diff --git a/policy-F16.patch b/policy-F16.patch
index 4be4049..09afdb9 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -5511,6 +5511,34 @@ index 6e4add5..5c81832 100644
 -')
 +userdom_use_inherited_user_terminals(giftd_t)
 +userdom_home_manager(gitd_t)
+diff --git a/policy/modules/apps/gitosis.te b/policy/modules/apps/gitosis.te
+index 4a2e63b..104206a 100644
+--- a/policy/modules/apps/gitosis.te
++++ b/policy/modules/apps/gitosis.te
+@@ -5,6 +5,13 @@ policy_module(gitosis, 1.2.0)
+ # Declarations
+ #
+ 
++## <desc>
++##	<p>
++##	Allow gitisis daemon to send mail
++##	</p>
++## </desc>
++gen_tunable(gitosis_can_sendmail, false)
++
+ type gitosis_t;
+ type gitosis_exec_t;
+ application_domain(gitosis_t, gitosis_exec_t)
+@@ -39,3 +46,9 @@ files_search_var_lib(gitosis_t)
+ miscfiles_read_localization(gitosis_t)
+ 
+ sysnet_read_config(gitosis_t)
++
++corenet_tcp_bind_all_ports(nginx_t)
++
++tunable_policy(`gitosis_can_sendmail',`
++	mta_send_mail(gitosis_t)
++')
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
 index 00a19e3..9f6139c 100644
 --- a/policy/modules/apps/gnome.fc
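Review bot: The added `corenet_tcp_bind_all_ports(nginx_t)` at the end of gitosis.te names `nginx_t`, a type this module neither declares nor requires in the visible lines, and it has nothing to do with the mail tunable the rest of the hunk introduces. If it is a stray line it should be dropped: as written it either breaks the build when `nginx_t` is undefined, or lets an unrelated domain bind every TCP port from inside the gitosis module. If gitosis itself needs a listener, grant the specific port type to `gitosis_t` instead of all ports. The tunable description also misspells the daemon name and should read `##	Allow gitosis daemon to send mail`. The .te file continues outside the hunk, so a `gen_require` for `nginx_t` elsewhere cannot be ruled out.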
@@ -10229,7 +10257,7 @@ index 268d691..da3a26d 100644
 +	domain_entry_file($1, qemu_exec_t)
 +')
 diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 1813e16..606d712 100644
+index 1813e16..abee89e 100644
 --- a/policy/modules/apps/qemu.te
 +++ b/policy/modules/apps/qemu.te
 @@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
@@ -10250,7 +10278,7 @@ index 1813e16..606d712 100644
  
  tunable_policy(`qemu_full_network',`
  	allow qemu_t self:udp_socket create_socket_perms;
-@@ -99,6 +98,13 @@ optional_policy(`
+@@ -99,6 +98,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -10260,11 +10288,15 @@ index 1813e16..606d712 100644
 +')
 +
 +optional_policy(`
++	virt_domtrans_bridgehelper(qemu_t)
++')
++
++optional_policy(`
 +	virt_manage_home_files(qemu_t)
  	virt_manage_images(qemu_t)
  	virt_append_log(qemu_t)
  ')
-@@ -111,18 +117,3 @@ optional_policy(`
+@@ -111,18 +121,3 @@ optional_policy(`
  	xserver_read_xdm_pid(qemu_t)
  	xserver_stream_connect(qemu_t)
  ')
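Review bot: The new `optional_policy` block with `virt_domtrans_bridgehelper(qemu_t)` gives every qemu_t process a transition into the bridge helper domain with no tunable, while the network permissions shown earlier in qemu.te sit behind `qemu_full_network`. What the helper domain is allowed to do is defined in the virt module and is not visible here, so this is a question rather than a confirmed defect: if bridge setup is only needed on some deployments, the call could be gated the same way. At minimum, add a comment above the call stating why qemu needs the transition, for example `# qemu executes the bridge helper to attach a guest to a host bridge` if that is the reason.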
@@ -12947,7 +12979,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..c2ef1eb 100644
+index 3fae11a..3f5d339 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,7 +1,7 @@
@@ -12959,10 +12991,12 @@ index 3fae11a..c2ef1eb 100644
  /bin/.*					gen_context(system_u:object_r:bin_t,s0)
  /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -71,6 +71,11 @@ ifdef(`distro_redhat',`
+@@ -71,6 +71,13 @@ ifdef(`distro_redhat',`
  /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
++/etc/redhat-lsb(/.*)?			gen_context(system_u:object_r:bin_t,s0)
++
 +/etc/lxdm/LoginReady		--	gen_context(system_u:object_r:bin_t,s0)
 +/etc/lxdm/Post.*		--	gen_context(system_u:object_r:bin_t,s0)
 +/etc/lxdm/Pre.*			--	gen_context(system_u:object_r:bin_t,s0)
@@ -12971,7 +13005,7 @@ index 3fae11a..c2ef1eb 100644
  /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -97,8 +102,6 @@ ifdef(`distro_redhat',`
+@@ -97,8 +104,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -12980,7 +13014,7 @@ index 3fae11a..c2ef1eb 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +133,14 @@ ifdef(`distro_debian',`
+@@ -130,18 +135,14 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -13001,7 +13035,7 @@ index 3fae11a..c2ef1eb 100644
  
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -152,7 +151,7 @@ ifdef(`distro_gentoo',`
+@@ -152,7 +153,7 @@ ifdef(`distro_gentoo',`
  #
  # /sbin
  #
@@ -13010,7 +13044,7 @@ index 3fae11a..c2ef1eb 100644
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/insmod_ksymoops_clean	--	gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +167,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +169,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13018,7 +13052,7 @@ index 3fae11a..c2ef1eb 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,67 +179,92 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +181,92 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -13156,7 +13190,7 @@ index 3fae11a..c2ef1eb 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,11 +272,18 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +274,18 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -13176,7 +13210,7 @@ index 3fae11a..c2ef1eb 100644
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  /usr/sbin/smrsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +299,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +301,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -13187,7 +13221,7 @@ index 3fae11a..c2ef1eb 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +322,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +324,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13208,7 +13242,7 @@ index 3fae11a..c2ef1eb 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +346,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +348,11 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -13222,7 +13256,7 @@ index 3fae11a..c2ef1eb 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +360,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +362,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13234,7 +13268,7 @@ index 3fae11a..c2ef1eb 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +406,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +408,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13243,7 +13277,7 @@ index 3fae11a..c2ef1eb 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +418,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +420,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13255,7 +13289,7 @@ index 3fae11a..c2ef1eb 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +429,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +431,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -13339,6 +13373,19 @@ index 9e9263a..650e796 100644
  	manage_files_pattern($1, bin_t, exec_type)
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
+diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
+index 23a1c3c..5354925 100644
+--- a/policy/modules/kernel/corecommands.te
++++ b/policy/modules/kernel/corecommands.te
+@@ -13,7 +13,7 @@ attribute exec_type;
+ #
+ # bin_t is the type of files in the system bin/sbin directories.
+ #
+-type bin_t alias { ls_exec_t sbin_t };
++type bin_t alias { ls_exec_t sbin_t execmem_exec_t java_exec_t mono_exec_t };
+ corecmd_executable_file(bin_t)
+ dev_associate(bin_t)	#For /dev/MAKEDEV
+ 
 diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
 index f9b25c1..9af1f7a 100644
 --- a/policy/modules/kernel/corenetwork.fc
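Review bot: Folding `execmem_exec_t`, `java_exec_t` and `mono_exec_t` into `bin_t` on the changed `type bin_t alias { ... }` line means any rule still written against those names, entrypoint and domain-transition rules included, now applies to every file labelled bin_t. The modules that used to declare these types are not part of this hunk, so confirm their `type` declarations and .fc entries are removed in the same change, since a name cannot be both a declared type and an alias. Also confirm that no remaining transition keyed on them now fires for ordinary binaries. A comment above the line would record the intent, for example `# execmem/java/mono entrypoint types retired; aliases keep old labels and rules resolving` if that is the purpose.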
@@ -14607,7 +14654,7 @@ index 4f3b542..f4e36ee 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..9399e7e 100644
+index 99b71cb..63b5c4a 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -14716,7 +14763,7 @@ index 99b71cb..9399e7e 100644
  network_port(distccd, tcp,3632,s0)
 +network_port(dogtag, tcp,7390,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
-+network_port(dnssec, tcp,8995,s0)
++network_port(dnssec, tcp,8955,s0)
  network_port(epmap, tcp,135,s0, udp,135,s0)
 +network_port(epmd, tcp,4369,s0, udp,4369,s0)
 +network_port(festival, tcp,1314,s0)
@@ -14859,7 +14906,7 @@ index 99b71cb..9399e7e 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +283,11 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +283,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -14868,11 +14915,12 @@ index 99b71cb..9399e7e 100644
  network_port(wccp, udp,2048,s0)
 +network_port(websm, tcp,9090,s0, udp,9090,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
++network_port(winshadow, tcp, 3261, s0, udp, 3261,s0)
 +network_port(wsicopy, tcp, 3378, s0, udp, 3378,s0)
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +299,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +300,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14880,7 +14928,7 @@ index 99b71cb..9399e7e 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +309,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +310,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14893,7 +14941,7 @@ index 99b71cb..9399e7e 100644
  
  ########################################
  #
-@@ -282,9 +359,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +360,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -15027,7 +15075,7 @@ index 6cf8784..2354089 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index f820f3b..f27e256 100644
+index f820f3b..790494f 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -15765,7 +15813,7 @@ index f820f3b..f27e256 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4784,3 +5216,842 @@ interface(`dev_unconfined',`
+@@ -4784,3 +5216,843 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -15985,6 +16033,7 @@ index f820f3b..f27e256 100644
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
 +	filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
++	filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
 +	filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
 +	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
 +	filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
@@ -17202,7 +17251,7 @@ index c19518a..04ef731 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..a8532db 100644
+index ff006ea..b733da8 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -17342,7 +17391,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -1660,6 +1746,24 @@ interface(`files_delete_root_dir_entry',`
+@@ -1660,6 +1746,42 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -17364,10 +17413,28 @@ index ff006ea..a8532db 100644
 +
 +########################################
 +## <summary>
++##	Relabel a rootfs filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_rootfs',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 root_t:filesystem relabel_file_perms;
++')
++
++########################################
++## <summary>
  ##	Unmount a rootfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1678,6 +1782,24 @@ interface(`files_unmount_rootfs',`
+@@ -1678,6 +1800,24 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
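Review bot: The new `files_relabel_rootfs` interface applies `relabel_file_perms`, a permission set named for the file class, to `root_t:filesystem`. It presumably compiles only because the permissions in that set also exist on the filesystem class, and it grants whatever else the set carries beyond relabeling. Spelling the permissions out as `allow $1 root_t:filesystem { relabelfrom relabelto };` matches the class and grants exactly what the summary promises. The summary could also state that this relabels the filesystem object itself, not the files on it.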
@@ -17392,7 +17459,7 @@ index ff006ea..a8532db 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -1848,7 +1970,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +1988,7 @@ interface(`files_boot_filetrans',`
  		type boot_t;
  	')
  
@@ -17401,7 +17468,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -2372,6 +2494,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2512,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -17426,7 +17493,7 @@ index ff006ea..a8532db 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2451,7 +2591,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2609,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17435,7 +17502,7 @@ index ff006ea..a8532db 100644
  ##	</summary>
  ## </param>
  #
-@@ -2507,6 +2647,25 @@ interface(`files_manage_etc_files',`
+@@ -2507,6 +2665,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -17461,7 +17528,7 @@ index ff006ea..a8532db 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2525,6 +2684,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2702,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -17486,7 +17553,7 @@ index ff006ea..a8532db 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2624,7 +2801,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2819,7 @@ interface(`files_etc_filetrans',`
  		type etc_t;
  	')
  
@@ -17495,7 +17562,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -2680,24 +2857,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2875,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -17520,7 +17587,7 @@ index ff006ea..a8532db 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2738,6 +2897,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2915,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -17545,7 +17612,7 @@ index ff006ea..a8532db 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2775,6 +2952,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +2970,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -17553,7 +17620,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -2796,6 +2974,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -2796,6 +2992,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -17561,7 +17628,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -3364,7 +3543,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3561,7 @@ interface(`files_home_filetrans',`
  		type home_root_t;
  	')
  
@@ -17570,7 +17637,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -3502,20 +3681,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3699,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -17614,7 +17681,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -3804,7 +4001,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4019,7 @@ interface(`files_kernel_modules_filetrans',`
  		type modules_object_t;
  	')
  
@@ -17623,7 +17690,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -3900,6 +4097,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4115,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -17723,7 +17790,7 @@ index ff006ea..a8532db 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3945,7 +4235,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4253,7 @@ interface(`files_getattr_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17732,7 +17799,7 @@ index ff006ea..a8532db 100644
  ##	</summary>
  ## </param>
  #
-@@ -4017,7 +4307,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4325,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17741,12 +17808,14 @@ index ff006ea..a8532db 100644
  ##	</summary>
  ## </param>
  #
-@@ -4029,6 +4319,24 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,9 +4337,27 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
+-########################################
 +#######################################
-+## <summary>
+ ## <summary>
+-##	Remove entries from the tmp directory.
 +##  Allow read and write to the tmp directory (/tmp).
 +## </summary>
 +## <param name="domain">
@@ -17763,16 +17832,18 @@ index ff006ea..a8532db 100644
 +    allow $1 tmp_t:dir rw_dir_perms;
 +')
 +
- ########################################
- ## <summary>
- ##	Remove entries from the tmp directory.
-@@ -4085,17 +4393,43 @@ interface(`files_manage_generic_tmp_dirs',`
++########################################
++## <summary>
++##	Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4085,6 +4411,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
--##	Manage temporary files and directories in /tmp.
 +##	Allow shared library text relocations in tmp files.
- ## </summary>
++## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -17781,16 +17852,14 @@ index ff006ea..a8532db 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_tmp_files',`
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_execmod_tmp',`
- 	gen_require(`
--		type tmp_t;
++	gen_require(`
 +		attribute tmpfile;
 +	')
 +
@@ -17799,21 +17868,10 @@ index ff006ea..a8532db 100644
 +
 +########################################
 +## <summary>
-+##	Manage temporary files and directories in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_manage_generic_tmp_files',`
-+	gen_require(`
-+		type tmp_t;
- 	')
- 
- 	manage_files_pattern($1, tmp_t, tmp_t)
-@@ -4139,6 +4473,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	Manage temporary files and directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+@@ -4139,6 +4491,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -17856,7 +17914,7 @@ index ff006ea..a8532db 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4202,7 +4572,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4590,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17865,7 +17923,7 @@ index ff006ea..a8532db 100644
  ##	</summary>
  ## </param>
  #
-@@ -4262,7 +4632,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4650,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17874,7 +17932,7 @@ index ff006ea..a8532db 100644
  ##	</summary>
  ## </param>
  #
-@@ -4318,7 +4688,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4706,7 @@ interface(`files_tmp_filetrans',`
  		type tmp_t;
  	')
  
@@ -17883,7 +17941,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -4342,6 +4712,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4730,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -17900,7 +17958,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -4681,7 +5061,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5079,7 @@ interface(`files_usr_filetrans',`
  		type usr_t;
  	')
  
@@ -17909,7 +17967,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -4914,6 +5294,24 @@ interface(`files_list_var',`
+@@ -4914,6 +5312,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -17934,7 +17992,7 @@ index ff006ea..a8532db 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5084,7 +5482,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5500,7 @@ interface(`files_var_filetrans',`
  		type var_t;
  	')
  
@@ -17943,7 +18001,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -5219,7 +5617,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5635,7 @@ interface(`files_var_lib_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -17952,7 +18010,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -5259,6 +5657,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5675,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -17978,7 +18036,7 @@ index ff006ea..a8532db 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5304,6 +5721,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5739,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -18004,7 +18062,7 @@ index ff006ea..a8532db 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5317,6 +5753,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5771,8 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18013,7 +18071,7 @@ index ff006ea..a8532db 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5336,12 +5774,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5792,14 @@ interface(`files_dontaudit_search_locks',`
  		type var_lock_t;
  	')
  
@@ -18029,7 +18087,7 @@ index ff006ea..a8532db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5349,12 +5789,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5807,30 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -18062,7 +18120,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -5373,6 +5831,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +5849,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -18070,7 +18128,7 @@ index ff006ea..a8532db 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5385,7 +5844,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +5862,6 @@ interface(`files_rw_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -18078,7 +18136,7 @@ index ff006ea..a8532db 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5412,7 +5870,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +5888,7 @@ interface(`files_getattr_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18087,7 +18145,7 @@ index ff006ea..a8532db 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5428,12 +5886,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +5904,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -18104,7 +18162,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -5452,7 +5910,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +5928,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18113,7 +18171,7 @@ index ff006ea..a8532db 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5493,7 +5951,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +5969,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18122,7 +18180,7 @@ index ff006ea..a8532db 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +5973,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +5991,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -18131,7 +18189,7 @@ index ff006ea..a8532db 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6005,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6023,8 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -18142,7 +18200,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -5608,6 +6066,43 @@ interface(`files_search_pids',`
+@@ -5608,6 +6084,43 @@ interface(`files_search_pids',`
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -18186,7 +18244,7 @@ index ff006ea..a8532db 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -5629,6 +6124,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5629,6 +6142,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -18212,7 +18270,7 @@ index ff006ea..a8532db 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -5736,7 +6250,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6268,7 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -18221,7 +18279,7 @@ index ff006ea..a8532db 100644
  ')
  
  ########################################
-@@ -5815,29 +6329,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,29 +6347,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -18255,7 +18313,7 @@ index ff006ea..a8532db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5845,42 +6355,35 @@ interface(`files_read_all_pids',`
+@@ -5845,42 +6373,35 @@ interface(`files_read_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18305,7 +18363,7 @@ index ff006ea..a8532db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5888,20 +6391,17 @@ interface(`files_delete_all_pids',`
+@@ -5888,20 +6409,17 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -18329,7 +18387,7 @@ index ff006ea..a8532db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5909,56 +6409,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5909,56 +6427,59 @@ interface(`files_delete_all_pid_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18405,7 +18463,7 @@ index ff006ea..a8532db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5966,18 +6469,17 @@ interface(`files_list_spool',`
+@@ -5966,18 +6487,17 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18428,7 +18486,7 @@ index ff006ea..a8532db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5985,19 +6487,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -5985,19 +6505,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -18453,7 +18511,7 @@ index ff006ea..a8532db 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6005,50 +6506,313 @@ interface(`files_read_generic_spool',`
+@@ -6005,31 +6524,294 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -18487,28 +18545,17 @@ index ff006ea..a8532db 100644
 -##	</summary>
 -## </param>
 -## <param name="class">
--##	<summary>
--##	Object class(es) (single or set including {}) for which this
--##	the transition will occur.
--##	</summary>
--## </param>
- #
--interface(`files_spool_filetrans',`
++#
 +interface(`files_mounton_all_poly_members',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute polymember;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	filetrans_pattern($1, var_spool_t, $2, $3)
++	')
++
 +	allow $1 polymember:dir mounton;
- ')
- 
- ########################################
- ## <summary>
--##	Allow access to manage all polyinstantiated
--##	directories on the system.
++')
++
++########################################
++## <summary>
 +##	Delete all process IDs.
 +## </summary>
 +## <param name="domain">
@@ -18768,29 +18815,19 @@ index ff006ea..a8532db 100644
 +##	</summary>
 +## </param>
 +## <param name="class">
-+##	<summary>
-+##	Object class(es) (single or set including {}) for which this
-+##	the transition will occur.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_spool_filetrans',`
-+	gen_require(`
-+		type var_t, var_spool_t;
-+	')
-+
-+	allow $1 var_t:dir search_dir_perms;
-+	filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
-+##	Allow access to manage all polyinstantiated
-+##	directories on the system.
- ## </summary>
- ## <param name="domain">
  ##	<summary>
-@@ -6117,3 +6881,302 @@ interface(`files_unconfined',`
+ ##	Object class(es) (single or set including {}) for which this
+ ##	the transition will occur.
+@@ -6042,7 +6824,7 @@ interface(`files_spool_filetrans',`
+ 	')
+ 
+ 	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3)
++	filetrans_pattern($1, var_spool_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+@@ -6117,3 +6899,302 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
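Review bot: The inner hunk at `@@ -6042,7 +6824,7 @@` now forwards `$4` to `filetrans_pattern`, but the parameter comments visible for files_spool_filetrans stop at `<param name="class">`, so the new fourth argument appears to be undocumented. The rest of the doc block lies outside this hunk, so this is inferred. If no name parameter is described there, add a `## <param name="name" optional="true">` block stating that it is the optional object name for the transition. Without it, callers reading the interface documentation cannot tell that a fourth argument is accepted.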
@@ -21279,7 +21316,7 @@ index 7d45d15..22c9cfe 100644
 +
 +/usr/lib/udev/devices/pts -d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 01dd2f1..7a8e118 100644
+index 01dd2f1..c9ac6c7 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -21332,7 +21369,32 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -462,6 +485,24 @@ interface(`term_list_ptys',`
+@@ -384,6 +407,24 @@ interface(`term_getattr_pty_fs',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel a pty filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_relabel_pty_fs',`
++	gen_require(`
++		type devpts_t;
++	')
++
++	allow $1 devpts_t:filesystem relabel_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to get the
+ ##	attributes of the /dev/pts directory.
+ ## </summary>
+@@ -462,6 +503,24 @@ interface(`term_list_ptys',`
  
  ########################################
  ## <summary>
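Review bot: The new `term_relabel_pty_fs` interface applies `relabel_file_perms`, a permission set named for file classes, to the `filesystem` class. That set presumably expands to `{ getattr relabelfrom relabelto }`, which happens to be valid for `filesystem`, but the rule reads like a copy-paste slip and quietly includes `getattr`. Spelling it out as `allow $1 devpts_t:filesystem { relabelfrom relabelto };` makes the grant explicit. The summary could also name the type, for example `##	Relabel the devpts (pty) filesystem.`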
@@ -21357,7 +21419,7 @@ index 01dd2f1..7a8e118 100644
  ##	Do not audit attempts to read the
  ##	/dev/pts directory.
  ## </summary>
-@@ -616,6 +657,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+@@ -616,6 +675,7 @@ interface(`term_dontaudit_use_generic_ptys',`
  		type devpts_t;
  	')
  
@@ -21365,7 +21427,7 @@ index 01dd2f1..7a8e118 100644
  	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
  ')
  
-@@ -860,6 +902,26 @@ interface(`term_use_all_ptys',`
+@@ -860,6 +920,26 @@ interface(`term_use_all_ptys',`
  
  ########################################
  ## <summary>
@@ -21392,7 +21454,7 @@ index 01dd2f1..7a8e118 100644
  ##	Do not audit attempts to read or write any ptys.
  ## </summary>
  ## <param name="domain">
-@@ -873,7 +935,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -873,7 +953,7 @@ interface(`term_dontaudit_use_all_ptys',`
  		attribute ptynode;
  	')
  
@@ -21401,7 +21463,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -921,7 +983,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -921,7 +1001,7 @@ interface(`term_getattr_all_user_ptys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -21410,7 +21472,7 @@ index 01dd2f1..7a8e118 100644
  ##	</summary>
  ## </param>
  #
-@@ -1240,7 +1302,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1240,7 +1320,28 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
@@ -21440,7 +21502,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1256,11 +1339,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1256,11 +1357,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -21454,7 +21516,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1277,10 +1362,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1277,10 +1380,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -21467,7 +21529,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1358,7 +1445,27 @@ interface(`term_use_all_ttys',`
+@@ -1358,7 +1463,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -21496,7 +21558,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1377,7 +1484,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1377,7 +1502,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -21505,7 +21567,7 @@ index 01dd2f1..7a8e118 100644
  ')
  
  ########################################
-@@ -1485,7 +1592,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1485,7 +1610,7 @@ interface(`term_use_all_user_ttys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -21514,7 +21576,7 @@ index 01dd2f1..7a8e118 100644
  ##	</summary>
  ## </param>
  #
-@@ -1493,3 +1600,426 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1493,3 +1618,426 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
  ')
@@ -26396,7 +26458,7 @@ index 6480167..2ad693a 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..6bbf626 100644
+index 3136c6a..5cadd2e 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,136 +18,233 @@ policy_module(apache, 2.2.1)
@@ -26820,12 +26882,13 @@ index 3136c6a..6bbf626 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +500,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +500,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
 +corenet_udp_bind_generic_node(httpd_t)
  corenet_tcp_bind_http_port(httpd_t)
++corenet_udp_bind_http_port(httpd_t)
  corenet_tcp_bind_http_cache_port(httpd_t)
 +corenet_tcp_bind_ntop_port(httpd_t)
 +corenet_tcp_bind_jboss_management_port(httpd_t)
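Review bot: `corenet_udp_bind_http_port(httpd_t)` is added unconditionally and without a comment, so every httpd_t process may now bind UDP sockets on the ports labelled as http. The neighbouring port rules are TCP binds, and nothing in the hunk says which feature needs UDP. A one-line comment above the rule, such as `# <reason httpd needs a UDP bind on the http port>`, would let a later reviewer judge whether it still belongs. If only some deployments need it, placing the rule under a tunable would keep the default policy narrower.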
@@ -26837,7 +26900,7 @@ index 3136c6a..6bbf626 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +517,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +518,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -26853,7 +26916,7 @@ index 3136c6a..6bbf626 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +530,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +531,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -26861,7 +26924,7 @@ index 3136c6a..6bbf626 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +542,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +543,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26965,7 +27028,7 @@ index 3136c6a..6bbf626 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +649,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +650,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -27023,7 +27086,7 @@ index 3136c6a..6bbf626 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +707,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +708,16 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -27040,7 +27103,7 @@ index 3136c6a..6bbf626 100644
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +731,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +732,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -27061,7 +27124,7 @@ index 3136c6a..6bbf626 100644
  ')
  
  optional_policy(`
-@@ -513,7 +755,13 @@ optional_policy(`
+@@ -513,7 +756,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27076,7 +27139,7 @@ index 3136c6a..6bbf626 100644
  ')
  
  optional_policy(`
-@@ -528,7 +776,19 @@ optional_policy(`
+@@ -528,7 +777,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -27097,7 +27160,7 @@ index 3136c6a..6bbf626 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +797,13 @@ optional_policy(`
+@@ -537,8 +798,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27112,7 +27175,7 @@ index 3136c6a..6bbf626 100644
  	')
  ')
  
-@@ -556,7 +821,21 @@ optional_policy(`
+@@ -556,7 +822,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27134,7 +27197,7 @@ index 3136c6a..6bbf626 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +846,7 @@ optional_policy(`
+@@ -567,6 +847,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -27142,7 +27205,7 @@ index 3136c6a..6bbf626 100644
  ')
  
  optional_policy(`
-@@ -577,6 +857,20 @@ optional_policy(`
+@@ -577,6 +858,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27163,7 +27226,7 @@ index 3136c6a..6bbf626 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +885,11 @@ optional_policy(`
+@@ -591,6 +886,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27175,7 +27238,7 @@ index 3136c6a..6bbf626 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +902,12 @@ optional_policy(`
+@@ -603,6 +903,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -27188,7 +27251,7 @@ index 3136c6a..6bbf626 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +921,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +922,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -27201,7 +27264,7 @@ index 3136c6a..6bbf626 100644
  
  ########################################
  #
-@@ -654,28 +963,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +964,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -27245,7 +27308,7 @@ index 3136c6a..6bbf626 100644
  ')
  
  ########################################
-@@ -685,6 +996,8 @@ optional_policy(`
+@@ -685,6 +997,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -27254,7 +27317,7 @@ index 3136c6a..6bbf626 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1012,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1013,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -27280,7 +27343,7 @@ index 3136c6a..6bbf626 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1058,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1059,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -27313,7 +27376,7 @@ index 3136c6a..6bbf626 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1105,25 @@ optional_policy(`
+@@ -769,6 +1106,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -27339,7 +27402,7 @@ index 3136c6a..6bbf626 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1144,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1145,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -27357,7 +27420,7 @@ index 3136c6a..6bbf626 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1163,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1164,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -27414,7 +27477,7 @@ index 3136c6a..6bbf626 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1214,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1215,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -27445,7 +27508,7 @@ index 3136c6a..6bbf626 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1249,20 @@ optional_policy(`
+@@ -842,10 +1250,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27466,7 +27529,7 @@ index 3136c6a..6bbf626 100644
  ')
  
  ########################################
-@@ -891,11 +1308,135 @@ optional_policy(`
+@@ -891,11 +1309,135 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -28228,20 +28291,22 @@ index a7a0e71..5352ef6 100644
  ')
  
 diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index 59aa54f..159f74f 100644
+index 59aa54f..643afce 100644
 --- a/policy/modules/services/bind.fc
 +++ b/policy/modules/services/bind.fc
-@@ -5,6 +5,10 @@
+@@ -4,6 +4,12 @@
+ /etc/rndc.*		--	gen_context(system_u:object_r:named_conf_t,s0)
  /etc/rndc\.key 		-- 	gen_context(system_u:object_r:dnssec_t,s0)
  /etc/unbound(/.*)?		gen_context(system_u:object_r:named_conf_t,s0)
- 
++/etc/unbound/.*\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
++/etc/dnssec-trigger/dnssec_trigger_server\.key 	--	gen_context(system_u:object_r:dnssec_t,s0)
++
 +/lib/systemd/system/named.service	--	gen_context(system_u:object_r:named_unit_file_t,s0)
 +
 +/usr/lib/systemd/system/named.service	--	gen_context(system_u:object_r:named_unit_file_t,s0)
-+
+ 
  /usr/sbin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
  /usr/sbin/named		--	gen_context(system_u:object_r:named_exec_t,s0)
- /usr/sbin/named-checkconf --	gen_context(system_u:object_r:named_checkconf_exec_t,s0)
 diff --git a/policy/modules/services/bind.if b/policy/modules/services/bind.if
 index 44a1e3d..776e2ed 100644
 --- a/policy/modules/services/bind.if
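Review bot: Among the new dnssec_t entries, only `dnssec_trigger_server\.key` is labelled under /etc/dnssec-trigger, whereas the unbound entry covers every `.key` file in its directory. Any other private key stored in /etc/dnssec-trigger would keep its default label and would not be separated from ordinary configuration files. Whether such files exist cannot be seen from this hunk; if they do, a pattern in the same form as the unbound line, `/etc/dnssec-trigger/.*\.key`, would cover them. A short comment above both entries saying that they hold private key material would also explain why they differ from the `named_conf_t` default.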
@@ -32405,10 +32470,10 @@ index 0000000..40a0157
 +
 diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
 new file mode 100644
-index 0000000..ca71d08
+index 0000000..ab1d55b
 --- /dev/null
 +++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,81 @@
 +policy_module(collectd, 1.0.0)
 +
 +########################################
@@ -32441,7 +32506,8 @@ index 0000000..ca71d08
 +#
 +# collectd local policy
 +#
-+allow collectd_t self:process { fork };
++allow collectd_t self:capability ipc_lock;
++allow collectd_t self:process fork;
 +
 +allow collectd_t self:fifo_file rw_fifo_file_perms;
 +allow collectd_t self:unix_stream_socket create_stream_socket_perms;
@@ -33251,7 +33317,7 @@ index 2eefc08..32a4a69 100644
 +
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
-index 35241ed..7a0913c 100644
+index 35241ed..9ac0000 100644
 --- a/policy/modules/services/cron.if
 +++ b/policy/modules/services/cron.if
 @@ -12,6 +12,11 @@
@@ -33506,7 +33572,32 @@ index 35241ed..7a0913c 100644
  ##	Inherit and use a file descriptor
  ##	from the cron daemon.
  ## </summary>
-@@ -377,6 +419,47 @@ interface(`cron_read_pipes',`
+@@ -359,6 +401,24 @@ interface(`cron_sigchld',`
+ 
+ ########################################
+ ## <summary>
++##	Send a generic signal to cron daemon.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`cron_signal',`
++	gen_require(`
++		type crond_t;
++	')
++
++	allow $1 crond_t:process signal;
++')
++
++########################################
++## <summary>
+ ##	Read a cron daemon unnamed pipe.
+ ## </summary>
+ ## <param name="domain">
+@@ -377,6 +437,47 @@ interface(`cron_read_pipes',`
  
  ########################################
  ## <summary>
@@ -33554,7 +33645,7 @@ index 35241ed..7a0913c 100644
  ##	Do not audit attempts to write cron daemon unnamed pipes.
  ## </summary>
  ## <param name="domain">
-@@ -390,6 +473,7 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -390,6 +491,7 @@ interface(`cron_dontaudit_write_pipes',`
  		type crond_t;
  	')
  
@@ -33562,7 +33653,7 @@ index 35241ed..7a0913c 100644
  	dontaudit $1 crond_t:fifo_file write;
  ')
  
-@@ -408,7 +492,43 @@ interface(`cron_rw_pipes',`
+@@ -408,7 +510,43 @@ interface(`cron_rw_pipes',`
  		type crond_t;
  	')
  
@@ -33607,7 +33698,7 @@ index 35241ed..7a0913c 100644
  ')
  
  ########################################
-@@ -468,6 +588,25 @@ interface(`cron_search_spool',`
+@@ -468,6 +606,25 @@ interface(`cron_search_spool',`
  
  ########################################
  ## <summary>
@@ -33633,7 +33724,7 @@ index 35241ed..7a0913c 100644
  ##	Manage pid files used by cron
  ## </summary>
  ## <param name="domain">
-@@ -481,6 +620,7 @@ interface(`cron_manage_pid_files',`
+@@ -481,6 +638,7 @@ interface(`cron_manage_pid_files',`
  		type crond_var_run_t;
  	')
  
@@ -33641,7 +33732,7 @@ index 35241ed..7a0913c 100644
  	manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
  ')
  
-@@ -536,7 +676,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -536,7 +694,7 @@ interface(`cron_write_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -33650,7 +33741,7 @@ index 35241ed..7a0913c 100644
  ')
  
  ########################################
-@@ -554,7 +694,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -554,7 +712,7 @@ interface(`cron_rw_system_job_pipes',`
  		type system_cronjob_t;
  	')
  
@@ -33659,7 +33750,7 @@ index 35241ed..7a0913c 100644
  ')
  
  ########################################
-@@ -587,11 +727,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -587,11 +745,14 @@ interface(`cron_rw_system_job_stream_sockets',`
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -33675,7 +33766,7 @@ index 35241ed..7a0913c 100644
  ')
  
  ########################################
-@@ -627,7 +770,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -627,7 +788,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
  interface(`cron_dontaudit_write_system_job_tmp_files',`
  	gen_require(`
  		type system_cronjob_tmp_t;
@@ -33724,7 +33815,7 @@ index 35241ed..7a0913c 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..d382f40 100644
+index f7583ab..8946846 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -33924,7 +34015,7 @@ index f7583ab..d382f40 100644
  logging_send_syslog_msg(crond_t)
  logging_set_loginuid(crond_t)
  
-@@ -220,8 +258,11 @@ miscfiles_read_localization(crond_t)
+@@ -220,20 +258,23 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -33936,11 +34027,19 @@ index f7583ab..d382f40 100644
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -233,7 +274,7 @@ ifdef(`distro_debian',`
- 	')
+ 	allow crond_t self:process setrlimit;
+ 
+-	optional_policy(`
+-		# Debian logcheck has the home dir set to its cache
+-		logwatch_search_cache_dir(crond_t)
+-	')
  ')
  
 -ifdef(`distro_redhat', `
++optional_policy(`
++	logwatch_search_cache_dir(crond_t)
++')
++
 +ifdef(`distro_redhat',`
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
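Review bot: Moving `logwatch_search_cache_dir(crond_t)` out of the `distro_debian` block drops the comment that justified it (`# Debian logcheck has the home dir set to its cache`) and grants the access on every distribution. The new top-level `optional_policy` block carries no comment, so the reason crond_t must search the logwatch cache directory outside Debian is lost. Add a comment inside the block that states the non-Debian case, for example `# <which cron job or account setup needs this outside Debian>`.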
@@ -36391,10 +36490,18 @@ index f706b99..d41e4fe 100644
 +	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..4f7e166 100644
+index f231f17..6c1a7eb 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
-@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t)
+@@ -16,6 +16,7 @@ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
+ type devicekit_disk_t;
+ type devicekit_disk_exec_t;
+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
++init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
+ 
+ type devicekit_tmp_t;
+ files_tmp_file(devicekit_tmp_t)
+@@ -26,6 +27,9 @@ files_pid_file(devicekit_var_run_t)
  type devicekit_var_lib_t;
  files_type(devicekit_var_lib_t)
  
@@ -36404,7 +36511,7 @@ index f231f17..4f7e166 100644
  ########################################
  #
  # DeviceKit local policy
-@@ -62,7 +65,8 @@ optional_policy(`
+@@ -62,7 +66,8 @@ optional_policy(`
  # DeviceKit disk local policy
  #
  
@@ -36414,7 +36521,7 @@ index f231f17..4f7e166 100644
  allow devicekit_disk_t self:process { getsched signal_perms };
  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -75,10 +79,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -75,10 +80,13 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
  
@@ -36428,7 +36535,7 @@ index f231f17..4f7e166 100644
  kernel_getattr_message_if(devicekit_disk_t)
  kernel_read_fs_sysctls(devicekit_disk_t)
  kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +104,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+@@ -97,6 +105,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
  dev_manage_generic_files(devicekit_disk_t)
  dev_getattr_all_chr_files(devicekit_disk_t)
  dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -36436,7 +36543,7 @@ index f231f17..4f7e166 100644
  
  domain_getattr_all_pipes(devicekit_disk_t)
  domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +113,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +114,17 @@ domain_read_all_domains_state(devicekit_disk_t)
  
  files_dontaudit_read_all_symlinks(devicekit_disk_t)
  files_getattr_all_sockets(devicekit_disk_t)
@@ -36455,7 +36562,7 @@ index f231f17..4f7e166 100644
  fs_list_inotifyfs(devicekit_disk_t)
  fs_manage_fusefs_dirs(devicekit_disk_t)
  fs_mount_all_fs(devicekit_disk_t)
-@@ -127,10 +138,12 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,10 +139,12 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
@@ -36469,7 +36576,7 @@ index f231f17..4f7e166 100644
  miscfiles_read_localization(devicekit_disk_t)
  
  userdom_read_all_users_state(devicekit_disk_t)
-@@ -178,55 +191,84 @@ optional_policy(`
+@@ -178,55 +192,84 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -36559,7 +36666,7 @@ index f231f17..4f7e166 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,7 +277,12 @@ optional_policy(`
+@@ -235,7 +278,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36572,7 +36679,7 @@ index f231f17..4f7e166 100644
  ')
  
  optional_policy(`
-@@ -261,14 +308,21 @@ optional_policy(`
+@@ -261,14 +309,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36595,7 +36702,7 @@ index f231f17..4f7e166 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +330,30 @@ optional_policy(`
+@@ -276,9 +331,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -37883,13 +37990,13 @@ index fdaeeba..b1ea136 100644
  ')
 diff --git a/policy/modules/services/dnssec.fc b/policy/modules/services/dnssec.fc
 new file mode 100755
-index 0000000..06b9b19
+index 0000000..9e231a8
 --- /dev/null
 +++ b/policy/modules/services/dnssec.fc
 @@ -0,0 +1,3 @@
-+/usr/sbin/dnssec-triggerd		--	gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
++/usr/sbin/dnssec-triggerd	--	gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
 +
-+/var/run/dnssec-triggerd(/.*)?		gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
++/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
 diff --git a/policy/modules/services/dnssec.if b/policy/modules/services/dnssec.if
 new file mode 100755
 index 0000000..a9dbcf2
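Review bot: The new pattern `/var/run/dnssec.*` is much broader than the `/var/run/dnssec-triggerd(/.*)?` it replaces. It labels every path under /var/run whose name begins with `dnssec` as dnssec_trigger_var_run_t, including files that may belong to other DNSSEC-related services. Since dnssec_trigger_t presumably manages that type, unrelated pid files or sockets could become writable by it. If the aim is to cover a second name that the daemon creates, list that name explicitly next to the original pattern instead of using a prefix match.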
@@ -37968,10 +38075,10 @@ index 0000000..a9dbcf2
 +')
 diff --git a/policy/modules/services/dnssec.te b/policy/modules/services/dnssec.te
 new file mode 100755
-index 0000000..0d3ca7a
+index 0000000..8aa75f3
 --- /dev/null
 +++ b/policy/modules/services/dnssec.te
-@@ -0,0 +1,58 @@
+@@ -0,0 +1,60 @@
 +policy_module(dnssec, 1.0.0)
 +
 +########################################
@@ -38008,6 +38115,7 @@ index 0000000..0d3ca7a
 +
 +corenet_tcp_bind_generic_node(dnssec_trigger_t)
 +corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
++corenet_tcp_connect_rndc_port(dnssec_trigger_t)
 +
 +dev_read_urand(dnssec_trigger_t)
 +
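Review bot: `corenet_tcp_connect_rndc_port(dnssec_trigger_t)` is added at top level, while the related `bind_read_dnssec_keys(dnssec_trigger_t)` in the next hunk sits inside the bind `optional_policy` block, and neither rule is commented. The bind.fc change in this commit labels `/etc/unbound/.*\.key` as dnssec_t, so the key interface presumably lets dnssec_trigger_t read every dnssec_t key file rather than only the one it uses. Add a comment on both rules, for example `# <why dnssec-trigger connects to the rndc port and which key it reads>`, and confirm that read access to all dnssec_t files is intended.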
@@ -38027,6 +38135,7 @@ index 0000000..0d3ca7a
 +
 +optional_policy(`
 +	bind_read_config(dnssec_trigger_t)
++	bind_read_dnssec_keys(dnssec_trigger_t)
 +')
 +
 +
@@ -39997,10 +40106,10 @@ index 0000000..06462d4
 +')
 diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
 new file mode 100644
-index 0000000..2e4b1aa
+index 0000000..60fcddb
 --- /dev/null
 +++ b/policy/modules/services/firewalld.te
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,72 @@
 +
 +policy_module(firewalld,1.0.0)
 +
@@ -40045,6 +40154,8 @@ index 0000000..2e4b1aa
 +
 +corecmd_exec_bin(firewalld_t)
 +
++dev_read_urand(firewalld_t)
++
 +domain_use_interactive_fds(firewalld_t)
 +
 +files_read_etc_files(firewalld_t)
@@ -50688,14 +50799,12 @@ index 0000000..eebfda8
 +			
 diff --git a/policy/modules/services/obex.if b/policy/modules/services/obex.if
 new file mode 100644
-index 0000000..2d78f06
+index 0000000..d3b9544
 --- /dev/null
 +++ b/policy/modules/services/obex.if
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,77 @@
 +## <summary>SELinux policy for obex-data-server</summary>
 +
-+
-+
 +########################################
 +## <summary>
 +##  Transition to obex.
@@ -50735,6 +50844,42 @@ index 0000000..2d78f06
 +    allow $1 obex_t:dbus send_msg;
 +    allow obex_t $1:dbus send_msg;
 +')
++
++#######################################
++## <summary>
++##	Role access for obex domains
++##	that executes via dbus-session
++## </summary>
++## <param name="user_role">
++##	<summary>
++##	The role associated with the user domain.
++##	</summary>
++## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++## <param name="domain_prefix">
++##	<summary>
++##	User domain prefix to be used.
++##	</summary>
++## </param>
++#
++template(`obex_role',`
++	gen_require(`
++	        type obex_t, obex_exec_t;
++	')
++
++	role $1 types obex_t;
++
++	allow $2 obex_t:process signal_perms;
++	ps_process_pattern($2, obex_t)
++
++	dbus_session_domain($3, obex_exec_t, obex_t)
++
++	obex_dbus_chat($2)
++')
 diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te
 new file mode 100644
 index 0000000..4a6f24c
@@ -51079,7 +51224,7 @@ index d883214..d6afa87 100644
  	init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
-index 8b550f4..6b73075 100644
+index 8b550f4..117a7ac 100644
 --- a/policy/modules/services/openvpn.te
 +++ b/policy/modules/services/openvpn.te
 @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0)
@@ -51163,7 +51308,7 @@ index 8b550f4..6b73075 100644
  logging_send_syslog_msg(openvpn_t)
  
  miscfiles_read_localization(openvpn_t)
-@@ -112,21 +122,21 @@ sysnet_exec_ifconfig(openvpn_t)
+@@ -112,21 +122,23 @@ sysnet_exec_ifconfig(openvpn_t)
  sysnet_manage_config(openvpn_t)
  sysnet_etc_filetrans_config(openvpn_t)
  
@@ -51171,6 +51316,8 @@ index 8b550f4..6b73075 100644
 +userdom_use_inherited_user_terminals(openvpn_t)
 +userdom_read_home_certs(openvpn_t)
 +userdom_attach_admin_tun_iface(openvpn_t)
++userdom_read_inherited_user_tmp_files(openvpn_t)
++userdom_read_inherited_user_home_content_files(openvpn_t)
  
  tunable_policy(`openvpn_enable_homedirs',`
 -	userdom_read_user_home_content_files(openvpn_t)
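Review bot: `userdom_read_inherited_user_home_content_files(openvpn_t)` is added outside the `openvpn_enable_homedirs` tunable that follows it, so part of the home-content access no longer depends on that boolean. The interface name suggests it covers only descriptors that openvpn inherits, which is narrower than opening files itself, but an administrator who leaves the tunable off may not expect it. Either move the rule inside the `tunable_policy` block or add a comment such as `# inherited descriptors only; openvpn_enable_homedirs still gates opening home files`. The `tunable_policy` block continues past the end of this hunk.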
@@ -51193,7 +51340,7 @@ index 8b550f4..6b73075 100644
  
  optional_policy(`
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
-@@ -138,3 +148,7 @@ optional_policy(`
+@@ -138,3 +150,7 @@ optional_policy(`
  
  	networkmanager_dbus_chat(openvpn_t)
  ')
@@ -51772,10 +51919,10 @@ index 0000000..548d0a2
 +')
 diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te
 new file mode 100644
-index 0000000..ad76682
+index 0000000..44c7098
 --- /dev/null
 +++ b/policy/modules/services/piranha.te
-@@ -0,0 +1,300 @@
+@@ -0,0 +1,302 @@
 +policy_module(piranha, 1.0.0)
 +
 +########################################
@@ -51965,7 +52112,9 @@ index 0000000..ad76682
 +
 +corecmd_exec_bin(piranha_pulse_t)
 +corecmd_exec_shell(piranha_pulse_t)
-+consoletype_exec(piranha_pulse_t)
++optional_policy(`
++	consoletype_exec(piranha_pulse_t)
++')
 +
 +corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
 +corenet_udp_bind_cma_port(piranha_pulse_t)
@@ -58116,7 +58265,7 @@ index de37806..3e870b7 100644
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
-index 93c896a..8c29c39 100644
+index 93c896a..407bb05 100644
 --- a/policy/modules/services/rhcs.te
 +++ b/policy/modules/services/rhcs.te
 @@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0)
@@ -58308,6 +58457,15 @@ index 93c896a..8c29c39 100644
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
+@@ -182,7 +236,7 @@ kernel_read_system_state(qdiskd_t)
+ kernel_read_software_raid_state(qdiskd_t)
+ kernel_getattr_core_if(qdiskd_t)
+ 
+-corecmd_getattr_bin_files(qdiskd_t)
++corecmd_exec_bin(qdiskd_t)
+ corecmd_exec_shell(qdiskd_t)
+ 
+ dev_read_sysfs(qdiskd_t)
 @@ -199,6 +253,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
  files_dontaudit_getattr_all_pipes(qdiskd_t)
  files_read_etc_files(qdiskd_t)
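Review bot: Replacing `corecmd_getattr_bin_files(qdiskd_t)` with `corecmd_exec_bin(qdiskd_t)` widens qdiskd_t from stat-only access to running generically labelled binaries in its own domain, and nothing in the hunk records which program needs it. Together with the existing `corecmd_exec_shell(qdiskd_t)` on the next line this lets qdiskd_t run arbitrary commands without a transition, presumably for administrator-configured heuristic programs (to be confirmed). A comment such as `# qdiskd runs admin-configured heuristic programs labelled bin_t` would document the reason. If only one specific helper is involved, a transition to a dedicated domain would be tighter.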
@@ -66306,7 +66464,7 @@ index 32a3c13..e3d91ad 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..246df1a 100644
+index 2124b6a..d9da85a 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,5 +1,6 @@
@@ -66318,11 +66476,12 @@ index 2124b6a..246df1a 100644
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,43 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,44 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
 +/usr/libexec/libvirt_lxc --	gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
++/usr/libexec/qemu-bridge-helper		gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
 +
 +/usr/sbin/libvirt-qmf	--	gen_context(system_u:object_r:virt_qmf_exec_t,s0)
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
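Review bot: The new `/usr/libexec/qemu-bridge-helper` entry has no file-type field, while the neighbouring executables (`/usr/libexec/libvirt_lxc --`, `/usr/sbin/libvirtd --`) restrict the match to regular files. Without it the entrypoint type would also be applied to a directory or symlink at that path, so I would write `/usr/libexec/qemu-bridge-helper	--	gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)`. The same file also carries `/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)`, which matches this path too. The literal entry should take precedence, but it is worth checking the resulting label with `matchpathcon` after install.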
@@ -66366,7 +66525,7 @@ index 2124b6a..246df1a 100644
 +/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..e6bb21e 100644
+index 7c5d8d8..cd38850 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
 @@ -13,39 +13,45 @@
@@ -66478,7 +66637,7 @@ index 7c5d8d8..e6bb21e 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -114,9 +126,28 @@ interface(`virt_domtrans',`
+@@ -114,9 +126,45 @@ interface(`virt_domtrans',`
  	domtrans_pattern($1, virtd_exec_t, virtd_t)
  ')
  
@@ -66501,6 +66660,23 @@ index 7c5d8d8..e6bb21e 100644
 +	domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
 +')
 +
++########################################
++## <summary>
++##  Transition to virt_bridgehelper.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++interface(`virt_domtrans_bridgehelper',`
++	gen_require(`
++		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
++	')
++
++	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
++')
++
  #######################################
  ## <summary>
 -##	Connect to virt over an unix domain stream socket.
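Review bot: The header comment of `virt_domtrans_bridgehelper` does not follow the layout of the other interfaces in this file: the `<summary>` inside `<param>` is not tab-indented, the text uses two spaces instead of a tab, and the lone `#` line before `interface(` is missing. I would write the param body as `##	<summary>`, `##	Domain allowed to transition.`, `##	</summary>` and add the closing `#` line. The summary could also name the program, e.g. `##	Execute qemu-bridge-helper in the virt_bridgehelper domain.`, since the virt.fc entry in this commit ties the exec type to that path.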
@@ -66508,7 +66684,7 @@ index 7c5d8d8..e6bb21e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -164,13 +195,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +212,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
  	gen_require(`
@@ -66524,7 +66700,7 @@ index 7c5d8d8..e6bb21e 100644
  ')
  
  ########################################
-@@ -185,13 +216,13 @@ interface(`virt_read_config',`
+@@ -185,13 +233,13 @@ interface(`virt_read_config',`
  #
  interface(`virt_manage_config',`
  	gen_require(`
@@ -66540,7 +66716,7 @@ index 7c5d8d8..e6bb21e 100644
  ')
  
  ########################################
-@@ -231,6 +262,24 @@ interface(`virt_read_content',`
+@@ -231,6 +279,24 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -66565,7 +66741,7 @@ index 7c5d8d8..e6bb21e 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +318,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +335,36 @@ interface(`virt_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -66602,7 +66778,7 @@ index 7c5d8d8..e6bb21e 100644
  ##	Search virt lib directories.
  ## </summary>
  ## <param name="domain">
-@@ -308,6 +387,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +404,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -66627,7 +66803,7 @@ index 7c5d8d8..e6bb21e 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +449,9 @@ interface(`virt_read_log',`
+@@ -352,9 +466,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -66639,7 +66815,7 @@ index 7c5d8d8..e6bb21e 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -408,6 +505,7 @@ interface(`virt_read_images',`
+@@ -408,6 +522,7 @@ interface(`virt_read_images',`
  	read_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	read_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -66647,7 +66823,7 @@ index 7c5d8d8..e6bb21e 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_list_nfs($1)
-@@ -424,6 +522,24 @@ interface(`virt_read_images',`
+@@ -424,6 +539,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -66672,7 +66848,7 @@ index 7c5d8d8..e6bb21e 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +549,15 @@ interface(`virt_read_images',`
+@@ -433,15 +566,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -66693,7 +66869,7 @@ index 7c5d8d8..e6bb21e 100644
  ')
  
  ########################################
-@@ -466,6 +582,7 @@ interface(`virt_manage_images',`
+@@ -466,6 +599,7 @@ interface(`virt_manage_images',`
  	manage_files_pattern($1, virt_image_type, virt_image_type)
  	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
  	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
@@ -66701,7 +66877,7 @@ index 7c5d8d8..e6bb21e 100644
  
  	tunable_policy(`virt_use_nfs',`
  		fs_manage_nfs_dirs($1)
-@@ -500,10 +617,19 @@ interface(`virt_manage_images',`
+@@ -500,10 +634,19 @@ interface(`virt_manage_images',`
  interface(`virt_admin',`
  	gen_require(`
  		type virtd_t, virtd_initrc_exec_t;
@@ -66722,7 +66898,7 @@ index 7c5d8d8..e6bb21e 100644
  
  	init_labeled_script_domtrans($1, virtd_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -515,4 +641,231 @@ interface(`virt_admin',`
+@@ -515,4 +658,231 @@ interface(`virt_admin',`
  	virt_manage_lib_files($1)
  
  	virt_manage_log($1)
@@ -66730,7 +66906,7 @@ index 7c5d8d8..e6bb21e 100644
 +	virt_manage_images($1)
 +
 +	allow $1 virt_domain:process signal_perms;
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -66760,7 +66936,7 @@ index 7c5d8d8..e6bb21e 100644
 +	optional_policy(`
 +		ptchown_run(svirt_t, $2)
 +	')
- ')
++')
 +
 +########################################
 +## <summary>
@@ -66955,7 +67131,7 @@ index 7c5d8d8..e6bb21e 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..c0eaf5e 100644
+index 3eca020..fe37c85 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@@ -67109,7 +67285,7 @@ index 3eca020..c0eaf5e 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -97,6 +138,27 @@ ifdef(`enable_mls',`
+@@ -97,6 +138,34 @@ ifdef(`enable_mls',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
  ')
  
@@ -67117,6 +67293,13 @@ index 3eca020..c0eaf5e 100644
 +type virt_qmf_exec_t;
 +init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
 +
++type virt_bridgehelper_t;
++domain_type(virt_bridgehelper_t)
++
++type virt_bridgehelper_exec_t;
++domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
++role system_r types virt_bridgehelper_t;
++
 +########################################
 +#
 +# Declarations
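Review bot: `role system_r types virt_bridgehelper_t;` authorises the new domain for system_r only, while `virt_domtrans_bridgehelper` added in virt.if is a public interface that grants just the type transition. A caller domain running under any other role would have the transition denied on the role/type pair even though the type rules allow it. Whether such callers exist cannot be seen from this hunk. If they do, a run-style interface taking the role as a second argument and adding `role $2 types virt_bridgehelper_t;` would cover them. Otherwise a comment such as `# bridge helper is only entered from system_r domains (svirt_t)` would record the intent.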
@@ -67137,7 +67320,7 @@ index 3eca020..c0eaf5e 100644
  ########################################
  #
  # svirt local policy
-@@ -104,15 +166,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +173,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -67154,7 +67337,7 @@ index 3eca020..c0eaf5e 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -130,9 +189,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+@@ -130,9 +196,13 @@ corenet_tcp_connect_all_ports(svirt_t)
  
  dev_list_sysfs(svirt_t)
  
@@ -67168,7 +67351,7 @@ index 3eca020..c0eaf5e 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +210,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +217,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -67184,7 +67367,7 @@ index 3eca020..c0eaf5e 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +227,24 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +234,28 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -67206,10 +67389,14 @@ index 3eca020..c0eaf5e 100644
 +')
 +
 +optional_policy(`
++	virt_domtrans_bridgehelper(svirt_t)
++')
++
++optional_policy(`
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -173,22 +253,40 @@ optional_policy(`
+@@ -173,22 +264,40 @@ optional_policy(`
  # virtd local policy
  #
  
@@ -67257,7 +67444,7 @@ index 3eca020..c0eaf5e 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -199,9 +297,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -199,9 +308,18 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -67278,7 +67465,7 @@ index 3eca020..c0eaf5e 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +324,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +335,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -67294,7 +67481,7 @@ index 3eca020..c0eaf5e 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +352,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +363,33 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -67329,7 +67516,7 @@ index 3eca020..c0eaf5e 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +386,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +397,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -67348,7 +67535,7 @@ index 3eca020..c0eaf5e 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -276,6 +412,8 @@ term_use_ptmx(virtd_t)
+@@ -276,6 +423,8 @@ term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
  
@@ -67357,14 +67544,14 @@ index 3eca020..c0eaf5e 100644
  miscfiles_read_localization(virtd_t)
  miscfiles_read_generic_certs(virtd_t)
  miscfiles_read_hwdata(virtd_t)
-@@ -285,16 +423,31 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +434,31 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
- 
-+selinux_validate_context(virtd_t)
 +
++selinux_validate_context(virtd_t)
+ 
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -67389,7 +67576,7 @@ index 3eca020..c0eaf5e 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +466,10 @@ optional_policy(`
+@@ -313,6 +477,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67400,7 +67587,7 @@ index 3eca020..c0eaf5e 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -326,6 +483,14 @@ optional_policy(`
+@@ -326,6 +494,14 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -67415,7 +67602,7 @@ index 3eca020..c0eaf5e 100644
  ')
  
  optional_policy(`
-@@ -334,11 +499,14 @@ optional_policy(`
+@@ -334,11 +510,14 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
@@ -67430,7 +67617,7 @@ index 3eca020..c0eaf5e 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +528,11 @@ optional_policy(`
+@@ -360,11 +539,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -67447,7 +67634,7 @@ index 3eca020..c0eaf5e 100644
  ')
  
  optional_policy(`
-@@ -394,20 +562,36 @@ optional_policy(`
+@@ -394,20 +573,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -67487,7 +67674,7 @@ index 3eca020..c0eaf5e 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +602,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +613,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -67500,7 +67687,7 @@ index 3eca020..c0eaf5e 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +614,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +625,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -67513,7 +67700,7 @@ index 3eca020..c0eaf5e 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +627,365 @@ files_search_all(virt_domain)
+@@ -440,25 +638,386 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -67521,12 +67708,12 @@ index 3eca020..c0eaf5e 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
@@ -67713,6 +67900,7 @@ index 3eca020..c0eaf5e 100644
 +
 +files_read_etc_files(virtd_lxc_t)
 +files_read_usr_files(virtd_lxc_t)
++files_relabel_rootfs(virtd_lxc_t)
 +files_mounton_non_security(virtd_lxc_t)
 +files_mount_all_file_type_fs(virtd_lxc_t)
 +files_unmount_all_file_type_fs(virtd_lxc_t)
@@ -67734,6 +67922,7 @@ index 3eca020..c0eaf5e 100644
 +
 +term_use_generic_ptys(virtd_lxc_t)
 +term_use_ptmx(virtd_lxc_t)
++term_relabel_pty_fs(virtd_lxc_t)
 +
 +auth_use_nsswitch(virtd_lxc_t)
 +
@@ -67742,6 +67931,7 @@ index 3eca020..c0eaf5e 100644
 +miscfiles_read_localization(virtd_lxc_t)
 +
 +seutil_domtrans_setfiles(virtd_lxc_t)
++seutil_read_default_contexts(virtd_lxc_t)
 +
 +sysnet_domtrans_ifconfig(virtd_lxc_t)
 +
@@ -67756,12 +67946,12 @@ index 3eca020..c0eaf5e 100644
 +#
 +allow svirt_lxc_domain self:capability { kill setuid setgid dac_override };
 +
++allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
 +allow virtd_t svirt_lxc_domain:process { signal_perms };
 +allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
-+
 +allow svirt_lxc_domain virtd_lxc_t:fd use;
 +allow svirt_lxc_domain virtd_lxc_var_run_t:dir search_dir_perms;
-+dontaudit svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write };
++allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
 +
 +allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
 +allow svirt_lxc_domain self:fifo_file manage_file_perms;
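Review bot: The dontaudit on `svirt_lxc_domain virtd_lxc_t:unix_stream_socket { read write }` becomes `allow ... { connectto rw_socket_perms }`, so every container domain may now connect to and exchange data with the controller's stream sockets instead of merely having a leaked-descriptor denial silenced. The companion rule `allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };` also looks wider than needed, since create, listen and accept normally matter only on a domain's own sockets. If the intent is a single control or console channel (not confirmed from this hunk), I would narrow it to `allow virtd_t svirt_lxc_domain:unix_stream_socket connectto;`. A comment naming the socket the container is expected to reach would help either way.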
@@ -67882,6 +68072,24 @@ index 3eca020..c0eaf5e 100644
 +logging_send_syslog_msg(virt_qmf_t)
 +
 +miscfiles_read_localization(virt_qmf_t)
++
++########################################
++#
++# virt_bridgehelper local policy
++#
++allow virt_bridgehelper_t self:process { setcap getcap };
++allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
++allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
++allow virt_bridgehelper_t self:tun_socket create_socket_perms;
++allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
++
++kernel_read_network_state(virt_bridgehelper_t)
++
++corenet_rw_tun_tap_dev(virt_bridgehelper_t)
++
++files_read_etc_files(virt_bridgehelper_t)
++
++userdom_use_inherited_user_ptys(virt_bridgehelper_t)
 diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
 index 11533cc..4d81b99 100644
 --- a/policy/modules/services/vnstatd.fc
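Review bot: `allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;` lets a domain that also holds `net_admin` listen and accept on TCP sockets, which looks like more than a bridge helper needs. If the TCP socket is only a handle for interface ioctls (not confirmed from this hunk), `allow virt_bridgehelper_t self:tcp_socket create_socket_perms;` would be enough and would match the tun_socket and unix_dgram_socket lines below it. A short comment on the capability line, e.g. `# setuid/setgid/setpcap: drop privileges after attaching the tap device`, would tell the next reader why those are granted, assuming that is the reason.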
@@ -68309,7 +68517,7 @@ index 4966c94..cb2e1a3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..86143cf 100644
+index 130ced9..4c198c1 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -68547,7 +68755,7 @@ index 130ced9..86143cf 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,22 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,24 @@ template(`xserver_user_x_domain_template',`
  	allow $2 xauth_home_t:file read_file_perms;
  	allow $2 iceauth_home_t:file read_file_perms;
  
@@ -68560,6 +68768,8 @@ index 130ced9..86143cf 100644
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
 +	userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
 +	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped")
++	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old")
 +	userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
 +
  	# for when /tmp/.X11-unix is created by the system
@@ -68572,7 +68782,7 @@ index 130ced9..86143cf 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +522,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +524,26 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -68601,7 +68811,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -517,6 +573,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +575,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -68609,7 +68819,7 @@ index 130ced9..86143cf 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +604,42 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +606,42 @@ interface(`xserver_domtrans_xauth',`
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
  ')
  
@@ -68652,7 +68862,7 @@ index 130ced9..86143cf 100644
  ########################################
  ## <summary>
  ##	Create a Xauthority file in the user home directory.
-@@ -598,6 +691,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +693,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -68660,7 +68870,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -615,7 +709,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +711,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -68669,7 +68879,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -638,6 +732,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +734,25 @@ interface(`xserver_rw_console',`
  
  ########################################
  ## <summary>
@@ -68695,7 +68905,7 @@ index 130ced9..86143cf 100644
  ##	Use file descriptors for xdm.
  ## </summary>
  ## <param name="domain">
-@@ -651,7 +764,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +766,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -68704,7 +68914,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -670,7 +783,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +785,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -68713,7 +68923,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -688,7 +801,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +803,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -68722,7 +68932,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -703,12 +816,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +818,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -68736,7 +68946,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -724,11 +836,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +838,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -68770,7 +68980,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -752,6 +884,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +886,25 @@ interface(`xserver_read_xdm_rw_config',`
  
  ########################################
  ## <summary>
@@ -68796,7 +69006,7 @@ index 130ced9..86143cf 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -765,7 +916,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +918,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -68805,7 +69015,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -805,7 +956,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +958,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -68833,7 +69043,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -828,6 +998,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +1000,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -68858,7 +69068,7 @@ index 130ced9..86143cf 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -897,7 +1085,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1087,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -68867,7 +69077,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -916,7 +1104,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1106,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -68876,7 +69086,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -963,6 +1151,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1153,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -68922,7 +69132,7 @@ index 130ced9..86143cf 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1203,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1205,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -68931,7 +69141,7 @@ index 130ced9..86143cf 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1265,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1267,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -68974,7 +69184,7 @@ index 130ced9..86143cf 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1315,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1317,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -68983,7 +69193,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -1070,8 +1333,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1335,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -68995,7 +69205,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -1185,6 +1450,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1452,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -69022,7 +69232,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -1210,7 +1495,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1497,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -69031,7 +69241,7 @@ index 130ced9..86143cf 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1505,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1507,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -69056,7 +69266,7 @@ index 130ced9..86143cf 100644
  ')
  
  ########################################
-@@ -1243,10 +1538,462 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1540,462 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -70885,7 +71095,7 @@ index 3defaa1..2ad2488 100644
  /var/log/zarafa/gateway\.log	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
  /var/log/zarafa/ical\.log	--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
 diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
-index 21ae664..3e448dd 100644
+index 21ae664..cb3a098 100644
 --- a/policy/modules/services/zarafa.if
 +++ b/policy/modules/services/zarafa.if
 @@ -42,6 +42,8 @@ template(`zarafa_domain_template',`
@@ -70897,7 +71107,7 @@ index 21ae664..3e448dd 100644
  ')
  
  ######################################
-@@ -118,3 +120,24 @@ interface(`zarafa_stream_connect_server',`
+@@ -118,3 +120,25 @@ interface(`zarafa_stream_connect_server',`
  	files_search_var_lib($1)
  	stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
  ')
@@ -70920,10 +71130,11 @@ index 21ae664..3e448dd 100644
 +
 +    files_search_var_lib($1)
 +    manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
++    manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +    manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
-index 9fb4747..92c156b 100644
+index 9fb4747..bd73b2a 100644
 --- a/policy/modules/services/zarafa.te
 +++ b/policy/modules/services/zarafa.te
 @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t)
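Review bot: Symlink management on `zarafa_var_lib_t` is added in three places with no comment on what creates the links: `manage_lnk_files_pattern` in the interface here, and for zarafa_indexer_t and zarafa_server_t in the zarafa.te hunks that follow. The server hunk also widens the transition to `files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file })`. That only matters if the daemon creates a symlink directly in the parent var_lib directory, because links below the zarafa directory are already covered by the pattern rule. If it does not, I would keep the transition at `{ file dir }`. The interface's summary starts outside this hunk and may need its wording extended to mention symbolic links.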
@@ -70937,7 +71148,7 @@ index 9fb4747..92c156b 100644
  zarafa_domain_template(monitor)
  zarafa_domain_template(server)
  
-@@ -57,6 +61,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
+@@ -57,6 +61,21 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
  corenet_tcp_bind_generic_node(zarafa_gateway_t)
  corenet_tcp_bind_pop_port(zarafa_gateway_t)
  
@@ -70954,11 +71165,22 @@ index 9fb4747..92c156b 100644
 +
 +manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
++manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +
  #######################################
  #
  # zarafa-ical local policy
-@@ -107,7 +125,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
+@@ -93,7 +112,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
+ 
+ manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+ manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
+-files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
++manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
++files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file })
+ 
+ stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
+ 
+@@ -107,7 +127,6 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t)
  
  files_read_usr_files(zarafa_server_t)
  
@@ -70966,7 +71188,7 @@ index 9fb4747..92c156b 100644
  logging_send_audit_msgs(zarafa_server_t)
  
  sysnet_dns_name_resolve(zarafa_server_t)
-@@ -138,6 +155,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
+@@ -138,6 +157,32 @@ corenet_tcp_connect_smtp_port(zarafa_spooler_t)
  
  ########################################
  #
@@ -70999,7 +71221,7 @@ index 9fb4747..92c156b 100644
  # zarafa domains local policy
  #
  
-@@ -152,10 +195,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
+@@ -152,10 +197,13 @@ stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var
  
  read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
  
@@ -71737,7 +71959,7 @@ index 28ad538..29f3011 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..11dfd81 100644
+index 73554ec..7b6edd5 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -71749,7 +71971,7 @@ index 73554ec..11dfd81 100644
  	logging_send_audit_msgs($1)
  	logging_send_syslog_msg($1)
  
-@@ -78,8 +80,18 @@ interface(`auth_use_pam',`
+@@ -78,8 +80,19 @@ interface(`auth_use_pam',`
  	')
  
  	optional_policy(`
@@ -71764,11 +71986,12 @@ index 73554ec..11dfd81 100644
 +		systemd_dbus_chat_logind($1)
 +		systemd_use_fds_logind($1)
 +		systemd_write_inherited_logind_sessions_pipes($1)
++		systemd_read_logind_sessions_files($1)
 +	')
  ')
  
  ########################################
-@@ -95,9 +107,13 @@ interface(`auth_use_pam',`
+@@ -95,9 +108,13 @@ interface(`auth_use_pam',`
  interface(`auth_login_pgm_domain',`
  	gen_require(`
  		type var_auth_t, auth_cache_t;
@@ -71782,7 +72005,7 @@ index 73554ec..11dfd81 100644
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
-@@ -105,14 +121,17 @@ interface(`auth_login_pgm_domain',`
+@@ -105,14 +122,17 @@ interface(`auth_login_pgm_domain',`
  
  	# Needed for pam_selinux_permit to cleanup properly
  	domain_read_all_domains_state($1)
@@ -71800,7 +72023,7 @@ index 73554ec..11dfd81 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +139,29 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +140,29 @@ interface(`auth_login_pgm_domain',`
  	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
  	files_var_filetrans($1, auth_cache_t, dir)
  
@@ -71831,7 +72054,7 @@ index 73554ec..11dfd81 100644
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -145,6 +177,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +178,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -71840,7 +72063,7 @@ index 73554ec..11dfd81 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,13 +189,87 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +190,87 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -71930,7 +72153,7 @@ index 73554ec..11dfd81 100644
  ##	Use the login program as an entry point program.
  ## </summary>
  ## <param name="domain">
-@@ -368,13 +476,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +477,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -71947,7 +72170,7 @@ index 73554ec..11dfd81 100644
  ')
  
  ########################################
-@@ -421,6 +531,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +532,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -71973,7 +72196,7 @@ index 73554ec..11dfd81 100644
  ')
  
  ########################################
-@@ -440,7 +569,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +570,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -71981,7 +72204,7 @@ index 73554ec..11dfd81 100644
  ')
  
  ########################################
-@@ -637,6 +765,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +766,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -71992,7 +72215,7 @@ index 73554ec..11dfd81 100644
  ')
  
  #######################################
-@@ -736,7 +868,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +869,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -72044,7 +72267,7 @@ index 73554ec..11dfd81 100644
  ')
  
  #######################################
-@@ -932,9 +1107,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1108,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -72078,7 +72301,7 @@ index 73554ec..11dfd81 100644
  ')
  
  ########################################
-@@ -1387,6 +1583,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1584,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -72104,7 +72327,7 @@ index 73554ec..11dfd81 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1537,37 +1752,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1753,49 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -72164,7 +72387,7 @@ index 73554ec..11dfd81 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -1575,87 +1802,192 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1803,192 @@ interface(`auth_relabel_login_records',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -74031,7 +74254,7 @@ index 94fd8dd..5a52670 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..26fe806 100644
+index 29a9565..75822e6 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -74226,18 +74449,17 @@ index 29a9565..26fe806 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +252,142 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +252,146 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
 +storage_raw_rw_fixed_disk(init_t)
 +
- optional_policy(`
--	auth_rw_login_records(init_t)
++optional_policy(`
 +	modutils_domtrans_insmod(init_t)
- ')
- 
- optional_policy(`
++')
++
++optional_policy(`
 +	postfix_exec(init_t)
 +	postfix_list_spool(init_t)
 +	mta_read_aliases(init_t)
@@ -74343,10 +74565,15 @@ index 29a9565..26fe806 100644
 +auth_rw_login_records(init_t)
 +
 +optional_policy(`
-+	lvm_rw_pipes(init_t)
++	systemd_filetrans_named_content(init_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
+-	auth_rw_login_records(init_t)
++	lvm_rw_pipes(init_t)
+ ')
+ 
+ optional_policy(`
 +	consolekit_manage_log(init_t)
 +')
 +
@@ -74354,24 +74581,24 @@ index 29a9565..26fe806 100644
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(init_t)
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
- 
- optional_policy(`
--	nscd_socket_use(init_t)
++')
++
++optional_policy(`
 +	plymouthd_stream_connect(init_t)
 +	plymouthd_exec_plymouth(init_t)
  ')
  
  optional_policy(`
-@@ -203,6 +395,17 @@ optional_policy(`
+@@ -203,6 +399,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74389,7 +74616,7 @@ index 29a9565..26fe806 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +415,8 @@ optional_policy(`
+@@ -212,7 +419,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -74399,7 +74626,7 @@ index 29a9565..26fe806 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +445,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +449,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -74415,7 +74642,7 @@ index 29a9565..26fe806 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +465,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +469,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -74452,7 +74679,7 @@ index 29a9565..26fe806 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +498,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +502,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -74460,7 +74687,7 @@ index 29a9565..26fe806 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +509,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +513,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -74471,7 +74698,7 @@ index 29a9565..26fe806 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,17 +520,16 @@ dev_manage_generic_files(initrc_t)
+@@ -298,17 +524,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -74491,7 +74718,7 @@ index 29a9565..26fe806 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -316,6 +537,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +541,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -74499,7 +74726,7 @@ index 29a9565..26fe806 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +545,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +549,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -74511,7 +74738,7 @@ index 29a9565..26fe806 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +564,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +568,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -74525,7 +74752,7 @@ index 29a9565..26fe806 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,9 +579,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,9 +583,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -74539,7 +74766,7 @@ index 29a9565..26fe806 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -363,6 +594,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +598,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -74547,7 +74774,7 @@ index 29a9565..26fe806 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +606,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +610,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -74555,7 +74782,7 @@ index 29a9565..26fe806 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +627,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +631,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -74577,7 +74804,7 @@ index 29a9565..26fe806 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +690,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +694,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -74588,7 +74815,7 @@ index 29a9565..26fe806 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +714,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +718,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -74597,7 +74824,7 @@ index 29a9565..26fe806 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +729,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +733,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -74605,7 +74832,7 @@ index 29a9565..26fe806 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +759,35 @@ ifdef(`distro_redhat',`
+@@ -522,8 +763,35 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -74641,7 +74868,7 @@ index 29a9565..26fe806 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +795,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +799,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -74664,7 +74891,7 @@ index 29a9565..26fe806 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +825,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +829,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -74704,7 +74931,7 @@ index 29a9565..26fe806 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +870,8 @@ optional_policy(`
+@@ -561,6 +874,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -74713,7 +74940,7 @@ index 29a9565..26fe806 100644
  ')
  
  optional_policy(`
-@@ -577,6 +888,7 @@ optional_policy(`
+@@ -577,6 +892,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -74721,7 +74948,7 @@ index 29a9565..26fe806 100644
  ')
  
  optional_policy(`
-@@ -589,6 +901,17 @@ optional_policy(`
+@@ -589,6 +905,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74739,7 +74966,7 @@ index 29a9565..26fe806 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +928,13 @@ optional_policy(`
+@@ -605,9 +932,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -74753,7 +74980,7 @@ index 29a9565..26fe806 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +959,10 @@ optional_policy(`
+@@ -632,6 +963,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74764,7 +74991,7 @@ index 29a9565..26fe806 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +980,11 @@ optional_policy(`
+@@ -649,6 +984,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74776,7 +75003,7 @@ index 29a9565..26fe806 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1025,7 @@ optional_policy(`
+@@ -689,6 +1029,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -74784,7 +75011,7 @@ index 29a9565..26fe806 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1043,13 @@ optional_policy(`
+@@ -706,7 +1047,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74798,7 +75025,7 @@ index 29a9565..26fe806 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1072,10 @@ optional_policy(`
+@@ -729,6 +1076,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74809,7 +75036,7 @@ index 29a9565..26fe806 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1085,20 @@ optional_policy(`
+@@ -738,10 +1089,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74830,7 +75057,7 @@ index 29a9565..26fe806 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1107,10 @@ optional_policy(`
+@@ -750,6 +1111,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74841,7 +75068,7 @@ index 29a9565..26fe806 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1132,6 @@ optional_policy(`
+@@ -771,8 +1136,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -74850,7 +75077,7 @@ index 29a9565..26fe806 100644
  ')
  
  optional_policy(`
-@@ -781,6 +1140,10 @@ optional_policy(`
+@@ -781,6 +1144,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74861,7 +75088,7 @@ index 29a9565..26fe806 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -790,10 +1153,12 @@ optional_policy(`
+@@ -790,10 +1157,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -74874,7 +75101,7 @@ index 29a9565..26fe806 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1170,6 @@ optional_policy(`
+@@ -805,7 +1174,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74882,7 +75109,7 @@ index 29a9565..26fe806 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1179,25 @@ optional_policy(`
+@@ -815,11 +1183,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74909,7 +75136,7 @@ index 29a9565..26fe806 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1207,18 @@ optional_policy(`
+@@ -829,6 +1211,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -74928,7 +75155,7 @@ index 29a9565..26fe806 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1234,10 @@ optional_policy(`
+@@ -844,6 +1238,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -74939,7 +75166,7 @@ index 29a9565..26fe806 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1248,161 @@ optional_policy(`
+@@ -854,3 +1252,161 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -75521,24 +75748,28 @@ index f3e1b57..d7fd7fb 100644
  ')
  
 diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
-index 14d9670..7742cf4 100644
+index 14d9670..16d4a57 100644
 --- a/policy/modules/system/iscsi.fc
 +++ b/policy/modules/system/iscsi.fc
-@@ -1,7 +1,12 @@
+@@ -1,7 +1,16 @@
  /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
  /sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 +/sbin/iscsiuio 		--  	gen_context(system_u:object_r:iscsid_exec_t,s0)
  
  /var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
++
  /var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
++
  /var/log/brcm-iscsi\.log --	gen_context(system_u:object_r:iscsi_log_t,s0)
++/var/log/iscsiuio\.log.*	gen_context(system_u:object_r:iscsi_log_t,s0)
++
  /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
 +
 +/usr/sbin/iscsid	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 +/usr/sbin/brcm_iscsiuio	--	gen_context(system_u:object_r:iscsid_exec_t,s0)
 +/usr/sbin/iscsiuio	--  	gen_context(system_u:object_r:iscsid_exec_t,s0)
 diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index ddbd8be..65b5762 100644
+index ddbd8be..fad18e0 100644
 --- a/policy/modules/system/iscsi.te
 +++ b/policy/modules/system/iscsi.te
 @@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
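Review bot: The new iscsi.fc entry `/var/log/iscsiuio\.log.*` has no file-type field, unlike the `/var/log/brcm-iscsi\.log --` entry just above it. The trailing `.*` presumably covers rotated logs, but without `--` the pattern also applies to directories, symlinks and any path beneath a name that starts with `/var/log/iscsiuio.log`. For consistency with the neighbouring line I would write `/var/log/iscsiuio\.log.*	--	gen_context(system_u:object_r:iscsi_log_t,s0)`.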
@@ -75557,7 +75788,11 @@ index ddbd8be..65b5762 100644
  
  corenet_all_recvfrom_unlabeled(iscsid_t)
  corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -78,6 +78,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
+@@ -75,9 +75,12 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+ corenet_tcp_connect_http_port(iscsid_t)
+ corenet_tcp_connect_iscsi_port(iscsid_t)
+ corenet_tcp_connect_isns_port(iscsid_t)
++corenet_tcp_connect_winshadow_port(iscsid_t)
  
  dev_rw_sysfs(iscsid_t)
  dev_rw_userio_dev(iscsid_t)
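Review bot: The added `corenet_tcp_connect_winshadow_port(iscsid_t)` is the only connect rule in this group whose port name does not explain itself. The neighbouring http, iscsi and isns rules are plausible for an iSCSI initiator, but nothing in the patch says why iscsid needs the winshadow port. A one-line comment above it, such as `# <reason iscsid connects to the winshadow port; bug reference>`, would make the grant auditable and easier to drop later. The surrounding rule list continues outside the hunk.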
@@ -77559,7 +77794,7 @@ index 703944c..1d3a6a9 100644
  
  #
 diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 532181a..5944521 100644
+index 532181a..68931fb 100644
 --- a/policy/modules/system/modutils.fc
 +++ b/policy/modules/system/modutils.fc
 @@ -10,10 +10,8 @@ ifdef(`distro_gentoo',`
@@ -77573,17 +77808,19 @@ index 532181a..5944521 100644
  
  /sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
  /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-@@ -22,3 +20,14 @@ ifdef(`distro_gentoo',`
+@@ -22,3 +20,16 @@ ifdef(`distro_gentoo',`
  /sbin/modules-update	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
  /sbin/rmmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
  /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 +
-+/usr/sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
++/usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
++
++/usr/sbin/depmod.*	--	gen_context(system_u:object_r:depmod_exec_t,s0)
 +/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-+/usr/sbin/insmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
-+/usr/sbin/modprobe.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/insmod.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/modprobe.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
 +/usr/sbin/modules-update	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
-+/usr/sbin/rmmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/rmmod.*	--	gen_context(system_u:object_r:insmod_exec_t,s0)
 +/usr/sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 +
 +/usr/lib/modules/[^/]+/modules\..+ -- 	gen_context(system_u:object_r:modules_dep_t,s0)
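Review bot: Labelling `/usr/bin/kmod` as `insmod_exec_t` interacts with the `/usr/sbin/depmod.* --` entry below it in a way the file does not document. The `--` entries match regular files only, so if `depmod` is installed as a symlink to `kmod` (hedged: the patch does not show the packaging), it is not labelled `depmod_exec_t`. Executing it would then resolve to the `insmod_exec_t` binary, and depmod would run in the insmod domain rather than `depmod_t`. If that is intended, a comment above the new line would record it, for example `# kmod is a multi-call binary; depmod/insmod/modprobe/rmmod may be symlinks to it`.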
@@ -78806,7 +79043,7 @@ index 2cc4bda..bd86c17 100644
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
 diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 170e2c7..b85fc73 100644
+index 170e2c7..6c56785 100644
 --- a/policy/modules/system/selinuxutil.if
 +++ b/policy/modules/system/selinuxutil.if
 @@ -199,6 +199,10 @@ interface(`seutil_run_newrole',`
@@ -79022,7 +79259,7 @@ index 170e2c7..b85fc73 100644
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1149,3 +1313,198 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1149,3 +1313,107 @@ interface(`seutil_dontaudit_libselinux_linked',`
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -79115,117 +79352,34 @@ index 170e2c7..b85fc73 100644
 +#
 +interface(`seutil_setfiles',`
 +
-+    gen_require(`
-+        type policy_src_t, policy_config_t;
-+		type file_context_t, default_context_t;
-+    ')
-+
-+	allow $1 self:capability { dac_override dac_read_search fowner };
-+	dontaudit $1 self:capability sys_tty_config;
-+	allow $1 self:fifo_file rw_file_perms;
-+	dontaudit $1 self:dir relabelfrom;
-+	dontaudit $1 self:file relabelfrom;
-+	dontaudit $1 self:lnk_file relabelfrom;
-+
-+
-+	allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
-+	allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
-+	allow $1 { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
-+
-+	logging_send_audit_msgs($1)
-+
-+	kernel_read_system_state($1)
-+	kernel_relabelfrom_unlabeled_dirs($1)
-+	kernel_relabelfrom_unlabeled_files($1)
-+	kernel_relabelfrom_unlabeled_symlinks($1)
-+	kernel_relabelfrom_unlabeled_pipes($1)
-+	kernel_relabelfrom_unlabeled_sockets($1)
-+	kernel_use_fds($1)
-+	kernel_rw_pipes($1)
-+	kernel_rw_unix_dgram_sockets($1)
-+	kernel_dontaudit_list_all_proc($1)
-+	kernel_read_all_sysctls($1)
-+	kernel_read_network_state_symlinks($1)
-+
-+	dev_relabel_all_dev_nodes($1)
++	gen_require(`
++		attribute setfiles_domain;
++	')		
++        typeattribute $1 setfiles_domain;
 +
-+	domain_use_interactive_fds($1)
-+	domain_read_all_domains_state($1)
-+ 
-+	files_read_etc_runtime_files($1)
-+	files_read_etc_files($1)
-+	files_list_all($1)
 +	files_relabel_all_files($1)
-+	files_list_isid_type_dirs($1)
-+	files_read_isid_type_files($1)
-+	files_dontaudit_read_all_symlinks($1)
-+
-+	fs_getattr_xattr_fs($1)
-+	fs_list_all($1)
-+	fs_getattr_all_files($1)
-+	fs_search_auto_mountpoints($1)
-+	fs_relabelfrom_noxattr_fs($1)
 +
 +	mls_file_read_all_levels($1)
 +	mls_file_write_all_levels($1)
 +	mls_file_upgrade($1)
 +	mls_file_downgrade($1)
 +
-+	selinux_validate_context($1)
-+	selinux_compute_access_vector($1)
-+	selinux_compute_create_context($1)
-+	selinux_compute_relabel_context($1)
-+	selinux_compute_user_contexts($1)
-+
-+	term_use_all_inherited_terms($1)
-+
 +	# this is to satisfy the assertion:
 +	auth_relabelto_shadow($1)
-+
-+	init_use_fds($1)
-+	init_use_script_fds($1)
-+	init_use_script_ptys($1)
-+	init_exec_script_files($1)
-+
-+	logging_send_syslog_msg($1)
-+
-+	miscfiles_read_localization($1)
-+
-+	seutil_libselinux_linked($1)
-+
-+	userdom_use_all_users_fds($1)
-+	# for config files in a home directory
-+	userdom_read_user_home_content_files($1)
-+
-+	ifdef(`distro_debian',`
-+		# udev tmpfs is populated with static device nodes
-+		# and then relabeled afterwards; thus
-+		# /dev/console has the tmpfs type
-+		fs_rw_tmpfs_chr_files($1)
-+	')
-+
-+	ifdef(`distro_redhat',`
-+		fs_rw_tmpfs_chr_files($1)
-+		fs_rw_tmpfs_blk_files($1)
-+		fs_relabel_tmpfs_blk_file($1)
-+		fs_relabel_tmpfs_chr_file($1)
-+	')
-+
-+	ifdef(`distro_ubuntu',`
-+		optional_policy(`
-+			unconfined_domain($1)
-+		')
-+	')
-+
-+	optional_policy(`
-+		hotplug_use_fds($1)
-+	')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..ac8b214 100644
+index 7ed9819..a5062f7 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
-@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
+@@ -11,6 +11,7 @@ gen_require(`
+ 
+ attribute can_write_binary_policy;
+ attribute can_relabelto_binary_policy;
++attribute setfiles_domain;
+ 
+ #
+ # selinux_config_t is the type applied to
+@@ -22,6 +23,9 @@ attribute can_relabelto_binary_policy;
  type selinux_config_t;
  files_type(selinux_config_t)
  
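Review bot: In the rewritten `seutil_setfiles` interface, the `typeattribute $1 setfiles_domain;` line is indented with spaces and the `')` closing `gen_require` has trailing tabs, while the rest of the body uses a single tab. The typeattribute line should read `	typeattribute $1 setfiles_domain;`, with a tab. The interface also gives no reason why `files_relabel_all_files`, the four `mls_file_*` calls and `auth_relabelto_shadow` stay per-caller while everything else moves behind the attribute. Presumably they assign attributes to `$1` or are checked by neverallow rules. A short comment saying so, and naming the assertion that `# this is to satisfy the assertion:` refers to, would stop a later cleanup from moving them. The rules attached to `setfiles_domain` are not part of this hunk, which only declares the attribute in selinuxutil.te.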
@@ -79235,7 +79389,7 @@ index 7ed9819..ac8b214 100644
  type checkpolicy_t, can_write_binary_policy;
  type checkpolicy_exec_t;
  application_domain(checkpolicy_t, checkpolicy_exec_t)
-@@ -57,8 +60,13 @@ domain_interactive_fd(newrole_t)
+@@ -57,8 +61,13 @@ domain_interactive_fd(newrole_t)
  # policy_config_t is the type of /etc/security/selinux/*
  # the security server policy configuration.
  #
@@ -79251,7 +79405,7 @@ index 7ed9819..ac8b214 100644
  
  neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
  #neverallow ~can_write_binary_policy policy_config_t:file { write append };
-@@ -74,7 +82,6 @@ type restorecond_t;
+@@ -74,7 +83,6 @@ type restorecond_t;
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t, restorecond_exec_t)
  domain_obj_id_change_exemption(restorecond_t)
@@ -79259,7 +79413,7 @@ index 7ed9819..ac8b214 100644
  
  type restorecond_var_run_t;
  files_pid_file(restorecond_var_run_t)
-@@ -88,26 +95,36 @@ role system_r types run_init_t;
+@@ -88,26 +96,36 @@ role system_r types run_init_t;
  type semanage_t;
  type semanage_exec_t;
  application_domain(semanage_t, semanage_exec_t)
@@ -79298,7 +79452,7 @@ index 7ed9819..ac8b214 100644
  ########################################
  #
  # Checkpolicy local policy
-@@ -139,7 +156,7 @@ term_use_console(checkpolicy_t)
+@@ -139,7 +157,7 @@ term_use_console(checkpolicy_t)
  init_use_fds(checkpolicy_t)
  init_use_script_ptys(checkpolicy_t)
  
@@ -79307,7 +79461,7 @@ index 7ed9819..ac8b214 100644
  userdom_use_all_users_fds(checkpolicy_t)
  
  ifdef(`distro_ubuntu',`
-@@ -176,13 +193,15 @@ term_list_ptys(load_policy_t)
+@@ -176,13 +194,15 @@ term_list_ptys(load_policy_t)
  
  init_use_script_fds(load_policy_t)
  init_use_script_ptys(load_policy_t)
@@ -79324,7 +79478,7 @@ index 7ed9819..ac8b214 100644
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -204,7 +223,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -204,7 +224,7 @@ ifdef(`hide_broken_symptoms',`
  # Newrole local policy
  #
  
@@ -79333,7 +79487,7 @@ index 7ed9819..ac8b214 100644
  allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow newrole_t self:process setexec;
  allow newrole_t self:fd use;
-@@ -216,7 +235,7 @@ allow newrole_t self:msgq create_msgq_perms;
+@@ -216,7 +236,7 @@ allow newrole_t self:msgq create_msgq_perms;
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -79342,7 +79496,7 @@ index 7ed9819..ac8b214 100644
  
  read_files_pattern(newrole_t, default_context_t, default_context_t)
  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
-@@ -233,6 +252,7 @@ domain_use_interactive_fds(newrole_t)
+@@ -233,6 +253,7 @@ domain_use_interactive_fds(newrole_t)
  # for when the user types "exec newrole" at the command line:
  domain_sigchld_interactive_fds(newrole_t)
  
@@ -79350,7 +79504,7 @@ index 7ed9819..ac8b214 100644
  files_read_etc_files(newrole_t)
  files_read_var_files(newrole_t)
  files_read_var_symlinks(newrole_t)
-@@ -260,25 +280,30 @@ term_relabel_all_ptys(newrole_t)
+@@ -260,25 +281,30 @@ term_relabel_all_ptys(newrole_t)
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -79387,7 +79541,7 @@ index 7ed9819..ac8b214 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(newrole_t)
-@@ -312,6 +337,10 @@ kernel_use_fds(restorecond_t)
+@@ -312,6 +338,10 @@ kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
  
@@ -79398,7 +79552,7 @@ index 7ed9819..ac8b214 100644
  fs_relabelfrom_noxattr_fs(restorecond_t)
  fs_dontaudit_list_nfs(restorecond_t)
  fs_getattr_xattr_fs(restorecond_t)
-@@ -323,8 +352,8 @@ selinux_compute_create_context(restorecond_t)
+@@ -323,8 +353,8 @@ selinux_compute_create_context(restorecond_t)
  selinux_compute_relabel_context(restorecond_t)
  selinux_compute_user_contexts(restorecond_t)
  
@@ -79409,7 +79563,7 @@ index 7ed9819..ac8b214 100644
  auth_use_nsswitch(restorecond_t)
  
  locallogin_dontaudit_use_fds(restorecond_t)
-@@ -335,6 +364,8 @@ miscfiles_read_localization(restorecond_t)
+@@ -335,6 +365,8 @@ miscfiles_read_localization(restorecond_t)
  
  seutil_libselinux_linked(restorecond_t)
  
@@ -79418,7 +79572,7 @@ index 7ed9819..ac8b214 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -353,16 +384,19 @@ optional_policy(`
+@@ -353,16 +385,19 @@ optional_policy(`
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -79439,7 +79593,7 @@ index 7ed9819..ac8b214 100644
  dev_dontaudit_list_all_dev_nodes(run_init_t)
  
  domain_use_interactive_fds(run_init_t)
-@@ -380,6 +414,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +415,8 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -79448,7 +79602,7 @@ index 7ed9819..ac8b214 100644
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
  auth_domtrans_upd_passwd(run_init_t)
-@@ -388,6 +424,7 @@ auth_dontaudit_read_shadow(run_init_t)
+@@ -388,6 +425,7 @@ auth_dontaudit_read_shadow(run_init_t)
  init_spec_domtrans_script(run_init_t)
  # for utmp
  init_rw_utmp(run_init_t)
@@ -79456,7 +79610,7 @@ index 7ed9819..ac8b214 100644
  
  logging_send_syslog_msg(run_init_t)
  
-@@ -396,7 +433,7 @@ miscfiles_read_localization(run_init_t)
+@@ -396,7 +434,7 @@ miscfiles_read_localization(run_init_t)
  seutil_libselinux_linked(run_init_t)
  seutil_read_default_contexts(run_init_t)
  
@@ -79465,7 +79619,7 @@ index 7ed9819..ac8b214 100644
  
  ifndef(`direct_sysadm_daemon',`
  	ifdef(`distro_gentoo',`
-@@ -405,6 +442,19 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +443,19 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -79485,7 +79639,7 @@ index 7ed9819..ac8b214 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,67 +470,29 @@ optional_policy(`
+@@ -420,67 +471,29 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -79562,7 +79716,7 @@ index 7ed9819..ac8b214 100644
  
  ifdef(`distro_debian',`
  	files_read_var_lib_files(semanage_t)
-@@ -493,112 +505,60 @@ ifdef(`distro_ubuntu',`
+@@ -493,112 +506,159 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -79594,9 +79748,15 @@ index 7ed9819..ac8b214 100644
 -kernel_rw_unix_dgram_sockets(setfiles_t)
 -kernel_dontaudit_list_all_proc(setfiles_t)
 -kernel_dontaudit_list_all_sysctls(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+ 
 -dev_relabel_all_dev_nodes(setfiles_t)
--
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
+ 
 -domain_use_interactive_fds(setfiles_t)
 -domain_dontaudit_search_all_domains_state(setfiles_t)
 -
@@ -79605,73 +79765,163 @@ index 7ed9819..ac8b214 100644
 -files_list_all(setfiles_t)
 -files_relabel_all_files(setfiles_t)
 -files_read_usr_symlinks(setfiles_t)
--
++########################################
++#
++# Setfiles mac local policy
++#
++seutil_setfiles(setfiles_mac_t)
++allow setfiles_mac_t self:capability2 mac_admin;
++kernel_relabelto_unlabeled(setfiles_mac_t)
+ 
 -fs_getattr_xattr_fs(setfiles_t)
 -fs_list_all(setfiles_t)
 -fs_search_auto_mountpoints(setfiles_t)
 -fs_relabelfrom_noxattr_fs(setfiles_t)
--
++optional_policy(`
++	files_dontaudit_write_isid_chr_files(setfiles_mac_t)
++	livecd_dontaudit_leaks(setfiles_mac_t)
++	livecd_rw_tmp_files(setfiles_mac_t)
++	dev_dontaudit_write_all_chr_files(setfiles_mac_t)
++')
+ 
 -mls_file_read_all_levels(setfiles_t)
 -mls_file_write_all_levels(setfiles_t)
 -mls_file_upgrade(setfiles_t)
 -mls_file_downgrade(setfiles_t)
--
++optional_policy(`
++	unconfined_domain(setfiles_mac_t)
++')
+ 
 -selinux_validate_context(setfiles_t)
 -selinux_compute_access_vector(setfiles_t)
 -selinux_compute_create_context(setfiles_t)
 -selinux_compute_relabel_context(setfiles_t)
 -selinux_compute_user_contexts(setfiles_t)
--
++########################################
++#
++# Setfiles local policy
++#
+ 
 -term_use_all_ttys(setfiles_t)
 -term_use_all_ptys(setfiles_t)
 -term_use_unallocated_ttys(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
++seutil_setfiles(setfiles_t)
++# During boot in Rawhide
++term_use_generic_ptys(setfiles_t)
  
 -# this is to satisfy the assertion:
 -auth_relabelto_shadow(setfiles_t)
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
++# needs to be able to read symlinks to make restorecon on symlink working
++files_read_all_symlinks(setfiles_t)
  
 -init_use_fds(setfiles_t)
 -init_use_script_fds(setfiles_t)
 -init_use_script_ptys(setfiles_t)
 -init_exec_script_files(setfiles_t)
--
++optional_policy(`
++	devicekit_dontaudit_read_pid_files(setfiles_t)
++	devicekit_dontaudit_rw_log(setfiles_t)
++')
+ 
 -logging_send_syslog_msg(setfiles_t)
-+########################################
-+#
-+# Setfiles local policy
-+#
++ifdef(`hide_broken_symptoms',`
++	optional_policy(`
++		hal_dontaudit_leaks(setfiles_t)
++	')
  
 -miscfiles_read_localization(setfiles_t)
-+seutil_setfiles(setfiles_t)
-+# During boot in Rawhide
-+term_use_generic_ptys(setfiles_t)
++	optional_policy(`
++		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
++		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
++	')
++')
  
 -seutil_libselinux_linked(setfiles_t)
-+seutil_setfiles(setfiles_mac_t)
-+allow setfiles_mac_t self:capability2 mac_admin;
-+kernel_relabelto_unlabeled(setfiles_mac_t)
++ifdef(`distro_ubuntu',`
++  	optional_policy(`
++		unconfined_domain(setfiles_t)
++	')
++')
  
 -userdom_use_all_users_fds(setfiles_t)
--# for config files in a home directory
++########################################
++#
++# Setfiles common policy
++#
++allow setfiles_domain self:capability { dac_override dac_read_search fowner };
++dontaudit setfiles_domain self:capability sys_tty_config;
++allow setfiles_domain self:fifo_file rw_file_perms;
++dontaudit setfiles_domain self:dir relabelfrom;
++dontaudit setfiles_domain self:file relabelfrom;
++dontaudit setfiles_domain self:lnk_file relabelfrom;
++
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms;
++allow setfiles_domain { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
++
++logging_send_audit_msgs(setfiles_domain)
++
++kernel_read_system_state(setfiles_domain)
++kernel_relabelfrom_unlabeled_dirs(setfiles_domain)
++kernel_relabelfrom_unlabeled_files(setfiles_domain)
++kernel_relabelfrom_unlabeled_symlinks(setfiles_domain)
++kernel_relabelfrom_unlabeled_pipes(setfiles_domain)
++kernel_relabelfrom_unlabeled_sockets(setfiles_domain)
++kernel_use_fds(setfiles_domain)
++kernel_rw_pipes(setfiles_domain)
++kernel_rw_unix_dgram_sockets(setfiles_domain)
++kernel_dontaudit_list_all_proc(setfiles_domain)
++kernel_read_all_sysctls(setfiles_domain)
++kernel_read_network_state_symlinks(setfiles_domain)
++
++dev_relabel_all_dev_nodes(setfiles_domain)
++
++domain_use_interactive_fds(setfiles_domain)
++domain_read_all_domains_state(setfiles_domain)
++ 
++files_read_etc_runtime_files(setfiles_domain)
++files_read_etc_files(setfiles_domain)
++files_list_all(setfiles_domain)
++files_list_isid_type_dirs(setfiles_domain)
++files_read_isid_type_files(setfiles_domain)
++files_dontaudit_read_all_symlinks(setfiles_domain)
++
++fs_getattr_all_fs(setfiles_domain)
++fs_list_all(setfiles_domain)
++fs_getattr_all_files(setfiles_domain)
++fs_search_auto_mountpoints(setfiles_domain)
++fs_relabelfrom_noxattr_fs(setfiles_domain)
++
++selinux_validate_context(setfiles_domain)
++selinux_compute_access_vector(setfiles_domain)
++selinux_compute_create_context(setfiles_domain)
++selinux_compute_relabel_context(setfiles_domain)
++selinux_compute_user_contexts(setfiles_domain)
++
++term_use_all_inherited_terms(setfiles_domain)
++
++init_use_fds(setfiles_domain)
++init_use_script_fds(setfiles_domain)
++init_use_script_ptys(setfiles_domain)
++init_exec_script_files(setfiles_domain)
++
++logging_send_syslog_msg(setfiles_domain)
++
++miscfiles_read_localization(setfiles_domain)
++
++seutil_libselinux_linked(setfiles_domain)
++
++userdom_use_all_users_fds(setfiles_domain)
+ # for config files in a home directory
 -userdom_read_user_home_content_files(setfiles_t)
-+# needs to be able to read symlinks to make restorecon on symlink working
-+files_read_all_symlinks(setfiles_t)
++userdom_read_user_home_content_files(setfiles_domain)
  
--ifdef(`distro_debian',`
--	# udev tmpfs is populated with static device nodes
--	# and then relabeled afterwards; thus
--	# /dev/console has the tmpfs type
+ ifdef(`distro_debian',`
+ 	# udev tmpfs is populated with static device nodes
+ 	# and then relabeled afterwards; thus
+ 	# /dev/console has the tmpfs type
 -	fs_rw_tmpfs_chr_files(setfiles_t)
-+optional_policy(`
-+	files_dontaudit_write_isid_chr_files(setfiles_mac_t)
-+	livecd_dontaudit_leaks(setfiles_mac_t)
-+	livecd_rw_tmp_files(setfiles_mac_t)
-+	dev_dontaudit_write_all_chr_files(setfiles_mac_t)
++	fs_rw_tmpfs_chr_files(setfiles_domain)
  ')
  
 -ifdef(`distro_redhat', `
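Review bot: The new "Setfiles common policy" block grants access where the upstream lines it stands in for only silenced denials. `kernel_read_all_sysctls(setfiles_domain)` and `domain_read_all_domains_state(setfiles_domain)` take the place of `kernel_dontaudit_list_all_sysctls(setfiles_t)` and `domain_dontaudit_search_all_domains_state(setfiles_t)`, which are removed in the preceding hunk. Because the rules are written against the `setfiles_domain` attribute, they presumably apply to `setfiles_mac_t` as well as `setfiles_t`; the attribute's declaration is outside this hunk, so confirm which types carry it. If relabeling does not need to read every domain's state, keep the dontaudit form on the attribute, e.g. `domain_dontaudit_search_all_domains_state(setfiles_domain)`, or add a comment naming the denial that motivated each grant. The `distro_redhat` and `hotplug_use_fds(setfiles_domain)` lines in the two following hunks use the same attribute.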
@@ -79679,21 +79929,16 @@ index 7ed9819..ac8b214 100644
 -	fs_rw_tmpfs_blk_files(setfiles_t)
 -	fs_relabel_tmpfs_blk_file(setfiles_t)
 -	fs_relabel_tmpfs_chr_file(setfiles_t)
-+optional_policy(`
-+	devicekit_dontaudit_read_pid_files(setfiles_t)
-+	devicekit_dontaudit_rw_log(setfiles_t)
- ')
- 
+-')
+-
 -ifdef(`distro_ubuntu',`
 -	optional_policy(`
 -		unconfined_domain(setfiles_t)
 -	')
-+optional_policy(`
-+	hal_dontaudit_leaks(setfiles_t)
- ')
- 
- ifdef(`hide_broken_symptoms',`
- 	optional_policy(`
+-')
+-
+-ifdef(`hide_broken_symptoms',`
+-	optional_policy(`
 -		udev_dontaudit_rw_dgram_sockets(setfiles_t)
 -	')
 -
@@ -79701,14 +79946,17 @@ index 7ed9819..ac8b214 100644
 -	optional_policy(`
 -		unconfined_dontaudit_read_pipes(setfiles_t)
 -		unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
-+		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
-+		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
- 	')
+-	')
++ifdef(`distro_redhat',`
++	fs_rw_tmpfs_chr_files(setfiles_domain)
++	fs_rw_tmpfs_blk_files(setfiles_domain)
++	fs_relabel_tmpfs_blk_file(setfiles_domain)
++	fs_relabel_tmpfs_chr_file(setfiles_domain)
  ')
  
  optional_policy(`
 -	hotplug_use_fds(setfiles_t)
-+	unconfined_domain(setfiles_mac_t)
++	hotplug_use_fds(setfiles_domain)
  ')
 diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
 index bea4629..06e2834 100644
@@ -80395,10 +80643,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..19ba4e1
+index 0000000..a142bb1
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,546 @@
+@@ -0,0 +1,567 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -80668,6 +80916,7 @@ index 0000000..19ba4e1
 +	allow $1 systemd_logind_t:dbus send_msg;
 +	allow systemd_logind_t $1:dbus send_msg;
 +	ps_process_pattern(systemd_logind_t, $1)
++	allow systemd_logind_t $1:process signal;
 +')
 +
 +#######################################
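Review bot: The added `allow systemd_logind_t $1:process signal;` widens an interface whose other visible rules are the two `dbus send_msg` allows and `ps_process_pattern`, so every domain that calls it for D-Bus chat also becomes signalable by logind. The interface header is outside this hunk, so its name and summary are not visible here; if the summary still describes only D-Bus chat, it should mention the signal grant. A later hunk in this patch grants the same permission for crond through a dedicated call, `cron_signal(systemd_logind_t)`. Following that pattern with a separate signal interface would let callers opt in explicitly.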
@@ -80945,12 +81194,32 @@ index 0000000..19ba4e1
 +')
 +
 +
++########################################
++## <summary>
++##	Transition to systemd named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_filetrans_named_content',`
++	gen_require(`
++		type systemd_passwd_var_run_t;
++	')
++
++	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
++	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
++')
++
++
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..abd1c1a
+index 0000000..d63eb5e
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,391 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -81080,6 +81349,7 @@ index 0000000..abd1c1a
 +optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
 +	cron_read_state_crond(systemd_logind_t)
++	cron_signal(systemd_logind_t)
 +')
 +
 +optional_policy(`
@@ -81157,7 +81427,6 @@ index 0000000..abd1c1a
 +allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
 +
 +kernel_read_network_state(systemd_tmpfiles_t)
-+files_delete_kernel_modules(systemd_tmpfiles_t)
 +
 +dev_write_kmsg(systemd_tmpfiles_t)
 +dev_relabel_all_sysfs(systemd_tmpfiles_t)
@@ -81181,11 +81450,7 @@ index 0000000..abd1c1a
 +files_manage_all_pid_dirs(systemd_tmpfiles_t)
 +files_manage_all_locks(systemd_tmpfiles_t)
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_delete_all_pid_sockets(systemd_tmpfiles_t)
-+files_delete_all_pid_pipes(systemd_tmpfiles_t)
-+files_delete_boot_flag(systemd_tmpfiles_t)
-+files_delete_usr_dirs(systemd_tmpfiles_t)
-+files_delete_usr_files(systemd_tmpfiles_t)
++files_delete_all_non_security_files(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
 +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
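Review bot: `files_delete_all_non_security_files(systemd_tmpfiles_t)` replaces five narrowly scoped delete interfaces (pid sockets, pid pipes, boot flag, usr dirs, usr files) with one that, going by its name, covers every file type outside the security-file set. That is a much larger delete surface for `systemd_tmpfiles_t` than the enumerated list, and the preceding hunk's removal of `files_delete_kernel_modules(systemd_tmpfiles_t)` appears to rely on it. If the broad grant is intended, add a why-comment above it, e.g. `# tmpfiles may be configured to clean arbitrary paths; security files stay excluded`. Otherwise keep the enumerated interfaces and add only the one that was missing.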
@@ -81848,7 +82113,7 @@ index ce2fbb9..8b34dbc 100644
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 416e668..bb3d52b 100644
+index 416e668..0515074 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,53 +12,63 @@
@@ -81874,7 +82139,8 @@ index 416e668..bb3d52b 100644
 +	allow $1 self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
  
  	# Transition to myself, to make get_ordered_context_list happy.
- 	allow $1 self:process transition;
+-	allow $1 self:process transition;
++	allow $1 self:process { dyntransition transition };
  
  	# Write access is for setting attributes under /proc/self/attr.
  	allow $1 self:file rw_file_perms;
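Review bot: The comment above the changed rule still explains only `transition` ("to make get_ordered_context_list happy"), while the new rule `allow $1 self:process { dyntransition transition };` also grants `dyntransition` on self with no stated reason. Add a second comment line such as `# dyntransition: needed by <caller that changes its own context at run time>` so a later reader can tell whether the permission is still required. The enclosing interface body starts before and continues after this hunk.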
@@ -82636,7 +82902,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..6843ef8 100644
+index 4b2878a..aa2d1cb 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -82652,7 +82918,7 @@ index 4b2878a..6843ef8 100644
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -43,79 +45,133 @@ template(`userdom_base_user_template',`
+@@ -43,79 +45,134 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -82808,6 +83074,7 @@ index 4b2878a..6843ef8 100644
 +	miscfiles_read_public_files($1_usertype)
 +
 +	systemd_dbus_chat_logind($1_usertype)
++	systemd_read_logind_sessions_files($1_usertype)
  
 -	tunable_policy(`allow_execmem',`
 +	tunable_policy(`deny_execmem',`', `
@@ -82837,7 +83104,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  #######################################
-@@ -149,6 +205,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +206,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -82846,7 +83113,7 @@ index 4b2878a..6843ef8 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -166,27 +224,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +225,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -82874,7 +83141,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  #######################################
-@@ -218,8 +255,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +256,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -82886,7 +83153,7 @@ index 4b2878a..6843ef8 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -228,43 +268,47 @@ interface(`userdom_manage_home_role',`
+@@ -228,43 +269,47 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -82950,7 +83217,7 @@ index 4b2878a..6843ef8 100644
  	')
  ')
  
-@@ -286,17 +330,63 @@ interface(`userdom_manage_home_role',`
+@@ -286,17 +331,64 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -82967,6 +83234,7 @@ index 4b2878a..6843ef8 100644
 -	manage_lnk_files_pattern($2, user_tmp_t, user_tmp_t)
 -	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
 -	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
++	allow $2 user_tmp_type:dir mounton;
 +	manage_dirs_pattern($2, user_tmp_type, user_tmp_type)
 +	manage_files_pattern($2, user_tmp_type, user_tmp_type)
 +	manage_lnk_files_pattern($2, user_tmp_type, user_tmp_type)
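Review bot: `allow $2 user_tmp_type:dir mounton;` is added to the tmp role unconditionally and without a comment, so every domain given this role may use any `user_tmp_type` directory as a mount point as far as this type-enforcement check is concerned. If one specific consumer needs it, say so in a comment directly above, e.g. `# <consumer> mounts over per-user tmp directories`. Also consider placing the rule behind a tunable or in that consumer's own policy rather than in the shared role. The interface `userdom_manage_tmp_role` begins in the previous hunk and continues past this one.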
@@ -83019,7 +83287,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  #######################################
-@@ -316,6 +406,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +408,7 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -83027,7 +83295,7 @@ index 4b2878a..6843ef8 100644
  	files_search_tmp($1)
  ')
  
-@@ -347,59 +438,62 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,59 +440,62 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -83122,7 +83390,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  #######################################
-@@ -430,6 +524,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +526,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -83130,7 +83398,7 @@ index 4b2878a..6843ef8 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -462,8 +557,8 @@ template(`userdom_change_password_template',`
+@@ -462,8 +559,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -83141,7 +83409,7 @@ index 4b2878a..6843ef8 100644
  	')
  ')
  
-@@ -490,7 +585,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +587,7 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -83150,7 +83418,7 @@ index 4b2878a..6843ef8 100644
  
  	##############################
  	#
-@@ -500,73 +595,83 @@ template(`userdom_common_user_template',`
+@@ -500,73 +597,83 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -83276,7 +83544,7 @@ index 4b2878a..6843ef8 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +679,113 @@ template(`userdom_common_user_template',`
+@@ -574,67 +681,113 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -83411,7 +83679,7 @@ index 4b2878a..6843ef8 100644
  	')
  
  	optional_policy(`
-@@ -650,40 +801,52 @@ template(`userdom_common_user_template',`
+@@ -650,40 +803,52 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -83475,7 +83743,7 @@ index 4b2878a..6843ef8 100644
  	')
  ')
  
-@@ -712,13 +875,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +877,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
@@ -83507,7 +83775,7 @@ index 4b2878a..6843ef8 100644
  
  	userdom_change_password_template($1)
  
-@@ -730,78 +906,82 @@ template(`userdom_login_user_template', `
+@@ -730,78 +908,82 @@ template(`userdom_login_user_template', `
  	allow $1_t self:capability { setgid chown fowner };
  	dontaudit $1_t self:capability { sys_nice fsetid };
  
@@ -83624,7 +83892,7 @@ index 4b2878a..6843ef8 100644
  	')
  ')
  
-@@ -833,6 +1013,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1015,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -83634,7 +83902,7 @@ index 4b2878a..6843ef8 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1057,114 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1059,118 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -83695,6 +83963,10 @@ index 4b2878a..6843ef8 100644
 +		gnome_role_gkeyringd($1, $1_r, $1_usertype)
 +		# cjp: telepathy F15 bugs
 +		telepathy_role($1_r, $1_t, $1)
++	')
++
++	optional_policy(`
++		obex_role($1_r, $1_t, $1)
  	')
  
  	optional_policy(`
@@ -83760,7 +84032,7 @@ index 4b2878a..6843ef8 100644
  	')
  ')
  
-@@ -947,7 +1199,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1205,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -83769,7 +84041,7 @@ index 4b2878a..6843ef8 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,12 +1208,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1214,15 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -83787,7 +84059,7 @@ index 4b2878a..6843ef8 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -978,23 +1233,60 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1239,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -83857,7 +84129,7 @@ index 4b2878a..6843ef8 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1003,7 +1295,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1301,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -83868,7 +84140,7 @@ index 4b2878a..6843ef8 100644
  	')
  ')
  
-@@ -1039,7 +1333,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1339,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -83877,7 +84149,7 @@ index 4b2878a..6843ef8 100644
  	')
  
  	##############################
-@@ -1065,7 +1359,11 @@ template(`userdom_admin_user_template',`
+@@ -1065,7 +1365,11 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -83890,7 +84162,7 @@ index 4b2878a..6843ef8 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1372,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1378,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -83900,7 +84172,7 @@ index 4b2878a..6843ef8 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1389,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1395,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -83908,7 +84180,7 @@ index 4b2878a..6843ef8 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1407,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1413,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -83922,7 +84194,7 @@ index 4b2878a..6843ef8 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,29 +1424,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1430,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -83965,7 +84237,7 @@ index 4b2878a..6843ef8 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1465,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1471,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -83974,7 +84246,7 @@ index 4b2878a..6843ef8 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1526,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1532,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -83983,7 +84255,7 @@ index 4b2878a..6843ef8 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,8 +1540,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1546,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -83994,7 +84266,7 @@ index 4b2878a..6843ef8 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1234,13 +1553,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1559,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -84023,7 +84295,7 @@ index 4b2878a..6843ef8 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1581,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1587,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -84039,7 +84311,7 @@ index 4b2878a..6843ef8 100644
  	')
  
  	optional_policy(`
-@@ -1279,11 +1609,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1615,60 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -84100,7 +84372,7 @@ index 4b2878a..6843ef8 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1774,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1780,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -84108,11 +84380,15 @@ index 4b2878a..6843ef8 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1821,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,11 +1827,19 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
-+
+-')
+ 
+-########################################
+-## <summary>
+-##	Do not audit attempts to list user home subdirectories.
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_list_nfs($1)
 +	')
@@ -84120,10 +84396,15 @@ index 4b2878a..6843ef8 100644
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_list_cifs($1)
 +	')
- ')
- 
- ########################################
-@@ -1456,9 +1844,11 @@ interface(`userdom_list_user_home_dirs',`
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to list user home subdirectories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1456,9 +1850,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -84135,7 +84416,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -1515,6 +1905,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1911,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -84178,7 +84459,7 @@ index 4b2878a..6843ef8 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2015,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2021,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -84187,7 +84468,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -1603,10 +2031,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2037,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -84202,7 +84483,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -1649,6 +2079,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2085,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -84246,7 +84527,7 @@ index 4b2878a..6843ef8 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2135,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2141,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -84272,7 +84553,7 @@ index 4b2878a..6843ef8 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1698,14 +2184,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2190,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -84310,7 +84591,7 @@ index 4b2878a..6843ef8 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2230,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -84328,7 +84609,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2296,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -84389,7 +84670,7 @@ index 4b2878a..6843ef8 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2381,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -84399,7 +84680,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -1827,20 +2391,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2397,15 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -84413,18 +84694,19 @@ index 4b2878a..6843ef8 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
--	')
--
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
--')
  
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
+-	')
+-')
+-
  ########################################
  ## <summary>
-@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ ##	Do not audit attempts to execute user home files.
+@@ -1941,6 +2505,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -84449,7 +84731,7 @@ index 4b2878a..6843ef8 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2590,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -84458,7 +84740,7 @@ index 4b2878a..6843ef8 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2615,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2621,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -84467,7 +84749,7 @@ index 4b2878a..6843ef8 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2158,11 +2734,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2740,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -84482,7 +84764,7 @@ index 4b2878a..6843ef8 100644
  	files_search_tmp($1)
  ')
  
-@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2764,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -84491,7 +84773,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -2390,7 +2966,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2972,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -84500,7 +84782,7 @@ index 4b2878a..6843ef8 100644
  	files_search_tmp($1)
  ')
  
-@@ -2419,6 +2995,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3001,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
@@ -84526,7 +84808,7 @@ index 4b2878a..6843ef8 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2435,13 +3030,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3036,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -84542,7 +84824,7 @@ index 4b2878a..6843ef8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,7 +3058,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3064,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -84551,7 +84833,7 @@ index 4b2878a..6843ef8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2470,14 +3066,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3072,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -84586,7 +84868,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -2572,6 +3184,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +3190,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -84611,7 +84893,7 @@ index 4b2878a..6843ef8 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2590,22 +3220,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +3226,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -84654,7 +84936,7 @@ index 4b2878a..6843ef8 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2614,14 +3256,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3262,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -84692,7 +84974,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -2640,8 +3301,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,36 +3307,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -84700,50 +84982,129 @@ index 4b2878a..6843ef8 100644
 -	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
 +	dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
 +	dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
+ ')
+ 
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Execute a shell in all user domains.  This
+-##	is an explicit transition, requiring the
+-##	caller to use setexeccon().
 +##	Get attributes of user domain tty and pty.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed to transition.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_spec_domtrans_all_users',`
 +interface(`userdom_getattr_user_terminals',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute userdomain;
 +		type user_tty_device_t, user_devpts_t;
-+	')
-+
+ 	')
+ 
+-	corecmd_shell_spec_domtrans($1, userdomain)
+-	allow userdomain $1:fd use;
+-	allow userdomain $1:fifo_file rw_file_perms;
+-	allow userdomain $1:process sigchld;
 +	allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
  ')
  
  ########################################
-@@ -2713,45 +3393,45 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ ## <summary>
+-##	Execute an Xserver session in all unprivileged user domains.  This
++##	Execute a shell in all user domains.  This
+ ##	is an explicit transition, requiring the
+ ##	caller to use setexeccon().
+ ## </summary>
+@@ -2679,12 +3342,12 @@ interface(`userdom_spec_domtrans_all_users',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_xsession_spec_domtrans_all_users',`
++interface(`userdom_spec_domtrans_all_users',`
+ 	gen_require(`
+ 		attribute userdomain;
+ 	')
+ 
+-	xserver_xsession_spec_domtrans($1, userdomain)
++	corecmd_shell_spec_domtrans($1, userdomain)
+ 	allow userdomain $1:fd use;
+ 	allow userdomain $1:fifo_file rw_file_perms;
+ 	allow userdomain $1:process sigchld;
+@@ -2692,7 +3355,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+ 
+ ########################################
+ ## <summary>
+-##	Execute a shell in all unprivileged user domains.  This
++##	Execute an Xserver session in all unprivileged user domains.  This
+ ##	is an explicit transition, requiring the
+ ##	caller to use setexeccon().
+ ## </summary>
+@@ -2702,20 +3365,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_spec_domtrans_unpriv_users',`
++interface(`userdom_xsession_spec_domtrans_all_users',`
+ 	gen_require(`
+-		attribute unpriv_userdomain;
++		attribute userdomain;
+ 	')
+ 
+-	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
+-	allow unpriv_userdomain $1:fd use;
+-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+-	allow unpriv_userdomain $1:process sigchld;
++	xserver_xsession_spec_domtrans($1, userdomain)
++	allow userdomain $1:fd use;
++	allow userdomain $1:fifo_file rw_file_perms;
++	allow userdomain $1:process sigchld;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute an Xserver session in all unprivileged user domains.  This
++##	Execute a shell in all unprivileged user domains.  This
+ ##	is an explicit transition, requiring the
+ ##	caller to use setexeccon().
+ ## </summary>
+@@ -2725,57 +3388,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
++interface(`userdom_spec_domtrans_unpriv_users',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
+ 	')
+ 
+-	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
++	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
+ 	allow unpriv_userdomain $1:fd use;
+ 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
--########################################
+-#######################################
 +#####################################
  ## <summary>
--##	Execute an Xserver session in all unprivileged user domains.  This
--##	is an explicit transition, requiring the
--##	caller to use setexeccon().
+-##	Read and write unpriviledged user SysV sempaphores.
 +##  Allow domain dyntrans to unpriv userdomain.
  ## </summary>
  ## <param name="domain">
 -##	<summary>
--##	Domain allowed to transition.
+-##	Domain allowed access.
 -##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
  ## </param>
  #
--interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+-interface(`userdom_rw_unpriv_user_semaphores',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
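Review bot: The regenerated inner hunk `@@ -2640,36 +3307,32 @@` is hard to audit, because every upstream interface from `userdom_spec_domtrans_all_users` down to `userdom_rw_unpriv_user_semaphores` is now removed and re-added under its neighbour's name. As far as the visible lines show, the real delta is small: `userdom_getattr_user_terminals` and the interface granting `allow $1 unpriv_userdomain:process dyntransition;` are added, while `userdom_rw_unpriv_user_semaphores` (and, in the following hunks, `userdom_rw_unpriv_user_shared_mem`) get no replacement; whether they are re-added later in the patch cannot be seen from here. Regenerating the policy patch with `git diff --patience` would probably keep the unchanged interfaces as context, so a reviewer sees only the access that is added or dropped. This hunk starts inside `userdom_dontaudit_use_user_terminals` and ends inside the dyntransition interface, whose body continues in the next hunk.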
@@ -84752,17 +85113,13 @@ index 4b2878a..6843ef8 100644
 +        attribute unpriv_userdomain;
 +    ')
  
--	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
--	allow unpriv_userdomain $1:fd use;
--	allow unpriv_userdomain $1:fifo_file rw_file_perms;
--	allow unpriv_userdomain $1:process sigchld;
+-	allow $1 unpriv_userdomain:sem rw_sem_perms;
 +    allow $1 unpriv_userdomain:process dyntransition;
  ')
  
--#######################################
-+########################################
+ ########################################
  ## <summary>
--##	Read and write unpriviledged user SysV sempaphores.
+-##	Manage unpriviledged user SysV sempaphores.
 +##	Execute an Xserver session in all unprivileged user domains.  This
 +##	is an explicit transition, requiring the
 +##	caller to use setexeccon().
@@ -84774,47 +85131,44 @@ index 4b2878a..6843ef8 100644
  ##	</summary>
  ## </param>
  #
--interface(`userdom_rw_unpriv_user_semaphores',`
+-interface(`userdom_manage_unpriv_user_semaphores',`
 +interface(`userdom_xsession_spec_domtrans_unpriv_users',`
  	gen_require(`
  		attribute unpriv_userdomain;
  	')
  
--	allow $1 unpriv_userdomain:sem rw_sem_perms;
+-	allow $1 unpriv_userdomain:sem create_sem_perms;
 +	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
 +	allow unpriv_userdomain $1:fd use;
 +	allow unpriv_userdomain $1:fifo_file rw_file_perms;
 +	allow unpriv_userdomain $1:process sigchld;
  ')
  
- ########################################
-@@ -2772,25 +3452,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
- 	allow $1 unpriv_userdomain:sem create_sem_perms;
- ')
- 
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Read and write unpriviledged user SysV shared
 -##	memory segments.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Manage unpriviledged user SysV sempaphores.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2783,12 +3450,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`userdom_rw_unpriv_user_shared_mem',`
--	gen_require(`
--		attribute unpriv_userdomain;
--	')
--
++interface(`userdom_manage_unpriv_user_semaphores',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
+ 	')
+ 
 -	allow $1 unpriv_userdomain:shm rw_shm_perms;
--')
--
++	allow $1 unpriv_userdomain:sem create_sem_perms;
+ ')
+ 
  ########################################
- ## <summary>
- ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3513,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3519,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -84823,7 +85177,7 @@ index 4b2878a..6843ef8 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3529,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3535,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -84857,7 +85211,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -2972,7 +3617,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3623,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -84866,7 +85220,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -3027,7 +3672,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3678,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -84913,7 +85267,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -3045,7 +3728,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3734,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -84922,7 +85276,7 @@ index 4b2878a..6843ef8 100644
  ')
  
  ########################################
-@@ -3064,6 +3747,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3753,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -84930,7 +85284,7 @@ index 4b2878a..6843ef8 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3826,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3832,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -84955,7 +85309,7 @@ index 4b2878a..6843ef8 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3160,6 +3862,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3868,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -84980,7 +85334,7 @@ index 4b2878a..6843ef8 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3914,1254 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3920,1254 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 69de4f9..c31e4b5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 84%{?dist}
+Release: 85%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,16 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Feb 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-85
+- Allow firewalld to read urand
+- Alias java, execmem_mono to bin_t to allow third parties
+- Add label for kmod
+- /etc/redhat-lsb contains binaries
+- Add boolean to allow gitosis to send mail
+- Add filename transition also for "event20"
+- Allow systemd_tmpfiles_t to delete all file types
+- Allow collectd to ipc_lock
+
 * Tue Feb 7 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-84
 - Add policy for grindengine MPI jobs