diff --git a/policy-F16.patch b/policy-F16.patch
index 01d3a37..1d7ce0d 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -322,10 +322,18 @@ index 63ef90e..a535b31 100644
')
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
-index 1392679..c94911d 100644
+index 1392679..e75873a 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
-@@ -206,3 +206,21 @@ interface(`alsa_read_lib',`
+@@ -148,6 +148,7 @@ interface(`alsa_manage_home_files',`
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
++ alsa_filetrans_home_content(unpriv_userdomain)
+ ')
+
+ ########################################
+@@ -206,3 +207,47 @@ interface(`alsa_read_lib',`
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
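Review bot: The line added to `alsa_manage_home_files` passes the hard-coded attribute `unpriv_userdomain` instead of the interface argument. Every caller therefore grants the `.asoundrc` transition to all unprivileged user domains, and the calling domain gets it only if it happens to carry that attribute. It should read `alsa_filetrans_home_content($1)`, matching the two `$1` rules directly above it. The interface's `gen_require` block is outside this hunk, so whether `unpriv_userdomain` is even declared for the alsa module cannot be confirmed from here.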
@@ -340,12 +348,38 @@ index 1392679..c94911d 100644
+##
+##
+#
++interface(`alsa_filetrans_home_content',`
++ gen_require(`
++ type alsa_home_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
++')
++
++########################################
++##
++## Transition to alsa named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`alsa_filetrans_named_content',`
+ gen_require(`
+ type alsa_home_t;
++ type alsa_etc_rw_t;
++ type alsa_var_lib_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
++ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
++ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
++ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
++ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
++ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
+')
diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
index e3e0701..3fd0282 100644
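Review bot: The transitions added to `alsa_filetrans_named_content` key on very generic names: a directory called `pcm` or `asound` that the calling domain creates in an etc or usr directory is labelled `alsa_etc_rw_t`. The callers visible in this commit are `sysadm_t` and `unconfined_t`, so unrelated content created under those names would presumably become accessible to whichever domains manage `alsa_etc_rw_t`. A comment above the rules such as `# named content for the ALSA config dirs; confirm paths against alsa.fc` would make the intended scope checkable. Separately, the `.asoundrc` rule is now duplicated between the two interfaces, and `alsa_filetrans_named_content` could call `alsa_filetrans_home_content($1)` instead. The doc header of `alsa_filetrans_home_content` starts outside this hunk.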
@@ -3658,7 +3692,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..2aa37b4 100644
+index 975af1a..634c47a 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -3669,23 +3703,38 @@ index 975af1a..2aa37b4 100644
attribute sudodomain;
')
-@@ -47,6 +48,15 @@ template(`sudo_role_template',`
+@@ -47,26 +48,11 @@ template(`sudo_role_template',`
ubac_constrained($1_sudo_t)
role $2 types $1_sudo_t;
+- ##############################
+- #
+- # Local Policy
+- #
+ type $1_sudo_tmp_t;
+ files_tmp_file($1_sudo_tmp_t)
-+
+
+- # Use capabilities.
+- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+- allow $1_sudo_t self:process { setexec setrlimit };
+- allow $1_sudo_t self:fd use;
+- allow $1_sudo_t self:fifo_file rw_fifo_file_perms;
+- allow $1_sudo_t self:shm create_shm_perms;
+- allow $1_sudo_t self:sem create_sem_perms;
+- allow $1_sudo_t self:msgq create_msgq_perms;
+- allow $1_sudo_t self:msg { send receive };
+- allow $1_sudo_t self:unix_dgram_socket create_socket_perms;
+- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+- allow $1_sudo_t self:unix_dgram_socket sendto;
+- allow $1_sudo_t self:unix_stream_socket connectto;
+- allow $1_sudo_t self:key manage_key_perms;
+ allow $1_sudo_t $1_sudo_tmp_t:file manage_file_perms;
+ files_tmp_filetrans($1_sudo_t, $1_sudo_tmp_t, file)
-+
-+ manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
-+ manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)
-+
- ##############################
- #
- # Local Policy
-@@ -76,6 +86,11 @@ template(`sudo_role_template',`
+
+ allow $1_sudo_t $3:key search;
+
+@@ -76,88 +62,19 @@ template(`sudo_role_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
@@ -3697,50 +3746,90 @@ index 975af1a..2aa37b4 100644
allow $3 $1_sudo_t:fd use;
allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
allow $3 $1_sudo_t:process signal_perms;
-@@ -113,12 +128,15 @@ template(`sudo_role_template',`
- term_getattr_pty_fs($1_sudo_t)
- term_relabel_all_ttys($1_sudo_t)
- term_relabel_all_ptys($1_sudo_t)
-+ term_getattr_pty_fs($1_sudo_t)
+- kernel_read_kernel_sysctls($1_sudo_t)
+- kernel_read_system_state($1_sudo_t)
+- kernel_link_key($1_sudo_t)
+-
+- corecmd_read_bin_symlinks($1_sudo_t)
+- corecmd_exec_all_executables($1_sudo_t)
+-
+- dev_getattr_fs($1_sudo_t)
+- dev_read_urand($1_sudo_t)
+- dev_rw_generic_usb_dev($1_sudo_t)
+- dev_read_sysfs($1_sudo_t)
+-
+- domain_use_interactive_fds($1_sudo_t)
+- domain_sigchld_interactive_fds($1_sudo_t)
+- domain_getattr_all_entry_files($1_sudo_t)
+-
+- files_read_etc_files($1_sudo_t)
+- files_read_var_files($1_sudo_t)
+- files_read_usr_symlinks($1_sudo_t)
+- files_getattr_usr_files($1_sudo_t)
+- # for some PAM modules and for cwd
+- files_dontaudit_search_home($1_sudo_t)
+- files_list_tmp($1_sudo_t)
+-
+- fs_search_auto_mountpoints($1_sudo_t)
+- fs_getattr_xattr_fs($1_sudo_t)
+-
+- selinux_validate_context($1_sudo_t)
+- selinux_compute_relabel_context($1_sudo_t)
+-
+- term_getattr_pty_fs($1_sudo_t)
+- term_relabel_all_ttys($1_sudo_t)
+- term_relabel_all_ptys($1_sudo_t)
+-
auth_run_chk_passwd($1_sudo_t, $2)
- # sudo stores a token in the pam_pid directory
- auth_manage_pam_pid($1_sudo_t)
+- # sudo stores a token in the pam_pid directory
+- auth_manage_pam_pid($1_sudo_t)
auth_use_nsswitch($1_sudo_t)
-+ application_signal($1_sudo_t)
-+
- init_rw_utmp($1_sudo_t)
-
- logging_send_audit_msgs($1_sudo_t)
-@@ -126,7 +144,7 @@ template(`sudo_role_template',`
-
- miscfiles_read_localization($1_sudo_t)
-
+- init_rw_utmp($1_sudo_t)
+-
+- logging_send_audit_msgs($1_sudo_t)
+- logging_send_syslog_msg($1_sudo_t)
+-
+- miscfiles_read_localization($1_sudo_t)
+-
- seutil_search_default_contexts($1_sudo_t)
-+ seutil_read_default_contexts($1_sudo_t)
- seutil_libselinux_linked($1_sudo_t)
-
- userdom_spec_domtrans_all_users($1_sudo_t)
-@@ -135,12 +153,13 @@ template(`sudo_role_template',`
- userdom_manage_user_tmp_files($1_sudo_t)
- userdom_manage_user_tmp_symlinks($1_sudo_t)
- userdom_use_user_terminals($1_sudo_t)
-+ userdom_signal_all_users($1_sudo_t)
- # for some PAM modules and for cwd
+- seutil_libselinux_linked($1_sudo_t)
+-
+- userdom_spec_domtrans_all_users($1_sudo_t)
+- userdom_manage_user_home_content_files($1_sudo_t)
+- userdom_manage_user_home_content_symlinks($1_sudo_t)
+- userdom_manage_user_tmp_files($1_sudo_t)
+- userdom_manage_user_tmp_symlinks($1_sudo_t)
+- userdom_use_user_terminals($1_sudo_t)
+- # for some PAM modules and for cwd
- userdom_dontaudit_search_user_home_content($1_sudo_t)
-+ userdom_search_user_home_content($1_sudo_t)
-+ userdom_search_admin_dir($1_sudo_t)
-+ userdom_manage_all_users_keys($1_sudo_t)
-
+-
- ifdef(`hide_broken_symptoms', `
- dontaudit $1_sudo_t $3:socket_class_set { read write };
- ')
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_files($1_sudo_t)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files($1_sudo_t)
+- ')
+-
+- optional_policy(`
+- dbus_system_bus_client($1_sudo_t)
+- ')
+-
+- optional_policy(`
+- fprintd_dbus_chat($1_sudo_t)
+- ')
+-
+ mta_role($2, $1_sudo_t)
+ ')
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files($1_sudo_t)
-@@ -177,3 +196,22 @@ interface(`sudo_sigchld',`
+ ########################################
+@@ -177,3 +94,22 @@ interface(`sudo_sigchld',`
allow $1 sudodomain:process sigchld;
')
@@ -3764,10 +3853,10 @@ index 975af1a..2aa37b4 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..3443ba2 100644
+index 2731fa1..22beabf 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,7 @@ attribute sudodomain;
+@@ -7,3 +7,110 @@ attribute sudodomain;
type sudo_exec_t;
application_executable_file(sudo_exec_t)
@@ -3775,6 +3864,109 @@ index 2731fa1..3443ba2 100644
+type sudo_db_t;
+files_type(sudo_db_t)
+
++manage_dirs_pattern(sudodomain, sudo_db_t, sudo_db_t)
++manage_files_pattern(sudodomain, sudo_db_t, sudo_db_t)
++
++##############################
++#
++# Local Policy
++#
++
++# Use capabilities.
++allow sudodomain self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
++allow sudodomain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow sudodomain self:process { setexec setrlimit };
++allow sudodomain self:fd use;
++allow sudodomain self:fifo_file rw_fifo_file_perms;
++allow sudodomain self:shm create_shm_perms;
++allow sudodomain self:sem create_sem_perms;
++allow sudodomain self:msgq create_msgq_perms;
++allow sudodomain self:msg { send receive };
++allow sudodomain self:unix_dgram_socket create_socket_perms;
++allow sudodomain self:unix_stream_socket create_stream_socket_perms;
++allow sudodomain self:unix_dgram_socket sendto;
++allow sudodomain self:unix_stream_socket connectto;
++allow sudodomain self:key manage_key_perms;
++
++kernel_read_kernel_sysctls(sudodomain)
++kernel_read_system_state(sudodomain)
++kernel_link_key(sudodomain)
++
++corecmd_read_bin_symlinks(sudodomain)
++corecmd_exec_all_executables(sudodomain)
++
++dev_getattr_fs(sudodomain)
++dev_read_urand(sudodomain)
++dev_rw_generic_usb_dev(sudodomain)
++dev_read_sysfs(sudodomain)
++
++domain_use_interactive_fds(sudodomain)
++domain_sigchld_interactive_fds(sudodomain)
++domain_getattr_all_entry_files(sudodomain)
++
++files_read_etc_files(sudodomain)
++files_read_var_files(sudodomain)
++files_read_usr_symlinks(sudodomain)
++files_getattr_usr_files(sudodomain)
++# for some PAM modules and for cwd
++files_dontaudit_search_home(sudodomain)
++files_list_tmp(sudodomain)
++
++fs_search_auto_mountpoints(sudodomain)
++fs_getattr_xattr_fs(sudodomain)
++
++selinux_validate_context(sudodomain)
++selinux_compute_relabel_context(sudodomain)
++
++term_getattr_pty_fs(sudodomain)
++term_relabel_all_ttys(sudodomain)
++term_relabel_all_ptys(sudodomain)
++term_getattr_pty_fs(sudodomain)
++
++#auth_run_chk_passwd(sudodomain)
++# sudo stores a token in the pam_pid directory
++auth_manage_pam_pid(sudodomain)
++#auth_use_nsswitch(sudodomain)
++
++application_signal(sudodomain)
++
++init_rw_utmp(sudodomain)
++
++logging_send_audit_msgs(sudodomain)
++logging_send_syslog_msg(sudodomain)
++
++miscfiles_read_localization(sudodomain)
++
++seutil_read_default_contexts(sudodomain)
++seutil_libselinux_linked(sudodomain)
++
++userdom_spec_domtrans_all_users(sudodomain)
++userdom_manage_user_home_content_files(sudodomain)
++userdom_manage_user_home_content_symlinks(sudodomain)
++userdom_manage_user_tmp_files(sudodomain)
++userdom_manage_user_tmp_symlinks(sudodomain)
++userdom_use_user_terminals(sudodomain)
++userdom_signal_all_users(sudodomain)
++# for some PAM modules and for cwd
++userdom_search_user_home_content(sudodomain)
++userdom_search_admin_dir(sudodomain)
++userdom_manage_all_users_keys(sudodomain)
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_files(sudodomain)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_manage_cifs_files(sudodomain)
++')
++
++optional_policy(`
++ dbus_system_bus_client(sudodomain)
++')
++
++optional_policy(`
++ fprintd_dbus_chat(sudodomain)
++')
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index d5aaf0e..6b16aef 100644
--- a/policy/modules/admin/sxid.te
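Review bot: The capability rule moved here from `sudo_role_template` is not a straight move: `allow sudodomain self:capability { chown fowner ... }` adds `chown`, which the removed template rule did not grant. It now applies to every domain carrying the `sudodomain` attribute. If `chown` is intended, a one-line comment saying what needs it would make the widening reviewable; otherwise drop it. Two smaller points in the same block: `term_getattr_pty_fs(sudodomain)` appears twice, and the commented-out `#auth_run_chk_passwd(sudodomain)` and `#auth_use_nsswitch(sudodomain)` lines would be better replaced by a comment such as `# auth_run_chk_passwd and auth_use_nsswitch stay in sudo_role_template`.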
@@ -4136,7 +4328,7 @@ index 81fb26f..66cf96c 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..772a68e 100644
+index 441cf22..cd9d876 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4147,7 +4339,7 @@ index 441cf22..772a68e 100644
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
-@@ -79,18 +80,17 @@ selinux_compute_create_context(chfn_t)
+@@ -79,18 +80,18 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -4155,6 +4347,7 @@ index 441cf22..772a68e 100644
-term_use_all_ptys(chfn_t)
+term_use_all_inherited_ttys(chfn_t)
+term_use_all_inherited_ptys(chfn_t)
++term_getattr_all_ptys(chfn_t)
fs_getattr_xattr_fs(chfn_t)
fs_search_auto_mountpoints(chfn_t)
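Review bot: `term_getattr_all_ptys(chfn_t)` is added without a comment saying which access it covers, and it sits next to rules that the patch narrows to inherited terminals only. The same line is added for `groupadd_t`, `passwd_t`, `sysadm_passwd_t` and `useradd_t` in later hunks. A short why-comment above each, e.g. `# getattr on ptys: <denial or bug reference>`, would let a later reviewer judge whether an allow is needed or a dontaudit would do.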
@@ -4170,7 +4363,7 @@ index 441cf22..772a68e 100644
# allow checking if a shell is executable
corecmd_check_exec_shell(chfn_t)
-@@ -105,6 +105,7 @@ files_dontaudit_search_home(chfn_t)
+@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
@@ -4178,7 +4371,7 @@ index 441cf22..772a68e 100644
miscfiles_read_localization(chfn_t)
-@@ -118,6 +119,10 @@ userdom_use_unpriv_users_fds(chfn_t)
+@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t)
# on user home dir
userdom_dontaudit_search_user_home_content(chfn_t)
@@ -4189,17 +4382,18 @@ index 441cf22..772a68e 100644
########################################
#
# Crack local policy
-@@ -194,8 +199,7 @@ selinux_compute_create_context(groupadd_t)
+@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
-term_use_all_ttys(groupadd_t)
-term_use_all_ptys(groupadd_t)
+term_use_all_inherited_terms(groupadd_t)
++term_getattr_all_ptys(groupadd_t)
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -277,6 +281,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -277,6 +283,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -4207,13 +4401,14 @@ index 441cf22..772a68e 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -291,17 +296,18 @@ selinux_compute_create_context(passwd_t)
+@@ -291,17 +298,19 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
-term_use_all_ttys(passwd_t)
-term_use_all_ptys(passwd_t)
+term_use_all_inherited_terms(passwd_t)
++term_getattr_all_ptys(passwd_t)
-auth_domtrans_chk_passwd(passwd_t)
auth_manage_shadow(passwd_t)
@@ -4230,7 +4425,7 @@ index 441cf22..772a68e 100644
domain_use_interactive_fds(passwd_t)
-@@ -311,6 +317,8 @@ files_search_var(passwd_t)
+@@ -311,6 +320,8 @@ files_search_var(passwd_t)
files_dontaudit_search_pids(passwd_t)
files_relabel_etc_files(passwd_t)
@@ -4239,7 +4434,7 @@ index 441cf22..772a68e 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -323,7 +331,7 @@ miscfiles_read_localization(passwd_t)
+@@ -323,7 +334,7 @@ miscfiles_read_localization(passwd_t)
seutil_dontaudit_search_config(passwd_t)
@@ -4248,7 +4443,7 @@ index 441cf22..772a68e 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -332,6 +340,7 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -332,6 +343,7 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
@@ -4256,17 +4451,18 @@ index 441cf22..772a68e 100644
optional_policy(`
nscd_domtrans(passwd_t)
-@@ -381,8 +390,7 @@ dev_read_urand(sysadm_passwd_t)
+@@ -381,8 +393,8 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
-term_use_all_ttys(sysadm_passwd_t)
-term_use_all_ptys(sysadm_passwd_t)
+term_use_all_inherited_terms(sysadm_passwd_t)
++term_getattr_all_ptys(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
-@@ -426,7 +434,7 @@ optional_policy(`
+@@ -426,7 +438,7 @@ optional_policy(`
# Useradd local policy
#
@@ -4275,7 +4471,7 @@ index 441cf22..772a68e 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -448,8 +456,12 @@ corecmd_exec_shell(useradd_t)
+@@ -448,8 +460,12 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -4288,7 +4484,7 @@ index 441cf22..772a68e 100644
files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t)
-@@ -460,6 +472,7 @@ fs_search_auto_mountpoints(useradd_t)
+@@ -460,6 +476,7 @@ fs_search_auto_mountpoints(useradd_t)
fs_getattr_xattr_fs(useradd_t)
mls_file_upgrade(useradd_t)
@@ -4296,17 +4492,18 @@ index 441cf22..772a68e 100644
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
-@@ -469,8 +482,7 @@ selinux_compute_create_context(useradd_t)
+@@ -469,8 +486,8 @@ selinux_compute_create_context(useradd_t)
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
-term_use_all_ttys(useradd_t)
-term_use_all_ptys(useradd_t)
+term_use_all_inherited_terms(useradd_t)
++term_getattr_all_ptys(useradd_t)
auth_domtrans_chk_passwd(useradd_t)
auth_rw_lastlog(useradd_t)
-@@ -498,21 +510,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,21 +515,11 @@ seutil_domtrans_setfiles(useradd_t)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
@@ -20755,10 +20952,10 @@ index 2be17d2..2c588ca 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..f3980e0 100644
+index e14b961..f2aac71 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,48 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,52 @@ ifndef(`enable_mls',`
#
# Local policy
#
@@ -20802,12 +20999,16 @@ index e14b961..f3980e0 100644
+userdom_manage_tmp_role(sysadm_r, sysadm_t)
+
+optional_policy(`
++ alsa_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ ssh_filetrans_admin_home_content(sysadm_t)
+')
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,6 +83,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +87,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
@@ -20815,7 +21016,7 @@ index e14b961..f3980e0 100644
')
tunable_policy(`allow_ptrace',`
-@@ -67,9 +96,9 @@ optional_policy(`
+@@ -67,9 +100,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -20826,7 +21027,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -98,6 +127,10 @@ optional_policy(`
+@@ -98,6 +131,10 @@ optional_policy(`
')
optional_policy(`
@@ -20837,7 +21038,7 @@ index e14b961..f3980e0 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -110,11 +143,19 @@ optional_policy(`
+@@ -110,11 +147,19 @@ optional_policy(`
')
optional_policy(`
@@ -20858,7 +21059,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -128,6 +169,10 @@ optional_policy(`
+@@ -128,6 +173,10 @@ optional_policy(`
')
optional_policy(`
@@ -20869,7 +21070,7 @@ index e14b961..f3980e0 100644
dmesg_exec(sysadm_t)
')
-@@ -163,6 +208,13 @@ optional_policy(`
+@@ -163,6 +212,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -20883,7 +21084,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -170,15 +222,20 @@ optional_policy(`
+@@ -170,15 +226,20 @@ optional_policy(`
')
optional_policy(`
@@ -20907,7 +21108,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -198,22 +255,19 @@ optional_policy(`
+@@ -198,22 +259,19 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -20935,7 +21136,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -225,25 +279,47 @@ optional_policy(`
+@@ -225,25 +283,47 @@ optional_policy(`
')
optional_policy(`
@@ -20983,7 +21184,7 @@ index e14b961..f3980e0 100644
portage_run(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')
-@@ -253,19 +329,19 @@ optional_policy(`
+@@ -253,19 +333,19 @@ optional_policy(`
')
optional_policy(`
@@ -21007,7 +21208,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -274,10 +350,7 @@ optional_policy(`
+@@ -274,10 +354,7 @@ optional_policy(`
optional_policy(`
rpm_run(sysadm_t, sysadm_r)
@@ -21019,7 +21220,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -302,12 +375,18 @@ optional_policy(`
+@@ -302,12 +379,18 @@ optional_policy(`
')
optional_policy(`
@@ -21039,7 +21240,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -332,7 +411,10 @@ optional_policy(`
+@@ -332,7 +415,10 @@ optional_policy(`
')
optional_policy(`
@@ -21051,7 +21252,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -343,19 +425,15 @@ optional_policy(`
+@@ -343,19 +429,15 @@ optional_policy(`
')
optional_policy(`
@@ -21073,7 +21274,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -367,45 +445,45 @@ optional_policy(`
+@@ -367,45 +449,45 @@ optional_policy(`
')
optional_policy(`
@@ -21130,7 +21331,7 @@ index e14b961..f3980e0 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -418,10 +496,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +500,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21141,7 +21342,7 @@ index e14b961..f3980e0 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
')
-@@ -439,6 +513,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +517,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role(sysadm_r, sysadm_t)
@@ -21149,7 +21350,7 @@ index e14b961..f3980e0 100644
')
optional_policy(`
-@@ -446,11 +521,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +525,66 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21172,8 +21373,9 @@ index e14b961..f3980e0 100644
+
+ optional_policy(`
+ mplayer_role(sysadm_r, sysadm_t)
-+ ')
-+
+ ')
+-')
+
+ optional_policy(`
+ pyzor_role(sysadm_r, sysadm_t)
+ ')
@@ -21212,9 +21414,8 @@ index e14b961..f3980e0 100644
+
+ optional_policy(`
+ wireshark_role(sysadm_r, sysadm_t)
- ')
--')
-
++ ')
++
+ optional_policy(`
+ xserver_role(sysadm_r, sysadm_t)
+ ')
@@ -21928,10 +22129,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..8d7dde1
+index 0000000..50c38f9
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,502 @@
+@@ -0,0 +1,498 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -22159,11 +22360,7 @@ index 0000000..8d7dde1
+')
+
+optional_policy(`
-+ ada_run(unconfined_t, unconfined_r)
-+')
-+
-+optional_policy(`
-+ alsa_run(unconfined_t, unconfined_r)
++ alsa_filetrans_named_content(unconfined_t)
+')
+
+optional_policy(`
@@ -73110,10 +73307,10 @@ index 0000000..79c358c
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..1449552
+index 0000000..a84b8e7
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,370 @@
+@@ -0,0 +1,371 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -73267,6 +73464,7 @@ index 0000000..1449552
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
++manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
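Review bot: `manage_sock_files_pattern` is added for `systemd_passwd_var_run_t`, but the `init_pid_filetrans` two lines below still lists only `{ dir fifo_file file }`. A socket the agent creates directly in the directory covered by that transition would keep the parent's label instead of becoming `systemd_passwd_var_run_t`. If the socket can be created at that level, extend the class set: `init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file sock_file })`. If it is only ever created inside an already-labelled subdirectory, no change is needed; this is worth confirming against where the agent places its socket.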
@@ -78167,7 +78365,7 @@ index 4b2878a..34d01ef 100644
+ allow $1 unpriv_userdomain:sem rw_sem_perms;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..04d748b 100644
+index 9b4a930..d6c3860 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -78220,7 +78418,7 @@ index 9b4a930..04d748b 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -78283,7 +78481,6 @@ index 9b4a930..04d748b 100644
+ alsa_read_rw_config(unpriv_userdomain)
+ alsa_manage_home_files(unpriv_userdomain)
+ alsa_relabel_home_files(unpriv_userdomain)
-+ alsa_filetrans_named_content(unpriv_userdomain)
+')
+
+optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 33deb32..dafe020 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 45.1%{?dist}
+Release: 46%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -176,8 +176,8 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts
%dir %{_sysconfdir}/selinux/%1/contexts/files \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \
-%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
-%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
%config %{_sysconfdir}/selinux/%1/contexts/files/media \
%dir %{_sysconfdir}/selinux/%1/contexts/users \
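Review bot: Replacing `%verify(not md5 size mtime)` with `%config(noreplace)` on `file_contexts.local` and `file_contexts.subs` keeps local edits across upgrades, but it also drops the verify exemption. `rpm -V` will presumably start reporting these files as modified on any system with local contexts, which adds noise to package-integrity checks. Both attributes can be kept, e.g. `%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \`, and likewise for `file_contexts.subs`. The enclosing macro definition starts and ends outside this hunk.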
@@ -481,6 +481,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Oct 20 2011 Miroslav Grepl 3.10.0-46
+- Policy update should not modify local contexts
+
* Thu Oct 20 2011 Dan Walsh 3.10.0-45.1
- Remove ada policy