diff --git a/policy-F16.patch b/policy-F16.patch
index 94909b5..414e56d 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -925,14 +925,16 @@ index 4f7bd3c..b5c346f 100644
 +	#unconfined_domain(kudzu_t)
  ')
 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..2f3bab7 100644
+index 7090dae..1297962 100644
 --- a/policy/modules/admin/logrotate.te
 +++ b/policy/modules/admin/logrotate.te
-@@ -116,17 +116,13 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +116,15 @@ miscfiles_read_localization(logrotate_t)
  
  seutil_dontaudit_read_config(logrotate_t)
  
 -userdom_use_user_terminals(logrotate_t)
++systemd_exec_systemctl(logrotate_t)
++
 +userdom_use_inherited_user_terminals(logrotate_t)
  userdom_list_user_home_dirs(logrotate_t)
  userdom_use_unpriv_users_fds(logrotate_t)
@@ -949,7 +951,15 @@ index 7090dae..2f3bab7 100644
  	# for savelog
  	can_exec(logrotate_t, logrotate_exec_t)
  
-@@ -166,6 +162,11 @@ optional_policy(`
+@@ -162,10 +160,19 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	callweaver_stream_connect(logrotate_t)
++')
++
++optional_policy(`
+ 	consoletype_exec(logrotate_t)
  ')
  
  optional_policy(`
@@ -961,7 +971,7 @@ index 7090dae..2f3bab7 100644
  	cups_domtrans(logrotate_t)
  ')
  
-@@ -203,7 +204,6 @@ optional_policy(`
+@@ -203,7 +210,6 @@ optional_policy(`
  	psad_domtrans(logrotate_t)
  ')
  
@@ -969,7 +979,7 @@ index 7090dae..2f3bab7 100644
  optional_policy(`
  	samba_exec_log(logrotate_t)
  ')
-@@ -228,3 +228,14 @@ optional_policy(`
+@@ -228,3 +234,14 @@ optional_policy(`
  optional_policy(`
  	varnishd_manage_log(logrotate_t)
  ')
@@ -2349,7 +2359,7 @@ index 0948921..f198119 100644
  	admin_pattern($1, shorewall_tmp_t)
  ')
 diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
-index c17b6a6..d412305 100644
+index c17b6a6..8ddae98 100644
 --- a/policy/modules/admin/shorewall.te
 +++ b/policy/modules/admin/shorewall.te
 @@ -58,6 +58,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
@@ -2362,7 +2372,7 @@ index c17b6a6..d412305 100644
  
  kernel_read_kernel_sysctls(shorewall_t)
  kernel_read_network_state(shorewall_t)
-@@ -80,13 +83,18 @@ fs_getattr_all_fs(shorewall_t)
+@@ -80,13 +83,20 @@ fs_getattr_all_fs(shorewall_t)
  
  init_rw_utmp(shorewall_t)
  
@@ -2375,6 +2385,8 @@ index c17b6a6..d412305 100644
  
 -userdom_dontaudit_list_user_home_dirs(shorewall_t)
 +userdom_dontaudit_list_admin_dir(shorewall_t)
++userdom_use_inherited_user_ttys(shorewall_t)
++userdom_use_inherited_user_ptys(shorewall_t)
 +
 +optional_policy(`
 +        brctl_domtrans(shorewall_t)
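Review bot: The two added calls `userdom_use_inherited_user_ttys(shorewall_t)` and `userdom_use_inherited_user_ptys(shorewall_t)` are spelled differently from the logrotate change earlier in this same patch, which uses the single `userdom_use_inherited_user_terminals(logrotate_t)`. If that interface covers both the tty and pty types, as its name suggests, `userdom_use_inherited_user_terminals(shorewall_t)` would keep the terminal grants uniform and easier to audit. The optional_policy block that follows is only partly inside this hunk.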
@@ -5036,7 +5048,7 @@ index f5afe78..bf930fc 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..93e68ff 100644
+index 2505654..d27f79b 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -5111,7 +5123,7 @@ index 2505654..93e68ff 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +110,165 @@ optional_policy(`
+@@ -75,3 +110,167 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -5186,6 +5198,8 @@ index 2505654..93e68ff 100644
 +files_read_etc_files(gnomesystemmm_t)
 +files_read_usr_files(gnomesystemmm_t)
 +
++fs_getattr_xattr_fs(gnomesystemmm_t)
++
 +miscfiles_read_localization(gnomesystemmm_t)
 +
 +userdom_read_all_users_state(gnomesystemmm_t)
@@ -6413,7 +6427,7 @@ index 9a6d67d..c499e03 100644
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
 +')
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..5f272f7 100644
+index 2a91fa8..85a9491 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -6502,7 +6516,7 @@ index 2a91fa8..5f272f7 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +289,194 @@ optional_policy(`
+@@ -266,3 +289,198 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -6595,7 +6609,7 @@ index 2a91fa8..5f272f7 100644
 +
 +miscfiles_read_localization(mozilla_plugin_t)
 +miscfiles_read_fonts(mozilla_plugin_t)
-+miscfiles_read_certs(mozilla_plugin_t)
++miscfiles_read_generic_certs(mozilla_plugin_t)
 +miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
 +miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
 +
@@ -6678,6 +6692,10 @@ index 2a91fa8..5f272f7 100644
 +')
 +
 +optional_policy(`
++	pcscd_stream_connect(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	xserver_read_xdm_pid(mozilla_plugin_t)
 +	xserver_stream_connect(mozilla_plugin_t)
 +	xserver_use_user_fonts(mozilla_plugin_t)
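Review bot: `pcscd_stream_connect(mozilla_plugin_t)` is guarded only by `optional_policy`, so wherever the pcscd module is present, every plugin confined as mozilla_plugin_t can connect to the smart-card daemon's socket. That widens what a domain meant to contain untrusted plugin content can reach. If only a specific plugin needs it, placing the call inside a `tunable_policy` block that defaults to off would limit the exposure. Failing that, a comment such as `# needed by <plugin> for smart-card login` (name to be filled in) would record why the access exists. The mozilla_plugin_t section starts and ends outside this hunk.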
@@ -7407,10 +7425,10 @@ index 0000000..37449c0
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..d3500a4
+index 0000000..24c9669
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,328 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -7602,6 +7620,10 @@ index 0000000..d3500a4
 +')
 +
 +optional_policy(`
++	gpm_getattr_gpmctl(nsplugin_t)
++')
++
++optional_policy(`
 +	mozilla_execute_user_home_files(nsplugin_t)
 +	mozilla_read_user_home_files(nsplugin_t)
 +	mozilla_write_user_home_files(nsplugin_t)
@@ -8784,10 +8806,10 @@ index 0000000..0fedd57
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..c06a38c
+index 0000000..10e2b3e
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,484 @@
+@@ -0,0 +1,486 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8907,6 +8929,7 @@ index 0000000..c06a38c
 +# sandbox local policy
 +#
 +
++allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
 +allow sandbox_domain self:fifo_file manage_file_perms;
 +allow sandbox_domain self:sem create_sem_perms;
 +allow sandbox_domain self:shm create_shm_perms;
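Review bot: The added `allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };` gives executable-stack and executable-heap permission to every type carrying `sandbox_domain`. As far as the visible lines show, those two permissions were previously granted only on the `sandbox_x_domain` rule that a later hunk of this patch edits. If the denial being fixed was `getattr`, `allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid };` would fix it while leaving the memory protections in place for non-X sandboxes. If execmem/execstack are really required there, a comment naming the workload that needs them would make the grant reviewable. The rest of the sandbox local policy section lies outside this hunk.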
@@ -8964,7 +8987,7 @@ index 0000000..c06a38c
 +
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +
-+allow sandbox_x_domain self:process { signal_perms getsched setsched setpgid execstack execmem };
++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack execmem };
 +dontaudit sandbox_x_domain sandbox_x_domain:process signal;
 +dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
 +
@@ -8989,6 +9012,7 @@ index 0000000..c06a38c
 +kernel_getattr_proc(sandbox_x_domain)
 +kernel_read_network_state(sandbox_x_domain)
 +kernel_read_system_state(sandbox_x_domain)
++kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)
 +
 +domain_dontaudit_read_all_domains_state(sandbox_x_domain)
 +
@@ -9287,10 +9311,23 @@ index 1f2cde4..7227631 100644
  #
  # /usr
 diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index 320df26..f505865 100644
+index 320df26..bd8db22 100644
 --- a/policy/modules/apps/screen.if
 +++ b/policy/modules/apps/screen.if
-@@ -64,6 +64,10 @@ template(`screen_role_template',`
+@@ -50,7 +50,7 @@ template(`screen_role_template',`
+ 	allow $1_screen_t self:udp_socket create_socket_perms;
+ 	# Internal screen networking
+ 	allow $1_screen_t self:fd use;
+-	allow $1_screen_t self:unix_stream_socket create_socket_perms;
++	allow $1_screen_t self:unix_stream_socket { create_socket_perms connectto };
+ 	allow $1_screen_t self:unix_dgram_socket create_socket_perms;
+ 
+ 	manage_dirs_pattern($1_screen_t, screen_tmp_t, screen_tmp_t)
+@@ -61,9 +61,14 @@ template(`screen_role_template',`
+ 	# Create fifo
+ 	manage_fifo_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
+ 	manage_dirs_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
++	manage_sock_files_pattern($1_screen_t, screen_var_run_t, screen_var_run_t)
  	files_pid_filetrans($1_screen_t, screen_var_run_t, dir)
  
  	allow $1_screen_t screen_home_t:dir list_dir_perms;
@@ -9301,15 +9338,18 @@ index 320df26..f505865 100644
  	read_files_pattern($1_screen_t, screen_home_t, screen_home_t)
  	read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
  
-@@ -73,6 +77,7 @@ template(`screen_role_template',`
+@@ -71,8 +76,10 @@ template(`screen_role_template',`
+ 
+ 	domtrans_pattern($3, screen_exec_t, $1_screen_t)
  	allow $3 $1_screen_t:process { signal sigchld };
++	dontaudit $3 $1_screen_t:unix_stream_socket { read write };
  	allow $1_screen_t $3:process signal;
  
 +	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
  	manage_dirs_pattern($3, screen_home_t, screen_home_t)
  	manage_files_pattern($3, screen_home_t, screen_home_t)
  	manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
-@@ -81,8 +86,6 @@ template(`screen_role_template',`
+@@ -81,8 +88,6 @@ template(`screen_role_template',`
  	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
  
  	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
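Review bot: The added `dontaudit $3 $1_screen_t:unix_stream_socket { read write };` suppresses denials without saying what triggers them. Presumably it is a stream-socket descriptor that screen leaks into the user's shell. A comment above the rule, for example `# screen leaks its stream socket to the calling user domain` (cause to be confirmed), would let a later reader tell the expected leak from a real access attempt that this rule now keeps out of the audit log. The template body starts and ends outside this hunk.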
@@ -9318,7 +9358,7 @@ index 320df26..f505865 100644
  	manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
  
  	kernel_read_system_state($1_screen_t)
-@@ -112,6 +115,7 @@ template(`screen_role_template',`
+@@ -112,6 +117,7 @@ template(`screen_role_template',`
  	# for SSP
  	dev_read_urand($1_screen_t)
  
@@ -9326,15 +9366,6 @@ index 320df26..f505865 100644
  	domain_use_interactive_fds($1_screen_t)
  
  	files_search_tmp($1_screen_t)
-@@ -137,7 +141,7 @@ template(`screen_role_template',`
- 
- 	seutil_read_config($1_screen_t)
- 
--	userdom_use_user_terminals($1_screen_t)
-+	userdom_use_inherited_user_terminals($1_screen_t)
- 	userdom_create_user_pty($1_screen_t)
- 	userdom_user_home_domtrans($1_screen_t, $3)
- 	userdom_setattr_user_ptys($1_screen_t)
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
 index 1dc7a85..787df80 100644
 --- a/policy/modules/apps/seunshare.if
@@ -10243,10 +10274,10 @@ index ced285a..2e50976 100644
 +	')
 +')
 diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
-index 13b2cea..45731eb 100644
+index 13b2cea..bf46ac1 100644
 --- a/policy/modules/apps/userhelper.te
 +++ b/policy/modules/apps/userhelper.te
-@@ -6,9 +6,61 @@ policy_module(userhelper, 1.6.0)
+@@ -6,9 +6,63 @@ policy_module(userhelper, 1.6.0)
  #
  
  attribute userhelper_type;
@@ -10283,6 +10314,8 @@ index 13b2cea..45731eb 100644
 +
 +corecmd_exec_bin(consolehelper_domain)
 +
++dev_getattr_all_chr_files(consolehelper_domain)
++
 +files_read_config_files(consolehelper_domain)
 +files_read_usr_files(consolehelper_domain)
 +
@@ -10648,7 +10681,7 @@ index 223ad43..d400ef6 100644
  # Reading dotfiles...
  # cjp: ?
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..0d54b2c 100644
+index 34c9d01..1240d65 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10857,9 +10890,12 @@ index 34c9d01..0d54b2c 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -373,7 +381,6 @@ ifdef(`distro_suse', `
+@@ -372,8 +380,9 @@ ifdef(`distro_suse', `
+ /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
 -/usr/lib64/yp/.+		--	gen_context(system_u:object_r:bin_t,s0)
  
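Review bot: The new entry `/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)?` matches a directory named helper-scripts at any depth below the gems tree, so the contents of such a directory in any installed gem are labelled bin_t. If the rule exists for one package's helper programs, anchoring the expression on that gem's directory would keep the executable label from spreading to unrelated gems. A comment naming the package would also help. The entry also separates the path and `gen_context` with a single space where the neighbouring lines use tabs.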
@@ -11274,7 +11310,7 @@ index 6cf8784..5b25039 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..1d51170 100644
+index e9313fb..a09c590 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -11438,174 +11474,7 @@ index e9313fb..1d51170 100644
  ')
  
  ########################################
-@@ -841,6 +896,166 @@ interface(`dev_manage_all_dev_nodes',`
- 
- ########################################
- ## <summary>
-+##	Check generic block device nodes
-+##	for read permission.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_check_read_generic_blk_dev_nodes',`
-+	gen_require(`
-+		attribute device_node;
-+		type device_t;
-+	')
-+
-+	allow $1 { device_t device_node }:blk_file read;
-+')
-+
-+########################################
-+## <summary>
-+##	Check generic block device nodes
-+##	for write permission.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_check_write_generic_blk_dev_nodes',`
-+	gen_require(`
-+		attribute device_node;
-+		type device_t;
-+	')
-+
-+	allow $1 { device_t device_node }:blk_file write;
-+')
-+
-+########################################
-+## <summary>
-+##	Check all character device nodes
-+##	for read permission.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_check_read_all_chr_dev_nodes',`
-+	gen_require(`
-+		attribute device_node, memory_raw_read;
-+		type device_t;
-+	')
-+
-+	allow $1 { device_t device_node }:chr_file read;
-+	typeattribute $1 memory_raw_read;
-+')
-+
-+########################################
-+## <summary>
-+##	Check all character device nodes
-+##	for write permission.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_check_write_all_chr_dev_nodes',`
-+	gen_require(`
-+		attribute device_node, memory_raw_write;
-+		type device_t;
-+	')
-+
-+	allow $1 { device_t device_node }:chr_file write;
-+	typeattribute $1 memory_raw_write;
-+')
-+
-+########################################
-+## <summary>
-+##	Create all character device_nodes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_create_all_chr_dev_nodes',`
-+	gen_require(`
-+		attribute device_node;
-+		type device_t;
-+	')
-+
-+	create_chr_files_pattern($1, device_t, device_node)
-+')
-+
-+########################################
-+## <summary>
-+##	Create all block device_nodes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_create_all_blk_dev_nodes',`
-+	gen_require(`
-+		attribute device_node;
-+		type device_t;
-+	')
-+
-+	create_blk_files_pattern($1, device_t, device_node)
-+')
-+
-+########################################
-+## <summary>
-+##	Set attributes of all character
-+##	device_nodes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_setattr_all_chr_dev_nodes',`
-+	gen_require(`
-+		type device_t;
-+		attribute device_node;
-+	')
-+
-+	setattr_chr_files_pattern($1, device_t, { device_t device_node })
-+')
-+
-+########################################
-+## <summary>
-+##	Set attributes of all block
-+##	device_nodes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_setattr_all_blk_dev_nodes',`
-+	gen_require(`
-+		type device_t;
-+		attribute device_node;
-+	')
-+
-+	setattr_blk_files_pattern($1, device_t, { device_t device_node })
-+')
-+
-+########################################
-+## <summary>
- ##	Dontaudit getattr for generic device files.
- ## </summary>
- ## <param name="domain">
-@@ -920,7 +1135,7 @@ interface(`dev_filetrans',`
+@@ -920,7 +975,7 @@ interface(`dev_filetrans',`
  		type device_t;
  	')
  
@@ -11614,7 +11483,15 @@ index e9313fb..1d51170 100644
  
  	dev_associate($2)
  	files_associate_tmp($2)
-@@ -1178,6 +1393,42 @@ interface(`dev_create_all_chr_files',`
+@@ -1006,6 +1061,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',`
+ interface(`dev_getattr_all_chr_files',`
+ 	gen_require(`
+ 		attribute device_node;
++		type device_t;
+ 	')
+ 
+ 	getattr_chr_files_pattern($1, device_t, device_node)
+@@ -1178,6 +1234,42 @@ interface(`dev_create_all_chr_files',`
  
  ########################################
  ## <summary>
@@ -11657,7 +11534,7 @@ index e9313fb..1d51170 100644
  ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -2663,7 +2914,7 @@ interface(`dev_write_misc',`
+@@ -2663,7 +2755,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11666,7 +11543,7 @@ index e9313fb..1d51170 100644
  ##	</summary>
  ## </param>
  #
-@@ -3192,24 +3443,6 @@ interface(`dev_rw_printer',`
+@@ -3192,24 +3284,6 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -11691,7 +11568,7 @@ index e9313fb..1d51170 100644
  ##	Get the attributes of the QEMU
  ##	microcode and id interfaces.
  ## </summary>
-@@ -3793,6 +4026,24 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3793,6 +3867,24 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -11716,7 +11593,7 @@ index e9313fb..1d51170 100644
  ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3884,25 +4135,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+@@ -3884,25 +3976,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  
  ########################################
  ## <summary>
@@ -11742,7 +11619,7 @@ index e9313fb..1d51170 100644
  ##	Read hardware state information.
  ## </summary>
  ## <desc>
-@@ -3954,6 +4186,42 @@ interface(`dev_rw_sysfs',`
+@@ -3954,6 +4027,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
@@ -11785,7 +11662,7 @@ index e9313fb..1d51170 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4514,6 +4782,24 @@ interface(`dev_rwx_vmware',`
+@@ -4514,6 +4623,24 @@ interface(`dev_rwx_vmware',`
  
  ########################################
  ## <summary>
@@ -11810,7 +11687,7 @@ index e9313fb..1d51170 100644
  ##	Write to watchdog devices.
  ## </summary>
  ## <param name="domain">
-@@ -4748,3 +5034,772 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4875,772 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -15816,7 +15693,7 @@ index a9b8982..57c4a6a 100644
 +/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/lib/udev/devices/fuse	-c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 3723150..8320396 100644
+index 3723150..b7b777d 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -15828,41 +15705,7 @@ index 3723150..8320396 100644
  	typeattribute $1 fixed_disk_raw_read;
  ')
  
-@@ -152,6 +154,33 @@ interface(`storage_raw_write_fixed_disk',`
- 
- ########################################
- ## <summary>
-+##	Directly check for write from a
-+##	fixed disk. This is extremly
-+##	dangerous as it can bypass the
-+##	SELinux protections for filesystem
-+##	objects, and should only be used
-+##	by trusted domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`storage_raw_check_write_fixed_disk',`
-+	gen_require(`
-+		attribute fixed_disk_raw_write;
-+		type fixed_disk_device_t;
-+	')
-+
-+	dev_list_all_dev_nodes($1)
-+	allow $1 fixed_disk_device_t:blk_file write;
-+	allow $1 fixed_disk_device_t:chr_file write;
-+	typeattribute $1 fixed_disk_raw_write;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts made by the caller to write
- ##	fixed disk device nodes.
- ## </summary>
-@@ -203,7 +232,10 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -203,7 +205,10 @@ interface(`storage_create_fixed_disk_dev',`
  		type fixed_disk_device_t;
  	')
  
@@ -15873,40 +15716,7 @@ index 3723150..8320396 100644
  	dev_add_entry_generic_dirs($1)
  ')
  
-@@ -474,6 +506,32 @@ interface(`storage_write_scsi_generic',`
- 
- ########################################
- ## <summary>
-+##	Directly check for write from any
-+##	SCSI device. This is extremly
-+##	dangerous as it can bypass the
-+##	SELinux protections for filesystem
-+##	objects, and should only be used
-+##	by trusted domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`storage_check_write_scsi_generic',`
-+	gen_require(`
-+		attribute scsi_generic_write;
-+		type scsi_generic_device_t;
-+	')
-+
-+	dev_list_all_dev_nodes($1)
-+	allow $1 scsi_generic_device_t:chr_file write;
-+	typeattribute $1 scsi_generic_write;
-+')
-+
-+########################################
-+## <summary>
- ##	Set attributes of the device nodes
- ##	for the SCSI generic inerface.
- ## </summary>
-@@ -807,3 +865,304 @@ interface(`storage_unconfined',`
+@@ -807,3 +812,358 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -16040,6 +15850,50 @@ index 3723150..8320396 100644
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, sdc7)
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, sdc8)
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, sdc9)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd0)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd1)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd2)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd3)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd4)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd5)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd6)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd7)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd8)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdd9)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde0)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde1)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde2)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde3)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde4)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde5)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde6)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde7)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde8)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sde9)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf0)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf1)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf2)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf3)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf4)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf5)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf6)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf7)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf8)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdf9)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg0)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg1)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg2)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg3)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg4)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg5)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg6)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg7)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg8)
++	dev_filetrans($1, fixed_disk_device_t, blk_file, sdg9)
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, dm-0)
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, dm-1)
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, dm-2)
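Review bot: These named transitions are enumerated one device name at a time and, after this addition, still end at sdg9. A node created as sdh, sdaa or sda10 presumably keeps the directory's default label until something relabels it. A comment at the head of the list would make the limit explicit, e.g. `# named transitions cover only the names listed here; other nodes rely on relabeling after creation`. The same applies to the sr0–sr9 entries added in the next hunk. Names such as `sdd0` do not correspond to a partition node the kernel normally creates (numbering starts at 1), so those lines are harmless but dead. The interface begins and ends outside this hunk.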
@@ -16185,6 +16039,16 @@ index 3723150..8320396 100644
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, sg7)
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, sg8)
 +	dev_filetrans($1, scsi_generic_device_t, chr_file, sg9)
++	dev_filetrans($1, removable_device_t, blk_file, sr0)
++	dev_filetrans($1, removable_device_t, blk_file, sr1)
++	dev_filetrans($1, removable_device_t, blk_file, sr2)
++	dev_filetrans($1, removable_device_t, blk_file, sr3)
++	dev_filetrans($1, removable_device_t, blk_file, sr4)
++	dev_filetrans($1, removable_device_t, blk_file, sr5)
++	dev_filetrans($1, removable_device_t, blk_file, sr6)
++	dev_filetrans($1, removable_device_t, blk_file, sr7)
++	dev_filetrans($1, removable_device_t, blk_file, sr8)
++	dev_filetrans($1, removable_device_t, blk_file, sr9)
 +	dev_filetrans($1, removable_device_t, blk_file, sjcd)
 +	dev_filetrans($1, removable_device_t, blk_file, sonycd)
 +	dev_filetrans($1, tape_device_t, chr_file, tape0)
@@ -19149,10 +19013,10 @@ index e88b95f..4b5f106 100644
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..0380c60 100644
+index 1bd5812..58e01b0 100644
 --- a/policy/modules/services/abrt.fc
 +++ b/policy/modules/services/abrt.fc
-@@ -15,6 +15,14 @@
+@@ -15,6 +15,13 @@
  
  /var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
  /var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -19162,11 +19026,10 @@ index 1bd5812..0380c60 100644
  /var/spool/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_cache_t,s0)
 +
 +# ABRT retrace server
-+/usr/bin/abrt-retrace-worker                 --      gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/abrt-retrace-worker				--      gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/coredump2packages\.py				--		gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
 +
-+/usr/share/abrt-retrace(/.*)?                           gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/usr/share/abrt-retrace/worker\.py              --      gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/usr/share/abrt-retrace/coredump2packages\.py    --      gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
++/var/cache/abrt-retrace(/.*)?						gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
 diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
 index 0b827c5..c3b3a95 100644
 --- a/policy/modules/services/abrt.if
@@ -19326,7 +19189,7 @@ index 0b827c5..c3b3a95 100644
 +	manage_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..0944e25 100644
+index 30861ec..3cdc81e 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -19578,7 +19441,7 @@ index 30861ec..0944e25 100644
 +manage_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +manage_lnk_files_pattern(abrt_retrace_worker_t, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +
-+allow abrt_retrace_worker_t abrt_etc_t:file r_file_perms;
++allow abrt_retrace_worker_t abrt_etc_t:file read_file_perms;
 +
 +can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
 +
@@ -20986,7 +20849,7 @@ index 6480167..1440827 100644
 +	userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, web)
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..5bbc3c3 100644
+index 3136c6a..02f0378 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -21366,7 +21229,7 @@ index 3136c6a..5bbc3c3 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,6 +492,12 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +492,13 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -21374,12 +21237,13 @@ index 3136c6a..5bbc3c3 100644
 +manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
 +manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
 +manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
 +manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
 +files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,34 +512,74 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +513,74 @@ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
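Review bot: The added `manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)` gives CGI scripts create/delete/read/write on FIFOs labelled httpd_tmp_t, yet the `files_tmp_filetrans(...)` two lines below labels FIFOs the scripts create in /tmp as httpd_sys_rw_content_t. As written, the new rule therefore seems to matter mainly for FIFOs created by another domain under httpd_tmp_t, i.e. it extends how much of the server's temporary state scripts can touch. A comment above the rule would record the intent, e.g. `# scripts share FIFOs created by httpd_t in its tmp dirs` (reason to be confirmed). Whether these rules sit inside a CGI tunable cannot be seen from this hunk.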
@@ -21456,7 +21320,7 @@ index 3136c6a..5bbc3c3 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +592,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +593,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -21467,7 +21331,7 @@ index 3136c6a..5bbc3c3 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +606,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +607,27 @@ tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -21497,7 +21361,7 @@ index 3136c6a..5bbc3c3 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +636,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +637,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -21514,7 +21378,7 @@ index 3136c6a..5bbc3c3 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +660,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +661,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -21535,7 +21399,7 @@ index 3136c6a..5bbc3c3 100644
  ')
  
  optional_policy(`
-@@ -513,7 +684,13 @@ optional_policy(`
+@@ -513,7 +685,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21550,7 +21414,7 @@ index 3136c6a..5bbc3c3 100644
  ')
  
  optional_policy(`
-@@ -528,7 +705,18 @@ optional_policy(`
+@@ -528,7 +706,18 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -21570,7 +21434,7 @@ index 3136c6a..5bbc3c3 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +725,13 @@ optional_policy(`
+@@ -537,8 +726,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21585,7 +21449,7 @@ index 3136c6a..5bbc3c3 100644
  	')
  ')
  
-@@ -556,7 +749,13 @@ optional_policy(`
+@@ -556,7 +750,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21599,7 +21463,7 @@ index 3136c6a..5bbc3c3 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +766,7 @@ optional_policy(`
+@@ -567,6 +767,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -21607,7 +21471,7 @@ index 3136c6a..5bbc3c3 100644
  ')
  
  optional_policy(`
-@@ -577,6 +777,16 @@ optional_policy(`
+@@ -577,6 +778,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21624,7 +21488,7 @@ index 3136c6a..5bbc3c3 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +801,11 @@ optional_policy(`
+@@ -591,6 +802,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21636,7 +21500,7 @@ index 3136c6a..5bbc3c3 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +818,11 @@ optional_policy(`
+@@ -603,6 +819,11 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -21648,7 +21512,7 @@ index 3136c6a..5bbc3c3 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +836,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +837,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -21661,7 +21525,7 @@ index 3136c6a..5bbc3c3 100644
  
  ########################################
  #
-@@ -654,28 +878,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +879,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -21705,7 +21569,7 @@ index 3136c6a..5bbc3c3 100644
  ')
  
  ########################################
-@@ -699,17 +925,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +926,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -21731,7 +21595,7 @@ index 3136c6a..5bbc3c3 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +971,27 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +972,27 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -21760,7 +21624,7 @@ index 3136c6a..5bbc3c3 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1014,25 @@ optional_policy(`
+@@ -769,6 +1015,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -21786,7 +21650,7 @@ index 3136c6a..5bbc3c3 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1053,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1054,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -21804,7 +21668,7 @@ index 3136c6a..5bbc3c3 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1072,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1073,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -21861,7 +21725,7 @@ index 3136c6a..5bbc3c3 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1123,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1124,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -21892,7 +21756,7 @@ index 3136c6a..5bbc3c3 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1158,20 @@ optional_policy(`
+@@ -842,10 +1159,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -21913,7 +21777,7 @@ index 3136c6a..5bbc3c3 100644
  ')
  
  ########################################
-@@ -891,11 +1217,21 @@ optional_policy(`
+@@ -891,11 +1218,21 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -23439,6 +23303,452 @@ index 0000000..e7d2a5b
 +dev_search_sysfs(cachefiles_kernel_t)
 +
 +init_sigchld_script(cachefiles_kernel_t)
+diff --git a/policy/modules/services/callweaver.fc b/policy/modules/services/callweaver.fc
+new file mode 100644
+index 0000000..3e15c63
+--- /dev/null
++++ b/policy/modules/services/callweaver.fc
+@@ -0,0 +1,11 @@
++/etc/rc\.d/init\.d/callweaver	--	gen_context(system_u:object_r:callweaver_initrc_exec_t,s0)
++
++/usr/sbin/callweaver		--	gen_context(system_u:object_r:callweaver_exec_t,s0)
++
++/var/lib/callweaver(/.*)?		gen_context(system_u:object_r:callweaver_var_lib_t,s0)
++
++/var/log/callweaver(/.*)?		gen_context(system_u:object_r:callweaver_log_t,s0)
++
++/var/run/callweaver(/.*)?		gen_context(system_u:object_r:callweaver_var_run_t,s0)
++
++/var/spool/callweaver(/.*)?		gen_context(system_u:object_r:callweaver_spool_t,s0)
+diff --git a/policy/modules/services/callweaver.if b/policy/modules/services/callweaver.if
+new file mode 100644
+index 0000000..c8d7b83
+--- /dev/null
++++ b/policy/modules/services/callweaver.if
+@@ -0,0 +1,338 @@
++## <summary>Open source PBX project.</summary>
++
++########################################
++## <summary>
++##	Execute callweaver in the
++##	callweaver domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`callweaver_domtrans',`
++	gen_require(`
++		type callweaver_t, callweaver_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, callweaver_exec_t, callweaver_t)
++')
++
++########################################
++## <summary>
++##	Execute callweaver in the
++##	callweaver domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`callweaver_initrc_domtrans',`
++	gen_require(`
++		type callweaver_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, callweaver_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Read callweaver log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_read_log',`
++	gen_require(`
++		type callweaver_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++##	Append to callweaver log files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++#
++interface(`callweaver_append_log',`
++	gen_require(`
++		type callweaver_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++##	Manage callweaver log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_manage_log',`
++	gen_require(`
++		type callweaver_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, callweaver_log_t, callweaver_log_t)
++	manage_files_pattern($1, callweaver_log_t, callweaver_log_t)
++	manage_lnk_files_pattern($1, callweaver_log_t, callweaver_log_t)
++')
++
++########################################
++## <summary>
++##	Search callweaver lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_search_lib',`
++	gen_require(`
++		type callweaver_var_lib_t;
++	')
++
++	allow $1 callweaver_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read callweaver lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_read_lib_files',`
++	gen_require(`
++		type callweaver_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage callweaver lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_manage_lib_files',`
++	gen_require(`
++		type callweaver_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage callweaver lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_manage_lib_dirs',`
++	gen_require(`
++		type callweaver_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, callweaver_var_lib_t, callweaver_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Read callweaver PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_read_pid_files',`
++	gen_require(`
++		type callweaver_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 callweaver_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Connect to callweaver over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_stream_connect',`
++	gen_require(`
++		type callweaver_t, callweaver_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, callweaver_var_run_t, callweaver_var_run_t, callweaver_t)
++')
++
++########################################
++## <summary>
++##	Search callweaver spool directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_search_spool',`
++	gen_require(`
++		type callweaver_spool_t;
++	')
++
++	allow $1 callweaver_spool_t:dir search_dir_perms;
++	files_search_spool($1)
++')
++
++########################################
++## <summary>
++##	Read callweaver spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_read_spool_files',`
++	gen_require(`
++		type callweaver_spool_t;
++	')
++
++	files_search_spool($1)
++	read_files_pattern($1, callweaver_spool_t callweaver_spool_t)
++')
++
++########################################
++## <summary>
++##	Manage callweaver spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_manage_spool_files',`
++	gen_require(`
++		type callweaver_spool_t;
++	')
++
++	files_search_spool($1)
++	manage_files_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++########################################
++## <summary>
++##	Manage callweaver spool dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`callweaver_manage_spool_dirs',`
++	gen_require(`
++		type callweaver_spool_t;
++	')
++
++	files_search_spool($1)
++	manage_dirs_pattern($1, callweaver_spool_t, callweaver_spool_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an callweaver environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`callweaver_admin',`
++	gen_require(`
++		type callweaver_t;
++		type callweaver_initrc_exec_t;
++		type callweaver_log_t;
++		type callweaver_var_lib_t;
++		type callweaver_var_run_t;
++		type callweaver_spool_t;
++	')
++
++	allow $1 callweaver_t:process { ptrace signal_perms };
++	ps_process_pattern($1, callweaver_t)
++
++	callweaver_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 callweaver_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, callweaver_log_t)
++
++	files_search_var_lib($1)
++	admin_pattern($1, callweaver_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, callweaver_var_run_t)
++
++	files_search_spool($1)
++	admin_pattern($1, callweaver_spool_t)
++')
+diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te
+new file mode 100644
+index 0000000..a67f732
+--- /dev/null
++++ b/policy/modules/services/callweaver.te
+@@ -0,0 +1,79 @@
++policy_module(callweaver,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type callweaver_t;
++type callweaver_exec_t;
++init_daemon_domain(callweaver_t, callweaver_exec_t)
++
++permissive callweaver_t;
++
++type callweaver_initrc_exec_t;
++init_script_file(callweaver_initrc_exec_t)
++
++type callweaver_log_t;
++logging_log_file(callweaver_log_t)
++
++type callweaver_var_lib_t;
++files_type(callweaver_var_lib_t)
++
++type callweaver_var_run_t;
++files_pid_file(callweaver_var_run_t)
++
++type callweaver_spool_t;
++files_type(callweaver_spool_t)
++
++########################################
++#
++# callweaver local policy
++#
++
++allow callweaver_t self:capability { setuid sys_nice setgid };
++allow callweaver_t self:process { setsched signal };
++allow callweaver_t self:fifo_file rw_fifo_file_perms;
++allow callweaver_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
++manage_files_pattern(callweaver_t, callweaver_log_t, callweaver_log_t)
++logging_log_filetrans(callweaver_t, callweaver_log_t, { dir file } )
++
++manage_dirs_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
++manage_files_pattern(callweaver_t, callweaver_var_lib_t, callweaver_var_lib_t)
++files_var_lib_filetrans(callweaver_t, callweaver_var_lib_t, { dir file } )
++
++manage_dirs_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++manage_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++manage_sock_files_pattern(callweaver_t, callweaver_var_run_t, callweaver_var_run_t)
++files_pid_filetrans(callweaver_t, callweaver_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++manage_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++manage_lnk_files_pattern(callweaver_t, callweaver_spool_t, callweaver_spool_t)
++files_spool_filetrans(callweaver_t, callweaver_spool_t, { dir file })
++
++allow callweaver_t self:tcp_socket create_stream_socket_perms;
++allow callweaver_t self:udp_socket create_socket_perms;
++
++kernel_read_sysctl(callweaver_t)
++kernel_read_kernel_sysctls(callweaver_t)
++
++corenet_udp_bind_asterisk_port(callweaver_t)
++corenet_udp_bind_generic_port(callweaver_t)
++corenet_udp_bind_sip_port(callweaver_t)
++
++dev_manage_generic_symlinks(callweaver_t)
++
++domain_use_interactive_fds(callweaver_t)
++
++files_read_etc_files(callweaver_t)
++
++term_getattr_pty_fs(callweaver_t)
++term_use_generic_ptys(callweaver_t)
++term_use_ptmx(callweaver_t)
++
++auth_use_nsswitch(callweaver_t)
++
++miscfiles_read_localization(callweaver_t)
 diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc
 index 5432d0e..f77df02 100644
 --- a/policy/modules/services/canna.fc
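Review bot: In `callweaver_read_spool_files` (callweaver.if) the call `read_files_pattern($1, callweaver_spool_t callweaver_spool_t)` is missing the comma between its second and third arguments, so the macro gets two arguments instead of three and cannot expand to the intended rules. It should be `read_files_pattern($1, callweaver_spool_t, callweaver_spool_t)`, matching `callweaver_manage_spool_files` just below it. The summary of `callweaver_initrc_domtrans` is a copy of the one on `callweaver_domtrans` and should describe the init script instead, e.g. `Execute the callweaver init script in the init script domain.` In callweaver.te, `permissive callweaver_t;` means denials for the daemon are logged but not enforced. A comment saying when the domain is expected to become enforcing would help, since `corenet_udp_bind_generic_port` and `dev_manage_generic_symlinks` are broad grants for a daemon that also binds the SIP port.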
@@ -25008,10 +25318,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..c0e81e5
+index 0000000..74788d2
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,107 @@
+@@ -0,0 +1,108 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -25072,6 +25382,7 @@ index 0000000..c0e81e5
 +dev_read_urand(colord_t)
 +dev_list_sysfs(colord_t)
 +dev_rw_generic_usb_dev(colord_t)
++storage_getattr_fixed_disk_dev(colord_t)
 +storage_read_scsi_generic(colord_t)
 +storage_write_scsi_generic(colord_t)
 +
@@ -27495,7 +27806,7 @@ index f706b99..f0c629f 100644
 +	files_list_pids($1)
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..bf57734 100644
+index f231f17..7cc036b 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
@@ -27521,7 +27832,15 @@ index f231f17..bf57734 100644
  kernel_getattr_message_if(devicekit_disk_t)
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
-@@ -105,14 +110,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -97,6 +102,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+ dev_manage_generic_files(devicekit_disk_t)
+ dev_getattr_all_chr_files(devicekit_disk_t)
+ dev_getattr_mtrr_dev(devicekit_disk_t)
++dev_rw_generic_blk_files(devicekit_disk_t)
+ 
+ domain_getattr_all_pipes(devicekit_disk_t)
+ domain_getattr_all_sockets(devicekit_disk_t)
+@@ -105,14 +111,17 @@ domain_read_all_domains_state(devicekit_disk_t)
  
  files_dontaudit_read_all_symlinks(devicekit_disk_t)
  files_getattr_all_sockets(devicekit_disk_t)
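Review bot: The added `dev_rw_generic_blk_files(devicekit_disk_t)` has no comment saying which block node needs it, and "generic" block files are nodes that still carry the default device label rather than a storage type. devicekit_disk_t already holds raw read/write on fixed and removable disks through the `storage_raw_*` calls visible in a later hunk of this file. The new grant therefore looks like a workaround for a node that is used before it is relabelled, which is an inference to confirm with the author. I would put a why-comment above the line, e.g. `# rw on device_t block nodes: <reason / bug reference>`, and check whether a file-context entry or type transition for that node would make the grant unnecessary.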
@@ -27540,7 +27859,7 @@ index f231f17..bf57734 100644
  fs_list_inotifyfs(devicekit_disk_t)
  fs_manage_fusefs_dirs(devicekit_disk_t)
  fs_mount_all_fs(devicekit_disk_t)
-@@ -127,7 +135,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,7 +136,7 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -27549,7 +27868,7 @@ index f231f17..bf57734 100644
  
  auth_use_nsswitch(devicekit_disk_t)
  
-@@ -178,33 +186,53 @@ optional_policy(`
+@@ -178,33 +187,53 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -27606,7 +27925,7 @@ index f231f17..bf57734 100644
  domain_read_all_domains_state(devicekit_power_t)
  
  dev_read_input(devicekit_power_t)
-@@ -212,21 +240,28 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+@@ -212,21 +241,28 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
@@ -27636,7 +27955,7 @@ index f231f17..bf57734 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,6 +270,10 @@ optional_policy(`
+@@ -235,6 +271,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27647,7 +27966,7 @@ index f231f17..bf57734 100644
  	cron_initrc_domtrans(devicekit_power_t)
  ')
  
-@@ -261,14 +300,21 @@ optional_policy(`
+@@ -261,14 +301,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27670,7 +27989,7 @@ index f231f17..bf57734 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +322,25 @@ optional_policy(`
+@@ -276,9 +323,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28227,7 +28546,7 @@ index 0000000..9d8f5de
 +')
 diff --git a/policy/modules/services/dirsrv.te b/policy/modules/services/dirsrv.te
 new file mode 100644
-index 0000000..da04e46
+index 0000000..61e618a
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.te
 @@ -0,0 +1,179 @@
@@ -28323,7 +28642,7 @@ index 0000000..da04e46
 +
 +kernel_read_system_state(dirsrv_t)
 +
-+corecmd_search_sbin(dirsrv_t)
++corecmd_search_bin(dirsrv_t)
 +
 +corenet_all_recvfrom_unlabeled(dirsrv_t)
 +corenet_all_recvfrom_netlabel(dirsrv_t)
@@ -31662,7 +31981,7 @@ index 9878499..9167dc9 100644
  	domain_system_change_exemption($1)
  	role_transition $2 jabberd_initrc_exec_t system_r;
 diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
-index da2127e..e141bc5 100644
+index da2127e..ae77997 100644
 --- a/policy/modules/services/jabber.te
 +++ b/policy/modules/services/jabber.te
 @@ -5,13 +5,19 @@ policy_module(jabber, 1.8.0)
@@ -31746,19 +32065,19 @@ index da2127e..e141bc5 100644
  
 -files_read_etc_files(jabberd_t)
 -files_read_etc_runtime_files(jabberd_t)
-+miscfiles_read_certs(jabberd_router_t)
++miscfiles_read_generic_certs(jabberd_router_t)
++
++optional_policy(`
++	kerberos_use(jabberd_router_t)
++')
  
 -fs_getattr_all_fs(jabberd_t)
 -fs_search_auto_mountpoints(jabberd_t)
 +optional_policy(`
-+        kerberos_use(jabberd_router_t)
++	nis_use_ypbind(jabberd_router_t)
 +')
  
 -logging_send_syslog_msg(jabberd_t)
-+optional_policy(`
-+       nis_use_ypbind(jabberd_router_t)
-+')
-+
 +#####################################
 +#
 +# Local policy for other jabberd components
@@ -31776,17 +32095,16 @@ index da2127e..e141bc5 100644
  
  optional_policy(`
 -	nis_use_ypbind(jabberd_t)
-+       seutil_sigchld_newrole(jabberd_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(jabberd_t)
  ')
  
  optional_policy(`
--	seutil_sigchld_newrole(jabberd_t)
-+       udev_read_db(jabberd_t)
+ 	udev_read_db(jabberd_t)
  ')
- 
--optional_policy(`
--	udev_read_db(jabberd_t)
--')
++
 +#######################################
 +#
 +# Local policy for jabberd domains
@@ -35236,7 +35554,7 @@ index c358d8f..fec6a97 100644
  
  	allow $1 munin_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..8f01394 100644
+index f17583b..6b17513 100644
 --- a/policy/modules/services/munin.te
 +++ b/policy/modules/services/munin.te
 @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -35392,7 +35710,7 @@ index f17583b..8f01394 100644
  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
 +# needed by munin_* plugins
-+allow system_munin_plugin_t munin_log_t:file r_file_perms;
++allow system_munin_plugin_t munin_log_t:file read_file_perms;
 +
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -39287,7 +39605,7 @@ index 46bee12..37bd751 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..38fe95a 100644
+index 06e37d4..4276415 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -39477,7 +39795,14 @@ index 06e37d4..38fe95a 100644
  ########################################
  #
  # Postfix map local policy
-@@ -390,8 +429,8 @@ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_m
+@@ -385,13 +424,15 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
+ read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ 
++mcs_file_read_all(postfix_pickup_t)
++
+ ########################################
+ #
  # Postfix pipe local policy
  #
  
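Review bot: `mcs_file_read_all(postfix_pickup_t)` is added without a comment, and it exempts pickup from the MCS category check on every file read that type enforcement already permits, not only on maildrop queue files. If the intent is to let pickup read queue files submitted by processes running with categories (an assumption, the hunk does not say), a comment such as `# pickup reads maildrop files created at any MCS level` would let a later reviewer judge whether the exemption is still needed. The pickup section starts outside this hunk, so other MCS-related rules for the domain may exist that are not visible here.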
@@ -39487,7 +39812,7 @@ index 06e37d4..38fe95a 100644
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -401,6 +440,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +442,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -39496,7 +39821,7 @@ index 06e37d4..38fe95a 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +461,7 @@ optional_policy(`
+@@ -420,6 +463,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -39504,7 +39829,7 @@ index 06e37d4..38fe95a 100644
  ')
  
  optional_policy(`
-@@ -436,6 +478,9 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,6 +480,9 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -39514,7 +39839,7 @@ index 06e37d4..38fe95a 100644
  rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
  
  postfix_list_spool(postfix_postdrop_t)
-@@ -487,8 +532,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +534,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -39525,7 +39850,7 @@ index 06e37d4..38fe95a 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +552,8 @@ optional_policy(`
+@@ -507,6 +554,8 @@ optional_policy(`
  # Postfix qmgr local policy
  #
  
@@ -39534,7 +39859,7 @@ index 06e37d4..38fe95a 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +566,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +568,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -39543,7 +39868,7 @@ index 06e37d4..38fe95a 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +586,7 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +588,7 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -39552,7 +39877,7 @@ index 06e37d4..38fe95a 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -588,10 +635,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +637,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -39569,7 +39894,7 @@ index 06e37d4..38fe95a 100644
  ')
  
  optional_policy(`
-@@ -611,8 +664,8 @@ optional_policy(`
+@@ -611,8 +666,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -39579,7 +39904,7 @@ index 06e37d4..38fe95a 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +683,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +685,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -40517,7 +40842,7 @@ index 2855a44..0456b11 100644
  		type puppet_tmp_t;
  	')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..ebb9b4d 100644
+index 64c5f95..0d94b62 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -40608,7 +40933,7 @@ index 64c5f95..ebb9b4d 100644
  logging_send_syslog_msg(puppetmaster_t)
  
  miscfiles_read_localization(puppetmaster_t)
-+miscfiles_read_certs(puppetmaster_t)
++miscfiles_read_generic_certs(puppetmaster_t)
 +
 +seutil_read_file_contexts(puppetmaster_t)
  
@@ -40618,15 +40943,15 @@ index 64c5f95..ebb9b4d 100644
 +mta_send_mail(puppetmaster_t)
 +
 +optional_policy(`
-+    tunable_policy(`puppetmaster_use_db',`
-+        mysql_stream_connect(puppetmaster_t)
-+    ')
++		tunable_policy(`puppetmaster_use_db',`
++				mysql_stream_connect(puppetmaster_t)
++		')
 +')
 +
 +optional_policy(`
-+    tunable_policy(`puppetmaster_use_db',`
-+        postgresql_stream_connect(puppetmaster_t)
-+    ')
++		tunable_policy(`puppetmaster_use_db',`
++				postgresql_stream_connect(puppetmaster_t)
++		')
 +')
 +
  optional_policy(`
@@ -44599,10 +44924,10 @@ index adea9f9..d5b2d93 100644
  
  	init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
 diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
-index 606a098..8b74d10 100644
+index 606a098..14535da 100644
 --- a/policy/modules/services/smartmon.te
 +++ b/policy/modules/services/smartmon.te
-@@ -73,16 +73,21 @@ files_read_etc_runtime_files(fsdaemon_t)
+@@ -73,19 +73,26 @@ files_read_etc_runtime_files(fsdaemon_t)
  files_read_usr_files(fsdaemon_t)
  # for config
  files_read_etc_files(fsdaemon_t)
@@ -44624,6 +44949,11 @@ index 606a098..8b74d10 100644
  
  term_dontaudit_search_ptys(fsdaemon_t)
  
++init_read_utmp(fsdaemon_t)
++
+ libs_exec_ld_so(fsdaemon_t)
+ libs_exec_lib_files(fsdaemon_t)
+ 
 diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
 index 740994a..a92ba26 100644
 --- a/policy/modules/services/smokeping.te
@@ -53590,7 +53920,7 @@ index cc83689..48662f1 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..22a5fdd 100644
+index ea29513..787ac51 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -53975,15 +54305,18 @@ index ea29513..22a5fdd 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +482,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -289,8 +480,10 @@ dev_write_framebuffer(initrc_t)
+ dev_read_realtime_clock(initrc_t)
+ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
++dev_setattr_generic_dirs(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
 +dev_rw_generic_chr_files(initrc_t)
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +490,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +491,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
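Review bot: `dev_setattr_generic_dirs(initrc_t)` is now granted unconditionally, but the same call is still present inside the distro_debian ifdef block further down in init.te (visible as context in a later hunk). That makes the Debian-only line redundant and hides that the permission was once distro-specific. Either drop the line from the Debian block or keep the grant conditional. If it is meant for every distribution, a short comment above the new line, e.g. `# <why initrc needs setattr on /dev directories>`, would record the reason.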
@@ -53999,7 +54332,7 @@ index ea29513..22a5fdd 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +508,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +509,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -54007,7 +54340,7 @@ index ea29513..22a5fdd 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +516,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +517,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -54019,7 +54352,7 @@ index ea29513..22a5fdd 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +535,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +536,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -54033,7 +54366,7 @@ index ea29513..22a5fdd 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +550,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +551,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -54042,7 +54375,7 @@ index ea29513..22a5fdd 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +564,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +565,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -54050,7 +54383,7 @@ index ea29513..22a5fdd 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +576,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +577,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -54058,7 +54391,7 @@ index ea29513..22a5fdd 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +597,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +598,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -54080,7 +54413,7 @@ index ea29513..22a5fdd 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +660,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +661,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -54091,7 +54424,7 @@ index ea29513..22a5fdd 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +684,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +685,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -54100,7 +54433,7 @@ index ea29513..22a5fdd 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +699,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +700,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -54108,7 +54441,7 @@ index ea29513..22a5fdd 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +729,29 @@ ifdef(`distro_redhat',`
+@@ -522,8 +730,29 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -54138,7 +54471,7 @@ index ea29513..22a5fdd 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +759,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +760,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -54161,7 +54494,7 @@ index ea29513..22a5fdd 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +789,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +790,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -54201,7 +54534,7 @@ index ea29513..22a5fdd 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +834,8 @@ optional_policy(`
+@@ -561,6 +835,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -54210,7 +54543,7 @@ index ea29513..22a5fdd 100644
  ')
  
  optional_policy(`
-@@ -577,6 +852,7 @@ optional_policy(`
+@@ -577,6 +853,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -54218,7 +54551,7 @@ index ea29513..22a5fdd 100644
  ')
  
  optional_policy(`
-@@ -589,6 +865,11 @@ optional_policy(`
+@@ -589,6 +866,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54230,7 +54563,7 @@ index ea29513..22a5fdd 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +886,13 @@ optional_policy(`
+@@ -605,9 +887,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -54244,7 +54577,7 @@ index ea29513..22a5fdd 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +934,11 @@ optional_policy(`
+@@ -649,6 +935,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54256,7 +54589,7 @@ index ea29513..22a5fdd 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +996,13 @@ optional_policy(`
+@@ -706,7 +997,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54270,7 +54603,7 @@ index ea29513..22a5fdd 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1025,10 @@ optional_policy(`
+@@ -729,6 +1026,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54281,7 +54614,7 @@ index ea29513..22a5fdd 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1038,20 @@ optional_policy(`
+@@ -738,10 +1039,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54302,7 +54635,7 @@ index ea29513..22a5fdd 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1060,10 @@ optional_policy(`
+@@ -750,6 +1061,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54313,7 +54646,7 @@ index ea29513..22a5fdd 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1085,6 @@ optional_policy(`
+@@ -771,8 +1086,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -54322,7 +54655,7 @@ index ea29513..22a5fdd 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1093,21 @@ optional_policy(`
+@@ -781,14 +1094,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54344,7 +54677,7 @@ index ea29513..22a5fdd 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1119,6 @@ optional_policy(`
+@@ -800,7 +1120,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54352,7 +54685,7 @@ index ea29513..22a5fdd 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1128,24 @@ optional_policy(`
+@@ -810,11 +1129,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -54378,7 +54711,7 @@ index ea29513..22a5fdd 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1155,25 @@ optional_policy(`
+@@ -824,6 +1156,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -54404,7 +54737,7 @@ index ea29513..22a5fdd 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1199,42 @@ optional_policy(`
+@@ -849,3 +1200,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -58844,7 +59177,7 @@ index ff80d0a..95e705c 100644
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index df32316..0c5f46e 100644
+index df32316..5dfe875 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1)
@@ -59036,7 +59369,7 @@ index df32316..0c5f46e 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +361,15 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +361,14 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -59045,14 +59378,13 @@ index df32316..0c5f46e 100644
 +')
 +
  ifdef(`hide_broken_symptoms',`
-+
 +	# caused by some bogus kernel code
 +	dontaudit ifconfig_t self:capability sys_module;
 +
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,12 +380,31 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,12 +379,31 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -59084,7 +59416,7 @@ index df32316..0c5f46e 100644
  ')
  
  optional_policy(`
-@@ -355,3 +429,9 @@ optional_policy(`
+@@ -355,3 +428,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -59760,7 +60092,7 @@ index 025348a..4e2ca03 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..a90decc 100644
+index d88f7c3..5635614 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -59834,35 +60166,15 @@ index d88f7c3..a90decc 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -95,8 +101,19 @@ kernel_read_software_raid_state(udev_t)
- 
- corecmd_exec_all_executables(udev_t)
+@@ -97,6 +103,7 @@ corecmd_exec_all_executables(udev_t)
  
-+dev_write_kmsg(udev_t)
  dev_rw_sysfs(udev_t)
--dev_manage_all_dev_nodes(udev_t)
-+dev_read_raw_memory(udev_t)
-+dev_check_read_all_chr_dev_nodes(udev_t)
-+dev_check_read_generic_blk_dev_nodes(udev_t)
-+dev_check_write_all_chr_dev_nodes(udev_t)
-+dev_check_write_generic_blk_dev_nodes(udev_t)
-+dev_create_all_blk_dev_nodes(udev_t)
-+dev_create_all_chr_dev_nodes(udev_t)
-+dev_setattr_all_chr_dev_nodes(udev_t)
-+dev_setattr_all_blk_dev_nodes(udev_t)
+ dev_manage_all_dev_nodes(udev_t)
 +dev_rw_generic_usb_dev(udev_t)
-+
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -105,21 +122,27 @@ dev_relabel_all_dev_nodes(udev_t)
- # preserved, instead of short circuiting the relabel
- dev_relabel_generic_symlinks(udev_t)
- dev_manage_generic_symlinks(udev_t)
-+dev_manage_generic_dirs(udev_t)
- 
- domain_read_all_domains_state(udev_t)
- domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
  
  files_read_usr_files(udev_t)
  files_read_etc_runtime_files(udev_t)
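Review bot: In the udev.te section the new side keeps `dev_manage_all_dev_nodes(udev_t)` as a context line, so the patch no longer replaces it with the narrower `dev_check_read_*`/`dev_check_write_*`, `dev_create_all_*_dev_nodes` and `dev_setattr_all_*_dev_nodes` calls it carried before. The next hunk (`@@ -59884,21 +60196,7 @@`) drops the six `storage_*` lines in the same way. udev_t is therefore back on the blanket manage interface for all device nodes, a step away from least privilege, and the 3.9.16-22 `%changelog` entry does not mention it. If the revert is intentional, record it with a line such as `- Revert udev_t to dev_manage_all_dev_nodes() instead of per-class device node rules`, so the widened access can be found and revisited. The same hunk also stops adding `dev_write_kmsg(udev_t)` and `dev_manage_generic_dirs(udev_t)`; it is not visible here whether another rule still covers them, so that is worth confirming against AVC denials on a test boot.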
@@ -59884,21 +60196,7 @@ index d88f7c3..a90decc 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -136,6 +159,13 @@ selinux_compute_create_context(udev_t)
- selinux_compute_relabel_context(udev_t)
- selinux_compute_user_contexts(udev_t)
- 
-+storage_raw_read_fixed_disk(udev_t)
-+storage_read_scsi_generic(udev_t)
-+storage_raw_read_removable_device(udev_t)
-+storage_raw_write_removable_device(udev_t)
-+storage_raw_check_write_fixed_disk(udev_t)
-+storage_check_write_scsi_generic(udev_t)
-+
- auth_read_pam_console_data(udev_t)
- auth_domtrans_pam_console(udev_t)
- auth_use_nsswitch(udev_t)
-@@ -143,6 +173,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -59906,7 +60204,7 @@ index d88f7c3..a90decc 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -186,15 +217,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +199,16 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -59927,7 +60225,7 @@ index d88f7c3..a90decc 100644
  ')
  
  optional_policy(`
-@@ -216,11 +248,16 @@ optional_policy(`
+@@ -216,11 +230,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59944,7 +60242,7 @@ index d88f7c3..a90decc 100644
  ')
  
  optional_policy(`
-@@ -230,6 +267,15 @@ optional_policy(`
+@@ -230,6 +249,15 @@ optional_policy(`
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -59960,7 +60258,7 @@ index d88f7c3..a90decc 100644
  ')
  
  optional_policy(`
-@@ -259,6 +305,10 @@ optional_policy(`
+@@ -259,6 +287,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59971,7 +60269,7 @@ index d88f7c3..a90decc 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +323,11 @@ optional_policy(`
+@@ -273,6 +305,11 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6d583cf..629f001 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,15 @@ exit 0
 %endif
 
 %changelog
+* Thu May 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-22
+- Allow logrotate to execute systemctl
+- Allow nsplugin_t to getattr on gpmctl
+- Fix dev_getattr_all_chr_files() interface
+- Allow shorewall to use inherited terms
+- Allow userhelper to getattr all chr_file devices
+- sandbox domains should be able to getattr and dontaudit search of sysctl_kernel_t
+- Fix labeling for ABRT Retrace Server
+
 * Mon May 9 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-21
 - Dontaudit sys_module for ifconfig
 - Make telepathy and gkeyringd daemon working with confined users