-##
@@ -12785,105 +12963,6 @@ index 64ff4d7..90999af 100644
##
-##
+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
- ##
--## The type of the object to be created.
-+## Domain to not audit.
- ##
- ##
--##
-+#
-+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
- ##
--## The object class of the object being created.
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Read generic spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+interface(`files_manage_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
@@ -12899,12 +12978,15 @@ index 64ff4d7..90999af 100644
+## with a private type with a type transition.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Type to which the created node will be transitioned.
+##
+##
@@ -13099,7 +13181,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',`
##
##
#
@@ -13125,7 +13207,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',`
+@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -13149,7 +13231,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -13172,7 +13254,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -13230,7 +13312,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',`
+@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',`
##
##
#
@@ -13315,7 +13397,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',`
+@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -13364,7 +13446,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6368,186 +8007,169 @@ interface(`files_search_spool',`
+@@ -6368,186 +8025,169 @@ interface(`files_search_spool',`
##
##
#
@@ -13631,7 +13713,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',`
+@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -15150,18 +15232,20 @@ index 8416beb..60b2ce1 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..97dbeb4 100644
+index 9e603f5..2b79004 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
-@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+@@ -32,7 +32,9 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
-@@ -53,6 +54,7 @@ type anon_inodefs_t;
+@@ -53,6 +55,7 @@ type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
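Review bot: The new `fs_use_xattr ocfs2` entry makes the kernel trust the `security.selinux` xattr stored on the volume, and on a shared-disk cluster filesystem that xattr is writable by every node that mounts the volume, so a compromised or differently-configured peer can relabel files that this host then honours. That is still the correct labeling behaviour for an xattr-capable filesystem, but it is worth a comment beside the entry, e.g. `# ocfs2: labels live on the shared volume and are only as trustworthy as the other cluster nodes`. Whether the deployed ocfs2 actually persists security xattrs is not visible here; if it does not, files on it will surface with the unlabeled type instead of fs_t, which should be confirmed before relying on this line.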
@@ -15169,7 +15253,7 @@ index 9e603f5..97dbeb4 100644
type bdev_t;
fs_type(bdev_t)
-@@ -68,7 +70,7 @@ fs_type(capifs_t)
+@@ -68,7 +71,7 @@ fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
@@ -15178,7 +15262,7 @@ index 9e603f5..97dbeb4 100644
fs_type(cgroup_t)
files_type(cgroup_t)
files_mountpoint(cgroup_t)
-@@ -89,6 +91,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -89,6 +92,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -15190,7 +15274,7 @@ index 9e603f5..97dbeb4 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -97,6 +104,7 @@ type hugetlbfs_t;
+@@ -97,6 +105,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -15198,7 +15282,7 @@ index 9e603f5..97dbeb4 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -125,6 +133,10 @@ type oprofilefs_t;
+@@ -125,6 +134,10 @@ type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
@@ -15209,7 +15293,7 @@ index 9e603f5..97dbeb4 100644
type ramfs_t;
fs_type(ramfs_t)
files_mountpoint(ramfs_t)
-@@ -145,11 +157,6 @@ fs_type(spufs_t)
+@@ -145,11 +158,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -15221,7 +15305,7 @@ index 9e603f5..97dbeb4 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -167,6 +174,8 @@ type vxfs_t;
+@@ -167,6 +175,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -15230,7 +15314,7 @@ index 9e603f5..97dbeb4 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +185,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +186,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -15239,7 +15323,7 @@ index 9e603f5..97dbeb4 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +266,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +267,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -15248,7 +15332,7 @@ index 9e603f5..97dbeb4 100644
files_mountpoint(removable_t)
#
-@@ -274,6 +287,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +288,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -15265,7 +15349,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..31a14c8 100644
+index 649e458..cc924ae 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -15277,7 +15361,32 @@ index 649e458..31a14c8 100644
')
########################################
-@@ -804,6 +804,24 @@ interface(`kernel_unmount_proc',`
+@@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',`
+
+ ########################################
+ ##
++## Mount the proc filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kernel_mount_proc',`
++ gen_require(`
++ type proc_t;
++ ')
++
++ allow $1 proc_t:filesystem mount;
++')
++
++########################################
++##
+ ## Unmount the proc filesystem.
+ ##
+ ##
+@@ -804,6 +822,24 @@ interface(`kernel_unmount_proc',`
########################################
##
@@ -15302,7 +15411,7 @@ index 649e458..31a14c8 100644
## Get the attributes of the proc filesystem.
##
##
-@@ -991,13 +1009,10 @@ interface(`kernel_read_proc_symlinks',`
+@@ -991,13 +1027,10 @@ interface(`kernel_read_proc_symlinks',`
#
interface(`kernel_read_system_state',`
gen_require(`
@@ -15318,7 +15427,7 @@ index 649e458..31a14c8 100644
')
########################################
-@@ -1477,6 +1492,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',`
########################################
##
@@ -15343,7 +15452,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts by caller to search
## the base directory of sysctls.
##
-@@ -2085,7 +2118,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',`
')
dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -15352,7 +15461,7 @@ index 649e458..31a14c8 100644
')
########################################
-@@ -2282,6 +2315,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',`
########################################
##
@@ -15378,7 +15487,7 @@ index 649e458..31a14c8 100644
## Read the process state (/proc/pid) of all unlabeled_t.
##
##
-@@ -2306,7 +2358,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',`
##
##
##
@@ -15387,7 +15496,7 @@ index 649e458..31a14c8 100644
##
##
#
-@@ -2488,6 +2540,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
########################################
##
@@ -15412,7 +15521,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
##
-@@ -2525,6 +2595,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
########################################
##
@@ -15437,7 +15546,7 @@ index 649e458..31a14c8 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2632,7 +2720,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
@@ -15446,7 +15555,7 @@ index 649e458..31a14c8 100644
')
########################################
-@@ -2670,6 +2758,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
@@ -15471,7 +15580,7 @@ index 649e458..31a14c8 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2697,6 +2803,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -15497,7 +15606,7 @@ index 649e458..31a14c8 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2806,6 +2931,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -15531,7 +15640,7 @@ index 649e458..31a14c8 100644
########################################
##
-@@ -2961,6 +3113,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -15556,7 +15665,7 @@ index 649e458..31a14c8 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2975,5 +3145,299 @@ interface(`kernel_unconfined',`
+@@ -2975,5 +3163,299 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -17136,7 +17245,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..8b0e5e6 100644
+index 771bce1..55ebf4b 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -17198,7 +17307,50 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -481,6 +504,24 @@ interface(`term_list_ptys',`
+@@ -384,6 +407,42 @@ interface(`term_getattr_pty_fs',`
+
+ ########################################
+ ##
++## Mount a pty filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_mount_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem mount;
++')
++
++########################################
++##
++## Unmount a pty filesystem
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`term_unmount_pty_fs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:filesystem unmount;
++')
++
++########################################
++##
+ ## Relabel from and to pty filesystem.
+ ##
+ ##
+@@ -481,6 +540,24 @@ interface(`term_list_ptys',`
########################################
##
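Review bot: The summaries of the two new interfaces, `## Mount a pty filesystem` and `## Unmount a pty filesystem`, drop the trailing period and article used by their siblings (`## Relabel from and to pty filesystem.` immediately below, `## Unmount the proc filesystem.` in kernel.if); write them as `## Mount the pty filesystem (devpts).` and `## Unmount the pty filesystem (devpts).`. The description should also say that `filesystem mount` on devpts_t presumably lets the caller mount a fresh devpts instance over any directory it may `mounton`, so it belongs only to domains that set up terminals (init, container or session managers); which callers receive it is not visible in this hunk.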
@@ -17223,7 +17375,7 @@ index 771bce1..8b0e5e6 100644
## Do not audit attempts to read the
## /dev/pts directory.
##
-@@ -620,7 +661,7 @@ interface(`term_use_generic_ptys',`
+@@ -620,7 +697,7 @@ interface(`term_use_generic_ptys',`
########################################
##
@@ -17232,7 +17384,7 @@ index 771bce1..8b0e5e6 100644
## write the generic pty type. This is
## generally only used in the targeted policy.
##
-@@ -635,6 +676,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -635,6 +712,7 @@ interface(`term_dontaudit_use_generic_ptys',`
type devpts_t;
')
@@ -17240,7 +17392,7 @@ index 771bce1..8b0e5e6 100644
dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
')
-@@ -879,6 +921,26 @@ interface(`term_use_all_ptys',`
+@@ -879,6 +957,26 @@ interface(`term_use_all_ptys',`
########################################
##
@@ -17267,7 +17419,7 @@ index 771bce1..8b0e5e6 100644
## Do not audit attempts to read or write any ptys.
##
##
-@@ -892,7 +954,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -892,7 +990,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -17276,7 +17428,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -912,7 +974,7 @@ interface(`term_relabel_all_ptys',`
+@@ -912,7 +1010,7 @@ interface(`term_relabel_all_ptys',`
')
dev_list_all_dev_nodes($1)
@@ -17285,7 +17437,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -940,7 +1002,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -940,7 +1038,7 @@ interface(`term_getattr_all_user_ptys',`
##
##
##
@@ -17294,7 +17446,7 @@ index 771bce1..8b0e5e6 100644
##
##
#
-@@ -1259,7 +1321,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1259,7 +1357,47 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -17343,7 +17495,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1275,11 +1377,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1275,11 +1413,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -17357,7 +17509,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1296,10 +1400,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1296,10 +1436,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -17370,7 +17522,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1377,7 +1483,27 @@ interface(`term_use_all_ttys',`
+@@ -1377,7 +1519,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -17399,7 +17551,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1396,7 +1522,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1396,7 +1558,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -17408,7 +17560,7 @@ index 771bce1..8b0e5e6 100644
')
########################################
-@@ -1504,7 +1630,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1504,7 +1666,7 @@ interface(`term_use_all_user_ttys',`
##
##
##
@@ -17417,7 +17569,7 @@ index 771bce1..8b0e5e6 100644
##
##
#
-@@ -1512,3 +1638,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1512,3 +1674,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -18965,10 +19117,10 @@ index 0000000..0e8654b
+/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
new file mode 100644
-index 0000000..bac0dc0
+index 0000000..cf6582f
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,595 @@
+@@ -0,0 +1,613 @@
+## Unconfiend user role
+
+########################################
@@ -19396,6 +19548,24 @@ index 0000000..bac0dc0
+
+########################################
+##
++## Write keys for the unconfined domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_write_keys',`
++ gen_require(`
++ type unconfined_t;
++ ')
++
++ allow $1 unconfined_t:key write;
++')
++
++########################################
++##
+## Send messages to the unconfined domain over dbus.
+##
+##
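Review bot: `allow $1 unconfined_t:key write;` lets the caller add to, or update the payload of, any keyring owned by the unconfined user domain, which makes whatever the caller stores there visible to every unconfined process, so the description should say more than "Write keys for the unconfined domain". Suggest `## Write (add or update) keys in keyrings owned by the unconfined user domain. Grant only to domains that legitimately provision user keys, such as login or key-management helpers.`. Whether a caller also needs `search` to locate the keyring by name depends on how it reaches the keyring and cannot be judged from this hunk.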
@@ -22053,7 +22223,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..d4ed029 100644
+index 6bf0ecc..ad955d5 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -22301,32 +22471,11 @@ index 6bf0ecc..d4ed029 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,34 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,13 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".DCOP")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-c")
-+ userdom_user_home_dir_filetrans($2, iceauth_home_t, file, ".ICEauthority-n")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-l")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
-+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:0")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:1")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:2")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:3")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:4")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:5")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:6")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:7")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:8")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:9")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old")
-+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
++ xserver_filetrans_home_content($2)
+
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
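Review bot: Replacing the inline `userdom_user_home_dir_filetrans` list with `xserver_filetrans_home_content($2)` is not behaviour-preserving: as far as the helper's body is visible in a later hunk of this file it also transitions `.Xauth`, `.fonts.conf`, `.fonts.d`, `.fonts` and `.fontconfig` to the user font types, none of which the removed lines granted to the user X domain. That is probably intended, but it widens what a user domain may create in a home directory under a private type and should be called out in the commit description or with a comment above the call, e.g. `# also covers user font dirs; see xserver_filetrans_home_content`. The template body continues outside this hunk on both sides.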
@@ -22338,7 +22487,7 @@ index 6bf0ecc..d4ed029 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +534,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +513,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -22368,7 +22517,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -517,6 +585,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +564,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -22376,7 +22525,7 @@ index 6bf0ecc..d4ed029 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +616,42 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +595,42 @@ interface(`xserver_domtrans_xauth',`
domtrans_pattern($1, xauth_exec_t, xauth_t)
')
@@ -22419,7 +22568,7 @@ index 6bf0ecc..d4ed029 100644
########################################
##
## Create a Xauthority file in the user home directory.
-@@ -598,6 +703,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +682,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -22427,7 +22576,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -615,7 +721,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +700,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -22436,7 +22585,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -638,6 +744,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +723,25 @@ interface(`xserver_rw_console',`
########################################
##
@@ -22462,7 +22611,7 @@ index 6bf0ecc..d4ed029 100644
## Use file descriptors for xdm.
##
##
-@@ -651,7 +776,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +755,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -22471,7 +22620,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -670,7 +795,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +774,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -22480,7 +22629,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -688,7 +813,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +792,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -22489,7 +22638,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -703,12 +828,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +807,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -22503,7 +22652,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -765,11 +889,71 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +868,71 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -22577,7 +22726,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -793,6 +977,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +956,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -22603,7 +22752,7 @@ index 6bf0ecc..d4ed029 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -806,7 +1009,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +988,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -22630,7 +22779,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -846,7 +1067,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1046,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -22658,7 +22807,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -869,6 +1109,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1088,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -22683,7 +22832,7 @@ index 6bf0ecc..d4ed029 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -938,7 +1196,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1175,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -22711,7 +22860,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -957,7 +1234,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1213,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -22720,7 +22869,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1004,6 +1281,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1260,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -22766,7 +22915,7 @@ index 6bf0ecc..d4ed029 100644
## Read xdm temporary files.
##
##
-@@ -1017,7 +1333,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1312,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -22775,7 +22924,7 @@ index 6bf0ecc..d4ed029 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,6 +1395,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1374,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -22818,7 +22967,7 @@ index 6bf0ecc..d4ed029 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1093,7 +1445,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1424,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -22827,7 +22976,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1111,8 +1463,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1442,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -22839,7 +22988,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1226,6 +1580,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1559,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -22866,7 +23015,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1251,7 +1625,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1604,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -22875,7 +23024,7 @@ index 6bf0ecc..d4ed029 100644
##
##
##
-@@ -1261,13 +1635,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1614,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -22900,7 +23049,7 @@ index 6bf0ecc..d4ed029 100644
')
########################################
-@@ -1284,10 +1668,577 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1647,604 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -23393,14 +23542,28 @@ index 6bf0ecc..d4ed029 100644
+ ')
+
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
-+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
-+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n")
++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, ".fonts.conf")
+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
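Review bot: The `.xsession-errors-:0` through `.xsession-errors-:9` entries only cover single-digit displays; named type transitions take literal names, not patterns, so a session on display :10 or above creates `.xsession-errors-:10` with the home directory's default type rather than xdm_home_t. The ten near-identical lines read as an enumeration of an open set, so the limit should be stated, e.g. `# filetrans names are literal: displays >= :10 are not relabeled here and need a file context entry instead`. The exact fallback type comes from the userdom interfaces rather than this hunk, so treat that part of the comment as to be confirmed.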
@@ -23429,6 +23592,18 @@ index 6bf0ecc..d4ed029 100644
+
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".dmrc")
+ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:0")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:1")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:2")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:3")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:4")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:5")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:6")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:7")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:8")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-:9")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped")
++ userdom_admin_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".DCOP")
+ userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority")
+ userdom_admin_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
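Review bot: The admin-home variant gains the `.xsession-errors-:N` entries but not the `.ICEauthority-c` and `.ICEauthority-n` transitions that the user-home variant adds in the previous hunk, so in root's home those ICE temp files keep the default home type while `.ICEauthority` itself becomes iceauth_home_t. Add after the `.DCOP` line `userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-c")` and `userdom_admin_home_dir_filetrans($1, iceauth_home_t, file, ".ICEauthority-n")`. Whether the enclosing interface lists them elsewhere is not visible beyond these context lines.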
@@ -23440,6 +23615,7 @@ index 6bf0ecc..d4ed029 100644
+ userdom_admin_home_dir_filetrans($1, user_fonts_config_t, dir, ".fonts.d")
+ userdom_admin_home_dir_filetrans($1, user_fonts_t, dir, ".fonts")
+ userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++
+ optional_policy(`
+ gnome_cache_filetrans($1, xdm_home_t, dir, "xdm")
+ ')
@@ -23481,7 +23657,7 @@ index 6bf0ecc..d4ed029 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..8ac9130 100644
+index 2696452..0881350 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -24046,7 +24222,7 @@ index 2696452..8ac9130 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +620,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +620,41 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -24087,10 +24263,11 @@ index 2696452..8ac9130 100644
-sysnet_read_config(xdm_t)
+systemd_write_inhibit_pipes(xdm_t)
++systemd_dbus_chat_localed(xdm_t)
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +662,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -24140,7 +24317,7 @@ index 2696452..8ac9130 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +712,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -24167,7 +24344,7 @@ index 2696452..8ac9130 100644
')
optional_policy(`
-@@ -514,12 +739,72 @@ optional_policy(`
+@@ -514,12 +740,72 @@ optional_policy(`
')
optional_policy(`
@@ -24240,7 +24417,7 @@ index 2696452..8ac9130 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +822,78 @@ optional_policy(`
+@@ -537,28 +823,78 @@ optional_policy(`
')
optional_policy(`
@@ -24328,7 +24505,7 @@ index 2696452..8ac9130 100644
')
optional_policy(`
-@@ -570,6 +905,14 @@ optional_policy(`
+@@ -570,6 +906,14 @@ optional_policy(`
')
optional_policy(`
@@ -24343,7 +24520,7 @@ index 2696452..8ac9130 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +938,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24356,7 +24533,7 @@ index 2696452..8ac9130 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +955,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -24372,7 +24549,7 @@ index 2696452..8ac9130 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +970,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +971,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -24383,7 +24560,7 @@ index 2696452..8ac9130 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +985,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +986,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24405,7 +24582,7 @@ index 2696452..8ac9130 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1005,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1006,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -24419,7 +24596,7 @@ index 2696452..8ac9130 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1031,27 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1032,27 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -24450,7 +24627,7 @@ index 2696452..8ac9130 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1062,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1063,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -24468,7 +24645,7 @@ index 2696452..8ac9130 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1085,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1086,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -24492,7 +24669,7 @@ index 2696452..8ac9130 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1104,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1105,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -24501,7 +24678,7 @@ index 2696452..8ac9130 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1148,44 @@ optional_policy(`
+@@ -775,16 +1149,44 @@ optional_policy(`
')
optional_policy(`
@@ -24547,7 +24724,7 @@ index 2696452..8ac9130 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1194,10 @@ optional_policy(`
+@@ -793,6 +1195,10 @@ optional_policy(`
')
optional_policy(`
@@ -24558,7 +24735,7 @@ index 2696452..8ac9130 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1213,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1214,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -24572,7 +24749,7 @@ index 2696452..8ac9130 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1224,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1225,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -24581,7 +24758,7 @@ index 2696452..8ac9130 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1237,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1238,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24616,7 +24793,7 @@ index 2696452..8ac9130 100644
')
optional_policy(`
-@@ -902,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1303,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24625,7 +24802,7 @@ index 2696452..8ac9130 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1356,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1357,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -24657,7 +24834,7 @@ index 2696452..8ac9130 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1402,40 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1403,40 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -26275,7 +26452,7 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..4ea7640 100644
+index 6c4b6ee..f512b72 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
@@ -26304,7 +26481,15 @@ index 6c4b6ee..4ea7640 100644
# log files
allow fsadm_t fsadm_log_t:dir setattr;
-@@ -101,6 +110,8 @@ files_read_usr_files(fsadm_t)
+@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+ # Enable swapping to files
+ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+
++kernel_get_sysvipc_info(fsadm_t)
+ kernel_read_system_state(fsadm_t)
+ kernel_read_kernel_sysctls(fsadm_t)
+ kernel_request_load_module(fsadm_t)
+@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
@@ -26313,7 +26498,7 @@ index 6c4b6ee..4ea7640 100644
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -26323,7 +26508,7 @@ index 6c4b6ee..4ea7640 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
-@@ -133,21 +147,26 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -26341,6 +26526,7 @@ index 6c4b6ee..4ea7640 100644
+init_stream_connect(fsadm_t)
logging_send_syslog_msg(fsadm_t)
++logging_send_audit_msgs(fsadm_t)
+logging_stream_connect_syslog(fsadm_t)
-miscfiles_read_localization(fsadm_t)
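Review bot: `logging_send_audit_msgs(fsadm_t)` on line 1164 is added with no comment saying which filesystem tool emits audit records; if the interface follows its reference-policy definition it also grants the `audit_write` capability and netlink audit socket access, so it is a wider change than the adjacent syslog rules suggest. A one-line why-comment, e.g. `# <tool> writes audit records on fs operations — TODO name the tool`, would keep the grant reviewable later.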
@@ -26352,7 +26538,7 @@ index 6c4b6ee..4ea7640 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +185,11 @@ optional_policy(`
+@@ -166,6 +187,11 @@ optional_policy(`
')
optional_policy(`
@@ -26364,7 +26550,7 @@ index 6c4b6ee..4ea7640 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -179,6 +203,10 @@ optional_policy(`
+@@ -179,6 +205,10 @@ optional_policy(`
')
optional_policy(`
@@ -26375,7 +26561,7 @@ index 6c4b6ee..4ea7640 100644
nis_use_ypbind(fsadm_t)
')
-@@ -192,6 +220,10 @@ optional_policy(`
+@@ -192,6 +222,10 @@ optional_policy(`
')
optional_policy(`
@@ -26716,7 +26902,7 @@ index 9a4d3a7..9d960bb 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..f03be17 100644
+index 24e7804..1894886 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -27601,7 +27787,7 @@ index 24e7804..f03be17 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2284,283 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2284,284 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -27828,6 +28014,7 @@ index 24e7804..f03be17 100644
+ ')
+
+ allow $1 init_t:system status;
++ allow $1 init_t:service status;
+')
+
+########################################
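Review bot: The new `allow $1 init_t:service status;` on line 1210 uses the userspace `service` object class, and the interface's `gen_require` block starts outside this hunk, so it is not visible whether the class is declared there. For consistency with how the localed interface on this page declares `class dbus send_msg;` (line 1863), the block should carry `class service status;` alongside `type init_t;`; that also documents that the interface now depends on a userspace class rather than only on kernel classes.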
@@ -27886,7 +28073,7 @@ index 24e7804..f03be17 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..8913598 100644
+index dd3be8d..61531ce 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -28152,10 +28339,9 @@ index dd3be8d..8913598 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
+')
@@ -28287,10 +28473,11 @@ index dd3be8d..8913598 100644
')
optional_policy(`
+- auth_rw_login_records(init_t)
+ consolekit_manage_log(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -28948,7 +29135,7 @@ index dd3be8d..8913598 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1353,185 @@ optional_policy(`
+@@ -896,3 +1353,191 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28999,6 +29186,8 @@ index dd3be8d..8913598 100644
+allow initrc_t daemon:process siginh;
+allow daemon initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+allow daemon initrc_transition_domain:fd use;
++allow daemon init_var_run_t:dir search_dir_perms;
++allow systemprocess init_var_run_t:dir search_dir_perms;
+
+allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+allow init_t daemon:unix_dgram_socket create_socket_perms;
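Review bot: Lines 1263–1264 grant `search_dir_perms` on init_var_run_t to every domain carrying the `daemon` and `systemprocess` attributes, with no comment saying why; because the rules are attribute-wide, every future daemon inherits the grant automatically. The access is search-only and looks low-risk, but a why-comment such as `# daemons and system processes traverse /run/systemd (init_var_run_t) — presumably for notify sockets; confirm` would record the intent. The same applies to `rgmanager_search_lib(initrc_domain)` at lines 1272–1274, which hands a search grant to the whole initrc_domain attribute without a stated reason.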
@@ -29128,14 +29317,18 @@ index dd3be8d..8913598 100644
+allow initrc_domain systemprocess_entry:file { getattr open read execute };
+allow initrc_domain systemprocess:process transition;
+
++optional_policy(`
++ rgmanager_search_lib(initrc_domain)
++')
++
+ifdef(`direct_sysadm_daemon',`
-+ allow daemon direct_run_init:fd use;
-+ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
-+ allow daemon direct_run_init:process sigchld;
-+ allow direct_run_init direct_init_entry:file { getattr open read execute };
++ allow daemon direct_run_init:fd use;
++ allow daemon direct_run_init:fifo_file rw_inherited_fifo_file_perms;
++ allow daemon direct_run_init:process sigchld;
++ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..a452892 100644
+index 662e79b..626a689 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -1,6 +1,8 @@
@@ -29160,7 +29353,7 @@ index 662e79b..a452892 100644
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-+/usr/libexec/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
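Review bot: Line 1297 changes the strongswan entry from one regular file labelled ipsec_mgmt_exec_t to `/usr/libexec/strongswan/.*` labelled ipsec_exec_t, so every regular file under that directory becomes an entry point into the ipsec_t daemon domain instead of the management domain. If the directory also holds helper scripts that should keep running as ipsec_mgmt_t, they now transition into ipsec_t on execution; the hunk does not say which binaries live there, so confirm against the installed package. A comment on the line naming the program that motivates the ipsec_exec_t label (e.g. the IKE daemon) would help the next reviewer.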
@@ -29170,7 +29363,7 @@ index 662e79b..a452892 100644
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
-index 0d4c8d3..ac0a652 100644
+index 0d4c8d3..3375525 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -120,7 +120,6 @@ interface(`ipsec_exec_mgmt',`
@@ -29197,7 +29390,68 @@ index 0d4c8d3..ac0a652 100644
interface(`ipsec_kill_mgmt',`
gen_require(`
type ipsec_mgmt_t;
-@@ -225,6 +222,7 @@ interface(`ipsec_match_default_spd',`
+@@ -167,6 +164,60 @@ interface(`ipsec_kill_mgmt',`
+ allow $1 ipsec_mgmt_t:process sigkill;
+ ')
+
++########################################
++##
++## Send ipsec a general signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_signal',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process signal;
++')
++
++########################################
++##
++## Send ipsec a null signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_signull',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process signull;
++')
++
++########################################
++##
++## Send ipsec a kill signal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipsec_kill',`
++ gen_require(`
++ type ipsec_t;
++ ')
++
++ allow $1 ipsec_t:process sigkill;
++')
++
+ ######################################
+ ##
+ ## Send and receive messages from
+@@ -225,6 +276,7 @@ interface(`ipsec_match_default_spd',`
allow $1 ipsec_spd_t:association polmatch;
allow $1 self:association sendto;
@@ -29205,7 +29459,7 @@ index 0d4c8d3..ac0a652 100644
')
########################################
-@@ -369,3 +367,26 @@ interface(`ipsec_run_setkey',`
+@@ -369,3 +421,26 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
')
@@ -31580,7 +31834,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..ea56d23 100644
+index e8c59a5..df70cac 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -31602,7 +31856,7 @@ index e8c59a5..ea56d23 100644
type lvm_lock_t;
files_lock_file(lvm_lock_t)
-@@ -49,13 +52,16 @@ files_tmp_file(lvm_tmp_t)
+@@ -49,15 +52,19 @@ files_tmp_file(lvm_tmp_t)
allow clvmd_t self:capability { sys_nice chown ipc_lock sys_admin mknod };
dontaudit clvmd_t self:capability sys_tty_config;
allow clvmd_t self:process { signal_perms setsched };
@@ -31617,10 +31871,14 @@ index e8c59a5..ea56d23 100644
+manage_files_pattern(clvmd_t, clvmd_tmpfs_t,clvmd_tmpfs_t)
+fs_tmpfs_filetrans(clvmd_t, clvmd_tmpfs_t, { dir file })
+
++manage_dirs_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t)
- files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
+-files_pid_filetrans(clvmd_t, clvmd_var_run_t, file)
++files_pid_filetrans(clvmd_t, clvmd_var_run_t, { file dir })
-@@ -71,7 +77,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
+ read_files_pattern(clvmd_t, lvm_metadata_t, lvm_metadata_t)
+
+@@ -71,7 +78,6 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
corecmd_exec_shell(clvmd_t)
corecmd_getattr_bin_files(clvmd_t)
@@ -31628,7 +31886,7 @@ index e8c59a5..ea56d23 100644
corenet_all_recvfrom_netlabel(clvmd_t)
corenet_tcp_sendrecv_generic_if(clvmd_t)
corenet_udp_sendrecv_generic_if(clvmd_t)
-@@ -120,9 +125,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
+@@ -120,9 +126,7 @@ init_dontaudit_getattr_initctl(clvmd_t)
logging_send_syslog_msg(clvmd_t)
@@ -31638,7 +31896,7 @@ index e8c59a5..ea56d23 100644
seutil_sigchld_newrole(clvmd_t)
seutil_read_config(clvmd_t)
seutil_read_file_contexts(clvmd_t)
-@@ -141,6 +144,11 @@ ifdef(`distro_redhat',`
+@@ -141,6 +145,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -31650,7 +31908,7 @@ index e8c59a5..ea56d23 100644
ccs_stream_connect(clvmd_t)
')
-@@ -170,6 +178,7 @@ dontaudit lvm_t self:capability sys_tty_config;
+@@ -170,6 +179,7 @@ dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
# LVM will complain a lot if it cannot set its priority.
allow lvm_t self:process setsched;
@@ -31658,7 +31916,7 @@ index e8c59a5..ea56d23 100644
allow lvm_t self:file rw_file_perms;
allow lvm_t self:fifo_file manage_fifo_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
-@@ -191,10 +200,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
+@@ -191,10 +201,12 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
can_exec(lvm_t, lvm_exec_t)
# Creating lock files
@@ -31671,7 +31929,7 @@ index e8c59a5..ea56d23 100644
manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -202,8 +213,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -202,8 +214,10 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
@@ -31679,10 +31937,11 @@ index e8c59a5..ea56d23 100644
manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
-files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
++init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -220,6 +232,7 @@ kernel_read_kernel_sysctls(lvm_t)
+@@ -220,6 +234,7 @@ kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
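Review bot: `init_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })` on line 1459 is an unnamed type transition, so any directory, file, fifo or socket lvm_t creates anywhere under init_var_run_t is relabelled lvm_var_run_t, not only an lvm-specific subdirectory. If the interface accepts a filename argument the way `files_pid_filetrans` does, naming the object (constructed example: `init_pid_filetrans(lvm_t, lvm_var_run_t, dir, "lvm")`, with the real name taken from what lvm creates) keeps the transition from touching unrelated objects under /run/systemd. A short comment stating which lvm component creates objects there would also help.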
@@ -31690,7 +31949,7 @@ index e8c59a5..ea56d23 100644
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
-@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +245,13 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@@ -31705,7 +31964,7 @@ index e8c59a5..ea56d23 100644
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
-@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +263,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -31713,7 +31972,7 @@ index e8c59a5..ea56d23 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +273,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -31736,7 +31995,7 @@ index e8c59a5..ea56d23 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +307,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -31745,15 +32004,15 @@ index e8c59a5..ea56d23 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +315,22 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
+logging_stream_connect_syslog(lvm_t)
-+
-+authlogin_rw_pipes(lvm_t)
-miscfiles_read_localization(lvm_t)
++authlogin_rw_pipes(lvm_t)
++auth_use_nsswitch(lvm_t)
seutil_read_config(lvm_t)
seutil_read_file_contexts(lvm_t)
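Review bot: `auth_use_nsswitch(lvm_t)` on line 1511 pulls name-service access (typically including resolver and, through its optional parts, directory-service access) into the LVM domain with no comment on which tool needs user or group lookups; the same missing rationale applies to `usermanage_read_crack_db(lvm_t)` at line 1519 in the next hunk, which lets the LVM domain read the password-quality dictionary and suggests a passphrase checker (presumably a crypt setup tool that shares lvm_t) has been folded into this domain. A why-comment on each line, e.g. `# <tool> runs in lvm_t and checks passphrase quality — TODO confirm tool`, would make both grants auditable.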
@@ -31764,10 +32023,12 @@ index e8c59a5..ea56d23 100644
userdom_use_user_terminals(lvm_t)
+userdom_rw_semaphores(lvm_t)
+userdom_search_user_home_dirs(lvm_t)
++
++usermanage_read_crack_db(lvm_t)
ifdef(`distro_redhat',`
# this is from the initrd:
-@@ -313,6 +338,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +342,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -31779,7 +32040,7 @@ index e8c59a5..ea56d23 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -333,14 +363,26 @@ optional_policy(`
+@@ -333,14 +367,26 @@ optional_policy(`
')
optional_policy(`
@@ -31807,7 +32068,7 @@ index e8c59a5..ea56d23 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..06fa481 100644
+index 9fe8e01..fa82aac 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -31826,7 +32087,7 @@ index 9fe8e01..06fa481 100644
ifdef(`distro_redhat',`
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
-@@ -37,11 +39,6 @@ ifdef(`distro_redhat',`
+@@ -37,14 +39,10 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -31838,7 +32099,19 @@ index 9fe8e01..06fa481 100644
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -77,7 +74,7 @@ ifdef(`distro_redhat',`
++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+@@ -53,6 +51,7 @@ ifdef(`distro_redhat',`
+ /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+
++/usr/share/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
@@ -31847,7 +32120,7 @@ index 9fe8e01..06fa481 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -90,6 +87,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
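Review bot: The entry `/usr/share/pki/ca-certificates(/.*)?` on line 1551 is redundant: the `/usr/share/pki(/.*)?` entry added on line 1559 already matches that subtree and assigns the same cert_t context, so the more specific line labels nothing the broader one does not and only leaves two places to maintain. Keep one of them — the broader entry is the one doing the work — unless a different type is intended for the ca-certificates subtree.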
@@ -32478,7 +32751,7 @@ index 72c746e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..0755e25 100644
+index 4584457..e432df3 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -32495,7 +32768,7 @@ index 4584457..0755e25 100644
')
########################################
-@@ -38,11 +45,103 @@ interface(`mount_domtrans',`
+@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
#
interface(`mount_run',`
gen_require(`
@@ -32583,6 +32856,25 @@ index 4584457..0755e25 100644
+
+########################################
+##
++## Read/write mount PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`mount_rw_pid_files',`
++ gen_require(`
++ type mount_var_run_t;
++ ')
++
++ rw_files_pattern($1, mount_var_run_t, mount_var_run_t)
++ files_search_pids($1)
++')
++
++########################################
++##
+## Manage mount PID files.
+##
+##
@@ -32601,7 +32893,7 @@ index 4584457..0755e25 100644
')
########################################
-@@ -91,7 +190,7 @@ interface(`mount_signal',`
+@@ -91,7 +209,7 @@ interface(`mount_signal',`
##
##
##
@@ -32610,7 +32902,7 @@ index 4584457..0755e25 100644
##
##
#
-@@ -131,45 +230,138 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',`
########################################
##
@@ -32670,14 +32962,19 @@ index 4584457..0755e25 100644
##
-## Role allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`mount_run_unconfined',`
+interface(`mount_exec_fusermount',`
-+ gen_require(`
+ gen_require(`
+- type unconfined_mount_t;
+ type fusermount_exec_t;
-+ ')
-+
+ ')
+
+- mount_domtrans_unconfined($1)
+- role $2 types unconfined_mount_t;
+ can_exec($1, fusermount_exec_t)
+')
+
@@ -32688,19 +32985,14 @@ index 4584457..0755e25 100644
+##
+##
+## Domain to not audit.
- ##
- ##
--##
- #
--interface(`mount_run_unconfined',`
++##
++##
++#
+interface(`mount_dontaudit_exec_fusermount',`
- gen_require(`
-- type unconfined_mount_t;
++ gen_require(`
+ type fusermount_exec_t;
- ')
-
-- mount_domtrans_unconfined($1)
-- role $2 types unconfined_mount_t;
++ ')
++
+ dontaudit $1 fusermount_exec_t:file exec_file_perms;
+')
+
@@ -32766,7 +33058,7 @@ index 4584457..0755e25 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..ac90315 100644
+index 6a50270..b34911e 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -32867,7 +33159,7 @@ index 6a50270..ac90315 100644
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +100,47 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -32883,6 +33175,7 @@ index 6a50270..ac90315 100644
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)
++dev_rw_loop_control(mount_t)
+
+ifdef(`hide_broken_symptoms',`
+ dev_rw_generic_blk_files(mount_t)
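Review bot: `dev_rw_loop_control(mount_t)` on line 1704 gives the mount domain read/write access to the loop control device, which lets it allocate and release loop devices, and nothing on the line says which use case requires it. A comment such as `# loop device allocation, presumably for mount -o loop — confirm` would document the intent; it is also worth checking that the existing loop block-device rules for mount_t (not visible in this hunk) are no wider than this allocation right needs.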
@@ -32917,7 +33210,7 @@ index 6a50270..ac90315 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
-@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +148,39 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -32963,7 +33256,7 @@ index 6a50270..ac90315 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +188,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -32987,7 +33280,7 @@ index 6a50270..ac90315 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +218,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -33027,7 +33320,7 @@ index 6a50270..ac90315 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +251,8 @@ optional_policy(`
+@@ -179,6 +252,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -33036,7 +33329,7 @@ index 6a50270..ac90315 100644
')
optional_policy(`
-@@ -186,6 +260,36 @@ optional_policy(`
+@@ -186,6 +261,36 @@ optional_policy(`
')
optional_policy(`
@@ -33073,7 +33366,7 @@ index 6a50270..ac90315 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +298,124 @@ optional_policy(`
+@@ -194,24 +299,128 @@ optional_policy(`
')
optional_policy(`
@@ -33133,16 +33426,20 @@ index 6a50270..ac90315 100644
+optional_policy(`
+ usbmuxd_stream_connect(mount_t)
+')
++
++optional_policy(`
++ userhelper_exec_console(mount_t)
++')
++
++optional_policy(`
++ unconfined_write_keys(mount_t)
++')
optional_policy(`
- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
- unconfined_domain(unconfined_mount_t)
-+ userhelper_exec_console(mount_t)
- ')
-+
-+optional_policy(`
+ virt_read_blk_images(mount_t)
-+')
+ ')
+
+optional_policy(`
+ vmware_exec_host(mount_t)
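Review bot: `unconfined_write_keys(mount_t)` on line 1764 lets the mount domain write into the kernel keyrings of unconfined_t processes, a cross-domain write into another domain's credential store, and the hunk gives no hint which mount helper needs it. A comment naming the consumer (for instance a filesystem helper that stores a key in the invoking user's keyring — confirm) would make the grant reviewable, and if only one helper domain needs it the rule belongs with that helper rather than with mount_t as a whole. The relocation of the `userhelper_exec_console` block in the same hunk is otherwise a no-op.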
@@ -34692,10 +34989,10 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..2fa1253 100644
+index 346a7cc..b44bb0c 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,14 +17,15 @@ ifdef(`distro_debian',`
+@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -34712,8 +35009,11 @@ index 346a7cc..2fa1253 100644
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+
+ ifdef(`distro_redhat',`
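Review bot: After `/etc/dhcp3?(/.*)?` is widened to cover both `/etc/dhcp` and `/etc/dhcp3` and everything beneath them, the unchanged `/etc/dhcp3?/dhclient.*` entry on the following line is fully subsumed and assigns the same `dhcp_etc_t` context, so it is now dead weight. Either drop it or keep it with a short comment stating it is intentionally retained for specificity; as written a later reader will assume the two lines differ in effect.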
@@ -55,6 +56,20 @@ ifdef(`distro_redhat',`
#
# /usr
@@ -35417,12 +35717,29 @@ index 0000000..4e12420
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..fc080a1
+index 0000000..2927875
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1064 @@
+@@ -0,0 +1,1103 @@
+## SELinux policy for systemd components
+
++######################################
++##
++## Create a domain for processes which are started
++## exuting systemctl.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_stub_unit_file',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++')
++
+#######################################
+##
+## Create a domain for processes which are started
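Review bot: The description of `systemd_stub_unit_file` ("Create a domain for processes which are started exuting systemctl", with the typo) was copied from the interface that follows it and does not describe what this one does, which is only `gen_require` the type and grant nothing. Stub interfaces should say so, otherwise callers will expect a domain transition that never happens; replace the summary with `## Stub interface that only requires systemd_unit_file_t; grants no access.` and fix "exuting" to "executing" in the copied text below.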
@@ -36467,7 +36784,7 @@ index 0000000..fc080a1
+########################################
+##
+## Send and receive messages from
-+## systemd timedated over dbus.
++## systemd hostnamed over dbus.
+##
+##
+##
@@ -36485,9 +36802,31 @@ index 0000000..fc080a1
+ allow systemd_hostnamed_t $1:dbus send_msg;
+ ps_process_pattern(systemd_hostnamed_t, $1)
+')
++
++########################################
++##
++## Send and receive messages from
++## systemd localed over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_dbus_chat_localed',`
++ gen_require(`
++ type systemd_localed_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 systemd_localed_t:dbus send_msg;
++ allow systemd_localed_t $1:dbus send_msg;
++ ps_process_pattern(systemd_localed_t, $1)
++')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..60e3e89
+index 0000000..4d56107
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,641 @@
@@ -36970,7 +37309,7 @@ index 0000000..60e3e89
+
+userdom_dbus_send_all_users(systemd_localed_t)
+
-+xserver_read_config(systemd_localed_t)
++xserver_manage_config(systemd_localed_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_localed_t)
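Review bot: `xserver_read_config(systemd_localed_t)` becomes `xserver_manage_config(systemd_localed_t)`, which widens a read grant to create/write/delete on the X server configuration, and the hunk gives no reason. Presumably localed needs this to write the keyboard-layout snippet under xorg.conf.d, but a privilege increase on a daemon reachable over dbus by every user domain should say that in the policy, e.g. `# localed rewrites the X11 keyboard-layout configuration` on the line above. The surrounding `systemd_localed_t` block continues outside the hunk.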
@@ -38503,7 +38842,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..05bc969 100644
+index 3c5dba7..9799799 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -39765,7 +40104,7 @@ index 3c5dba7..05bc969 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1309,59 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -39812,6 +40151,7 @@ index 3c5dba7..05bc969 100644
+ optional_policy(`
+ systemd_dbus_chat_timedated($1_t)
+ systemd_dbus_chat_hostnamed($1_t)
++ systemd_dbus_chat_localed($1_t)
+ ')
+
+ optional_policy(`
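Review bot: Adding `systemd_dbus_chat_localed($1_t)` to the unprivileged user template lets every unprivileged user domain send to and receive from localed, and `dbus send_msg` is not method-granular, so nothing in SELinux distinguishes a read-only query from a call that changes the system locale or keymap. That is acceptable only because localed gates its privileged methods through polkit; the block should record that assumption, e.g. `# localed's privileged methods are authorized by polkit, not by this rule`, alongside the timedated/hostnamed lines that rely on the same arrangement. The enclosing `optional_policy` block starts and ends outside this hunk.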
@@ -39835,7 +40175,7 @@ index 3c5dba7..05bc969 100644
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -39846,7 +40186,7 @@ index 3c5dba7..05bc969 100644
')
')
-@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -39855,7 +40195,7 @@ index 3c5dba7..05bc969 100644
')
##############################
-@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -39863,7 +40203,7 @@ index 3c5dba7..05bc969 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -39873,7 +40213,7 @@ index 3c5dba7..05bc969 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -39881,7 +40221,7 @@ index 3c5dba7..05bc969 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -39896,7 +40236,7 @@ index 3c5dba7..05bc969 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -39939,7 +40279,7 @@ index 3c5dba7..05bc969 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -39948,7 +40288,7 @@ index 3c5dba7..05bc969 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -39967,7 +40307,7 @@ index 3c5dba7..05bc969 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -39976,7 +40316,7 @@ index 3c5dba7..05bc969 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -39988,7 +40328,7 @@ index 3c5dba7..05bc969 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -40031,7 +40371,7 @@ index 3c5dba7..05bc969 100644
')
optional_policy(`
-@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -40050,7 +40390,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',`
##
## Allow domain to attach to TUN devices created by administrative users.
##
@@ -40102,7 +40442,7 @@ index 3c5dba7..05bc969 100644
##
##
## Domain allowed access.
-@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -40134,7 +40474,7 @@ index 3c5dba7..05bc969 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -40149,7 +40489,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -40161,7 +40501,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -40204,7 +40544,7 @@ index 3c5dba7..05bc969 100644
########################################
##
## Create directories in the home dir root with
-@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -40213,7 +40553,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -40228,7 +40568,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2247,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -40237,7 +40577,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1780,19 +2255,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -40261,7 +40601,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1800,31 +2273,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -40301,7 +40641,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2321,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -40327,7 +40667,7 @@ index 3c5dba7..05bc969 100644
## Mmap user home files.
##
##
-@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2370,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -40365,7 +40705,7 @@ index 3c5dba7..05bc969 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2410,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -40383,7 +40723,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2458,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -40410,7 +40750,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2486,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -40431,7 +40771,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2502,48 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -40482,7 +40822,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2579,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -40492,7 +40832,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2595,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -40517,7 +40857,7 @@ index 3c5dba7..05bc969 100644
########################################
##
-@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2685,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -40526,7 +40866,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2693,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -40550,7 +40890,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2711,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -40566,7 +40906,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2953,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -40581,7 +40921,7 @@ index 3c5dba7..05bc969 100644
files_search_tmp($1)
')
-@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +2977,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -40590,7 +40930,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3224,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -40616,7 +40956,7 @@ index 3c5dba7..05bc969 100644
########################################
##
## Read user tmpfs files.
-@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3259,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -40632,7 +40972,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3287,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -40641,7 +40981,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,19 +3295,17 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -40664,7 +41004,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2735,25 +3313,43 @@ interface(`userdom_manage_user_tmpfs_files',`
##
##
#
@@ -40714,7 +41054,7 @@ index 3c5dba7..05bc969 100644
gen_require(`
type user_tty_device_t;
')
-@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3413,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -40739,7 +41079,7 @@ index 3c5dba7..05bc969 100644
## Read and write a user domain pty.
##
##
-@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3449,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -40782,7 +41122,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3485,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -40820,7 +41160,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3530,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -40850,7 +41190,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3622,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -40951,7 +41291,7 @@ index 3c5dba7..05bc969 100644
##
##
##
-@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3691,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -40966,7 +41306,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3760,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -40975,7 +41315,7 @@ index 3c5dba7..05bc969 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3776,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -41009,7 +41349,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3217,7 +3863,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3864,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -41018,7 +41358,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3272,7 +3918,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3919,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -41084,7 +41424,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3290,7 +3993,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +3994,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -41093,7 +41433,7 @@ index 3c5dba7..05bc969 100644
')
########################################
-@@ -3309,6 +4012,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4013,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -41101,7 +41441,7 @@ index 3c5dba7..05bc969 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4089,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4090,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -41144,7 +41484,7 @@ index 3c5dba7..05bc969 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4145,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4146,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -41169,7 +41509,7 @@ index 3c5dba7..05bc969 100644
## Create keys for all user domains.
##
##
-@@ -3438,4 +4196,1357 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4197,1357 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index ff0cb24..43bfddb 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -516,7 +516,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..304203f 100644
+index cc43d25..563c773 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -732,7 +732,7 @@ index cc43d25..304203f 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +173,34 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -756,13 +756,14 @@ index cc43d25..304203f 100644
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
--auth_use_nsswitch(abrt_t)
--
- logging_read_generic_logs(abrt_t)
++logging_read_generic_logs(abrt_t)
+logging_send_syslog_msg(abrt_t)
-
-+auth_use_nsswitch(abrt_t)
+
+ auth_use_nsswitch(abrt_t)
+
+-logging_read_generic_logs(abrt_t)
++init_read_utmp(abrt_t)
+
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_public_files(abrt_t)
@@ -771,7 +772,7 @@ index cc43d25..304203f 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +208,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -788,7 +789,7 @@ index cc43d25..304203f 100644
')
optional_policy(`
-@@ -209,6 +220,12 @@ optional_policy(`
+@@ -209,6 +222,12 @@ optional_policy(`
')
optional_policy(`
@@ -801,7 +802,7 @@ index cc43d25..304203f 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +237,7 @@ optional_policy(`
+@@ -220,6 +239,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -809,7 +810,7 @@ index cc43d25..304203f 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +248,7 @@ optional_policy(`
+@@ -230,6 +250,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -817,7 +818,7 @@ index cc43d25..304203f 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +259,17 @@ optional_policy(`
+@@ -240,9 +261,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -836,7 +837,7 @@ index cc43d25..304203f 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +280,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -851,7 +852,7 @@ index cc43d25..304203f 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +299,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -859,7 +860,7 @@ index cc43d25..304203f 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -880,7 +881,7 @@ index cc43d25..304203f 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -907,7 +908,7 @@ index cc43d25..304203f 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +365,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -921,7 +922,7 @@ index cc43d25..304203f 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +383,11 @@ optional_policy(`
+@@ -330,10 +385,11 @@ optional_policy(`
#######################################
#
@@ -935,7 +936,7 @@ index cc43d25..304203f 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -947,6 +948,7 @@ index cc43d25..304203f 100644
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
++ mock_manage_lib_files(abrt_t)
+')
+
########################################
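Review bot: `mock_manage_lib_files(abrt_t)` is placed inside the `optional_policy` block of the retrace-worker section next to `mock_domtrans(abrt_retrace_worker_t)`, but its subject is the main `abrt_t` daemon rather than `abrt_retrace_worker_t`; either the subject is a typo or the rule belongs in abrt_t's own section. If the worker is what drives mock, the line should read `mock_manage_lib_files(abrt_retrace_worker_t)`; if abrt_t really needs to manage mock's build-root state, move it into abrt_t's block with a comment saying why the daemon, and not the worker, writes there.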
@@ -976,7 +978,7 @@ index cc43d25..304203f 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
@@ -994,7 +996,7 @@ index cc43d25..304203f 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -2720,7 +2722,7 @@ index 0000000..b334e9a
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..e714059 100644
+index 550a69e..78579c0 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,161 +1,184 @@
@@ -3017,12 +3019,12 @@ index 550a69e..e714059 100644
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+
-+/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
-+/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
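Review bot: Changing `/var/www/html/[^/]*/sites/default/...` to `/var/www/html(/.*)?/sites/default/...` and `/var/www/html/wp-content(/.*)?` to `/var/www/html(/.*)?/wp-content(/.*)?` makes any `sites/default` or `wp-content` tree at any depth under the web root `httpd_sys_rw_content_t`, i.e. writable by httpd, where previously only one fixed level (or the web root itself) matched. That is a deliberate widening of the writable surface and should be stated in the file, e.g. `# any wp-content / sites/default tree below the web root is httpd-writable by design` above these entries, so a later restorecon surprise can be traced to intent rather than accident.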
@@ -4365,7 +4367,7 @@ index 83e899c..e3bed6a 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..c388418 100644
+index 1a82e29..5e167ca 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,353 @@
@@ -5103,7 +5105,7 @@ index 1a82e29..c388418 100644
-fs_read_anon_inodefs_files(httpd_t)
fs_read_iso9660_files(httpd_t)
-fs_search_auto_mountpoints(httpd_t)
-+fs_read_anon_inodefs_files(httpd_t)
++fs_rw_anon_inodefs_files(httpd_t)
+fs_read_hugetlbfs_files(httpd_t)
+
+auth_use_nsswitch(httpd_t)
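Review bot: `fs_read_anon_inodefs_files(httpd_t)` is replaced by `fs_rw_anon_inodefs_files(httpd_t)` with no comment on why write is now required; the same read-to-rw widening for `httpd_sys_script_t` appears later in this file section. Anon inodes are per-process objects such as eventfd or signalfd, so the practical risk is low, but the reason should be recorded, e.g. `# eventfd/signalfd descriptors live on anon_inodefs and need write` — hedged as presumed, since the hunk does not show which descriptor type triggered the denial.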
@@ -5726,10 +5728,11 @@ index 1a82e29..c388418 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -5788,11 +5791,10 @@ index 1a82e29..c388418 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6004,7 +6006,7 @@ index 1a82e29..c388418 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1270,103 @@ optional_policy(`
+@@ -1077,172 +1270,104 @@ optional_policy(`
')
')
@@ -6029,11 +6031,11 @@ index 1a82e29..c388418 100644
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-+allow httpd_sys_script_t self:process getsched;
-
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
--
++allow httpd_sys_script_t self:process getsched;
+
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
@@ -6143,6 +6145,7 @@ index 1a82e29..c388418 100644
+fs_cifs_entry_type(httpd_sys_script_t)
+fs_read_iso9660_files(httpd_sys_script_t)
+fs_nfs_entry_type(httpd_sys_script_t)
++fs_rw_anon_inodefs_files(httpd_sys_script_t)
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
- postgresql_tcp_connect(httpd_script_domains)
@@ -6170,7 +6173,8 @@ index 1a82e29..c388418 100644
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -6200,8 +6204,7 @@ index 1a82e29..c388418 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6239,7 +6242,7 @@ index 1a82e29..c388418 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1374,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1375,70 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6333,7 +6336,7 @@ index 1a82e29..c388418 100644
########################################
#
-@@ -1315,8 +1445,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1446,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6350,7 +6353,7 @@ index 1a82e29..c388418 100644
')
########################################
-@@ -1324,49 +1461,36 @@ optional_policy(`
+@@ -1324,49 +1462,36 @@ optional_policy(`
# User content local policy
#
@@ -6414,7 +6417,7 @@ index 1a82e29..c388418 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1500,94 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1501,94 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -9740,10 +9743,10 @@ index 2354e21..bec6c06 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..7c0b1be 100644
+index 403af41..68a5e26 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t;
+@@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
@@ -9774,7 +9777,10 @@ index 403af41..7c0b1be 100644
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
++ apache_exec(certwatch_t)
apache_exec_modules(certwatch_t)
+ apache_read_config(certwatch_t)
+ ')
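Review bot: `apache_exec(certwatch_t)` runs the httpd binary inside `certwatch_t` with no domain transition, so httpd's code executes with certwatch's permissions instead of `httpd_t`'s; that is a different trust decision from the existing `apache_exec_modules` and `apache_read_config` lines and deserves a comment naming the invocation that needs it (a configuration check of some kind, presumably). Add e.g. `# certwatch invokes httpd in its own domain; no transition to httpd_t intended` above the call so the choice is visibly deliberate.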
diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644
--- a/cfengine.if
@@ -9933,7 +9939,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index fdee107..eb7a3ac 100644
+index fdee107..7a38b63 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -9979,10 +9985,10 @@ index fdee107..eb7a3ac 100644
#
# cgred local policy
#
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
-+
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
@@ -11801,7 +11807,7 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 09f18e2..e891ec4 100644
+index 09f18e2..f0cade4 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -11902,7 +11908,7 @@ index 09f18e2..e891ec4 100644
')
optional_policy(`
-@@ -133,3 +142,14 @@ optional_policy(`
+@@ -133,3 +142,16 @@ optional_policy(`
optional_policy(`
udev_read_db(colord_t)
')
@@ -11912,6 +11918,8 @@ index 09f18e2..e891ec4 100644
+ xserver_read_xdm_state(colord_t)
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
+ xserver_read_inherited_xdm_lib_files(colord_t)
++ # allow to read /run/initial-setup-$username
++ xserver_read_xdm_pid(colord_t)
+')
+
+optional_policy(`
@@ -12406,7 +12414,7 @@ index 3fe3cb8..684b700 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index 3f2b672..22ddc47 100644
+index 3f2b672..2af6e1e 100644
--- a/condor.te
+++ b/condor.te
@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t)
@@ -12419,8 +12427,13 @@ index 3f2b672..22ddc47 100644
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
-@@ -59,8 +62,9 @@ condor_domain_template(startd)
+@@ -57,10 +60,14 @@ condor_domain_template(startd)
+ # Global local policy
+ #
++allow condor_domain self:capability dac_override;
++allow condor_domain self:capability2 block_suspend;
++
allow condor_domain self:process signal_perms;
allow condor_domain self:fifo_file rw_fifo_file_perms;
-allow condor_domain self:tcp_socket { accept listen };
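Review bot: `allow condor_domain self:capability dac_override;` grants DAC bypass to every domain carrying the condor_domain attribute (the condor_domain_template calls just above create collector, negotiator, procd and startd, with master and schedd elsewhere), and a later hunk drops the master-only `dac_override`, so this is a widening, not a move; nothing in the hunk says which daemon produced the denial. If only one or two daemons need it, keep it per-domain (e.g. `allow condor_master_t self:capability dac_override;`), or at least add `# dac_override: needed by <daemon> for <path> — TODO confirm from the AVC` above the line. The self-scoped `capability2 block_suspend` on the next line is harmless and needs no note.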
@@ -12431,7 +12444,7 @@ index 3f2b672..22ddc47 100644
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-@@ -86,13 +90,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+@@ -86,13 +93,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
@@ -12445,7 +12458,7 @@ index 3f2b672..22ddc47 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -106,9 +107,7 @@ dev_read_rand(condor_domain)
+@@ -106,9 +110,7 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
@@ -12456,16 +12469,36 @@ index 3f2b672..22ddc47 100644
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
-@@ -150,8 +149,6 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
+@@ -125,7 +127,7 @@ optional_policy(`
+ # Master local policy
+ #
+
+-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
++allow condor_master_t self:capability { setuid setgid sys_ptrace };
+
+ allow condor_master_t condor_domain:process { sigkill signal };
+
+@@ -133,6 +135,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+ manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+ files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
+
++can_exec(condor_master_t, condor_master_exec_t)
++
++kernel_read_system_state(condor_master_tmp_t)
++
+ corenet_udp_sendrecv_generic_if(condor_master_t)
+ corenet_udp_sendrecv_generic_node(condor_master_t)
+ corenet_tcp_bind_generic_node(condor_master_t)
+@@ -150,7 +156,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t)
domain_read_all_domains_state(condor_master_t)
-auth_use_nsswitch(condor_master_t)
--
++auth_read_passwd(condor_master_t)
+
optional_policy(`
mta_send_mail(condor_master_t)
- mta_read_config(condor_master_t)
-@@ -178,6 +175,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +184,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
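Review bot: `kernel_read_system_state(condor_master_tmp_t)` passes a file type, not a domain, as the subject: condor_master_tmp_t is the tmp type the manage/filetrans lines just above use as an object, so the rule grants nothing to the running daemon and will not resolve whatever denial prompted it. It should read `kernel_read_system_state(condor_master_t)`. Replacing `auth_use_nsswitch(condor_master_t)` with `auth_read_passwd(condor_master_t)` also narrows the master to file-based lookups; if it ever resolves users through nscd/sssd that will presumably come back as a denial, so a one-line comment on the intent would help.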
@@ -12474,7 +12507,16 @@ index 3f2b672..22ddc47 100644
######################################
#
# Procd local policy
-@@ -209,6 +208,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -201,6 +209,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+
+ allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
+
++allow condor_schedd_t condor_master_tmp_t:dir getattr;
++
+ domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
+ domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
+
+@@ -209,6 +219,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -12483,7 +12525,7 @@ index 3f2b672..22ddc47 100644
#####################################
#
# Startd local policy
-@@ -233,11 +234,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +245,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -12496,7 +12538,7 @@ index 3f2b672..22ddc47 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -249,3 +249,7 @@ optional_policy(`
+@@ -249,3 +260,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -16021,7 +16063,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..45fe9a0 100644
+index 9f34c2e..3b03f21 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16243,7 +16285,7 @@ index 9f34c2e..45fe9a0 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -16259,10 +16301,11 @@ index 9f34c2e..45fe9a0 100644
fs_search_fusefs(cupsd_t)
fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
++fs_rw_inherited_tmpfs_files(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@@ -16271,7 +16314,7 @@ index 9f34c2e..45fe9a0 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -16297,7 +16340,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +307,8 @@ optional_policy(`
+@@ -275,6 +308,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -16306,7 +16349,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +319,10 @@ optional_policy(`
+@@ -285,8 +320,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -16317,7 +16360,7 @@ index 9f34c2e..45fe9a0 100644
')
')
-@@ -299,8 +335,8 @@ optional_policy(`
+@@ -299,8 +336,8 @@ optional_policy(`
')
optional_policy(`
@@ -16327,7 +16370,7 @@ index 9f34c2e..45fe9a0 100644
')
optional_policy(`
-@@ -309,7 +345,6 @@ optional_policy(`
+@@ -309,7 +346,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -16335,7 +16378,7 @@ index 9f34c2e..45fe9a0 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +372,7 @@ optional_policy(`
+@@ -337,7 +373,7 @@ optional_policy(`
')
optional_policy(`
@@ -16344,7 +16387,7 @@ index 9f34c2e..45fe9a0 100644
')
########################################
-@@ -345,11 +380,9 @@ optional_policy(`
+@@ -345,11 +381,9 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -16358,7 +16401,7 @@ index 9f34c2e..45fe9a0 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -16378,7 +16421,7 @@ index 9f34c2e..45fe9a0 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -16399,7 +16442,7 @@ index 9f34c2e..45fe9a0 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -16411,7 +16454,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +469,12 @@ optional_policy(`
+@@ -452,9 +470,12 @@ optional_policy(`
')
optional_policy(`
@@ -16425,7 +16468,7 @@ index 9f34c2e..45fe9a0 100644
')
optional_policy(`
-@@ -490,10 +510,6 @@ optional_policy(`
+@@ -490,10 +511,6 @@ optional_policy(`
# Lpd local policy
#
@@ -16436,7 +16479,7 @@ index 9f34c2e..45fe9a0 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -16469,7 +16512,7 @@ index 9f34c2e..45fe9a0 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +553,6 @@ optional_policy(`
+@@ -546,7 +554,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16477,7 +16520,7 @@ index 9f34c2e..45fe9a0 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -16495,7 +16538,7 @@ index 9f34c2e..45fe9a0 100644
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
-@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(cups_pdf_t)
')
@@ -16626,7 +16669,7 @@ index 9f34c2e..45fe9a0 100644
########################################
#
-@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16634,7 +16677,7 @@ index 9f34c2e..45fe9a0 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -16648,7 +16691,7 @@ index 9f34c2e..45fe9a0 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -18734,7 +18777,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..41ca7ce 100644
+index ff933af..fc9d3f4 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -18837,18 +18880,19 @@ index ff933af..41ca7ce 100644
')
optional_policy(`
-@@ -180,6 +184,10 @@ optional_policy(`
+@@ -180,6 +184,11 @@ optional_policy(`
')
optional_policy(`
+ systemd_read_logind_sessions_files(devicekit_disk_t)
++ systemd_write_inhibit_pipes(devicekit_disk_t)
+')
+
+optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
')
-@@ -188,12 +196,19 @@ optional_policy(`
+@@ -188,12 +197,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -18869,7 +18913,7 @@ index ff933af..41ca7ce 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +222,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@@ -18880,7 +18924,7 @@ index ff933af..41ca7ce 100644
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +255,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
@@ -18900,7 +18944,7 @@ index ff933af..41ca7ce 100644
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +281,11 @@ optional_policy(`
+@@ -269,9 +282,11 @@ optional_policy(`
optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
@@ -18912,7 +18956,7 @@ index ff933af..41ca7ce 100644
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +316,11 @@ optional_policy(`
+@@ -302,8 +317,11 @@ optional_policy(`
')
optional_policy(`
@@ -18925,7 +18969,7 @@ index ff933af..41ca7ce 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -341,3 +358,9 @@ optional_policy(`
+@@ -341,3 +359,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -19296,10 +19340,10 @@ index 0000000..332a1c9
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 0000000..a3d076f
+index 0000000..35455bf
--- /dev/null
+++ b/dirsrv-admin.te
-@@ -0,0 +1,144 @@
+@@ -0,0 +1,156 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -19332,9 +19376,10 @@ index 0000000..a3d076f
+#
+# Local policy for the daemon
+#
++
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
-+allow dirsrvadmin_t self:process setrlimit;
++allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
@@ -19353,7 +19398,6 @@ index 0000000..a3d076f
+
+logging_search_logs(dirsrvadmin_t)
+
-+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+
@@ -19374,7 +19418,7 @@ index 0000000..a3d076f
+ apache_content_template(dirsrvadmin)
+
+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
-+ allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
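Review bot: the widened capability set on `httpd_dirsrvadmin_script_t` adds `fowner fsetid` to a web-reachable CGI domain that already holds `chown setuid setgid kill dac_override dac_read_search`, with no comment on which operation needs them. For a domain entered from httpd each of these is worth justifying inline; suggest `# fowner/fsetid: <operation> on dirsrv config files — TODO confirm from the AVC` above the allow line. The enclosing optional_policy block starts and ends outside this hunk.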
@@ -19387,7 +19431,12 @@ index 0000000..a3d076f
+
+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
++
++ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
++ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
++
++ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
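Review bot: `corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)` lets a CGI-script domain open its own listener on the HTTP port, which is unusual for content run under apache and is presumably the admin CGI restarting the admin server itself; the hunk should state that, e.g. `# the restart CGI re-execs the admin httpd and binds its port itself — TODO confirm`. The `++` blank line inserted before `corenet_tcp_bind_generic_node` follows an existing blank line, leaving two consecutive empty lines; drop one. The enclosing optional_policy block starts and ends outside this hunk.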
@@ -19401,6 +19450,13 @@ index 0000000..a3d076f
+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+ optional_policy(`
++ apache_read_modules(httpd_dirsrvadmin_script_t)
++ apache_read_config(httpd_dirsrvadmin_script_t)
++ apache_signal(httpd_dirsrvadmin_script_t)
++ apache_signull(httpd_dirsrvadmin_script_t)
++ ')
++
++ optional_policy(`
+ # The CGI scripts must be able to manage dirsrv-admin
+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
@@ -22541,7 +22597,7 @@ index 5cf6ac6..839999e 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..02de884 100644
+index c8014f8..64e18e1 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
@@ -22562,11 +22618,11 @@ index c8014f8..02de884 100644
# Local policy
#
-
-+allow firewalld_t self:capability dac_override;
++allow firewalld_t self:capability { dac_override net_admin };
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
-@@ -40,8 +49,17 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
+@@ -40,11 +49,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
@@ -22584,7 +22640,11 @@ index c8014f8..02de884 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-@@ -53,20 +71,17 @@ dev_read_urand(firewalld_t)
++kernel_rw_net_sysctls(firewalld_t)
+
+ corecmd_exec_bin(firewalld_t)
+ corecmd_exec_shell(firewalld_t)
+@@ -53,20 +72,17 @@ dev_read_urand(firewalld_t)
domain_use_interactive_fds(firewalld_t)
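Review bot: `kernel_rw_net_sysctls(firewalld_t)` grants write access to the whole net sysctl tree rather than the forwarding or conntrack keys firewalld presumably toggles; that is likely the only interface available at that granularity, but the hunk gives no hint which key triggered it. Add `# writes net.ipv4.ip_forward / nf_conntrack sysctls — TODO confirm from the AVC` above the line so a later audit can judge the intended scope. The `net_admin` capability added to the same domain in an earlier hunk is the companion change.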
@@ -22610,7 +22670,7 @@ index c8014f8..02de884 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -85,6 +100,10 @@ optional_policy(`
+@@ -85,6 +101,10 @@ optional_policy(`
')
optional_policy(`
@@ -23081,7 +23141,7 @@ index d062080..e098a40 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..2f7de33 100644
+index e50f33c..5e6cdb8 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -23102,16 +23162,23 @@ index e50f33c..2f7de33 100644
##
##
-@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false)
+@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
## used for public file transfer services.
##
##
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
++
++##
++##
++## Allow samba to export ntfs/fusefs volumes.
++##
++##
++gen_tunable(ftpd_use_fusefs, false)
##
##
-@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
+@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
## used for public file transfer services.
##
##
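Review bot: the description of the new `ftpd_use_fusefs` tunable reads "Allow samba to export ntfs/fusefs volumes.", a copy from the samba policy; it belongs to the ftpd boolean and is what `semanage boolean -l` will print. Reword it to match the neighbouring ftpd tunables, e.g. `## Allow ftp servers to use ntfs/fusefs volumes` followed by `## used for public file transfer services.`. The matching tunable_policy block (fs_manage_fusefs_dirs/files, else fs_search_fusefs) is added in a later hunk.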
@@ -23120,7 +23187,7 @@ index e50f33c..2f7de33 100644
##
##
-@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -23130,7 +23197,7 @@ index e50f33c..2f7de33 100644
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
-@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
+@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -23140,7 +23207,7 @@ index e50f33c..2f7de33 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
@@ -23156,7 +23223,7 @@ index e50f33c..2f7de33 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -23170,7 +23237,7 @@ index e50f33c..2f7de33 100644
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
-@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -23178,7 +23245,7 @@ index e50f33c..2f7de33 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t)
+@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -23201,6 +23268,13 @@ index e50f33c..2f7de33 100644
')
-tunable_policy(`allow_ftpd_use_nfs',`
++tunable_policy(`ftpd_use_fusefs',`
++ fs_manage_fusefs_dirs(ftpd_t)
++ fs_manage_fusefs_files(ftpd_t)
++',`
++ fs_search_fusefs(ftpd_t)
++')
++
+tunable_policy(`ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
@@ -23228,7 +23302,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23241,7 +23315,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',`
+@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content_dirs(ftpd_t)
userdom_manage_user_home_content_files(ftpd_t)
@@ -23254,7 +23328,7 @@ index e50f33c..2f7de33 100644
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
')
-@@ -360,7 +374,7 @@ optional_policy(`
+@@ -360,7 +388,7 @@ optional_policy(`
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
@@ -23263,7 +23337,7 @@ index e50f33c..2f7de33 100644
')
optional_policy(`
-@@ -410,21 +424,20 @@ optional_policy(`
+@@ -410,21 +438,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -23287,7 +23361,7 @@ index e50f33c..2f7de33 100644
miscfiles_read_public_files(anon_sftpd_t)
-@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
@@ -23328,7 +23402,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -23503,7 +23577,7 @@ index 1e29af1..a1c464e 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index 93b0301..8561970 100644
+index 93b0301..9108ddc 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -23521,6 +23595,19 @@ index 93b0301..8561970 100644
## Determine whether Git system daemon
## can search home directories.
##
+@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
+ userdom_user_application_domain(git_session_t, gitd_exec_t)
+ role git_session_roles types git_session_t;
+
+-type git_sys_content_t;
++type git_sys_content_t alias git_system_content_t;
+ files_type(git_sys_content_t)
+
+-type git_user_content_t;
++type git_user_content_t alias git_session_content_t;
+ userdom_user_home_content(git_user_content_t)
+
+ ########################################
@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
@@ -28129,8 +28216,20 @@ index 94ec5f8..801417b 100644
logging_send_syslog_msg(iodined_t)
+diff --git a/irc.fc b/irc.fc
+index 48e7739..c3285c2 100644
+--- a/irc.fc
++++ b/irc.fc
+@@ -1,6 +1,6 @@
+ HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
+ HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
+-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)
+
+ /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
+
diff --git a/irc.if b/irc.if
-index ac00fb0..06cb083 100644
+index ac00fb0..53e4fc7 100644
--- a/irc.if
+++ b/irc.if
@@ -20,6 +20,7 @@ interface(`irc_role',`
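Review bot: the replacement file-context line `HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)` has two defects: `issi_home_t` is not a declared type (irc.te introduces `irssi_home_t`, and the irc.if hunk below requires that name), so the module's fc will be rejected when it is installed, and the path lost its trailing `s` while `irc_filetrans_home_content` still transitions on `"irclogs"`, so directories created under that name would never match on relabel. It should read `HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)`.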
@@ -28141,7 +28240,7 @@ index ac00fb0..06cb083 100644
')
########################################
-@@ -39,10 +40,33 @@ interface(`irc_role',`
+@@ -39,10 +40,34 @@ interface(`irc_role',`
ps_process_pattern($2, irc_t)
allow $2 irc_t:process { ptrace signal_perms };
@@ -28176,16 +28275,23 @@ index ac00fb0..06cb083 100644
+interface(`irc_filetrans_home_content',`
+ gen_require(`
+ type irc_home_t;
++ type irssi_home_t;
+ ')
+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
-+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
++ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index ecad9c7..56e2b35 100644
+index ecad9c7..86d790f 100644
--- a/irc.te
+++ b/irc.te
-@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t)
+@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
+ typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
+ userdom_user_home_content(irc_home_t)
+
+-type irc_log_home_t;
+-userdom_user_home_content(irc_log_home_t)
+-
type irc_tmp_t;
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
@@ -28214,12 +28320,12 @@ index ecad9c7..56e2b35 100644
+type irssi_etc_t;
+files_config_file(irssi_etc_t)
+
-+type irssi_home_t;
++type irssi_home_t alias irc_log_home_t;
+userdom_user_home_content(irssi_home_t)
########################################
#
-@@ -53,13 +78,7 @@ allow irc_t irc_conf_t:file read_file_perms;
+@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms;
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
@@ -28234,7 +28340,7 @@ index ecad9c7..56e2b35 100644
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
-@@ -70,7 +89,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
+@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
kernel_read_system_state(irc_t)
@@ -28242,7 +28348,7 @@ index ecad9c7..56e2b35 100644
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
-@@ -93,7 +111,6 @@ dev_read_rand(irc_t)
+@@ -93,7 +108,6 @@ dev_read_rand(irc_t)
domain_use_interactive_fds(irc_t)
@@ -28250,7 +28356,7 @@ index ecad9c7..56e2b35 100644
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
-@@ -106,13 +123,15 @@ auth_use_nsswitch(irc_t)
+@@ -106,13 +120,15 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
@@ -28268,7 +28374,7 @@ index ecad9c7..56e2b35 100644
tunable_policy(`irc_use_any_tcp_ports',`
corenet_sendrecv_all_server_packets(irc_t)
-@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+@@ -122,18 +138,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
@@ -33519,10 +33625,10 @@ index b9270f7..15f3748 100644
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
')
diff --git a/mailman.if b/mailman.if
-index 108c0f1..d28241c 100644
+index 108c0f1..a248501 100644
--- a/mailman.if
+++ b/mailman.if
-@@ -1,44 +1,66 @@
+@@ -1,44 +1,70 @@
-## Manage electronic mail discussion and e-newsletter lists.
+## Mailman is for managing electronic mail discussion and e-newsletter lists
@@ -33560,8 +33666,13 @@ index 108c0f1..d28241c 100644
+ # Declarations
+ #
- type mailman_$1_t;
+- type mailman_$1_t;
- type mailman_$1_exec_t;
++ gen_require(`
++ attribute mailman_domain;
++ ')
++
++ type mailman_$1_t, mailman_domain;
domain_type(mailman_$1_t)
+ type mailman_$1_exec_t;
domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
@@ -33606,7 +33717,7 @@ index 108c0f1..d28241c 100644
')
#######################################
-@@ -56,15 +78,12 @@ interface(`mailman_domtrans',`
+@@ -56,15 +82,12 @@ interface(`mailman_domtrans',`
type mailman_mail_exec_t, mailman_mail_t;
')
@@ -33623,7 +33734,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -73,18 +92,18 @@ interface(`mailman_domtrans',`
+@@ -73,18 +96,18 @@ interface(`mailman_domtrans',`
##
##
##
@@ -33645,7 +33756,7 @@ index 108c0f1..d28241c 100644
')
#######################################
-@@ -103,7 +122,6 @@ interface(`mailman_domtrans_cgi',`
+@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',`
type mailman_cgi_exec_t, mailman_cgi_t;
')
@@ -33653,7 +33764,7 @@ index 108c0f1..d28241c 100644
domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
')
-@@ -122,13 +140,12 @@ interface(`mailman_exec',`
+@@ -122,13 +144,12 @@ interface(`mailman_exec',`
type mailman_mail_exec_t;
')
@@ -33668,7 +33779,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -146,7 +163,7 @@ interface(`mailman_signal_cgi',`
+@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',`
#######################################
##
@@ -33677,7 +33788,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -159,13 +176,12 @@ interface(`mailman_search_data',`
+@@ -159,13 +180,12 @@ interface(`mailman_search_data',`
type mailman_data_t;
')
@@ -33692,7 +33803,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -178,7 +194,6 @@ interface(`mailman_read_data_files',`
+@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',`
type mailman_data_t;
')
@@ -33700,7 +33811,7 @@ index 108c0f1..d28241c 100644
list_dirs_pattern($1, mailman_data_t, mailman_data_t)
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
-@@ -186,8 +201,8 @@ interface(`mailman_read_data_files',`
+@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',`
#######################################
##
@@ -33711,7 +33822,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -200,14 +215,13 @@ interface(`mailman_manage_data_files',`
+@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',`
type mailman_data_t;
')
@@ -33727,7 +33838,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -220,13 +234,12 @@ interface(`mailman_list_data',`
+@@ -220,13 +238,12 @@ interface(`mailman_list_data',`
type mailman_data_t;
')
@@ -33742,7 +33853,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -244,7 +257,7 @@ interface(`mailman_read_data_symlinks',`
+@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',`
#######################################
##
@@ -33751,7 +33862,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -257,13 +270,12 @@ interface(`mailman_read_log',`
+@@ -257,13 +274,12 @@ interface(`mailman_read_log',`
type mailman_log_t;
')
@@ -33766,7 +33877,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -276,14 +288,13 @@ interface(`mailman_append_log',`
+@@ -276,14 +292,13 @@ interface(`mailman_append_log',`
type mailman_log_t;
')
@@ -33782,7 +33893,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -296,14 +307,13 @@ interface(`mailman_manage_log',`
+@@ -296,14 +311,13 @@ interface(`mailman_manage_log',`
type mailman_log_t;
')
@@ -33798,7 +33909,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -316,7 +326,6 @@ interface(`mailman_read_archive',`
+@@ -316,7 +330,6 @@ interface(`mailman_read_archive',`
type mailman_archive_t;
')
@@ -33806,7 +33917,7 @@ index 108c0f1..d28241c 100644
allow $1 mailman_archive_t:dir list_dir_perms;
read_files_pattern($1, mailman_archive_t, mailman_archive_t)
read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
-@@ -324,8 +333,7 @@ interface(`mailman_read_archive',`
+@@ -324,8 +337,7 @@ interface(`mailman_read_archive',`
#######################################
##
@@ -33816,7 +33927,7 @@ index 108c0f1..d28241c 100644
##
##
##
-@@ -338,6 +346,5 @@ interface(`mailman_domtrans_queue',`
+@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',`
type mailman_queue_exec_t, mailman_queue_t;
')
@@ -33824,10 +33935,23 @@ index 108c0f1..d28241c 100644
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
-index 8eaf51b..5e9f5bb 100644
+index 8eaf51b..16086a5 100644
--- a/mailman.te
+++ b/mailman.te
-@@ -56,10 +56,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
+@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
+ #
+ # Declarations
+ #
++##
++##
++## Allow mailman to access FUSE file systems
++##
++##
++gen_tunable(mailman_use_fusefs, false)
+
+ attribute mailman_domain;
+
+@@ -56,10 +62,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
logging_log_filetrans(mailman_domain, mailman_log_t, file)
kernel_read_kernel_sysctls(mailman_domain)
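Review bot: The tunable description `## Allow mailman to access FUSE file systems` understates what the tunable actually grants: the later hunk in this file that adds the `tunable_policy(\`mailman_use_fusefs'` block calls `fs_manage_fusefs_dirs`, `fs_manage_fusefs_files` and `fs_manage_fusefs_symlinks` for the whole `mailman_domain` attribute, i.e. create/write/delete for every domain carrying that attribute, not read access. Suggest `## Allow mailman domains to create, read, write and delete files and directories on FUSE file systems` so an administrator enabling it understands it is a write grant. The `false` default is the right choice for a manage-level tunable.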
@@ -33838,7 +33962,7 @@ index 8eaf51b..5e9f5bb 100644
corenet_tcp_sendrecv_generic_if(mailman_domain)
corenet_tcp_sendrecv_generic_node(mailman_domain)
-@@ -82,10 +79,6 @@ fs_getattr_all_fs(mailman_domain)
+@@ -82,10 +85,6 @@ fs_getattr_all_fs(mailman_domain)
libs_exec_ld_so(mailman_domain)
libs_exec_lib_files(mailman_domain)
@@ -33849,7 +33973,7 @@ index 8eaf51b..5e9f5bb 100644
########################################
#
# CGI local policy
-@@ -115,8 +108,9 @@ optional_policy(`
+@@ -115,8 +114,9 @@ optional_policy(`
# Mail local policy
#
@@ -33861,7 +33985,7 @@ index 8eaf51b..5e9f5bb 100644
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-@@ -127,8 +121,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
+@@ -127,8 +127,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
@@ -33871,7 +33995,7 @@ index 8eaf51b..5e9f5bb 100644
dev_read_urand(mailman_mail_t)
-@@ -142,6 +136,10 @@ optional_policy(`
+@@ -142,6 +142,10 @@ optional_policy(`
')
optional_policy(`
@@ -33882,6 +34006,16 @@ index 8eaf51b..5e9f5bb 100644
cron_read_pipes(mailman_mail_t)
')
+@@ -182,3 +186,9 @@ optional_policy(`
+ optional_policy(`
+ su_exec(mailman_queue_t)
+ ')
++
++tunable_policy(`mailman_use_fusefs',`
++ fs_manage_fusefs_dirs(mailman_domain)
++ fs_manage_fusefs_files(mailman_domain)
++ fs_manage_fusefs_symlinks(mailman_domain)
++')
diff --git a/mailscanner.if b/mailscanner.if
index 0293f34..bd1d48e 100644
--- a/mailscanner.if
@@ -35595,10 +35729,10 @@ index 0000000..1446e6a
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..d27f8f3
+index 0000000..67b8b3d
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,264 @@
+policy_module(mock,1.0.0)
+
+##
@@ -35651,6 +35785,8 @@ index 0000000..d27f8f3
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
+allow mock_t self:unix_dgram_socket create_socket_perms;
+
++allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };
++
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
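Review bot: `allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };` switches off the hardening SELinux applies by default on a domain transition: pending signals and rlimits are inherited into mock_build_t and, through noatsecure, the new process is not run with the secure-execution handling the loader otherwise applies (environment variables such as LD_* are honoured). That weakens the separation of the build domain from its parent, so the line needs a why-comment, e.g. `# mock_build_t must inherit mock_t's environment and limits — confirm the build chroot depends on this`. Without it a later reader cannot tell whether this was a targeted fix for a specific denial or a blanket convenience.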
@@ -35674,7 +35810,6 @@ index 0000000..d27f8f3
+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
+allow mock_t mock_var_lib_t:file relabel_file_perms;
+
-+kernel_list_proc(mock_t)
+kernel_read_irq_sysctls(mock_t)
+kernel_read_system_state(mock_t)
+kernel_read_network_state(mock_t)
@@ -35682,6 +35817,13 @@ index 0000000..d27f8f3
+kernel_request_load_module(mock_t)
+kernel_dontaudit_setattr_proc_dirs(mock_t)
+kernel_read_fs_sysctls(mock_t)
++# we run mount in mock_t
++kernel_mount_proc(mock_t)
++kernel_unmount_proc(mock_t)
++
++fs_mount_tmpfs(mock_t)
++fs_unmount_tmpfs(mock_t)
++fs_unmount_xattr_fs(mock_t)
+
+corecmd_exec_bin(mock_t)
+corecmd_exec_shell(mock_t)
@@ -35693,23 +35835,28 @@ index 0000000..d27f8f3
+corenet_tcp_connect_all_ephemeral_ports(mock_t)
+
+dev_read_urand(mock_t)
-+dev_read_sysfs(mock_t)
++dev_rw_sysfs(mock_t)
+dev_setattr_sysfs_dirs(mock_t)
++dev_mount_sysfs_fs(mock_t)
++dev_unmount_sysfs_fs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_runtime_files(mock_t)
+files_dontaudit_list_boot(mock_t)
++files_list_isid_type_dirs(mock_t)
+
+fs_getattr_all_fs(mock_t)
-+fs_search_all(mock_t)
+fs_manage_cgroup_dirs(mock_t)
-+files_list_isid_type_dirs(mock_t)
++fs_search_all(mock_t)
++fs_setattr_tmpfs_dirs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+term_search_ptys(mock_t)
++term_mount_pty_fs(mock_t)
++term_unmount_pty_fs(mock_t)
+
+auth_use_nsswitch(mock_t)
+
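Review bot: `dev_rw_sysfs(mock_t)` replaces `dev_read_sysfs(mock_t)`, widening mock_t from reading to writing sysfs, while the same hunk separately adds `dev_mount_sysfs_fs`/`dev_unmount_sysfs_fs`. If the new need is only mounting sysfs inside the build root, the read interface plus the mount interfaces may suffice; if a genuine write is required, a comment naming the sysfs attribute mock writes (as the earlier `# we run mount in mock_t` comment does for the mount rules) would keep the grant auditable. `fs_search_all(mock_t)` and `files_list_isid_type_dirs(mock_t)` are only reordered here.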
@@ -35749,17 +35896,23 @@ index 0000000..d27f8f3
+')
+
+optional_policy(`
-+ rpm_exec(mock_t)
++ apache_read_sys_content_rw_files(mock_t)
+')
+
+optional_policy(`
-+ mount_exec(mock_t)
++ rpm_exec(mock_t)
++ rpm_manage_cache(mock_t)
++ rpm_manage_db(mock_t)
++ rpm_manage_tmp_files(mock_t)
++ rpm_read_log(mock_t)
+')
+
+optional_policy(`
-+ apache_read_sys_content_rw_files(mock_t)
++ mount_exec(mock_t)
++ mount_rw_pid_files(mock_t)
+')
+
++
+########################################
+#
+# mock_build local policy
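Review bot: `rpm_manage_db(mock_t)` and `rpm_manage_cache(mock_t)` give mock_t create/write/delete access to the RPM database and cache types where the previous revision only had `rpm_exec(mock_t)`; a comment stating that these are for rpm/yum runs against the build root would explain why a write grant on the package database is acceptable here, because an unexplained one tends to be copied forward. The same applies to `mount_rw_pid_files(mock_t)`. Style: the extra `++` blank line before the `########` separator leaves two consecutive blank lines.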
@@ -36091,7 +36244,7 @@ index 6ffaba2..18e3a70 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..648d041 100644
+index 6194b80..116d9d2 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -36254,14 +36407,14 @@ index 6194b80..648d041 100644
- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-+ mozilla_filetrans_home_content($2)
-
+-
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
-
- can_exec($2, mozilla_plugin_rw_t)
--
++ mozilla_filetrans_home_content($2)
+
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
@@ -36567,7 +36720,7 @@ index 6194b80..648d041 100644
##
##
##
-@@ -433,76 +320,90 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +320,108 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -36635,6 +36788,24 @@ index 6194b80..648d041 100644
- libs_search_lib($1)
- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
++')
++
++#######################################
++##
++## Dontaudit generict ipc read/write to a mozilla_plugin
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`mozilla_plugin_dontaudit_rw_sem',`
++ gen_require(`
++ type mozilla_plugin_t;
++ ')
++
++ allow $1 mozilla_plugin_t:sem { unix_read unix_write };
')
########################################
@@ -36687,7 +36858,7 @@ index 6194b80..648d041 100644
##
##
##
-@@ -510,19 +411,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +429,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -36712,7 +36883,7 @@ index 6194b80..648d041 100644
##
##
##
-@@ -530,45 +430,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +448,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -36788,7 +36959,7 @@ index 6194b80..648d041 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..4c1c064 100644
+index 6a306ee..8faac8d 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -37047,10 +37218,10 @@ index 6a306ee..4c1c064 100644
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
--userdom_write_user_tmp_sockets(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
+-userdom_write_user_tmp_sockets(mozilla_t)
+-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37213,7 +37384,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -300,221 +308,171 @@ optional_policy(`
+@@ -300,221 +308,173 @@ optional_policy(`
########################################
#
@@ -37468,7 +37639,8 @@ index 6a306ee..4c1c064 100644
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -37528,7 +37700,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -523,36 +481,47 @@ optional_policy(`
+@@ -523,36 +483,47 @@ optional_policy(`
')
optional_policy(`
@@ -37589,7 +37761,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -560,7 +529,7 @@ optional_policy(`
+@@ -560,7 +531,7 @@ optional_policy(`
')
optional_policy(`
@@ -37598,7 +37770,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -568,108 +537,108 @@ optional_policy(`
+@@ -568,108 +539,108 @@ optional_policy(`
')
optional_policy(`
@@ -42621,7 +42793,7 @@ index 0e8508c..b9c69d2 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..0c6cd41 100644
+index 0b48a30..57fe60f 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -42652,7 +42824,7 @@ index 0b48a30..0c6cd41 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -39,24 +42,41 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,24 +42,42 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
@@ -42679,6 +42851,7 @@ index 0b48a30..0c6cd41 100644
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
++allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_socket create_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
-allow NetworkManager_t self:tcp_socket { accept listen };
@@ -42703,7 +42876,7 @@ index 0b48a30..0c6cd41 100644
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
-@@ -68,6 +88,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +89,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -42711,7 +42884,7 @@ index 0b48a30..0c6cd41 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,9 +102,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,9 +103,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@@ -42721,7 +42894,7 @@ index 0b48a30..0c6cd41 100644
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
-@@ -91,7 +109,6 @@ kernel_request_load_module(NetworkManager_t)
+@@ -91,7 +110,6 @@ kernel_request_load_module(NetworkManager_t)
kernel_read_debugfs(NetworkManager_t)
kernel_rw_net_sysctls(NetworkManager_t)
@@ -42729,7 +42902,7 @@ index 0b48a30..0c6cd41 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +119,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +120,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@@ -42755,7 +42928,7 @@ index 0b48a30..0c6cd41 100644
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
-@@ -125,13 +135,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +136,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@@ -42769,7 +42942,7 @@ index 0b48a30..0c6cd41 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +143,16 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +144,16 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -42786,7 +42959,7 @@ index 0b48a30..0c6cd41 100644
storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
-@@ -148,10 +161,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +162,11 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -42799,7 +42972,7 @@ index 0b48a30..0c6cd41 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +180,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +181,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -42836,7 +43009,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -196,10 +221,6 @@ optional_policy(`
+@@ -196,10 +222,6 @@ optional_policy(`
')
optional_policy(`
@@ -42847,7 +43020,7 @@ index 0b48a30..0c6cd41 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +231,11 @@ optional_policy(`
+@@ -210,16 +232,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -42866,7 +43039,7 @@ index 0b48a30..0c6cd41 100644
')
')
-@@ -231,18 +247,19 @@ optional_policy(`
+@@ -231,18 +248,19 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -42889,7 +43062,18 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -257,11 +274,7 @@ optional_policy(`
+@@ -250,6 +268,10 @@ optional_policy(`
+ ipsec_kill_mgmt(NetworkManager_t)
+ ipsec_signal_mgmt(NetworkManager_t)
+ ipsec_signull_mgmt(NetworkManager_t)
++ ipsec_domtrans(NetworkManager_t)
++ ipsec_kill(NetworkManager_t)
++ ipsec_signal(NetworkManager_t)
++ ipsec_signull(NetworkManager_t)
+ ')
+
+ optional_policy(`
+@@ -257,11 +279,7 @@ optional_policy(`
')
optional_policy(`
@@ -42902,7 +43086,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -274,10 +287,17 @@ optional_policy(`
+@@ -274,10 +292,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -42920,7 +43104,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -289,6 +309,7 @@ optional_policy(`
+@@ -289,6 +314,7 @@ optional_policy(`
')
optional_policy(`
@@ -42928,7 +43112,7 @@ index 0b48a30..0c6cd41 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +317,7 @@ optional_policy(`
+@@ -296,7 +322,7 @@ optional_policy(`
')
optional_policy(`
@@ -42937,7 +43121,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -307,6 +328,7 @@ optional_policy(`
+@@ -307,6 +333,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -42945,7 +43129,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -320,13 +342,15 @@ optional_policy(`
+@@ -320,13 +347,15 @@ optional_policy(`
')
optional_policy(`
@@ -42965,7 +43149,7 @@ index 0b48a30..0c6cd41 100644
')
optional_policy(`
-@@ -356,6 +380,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -43275,7 +43459,7 @@ index 46e55c3..346242e 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index 3e4a31c..0d16edc 100644
+index 3e4a31c..bd8e3ff 100644
--- a/nis.te
+++ b/nis.te
@@ -1,12 +1,10 @@
@@ -43465,7 +43649,7 @@ index 3e4a31c..0d16edc 100644
sysnet_read_config(yppasswdd_t)
-@@ -219,6 +215,10 @@ optional_policy(`
+@@ -219,6 +215,14 @@ optional_policy(`
')
optional_policy(`
@@ -43473,10 +43657,14 @@ index 3e4a31c..0d16edc 100644
+')
+
+optional_policy(`
++ nis_use_ypbind(yppasswdd_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(yppasswdd_t)
')
-@@ -234,7 +234,8 @@ optional_policy(`
+@@ -234,7 +238,8 @@ optional_policy(`
dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
@@ -43486,7 +43674,7 @@ index 3e4a31c..0d16edc 100644
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
-@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+@@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
@@ -43494,7 +43682,7 @@ index 3e4a31c..0d16edc 100644
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
+@@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
@@ -43532,7 +43720,7 @@ index 3e4a31c..0d16edc 100644
nis_domtrans_ypxfr(ypserv_t)
-@@ -310,8 +306,8 @@ optional_policy(`
+@@ -310,8 +310,8 @@ optional_policy(`
# ypxfr local policy
#
@@ -43543,7 +43731,7 @@ index 3e4a31c..0d16edc 100644
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+@@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
@@ -43551,7 +43739,7 @@ index 3e4a31c..0d16edc 100644
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
+@@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
@@ -47517,7 +47705,7 @@ index 0000000..a437f80
+files_read_config_files(openshift_domain)
diff --git a/openshift.fc b/openshift.fc
new file mode 100644
-index 0000000..e108d48
+index 0000000..f2d6119
--- /dev/null
+++ b/openshift.fc
@@ -0,0 +1,26 @@
@@ -47541,7 +47729,7 @@ index 0000000..e108d48
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
+
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
-+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(unconfined_u:object_r:httpd_openshift_script_exec_t,s0)
++/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
+
@@ -48201,10 +48389,10 @@ index 0000000..407386d
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..45e60e5
+index 0000000..989a48d
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,526 @@
+@@ -0,0 +1,535 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -48301,6 +48489,8 @@ index 0000000..45e60e5
+unconfined_domain_noaudit(openshift_initrc_t)
+mcs_process_set_categories(openshift_initrc_t)
+
++virt_lxc_domain(openshift_initrc_t)
++
+systemd_dbus_chat_logind(openshift_initrc_t)
+
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
@@ -48369,7 +48559,10 @@ index 0000000..45e60e5
+
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
-+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
++manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file })
+can_exec(openshift_domain, openshift_tmpfs_t)
+
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
@@ -48664,7 +48857,7 @@ index 0000000..45e60e5
+#
+# openshift_cron local policy
+#
-+allow openshift_cron_t self:capability { net_admin sys_admin };
++allow openshift_cron_t self:capability { dac_override net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
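Review bot: `dac_override` is added to openshift_cron_t's capability set without a comment; it bypasses every discretionary read/write/execute check on files, which is far broader than a cron helper usually needs. If the motivating denial was reading or traversing directories owned by other users, `dac_read_search` is the narrower capability; either way a why-comment naming the operation keeps the grant reviewable, e.g. `allow openshift_cron_t self:capability { dac_read_search net_admin sys_admin }; # traverses user-owned dirs — confirm read-only suffices`.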
@@ -48728,6 +48921,10 @@ index 0000000..45e60e5
+')
+
+optional_policy(`
++ quota_read_db(openshift_cron_t)
++')
++
++optional_policy(`
+ ssh_exec_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
@@ -49123,7 +49320,7 @@ index 9b15730..14f29e4 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..3e42ef8 100644
+index 508fedf..9d7741b 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -1,4 +1,4 @@
@@ -49192,7 +49389,7 @@ index 508fedf..3e42ef8 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-@@ -57,33 +58,33 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -57,33 +58,34 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -49208,6 +49405,7 @@ index 508fedf..3e42ef8 100644
+kernel_request_load_module(openvswitch_t)
corecmd_exec_bin(openvswitch_t)
++corecmd_exec_shell(openvswitch_t)
+dev_read_rand(openvswitch_t)
dev_read_urand(openvswitch_t)
@@ -61238,10 +61436,28 @@ index cd51b96..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 76f5b39..53f9a64 100644
+index 76f5b39..8bb80a2 100644
--- a/qpid.te
+++ b/qpid.te
-@@ -37,37 +37,40 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
+@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
+ type qpidd_initrc_exec_t;
+ init_script_file(qpidd_initrc_exec_t)
+
++type qpidd_tmp_t;
++files_tmp_file(qpidd_tmp_t)
++
+ type qpidd_tmpfs_t;
+ files_tmpfs_file(qpidd_tmpfs_t)
+
+@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
+ allow qpidd_t self:tcp_socket { accept listen };
+ allow qpidd_t self:unix_stream_socket { accept listen };
+
++manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
++manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
++files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
++
+ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
@@ -61289,9 +61505,13 @@ index 76f5b39..53f9a64 100644
optional_policy(`
- corosync_stream_connect(qpidd_t)
-+ rhcs_stream_connect_cluster(qpidd_t)
++ kerberos_use(qpidd_t)
')
+
++optional_policy(`
++ rhcs_stream_connect_cluster(qpidd_t)
++')
++
diff --git a/quantum.fc b/quantum.fc
index 70ab68b..e97da31 100644
--- a/quantum.fc
@@ -63122,7 +63342,7 @@ index bff31df..e38693b 100644
##
##
diff --git a/realmd.te b/realmd.te
-index 9a8f052..727d60a 100644
+index 9a8f052..cffb3ca 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
@@ -63131,7 +63351,7 @@ index 9a8f052..727d60a 100644
########################################
#
-@@ -7,43 +7,52 @@ policy_module(realmd, 1.0.2)
+@@ -7,29 +7,38 @@ policy_module(realmd, 1.0.2)
type realmd_t;
type realmd_exec_t;
@@ -63139,6 +63359,9 @@ index 9a8f052..727d60a 100644
+application_domain(realmd_t, realmd_exec_t)
+role system_r types realmd_t;
+
++type realmd_tmp_t;
++files_tmp_file(realmd_tmp_t)
++
+type realmd_var_cache_t;
+files_type(realmd_var_cache_t)
@@ -63151,6 +63374,10 @@ index 9a8f052..727d60a 100644
allow realmd_t self:capability sys_nice;
allow realmd_t self:process setsched;
++manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
++manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
++files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
++
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
+
@@ -63167,17 +63394,17 @@ index 9a8f052..727d60a 100644
-corenet_sendrecv_http_client_packets(realmd_t)
corenet_tcp_connect_http_port(realmd_t)
-corenet_tcp_sendrecv_http_port(realmd_t)
++corenet_tcp_connect_ldap_port(realmd_t)
++corenet_tcp_connect_smbd_port(realmd_t)
domain_use_interactive_fds(realmd_t)
- dev_read_rand(realmd_t)
- dev_read_urand(realmd_t)
+@@ -38,12 +47,20 @@ dev_read_urand(realmd_t)
--fs_getattr_all_fs(realmd_t)
+ fs_getattr_all_fs(realmd_t)
-files_read_usr_files(realmd_t)
-+fs_getattr_all_fs(realmd_t)
-
+-
auth_use_nsswitch(realmd_t)
logging_send_syslog_msg(realmd_t)
@@ -63195,7 +63422,7 @@ index 9a8f052..727d60a 100644
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
-@@ -67,17 +76,25 @@ optional_policy(`
+@@ -67,17 +84,25 @@ optional_policy(`
optional_policy(`
nis_exec_ypbind(realmd_t)
@@ -63224,13 +63451,13 @@ index 9a8f052..727d60a 100644
')
optional_policy(`
-@@ -86,5 +103,26 @@ optional_policy(`
+@@ -86,5 +111,26 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
- sssd_initrc_domtrans(realmd_t)
+ sssd_systemctl(realmd_t)
- ')
++')
+
+optional_policy(`
+ xserver_read_state_xdm(realmd_t)
@@ -63249,7 +63476,7 @@ index 9a8f052..727d60a 100644
+ oddjob_systemctl(realmd_consolehelper_t)
+
+ unconfined_domain_noaudit(realmd_consolehelper_t)
-+')
+ ')
+
+
diff --git a/remotelogin.fc b/remotelogin.fc
@@ -63506,7 +63733,7 @@ index 5421af0..91e69b8 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
diff --git a/rgmanager.if b/rgmanager.if
-index 1c2f9aa..8af1f78 100644
+index 1c2f9aa..a4133dc 100644
--- a/rgmanager.if
+++ b/rgmanager.if
@@ -1,13 +1,13 @@
@@ -63630,7 +63857,7 @@ index 1c2f9aa..8af1f78 100644
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -121,3 +158,47 @@ interface(`rgmanager_admin',`
+@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
files_list_pids($1)
admin_pattern($1, rgmanager_var_run_t)
')
@@ -63675,9 +63902,28 @@ index 1c2f9aa..8af1f78 100644
+ ')
+
+ files_list_var_lib($1)
-+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+ can_exec($1, rgmanager_var_lib_t)
+')
++
++######################################
++##
++## Allow the specified domain to search rgmanager's lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rgmanager_search_lib',`
++ gen_require(`
++ type rgmanager_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
++')
diff --git a/rgmanager.te b/rgmanager.te
index b418d1c..1ad9c12 100644
--- a/rgmanager.te
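Review bot: The summary of the new `rgmanager_search_lib` interface says "search rgmanager's lib files", but the rule is `allow $1 rgmanager_var_lib_t:dir search_dir_perms;` together with `files_list_var_lib($1)`, i.e. directory search only. Suggest `## Search rgmanager lib directories.` so callers do not expect file access. The earlier `-+`/`++` pair on the `allow $1 rgmanager_var_lib_t:dir search_dir_perms;` line in the preceding interface is a whitespace-only change.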
@@ -67052,7 +67298,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..699925d 100644
+index e5212e6..427ea8c 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -67384,7 +67630,7 @@ index e5212e6..699925d 100644
userdom_list_user_tmp(gssd_t)
userdom_read_user_tmp_files(gssd_t)
userdom_read_user_tmp_symlinks(gssd_t)
-+ userdom_write_user_tmp_files(gssd_t)
++ userdom_manage_user_tmp_files(gssd_t)
+ files_read_generic_tmp_files(gssd_t)
')
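Review bot: `userdom_manage_user_tmp_files(gssd_t)` replaces `userdom_write_user_tmp_files(gssd_t)`, which widens gssd from writing existing user tmp files to creating, renaming and unlinking them. A one-line comment naming what gssd creates or removes there would make the grant auditable, since the enclosing block (which starts outside this hunk) otherwise only lists read-style interfaces. If only rewriting existing files is needed, the previous interface was the tighter choice.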
@@ -67581,10 +67827,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..54fe358 100644
+index ebe91fc..8dd55c5 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,69 @@
+@@ -1,61 +1,70 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -67637,6 +67883,7 @@ index ebe91fc..54fe358 100644
-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
@@ -67699,7 +67946,7 @@ index ebe91fc..54fe358 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index 0628d50..dbe00f4 100644
+index 0628d50..c73d362 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -67905,13 +68152,31 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -276,14 +318,12 @@ interface(`rpm_append_log',`
+@@ -276,14 +318,30 @@ interface(`rpm_append_log',`
type rpm_log_t;
')
- logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms;
++')
++
++########################################
++##
++## Create, read, write, and delete the RPM log.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`rpm_read_log',`
++ gen_require(`
++ type rpm_log_t;
++ ')
++
++ read_files_pattern($1, rpm_log_t, rpm_log_t)
')
########################################
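Review bot: The summary for the new `rpm_read_log` interface says "Create, read, write, and delete the RPM log." but the body only calls `read_files_pattern($1, rpm_log_t, rpm_log_t)`, so the doc was evidently copied from rpm_manage_log and should read `## Read the RPM log.`. The interface also does not grant search on the log directory: the removed `logging_search_logs($1)` line visible in the old rpm_append_log shows the file previously paired log-file access with that call, so a caller relying on rpm_read_log alone (the changelog names mock_t) may still be denied `search` on var_log_t unless it already has it elsewhere. Adding `logging_search_logs($1)` before the read_files_pattern line would make the interface self-contained.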
@@ -67922,7 +68187,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -302,7 +342,7 @@ interface(`rpm_manage_log',`
+@@ -302,7 +360,7 @@ interface(`rpm_manage_log',`
########################################
##
@@ -67931,7 +68196,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -320,8 +360,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',`
########################################
##
@@ -67942,7 +68207,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -335,12 +375,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',`
')
files_search_tmp($1)
@@ -67959,7 +68224,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -353,14 +396,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',`
type rpm_tmp_t;
')
@@ -67977,7 +68242,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -374,12 +416,14 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',`
')
files_search_tmp($1)
@@ -67993,7 +68258,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -399,7 +443,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',`
########################################
##
@@ -68002,7 +68267,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -420,8 +464,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +482,7 @@ interface(`rpm_read_cache',`
########################################
##
@@ -68012,7 +68277,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -442,7 +485,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',`
########################################
##
@@ -68021,7 +68286,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -459,11 +502,12 @@ interface(`rpm_read_db',`
+@@ -459,11 +520,12 @@ interface(`rpm_read_db',`
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -68035,7 +68300,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -482,8 +526,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +544,7 @@ interface(`rpm_delete_db',`
########################################
##
@@ -68045,7 +68310,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -504,7 +547,7 @@ interface(`rpm_manage_db',`
+@@ -504,7 +565,7 @@ interface(`rpm_manage_db',`
########################################
##
## Do not audit attempts to create, read,
@@ -68054,7 +68319,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -517,7 +560,7 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,7 +578,7 @@ interface(`rpm_dontaudit_manage_db',`
type rpm_var_lib_t;
')
@@ -68063,7 +68328,7 @@ index 0628d50..dbe00f4 100644
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
-@@ -543,8 +586,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +604,7 @@ interface(`rpm_read_pid_files',`
#####################################
##
@@ -68073,7 +68338,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -563,8 +605,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +623,7 @@ interface(`rpm_manage_pid_files',`
######################################
##
@@ -68083,7 +68348,7 @@ index 0628d50..dbe00f4 100644
##
##
##
-@@ -573,94 +614,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,94 +632,72 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
@@ -68187,15 +68452,15 @@ index 0628d50..dbe00f4 100644
-
- files_list_var($1)
- admin_pattern($1, rpm_cache_t)
--
++ typeattribute $1 rpm_transition_domain;
++ allow $1 rpm_script_t:process transition;
+
- files_list_tmp($1)
- admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
-
- files_list_var_lib($1)
- admin_pattern($1, rpm_var_lib_t)
-+ typeattribute $1 rpm_transition_domain;
-+ allow $1 rpm_script_t:process transition;
-
+-
- files_search_locks($1)
- admin_pattern($1, rpm_lock_t)
-
@@ -72193,10 +72458,10 @@ index 0000000..1b21b7b
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..449a87c
+index 0000000..5a3d049
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,462 @@
+@@ -0,0 +1,463 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -72657,6 +72922,7 @@ index 0000000..449a87c
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
++ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
+')
diff --git a/sanlock.fc b/sanlock.fc
@@ -72813,7 +73079,7 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index a34eac4..114c9d2 100644
+index a34eac4..25ad7ec 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -72947,12 +73213,13 @@ index a34eac4..114c9d2 100644
')
optional_policy(`
-@@ -100,7 +117,7 @@ optional_policy(`
+@@ -100,7 +117,8 @@ optional_policy(`
')
optional_policy(`
- virt_kill_all_virt_domains(sanlock_t)
+ virt_kill_svirt(sanlock_t)
++ virt_kill(sanlock_t)
virt_manage_lib_files(sanlock_t)
- virt_signal_all_virt_domains(sanlock_t)
+ virt_signal_svirt(sanlock_t)
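Review bot: The new `virt_kill(sanlock_t)` line grants sanlock_t SIGKILL on the libvirt daemon itself, which is a different (and more disruptive) grant than the neighbouring `virt_kill_svirt`/`virt_signal_svirt` calls that target guest domains, yet the two look interchangeable at this call site. A why-comment would keep the distinction from being lost on the next cleanup, e.g. `# sanlock-helper kills virtd when the lease it registered is lost` (the justification comes from the changelog entry in this patch, so confirm the wording against the sanlock-helper code). The enclosing optional_policy block starts outside this hunk.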
@@ -81326,10 +81593,10 @@ index 0000000..bfcd2c7
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..aaf768a
+index 0000000..49cd645
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,138 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -81424,6 +81691,7 @@ index 0000000..aaf768a
+userdom_dontaudit_setattr_user_tmp(thumb_t)
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
++userdom_exec_user_home_content_files(thumb_t)
+userdom_write_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t)
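Review bot: `userdom_exec_user_home_content_files(thumb_t)` lets the thumbnailer domain execute arbitrary files from the user's home, which works against the reason thumb_t exists (it parses untrusted files on the user's behalf): a thumbnailer flaw that lands a file in the home directory could then run it in the same domain. The changelog entry ("Allow thumb_t to execute user home content") does not say which thumbnailer needs this, so at minimum a comment above the line naming the consumer is warranted; better, wrap the call in a `tunable_policy` block keyed on a new boolean that defaults to false (the `gen_tunable` declaration would go near the top of thumb.te, outside this hunk), as the file already does for other optional access. If the need is to run a specific helper rather than any home content, a dedicated exec type for that helper would be tighter still.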
@@ -82357,7 +82625,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..0bd0be9 100644
+index 7116181..a6bd365 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -82370,9 +82638,12 @@ index 7116181..0bd0be9 100644
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
-@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t)
+@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t)
+ # Local policy
+ #
- allow tuned_t self:capability { sys_admin sys_nice };
+-allow tuned_t self:capability { sys_admin sys_nice };
++allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
dontaudit tuned_t self:capability { dac_override sys_tty_config };
-allow tuned_t self:process { setsched signal };
+allow tuned_t self:process { setsched signal };
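Review bot: Adding `sys_rawio` to `allow tuned_t self:capability { sys_admin sys_nice sys_rawio };` is a large grant (raw block-device and SG_IO pass-through, ioperm/iopl), and the hunk gives no hint which tuned plugin triggers it beyond the changelog's "Tuned wants sys_rawio capability". If the denial comes from a probe rather than a hard requirement, `dontaudit tuned_t self:capability sys_rawio;` would silence it without extending the domain; if it is genuinely needed, a comment above the allow naming the plugin and operation would let the next reviewer confirm it is still required. The surrounding whitespace-only rewrite of the `self:process` line is cosmetic.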
@@ -82403,7 +82674,7 @@ index 7116181..0bd0be9 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +74,48 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +74,52 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
@@ -82415,10 +82686,10 @@ index 7116181..0bd0be9 100644
files_dontaudit_search_home(tuned_t)
-files_dontaudit_list_tmp(tuned_t)
+files_list_tmp(tuned_t)
-+
-+fs_getattr_all_fs(tuned_t)
-fs_getattr_xattr_fs(tuned_t)
++fs_getattr_all_fs(tuned_t)
++
+auth_use_nsswitch(tuned_t)
logging_send_syslog_msg(tuned_t)
@@ -82435,6 +82706,10 @@ index 7116181..0bd0be9 100644
+ dbus_connect_system_bus(tuned_t)
+')
+
++optional_policy(`
++ dmidecode_domtrans(tuned_t)
++')
++
+# to allow disk tuning
+optional_policy(`
fstools_domtrans(tuned_t)
@@ -84055,7 +84330,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..b991ec7 100644
+index 9dec06c..fa2c674 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -85335,32 +85610,47 @@ index 9dec06c..b991ec7 100644
########################################
##
-## Read virt image files.
-+## Send a signal to virtual machines
++## Send a sigkill to virtd daemon.
##
##
##
-@@ -995,36 +867,17 @@ interface(`virt_search_images',`
+@@ -995,36 +867,35 @@ interface(`virt_search_images',`
##
##
#
-interface(`virt_read_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_kill',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-- ')
--
++ type virtd_t;
+ ')
+
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- list_dirs_pattern($1, virt_image_type, virt_image_type)
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
--
++ allow $1 virtd_t:process sigkill;
++')
+
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- fs_read_nfs_symlinks($1)
++########################################
++##
++## Send a signal to virtual machines
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_signal_svirt',`
++ gen_require(`
+ attribute virt_domain;
')
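Review bot: The new `virt_kill` interface grants `allow $1 virtd_t:process sigkill;` but its name does not say that the target is the daemon, while the sibling interfaces in this file (`virt_kill_svirt`, `virt_signal_svirt`) name the guest domains they cover, so at a call site `virt_kill` and `virt_kill_svirt` read as near-synonyms. Either rename it to follow the sibling pattern (naming virtd) or make the summary disambiguate, e.g. `## Send a sigkill to the virtd daemon (virtd_t); use virt_kill_svirt for guest domains.`. The `virt_signal_svirt` definition that follows continues past the end of this hunk.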
@@ -85380,7 +85670,7 @@ index 9dec06c..b991ec7 100644
##
##
##
-@@ -1032,58 +885,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +903,57 @@ interface(`virt_read_images',`
##
##
#
@@ -85460,7 +85750,7 @@ index 9dec06c..b991ec7 100644
##
##
##
-@@ -1091,95 +943,132 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +961,150 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -85479,16 +85769,16 @@ index 9dec06c..b991ec7 100644
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
-
+-
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
- ')
--
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
+
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files($1)
- fs_manage_cifs_files($1)
@@ -85553,14 +85843,6 @@ index 9dec06c..b991ec7 100644
- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
--
-- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 virtd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- fs_search_tmpfs($1)
-- admin_pattern($1, virt_tmpfs_type)
+ type $1_t, svirt_lxc_domain;
+ domain_type($1_t)
+ domain_user_exemption_target($1_t)
@@ -85568,9 +85850,33 @@ index 9dec06c..b991ec7 100644
+ mcs_constrained($1_t)
+ role system_r types $1_t;
+- init_labeled_script_domtrans($1, virtd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 virtd_initrc_exec_t system_r;
+- allow $2 system_r;
++ kernel_read_system_state($1_t)
++')
+
+- fs_search_tmpfs($1)
+- admin_pattern($1, virt_tmpfs_type)
++########################################
++##
++## Make the specified type usable as a lxc domain
++##
++##
++##
++## Type to be used as a lxc domain
++##
++##
++#
++template(`virt_lxc_domain',`
++ gen_require(`
++ attribute svirt_lxc_domain;
++ ')
+
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-+ kernel_read_system_state($1_t)
++ typeattribute $1 svirt_lxc_domain;
+')
- files_search_etc($1)
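Review bot: `virt_lxc_domain` is declared with `template(` but declares no new types; its body is only `typeattribute $1 svirt_lxc_domain;`, so by the file's own convention (the neighbouring `virt_lxc_domain_template` is the one that creates `$1_t`) it should use `interface(`. The doc block should also make explicit that the attribute adds access rather than restricting it: every rule written for svirt_lxc_domain now applies to the caller's type, which matters when it is applied to an existing domain as the changelog describes for openshift_initrc_t, e.g. `## The type gains all access granted to the svirt_lxc_domain attribute.`. Change the `template(` keyword on the definition line to `interface(`.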
@@ -85655,7 +85961,7 @@ index 9dec06c..b991ec7 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..e780b1b 100644
+index 1f22fba..64e638c 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -86524,7 +86830,7 @@ index 1f22fba..e780b1b 100644
+# virtual domains common policy
+#
+allow virt_domain self:capability2 compromise_kernel;
-+allow virt_domain self:process { setrlimit signal_perms getsched };
++allow virt_domain self:process { setrlimit signal_perms getsched setsched };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
@@ -87957,10 +88263,17 @@ index 1e3aec0..d17ff39 100644
+
')
diff --git a/wdmd.te b/wdmd.te
-index ebbdaf6..956f8f0 100644
+index ebbdaf6..144c0e7 100644
--- a/wdmd.te
+++ b/wdmd.te
-@@ -51,10 +51,8 @@ auth_use_nsswitch(wdmd_t)
+@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
+ dev_read_watchdog(wdmd_t)
+ dev_write_watchdog(wdmd_t)
+
++fs_getattr_all_fs(wdmd_t)
+ fs_read_anon_inodefs_files(wdmd_t)
+
+ auth_use_nsswitch(wdmd_t)
logging_send_syslog_msg(wdmd_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b22aa16..97e7a85 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 23%{?dist}
+Release: 26%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,93 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Apr 5 2013 Miroslav Grepl 3.12.1-26
+- Try to label on controlC devices up to 30 correctly
+- Add mount_rw_pid_files() interface
+- Add additional mount/umount interfaces needed by mock
+- fsadm_t sends audit messages in reads kernel_ipc_info when doing livecd-iso-to-disk
+- Fix tabs
+- Allow initrc_domain to search rgmanager lib files
+- Add more fixes which make mock working together with confined users
+ * Allow mock_t to manage rpm files
+ * Allow mock_t to read rpm log files
+ * Allow mock to setattr on tmpfs, devpts
+ * Allow mount/umount filesystems
+- Add rpm_read_log() interface
+- yum-cron runs rpm from within it.
+- Allow tuned to transition to dmidecode
+- Allow firewalld to do net_admin
+- Allow mock to unmont tmpfs_t
+- Fix virt_sigkill() interface
+- Add additional fixes for mock. Mainly caused by mount running in mock_t
+- Allow mock to write sysfs_t and mount pid files
+- Add mailman_domain to mailman_template()
+- Allow openvswitch to execute shell
+- Allow qpidd to use kerberos
+- Allow mailman to use fusefs, needs back port to RHEL6
+- Allow apache and its scripts to use anon_inodefs
+- Add alias for git_user_content_t and git_sys_content_t so that RHEL6 will update to RHEL7
+- Realmd needs to connect to samba ports, needs back port to F18 also
+- Allow colord to read /run/initial-setup-
+- Allow sanlock-helper to send sigkill to virtd which is registred to sanlock
+- Add virt_kill() interface
+- Add rgmanager_search_lib() interface
+- Allow wdmd to getattr on all filesystems. Back ported from RHEL6
+
+* Tue Apr 2 2013 Miroslav Grepl 3.12.1-25
+- Allow realmd to create tmp files
+- FIx ircssi_home_t type to irssi_home_t
+- Allow adcli running as realmd_t to connect to ldap port
+- Allow NetworkManager to transition to ipsec_t, for running strongswan
+- Make openshift_initrc_t an lxc_domain
+- Allow gssd to manage user_tmp_t files
+- Fix handling of irclogs in users homedir
+- Fix labeling for drupal an wp-content in subdirs of /var/www/html
+- Allow abrt to read utmp_t file
+- Fix openshift policy to transition lnk_file, sock-file an fifo_file when created in a tmpfs_t, needs back port to RHEL6
+- fix labeling for (oo|rhc)-restorer-wrapper.sh
+- firewalld needs to be able to write to network sysctls
+- Fix mozilla_plugin_dontaudit_rw_sem() interface
+- Dontaudit generic ipc read/write to a mozilla_plugin for sandbox_x domains
+- Add mozilla_plugin_dontaudit_rw_sem() interface
+- Allow svirt_lxc_t to transition to openshift domains
+- Allow condor domains block_suspend and dac_override caps
+- Allow condor_master to read passd
+- Allow condor_master to read system state
+- Allow NetworkManager to transition to ipsec_t, for running strongswan
+- Lots of access required by lvm_t to created encrypted usb device
+- Allow xdm_t to dbus communicate with systemd_localed_t
+- Label strongswan content as ipsec_exec_mgmt_t for now
+- Allow users to dbus chat with systemd_localed
+- Fix handling of .xsession-errors in xserver.if, so kde will work
+- Might be a bug but we are seeing avc's about people status on init_t:service
+- Make sure we label content under /var/run/lock as <>
+- Allow daemon and systemprocesses to search init_var_run_t directory
+- Add boolean to allow xdm to write xauth data to the home directory
+- Allow mount to write keys for the unconfined domain
+
+* Tue Mar 26 2013 Miroslav Grepl 3.12.1-24
+- Add labeling for /usr/share/pki
+- Allow programs that read var_run_t symlinks also read var_t symlinks
+- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
+- Fix labeling for /etc/dhcp directory
+- add missing systemd_stub_unit_file() interface
+- Add files_stub_var() interface
+- Add lables for cert_t directories
+- Make localectl set-x11-keymap working at all
+- Allow abrt to manage mock build environments to catch build problems.
+- Allow virt_domains to setsched for running gdb on itself
+- Allow thumb_t to execute user home content
+- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
+- Allow certwatch to execut /usr/bin/httpd
+- Allow cgred to send signal perms to itself, needs back port to RHEL6
+- Allow openshift_cron_t to look at quota
+- Allow cups_t to read inhered tmpfs_t from the kernel
+- Allow yppasswdd to use NIS
+- Tuned wants sys_rawio capability
+- Add ftpd_use_fusefs boolean
+- Allow dirsrvadmin_t to signal itself
+
* Wed Mar 20 2013 Miroslav Grepl 3.12.1-23
- Allow localectl to read /etc/X11/xorg.conf.d directory
- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""