, src_t, src_t)
 +	allow $1 usr_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Read files in /usr/src.
+-##	Install a system.map into the /boot directory.
 +##	Do not audit write of /usr dirs
  ## </summary>
  ## <param name="domain">
@@ -14445,47 +14431,44 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_read_usr_src_files',`
+-interface(`files_create_kernel_symbol_table',`
 +interface(`files_dontaudit_write_usr_dirs',`
  	gen_require(`
--		type usr_t, src_t;
+-		type boot_t, system_map_t;
 +		type usr_t;
  	')
  
--	allow $1 usr_t:dir search_dir_perms;
--	read_files_pattern($1, { usr_t src_t }, src_t)
--	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
--	allow $1 src_t:dir list_dir_perms;
+-	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+-	allow $1 system_map_t:file { create_file_perms rw_file_perms };
 +	dontaudit $1 usr_t:dir write;
  ')
  
  ########################################
  ## <summary>
--##	Execute programs in /usr/src in the caller domain.
+-##	Read system.map in the /boot directory.
 +##	Add and remove entries from /usr directories.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5081,38 +6066,36 @@ interface(`files_read_usr_src_files',`
+@@ -5120,37 +6047,36 @@ interface(`files_create_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
--interface(`files_exec_usr_src_files',`
+-interface(`files_read_kernel_symbol_table',`
 +interface(`files_rw_usr_dirs',`
  	gen_require(`
--		type usr_t, src_t;
+-		type boot_t, system_map_t;
 +		type usr_t;
  	')
  
--	list_dirs_pattern($1, usr_t, src_t)
--	exec_files_pattern($1, src_t, src_t)
--	read_lnk_files_pattern($1, src_t, src_t)
+-	allow $1 boot_t:dir list_dir_perms;
+-	read_files_pattern($1, boot_t, system_map_t)
 +	allow $1 usr_t:dir rw_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Install a system.map into the /boot directory.
+-##	Delete a system.map in the /boot directory.
 +##	Do not audit attempts to add and remove
 +##	entries from /usr directories.
  ## </summary>
@@ -14496,89 +14479,89 @@ index f962f76..fa12587 100644
  ##	</summary>
  ## </param>
  #
--interface(`files_create_kernel_symbol_table',`
+-interface(`files_delete_kernel_symbol_table',`
 +interface(`files_dontaudit_rw_usr_dirs',`
  	gen_require(`
 -		type boot_t, system_map_t;
 +		type usr_t;
  	')
  
--	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
--	allow $1 system_map_t:file { create_file_perms rw_file_perms };
+-	allow $1 boot_t:dir list_dir_perms;
+-	delete_files_pattern($1, boot_t, system_map_t)
 +	dontaudit $1 usr_t:dir rw_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Read system.map in the /boot directory.
+-##	Search the contents of /var.
 +##	Delete generic directories in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5120,18 +6103,17 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5158,35 +6084,35 @@ interface(`files_delete_kernel_symbol_table',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_kernel_symbol_table',`
+-interface(`files_search_var',`
 +interface(`files_delete_usr_dirs',`
  	gen_require(`
--		type boot_t, system_map_t;
+-		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 boot_t:dir list_dir_perms;
--	read_files_pattern($1, boot_t, system_map_t)
+-	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Delete a system.map in the /boot directory.
+-##	Do not audit attempts to write to /var.
 +##	Delete generic files in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5139,18 +6121,17 @@ interface(`files_read_kernel_symbol_table',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_delete_kernel_symbol_table',`
+-interface(`files_dontaudit_write_var_dirs',`
 +interface(`files_delete_usr_files',`
  	gen_require(`
--		type boot_t, system_map_t;
+-		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 boot_t:dir list_dir_perms;
--	delete_files_pattern($1, boot_t, system_map_t)
+-	dontaudit $1 var_t:dir write;
 +	delete_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Search the contents of /var.
+-##	Allow attempts to write to /var.dirs
 +##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5158,35 +6139,55 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5194,36 +6120,55 @@ interface(`files_dontaudit_write_var_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_search_var',`
+-interface(`files_write_var_dirs',`
 +interface(`files_getattr_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_t:dir write;
 +	getattr_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to write to /var.
+-##	Do not audit attempts to search
+-##	the contents of /var.
 +##	Read generic files in /usr.
  ## </summary>
 +## <desc>
@@ -14606,14 +14589,14 @@ index f962f76..fa12587 100644
  ## </param>
 +## <infoflow type="read" weight="10"/>
  #
--interface(`files_dontaudit_write_var_dirs',`
+-interface(`files_dontaudit_search_var',`
 +interface(`files_read_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	dontaudit $1 var_t:dir write;
+-	dontaudit $1 var_t:dir search_dir_perms;
 +	allow $1 usr_t:dir list_dir_perms;
 +	read_files_pattern($1, usr_t, usr_t)
 +	read_lnk_files_pattern($1, usr_t, usr_t)
@@ -14621,23 +14604,23 @@ index f962f76..fa12587 100644
  
  ########################################
  ## <summary>
--##	Allow attempts to write to /var.dirs
+-##	List the contents of /var.
 +##	Execute generic programs in /usr in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5194,18 +6195,19 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5231,36 +6176,37 @@ interface(`files_dontaudit_search_var',`
  ##	</summary>
  ## </param>
  #
--interface(`files_write_var_dirs',`
+-interface(`files_list_var',`
 +interface(`files_exec_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 var_t:dir write;
+-	allow $1 var_t:dir list_dir_perms;
 +	allow $1 usr_t:dir list_dir_perms;
 +	exec_files_pattern($1, usr_t, usr_t)
 +	read_lnk_files_pattern($1, usr_t, usr_t)
@@ -14645,119 +14628,121 @@ index f962f76..fa12587 100644
  
  ########################################
  ## <summary>
--##	Do not audit attempts to search
--##	the contents of /var.
+-##	Create, read, write, and delete directories
+-##	in the /var directory.
 +##	dontaudit write of /usr files
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5213,17 +6215,17 @@ interface(`files_write_var_dirs',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_search_var',`
+-interface(`files_manage_var_dirs',`
 +interface(`files_dontaudit_write_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	dontaudit $1 var_t:dir search_dir_perms;
+-	allow $1 var_t:dir manage_dir_perms;
 +	dontaudit $1 usr_t:file write;
  ')
  
  ########################################
  ## <summary>
--##	List the contents of /var.
+-##	Read files in the /var directory.
 +##	Create, read, write, and delete files in the /usr directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5231,18 +6233,17 @@ interface(`files_dontaudit_search_var',`
+@@ -5268,17 +6214,17 @@ interface(`files_manage_var_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_list_var',`
+-interface(`files_read_var_files',`
 +interface(`files_manage_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 var_t:dir list_dir_perms;
+-	read_files_pattern($1, var_t, var_t)
 +	manage_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete directories
--##	in the /var directory.
+-##	Append files in the /var directory.
 +##	Relabel a file to the type used in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5250,17 +6251,17 @@ interface(`files_list_var',`
+@@ -5286,17 +6232,17 @@ interface(`files_read_var_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_var_dirs',`
+-interface(`files_append_var_files',`
 +interface(`files_relabelto_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	allow $1 var_t:dir manage_dir_perms;
+-	append_files_pattern($1, var_t, var_t)
 +	relabelto_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Read files in the /var directory.
+-##	Read and write files in the /var directory.
 +##	Relabel a file from the type used in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5268,17 +6269,17 @@ interface(`files_manage_var_dirs',`
+@@ -5304,73 +6250,86 @@ interface(`files_append_var_files',`
  ##	</summary>
  ## </param>
  #
--interface(`files_read_var_files',`
+-interface(`files_rw_var_files',`
 +interface(`files_relabelfrom_usr_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	read_files_pattern($1, var_t, var_t)
+-	rw_files_pattern($1, var_t, var_t)
 +	relabelfrom_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Append files in the /var directory.
+-##	Do not audit attempts to read and write
+-##	files in the /var directory.
 +##	Read symbolic links in /usr.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5286,36 +6287,50 @@ interface(`files_read_var_files',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_append_var_files',`
+-interface(`files_dontaudit_rw_var_files',`
 +interface(`files_read_usr_symlinks',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	append_files_pattern($1, var_t, var_t)
+-	dontaudit $1 var_t:file rw_file_perms;
 +	read_lnk_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
  ## <summary>
--##	Read and write files in the /var directory.
+-##	Create, read, write, and delete files in the /var directory.
 +##	Create objects in the /usr directory
  ## </summary>
  ## <param name="domain">
@@ -14781,59 +14766,60 @@ index f962f76..fa12587 100644
 +##	</summary>
 +## </param>
  #
--interface(`files_rw_var_files',`
+-interface(`files_manage_var_files',`
 +interface(`files_usr_filetrans',`
  	gen_require(`
 -		type var_t;
 +		type usr_t;
  	')
  
--	rw_files_pattern($1, var_t, var_t)
+-	manage_files_pattern($1, var_t, var_t)
 +	filetrans_pattern($1, usr_t, $2, $3, $4)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to read and write
--##	files in the /var directory.
+-##	Read symbolic links in the /var directory.
 +##	Do not audit attempts to search /usr/src.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5323,17 +6338,17 @@ interface(`files_rw_var_files',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_rw_var_files',`
+-interface(`files_read_var_symlinks',`
 +interface(`files_dontaudit_search_src',`
  	gen_require(`
 -		type var_t;
 +		type src_t;
  	')
  
--	dontaudit $1 var_t:file rw_file_perms;
+-	read_lnk_files_pattern($1, var_t, var_t)
 +	dontaudit $1 src_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete files in the /var directory.
+-##	Create, read, write, and delete symbolic
+-##	links in the /var directory.
 +##	Get the attributes of files in /usr/src.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5341,17 +6356,20 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5378,50 +6337,41 @@ interface(`files_read_var_symlinks',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_var_files',`
+-interface(`files_manage_var_symlinks',`
 +interface(`files_getattr_usr_src_files',`
  	gen_require(`
 -		type var_t;
 +		type usr_t, src_t;
  	')
  
--	manage_files_pattern($1, var_t, var_t)
+-	manage_lnk_files_pattern($1, var_t, var_t)
 +	getattr_files_pattern($1, src_t, src_t)
 +
 +	# /usr/src/linux symlink:
@@ -14842,58 +14828,8 @@ index f962f76..fa12587 100644
  
  ########################################
  ## <summary>
--##	Read symbolic links in the /var directory.
-+##	Read files in /usr/src.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5359,18 +6377,20 @@ interface(`files_manage_var_files',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_var_symlinks',`
-+interface(`files_read_usr_src_files',`
- 	gen_require(`
--		type var_t;
-+		type usr_t, src_t;
- 	')
- 
--	read_lnk_files_pattern($1, var_t, var_t)
-+	allow $1 usr_t:dir search_dir_perms;
-+	read_files_pattern($1, { usr_t src_t }, src_t)
-+	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
-+	allow $1 src_t:dir list_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete symbolic
--##	links in the /var directory.
-+##	Execute programs in /usr/src in the caller domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5378,120 +6398,94 @@ interface(`files_read_var_symlinks',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_var_symlinks',`
-+interface(`files_exec_usr_src_files',`
- 	gen_require(`
--		type var_t;
-+		type usr_t, src_t;
- 	')
- 
--	manage_lnk_files_pattern($1, var_t, var_t)
-+	list_dirs_pattern($1, usr_t, src_t)
-+	exec_files_pattern($1, src_t, src_t)
-+	read_lnk_files_pattern($1, src_t, src_t)
- ')
- 
- ########################################
- ## <summary>
 -##	Create objects in the /var directory
-+##	Install a system.map into the /boot directory.
++##	Read files in /usr/src.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14917,44 +14853,47 @@ index f962f76..fa12587 100644
 -## </param>
  #
 -interface(`files_var_filetrans',`
-+interface(`files_create_kernel_symbol_table',`
++interface(`files_read_usr_src_files',`
  	gen_require(`
 -		type var_t;
-+		type boot_t, system_map_t;
++		type usr_t, src_t;
  	')
  
 -	filetrans_pattern($1, var_t, $2, $3, $4)
-+	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
-+	allow $1 system_map_t:file { create_file_perms rw_file_perms };
++	allow $1 usr_t:dir search_dir_perms;
++	read_files_pattern($1, { usr_t src_t }, src_t)
++	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++	allow $1 src_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of the /var/lib directory.
-+##	Dontaudit getattr attempts on the system.map file
++##	Execute programs in /usr/src in the caller domain.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -5429,69 +6379,56 @@ interface(`files_var_filetrans',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_getattr_var_lib_dirs',`
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
++interface(`files_exec_usr_src_files',`
  	gen_require(`
 -		type var_t, var_lib_t;
-+		type system_map_t;
++		type usr_t, src_t;
  	')
  
 -	getattr_dirs_pattern($1, var_t, var_lib_t)
-+	dontaudit $1 system_map_t:file getattr;
++	list_dirs_pattern($1, usr_t, src_t)
++	exec_files_pattern($1, src_t, src_t)
++	read_lnk_files_pattern($1, src_t, src_t)
  ')
  
  ########################################
  ## <summary>
 -##	Search the /var/lib directory.
-+##	Read system.map in the /boot directory.
++##	Install a system.map into the /boot directory.
  ## </summary>
 -## <desc>
 -##	<p>
@@ -14977,93 +14916,92 @@ index f962f76..fa12587 100644
 -## <infoflow type="read" weight="5"/>
  #
 -interface(`files_search_var_lib',`
-+interface(`files_read_kernel_symbol_table',`
++interface(`files_create_kernel_symbol_table',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type boot_t, system_map_t;
  	')
  
 -	search_dirs_pattern($1, var_t, var_lib_t)
-+	allow $1 boot_t:dir list_dir_perms;
-+	read_files_pattern($1, boot_t, system_map_t)
++	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++	allow $1 system_map_t:file { create_file_perms rw_file_perms };
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to search the
 -##	contents of /var/lib.
-+##	Delete a system.map in the /boot directory.
++##	Dontaudit getattr attempts on the system.map file
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+ ##	Domain to not audit.
  ##	</summary>
  ## </param>
 -## <infoflow type="read" weight="5"/>
  #
 -interface(`files_dontaudit_search_var_lib',`
-+interface(`files_delete_kernel_symbol_table',`
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
  	gen_require(`
 -		type var_lib_t;
-+		type boot_t, system_map_t;
++		type system_map_t;
  	')
  
 -	dontaudit $1 var_lib_t:dir search_dir_perms;
-+	allow $1 boot_t:dir list_dir_perms;
-+	delete_files_pattern($1, boot_t, system_map_t)
++	dontaudit $1 system_map_t:file getattr;
  ')
  
  ########################################
  ## <summary>
 -##	List the contents of the /var/lib directory.
-+##	Search the contents of /var.
++##	Read system.map in the /boot directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5499,88 +6493,72 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6436,18 @@ interface(`files_dontaudit_search_var_lib',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_list_var_lib',`
-+interface(`files_search_var',`
++interface(`files_read_kernel_symbol_table',`
  	gen_require(`
 -		type var_t, var_lib_t;
-+		type var_t;
++		type boot_t, system_map_t;
  	')
  
 -	list_dirs_pattern($1, var_t, var_lib_t)
-+	allow $1 var_t:dir search_dir_perms;
++	allow $1 boot_t:dir list_dir_perms;
++	read_files_pattern($1, boot_t, system_map_t)
  ')
  
 -###########################################
 +########################################
  ## <summary>
 -##	Read-write /var/lib directories
-+##	Do not audit attempts to write to /var.
++##	Delete a system.map in the /boot directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -5517,70 +6455,54 @@ interface(`files_list_var_lib',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_rw_var_lib_dirs',`
-+interface(`files_dontaudit_write_var_dirs',`
++interface(`files_delete_kernel_symbol_table',`
  	gen_require(`
 -		type var_lib_t;
-+		type var_t;
++		type boot_t, system_map_t;
  	')
  
 -	rw_dirs_pattern($1, var_lib_t, var_lib_t)
-+	dontaudit $1 var_t:dir write;
++	allow $1 boot_t:dir list_dir_perms;
++	delete_files_pattern($1, boot_t, system_map_t)
  ')
  
  ########################################
  ## <summary>
 -##	Create objects in the /var/lib directory
-+##	Allow attempts to write to /var.dirs
++##	Search the contents of /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
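Review bot: The interface name on the new side, `interface(`files_dontaduit_getattr_kernel_symbol_table',`, is misspelled ("dontaduit"), so the public name breaks the `files_dontaudit_*` convention every other dontaudit interface in this hunk follows, and any module that spells it correctly fails to link. Since the misspelled name may already be referenced elsewhere in the policy (not visible here), the safe fix is to add the correctly spelled interface and keep the old name as a thin wrapper that delegates to it, rather than renaming outright; its body (`dontaudit $1 system_map_t:file getattr;`) and doc header are otherwise fine. Both interface definitions are complete within the hunk.
```m4
########################################
## <summary>
##	Dontaudit getattr attempts on the system.map file
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`files_dontaudit_getattr_kernel_symbol_table',`
	gen_require(`
		type system_map_t;
	')

	dontaudit $1 system_map_t:file getattr;
')

# Deprecated misspelling, kept so existing callers keep building.
interface(`files_dontaduit_getattr_kernel_symbol_table',`
	files_dontaudit_getattr_kernel_symbol_table($1)
')
```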
@@ -15087,22 +15025,20 @@ index f962f76..fa12587 100644
 -## </param>
  #
 -interface(`files_var_lib_filetrans',`
-+interface(`files_write_var_dirs',`
++interface(`files_search_var',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
+ 	allow $1 var_t:dir search_dir_perms;
 -	filetrans_pattern($1, var_lib_t, $2, $3, $4)
-+	allow $1 var_t:dir write;
  ')
  
  ########################################
  ## <summary>
 -##	Read generic files in /var/lib.
-+##	Do not audit attempts to search
-+##	the contents of /var.
++##	Do not audit attempts to write to /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15112,7 +15048,7 @@ index f962f76..fa12587 100644
  ## </param>
  #
 -interface(`files_read_var_lib_files',`
-+interface(`files_dontaudit_search_var',`
++interface(`files_dontaudit_write_var_dirs',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
@@ -15120,29 +15056,29 @@ index f962f76..fa12587 100644
  
 -	allow $1 var_lib_t:dir list_dir_perms;
 -	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+	dontaudit $1 var_t:dir search_dir_perms;
++	dontaudit $1 var_t:dir write;
  ')
  
  ########################################
  ## <summary>
 -##	Read generic symbolic links in /var/lib
-+##	List the contents of /var.
++##	Allow attempts to write to /var.dirs
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5588,41 +6566,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6510,36 @@ interface(`files_read_var_lib_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_read_var_lib_symlinks',`
-+interface(`files_list_var',`
++interface(`files_write_var_dirs',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
  	')
  
 -	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
-+	allow $1 var_t:dir list_dir_perms;
++	allow $1 var_t:dir write;
  ')
  
 -# cjp: the next two interfaces really need to be fixed
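Review bot: The summary for `files_write_var_dirs` on the new side reads `##	Allow attempts to write to /var.dirs`, which is a typo that reads like a path; it should be `##	Write to the /var directory.`. The summary should also say that only the `write` permission on `var_t:dir` is granted — unlike `files_rw_usr_dirs` earlier in this file, which uses `rw_dir_perms`, and `files_manage_var_dirs` below, which uses `manage_dir_perms` — so a caller that needs to add or remove entries presumably needs one of those broader interfaces instead; a line such as `##	Only the write permission is granted; use files_manage_var_dirs to add or remove entries.` would prevent over-use of this interface as a shortcut. The interface is complete within the hunk.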
@@ -15152,7 +15088,8 @@ index f962f76..fa12587 100644
  ## <summary>
 -##	Create, read, write, and delete the
 -##	pseudorandom number generator seed.
-+##	Do not audit listing of the var directory (/var).
++##	Do not audit attempts to search
++##	the contents of /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15162,7 +15099,7 @@ index f962f76..fa12587 100644
  ## </param>
  #
 -interface(`files_manage_urandom_seed',`
-+interface(`files_dontaudit_list_var',`
++interface(`files_dontaudit_search_var',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
@@ -15170,24 +15107,23 @@ index f962f76..fa12587 100644
  
 -	allow $1 var_t:dir search_dir_perms;
 -	manage_files_pattern($1, var_lib_t, var_lib_t)
-+	dontaudit $1 var_t:dir list_dir_perms;
++	dontaudit $1 var_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Allow domain to manage mount tables
 -##	necessary for rpcd, nfsd, etc.
-+##	Create, read, write, and delete directories
-+##	in the /var directory.
++##	List the contents of /var.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5630,18 +6603,17 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6547,36 @@ interface(`files_manage_urandom_seed',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_manage_mounttab',`
-+interface(`files_manage_var_dirs',`
++interface(`files_list_var',`
  	gen_require(`
 -		type var_t, var_lib_t;
 +		type var_t;
@@ -15195,44 +15131,46 @@ index f962f76..fa12587 100644
  
 -	allow $1 var_t:dir search_dir_perms;
 -	manage_files_pattern($1, var_lib_t, var_lib_t)
-+	allow $1 var_t:dir manage_dir_perms;
++	allow $1 var_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Set the attributes of the generic lock directories.
-+##	Read files in the /var directory.
++##	Do not audit listing of the var directory (/var).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5649,17 +6621,17 @@ interface(`files_manage_mounttab',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`files_setattr_lock_dirs',`
-+interface(`files_read_var_files',`
++interface(`files_dontaudit_list_var',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
  	')
  
 -	setattr_dirs_pattern($1, var_t, var_lock_t)
-+	read_files_pattern($1, var_t, var_t)
++	dontaudit $1 var_t:dir list_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Search the locks directory (/var/lock).
-+##	Append files in the /var directory.
++##	Create, read, write, and delete directories
++##	in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5667,58 +6639,54 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6584,35 @@ interface(`files_setattr_lock_dirs',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_search_locks',`
-+interface(`files_append_var_files',`
++interface(`files_manage_var_dirs',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
@@ -15240,14 +15178,14 @@ index f962f76..fa12587 100644
  
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	search_dirs_pattern($1, var_t, var_lock_t)
-+	append_files_pattern($1, var_t, var_t)
++	allow $1 var_t:dir manage_dir_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Do not audit attempts to search the
 -##	locks directory (/var/lock).
-+##	Read and write files in the /var directory.
++##	Read files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -15257,7 +15195,7 @@ index f962f76..fa12587 100644
  ## </param>
  #
 -interface(`files_dontaudit_search_locks',`
-+interface(`files_rw_var_files',`
++interface(`files_read_var_files',`
  	gen_require(`
 -		type var_lock_t;
 +		type var_t;
@@ -15265,24 +15203,22 @@ index f962f76..fa12587 100644
  
 -	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	dontaudit $1 var_lock_t:dir search_dir_perms;
-+	rw_files_pattern($1, var_t, var_t)
++	read_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -##	List generic lock directories.
-+##	Do not audit attempts to read and write
-+##	files in the /var directory.
++##	Append files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -5706,19 +6620,17 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_list_locks',`
-+interface(`files_dontaudit_rw_var_files',`
++interface(`files_append_var_files',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
@@ -15290,23 +15226,23 @@ index f962f76..fa12587 100644
  
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	list_dirs_pattern($1, var_t, var_lock_t)
-+	dontaudit $1 var_t:file rw_inherited_file_perms;
++	append_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -##	Add and remove entries in the /var/lock
 -##	directories.
-+##	Create, read, write, and delete files in the /var directory.
++##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5726,81 +6694,88 @@ interface(`files_list_locks',`
+@@ -5726,60 +6638,54 @@ interface(`files_list_locks',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_rw_lock_dirs',`
-+interface(`files_manage_var_files',`
++interface(`files_rw_var_files',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
@@ -15314,24 +15250,25 @@ index f962f76..fa12587 100644
  
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	rw_dirs_pattern($1, var_t, var_lock_t)
-+	manage_files_pattern($1, var_t, var_t)
++	rw_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -## 	Create lock directories
-+##	Read symbolic links in the /var directory.
++##	Do not audit attempts to read and write
++##	files in the /var directory.
  ## </summary>
  ## <param name="domain">
 -## 	<summary>
 -##	Domain allowed access
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`files_create_lock_dirs',`
-+interface(`files_read_var_symlinks',`
++interface(`files_dontaudit_rw_var_files',`
  	gen_require(`
 -		type var_t, var_lock_t;
 +		type var_t;
@@ -15340,14 +15277,13 @@ index f962f76..fa12587 100644
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	create_dirs_pattern($1, var_lock_t, var_lock_t)
-+	read_lnk_files_pattern($1, var_t, var_t)
++	dontaudit $1 var_t:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Relabel to and from all lock directory types.
-+##	Create, read, write, and delete symbolic
-+##	links in the /var directory.
++##	Create, read, write, and delete files in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
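Review bot: The summary of `files_dontaudit_rw_var_files` still says "Do not audit attempts to read and write files in the /var directory", but the new body is `dontaudit $1 var_t:file rw_inherited_file_perms;`, whereas the upstream rule this patch removes earlier in the file was `dontaudit $1 var_t:file rw_file_perms;`. The narrower permission set looks intentional (silencing leaked inherited descriptors rather than every open of a `var_t` file), and it should stay narrow so that a confined domain actually opening files in /var is still logged; the documentation should state that, e.g. `##	Do not audit attempts to read and write inherited file descriptors for files in the /var directory.`. If the narrowing was not intended, the upstream `rw_file_perms` line is the one to restore. The interface is complete within the hunk.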
@@ -15357,7 +15293,7 @@ index f962f76..fa12587 100644
 -## <rolecap/>
  #
 -interface(`files_relabel_all_lock_dirs',`
-+interface(`files_manage_var_symlinks',`
++interface(`files_manage_var_files',`
  	gen_require(`
 -		attribute lockfile;
 -		type var_t, var_lock_t;
@@ -15367,12 +15303,63 @@ index f962f76..fa12587 100644
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
 -	relabel_dirs_pattern($1, lockfile, lockfile)
-+	manage_lnk_files_pattern($1, var_t, var_t)
++	manage_files_pattern($1, var_t, var_t)
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of generic lock files.
++##	Read symbolic links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5787,20 +6693,18 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_read_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_lock_t:dir list_dir_perms;
+-	getattr_files_pattern($1, var_lock_t, var_lock_t)
++	read_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic lock files.
++##	Create, read, write, and delete symbolic
++##	links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5808,63 +6712,68 @@ interface(`files_getattr_generic_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_manage_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, var_lock_t, var_lock_t)
++	manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	lock files.
 +##	Create objects in the /var directory
  ## </summary>
  ## <param name="domain">
@@ -15396,7 +15383,7 @@ index f962f76..fa12587 100644
 +##	</summary>
 +## </param>
  #
--interface(`files_getattr_generic_locks',`
+-interface(`files_manage_generic_locks',`
 +interface(`files_var_filetrans',`
  	gen_require(`
 -		type var_t, var_lock_t;
@@ -15405,65 +15392,68 @@ index f962f76..fa12587 100644
  
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 var_lock_t:dir list_dir_perms;
--	getattr_files_pattern($1, var_lock_t, var_lock_t)
+-	manage_dirs_pattern($1, var_lock_t, var_lock_t)
+-	manage_files_pattern($1, var_lock_t, var_lock_t)
 +	filetrans_pattern($1, var_t, $2, $3, $4)
  ')
  
 +
  ########################################
  ## <summary>
--##	Delete generic lock files.
+-##	Delete all lock files.
 +## Relabel dirs in the /var directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5808,20 +6783,16 @@ interface(`files_getattr_generic_locks',`
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
+-## <rolecap/>
  #
--interface(`files_delete_generic_locks',`
+-interface(`files_delete_all_locks',`
 +interface(`files_relabel_var_dirs',`
  	gen_require(`
+-		attribute lockfile;
 -		type var_t, var_lock_t;
 +		type var_t;
  	')
 -
 -	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, var_lock_t, var_lock_t)
+-	delete_files_pattern($1, lockfile, lockfile)
 +    allow $1 var_t:dir relabel_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete generic
--##	lock files.
+-##	Read all lock files.
 +##	Get the attributes of the /var/lib directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5829,65 +6800,69 @@ interface(`files_delete_generic_locks',`
+@@ -5872,101 +6781,87 @@ interface(`files_delete_all_locks',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_generic_locks',`
+-interface(`files_read_all_locks',`
 +interface(`files_getattr_var_lib_dirs',`
  	gen_require(`
+-		attribute lockfile;
 -		type var_t, var_lock_t;
 +		type var_t, var_lib_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	manage_dirs_pattern($1, var_lock_t, var_lock_t)
--	manage_files_pattern($1, var_lock_t, var_lock_t)
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	allow $1 lockfile:dir list_dir_perms;
+-	read_files_pattern($1, lockfile, lockfile)
+-	read_lnk_files_pattern($1, lockfile, lockfile)
 +	getattr_dirs_pattern($1, var_t, var_lib_t)
  ')
  
  ########################################
  ## <summary>
--##	Delete all lock files.
+-##	manage all lock files.
 +##	Search the /var/lib directory.
  ## </summary>
 +## <desc>
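Review bot: The single rule in `files_relabel_var_dirs` is indented with four spaces while every other rule body in this file uses one tab, and the extra empty line added after `files_var_filetrans` leaves a double blank before the banner of this interface; both should be normalised so the generated policy and the interface docs stay consistent with the rest of files.if. The rule line should read `allow $1 var_t:dir relabel_dir_perms;` behind a single tab, and the stray blank line dropped. The `files_search_var_lib` header that this hunk ends on continues outside the hunk.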
@@ -15484,10 +15474,9 @@ index f962f76..fa12587 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
--## <rolecap/>
 +## <infoflow type="read" weight="5"/>
  #
--interface(`files_delete_all_locks',`
+-interface(`files_manage_all_locks',`
 +interface(`files_search_var_lib',`
  	gen_require(`
 -		attribute lockfile;
@@ -15495,143 +15484,140 @@ index f962f76..fa12587 100644
 +		type var_t, var_lib_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, lockfile, lockfile)
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	manage_dirs_pattern($1, lockfile, lockfile)
+-	manage_files_pattern($1, lockfile, lockfile)
+-	manage_lnk_files_pattern($1, lockfile, lockfile)
 +	search_dirs_pattern($1, var_t, var_lib_t)
  ')
  
  ########################################
  ## <summary>
--##	Read all lock files.
+-##	Create an object in the locks directory, with a private
+-##	type using a type transition.
 +##	Do not audit attempts to search the
 +##	contents of /var/lib.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
 -##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
 +## <infoflow type="read" weight="5"/>
  #
--interface(`files_read_all_locks',`
+-interface(`files_lock_filetrans',`
 +interface(`files_dontaudit_search_var_lib',`
  	gen_require(`
--		attribute lockfile;
 -		type var_t, var_lock_t;
 +		type var_lib_t;
  	')
  
+-	allow $1 var_t:dir search_dir_perms;
 -	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
--	allow $1 lockfile:dir list_dir_perms;
--	read_files_pattern($1, lockfile, lockfile)
--	read_lnk_files_pattern($1, lockfile, lockfile)
+-	filetrans_pattern($1, var_lock_t, $2, $3, $4)
 +	dontaudit $1 var_lib_t:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	manage all lock files.
+-##	Do not audit attempts to get the attributes
+-##	of the /var/run directory.
 +##	List the contents of the /var/lib directory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5895,78 +6870,1372 @@ interface(`files_read_all_locks',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_all_locks',`
+-interface(`files_dontaudit_getattr_pid_dirs',`
 +interface(`files_list_var_lib',`
  	gen_require(`
--		attribute lockfile;
--		type var_t, var_lock_t;
+-		type var_run_t;
 +		type var_t, var_lib_t;
  	')
  
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
--	manage_dirs_pattern($1, lockfile, lockfile)
--	manage_files_pattern($1, lockfile, lockfile)
--	manage_lnk_files_pattern($1, lockfile, lockfile)
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir getattr;
 +	list_dirs_pattern($1, var_t, var_lib_t)
  ')
  
 -########################################
 +###########################################
  ## <summary>
--##	Create an object in the locks directory, with a private
--##	type using a type transition.
+-##	Set the attributes of the /var/run directory.
 +##	Read-write /var/lib directories
  ## </summary>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -5974,19 +6869,17 @@ interface(`files_dontaudit_getattr_pid_dirs',`
  ##	</summary>
  ## </param>
--## <param name="private type">
--##	<summary>
--##	The type of the object to be created.
--##	</summary>
--## </param>
--## <param name="object">
--##	<summary>
--##	The object class of the object being created.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
  #
--interface(`files_lock_filetrans',`
+-interface(`files_setattr_pid_dirs',`
 +interface(`files_rw_var_lib_dirs',`
  	gen_require(`
--		type var_t, var_lock_t;
+-		type var_run_t;
 +		type var_lib_t;
  	')
  
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	filetrans_pattern($1, var_lock_t, $2, $3, $4)
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir setattr;
 +	rw_dirs_pattern($1, var_lib_t, var_lib_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to get the attributes
--##	of the /var/run directory.
+-##	Search the contents of runtime process
+-##	ID directories (/var/run).
 +##	Create directories in /var/lib
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -5994,39 +6887,52 @@ interface(`files_setattr_pid_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_getattr_pid_dirs',`
+-interface(`files_search_pids',`
 +interface(`files_create_var_lib_dirs',`
  	gen_require(`
--		type var_run_t;
+-		type var_t, var_run_t;
 +		type var_lib_t;
  	')
  
--	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
--	dontaudit $1 var_run_t:dir getattr;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_run_t)
 +	allow $1 var_lib_t:dir { create rw_dir_perms };
  ')
  
 +
  ########################################
  ## <summary>
--##	Set the attributes of the /var/run directory.
+-##	Do not audit attempts to search
+-##	the /var/run directory.
 +##	Create objects in the /var/lib directory
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
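Review bot: `files_dontaudit_search_var_lib` carries `## <infoflow type="read" weight="5"/>` even though a dontaudit rule grants no access, so the annotation documents an information flow the interface does not create; the tag is correct on `files_search_var_lib` just above but looks copy-pasted here. Unless the project's doc tooling depends on it, the line should become `## <infoflow type="none"/>` or be dropped, matching how other dontaudit interfaces in this file are annotated. The `files_var_lib_filetrans` header that this hunk ends on continues outside the hunk.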
@@ -15648,30 +15634,37 @@ index f962f76..fa12587 100644
 +## <param name="name" optional="true">
 +##	<summary>
 +##	The name of the object being created.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
 +interface(`files_var_lib_filetrans',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_run_t;
 +		type var_t, var_lib_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir search_dir_perms;
 +	allow $1 var_t:dir search_dir_perms;
 +	filetrans_pattern($1, var_lib_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
 +##	Read generic files in /var/lib.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6034,18 +6940,1302 @@ interface(`files_dontaudit_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
 +interface(`files_read_var_lib_files',`
-+	gen_require(`
+ 	gen_require(`
 +		type var_t, var_lib_t;
 +	')
 +
@@ -16792,9 +16785,11 @@ index f962f76..fa12587 100644
 +interface(`files_delete_all_pid_dirs',`
 +	gen_require(`
 +		attribute pidfile;
-+		type var_t, var_run_t;
-+	')
-+
+ 		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
 +	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
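Review bot: `files_delete_all_pid_dirs` calls `files_search_pids($1)` and then also grants `allow $1 var_t:dir search_dir_perms;` explicitly; the original `files_search_pids` removed earlier in this patch already used `search_dirs_pattern($1, var_t, var_run_t)`, which includes search on var_t, so the explicit allow appears redundant if the patched `files_search_pids` keeps that pattern (it is not visible here, so this is inferred). Either drop the explicit line or add a one-line comment saying why both are needed, so a later reader does not remove the wrong one. The interface body continues past the end of this hunk.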
@@ -16947,39 +16942,34 @@ index f962f76..fa12587 100644
 +## <summary>
 +##	List the contents of generic spool
 +##	(/var/spool) directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5974,19 +8243,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_setattr_pid_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_list_spool',`
- 	gen_require(`
--		type var_run_t;
++	gen_require(`
 +		type var_t, var_spool_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:dir setattr;
++	')
++
 +	list_dirs_pattern($1, var_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
--##	Search the contents of runtime process
--##	ID directories (/var/run).
+-##	Read generic process ID files.
 +##	Create, read, write, and delete generic
 +##	spool directories (/var/spool).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5994,39 +8262,38 @@ interface(`files_setattr_pid_dirs',`
+@@ -6053,19 +8243,18 @@ interface(`files_list_pids',`
  ##	</summary>
  ## </param>
  #
--interface(`files_search_pids',`
+-interface(`files_read_generic_pids',`
 +interface(`files_manage_generic_spool_dirs',`
  	gen_require(`
 -		type var_t, var_run_t;
@@ -16987,74 +16977,67 @@ index f962f76..fa12587 100644
  	')
  
 -	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	search_dirs_pattern($1, var_t, var_run_t)
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	manage_dirs_pattern($1, var_spool_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to search
--##	the /var/run directory.
+-##	Write named generic process ID pipes
 +##	Read generic spool files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
+@@ -6073,43 +8262,151 @@ interface(`files_read_generic_pids',`
  ##	</summary>
  ## </param>
  #
--interface(`files_dontaudit_search_pids',`
+-interface(`files_write_generic_pid_pipes',`
 +interface(`files_read_generic_spool',`
  	gen_require(`
 -		type var_run_t;
 +		type var_t, var_spool_t;
  	')
  
--	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
--	dontaudit $1 var_run_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:fifo_file write;
 +	list_dirs_pattern($1, var_t, var_spool_t)
 +	read_files_pattern($1, var_spool_t, var_spool_t)
  ')
  
  ########################################
  ## <summary>
--##	List the contents of the runtime process
--##	ID directories (/var/run).
+-##	Create an object in the process ID directory, with a private type.
 +##	Create, read, write, and delete generic
 +##	spool files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6034,38 +8301,55 @@ interface(`files_dontaudit_search_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_manage_generic_spool',`
- 	gen_require(`
--		type var_t, var_run_t;
++	gen_require(`
 +		type var_t, var_spool_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	manage_files_pattern($1, var_spool_t, var_spool_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read generic process ID files.
++')
++
++########################################
++## <summary>
 +##	Create objects in the spool directory
 +##	with a private type with a type transition.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <param name="file">
 +##	<summary>
 +##	Type to which the created node will be transitioned.
@@ -17071,43 +17054,33 @@ index f962f76..fa12587 100644
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
- #
--interface(`files_read_generic_pids',`
++#
 +interface(`files_spool_filetrans',`
- 	gen_require(`
--		type var_t, var_run_t;
++	gen_require(`
 +		type var_t, var_spool_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
--	read_files_pattern($1, var_run_t, var_run_t)
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	filetrans_pattern($1, var_spool_t, $2, $3, $4)
- ')
- 
- ########################################
- ## <summary>
--##	Write named generic process ID pipes
++')
++
++########################################
++## <summary>
 +##	Allow access to manage all polyinstantiated
 +##	directories on the system.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6073,43 +8357,75 @@ interface(`files_read_generic_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_write_generic_pid_pipes',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_polyinstantiate_all',`
- 	gen_require(`
--		type var_run_t;
++	gen_require(`
 +		attribute polydir, polymember, polyparent;
 +		type poly_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:fifo_file write;
++	')
++
 +	# Need to give access to /selinux/member
 +	selinux_compute_member($1)
 +
@@ -17144,11 +17117,10 @@ index f962f76..fa12587 100644
 +		corecmd_exec_bin($1)
 +		seutil_domtrans_setfiles($1)
 +	')
- ')
- 
- ########################################
- ## <summary>
--##	Create an object in the process ID directory, with a private type.
++')
++
++########################################
++## <summary>
 +##	Unconfined access to files.
 +## </summary>
 +## <param name="domain">
@@ -17197,7 +17169,7 @@ index f962f76..fa12587 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -6117,80 +8433,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8414,157 @@ interface(`files_write_generic_pid_pipes',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17384,7 +17356,7 @@ index f962f76..fa12587 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6198,19 +8591,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8572,17 @@ interface(`files_rw_generic_pids',`
  ##	</summary>
  ## </param>
  #
@@ -17408,7 +17380,7 @@ index f962f76..fa12587 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6218,18 +8609,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8590,17 @@ interface(`files_dontaudit_getattr_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -17431,7 +17403,7 @@ index f962f76..fa12587 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6237,129 +8627,119 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8608,119 @@ interface(`files_dontaudit_write_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -17601,7 +17573,7 @@ index f962f76..fa12587 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6367,18 +8747,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8728,19 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -17626,7 +17598,7 @@ index f962f76..fa12587 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6386,132 +8767,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8748,227 @@ interface(`files_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -17900,7 +17872,7 @@ index f962f76..fa12587 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6519,53 +8995,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8976,17 @@ interface(`files_spool_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -17958,7 +17930,7 @@ index f962f76..fa12587 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6573,10 +9013,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8994,10 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
@@ -23043,7 +23015,7 @@ index e100d88..342fb1e 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..c4d3183 100644
+index 8dbab4c..5deb336 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -23338,20 +23310,7 @@ index 8dbab4c..c4d3183 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -388,8 +480,12 @@ optional_policy(`
- if( ! secure_mode_insmod ) {
- 	allow can_load_kernmodule self:capability sys_module;
- 
-+	files_load_kernel_modules(can_load_kernmodule)
-+
- 	# load_module() calls stop_machine() which
- 	# calls sched_setscheduler()
-+	# gt: there seems to be no trace of the above, at
-+	# least in kernel versions greater than 2.6.37...
- 	allow can_load_kernmodule self:capability sys_nice;
- 	kernel_setsched(can_load_kernmodule)
- }
-@@ -399,14 +495,38 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +491,38 @@ if( ! secure_mode_insmod ) {
  # Rules for unconfined acccess to this module
  #