diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 31b26e1..1159097 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -689,7 +689,7 @@ index 3a45f23..f4754f0 100644
  # fork
  # setexec
 diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..88519a9 100644
+index 28802c5..fdcb9a7 100644
 --- a/policy/flask/access_vectors
 +++ b/policy/flask/access_vectors
 @@ -329,6 +329,7 @@ class process
@@ -710,7 +710,7 @@ index 28802c5..88519a9 100644
 +	undefined
 +	enable
 +	disable
-+    reload
++	reload
  }
  
  #
@@ -9249,7 +9249,7 @@ index cf04cb5..369ddc2 100644
 +	')
 +')
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..d14e35b 100644
+index c2c6e05..058bb58 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9285,7 +9285,7 @@ index c2c6e05..d14e35b 100644
  /etc/.*				gen_context(system_u:object_r:etc_t,s0)
  /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -52,13 +53,16 @@ ifdef(`distro_suse',`
+@@ -52,13 +53,17 @@ ifdef(`distro_suse',`
  /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9304,10 +9304,11 @@ index c2c6e05..d14e35b 100644
 +/etc/sysconfig/ip6?tables.*             --      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/ipvsadm.*                --      gen_context(system_u:object_r:system_conf_t,s0)
 +/etc/sysconfig/system-config-firewall.* --      gen_context(system_u:object_r:system_conf_t,s0)
++/etc/yum\.repos\.d/redhat\.repo         --      gen_context(system_u:object_r:system_conf_t,s0)
  
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
-@@ -70,7 +74,10 @@ ifdef(`distro_suse',`
+@@ -70,7 +75,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
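Review bot: The new `/etc/yum\.repos\.d/redhat\.repo` entry moves package-repository configuration from etc_t into system_conf_t, a type the files.te part of this same patch describes as "created by several domains", so every domain that is granted write access to system_conf_t can now change where packages are fetched from, and the entry carries no rationale. A short comment above it naming the writer that needs this, e.g. `# redhat.repo: system_conf_t because <writer domain> rewrites it; keep in sync with the system_conf filetrans in files.if`, would make the trade-off reviewable. The matching `filetrans_pattern` added later in this commit transitions from etc_t, which agrees with the generic `/etc/.*` rule above labeling `/etc/yum.repos.d` etc_t; should that directory ever receive its own type, the transition silently stops firing while this fc entry still applies on relabel.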
@@ -9319,7 +9320,7 @@ index c2c6e05..d14e35b 100644
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -78,10 +85,6 @@ ifdef(`distro_gentoo', `
+@@ -78,10 +86,6 @@ ifdef(`distro_gentoo', `
  /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
  
@@ -9330,7 +9331,7 @@ index c2c6e05..d14e35b 100644
  ifdef(`distro_suse',`
  /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -104,7 +107,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
+@@ -104,7 +108,7 @@ HOME_ROOT/lost\+found/.*	<<none>>
  /initrd			-d	gen_context(system_u:object_r:root_t,s0)
  
  #
@@ -9339,7 +9340,7 @@ index c2c6e05..d14e35b 100644
  #
  /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
  
-@@ -129,6 +132,8 @@ ifdef(`distro_debian',`
+@@ -129,6 +133,8 @@ ifdef(`distro_debian',`
  /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
  /media/[^/]*/.*			<<none>>
  /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
@@ -9348,7 +9349,7 @@ index c2c6e05..d14e35b 100644
  
  #
  # /misc
-@@ -150,10 +155,10 @@ ifdef(`distro_debian',`
+@@ -150,10 +156,10 @@ ifdef(`distro_debian',`
  #
  # /opt
  #
@@ -9361,7 +9362,7 @@ index c2c6e05..d14e35b 100644
  
  #
  # /proc
-@@ -161,6 +166,12 @@ ifdef(`distro_debian',`
+@@ -161,6 +167,12 @@ ifdef(`distro_debian',`
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -9374,7 +9375,7 @@ index c2c6e05..d14e35b 100644
  #
  # /run
  #
-@@ -169,6 +180,7 @@ ifdef(`distro_debian',`
+@@ -169,6 +181,7 @@ ifdef(`distro_debian',`
  /run/.*\.*pid			<<none>>
  /run/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
  
@@ -9382,7 +9383,7 @@ index c2c6e05..d14e35b 100644
  #
  # /selinux
  #
-@@ -178,13 +190,14 @@ ifdef(`distro_debian',`
+@@ -178,13 +191,14 @@ ifdef(`distro_debian',`
  #
  # /srv
  #
@@ -9399,7 +9400,7 @@ index c2c6e05..d14e35b 100644
  /tmp/.*				<<none>>
  /tmp/\.journal			<<none>>
  
-@@ -194,9 +207,10 @@ ifdef(`distro_debian',`
+@@ -194,9 +208,10 @@ ifdef(`distro_debian',`
  #
  # /usr
  #
@@ -9411,7 +9412,7 @@ index c2c6e05..d14e35b 100644
  
  /usr/doc(/.*)?/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -204,15 +218,9 @@ ifdef(`distro_debian',`
+@@ -204,15 +219,9 @@ ifdef(`distro_debian',`
  
  /usr/inclu.e(/.*)?		gen_context(system_u:object_r:usr_t,s0)
  
@@ -9428,7 +9429,7 @@ index c2c6e05..d14e35b 100644
  
  /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
  
-@@ -220,8 +228,6 @@ ifdef(`distro_debian',`
+@@ -220,8 +229,6 @@ ifdef(`distro_debian',`
  /usr/tmp/.*			<<none>>
  
  ifndef(`distro_redhat',`
@@ -9437,7 +9438,7 @@ index c2c6e05..d14e35b 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -229,7 +235,7 @@ ifndef(`distro_redhat',`
+@@ -229,7 +236,7 @@ ifndef(`distro_redhat',`
  #
  # /var
  #
@@ -9446,7 +9447,7 @@ index c2c6e05..d14e35b 100644
  /var/.*				gen_context(system_u:object_r:var_t,s0)
  /var/\.journal			<<none>>
  
-@@ -237,11 +243,24 @@ ifndef(`distro_redhat',`
+@@ -237,11 +244,24 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -9472,7 +9473,7 @@ index c2c6e05..d14e35b 100644
  
  /var/log/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/log/lost\+found/.*		<<none>>
-@@ -256,12 +275,14 @@ ifndef(`distro_redhat',`
+@@ -256,12 +276,14 @@ ifndef(`distro_redhat',`
  /var/run		-l	gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
@@ -9487,14 +9488,14 @@ index c2c6e05..d14e35b 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -270,3 +291,5 @@ ifndef(`distro_redhat',`
+@@ -270,3 +292,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..4adeb32 100644
+index 64ff4d7..5a0a4ea 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10402,11 +10403,13 @@ index 64ff4d7..4adeb32 100644
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -3208,6 +3701,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,6 +3698,62 @@ interface(`files_delete_isid_type_dirs',`
  
- ########################################
- ## <summary>
-+##	Relabelfrom all file opbjects on new filesystems
+ 	delete_dirs_pattern($1, file_t, file_t)
+ ')
++########################################
++## <summary>
++##	Execute files on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
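Review bot: The block starting at `++########################################` directly follows the `')` that closes files_delete_isid_type_dirs with no separating blank line, unlike every other interface boundary in this file (the blank context line before the next `########` further down in this commit shows the usual layout); insert an empty line before the header so the file stays consistent. The interface this header introduces, `files_exec_isid_files`, begins here and its body continues in the next hunk.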
@@ -10415,25 +10418,18 @@ index 64ff4d7..4adeb32 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabelfrom_isid_type',`
++interface(`files_exec_isid_files',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	dontaudit $1 file_t:dir_file_class_set relabelfrom;
++	can_exec($1, file_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Create, read, write, and delete directories
- ##	on new filesystems that have not yet been labeled.
- ## </summary>
-@@ -3455,6 +3967,25 @@ interface(`files_rw_isid_type_blk_files',`
- 
- ########################################
- ## <summary>
-+##	rw any files inherited from another process
-+##	on new filesystems that have not yet been labeled.
++##	Moundon directories on new filesystems
++##	that have not yet been labeled.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
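Review bot: The summary `##	Moundon directories on new filesystems` is misspelled and should read `##	Mounton directories on new filesystems`; the interface it documents, `files_mounton_isid`, is defined in the next hunk and is also named unlike its siblings, which follow the `files_<perm>_isid_type_<class>` or `files_exec_isid_files` form. The new `can_exec($1, file_t)` in `files_exec_isid_files` deserves a doc line making clear that in reference policy file_t is the label of any file lacking a stored security context, not only files on freshly created filesystems, so callers see that the execute grant is wider than "new filesystems" suggests. The `files_exec_isid_files` body starts in the previous hunk.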
@@ -10441,20 +10437,94 @@ index 64ff4d7..4adeb32 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_inherited_isid_type_files',`
++interface(`files_mounton_isid',`
 +	gen_require(`
 +		type file_t;
 +	')
 +
-+	allow $1 file_t:file rw_inherited_file_perms;
++	allow $1 file_t:dir mounton;
 +')
 +
 +########################################
 +## <summary>
- ##	Create, read, write, and delete block device nodes
++##	Relabelfrom all file opbjects on new filesystems
++##	that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabelfrom_isid_type',`
++	gen_require(`
++		type file_t;
++	')
++
++	dontaudit $1 file_t:dir_file_class_set relabelfrom;
++')
+ 
+ ########################################
+ ## <summary>
+@@ -3455,7 +4004,7 @@ interface(`files_rw_isid_type_blk_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete block device nodes
++##	rw any files inherited from another process
+ ##	on new filesystems that have not yet been labeled.
+ ## </summary>
+ ## <param name="domain">
+@@ -3464,17 +4013,17 @@ interface(`files_rw_isid_type_blk_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_isid_type_blk_files',`
++interface(`files_rw_inherited_isid_type_files',`
+ 	gen_require(`
+ 		type file_t;
+ 	')
+ 
+-	allow $1 file_t:blk_file manage_blk_file_perms;
++	allow $1 file_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete character device nodes
++##	Create, read, write, and delete block device nodes
  ##	on new filesystems that have not yet been labeled.
  ## </summary>
-@@ -3796,20 +4327,38 @@ interface(`files_list_mnt',`
+ ## <param name="domain">
+@@ -3483,7 +4032,26 @@ interface(`files_manage_isid_type_blk_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_isid_type_chr_files',`
++interface(`files_manage_isid_type_blk_files',`
++	gen_require(`
++		type file_t;
++	')
++
++	allow $1 file_t:blk_file manage_blk_file_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete character device nodes
++##	on new filesystems that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_isid_type_chr_files',`
+ 	gen_require(`
+ 		type file_t;
+ 	')
+@@ -3796,20 +4364,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
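Review bot: The relocated summary `##	Relabelfrom all file opbjects on new filesystems` keeps its typo; since the commit re-adds these lines it is the place to write `##	Relabelfrom all file objects on new filesystems`. The same moved block defines `files_relabelfrom_isid_type` with a `dontaudit` rule only, which a caller would not guess from a name that lacks the `dontaudit_` prefix used by every other silencing interface in this file; at minimum the summary should say "Do not audit attempts to relabelfrom" so the name/behaviour mismatch is documented rather than hidden. The hunk's later rename/shuffle of `files_manage_isid_type_blk_files` and `files_manage_isid_type_chr_files` appears to be pure re-alignment of the patch and needs no change.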
@@ -10498,20 +10568,14 @@ index 64ff4d7..4adeb32 100644
  ')
  
  ########################################
-@@ -4199,14 +4748,178 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4785,171 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
--########################################
 +#######################################
- ## <summary>
--##	Allow the specified type to associate
--##	to a filesystem with the type of the
--##	temporary directory (/tmp).
++## <summary>
 +##  Read manageable system configuration files in /etc
- ## </summary>
--## <param name="file_type">
--##	<summary>
++## </summary>
 +## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
@@ -10576,6 +10640,7 @@ index 64ff4d7..4adeb32 100644
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ip6tables-config.old")
++    filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old")
 +')
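Review bot: The added `filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")` is indented with four spaces while every neighbouring line uses a tab, the same whitespace slip this commit fixes for `reload` in access_vectors; use a leading tab so the line reads `	filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo")`. The enclosing interface starts before this hunk.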
@@ -10672,18 +10737,10 @@ index 64ff4d7..4adeb32 100644
 +    filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db")
 +')
 +
-+########################################
-+## <summary>
-+##	Allow the specified type to associate
-+##	to a filesystem with the type of the
-+##	temporary directory (/tmp).
-+## </summary>
-+## <param name="file_type">
-+##	<summary>
- ##	Type of the file to associate.
- ##	</summary>
- ## </param>
-@@ -4221,6 +4934,26 @@ interface(`files_associate_tmp',`
+ ########################################
+ ## <summary>
+ ##	Allow the specified type to associate
+@@ -4221,6 +4972,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -10710,7 +10767,7 @@ index 64ff4d7..4adeb32 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4234,17 +4967,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +5005,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -10749,7 +10806,7 @@ index 64ff4d7..4adeb32 100644
  ##	</summary>
  ## </param>
  #
-@@ -4271,6 +5024,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +5062,7 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -10757,7 +10814,7 @@ index 64ff4d7..4adeb32 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4307,6 +5061,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5099,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -10765,7 +10822,7 @@ index 64ff4d7..4adeb32 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4316,7 +5071,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5109,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10774,7 +10831,7 @@ index 64ff4d7..4adeb32 100644
  ##	</summary>
  ## </param>
  #
-@@ -4328,6 +5083,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,6 +5121,25 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -10800,7 +10857,7 @@ index 64ff4d7..4adeb32 100644
  ########################################
  ## <summary>
  ##	Remove entries from the tmp directory.
-@@ -4343,6 +5117,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4343,6 +5155,7 @@ interface(`files_delete_tmp_dir_entry',`
  		type tmp_t;
  	')
  
@@ -10808,7 +10865,7 @@ index 64ff4d7..4adeb32 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4384,6 +5159,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +5197,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -10841,7 +10898,7 @@ index 64ff4d7..4adeb32 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4438,6 +5239,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,6 +5277,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -10884,7 +10941,7 @@ index 64ff4d7..4adeb32 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4456,6 +5293,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4456,6 +5331,60 @@ interface(`files_setattr_all_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -10945,7 +11002,7 @@ index 64ff4d7..4adeb32 100644
  ##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4501,7 +5392,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4501,7 +5430,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10954,7 +11011,7 @@ index 64ff4d7..4adeb32 100644
  ##	</summary>
  ## </param>
  #
-@@ -4561,7 +5452,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5490,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -10963,18 +11020,22 @@ index 64ff4d7..4adeb32 100644
  ##	</summary>
  ## </param>
  #
-@@ -4593,6 +5484,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,15 +5522,53 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
+-##	Create an object in the tmp directories, with a private
+-##	type using a type transition.
 +##	Do not audit attempts to read or write
 +##	all leaked tmpfiles files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +#
 +interface(`files_dontaudit_tmp_file_leaks',`
 +	gen_require(`
@@ -11005,10 +11066,19 @@ index 64ff4d7..4adeb32 100644
 +
 +########################################
 +## <summary>
- ##	Create an object in the tmp directories, with a private
- ##	type using a type transition.
- ## </summary>
-@@ -4646,6 +5575,16 @@ interface(`files_purge_tmp',`
++##	Create an object in the tmp directories, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
+ ##	<summary>
+ ##	The type of the object to be created.
+ ##	</summary>
+@@ -4646,6 +5613,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11025,17 +11095,14 @@ index 64ff4d7..4adeb32 100644
  ')
  
  ########################################
-@@ -5223,12 +6162,30 @@ interface(`files_list_var',`
+@@ -5223,6 +6200,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
--##	Create, read, write, and delete directories
--##	in the /var directory.
 +##	Do not audit listing of the var directory (/var).
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
@@ -11050,16 +11117,10 @@ index 64ff4d7..4adeb32 100644
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete directories
-+##	in the /var directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-@@ -5578,6 +6535,25 @@ interface(`files_read_var_lib_symlinks',`
+ ##	Create, read, write, and delete directories
+ ##	in the /var directory.
+ ## </summary>
+@@ -5578,6 +6573,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -11085,7 +11146,7 @@ index 64ff4d7..4adeb32 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5623,7 +6599,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6637,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11094,7 +11155,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6607,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6645,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11110,7 +11171,7 @@ index 64ff4d7..4adeb32 100644
  ')
  
  ########################################
-@@ -5654,6 +6631,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6669,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11118,7 +11179,7 @@ index 64ff4d7..4adeb32 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6658,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6696,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11146,7 +11207,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6685,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6723,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11163,7 +11224,7 @@ index 64ff4d7..4adeb32 100644
  ')
  
  ########################################
-@@ -5713,7 +6709,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6747,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11172,7 +11233,7 @@ index 64ff4d7..4adeb32 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +6742,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6780,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11180,7 +11241,7 @@ index 64ff4d7..4adeb32 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5761,7 +6756,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6794,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11189,7 +11250,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +6764,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6802,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11224,7 +11285,7 @@ index 64ff4d7..4adeb32 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +6806,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6844,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11242,7 +11303,7 @@ index 64ff4d7..4adeb32 100644
  ')
  
  ########################################
-@@ -5816,9 +6830,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +6868,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11253,7 +11314,7 @@ index 64ff4d7..4adeb32 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +6872,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +6910,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11263,7 +11324,7 @@ index 64ff4d7..4adeb32 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6894,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +6932,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11273,7 +11334,7 @@ index 64ff4d7..4adeb32 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6931,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +6969,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11283,7 +11344,7 @@ index 64ff4d7..4adeb32 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5961,7 +6970,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7008,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11292,7 +11353,7 @@ index 64ff4d7..4adeb32 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5981,10 +6990,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +7028,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11341,7 +11402,7 @@ index 64ff4d7..4adeb32 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6007,6 +7054,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +7092,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -11367,7 +11428,7 @@ index 64ff4d7..4adeb32 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6021,7 +7087,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7125,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11376,7 +11437,7 @@ index 64ff4d7..4adeb32 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6040,7 +7106,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7144,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11385,7 +11446,7 @@ index 64ff4d7..4adeb32 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6060,7 +7126,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7164,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11394,7 +11455,7 @@ index 64ff4d7..4adeb32 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6122,7 +7188,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7226,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11402,7 +11463,7 @@ index 64ff4d7..4adeb32 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6151,6 +7216,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,6 +7254,24 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
@@ -11427,7 +11488,7 @@ index 64ff4d7..4adeb32 100644
  ##	Read and write generic process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6164,7 +7247,7 @@ interface(`files_rw_generic_pids',`
+@@ -6164,7 +7285,7 @@ interface(`files_rw_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11436,7 +11497,7 @@ index 64ff4d7..4adeb32 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	rw_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6231,55 +7314,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7352,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -11499,7 +11560,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6287,42 +7358,35 @@ interface(`files_delete_all_pids',`
+@@ -6287,42 +7396,35 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -11549,7 +11610,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6330,18 +7394,18 @@ interface(`files_manage_all_pids',`
+@@ -6330,18 +7432,18 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -11573,7 +11634,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6349,37 +7413,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6349,37 +7451,40 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -11625,7 +11686,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6387,18 +7454,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6387,18 +7492,17 @@ interface(`files_dontaudit_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -11648,7 +11709,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6406,18 +7472,18 @@ interface(`files_list_spool',`
+@@ -6406,18 +7510,18 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -11672,7 +11733,7 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6425,19 +7491,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6425,19 +7529,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11697,55 +11758,32 @@ index 64ff4d7..4adeb32 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6445,45 +7510,312 @@ interface(`files_read_generic_spool',`
+@@ -6445,7 +7548,274 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
 -interface(`files_manage_generic_spool',`
 +interface(`files_mounton_all_poly_members',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute polymember;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	manage_files_pattern($1, var_spool_t, var_spool_t)
++	')
++
 +	allow $1 polymember:dir mounton;
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in the spool directory
--##	with a private type with a type transition.
++')
++
++########################################
++## <summary>
 +##	Delete all process IDs.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="file">
--##	<summary>
--##	Type to which the created node will be transitioned.
--##	</summary>
--## </param>
--## <param name="class">
--##	<summary>
--##	Object class(es) (single or set including {}) for which this
--##	the transition will occur.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_spool_filetrans',`
++#
 +interface(`files_delete_all_pids',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
 +	')
@@ -11993,48 +12031,10 @@ index 64ff4d7..4adeb32 100644
 +## </param>
 +#
 +interface(`files_manage_generic_spool',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	allow $1 var_t:dir search_dir_perms;
-+	manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create objects in the spool directory
-+##	with a private type with a type transition.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="file">
-+##	<summary>
-+##	Type to which the created node will be transitioned.
-+##	</summary>
-+## </param>
-+## <param name="class">
-+##	<summary>
-+##	Object class(es) (single or set including {}) for which this
-+##	the transition will occur.
-+##	</summary>
-+## </param>
-+## <param name="name" optional="true">
-+##	<summary>
-+##	The name of the object being created.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_spool_filetrans',`
-+	gen_require(`
-+		type var_t, var_spool_t;
+ 	gen_require(`
+ 		type var_t, var_spool_t;
  	')
- 
- 	allow $1 var_t:dir search_dir_perms;
-@@ -6562,3 +7894,491 @@ interface(`files_unconfined',`
+@@ -6562,3 +7932,491 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -12527,7 +12527,7 @@ index 64ff4d7..4adeb32 100644
 +	allow $1 etc_t:service status;
 +')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 148d87a..15e8466 100644
+index 148d87a..ccbcb66 100644
 --- a/policy/modules/kernel/files.te
 +++ b/policy/modules/kernel/files.te
 @@ -5,12 +5,16 @@ policy_module(files, 1.17.5)
@@ -12576,14 +12576,14 @@ index 148d87a..15e8466 100644
 +# created by several domains.
 +# 
 +type system_conf_t, configfile;
-+files_type(system_conf_t)
++files_ro_base_file(system_conf_t)
 +# compatibility aliases for removed type:
 +typealias system_conf_t alias iptables_conf_t;
 +
 +# system_db_t is a new type of various
 +# db files.
 +type system_db_t;
-+files_type(system_db_t)
++files_ro_base_file(system_db_t)
 +
  #
  # etc_runtime_t is the type of various
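Review bot: Switching system_conf_t and system_db_t from `files_type()` to `files_ro_base_file()` changes which attributes these types carry, yet the interface is not shown here and the comments above still describe system_conf_t as "created by several domains" and system_db_t as "various db files", which reads at odds with a read-only base classification. Add a comment next to each call stating what the extra attribute buys, along the lines of `# ro base file: readable by all base domains; writes still need explicit system_conf/system_db manage access` adjusted to what files_ro_base_file actually grants. If files_ro_base_file does not itself invoke files_type, these two types would lose the file_type attribute that generic file handling relies on; confirm against its definition in files.if before merging.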
@@ -17227,7 +17227,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..70297bc 100644
+index 5da7870..4f46291 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
@@ -17302,7 +17302,7 @@ index 5da7870..70297bc 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +82,106 @@ optional_policy(`
+@@ -23,11 +82,110 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17355,6 +17355,10 @@ index 5da7870..70297bc 100644
 +')
 +
 +optional_policy(`
++	journalctl_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	kerneloops_dbus_chat(staff_t)
 +')
 +
@@ -17410,7 +17414,7 @@ index 5da7870..70297bc 100644
  ')
  
  optional_policy(`
-@@ -35,15 +189,31 @@ optional_policy(`
+@@ -35,15 +193,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17444,7 +17448,7 @@ index 5da7870..70297bc 100644
  ')
  
  optional_policy(`
-@@ -52,10 +222,55 @@ optional_policy(`
+@@ -52,10 +226,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17500,7 +17504,7 @@ index 5da7870..70297bc 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +280,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +284,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17511,7 +17515,7 @@ index 5da7870..70297bc 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +289,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +293,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -17522,7 +17526,7 @@ index 5da7870..70297bc 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +308,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +312,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17533,7 +17537,7 @@ index 5da7870..70297bc 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +328,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +332,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17544,7 +17548,7 @@ index 5da7870..70297bc 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +340,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +344,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17555,7 +17559,7 @@ index 5da7870..70297bc 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +371,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +375,22 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -17607,7 +17611,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..eea8991 100644
+index 88d0028..f520b74 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -17971,7 +17975,15 @@ index 88d0028..eea8991 100644
  ')
  
  optional_policy(`
-@@ -319,12 +417,20 @@ optional_policy(`
+@@ -312,6 +410,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	screen_role_template(sysadm, sysadm_r, sysadm_t)
++    allow sysadm_screen_t self:capability dac_override;
+ ')
+ 
+ optional_policy(`
+@@ -319,12 +418,20 @@ optional_policy(`
  ')
  
  optional_policy(`
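Review bot: The added `allow sysadm_screen_t self:capability dac_override;` is indented with four spaces while the surrounding block uses tabs, and it carries no justification even though dac_override lets the domain ignore every file permission check. A one-line comment naming the denial that motivated it should precede the rule, and the line should be tab-indented like `screen_role_template(...)` above it. If the access is a property of screen rather than of the sysadm role, it probably belongs in the screen module's role template so other screen roles are treated consistently, though the template itself is outside this hunk.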
@@ -17993,7 +18005,7 @@ index 88d0028..eea8991 100644
  ')
  
  optional_policy(`
-@@ -349,7 +455,18 @@ optional_policy(`
+@@ -349,7 +456,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18013,7 +18025,7 @@ index 88d0028..eea8991 100644
  ')
  
  optional_policy(`
-@@ -360,19 +477,15 @@ optional_policy(`
+@@ -360,19 +478,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18035,7 +18047,7 @@ index 88d0028..eea8991 100644
  ')
  
  optional_policy(`
-@@ -384,10 +497,6 @@ optional_policy(`
+@@ -384,10 +498,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18046,7 +18058,7 @@ index 88d0028..eea8991 100644
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
  	usermanage_run_groupadd(sysadm_t, sysadm_r)
  	usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +504,9 @@ optional_policy(`
+@@ -395,6 +505,9 @@ optional_policy(`
  
  optional_policy(`
  	virt_stream_connect(sysadm_t)
@@ -18056,7 +18068,7 @@ index 88d0028..eea8991 100644
  ')
  
  optional_policy(`
-@@ -402,31 +514,34 @@ optional_policy(`
+@@ -402,31 +515,34 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18097,7 +18109,7 @@ index 88d0028..eea8991 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,10 +554,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +555,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -18108,7 +18120,7 @@ index 88d0028..eea8991 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +574,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +575,75 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19210,7 +19222,7 @@ index 3835596..fbca2be 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index cdfddf4..35179f7 100644
+index cdfddf4..ad1f001 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
 @@ -1,5 +1,12 @@
@@ -19226,7 +19238,7 @@ index cdfddf4..35179f7 100644
  # this module should be named user, but that is
  # a compile error since user is a keyword.
  
-@@ -12,12 +19,96 @@ role user_r;
+@@ -12,12 +19,100 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -19276,6 +19288,10 @@ index cdfddf4..35179f7 100644
 +')
 +
 +optional_policy(`
++	journalctl_role(user_r, user_t)
++')
++
++optional_policy(`
 +	irc_role(user_r, user_t)
 +')
 +
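Review bot: The new `journalctl_role(user_r, user_t)` block is placed before `irc_role(user_r, user_t)`, breaking the alphabetical ordering of the optional_policy blocks in this file; it should follow the irc block. The same role is added for staff_r earlier in this change, where the placement is in order. Whether an unprivileged user in the resulting journalctl domain can read the system-wide journal depends on journalctl.te and on the DAC group on the journal files, neither of which is visible here; that expectation is worth a comment at the call site.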
@@ -19324,7 +19340,7 @@ index cdfddf4..35179f7 100644
  ')
  
  optional_policy(`
-@@ -25,6 +116,18 @@ optional_policy(`
+@@ -25,6 +120,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19343,7 +19359,7 @@ index cdfddf4..35179f7 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -102,10 +205,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +209,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -19354,7 +19370,7 @@ index cdfddf4..35179f7 100644
  		postgresql_role(user_r, user_t)
  	')
  
-@@ -128,7 +227,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +231,6 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		ssh_role_template(user, user_r, user_t)
  	')
@@ -19362,7 +19378,7 @@ index cdfddf4..35179f7 100644
  	optional_policy(`
  		su_role_template(user, user_r, user_t)
  	')
-@@ -161,3 +259,15 @@ ifndef(`distro_redhat',`
+@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -19948,24 +19964,26 @@ index 346d011..3e23acb 100644
 +	')
 +')
 diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
-index 76d9f66..f2672ea 100644
+index 76d9f66..5c271ce 100644
 --- a/policy/modules/services/ssh.fc
 +++ b/policy/modules/services/ssh.fc
-@@ -1,16 +1,39 @@
+@@ -1,16 +1,41 @@
  HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.ansible/cp/.*	-s	gen_context(system_u:object_r:ssh_home_t,s0)
 +HOME_DIR/\.shosts			gen_context(system_u:object_r:ssh_home_t,s0)
  
 -/etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
 -/etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
++/var/lib/[^/]+/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/amanda/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/gitolite/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/gitolite3/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/nocpulse/\.ssh(/.*)?	gen_context(system_u:object_r:ssh_home_t,s0)
-+/var/lib/stickshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/one/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/openshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/openshift/gear/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
 +/var/lib/pgsql/\.ssh(/.*)?		gen_context(system_u:object_r:ssh_home_t,s0)
++/var/lib/stickshift/[^/]+/\.ssh(/.*)?        gen_context(system_u:object_r:ssh_home_t,s0)
 +
 +/etc/rc\.d/init\.d/sshd        --  gen_context(system_u:object_r:sshd_initrc_exec_t,s0)
 +
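Review bot: The new `/var/lib/[^/]+/\.ssh(/.*)?` entry labels the `.ssh` directory of every service state directory under /var/lib as ssh_home_t, so key material for all of those services shares one label with interactive users' SSH files and is reachable by every domain granted ssh_home_t access. With that regex in place the amanda, gitolite, gitolite3, nocpulse, one and pgsql entries below it match the same type and are redundant, so either they should be dropped or, if the broad label is not intended, the generic line should go and the explicit per-service entries stay. The openshift and stickshift patterns are one level deeper and are unaffected.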
@@ -19994,7 +20012,7 @@ index 76d9f66..f2672ea 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..225aaa7 100644
+index fe0c682..c0413e8 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -20542,7 +20560,7 @@ index fe0c682..225aaa7 100644
  ')
  
  ######################################
-@@ -754,3 +873,149 @@ interface(`ssh_delete_tmp',`
+@@ -754,3 +873,150 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -20606,6 +20624,7 @@ index fe0c682..225aaa7 100644
 +
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".ssh")
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
++	files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")
 +')
 +
 +########################################
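Review bot: `files_var_lib_filetrans($1, ssh_home_t, dir, ".ssh")` fires when the parent directory is var_lib_t, which includes /var/lib itself, so a `.ssh` created directly there would get ssh_home_t while the ssh.fc entries in this change only match `.ssh` one level below /var/lib; a relabel would then revert it. If the intent is only service home directories that are themselves labelled var_lib_t, that should be stated in a comment on this line, e.g. `# service homes under /var/lib that carry var_lib_t; /var/lib/.ssh itself is not labelled`. The enclosing interface begins outside this hunk.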
@@ -21485,7 +21504,7 @@ index d1f64a0..9a5dab5 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..7c72b3f 100644
+index 6bf0ecc..5a7e2a4 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -18,100 +18,37 @@
@@ -22449,7 +22468,7 @@ index 6bf0ecc..7c72b3f 100644
  ')
  
  ########################################
-@@ -1284,10 +1659,623 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -23005,6 +23024,7 @@ index 6bf0ecc..7c72b3f 100644
 +	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
 +	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
 +	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
++	userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors.old")
 +	userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
 +	userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
 +	userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
@@ -28023,7 +28043,7 @@ index 24e7804..76da5dd 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..d145ffc 100644
+index dd3be8d..0996734 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -28257,17 +28277,17 @@ index dd3be8d..d145ffc 100644
 +
 +miscfiles_manage_localization(init_t)
 +miscfiles_filetrans_named_content(init_t)
-+
+ 
+-miscfiles_read_localization(init_t)
 +userdom_use_user_ttys(init_t)
 +userdom_manage_tmp_dirs(init_t)
 +userdom_manage_tmp_sockets(init_t)
- 
--miscfiles_read_localization(init_t)
++
 +allow init_t self:process setsched;
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +284,204 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -28443,6 +28463,10 @@ index dd3be8d..d145ffc 100644
 +auth_domtrans_chk_passwd(init_t)
 +
 +optional_policy(`
++	ipsec_read_config(init_t)
++')
++
++optional_policy(`
 +	lvm_rw_pipes(init_t)
 +	lvm_read_config(init_t)
 +')
@@ -28480,7 +28504,7 @@ index dd3be8d..d145ffc 100644
  ')
  
  optional_policy(`
-@@ -216,7 +489,30 @@ optional_policy(`
+@@ -216,7 +493,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28511,7 +28535,7 @@ index dd3be8d..d145ffc 100644
  ')
  
  ########################################
-@@ -225,8 +521,9 @@ optional_policy(`
+@@ -225,8 +525,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28523,7 +28547,7 @@ index dd3be8d..d145ffc 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +554,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28540,7 +28564,7 @@ index dd3be8d..d145ffc 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +579,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -28583,7 +28607,7 @@ index dd3be8d..d145ffc 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +616,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -28595,7 +28619,7 @@ index dd3be8d..d145ffc 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +628,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -28606,7 +28630,7 @@ index dd3be8d..d145ffc 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +639,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -28616,7 +28640,7 @@ index dd3be8d..d145ffc 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +648,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -28624,7 +28648,7 @@ index dd3be8d..d145ffc 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +655,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28632,7 +28656,7 @@ index dd3be8d..d145ffc 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +663,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -28650,7 +28674,7 @@ index dd3be8d..d145ffc 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +681,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -28664,7 +28688,7 @@ index dd3be8d..d145ffc 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +696,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -28678,7 +28702,7 @@ index dd3be8d..d145ffc 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +709,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -28686,7 +28710,7 @@ index dd3be8d..d145ffc 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +721,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -28694,7 +28718,7 @@ index dd3be8d..d145ffc 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +740,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -28718,7 +28742,7 @@ index dd3be8d..d145ffc 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +773,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -28726,7 +28750,7 @@ index dd3be8d..d145ffc 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +807,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -28737,7 +28761,7 @@ index dd3be8d..d145ffc 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +831,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +835,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -28746,7 +28770,7 @@ index dd3be8d..d145ffc 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +846,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +850,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -28754,7 +28778,7 @@ index dd3be8d..d145ffc 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +867,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +871,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -28762,7 +28786,7 @@ index dd3be8d..d145ffc 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +877,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +881,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -28807,7 +28831,7 @@ index dd3be8d..d145ffc 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +922,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +926,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -28839,7 +28863,7 @@ index dd3be8d..d145ffc 100644
  	')
  ')
  
-@@ -576,6 +957,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +961,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -28879,7 +28903,7 @@ index dd3be8d..d145ffc 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1002,8 @@ optional_policy(`
+@@ -588,6 +1006,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -28888,7 +28912,7 @@ index dd3be8d..d145ffc 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1025,7 @@ optional_policy(`
+@@ -609,6 +1029,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -28896,7 +28920,7 @@ index dd3be8d..d145ffc 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1042,17 @@ optional_policy(`
+@@ -625,6 +1046,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28914,7 +28938,7 @@ index dd3be8d..d145ffc 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1069,13 @@ optional_policy(`
+@@ -641,9 +1073,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -28928,7 +28952,7 @@ index dd3be8d..d145ffc 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1088,11 @@ optional_policy(`
+@@ -656,15 +1092,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28946,7 +28970,7 @@ index dd3be8d..d145ffc 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1113,15 @@ optional_policy(`
+@@ -685,6 +1117,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28962,7 +28986,7 @@ index dd3be8d..d145ffc 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1162,7 @@ optional_policy(`
+@@ -725,6 +1166,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -28970,7 +28994,7 @@ index dd3be8d..d145ffc 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1180,13 @@ optional_policy(`
+@@ -742,7 +1184,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28985,7 +29009,7 @@ index dd3be8d..d145ffc 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1209,10 @@ optional_policy(`
+@@ -765,6 +1213,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28996,7 +29020,7 @@ index dd3be8d..d145ffc 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1222,20 @@ optional_policy(`
+@@ -774,10 +1226,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29017,7 +29041,7 @@ index dd3be8d..d145ffc 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1244,10 @@ optional_policy(`
+@@ -786,6 +1248,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29028,7 +29052,7 @@ index dd3be8d..d145ffc 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1269,6 @@ optional_policy(`
+@@ -807,8 +1273,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -29037,7 +29061,7 @@ index dd3be8d..d145ffc 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1277,10 @@ optional_policy(`
+@@ -817,6 +1281,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29048,7 +29072,7 @@ index dd3be8d..d145ffc 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1290,12 @@ optional_policy(`
+@@ -826,10 +1294,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -29061,7 +29085,7 @@ index dd3be8d..d145ffc 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1322,33 @@ optional_policy(`
+@@ -856,12 +1326,33 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29096,7 +29120,7 @@ index dd3be8d..d145ffc 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1358,18 @@ optional_policy(`
+@@ -871,6 +1362,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29115,7 +29139,7 @@ index dd3be8d..d145ffc 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1385,10 @@ optional_policy(`
+@@ -886,6 +1389,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29126,7 +29150,7 @@ index dd3be8d..d145ffc 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1399,218 @@ optional_policy(`
+@@ -896,3 +1403,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -29587,7 +29611,7 @@ index 0d4c8d3..e6ffda3 100644
 +    ps_process_pattern($1, ipsec_mgmt_t)
 +')
 diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..ecc6d2c 100644
+index 9e54bf9..ceb7f99 100644
 --- a/policy/modules/system/ipsec.te
 +++ b/policy/modules/system/ipsec.te
 @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29622,17 +29646,20 @@ index 9e54bf9..ecc6d2c 100644
  
  allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
  
-@@ -88,8 +95,8 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
+@@ -88,8 +95,11 @@ read_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
  read_lnk_files_pattern(ipsec_t, ipsec_conf_file_t, ipsec_conf_file_t)
  
  allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
 -manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
  read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
 +manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
++
++manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)
++logging_log_filetrans(ipsec_t, ipsec_log_t, file, "pluto.log")
  
  manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
  manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-@@ -110,10 +117,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
+@@ -110,10 +120,10 @@ corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
  allow ipsec_mgmt_t ipsec_t:fd use;
  allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
  allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
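Review bot: `manage_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)` grants the IKE daemon unlink and rename on its own log files, which is more than writing pluto.log requires and lets a compromised daemon remove its own trail. If pluto only creates and appends, the narrower pair `create_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)` and `append_files_pattern(ipsec_t, ipsec_log_t, ipsec_log_t)` suffices alongside the `logging_log_filetrans` line; if it reopens the file with truncation, `rw_files_pattern` is the next step up. Rotation is presumably handled by ipsec_mgmt_t or logrotate, which this hunk does not show.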
@@ -29645,7 +29672,7 @@ index 9e54bf9..ecc6d2c 100644
  kernel_list_proc(ipsec_t)
  kernel_read_proc_symlinks(ipsec_t)
  # allow pluto to access /proc/net/ipsec_eroute;
-@@ -128,20 +135,22 @@ corecmd_exec_shell(ipsec_t)
+@@ -128,20 +138,22 @@ corecmd_exec_shell(ipsec_t)
  corecmd_exec_bin(ipsec_t)
  
  # Pluto needs network access
@@ -29675,7 +29702,7 @@ index 9e54bf9..ecc6d2c 100644
  
  dev_read_sysfs(ipsec_t)
  dev_read_rand(ipsec_t)
-@@ -157,24 +166,33 @@ files_dontaudit_search_home(ipsec_t)
+@@ -157,24 +169,33 @@ files_dontaudit_search_home(ipsec_t)
  fs_getattr_all_fs(ipsec_t)
  fs_search_auto_mountpoints(ipsec_t)
  
@@ -29710,7 +29737,7 @@ index 9e54bf9..ecc6d2c 100644
  	seutil_sigchld_newrole(ipsec_t)
  ')
  
-@@ -187,10 +205,10 @@ optional_policy(`
+@@ -187,10 +208,10 @@ optional_policy(`
  # ipsec_mgmt Local policy
  #
  
@@ -29725,7 +29752,7 @@ index 9e54bf9..ecc6d2c 100644
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
  allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -208,12 +226,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+@@ -208,12 +229,14 @@ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
  
  allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
  files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
@@ -29741,7 +29768,7 @@ index 9e54bf9..ecc6d2c 100644
  
  # _realsetup needs to be able to cat /var/run/pluto.pid,
  # run ps on that pid, and delete the file
-@@ -246,6 +266,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -246,6 +269,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
  kernel_getattr_core_if(ipsec_mgmt_t)
  kernel_getattr_message_if(ipsec_mgmt_t)
  
@@ -29758,7 +29785,7 @@ index 9e54bf9..ecc6d2c 100644
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
-@@ -255,6 +285,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
+@@ -255,6 +288,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t)
  corecmd_exec_bin(ipsec_mgmt_t)
  corecmd_exec_shell(ipsec_mgmt_t)
  
@@ -29767,7 +29794,7 @@ index 9e54bf9..ecc6d2c 100644
  dev_read_rand(ipsec_mgmt_t)
  dev_read_urand(ipsec_mgmt_t)
  
-@@ -278,9 +310,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -278,9 +313,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
  fs_list_tmpfs(ipsec_mgmt_t)
  
  term_use_console(ipsec_mgmt_t)
@@ -29779,7 +29806,7 @@ index 9e54bf9..ecc6d2c 100644
  
  init_read_utmp(ipsec_mgmt_t)
  init_use_script_ptys(ipsec_mgmt_t)
-@@ -290,15 +323,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
+@@ -290,15 +326,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
  
  logging_send_syslog_msg(ipsec_mgmt_t)
  
@@ -29803,7 +29830,7 @@ index 9e54bf9..ecc6d2c 100644
  
  optional_policy(`
  	consoletype_exec(ipsec_mgmt_t)
-@@ -322,6 +358,10 @@ optional_policy(`
+@@ -322,6 +361,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29814,7 +29841,7 @@ index 9e54bf9..ecc6d2c 100644
  	modutils_domtrans_insmod(ipsec_mgmt_t)
  ')
  
-@@ -335,7 +375,7 @@ optional_policy(`
+@@ -335,7 +378,7 @@ optional_policy(`
  #
  
  allow racoon_t self:capability { net_admin net_bind_service };
@@ -29823,7 +29850,7 @@ index 9e54bf9..ecc6d2c 100644
  allow racoon_t self:unix_dgram_socket { connect create ioctl write };
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
-@@ -370,13 +410,12 @@ kernel_request_load_module(racoon_t)
+@@ -370,13 +413,12 @@ kernel_request_load_module(racoon_t)
  corecmd_exec_shell(racoon_t)
  corecmd_exec_bin(racoon_t)
  
@@ -29843,7 +29870,7 @@ index 9e54bf9..ecc6d2c 100644
  corenet_udp_bind_isakmp_port(racoon_t)
  corenet_udp_bind_ipsecnat_port(racoon_t)
  
-@@ -401,10 +440,10 @@ locallogin_use_fds(racoon_t)
+@@ -401,10 +443,10 @@ locallogin_use_fds(racoon_t)
  logging_send_syslog_msg(racoon_t)
  logging_send_audit_msgs(racoon_t)
  
@@ -29856,7 +29883,7 @@ index 9e54bf9..ecc6d2c 100644
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -438,9 +477,8 @@ corenet_setcontext_all_spds(setkey_t)
+@@ -438,9 +480,8 @@ corenet_setcontext_all_spds(setkey_t)
  
  locallogin_use_fds(setkey_t)
  
@@ -32086,7 +32113,7 @@ index 58bc27f..51e9872 100644
 +	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..d2df072 100644
+index e8c59a5..b22837c 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -32314,10 +32341,14 @@ index e8c59a5..d2df072 100644
  	bootloader_rw_tmp_files(lvm_t)
  ')
  
-@@ -333,14 +374,26 @@ optional_policy(`
+@@ -333,14 +374,30 @@ optional_policy(`
  ')
  
  optional_policy(`
++	docker_rw_sem(lvm_t)
++')
++
++optional_policy(`
 +	livecd_rw_semaphores(lvm_t)
 +')
 +
@@ -33862,7 +33893,7 @@ index b263a8a..15576ab 100644
 +/usr/sbin/netlabelctl	--	gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
 +/usr/sbin/netlabel-config   --  gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
 diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
-index cbbda4a..1136c7b 100644
+index cbbda4a..e3c34dc 100644
 --- a/policy/modules/system/netlabel.te
 +++ b/policy/modules/system/netlabel.te
 @@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
@@ -33879,17 +33910,18 @@ index cbbda4a..1136c7b 100644
  ########################################
  #
  # NetLabel Management Tools Local policy
-@@ -19,10 +23,20 @@ role system_r types netlabel_mgmt_t;
+@@ -19,10 +23,21 @@ role system_r types netlabel_mgmt_t;
  allow netlabel_mgmt_t self:capability net_admin;
  allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
  
 +can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
 +
  kernel_read_network_state(netlabel_mgmt_t)
- 
++kernel_read_system_state(netlabel_mgmt_t)
++
 +corecmd_exec_bin(netlabel_mgmt_t)
 +corecmd_exec_shell(netlabel_mgmt_t)
-+
+ 
  files_read_etc_files(netlabel_mgmt_t)
  
 +term_use_all_inherited_terms(netlabel_mgmt_t) 
@@ -38627,7 +38659,7 @@ index 0f64692..d7e8a01 100644
  
  ########################################
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..e7663f3 100644
+index a5ec88b..de9d585 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -38786,17 +38818,20 @@ index a5ec88b..e7663f3 100644
  
  seutil_read_config(udev_t)
  seutil_read_default_contexts(udev_t)
-@@ -170,6 +195,9 @@ sysnet_signal_dhcpc(udev_t)
+@@ -168,7 +193,11 @@ sysnet_read_dhcpc_pid(udev_t)
+ sysnet_delete_dhcpc_pid(udev_t)
+ sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
- sysnet_etc_filetrans_config(udev_t)
- 
+-sysnet_etc_filetrans_config(udev_t)
++sysnet_filetrans_named_content(udev_t)
++#sysnet_etc_filetrans_config(udev_t)
++
 +systemd_login_read_pid_files(udev_t)
 +systemd_getattr_unit_files(udev_t)
-+
+ 
  userdom_dontaudit_search_user_home_content(udev_t)
  
- ifdef(`distro_gentoo',`
-@@ -179,16 +207,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +208,9 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
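Review bot: The commented-out `#sysnet_etc_filetrans_config(udev_t)` should be deleted rather than left beside its replacement; the project history already records the old call, and dead policy lines tend to be resurrected without review. The replacement `sysnet_filetrans_named_content(udev_t)` presumably covers the same files udev creates under /etc, but if any name is missing from the named-content interface those files will fall back to etc_t, so that mapping is worth checking against sysnet.if, which is not in this hunk.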
@@ -38815,7 +38850,7 @@ index a5ec88b..e7663f3 100644
  
  	# for arping used for static IP addresses on PCMCIA ethernet
  	netutils_domtrans(udev_t)
-@@ -226,19 +247,34 @@ optional_policy(`
+@@ -226,19 +248,34 @@ optional_policy(`
  
  optional_policy(`
  	cups_domtrans_config(udev_t)
@@ -38850,7 +38885,7 @@ index a5ec88b..e7663f3 100644
  ')
  
  optional_policy(`
-@@ -264,6 +300,10 @@ optional_policy(`
+@@ -264,6 +301,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38861,7 +38896,7 @@ index a5ec88b..e7663f3 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -278,6 +318,15 @@ optional_policy(`
+@@ -278,6 +319,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38877,7 +38912,7 @@ index a5ec88b..e7663f3 100644
  	unconfined_signal(udev_t)
  ')
  
-@@ -290,6 +339,7 @@ optional_policy(`
+@@ -290,6 +340,7 @@ optional_policy(`
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
  	xen_read_image_files(udev_t)
@@ -39709,7 +39744,7 @@ index db75976..65191bd 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..5b93224 100644
+index 3c5dba7..2890de8 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -42377,7 +42412,7 @@ index 3c5dba7..5b93224 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3285,36 +4035,37 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
@@ -42395,8 +42430,8 @@ index 3c5dba7..5b93224 100644
  ########################################
  ## <summary>
 -##	Read the process state of all user domains.
-+##	Do not audit attempts to read/write users
-+##	temporary fifo files.
++##	Do not audit attempts to delete users
++##	temporary files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -42406,7 +42441,7 @@ index 3c5dba7..5b93224 100644
  ## </param>
  #
 -interface(`userdom_read_all_users_state',`
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
++interface(`userdom_dontaudit_delete_user_tmp_files',`
  	gen_require(`
 -		attribute userdomain;
 +		type user_tmp_t;
@@ -42414,39 +42449,57 @@ index 3c5dba7..5b93224 100644
  
 -	read_files_pattern($1, userdomain, userdomain)
 -	kernel_search_proc($1)
-+	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++	dontaudit $1 user_tmp_t:file delete_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Get the attributes of all user domains.
-+##	Allow domain to read/write inherited users
-+##	fifo files.
++##	Do not audit attempts to read/write users
++##	temporary fifo files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3322,21 +4073,77 @@ interface(`userdom_read_all_users_state',`
+-##	Domain allowed access.
++##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_getattr_all_users',`
-+interface(`userdom_rw_inherited_user_pipes',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
  	gen_require(`
- 		attribute userdomain;
- 	')
- 
--	allow $1 userdomain:process getattr;
+-		attribute userdomain;
++		type user_tmp_t;
++	')
++
++	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow domain to read/write inherited users
++##	fifo files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_rw_inherited_user_pipes',`
++	gen_require(`
++		attribute userdomain;
++	')
++
 +	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Inherit the file descriptors from all user domains
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to use user ttys.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
 +##	</summary>
 +## </param>
@@ -42492,22 +42545,10 @@ index 3c5dba7..5b93224 100644
 +interface(`userdom_getattr_all_users',`
 +	gen_require(`
 +		attribute userdomain;
-+	')
-+
-+	allow $1 userdomain:process getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Inherit the file descriptors from all user domains
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
-@@ -3385,6 +4192,42 @@ interface(`userdom_signal_all_users',`
+ 	')
+ 
+ 	allow $1 userdomain:process getattr;
+@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -42550,7 +42591,7 @@ index 3c5dba7..5b93224 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4248,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -42575,7 +42616,7 @@ index 3c5dba7..5b93224 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4299,1630 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4318,1630 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -42777,7 +42818,7 @@ index 3c5dba7..5b93224 100644
 +	')
 +
 +	allow $1 unpriv_userdomain:sem rw_sem_perms;
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -42796,7 +42837,7 @@ index 3c5dba7..5b93224 100644
 +	')
 +
 +	allow $1 unpriv_userdomain:unix_dgram_socket sendto;
- ')
++')
 +
 +######################################
 +## <summary>
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 2e9e563..3f17d3b 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -520,7 +520,7 @@ index 058d908..702b716 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index cc43d25..097a770 100644
+index cc43d25..924daba 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -1,4 +1,4 @@
@@ -685,7 +685,7 @@ index cc43d25..097a770 100644
  
 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
 -dontaudit abrt_t self:capability sys_rawio;
-+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
++allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
 +dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
  allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
 +
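Review bot: `ipc_lock` is added to abrt_t's capability set on the `allow abrt_t self:capability { ... }` line with no comment saying which abrt component needs to lock memory; for a daemon that parses untrusted crash dumps, a generic capability grant should carry its rationale (`# ipc_lock: <component> mlock()s its buffers`, filled in from the AVC that motivated it). The same pair of lines also lists `sys_ptrace` both in the allow rule and in the following `dontaudit abrt_t self:capability { sys_rawio sys_ptrace }`; a permission that is allowed is never denied, so that dontaudit entry is dead and one of the two should go, most likely the dontaudit if sys_ptrace is really required. The abrt_t rule block continues outside this hunk.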
@@ -4707,7 +4707,7 @@ index 83e899c..fac6fe5 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index 1a82e29..d0d7c0b 100644
+index 1a82e29..bfe87eb 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -1,297 +1,367 @@
@@ -6417,7 +6417,7 @@ index 1a82e29..d0d7c0b 100644
  	mysql_read_config(httpd_suexec_t)
  
  	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1333,104 @@ optional_policy(`
+@@ -1077,172 +1333,106 @@ optional_policy(`
  	')
  ')
  
@@ -6437,13 +6437,13 @@ index 1a82e29..d0d7c0b 100644
  
 -allow httpd_script_domains self:fifo_file rw_file_perms;
 -allow httpd_script_domains self:unix_stream_socket connectto;
-+allow httpd_sys_script_t self:process getsched;
- 
+-
 -allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
 -
 -append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
 -read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
++allow httpd_sys_script_t self:process getsched;
+ 
 -kernel_dontaudit_search_sysctl(httpd_script_domains)
 -kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
 -
@@ -6451,29 +6451,30 @@ index 1a82e29..d0d7c0b 100644
 -corenet_all_recvfrom_netlabel(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_if(httpd_script_domains)
 -corenet_tcp_sendrecv_generic_node(httpd_script_domains)
--
--corecmd_exec_all_executables(httpd_script_domains)
 +allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
 +allow httpd_sys_script_t httpd_t:tcp_socket { read write };
  
+-corecmd_exec_all_executables(httpd_script_domains)
++dontaudit httpd_sys_script_t httpd_config_t:dir search;
+ 
 -dev_read_rand(httpd_script_domains)
 -dev_read_urand(httpd_script_domains)
-+dontaudit httpd_sys_script_t httpd_config_t:dir search;
++allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
  
 -files_exec_etc_files(httpd_script_domains)
 -files_read_etc_files(httpd_script_domains)
 -files_search_home(httpd_script_domains)
-+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
- 
--libs_exec_ld_so(httpd_script_domains)
--libs_exec_lib_files(httpd_script_domains)
 +allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 +read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
 +read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
  
--logging_search_logs(httpd_script_domains)
+-libs_exec_ld_so(httpd_script_domains)
+-libs_exec_lib_files(httpd_script_domains)
 +kernel_read_kernel_sysctls(httpd_sys_script_t)
  
+-logging_search_logs(httpd_script_domains)
++dev_list_sysfs(httpd_sys_script_t)
+ 
 -miscfiles_read_fonts(httpd_script_domains)
 -miscfiles_read_public_files(httpd_script_domains)
 +files_read_var_symlinks(httpd_sys_script_t)
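Review bot: `dev_list_sysfs(httpd_sys_script_t)` is a new unconditional grant for the CGI script domain and carries no comment on which script needs to enumerate /sys; like the neighbouring `kernel_read_kernel_sysctls(httpd_sys_script_t)` it widens what a compromised CGI can learn about the host, so a one-line rationale (`# <script> enumerates /sys/class/... ; see the AVC in <bug>`) or gating it behind an existing httpd tunable would make the intent reviewable. Only directory listing is granted, not reading sysfs attribute files, so the exposure is limited to names. The httpd_sys_script_t rule block continues outside this hunk.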
@@ -6653,7 +6654,7 @@ index 1a82e29..d0d7c0b 100644
  ')
  
  tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1438,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
  ')
  
  tunable_policy(`httpd_use_cifs',`
@@ -6750,7 +6751,7 @@ index 1a82e29..d0d7c0b 100644
  
  ########################################
  #
-@@ -1315,8 +1513,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
  #
  
  optional_policy(`
@@ -6767,7 +6768,7 @@ index 1a82e29..d0d7c0b 100644
  ')
  
  ########################################
-@@ -1324,49 +1529,38 @@ optional_policy(`
+@@ -1324,49 +1531,38 @@ optional_policy(`
  # User content local policy
  #
  
@@ -6832,7 +6833,7 @@ index 1a82e29..d0d7c0b 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1570,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t)
  
  domain_use_interactive_fds(httpd_passwd_t)
  
@@ -21394,15 +21395,19 @@ index 41c3f67..653a1ec 100644
  ## <summary>
  ##	Execute dmidecode in the dmidecode
 diff --git a/dmidecode.te b/dmidecode.te
-index c947c2c..441d3f4 100644
+index c947c2c..8d4d843 100644
 --- a/dmidecode.te
 +++ b/dmidecode.te
-@@ -29,4 +29,4 @@ files_list_usr(dmidecode_t)
+@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t)
  
  locallogin_use_fds(dmidecode_t)
  
 -userdom_use_user_terminals(dmidecode_t)
 +userdom_use_inherited_user_terminals(dmidecode_t)
++
++optional_policy(`
++    rhsmcertd_rw_inherited_lock_files(dmidecode_t)
++')
 diff --git a/dnsmasq.fc b/dnsmasq.fc
 index 23ab808..4a801b5 100644
 --- a/dnsmasq.fc
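Review bot: The new `rhsmcertd_rw_inherited_lock_files(dmidecode_t)` is indented with four spaces while every other `optional_policy` body in this patch uses a tab (compare the docker and dspam hunks in this same diff), so the line should be a tab-indented `rhsmcertd_rw_inherited_lock_files(dmidecode_t)`. Semantically the rule looks like it papers over a file descriptor that rhsmcertd leaks into the dmidecode it spawns; granting dmidecode read/write on the inherited lock file keeps it from failing, but the cleaner fix is for rhsmcertd to open the lock with O_CLOEXEC, and the policy line deserves a comment saying so (`# rhsmcertd leaks its lock fd into dmidecode; drop once fixed upstream`) — hedged, since the caller is not visible here.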
@@ -22127,10 +22132,10 @@ index 0000000..097c75c
 +')
 diff --git a/docker.te b/docker.te
 new file mode 100644
-index 0000000..939365d
+index 0000000..1229d66
 --- /dev/null
 +++ b/docker.te
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,133 @@
 +policy_module(docker, 1.0.0)
 +
 +########################################
@@ -22212,6 +22217,7 @@ index 0000000..939365d
 +mount_domtrans(docker_t)
 +
 +sysnet_dns_name_resolve(docker_t)
++sysnet_exec_ifconfig(docker_t)
 +
 +optional_policy(`
 +	fstools_domtrans(docker_t)
@@ -22226,7 +22232,7 @@ index 0000000..939365d
 +#
 +
 +allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
-+allow docker_t self:process setsched;
++allow docker_t self:process { setsched signal_perms };
 +allow docker_t self:netlink_route_socket nlmsg_write;
 +allow docker_t self:unix_dgram_socket create_socket_perms;
 +
@@ -22236,6 +22242,8 @@ index 0000000..939365d
 +
 +dev_getattr_all_blk_files(docker_t)
 +dev_read_urand(docker_t)
++dev_read_lvm_control(docker_t)
++dev_read_sysfs(docker_t)
 +
 +files_manage_isid_type_dirs(docker_t)
 +files_manage_isid_type_files(docker_t)
@@ -22255,12 +22263,12 @@ index 0000000..939365d
 +term_use_ptmx(docker_t)
 +term_getattr_pty_fs(docker_t)
 +
-+dev_read_lvm_control(docker_t)
++modutils_domtrans_insmod(docker_t)
 +
-+gen_require(`
-+type lvm_t;
++optional_policy(`
++	virt_read_config(docker_t)
++	virt_exec(docker_t)
 +')
-+docker_rw_sem(lvm_t)
 diff --git a/dovecot.fc b/dovecot.fc
 index c880070..4448055 100644
 --- a/dovecot.fc
@@ -23429,7 +23437,7 @@ index 18f2452..a446210 100644
 +
  ')
 diff --git a/dspam.te b/dspam.te
-index 266cb8f..c736297 100644
+index 266cb8f..b619351 100644
 --- a/dspam.te
 +++ b/dspam.te
 @@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@@ -23442,17 +23450,20 @@ index 266cb8f..c736297 100644
  allow dspam_t self:fifo_file rw_fifo_file_perms;
  allow dspam_t self:unix_stream_socket { accept listen };
  
-@@ -58,20 +61,42 @@ corenet_tcp_bind_spamd_port(dspam_t)
+@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
+ corenet_tcp_bind_spamd_port(dspam_t)
  corenet_tcp_connect_spamd_port(dspam_t)
  corenet_tcp_sendrecv_spamd_port(dspam_t)
- 
++corenet_tcp_bind_lmtp_port(dspam_t)
++corenet_tcp_connect_lmtp_port(dspam_t)
++
 +kernel_read_system_state(dspam_t)
 +
 +corecmd_exec_shell(dspam_t)
-+
+ 
  files_search_spool(dspam_t)
  
- auth_use_nsswitch(dspam_t)
+@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
  
  logging_send_syslog_msg(dspam_t)
  
@@ -23489,7 +23500,7 @@ index 266cb8f..c736297 100644
  ')
  
  optional_policy(`
-@@ -87,3 +112,12 @@ optional_policy(`
+@@ -87,3 +114,12 @@ optional_policy(`
  
  	postgresql_tcp_connect(dspam_t)
  ')
@@ -32392,6 +32403,145 @@ index d59ec10..dec1b3b 100644
  	modutils_read_module_config(jockey_t)
 +	modutils_list_module_config(jockey_t)
  ')
+diff --git a/journalctl.fc b/journalctl.fc
+new file mode 100644
+index 0000000..f270652
+--- /dev/null
++++ b/journalctl.fc
+@@ -0,0 +1 @@
++/usr/bin/journalctl		--	gen_context(system_u:object_r:journalctl_exec_t,s0)
+diff --git a/journalctl.if b/journalctl.if
+new file mode 100644
+index 0000000..9d32f23
+--- /dev/null
++++ b/journalctl.if
+@@ -0,0 +1,76 @@
++
++## <summary>policy for journalctl</summary>
++
++########################################
++## <summary>
++##	Execute TEMPLATE in the journalctl domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`journalctl_domtrans',`
++	gen_require(`
++		type journalctl_t, journalctl_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, journalctl_exec_t, journalctl_t)
++')
++
++########################################
++## <summary>
++##	Execute journalctl in the journalctl domain, and
++##	allow the specified role the journalctl domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the journalctl domain.
++##	</summary>
++## </param>
++#
++interface(`journalctl_run',`
++	gen_require(`
++		type journalctl_t;
++		attribute_role journalctl_roles;
++	')
++
++	journalctl_domtrans($1)
++	roleattribute $2 journalctl_roles;
++')
++
++########################################
++## <summary>
++##	Role access for journalctl
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`journalctl_role',`
++	gen_require(`
++		type journalctl_t;
++		attribute_role journalctl_roles;
++	')
++
++	roleattribute $1 journalctl_roles;
++
++	journalctl_domtrans($2)
++
++	ps_process_pattern($2, journalctl_t)
++	allow $2 journalctl_t:process { signull signal sigkill };
++')
+diff --git a/journalctl.te b/journalctl.te
+new file mode 100644
+index 0000000..5de3229
+--- /dev/null
++++ b/journalctl.te
+@@ -0,0 +1,44 @@
++policy_module(journalctl, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute_role journalctl_roles;
++roleattribute system_r journalctl_roles;
++
++type journalctl_t;
++type journalctl_exec_t;
++application_domain(journalctl_t, journalctl_exec_t)
++
++role journalctl_roles types journalctl_t;
++
++########################################
++#
++# journalctl local policy
++#
++allow journalctl_t self:process { fork signal_perms };
++
++allow journalctl_t self:fifo_file manage_fifo_file_perms;
++allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_system_state(journalctl_t)
++
++corecmd_exec_bin(journalctl_t)
++
++domain_use_interactive_fds(journalctl_t)
++
++files_read_etc_files(journalctl_t)
++
++fs_getattr_all_fs(journalctl_t)
++
++userdom_list_user_home_dirs(journalctl_t)
++userdom_read_user_home_content_files(journalctl_t)
++userdom_use_inherited_user_ptys(journalctl_t)
++userdom_write_inherited_user_tmp_files(journalctl_t)
++userdom_rw_inherited_user_tmpfs_files(journalctl_t)
++userdom_rw_inherited_user_home_content_files(journalctl_t)
++
++miscfiles_read_localization(journalctl_t)
++logging_read_generic_logs(journalctl_t)
 diff --git a/kde.fc b/kde.fc
 new file mode 100644
 index 0000000..25e4b68
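Review bot: `journalctl.if` ships the unfilled template text `Execute TEMPLATE in the journalctl domin.` as the summary of `journalctl_domtrans`; it should read `Execute journalctl in the journalctl domain.` before this lands, since this text is what the generated interface documentation shows. In `journalctl.te` the new domain gets read access to all user home content plus read/write on inherited home files (`userdom_read_user_home_content_files`, `userdom_rw_inherited_user_home_content_files`) with no comment on which journalctl feature needs it — presumably opening a user-supplied journal path, but that should be stated, and if only the inherited case is needed the blanket read could go. Nothing in the .te names the journal's own storage; if /var/log/journal is not generic log content on this distribution, `logging_read_generic_logs(journalctl_t)` alone will not let the domain read the journal, which is worth confirming before the module is enabled.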
@@ -32965,17 +33115,25 @@ index 182ab8b..8b1d9c2 100644
 +')
 +
 diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..1a8d69e 100644
+index e7f5c81..8c75bc8 100644
 --- a/kdumpgui.te
 +++ b/kdumpgui.te
-@@ -1,4 +1,4 @@
+@@ -1,83 +1,92 @@
 -policy_module(kdumpgui, 1.1.4)
 +policy_module(kdumpgui, 1.1.0)
  
  ########################################
  #
-@@ -7,77 +7,73 @@ policy_module(kdumpgui, 1.1.4)
+ # Declarations
+ #
  
++## <desc>
++## <p>
++## Allow s-c-kdump to run bootloader in bootloader_t.
++## </p>
++## </desc>
++gen_tunable(kdumpgui_run_bootloader, false)
++
  type kdumpgui_t;
  type kdumpgui_exec_t;
 -init_system_domain(kdumpgui_t, kdumpgui_exec_t)
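Review bot: The new `gen_tunable(kdumpgui_run_bootloader, false)` defaults to off, and the off branch is the one that runs the bootloader inside kdumpgui_t rather than transitioning to bootloader_t — the less-confined configuration is the default, yet the `<desc>` only says what enabling does. The description should spell out the trade-off so an administrator can decide, e.g. `Allow s-c-kdump to run the bootloader in its own bootloader_t domain instead of inside kdumpgui_t; off by default because <reason>.` with the reason taken from the bug that motivated the tunable. The kdumpgui.te declarations section continues outside this hunk.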
@@ -33054,8 +33212,14 @@ index e7f5c81..1a8d69e 100644
  
  optional_policy(`
 -	consoletype_exec(kdumpgui_t)
-+	bootloader_exec(kdumpgui_t)
-+	bootloader_manage_config(kdumpgui_t)
++    tunable_policy(`kdumpgui_run_bootloader',`
++        bootloader_domtrans(kdumpgui_t)
++        #if s-c-kdump is involved
++        bootloader_manage_config(kdumpgui_t)
++    ',`
++        bootloader_exec(kdumpgui_t)
++        bootloader_manage_config(kdumpgui_t)
++    ')
  ')
  
  optional_policy(`
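Review bot: `bootloader_manage_config(kdumpgui_t)` appears in both arms of the new `tunable_policy(\`kdumpgui_run_bootloader\`, ...)`, so it does not depend on the tunable at all and should be hoisted to sit once above the conditional; only `bootloader_domtrans(kdumpgui_t)` versus `bootloader_exec(kdumpgui_t)` actually differs between the branches. The comment `#if s-c-kdump is involved` does not say what is being conditioned on and could be replaced by `# domtrans when the tunable is on, run in-domain otherwise`, and the whole block uses four-space indentation where the surrounding file uses tabs.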
@@ -33067,7 +33231,7 @@ index e7f5c81..1a8d69e 100644
  ')
  
  optional_policy(`
-@@ -87,4 +83,10 @@ optional_policy(`
+@@ -87,4 +96,10 @@ optional_policy(`
  optional_policy(`
  	kdump_manage_config(kdumpgui_t)
  	kdump_initrc_domtrans(kdumpgui_t)
@@ -43460,7 +43624,7 @@ index ed81cac..566684a 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..79fe381 100644
+index afd2fad..09ebbbe 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -43490,7 +43654,7 @@ index afd2fad..79fe381 100644
  
  type sendmail_exec_t;
  mta_agent_executable(sendmail_exec_t)
-@@ -43,178 +43,78 @@ role system_r types system_mail_t;
+@@ -43,178 +43,79 @@ role system_r types system_mail_t;
  mta_base_mail_template(user)
  typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
  typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
@@ -43624,11 +43788,12 @@ index afd2fad..79fe381 100644
  
 +# newalias required this, not sure if it is needed in 'if' file
  allow system_mail_t self:capability { dac_override fowner };
- 
+-
 -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
 -
 -read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
--
++dontaudit system_mail_t self:capability net_admin;
+ 
  allow system_mail_t mail_home_t:file manage_file_perms;
 -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
 -userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
@@ -43705,7 +43870,7 @@ index afd2fad..79fe381 100644
  ')
  
  optional_policy(`
-@@ -223,18 +123,18 @@ optional_policy(`
+@@ -223,18 +124,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43727,7 +43892,7 @@ index afd2fad..79fe381 100644
  	courier_manage_spool_dirs(system_mail_t)
  	courier_manage_spool_files(system_mail_t)
  	courier_rw_spool_pipes(system_mail_t)
-@@ -245,13 +145,8 @@ optional_policy(`
+@@ -245,13 +146,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43742,7 +43907,7 @@ index afd2fad..79fe381 100644
  	fail2ban_rw_inherited_tmp_files(system_mail_t)
  ')
  
-@@ -264,10 +159,15 @@ optional_policy(`
+@@ -264,10 +160,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43758,7 +43923,7 @@ index afd2fad..79fe381 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -278,6 +178,15 @@ optional_policy(`
+@@ -278,6 +179,15 @@ optional_policy(`
  	manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
  	manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -43774,7 +43939,7 @@ index afd2fad..79fe381 100644
  ')
  
  optional_policy(`
-@@ -293,42 +202,36 @@ optional_policy(`
+@@ -293,42 +203,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43827,7 +43992,7 @@ index afd2fad..79fe381 100644
  
  allow mailserver_delivery mail_spool_t:dir list_dir_perms;
  create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -43876,7 +44041,7 @@ index afd2fad..79fe381 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -387,24 +276,173 @@ optional_policy(`
+@@ -387,24 +277,173 @@ optional_policy(`
  
  ########################################
  #
@@ -45201,7 +45366,7 @@ index 687af38..404ed6d 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/mysql.te b/mysql.te
-index 9f6179e..cc14cbc 100644
+index 9f6179e..4383f87 100644
 --- a/mysql.te
 +++ b/mysql.te
 @@ -1,4 +1,4 @@
@@ -45412,7 +45577,7 @@ index 9f6179e..cc14cbc 100644
  
  kernel_read_system_state(mysqld_safe_t)
  kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +185,26 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
  corecmd_exec_bin(mysqld_safe_t)
  corecmd_exec_shell(mysqld_safe_t)
  
@@ -45427,6 +45592,7 @@ index 9f6179e..cc14cbc 100644
 -files_dontaudit_getattr_all_dirs(mysqld_safe_t)
  files_dontaudit_search_all_mountpoints(mysqld_safe_t)
 +files_dontaudit_getattr_all_dirs(mysqld_safe_t)
++files_dontaudit_write_root_dirs(mysqld_safe_t)
  
 +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
  logging_send_syslog_msg(mysqld_safe_t)
@@ -45445,7 +45611,7 @@ index 9f6179e..cc14cbc 100644
  
  optional_policy(`
  	hostname_exec(mysqld_safe_t)
-@@ -205,7 +212,7 @@ optional_policy(`
+@@ -205,7 +213,7 @@ optional_policy(`
  
  ########################################
  #
@@ -45454,7 +45620,7 @@ index 9f6179e..cc14cbc 100644
  #
  
  allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +221,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
  allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
  allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -45472,7 +45638,7 @@ index 9f6179e..cc14cbc 100644
  
  domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
  
-@@ -226,31 +234,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
  filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
  
@@ -72825,7 +72991,7 @@ index 0000000..0e965c3
 +	rpm_domtrans(rhnsd_t)
 +')
 diff --git a/rhsmcertd.if b/rhsmcertd.if
-index 6dbc905..d803796 100644
+index 6dbc905..78746ef 100644
 --- a/rhsmcertd.if
 +++ b/rhsmcertd.if
 @@ -1,8 +1,8 @@
@@ -72921,26 +73087,47 @@ index 6dbc905..d803796 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -198,13 +194,13 @@ interface(`rhsmcertd_read_pid_files',`
+@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',`
+ 	allow $1 rhsmcertd_var_run_t:file read_file_perms;
+ ')
  
- ####################################
+-####################################
++########################################
  ## <summary>
 -##	Connect to rhsmcertd with a
 -##	unix domain stream socket.
-+##  Connect to rhsmcertd over a unix domain
-+##  stream socket.
++##	Read/wirte inherited lock files.
  ## </summary>
  ## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
+ ##	<summary>
+@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',`
+ ##	</summary>
+ ## </param>
+ #
++interface(`rhsmcertd_rw_inherited_lock_files',`
++	gen_require(`
++		type rhsmcertd_lock_t;
++	')
++
++	files_search_locks($1)
++	allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
++')
++
++####################################
++## <summary>
++##  Connect to rhsmcertd over a unix domain
++##  stream socket.
++## </summary>
++## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
- ## </param>
- #
++## </param>
++#
  interface(`rhsmcertd_stream_connect',`
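Review bot: The summary of the new `rhsmcertd_rw_inherited_lock_files` interface misspells its purpose as `Read/wirte inherited lock files.`; it should say `Read and write inherited rhsmcertd lock files.`. The body also calls `files_search_locks($1)` although the caller only operates on an already-open inherited descriptor, which needs no directory search — the `userdom_rw_inherited_user_pipes` interface in this same diff follows that convention with just the `allow` rule — so the search line can be dropped unless a caller is expected to re-open the lock by path.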
-@@ -239,30 +235,29 @@ interface(`rhsmcertd_dbus_chat',`
+ 	gen_require(`
+ 		type rhsmcertd_t, rhsmcertd_var_run_t;
+@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',`
  
  ######################################
  ## <summary>
@@ -72984,7 +73171,7 @@ index 6dbc905..d803796 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -270,35 +265,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
+@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
  ##	</summary>
  ## </param>
  ## <param name="role">
@@ -73016,24 +73203,24 @@ index 6dbc905..d803796 100644
 +	tunable_policy(`deny_ptrace',`',`
 +		allow $1 rhsmcertd_t:process ptrace;
 +	')
-+
+ 
+-	logging_search_logs($1)
+-	admin_pattern($1, rhsmcertd_log_t)
 +    rhsmcertd_initrc_domtrans($1)
 +    domain_system_change_exemption($1)
 +    role_transition $2 rhsmcertd_initrc_exec_t system_r;
 +    allow $2 system_r;
  
--	logging_search_logs($1)
--	admin_pattern($1, rhsmcertd_log_t)
-+    logging_search_logs($1)
-+    admin_pattern($1, rhsmcertd_log_t)
- 
 -	files_search_var_lib($1)
 -	admin_pattern($1, rhsmcertd_var_lib_t)
-+    files_search_var_lib($1)
-+    admin_pattern($1, rhsmcertd_var_lib_t)
++    logging_search_logs($1)
++    admin_pattern($1, rhsmcertd_log_t)
  
 -	files_search_pids($1)
 -	admin_pattern($1, rhsmcertd_var_run_t)
++    files_search_var_lib($1)
++    admin_pattern($1, rhsmcertd_var_lib_t)
++
 +    files_search_pids($1)
 +    admin_pattern($1, rhsmcertd_var_run_t)
 +
@@ -73044,10 +73231,10 @@ index 6dbc905..d803796 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..6508b1e 100644
+index 1cedd70..0369e30 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
-@@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t)
+@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
  #
  
  allow rhsmcertd_t self:capability sys_nice;
@@ -73057,7 +73244,15 @@ index 1cedd70..6508b1e 100644
  allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
  allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+ manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
++manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
+ 
+ manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
+ files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
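Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on rhsmcertd_log_t with `manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)` adds write, rename and unlink, so a compromised rhsmcertd can now truncate or delete its own logs; the append-only pattern being removed is exactly the log-integrity property the original rules enforced. If an AVC showed a real need it was most likely `write` from a logger that reopens the file, and `rw_files_pattern` alongside the existing create/setattr lines would cover that without granting deletion; at minimum the widening deserves a comment naming the denial it fixes.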
+@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  kernel_read_network_state(rhsmcertd_t)
  kernel_read_system_state(rhsmcertd_t)
  
@@ -73075,6 +73270,7 @@ index 1cedd70..6508b1e 100644
 -files_read_etc_files(rhsmcertd_t)
 -files_read_usr_files(rhsmcertd_t)
 +files_manage_generic_locks(rhsmcertd_t)
++files_manage_system_conf_files(rhsmcertd_t)
 +
 +auth_read_passwd(rhsmcertd_t)
  
@@ -73084,7 +73280,8 @@ index 1cedd70..6508b1e 100644
 +
 +logging_send_syslog_msg(rhsmcertd_t)
 +
-+miscfiles_read_certs(rhsmcertd_t)
++miscfiles_manage_cert_files(rhsmcertd_t)
++miscfiles_manage_cert_dirs(rhsmcertd_t)
  
  sysnet_dns_name_resolve(rhsmcertd_t)
  
@@ -80756,6 +80953,21 @@ index a63b875..1c9e41b 100644
  ')
  
  optional_policy(`
+diff --git a/sblim.fc b/sblim.fc
+index 68a550d..e976fc6 100644
+--- a/sblim.fc
++++ b/sblim.fc
+@@ -1,6 +1,10 @@
+ /etc/rc\.d/init\.d/gatherer	--	gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/sblim-sfcbd     --      gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
+ 
+ /usr/sbin/gatherd	--	gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
+ /usr/sbin/reposd	--	gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
++/usr/sbin/sfcbd         --      gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0)
++
++/var/lib/sfcb(/.*)?             gen_context(system_u:object_r:sblim_var_lib_t,s0)
+ 
+ /var/run/gather(/.*)?	gen_context(system_u:object_r:sblim_var_run_t,s0)
 diff --git a/sblim.if b/sblim.if
 index 98c9e0a..df51942 100644
 --- a/sblim.if
@@ -80858,10 +81070,10 @@ index 98c9e0a..df51942 100644
  	files_search_pids($1)
  	admin_pattern($1, sblim_var_run_t)
 diff --git a/sblim.te b/sblim.te
-index 4a23d84..d90604c 100644
+index 4a23d84..fcd1610 100644
 --- a/sblim.te
 +++ b/sblim.te
-@@ -7,13 +7,9 @@ policy_module(sblim, 1.0.3)
+@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
  
  attribute sblim_domain;
  
@@ -80874,12 +81086,38 @@ index 4a23d84..d90604c 100644
 -type sblim_reposd_exec_t;
 -init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
 +sblim_domain_template(reposd)
++
++sblim_domain_template(sfcbd)
  
  type sblim_initrc_exec_t;
  init_script_file(sblim_initrc_exec_t)
-@@ -33,10 +29,7 @@ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+@@ -21,6 +19,12 @@ init_script_file(sblim_initrc_exec_t)
+ type sblim_var_run_t;
+ files_pid_file(sblim_var_run_t)
+ 
++type sblim_var_lib_t;
++files_type(sblim_var_lib_t)
++
++type sblim_tmp_t;
++files_tmp_file(sblim_tmp_t)
++
+ ######################################
+ #
+ # Common sblim domain local policy
+@@ -32,11 +36,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  
++manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
++manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
++manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
++files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
++manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
++manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
++files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
++
  kernel_read_network_state(sblim_domain)
 -kernel_read_system_state(sblim_domain)
  
@@ -80888,7 +81126,7 @@ index 4a23d84..d90604c 100644
  corenet_tcp_sendrecv_generic_if(sblim_domain)
  corenet_tcp_sendrecv_generic_node(sblim_domain)
  
-@@ -44,19 +37,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
+@@ -44,19 +55,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
  
  dev_read_sysfs(sblim_domain)
  
@@ -80911,7 +81149,7 @@ index 4a23d84..d90604c 100644
  allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
  allow sblim_gatherd_t self:unix_stream_socket { accept listen };
  
-@@ -84,6 +73,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
+@@ -84,6 +91,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
  
  init_read_utmp(sblim_gatherd_t)
  
@@ -80920,7 +81158,7 @@ index 4a23d84..d90604c 100644
  sysnet_dns_name_resolve(sblim_gatherd_t)
  
  term_getattr_pty_fs(sblim_gatherd_t)
-@@ -103,8 +94,9 @@ optional_policy(`
+@@ -103,8 +112,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -80931,7 +81169,7 @@ index 4a23d84..d90604c 100644
  ')
  
  optional_policy(`
-@@ -117,6 +109,10 @@ optional_policy(`
+@@ -117,6 +127,25 @@ optional_policy(`
  # Reposd local policy
  #
  
@@ -80943,6 +81181,21 @@ index 4a23d84..d90604c 100644
 +
 +logging_send_syslog_msg(sblim_reposd_t)
 +
++#######################################
++#
++# Sfcbd local policy
++#
++
++allow sblim_sfcbd_t self:capability { sys_ptrace setgid };
++allow sblim_sfcbd_t self:process signal;
++
++auth_use_nsswitch(sblim_sfcbd_t)
++
++corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
++
++domain_read_all_domains_state(sblim_sfcbd_t)
++domain_use_interactive_fds(sblim_sfcbd_t)
++
 diff --git a/screen.fc b/screen.fc
 index ac04d27..b73334e 100644
 --- a/screen.fc
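Review bot: `sys_ptrace` in the new `allow sblim_sfcbd_t self:capability { sys_ptrace setgid };` is broader than anything else in the Sfcbd block suggests the daemon needs; together with `domain_read_all_domains_state(sblim_sfcbd_t)` it lets the CIM server read process state of every domain on the system. If the denial behind it came only from the daemon reading other processes' /proc entries, `dontaudit sblim_sfcbd_t self:capability sys_ptrace;` is the usual first step, and the allow should remain only if sfcbd genuinely attaches to processes, in which case a comment naming the provider that needs it would help the next reviewer. The entrypoint and file-context handling for the new domain presumably come from `sblim_domain_template(sfcbd)` and `sblim.fc`, neither of which is visible in this hunk.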
@@ -89522,10 +89775,10 @@ index 0000000..c1fd8b4
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..1a7c61d
+index 0000000..b57cc3c
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,148 @@
+@@ -0,0 +1,149 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -89625,7 +89878,8 @@ index 0000000..1a7c61d
 +userdom_read_user_tmp_files(thumb_t)
 +userdom_read_user_home_content_files(thumb_t)
 +userdom_exec_user_home_content_files(thumb_t)
-+userdom_write_user_tmp_files(thumb_t)
++userdom_dontaudit_write_user_tmp_files(thumb_t)
++userdom_dontaudit_delete_user_tmp_files(thumb_t)
 +userdom_read_home_audio_files(thumb_t)
 +userdom_home_reader(thumb_t)
 +
@@ -94024,7 +94278,7 @@ index 9dec06c..73549fd 100644
 +	virt_stream_connect($1)
  ')
 diff --git a/virt.te b/virt.te
-index 1f22fba..d798c85 100644
+index 1f22fba..62390bf 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,147 +1,167 @@
@@ -95921,7 +96175,7 @@ index 1f22fba..d798c85 100644
 +#
 +
 +optional_policy(`
-+    type virt_qemu_ga_unconfined_t, virt_domain;
++    type virt_qemu_ga_unconfined_t;
 +    domain_type(virt_qemu_ga_unconfined_t)
 +
 +    domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
@@ -96446,13 +96700,40 @@ index 9329eae..824e86f 100644
 -optional_policy(`
 -	seutil_use_newrole_fds(vpnc_t)
 -')
+diff --git a/watchdog.fc b/watchdog.fc
+index eecd0e0..50248a7 100644
+--- a/watchdog.fc
++++ b/watchdog.fc
+@@ -2,6 +2,8 @@
+ 
+ /usr/sbin/watchdog	--	gen_context(system_u:object_r:watchdog_exec_t,s0)
+ 
++/var/cache/watchdog(/.*)?   gen_context(system_u:object_r:watchdog_cache_t,s0)
++
+ /var/log/watchdog.*	gen_context(system_u:object_r:watchdog_log_t,s0)
+ 
+ /var/run/watchdog\.pid	--	gen_context(system_u:object_r:watchdog_var_run_t,s0)
 diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..9e403ee 100644
+index 29f79e8..1d43690 100644
 --- a/watchdog.te
 +++ b/watchdog.te
-@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms;
+@@ -12,6 +12,9 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
+ type watchdog_initrc_exec_t;
+ init_script_file(watchdog_initrc_exec_t)
+ 
++type watchdog_cache_t;
++files_type(watchdog_cache_t)
++
+ type watchdog_log_t;
+ logging_log_file(watchdog_log_t)
+ 
+@@ -29,8 +32,12 @@ allow watchdog_t self:process { setsched signal_perms };
+ allow watchdog_t self:fifo_file rw_fifo_file_perms;
  allow watchdog_t self:tcp_socket { accept listen };
  
++manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
++manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
++
  allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 -logging_log_filetrans(watchdog_t, watchdog_log_t, file)
 +manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
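Review bot: The watchdog.te part of this hunk grants `watchdog_t` manage rights on `watchdog_cache_t` but adds no file transition for `/var/cache/watchdog`, so a cache directory or file the daemon creates itself keeps the parent's type (presumably `var_t`) instead of `watchdog_cache_t`, and the new rules then do not cover it; the `.fc` entry only takes effect on relabel. Unless the directory is always created by the package, adding `files_var_filetrans(watchdog_t, watchdog_cache_t, dir, "watchdog")` after the two manage patterns would keep the label consistent at runtime. The inner watchdog.te hunk (`@@ -29,8 +32,12 @@`) continues past the end of this outer hunk.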
@@ -96460,7 +96741,7 @@ index 29f79e8..9e403ee 100644
  
  manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
  files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
-@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t)
+@@ -63,7 +70,6 @@ domain_signull_all_domains(watchdog_t)
  domain_signal_all_domains(watchdog_t)
  domain_kill_all_domains(watchdog_t)
  
@@ -96468,7 +96749,7 @@ index 29f79e8..9e403ee 100644
  files_manage_etc_runtime_files(watchdog_t)
  files_etc_filetrans_etc_runtime(watchdog_t, file)
  
-@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t)
+@@ -75,8 +81,6 @@ auth_append_login_records(watchdog_t)
  
  logging_send_syslog_msg(watchdog_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a296062..e9cb68e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 96%{?dist}
+Release: 97%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -573,6 +573,44 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Nov 6 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-97
+- Add label only for redhat.repo instead of /etc/yum.repos.d. But probably we will need to switch for the directory.
+- Label /etc/yum.repos.d as system_conf_t
+- Use sysnet_filetrans_named_content in udev.te instead of generic transition for net_conf_t
+- Allow dac_override for sysadm_screen_t
+- Allow init_t to read ipsec_conf_t as we had it for initrc_t. Needed by ipsec unit file.
+- Allow netlabel-config to read meminfo
+- Add interface to allow docker to mounton file_t
+- Add new interface to exec unlabeled files
+- Allow lvm to use docker semaphores
+- Setup transitons for .xsessions-errors.old
+- Change labels of files in /var/lib/*/.ssh to transition properly
+- Allow staff_t and user_t to look at logs using journalctl
+- pluto wants to manage own log file
+- Allow pluto running as ipsec_t to create pluto.log
+- Fix alias decl in corenetwork.te.in
+- Add support for fuse.glusterfs
+- Allow dmidecode to read/write /run/lock/subsys/rhsmcertd
+- Allow rhsmcertd to manage redhat.repo which is now labeled as system.conf. Allow rhsmcertd to manage all log files.
+- Additional access for docker
+- Added more rules to sblim policy
+- Fix kdumpgui_run_bootloader boolean
+- Allow dspam to connect to lmtp port
+- Included sfcbd service into sblim policy
+- rhsmcertd wants to manaage /etc/pki/consumer dir
+- Add kdumpgui_run_bootloader boolean
+- Add support for /var/cache/watchdog
+- Remove virt_domain attribute for virt_qemu_ga_unconfined_t
+- Fixes for handling libvirt containes
+- Dontaudit attempts by mysql_safe to write content into /
+- Dontaudit attempts by system_mail to modify network config
+- Allow dspam to bind to lmtp ports
+- Add new policy to allow staff_t and user_t to look at logs using journalctl
+- Allow apache cgi scripts to list sysfs
+- Dontaudit attempts to write/delete user_tmp_t files
+- Allow all antivirus domains to manage also own log dirs
+- Allow pegasus_openlmi_services_t to stream connect to sssd_t
+
 * Fri Nov 1 2013 Miroslav Grepl <mgrepl@redhat.com> 3.12.1-96
 - Add missing permission checks for nscd