diff --git a/policy-F14.patch b/policy-F14.patch
index bf785d7..a168177 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -304,10 +304,10 @@ index f76ed8a..9a9526a 100644
  
  optional_policy(`
 diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
-index 2c2cdb6..b95a47f 100644
+index 2c2cdb6..73b3814 100644
 --- a/policy/modules/admin/brctl.if
 +++ b/policy/modules/admin/brctl.if
-@@ -18,3 +18,22 @@ interface(`brctl_domtrans',`
+@@ -18,3 +18,28 @@ interface(`brctl_domtrans',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, brctl_exec_t, brctl_t)
  ')
@@ -318,9 +318,15 @@ index 2c2cdb6..b95a47f 100644
 +## </summary>
 +## <param name="domain">
 +##      <summary>
-+##      Domain allowed access.
++##      Domain allowed to transition.
++##      </summary>
++## </param>
++## <param name="role">
++##      <summary>
++##      Role allowed access.
 +##      </summary>
 +## </param>
++## <rolecap/>
 +#
 +interface(`brctl_run',`
 +        gen_require(`
@@ -868,6 +874,31 @@ index 7077413..70edcd6 100644
  /var/lib/readahead(/.*)?	gen_context(system_u:object_r:readahead_var_lib_t,s0)
 +/lib/systemd/systemd-readahead.*	--	gen_context(system_u:object_r:readahead_exec_t,s0)
 +
+diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
+index 47c4723..4866a08 100644
+--- a/policy/modules/admin/readahead.if
++++ b/policy/modules/admin/readahead.if
+@@ -1 +1,20 @@
+ ## <summary>Readahead, read files into page cache for improved performance</summary>
++
++########################################
++## <summary>
++##	Transition to the readahead domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`readahead_domtrans',`
++	gen_require(`
++		type readahead_t, readahead_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, readahead_exec_t, readahead_t)
++')
 diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te
 index 2df2f1d..c1aaa79 100644
 --- a/policy/modules/admin/readahead.te
@@ -1446,6 +1477,18 @@ index 3863241..5280124 100644
 +optional_policy(`
  	xserver_dontaudit_write_log(shutdown_t)
  ')
+diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te
+index f48e9dd..b72049a 100644
+--- a/policy/modules/admin/smoltclient.te
++++ b/policy/modules/admin/smoltclient.te
+@@ -46,6 +46,7 @@ fs_list_auto_mountpoints(smoltclient_t)
+ 
+ files_getattr_generic_locks(smoltclient_t)
+ files_read_etc_files(smoltclient_t)
++files_read_etc_runtime_files(smoltclient_t)
+ files_read_usr_files(smoltclient_t)
+ 
+ auth_use_nsswitch(smoltclient_t)
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
 index 8c5fa3c..1a46f56 100644
 --- a/policy/modules/admin/su.if
@@ -1821,7 +1864,7 @@ index 0000000..5ef90cd
 +
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..4e92e87
+index 0000000..0958247
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
 @@ -0,0 +1,92 @@
@@ -1898,7 +1941,7 @@ index 0000000..4e92e87
 +
 +optional_policy(`
 +	gnome_rw_inherited_config(chrome_sandbox_t)
-+	gnome_list_home_config(chrome_sandbox_t)
++	gnome_read_home_config(chrome_sandbox_t)
 +')
 +
 +optional_policy(`
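Review bot: Swapping gnome_list_home_config for gnome_read_home_config widens chrome_sandbox_t from listing the GNOME config directory in the home dir to reading the files in it, and nothing in the hunk records which access the sandbox was denied. A one-line comment above the optional_policy block, e.g. `# chrome-sandbox reads files under the gnome config dir (see the AVC that prompted this)`, would let a later reviewer judge whether read is the minimum needed. The optional_policy block is complete within the hunk.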
@@ -3873,7 +3916,7 @@ index 9a6d67d..b0c1197 100644
  ##	mozilla over dbus.
  ## </summary>
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index cbf4bec..d4cb9c4 100644
+index cbf4bec..25171a6 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -3946,7 +3989,7 @@ index cbf4bec..d4cb9c4 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +291,125 @@ optional_policy(`
+@@ -266,3 +291,127 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -4013,6 +4056,8 @@ index cbf4bec..d4cb9c4 100644
 +
 +fs_getattr_tmpfs(mozilla_plugin_t)
 +
++application_dontaudit_signull(mozilla_plugin_t)
++
 +miscfiles_read_localization(mozilla_plugin_t)
 +miscfiles_read_fonts(mozilla_plugin_t)
 +
@@ -5217,7 +5262,7 @@ index 5c2680c..db96581 100644
 +	sandbox_manage_tmpfs_files(pulseaudio_t)
 +')
 diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
-index c1d5f50..f4e1572 100644
+index c1d5f50..989f88c 100644
 --- a/policy/modules/apps/qemu.if
 +++ b/policy/modules/apps/qemu.if
 @@ -157,6 +157,24 @@ interface(`qemu_domtrans',`
@@ -5245,7 +5290,26 @@ index c1d5f50..f4e1572 100644
  ##	Execute qemu in the qemu domain.
  ## </summary>
  ## <param name="domain">
-@@ -275,6 +293,67 @@ interface(`qemu_domtrans_unconfined',`
+@@ -169,6 +187,7 @@ interface(`qemu_domtrans',`
+ ##	The role to allow the qemu domain.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+ interface(`qemu_run',`
+ 	gen_require(`
+@@ -177,10 +196,6 @@ interface(`qemu_run',`
+ 
+ 	qemu_domtrans($1)
+ 	role $2 types qemu_t;
+-
+-	optional_policy(`
+-		samba_run_smb(qemu_t, $2, $3)
+-	')
+ ')
+ 
+ ########################################
+@@ -275,6 +290,67 @@ interface(`qemu_domtrans_unconfined',`
  
  ########################################
  ## <summary>
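Review bot: Dropping the `samba_run_smb(qemu_t, $2, $3)` call removes the only use of `$3` in qemu_run, but the interface's parameter documentation is not fully visible here; if it still carries a third `<param>` block for the terminal argument, that block should be removed in the same change so the doc matches what the interface now uses. The added `<rolecap/>` on qemu_run is consistent with the other *_run interfaces touched in this patch (brctl_run, postfix_run_postdrop). The qemu_run body is closed by the `')` at the end of the `@@ -177,10 +196,6 @@` hunk, but the interface header starts outside the shown hunk.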
@@ -5313,7 +5377,7 @@ index c1d5f50..f4e1572 100644
  ##	Manage qemu temporary dirs.
  ## </summary>
  ## <param name="domain">
-@@ -308,3 +387,24 @@ interface(`qemu_manage_tmp_files',`
+@@ -308,3 +384,24 @@ interface(`qemu_manage_tmp_files',`
  
  	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
  ')
@@ -6296,17 +6360,16 @@ index e9134f0..3d2ef30 100644
  files_getattr_all_sockets(locate_t)
 diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
 new file mode 100644
-index 0000000..809bb65
+index 0000000..7866118
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.fc
-@@ -0,0 +1,15 @@
+@@ -0,0 +1,14 @@
 +HOME_DIR/\.mission-control(/.*)?				gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
 +HOME_DIR/\.cache/\.mc_connections		--		gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
 +HOME_DIR/\.cache/telepathy/gabble(/.*)?				gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
 +HOME_DIR/.telepathy-sunshine(/.*)?			gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
 +
 +/usr/libexec/mission-control-5			--		gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
-+
 +/usr/libexec/telepathy-butterfly		--		gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
 +/usr/libexec/telepathy-gabble			--		gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
 +/usr/libexec/telepathy-haze				--		gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
@@ -8283,7 +8346,7 @@ index 3517db2..bd4c23d 100644
 +/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..c0b844e 100644
+index 5302dac..3966eab 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8299,7 +8362,7 @@ index 5302dac..c0b844e 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1446,6 +1444,42 @@ interface(`files_dontaudit_search_all_mountpoints',`
+@@ -1446,6 +1444,60 @@ interface(`files_dontaudit_search_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -8339,10 +8402,28 @@ index 5302dac..c0b844e 100644
 +
 +########################################
 +## <summary>
++##	Write all file type directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_write_all_dirs',`
++	gen_require(`
++		attribute file_type;
++	')
++
++	allow $1 file_type:dir write;
++')
++
++########################################
++## <summary>
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
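Review bot: The new files_write_all_dirs interface grants `dir write` on every type carrying the file_type attribute, and its summary `Write all file type directories.` does not say that this reaches every labelled directory on the system or what kind of caller is expected to use it. Expanding the summary with a second line such as `This covers every directory type on the system; intended for mount-like domains only - prefer a type-specific interface where possible.` (tab-indented after `##` like the surrounding doc) would make the scope clear before a caller picks it out of the file. The companion change to fs_mount_all_fs later in this patch adds the same `dir write` on filesystem_type for the mount case, so the two could cross-reference each other.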
-@@ -2435,6 +2469,24 @@ interface(`files_delete_etc_files',`
+@@ -2435,6 +2487,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -8367,7 +8448,7 @@ index 5302dac..c0b844e 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2605,6 +2657,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2605,6 +2675,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -8392,7 +8473,7 @@ index 5302dac..c0b844e 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -3086,6 +3156,7 @@ interface(`files_getattr_home_dir',`
+@@ -3086,6 +3174,7 @@ interface(`files_getattr_home_dir',`
  	')
  
  	allow $1 home_root_t:dir getattr;
@@ -8400,7 +8481,7 @@ index 5302dac..c0b844e 100644
  ')
  
  ########################################
-@@ -3106,6 +3177,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3106,6 +3195,7 @@ interface(`files_dontaudit_getattr_home_dir',`
  	')
  
  	dontaudit $1 home_root_t:dir getattr;
@@ -8408,7 +8489,7 @@ index 5302dac..c0b844e 100644
  ')
  
  ########################################
-@@ -3347,6 +3419,24 @@ interface(`files_list_mnt',`
+@@ -3347,6 +3437,24 @@ interface(`files_list_mnt',`
  	allow $1 mnt_t:dir list_dir_perms;
  ')
  
@@ -8433,7 +8514,7 @@ index 5302dac..c0b844e 100644
  ########################################
  ## <summary>
  ##	Mount a filesystem on /mnt.
-@@ -3420,6 +3510,24 @@ interface(`files_read_mnt_files',`
+@@ -3420,6 +3528,24 @@ interface(`files_read_mnt_files',`
  	read_files_pattern($1, mnt_t, mnt_t)
  ')
  
@@ -8458,7 +8539,7 @@ index 5302dac..c0b844e 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -3711,6 +3819,100 @@ interface(`files_read_world_readable_sockets',`
+@@ -3711,6 +3837,100 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -8559,7 +8640,7 @@ index 5302dac..c0b844e 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3896,6 +4098,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3896,6 +4116,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -8592,7 +8673,7 @@ index 5302dac..c0b844e 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4109,6 +4337,13 @@ interface(`files_purge_tmp',`
+@@ -4109,6 +4355,13 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8606,7 +8687,7 @@ index 5302dac..c0b844e 100644
  ')
  
  ########################################
-@@ -4718,6 +4953,24 @@ interface(`files_read_var_files',`
+@@ -4718,6 +4971,24 @@ interface(`files_read_var_files',`
  
  ########################################
  ## <summary>
@@ -8631,7 +8712,7 @@ index 5302dac..c0b844e 100644
  ##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
-@@ -5053,6 +5306,24 @@ interface(`files_manage_mounttab',`
+@@ -5053,6 +5324,24 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -8656,7 +8737,7 @@ index 5302dac..c0b844e 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5138,12 +5409,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5138,12 +5427,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -8673,7 +8754,7 @@ index 5302dac..c0b844e 100644
  ')
  
  ########################################
-@@ -5317,6 +5588,43 @@ interface(`files_search_pids',`
+@@ -5317,6 +5606,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -8717,10 +8798,28 @@ index 5302dac..c0b844e 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5524,6 +5832,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5850,44 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
++##	Relable all pid directories
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_pid_dirs',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	relabel_dirs_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
 +##	manage all pidfile directories
 +##	in the /var/run directory.
 +## </summary>
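Review bot: The summary of the new files_relabel_all_pid_dirs interface misspells "Relabel" as `Relable`; the intended line is `##	Relabel all pid directories.` (tab after `##`, as the rest of the file does). The same typo appears in files_relabel_all_pid_files in the next hunk of this file section (`Relable all pid files`). Both summaries also end without a period, unlike the neighbouring interfaces in files.if.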
@@ -8744,15 +8843,52 @@ index 5302dac..c0b844e 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5541,6 +5869,7 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +5905,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
 +	read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	Relable all pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_pid_files',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	relabel_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
++##	manage all pidfiles 
++##	in the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	manage_files_pattern($1,pidfile,pidfile)
  ')
  
  ########################################
-@@ -5826,3 +6155,247 @@ interface(`files_unconfined',`
+@@ -5826,3 +6228,247 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
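Review bot: `manage_files_pattern($1,pidfile,pidfile)` in the new files_manage_all_pids interface omits the spaces after the commas that every other pattern call in this file uses (compare `relabel_files_pattern($1, pidfile, pidfile)` a few lines above); `manage_files_pattern($1, pidfile, pidfile)` matches the file style. The summary line `##	manage all pidfiles ` carries trailing whitespace and, like the other new summaries here, is lower-case and unpunctuated. The summary says it manages pidfiles in /var/run, yet unlike files_read_all_pids in this same hunk (which has `list_dirs_pattern($1, var_t, pidfile)`) it grants nothing on the containing directories; whether callers need a matching `files_search_pids($1)` depends on the first caller and should be checked.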
@@ -9057,7 +9193,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 437a42a..c0e1d3a 100644
+index 437a42a..54a884b 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -9423,7 +9559,16 @@ index 437a42a..c0e1d3a 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4662,3 +4872,24 @@ interface(`fs_unconfined',`
+@@ -4252,6 +4462,8 @@ interface(`fs_mount_all_fs',`
+ 	')
+ 
+ 	allow $1 filesystem_type:filesystem mount;
++# Mount checks write access on the dir
++	allow $1 filesystem_type:dir write;
+ ')
+ 
+ ########################################
+@@ -4662,3 +4874,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
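Review bot: The comment `# Mount checks write access on the dir` added to fs_mount_all_fs sits at column 0 inside a tab-indented interface body; indenting it to match the rule it explains (`	# mount(2) also checks write on the mountpoint directory`) keeps the body readable. The new `allow $1 filesystem_type:dir write;` is a broader grant than the mount permission alone, so if the write check is a kernel requirement the comment should say so explicitly to stop a later cleanup from removing it as redundant.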
@@ -13444,7 +13589,7 @@ index c9e1a44..6918ff2 100644
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 08dfa0c..410ff39 100644
+index 08dfa0c..b9fc802 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,130 +18,195 @@ policy_module(apache, 2.2.0)
@@ -13807,12 +13952,13 @@ index 08dfa0c..410ff39 100644
  
  libs_read_lib_files(httpd_t)
  
-@@ -416,34 +508,70 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +508,71 @@ seutil_dontaudit_search_config(httpd_t)
  
  userdom_use_unpriv_users_fds(httpd_t)
  
 +tunable_policy(`httpd_setrlimit',`
 +	allow httpd_t self:process setrlimit;
++	allow httpd_t self:capability sys_resource;
 +')
 +
  tunable_policy(`allow_httpd_anon_write',`
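Review bot: The httpd_setrlimit tunable now also grants `self:capability sys_resource`, which covers more than adjusting the process's own limits (it is the capability checked for raising hard rlimits and for several other resource overrides), so the boolean's `<desc>` in the gen_tunable block, which is outside this hunk, should be updated to say it also grants CAP_SYS_RESOURCE. A short comment above the new allow line, `# raising hard limits requires CAP_SYS_RESOURCE`, would record why the capability sits under the same tunable rather than a separate one.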
@@ -13880,7 +14026,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +584,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +585,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -13891,7 +14037,7 @@ index 08dfa0c..410ff39 100644
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,8 +598,12 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,8 +599,12 @@ tunable_policy(`httpd_enable_ftp_server',`
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -13906,7 +14052,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,6 +611,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -475,6 +612,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -13919,7 +14065,7 @@ index 08dfa0c..410ff39 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +626,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +627,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -13936,7 +14082,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -500,8 +651,10 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -500,8 +652,10 @@ tunable_policy(`httpd_ssi_exec',`
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
  	userdom_use_user_terminals(httpd_t)
@@ -13947,7 +14093,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  optional_policy(`
-@@ -513,7 +666,13 @@ optional_policy(`
+@@ -513,7 +667,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13962,7 +14108,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  optional_policy(`
-@@ -528,7 +687,7 @@ optional_policy(`
+@@ -528,7 +688,7 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -13971,7 +14117,7 @@ index 08dfa0c..410ff39 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +696,12 @@ optional_policy(`
+@@ -537,8 +697,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13985,7 +14131,7 @@ index 08dfa0c..410ff39 100644
  	')
  ')
  
-@@ -556,7 +719,13 @@ optional_policy(`
+@@ -556,7 +720,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13999,7 +14145,7 @@ index 08dfa0c..410ff39 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +736,7 @@ optional_policy(`
+@@ -567,6 +737,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -14007,7 +14153,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  optional_policy(`
-@@ -577,6 +747,16 @@ optional_policy(`
+@@ -577,6 +748,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14024,7 +14170,7 @@ index 08dfa0c..410ff39 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +771,11 @@ optional_policy(`
+@@ -591,6 +772,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14036,7 +14182,7 @@ index 08dfa0c..410ff39 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +788,10 @@ optional_policy(`
+@@ -603,6 +789,10 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -14047,7 +14193,7 @@ index 08dfa0c..410ff39 100644
  ########################################
  #
  # Apache helper local policy
-@@ -618,6 +807,10 @@ logging_send_syslog_msg(httpd_helper_t)
+@@ -618,6 +808,10 @@ logging_send_syslog_msg(httpd_helper_t)
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -14058,7 +14204,7 @@ index 08dfa0c..410ff39 100644
  ########################################
  #
  # Apache PHP script local policy
-@@ -654,28 +847,27 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +848,27 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -14099,7 +14245,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  ########################################
-@@ -699,17 +891,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +892,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -14125,7 +14271,7 @@ index 08dfa0c..410ff39 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +937,20 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,10 +938,20 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -14147,7 +14293,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +976,25 @@ optional_policy(`
+@@ -769,6 +977,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -14173,7 +14319,7 @@ index 08dfa0c..410ff39 100644
  ########################################
  #
  # Apache system script local policy
-@@ -792,9 +1018,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
+@@ -792,9 +1019,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t)
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
  
@@ -14187,7 +14333,7 @@ index 08dfa0c..410ff39 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +1033,33 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,6 +1034,33 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -14221,7 +14367,7 @@ index 08dfa0c..410ff39 100644
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -822,7 +1079,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,7 +1080,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -14230,7 +14376,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -830,6 +1087,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -830,6 +1088,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -14251,7 +14397,7 @@ index 08dfa0c..410ff39 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1113,20 @@ optional_policy(`
+@@ -842,10 +1114,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -14272,7 +14418,7 @@ index 08dfa0c..410ff39 100644
  ')
  
  ########################################
-@@ -891,11 +1172,21 @@ optional_policy(`
+@@ -891,11 +1173,21 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -18586,7 +18732,7 @@ index f706b99..ab2edfc 100644
 +	files_list_pids($1)
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..184b4b5 100644
+index f231f17..8d467c4 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
@@ -18614,7 +18760,7 @@ index f231f17..184b4b5 100644
  files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
-@@ -178,17 +182,27 @@ optional_policy(`
+@@ -178,25 +182,37 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -18643,14 +18789,26 @@ index f231f17..184b4b5 100644
  manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-@@ -212,12 +226,14 @@ dev_rw_generic_usb_dev(devicekit_power_t)
+ 
++kernel_read_fs_sysctls(devicekit_power_t)
+ kernel_read_network_state(devicekit_power_t)
+ kernel_read_system_state(devicekit_power_t)
+ kernel_rw_hotplug_sysctls(devicekit_power_t)
+ kernel_rw_kernel_sysctl(devicekit_power_t)
++kernel_rw_vm_sysctls(devicekit_power_t)
+ kernel_search_debugfs(devicekit_power_t)
+ kernel_write_proc_files(devicekit_power_t)
+ 
+@@ -212,12 +228,16 @@ dev_rw_generic_usb_dev(devicekit_power_t)
  dev_rw_generic_chr_files(devicekit_power_t)
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
 +dev_read_rand(devicekit_power_t)
++dev_getattr_all_chr_files(devicekit_power_t)
  
  files_read_kernel_img(devicekit_power_t)
  files_read_etc_files(devicekit_power_t)
++files_read_etc_runtime_files(devicekit_power_t)
  files_read_usr_files(devicekit_power_t)
  
  fs_list_inotifyfs(devicekit_power_t)
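Review bot: devicekit_power_t gains `kernel_rw_vm_sysctls` and `dev_getattr_all_chr_files` with no comment on which sysctl or device node the daemon actually needs; read/write on the whole of /proc/sys/vm is a broad grant for a power daemon. If the write is for a single knob, a comment such as `# writes <vm sysctl name - confirm from the AVC>` above the call would let the grant be narrowed to a read plus a specific rule later. The same applies to the `dev_getattr_all_chr_files` line, which may be satisfiable by a device-specific getattr interface once the node is known.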
@@ -18658,7 +18816,7 @@ index f231f17..184b4b5 100644
  
  term_use_all_terms(devicekit_power_t)
  
-@@ -225,8 +241,11 @@ auth_use_nsswitch(devicekit_power_t)
+@@ -225,8 +245,11 @@ auth_use_nsswitch(devicekit_power_t)
  
  miscfiles_read_localization(devicekit_power_t)
  
@@ -18670,7 +18828,7 @@ index f231f17..184b4b5 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -261,6 +280,10 @@ optional_policy(`
+@@ -261,6 +284,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18681,7 +18839,7 @@ index f231f17..184b4b5 100644
  	hal_domtrans_mac(devicekit_power_t)
  	hal_manage_log(devicekit_power_t)
  	hal_manage_pid_dirs(devicekit_power_t)
-@@ -269,6 +292,10 @@ optional_policy(`
+@@ -269,6 +296,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18692,7 +18850,19 @@ index f231f17..184b4b5 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -280,5 +307,9 @@ optional_policy(`
+@@ -276,9 +307,21 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	mount_exec(devicekit_power_t)
++')
++
++optional_policy(`
++	readahead_domtrans(devicekit_power_t)
++')
++
++optional_policy(`
+ 	udev_read_db(devicekit_power_t)
  ')
  
  optional_policy(`
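Review bot: `mount_exec(devicekit_power_t)` runs the mount binary inside the devicekit_power_t domain instead of transitioning, so every permission mount needs at runtime (such as the `filesystem_type:dir write` added to fs_mount_all_fs in this same patch) ends up being demanded of the power daemon itself; if a `mount_domtrans(devicekit_power_t)` works for this use it keeps those permissions out of the daemon domain. If exec without transition is deliberate (for instance because the daemon only uses mount for a read-only query), a comment above the optional_policy block saying so would stop the question being re-raised on the next review.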
@@ -23286,7 +23456,7 @@ index 343cee3..2f948ad 100644
 +	')
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..a765618 100644
+index 64268e4..7521b9e 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -23300,14 +23470,13 @@ index 64268e4..a765618 100644
  
  type mqueue_spool_t;
  files_mountpoint(mqueue_spool_t)
-@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t)
+@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t)
  
  # newalias required this, not sure if it is needed in 'if' file
  allow system_mail_t self:capability { dac_override fowner };
 -allow system_mail_t self:fifo_file rw_fifo_file_perms;
- 
+-
 -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-+append_files_pattern(system_mail_t, mail_home_t, mail_home_t)
  
  read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
  
@@ -23324,7 +23493,7 @@ index 64268e4..a765618 100644
  dev_read_sysfs(system_mail_t)
  dev_read_rand(system_mail_t)
  dev_read_urand(system_mail_t)
-@@ -82,6 +71,9 @@ init_use_script_ptys(system_mail_t)
+@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t)
  
  userdom_use_user_terminals(system_mail_t)
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -23334,7 +23503,7 @@ index 64268e4..a765618 100644
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +84,28 @@ optional_policy(`
+@@ -92,17 +82,28 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -23364,7 +23533,7 @@ index 64268e4..a765618 100644
  	clamav_stream_connect(system_mail_t)
  	clamav_append_log(system_mail_t)
  ')
-@@ -111,6 +114,8 @@ optional_policy(`
+@@ -111,6 +112,8 @@ optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
@@ -23373,7 +23542,7 @@ index 64268e4..a765618 100644
  ')
  
  optional_policy(`
-@@ -124,12 +129,8 @@ optional_policy(`
+@@ -124,12 +127,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23387,7 +23556,7 @@ index 64268e4..a765618 100644
  ')
  
  optional_policy(`
-@@ -146,6 +147,10 @@ optional_policy(`
+@@ -146,6 +145,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23398,7 +23567,7 @@ index 64268e4..a765618 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,18 +163,6 @@ optional_policy(`
+@@ -158,18 +161,6 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -23417,7 +23586,7 @@ index 64268e4..a765618 100644
  ')
  
  optional_policy(`
-@@ -189,6 +182,10 @@ optional_policy(`
+@@ -189,6 +180,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23428,7 +23597,7 @@ index 64268e4..a765618 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,7 +196,7 @@ optional_policy(`
+@@ -199,7 +194,7 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -23437,7 +23606,7 @@ index 64268e4..a765618 100644
  		arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
  	')
  
-@@ -220,7 +217,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -23447,7 +23616,7 @@ index 64268e4..a765618 100644
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -249,11 +247,16 @@ optional_policy(`
+@@ -249,11 +245,16 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -23464,7 +23633,7 @@ index 64268e4..a765618 100644
  domain_use_interactive_fds(user_mail_t)
  
  userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +295,42 @@ optional_policy(`
+@@ -292,3 +293,44 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -23477,6 +23646,8 @@ index 64268e4..a765618 100644
 +allow user_mail_domain self:fifo_file rw_fifo_file_perms;
 +allow user_mail_domain mta_exec_type:file entrypoint;
 +
++append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
++
 +read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
 +
 +can_exec(user_mail_domain, mta_exec_type)
@@ -26623,7 +26794,7 @@ index 55e62d2..c114a40 100644
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..7391f7e 100644
+index 46bee12..ff521d5 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -50,7 +50,7 @@ template(`postfix_domain_template',`
@@ -26777,7 +26948,7 @@ index 46bee12..7391f7e 100644
  ')
  
  ########################################
-@@ -621,3 +661,98 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +661,103 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -26866,6 +27037,11 @@ index 46bee12..7391f7e 100644
 +##	Domain allowed to transition.
 +##	</summary>
 +## </param>
++## <param name="role">
++##  <summary>
++##  The role to be allowed the iptables domain.
++##  </summary>
++## </param>
 +## <rolecap/>
 +#
 +interface(`postfix_run_postdrop',`
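Review bot: The new role parameter summary reads `The role to be allowed the iptables domain.`, which is a copy-paste slip — this block documents `postfix_run_postdrop`, so it should say `The role to be allowed the postdrop domain.` or, matching the other role parameters this commit adds, `Role allowed access.`. The five added lines are also indented with spaces after `##` while the neighbouring `##	Domain allowed to transition.` lines use a tab; the same space-versus-tab mix appears in the ppp.if hunk (role parameter of ppp_admin) and the rpc.if hunk (role parameter of rpc_run_rpcd), so re-indenting all three with a tab keeps the interface doc blocks uniform. The postfix_run_postdrop body continues outside the hunk.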
@@ -27421,7 +27597,7 @@ index ad15fde..6f55445 100644
  
  	allow $1 postgrey_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..29e0761 100644
+index b524673..9d90fb3 100644
 --- a/policy/modules/services/ppp.if
 +++ b/policy/modules/services/ppp.if
 @@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -27460,7 +27636,17 @@ index b524673..29e0761 100644
  	allow $1 pppd_var_run_t:file manage_file_perms;
  ')
  
-@@ -353,16 +353,17 @@ interface(`ppp_initrc_domtrans',`
+@@ -348,21 +348,27 @@ interface(`ppp_initrc_domtrans',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="role">
++##      <summary>
++##      Role allowed access.
++##      </summary>
++## </param>
+ ## <rolecap/>
+ #
  interface(`ppp_admin',`
  	gen_require(`
  		type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
@@ -27483,7 +27669,7 @@ index b524673..29e0761 100644
  	ppp_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 pppd_initrc_exec_t system_r;
-@@ -374,6 +375,7 @@ interface(`ppp_admin',`
+@@ -374,6 +380,7 @@ interface(`ppp_admin',`
  	logging_list_logs($1)
  	admin_pattern($1, pppd_log_t)
  
@@ -27491,7 +27677,7 @@ index b524673..29e0761 100644
  	admin_pattern($1, pppd_lock_t)
  
  	files_list_etc($1)
-@@ -386,9 +388,6 @@ interface(`ppp_admin',`
+@@ -386,9 +393,6 @@ interface(`ppp_admin',`
  	files_list_pids($1)
  	admin_pattern($1, pppd_var_run_t)
  
@@ -30105,7 +30291,7 @@ index 779fa44..0155ca7 100644
  remotelogin_domtrans(rlogind_t)
  remotelogin_signal(rlogind_t)
 diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
-index cda37bb..28e7576 100644
+index cda37bb..484e552 100644
 --- a/policy/modules/services/rpc.if
 +++ b/policy/modules/services/rpc.if
 @@ -32,7 +32,11 @@ interface(`rpc_stub',`
@@ -30139,7 +30325,7 @@ index cda37bb..28e7576 100644
  ')
  
  ########################################
-@@ -246,6 +250,26 @@ interface(`rpc_domtrans_rpcd',`
+@@ -246,6 +250,32 @@ interface(`rpc_domtrans_rpcd',`
  	allow rpcd_t $1:process signal;
  ')
  
@@ -30150,9 +30336,15 @@ index cda37bb..28e7576 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The role to be allowed the rpcd domain.
++##	Domain allowed to transition.
 +##	</summary>
 +## </param>
++## <param name="role">
++##      <summary>
++##      Role allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
 +#
 +interface(`rpc_run_rpcd',`
 +	gen_require(`
@@ -30166,7 +30358,7 @@ index cda37bb..28e7576 100644
  #######################################
  ## <summary>
  ##	Execute domain in rpcd domain.
-@@ -282,7 +306,7 @@ interface(`rpc_read_nfs_content',`
+@@ -282,7 +312,7 @@ interface(`rpc_read_nfs_content',`
  
  	allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
  	allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
@@ -30175,7 +30367,7 @@ index cda37bb..28e7576 100644
  ')
  
  ########################################
-@@ -375,7 +399,7 @@ interface(`rpc_search_nfs_state_data',`
+@@ -375,7 +405,7 @@ interface(`rpc_search_nfs_state_data',`
  	')
  
  	files_search_var_lib($1)
@@ -30184,7 +30376,7 @@ index cda37bb..28e7576 100644
  ')
  
  ########################################
-@@ -414,4 +438,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -414,4 +444,5 @@ interface(`rpc_manage_nfs_state_data',`
  
  	files_search_var_lib($1)
  	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@@ -37743,16 +37935,34 @@ index f9a06d2..3d407c6 100644
  
  files_read_etc_files(zos_remote_t)
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index ac50333..108595b 100644
+index ac50333..42784aa 100644
 --- a/policy/modules/system/application.if
 +++ b/policy/modules/system/application.if
-@@ -130,3 +130,21 @@ interface(`application_signull',`
+@@ -130,3 +130,39 @@ interface(`application_signull',`
  
  	allow $1 application_domain_type:process signull;
  ')
 +
 +########################################
 +## <summary>
++##	Dontaudit signull sent to all application domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`application_dontaudit_signull',`
++	gen_require(`
++		attribute application_domain_type;
++	')
++
++	dontaudit $1 application_domain_type:process signull;
++')
++
++########################################
++## <summary>
 +##	Send signal to all application domains.
 +## </summary>
 +## <param name="domain">
@@ -38800,7 +39010,7 @@ index df3fa64..73dc579 100644
 +	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 8a105fd..e858520 100644
+index 8a105fd..2b0a437 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,27 @@ gen_require(`
@@ -38929,7 +39139,7 @@ index 8a105fd..e858520 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +220,81 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +220,89 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -38986,6 +39196,14 @@ index 8a105fd..e858520 100644
 +	init_read_script_state(init_t)
 +
 +	seutil_read_file_contexts(init_t)
++	
++	# Permissions for systemd-tmpfiles, needs its own policy.
++	files_relabel_all_pid_files(init_t)
++	files_relabel_all_pid_files(init_t)
++	files_manage_all_pids(init_t)
++	files_manage_generic_locks(init_t)
++	files_manage_generic_tmp_dirs(init_t)
++	files_manage_generic_tmp_files(init_t)
 +')
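Review bot: `files_relabel_all_pid_files(init_t)` is added twice on consecutive lines; drop the second copy and the inner hunk header becomes `+@@ -186,12 +220,88 @@` instead of `+220,89`. The line just before the comment is whitespace-only (`+	`), which policy checkers and diff tools flag — make it an empty line. Beyond the duplicate, the block hands init_t manage rights over all pid files, generic locks and generic tmp content plus relabel of all pid files; the existing comment already says systemd-tmpfiles "needs its own policy", so marking it `# TODO: move to a dedicated systemd-tmpfiles domain; these are broader than init_t should keep` records that the grant is meant to be temporary. The enclosing block is visible here from the comment to the closing `')`, but the tunable/optional block it sits in starts outside the hunk.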
 +
  optional_policy(`
@@ -39011,7 +39229,7 @@ index 8a105fd..e858520 100644
  ')
  
  optional_policy(`
-@@ -199,10 +302,19 @@ optional_policy(`
+@@ -199,10 +310,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39031,7 +39249,7 @@ index 8a105fd..e858520 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +324,7 @@ optional_policy(`
+@@ -212,7 +332,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -39040,7 +39258,7 @@ index 8a105fd..e858520 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,6 +353,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +361,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -39048,7 +39266,7 @@ index 8a105fd..e858520 100644
  
  can_exec(initrc_t, initrc_tmp_t)
  manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +371,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +379,23 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -39072,7 +39290,7 @@ index 8a105fd..e858520 100644
  
  corecmd_exec_all_executables(initrc_t)
  
-@@ -291,6 +416,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +424,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -39080,7 +39298,7 @@ index 8a105fd..e858520 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +424,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +432,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -39096,7 +39314,7 @@ index 8a105fd..e858520 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -323,8 +449,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +457,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -39108,7 +39326,7 @@ index 8a105fd..e858520 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +468,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +476,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -39122,7 +39340,7 @@ index 8a105fd..e858520 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +483,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +491,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -39131,7 +39349,7 @@ index 8a105fd..e858520 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +497,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +505,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -39139,7 +39357,7 @@ index 8a105fd..e858520 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -380,6 +515,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +523,7 @@ auth_read_pam_pid(initrc_t)
  auth_delete_pam_pid(initrc_t)
  auth_delete_pam_console_data(initrc_t)
  auth_use_nsswitch(initrc_t)
@@ -39147,7 +39365,7 @@ index 8a105fd..e858520 100644
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
-@@ -394,13 +530,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +538,14 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -39163,7 +39381,7 @@ index 8a105fd..e858520 100644
  userdom_read_user_home_content_files(initrc_t)
  # Allow access to the sysadm TTYs. Note that this will give access to the
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +610,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +618,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -39172,7 +39390,7 @@ index 8a105fd..e858520 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -519,6 +656,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +664,19 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -39192,7 +39410,7 @@ index 8a105fd..e858520 100644
  	')
  
  	optional_policy(`
-@@ -526,10 +676,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +684,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -39210,7 +39428,7 @@ index 8a105fd..e858520 100644
  	')
  
  	optional_policy(`
-@@ -544,6 +701,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +709,35 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -39246,7 +39464,7 @@ index 8a105fd..e858520 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +742,8 @@ optional_policy(`
+@@ -556,6 +750,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -39255,7 +39473,7 @@ index 8a105fd..e858520 100644
  ')
  
  optional_policy(`
-@@ -572,6 +760,7 @@ optional_policy(`
+@@ -572,6 +768,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -39263,7 +39481,7 @@ index 8a105fd..e858520 100644
  ')
  
  optional_policy(`
-@@ -584,6 +773,11 @@ optional_policy(`
+@@ -584,6 +781,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39275,7 +39493,7 @@ index 8a105fd..e858520 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -600,6 +794,9 @@ optional_policy(`
+@@ -600,6 +802,9 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -39285,7 +39503,7 @@ index 8a105fd..e858520 100644
  
  	optional_policy(`
  		consolekit_dbus_chat(initrc_t)
-@@ -701,7 +898,13 @@ optional_policy(`
+@@ -701,7 +906,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39299,7 +39517,7 @@ index 8a105fd..e858520 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -724,6 +927,10 @@ optional_policy(`
+@@ -724,6 +935,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39310,7 +39528,7 @@ index 8a105fd..e858520 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -745,6 +952,10 @@ optional_policy(`
+@@ -745,6 +960,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39321,7 +39539,7 @@ index 8a105fd..e858520 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -766,8 +977,6 @@ optional_policy(`
+@@ -766,8 +985,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -39330,7 +39548,7 @@ index 8a105fd..e858520 100644
  ')
  
  optional_policy(`
-@@ -776,14 +985,21 @@ optional_policy(`
+@@ -776,14 +993,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39352,7 +39570,7 @@ index 8a105fd..e858520 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1021,19 @@ optional_policy(`
+@@ -805,11 +1029,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39373,7 +39591,7 @@ index 8a105fd..e858520 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1043,25 @@ optional_policy(`
+@@ -819,6 +1051,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -39399,7 +39617,7 @@ index 8a105fd..e858520 100644
  ')
  
  optional_policy(`
-@@ -844,3 +1087,55 @@ optional_policy(`
+@@ -844,3 +1095,55 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -41202,7 +41420,7 @@ index 8b5c196..3490497 100644
 +    role $2 types showmount_t;
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..cfb8758 100644
+index fca6947..c960661 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
 @@ -17,8 +17,15 @@ type mount_exec_t;
@@ -41252,7 +41470,7 @@ index fca6947..cfb8758 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -46,60 +68,94 @@ can_exec(mount_t, mount_exec_t)
+@@ -46,60 +68,95 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -41319,6 +41537,7 @@ index fca6947..cfb8758 100644
  # For reading cert files
  files_read_usr_files(mount_t)
  files_list_mnt(mount_t)
++files_write_all_dirs(mount_t)
  
 -fs_getattr_xattr_fs(mount_t)
 -fs_getattr_cifs(mount_t)
@@ -41354,7 +41573,7 @@ index fca6947..cfb8758 100644
  
  term_use_all_terms(mount_t)
  
-@@ -108,6 +164,8 @@ auth_use_nsswitch(mount_t)
+@@ -108,6 +165,8 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -41363,7 +41582,7 @@ index fca6947..cfb8758 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -118,6 +176,12 @@ sysnet_use_portmap(mount_t)
+@@ -118,6 +177,12 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -41376,7 +41595,7 @@ index fca6947..cfb8758 100644
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -133,10 +197,17 @@ ifdef(`distro_ubuntu',`
+@@ -133,10 +198,17 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -41394,7 +41613,7 @@ index fca6947..cfb8758 100644
  ')
  
  optional_policy(`
-@@ -166,6 +237,8 @@ optional_policy(`
+@@ -166,6 +238,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -41403,7 +41622,7 @@ index fca6947..cfb8758 100644
  ')
  
  optional_policy(`
-@@ -173,6 +246,25 @@ optional_policy(`
+@@ -173,6 +247,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -41418,7 +41637,6 @@ index fca6947..cfb8758 100644
 +	')
 +')
 +
-+
 +optional_policy(`
 +	hal_write_log(mount_t)
 +	hal_use_fds(mount_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e946d68..493bce8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,11 +21,12 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
 patch: policy-F14.patch
+patch2: telepathy_removal.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
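Review bot: `patch2: telepathy_removal.patch` is introduced here and applied with `%patch2 -p1` in the next hunk, but the 3.9.7-2 changelog entry in the last hunk lists only the upowed fixup and the sandbox SIGNULL dontaudit, so the new patch is undocumented in the package history; adding a line such as `- Add telepathy_removal.patch` to that entry keeps the changelog matching the spec. The tag is written `patch2:` in lowercase, following the existing `patch:` line rather than the capitalised `Source1:`/`Source2:` tags; RPM accepts either, but `Patch2:` would read consistently with the Source tags.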
@@ -203,6 +204,7 @@ Based off of reference policy: Checked out revision  2.20091117
 %prep 
 %setup -n serefpolicy-%{version} -q
 %patch -p1
+%patch2 -p1
 
 %install
 mkdir selinux_config
@@ -470,6 +472,10 @@ exit 0
 %endif
 
 %changelog
+* Fri Oct 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-2
+- Fixup for the latest version of upowed
+- Dontaudit sandbox sending SIGNULL to desktop apps
+
 * Wed Oct 13 2010 Dan Walsh <dwalsh@redhat.com> 3.9.7-1
 - Update to upstream