diff --git a/policy-F16.patch b/policy-F16.patch
index b1d4625..05c483c 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -364,6 +364,21 @@ index 63ef90e..a535b31 100644
seutil_sigchld_newrole(acct_t)
')
+diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
+index d362d9c..10261ed 100644
+--- a/policy/modules/admin/alsa.fc
++++ b/policy/modules/admin/alsa.fc
+@@ -11,8 +11,10 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+ /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+ /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
++/usr/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+ /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
++/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
+
+ /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+ /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 1392679..407f9f7 100644
--- a/policy/modules/admin/alsa.if
@@ -569,20 +584,24 @@ index 0bfc958..af95b7a 100644
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..58b782e 100644
+index 7a6f06f..39f1adf 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
-@@ -1,8 +1,8 @@
+@@ -1,9 +1,11 @@
-
+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
/etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
-/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-+/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/grub.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/sur/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
++/usr/sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index 63eb96b..d7a6063 100644
--- a/policy/modules/admin/bootloader.if
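Review bot: The added file-context entry `/sur/sbin/lilo.*` looks like a typo for `/usr/sbin/lilo.*`; as written it matches no real path, so a lilo binary under /usr/sbin would not be labeled `bootloader_exec_t` by this rule. The grub and ybin lines added next to it use `/usr/sbin/`, which is why I read this as a slip rather than intent. Proposed line: `/usr/sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)`. After the fix, checking the resulting label with `matchpathcon` would confirm the entry is picked up.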
@@ -847,6 +866,15 @@ index 6b02433..1e28e62 100644
optional_policy(`
apache_exec_modules(certwatch_t)
+diff --git a/policy/modules/admin/consoletype.fc b/policy/modules/admin/consoletype.fc
+index b7f053b..5d4fc31 100644
+--- a/policy/modules/admin/consoletype.fc
++++ b/policy/modules/admin/consoletype.fc
+@@ -1,2 +1,4 @@
+
+ /sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
++
++/usr/sbin/consoletype -- gen_context(system_u:object_r:consoletype_exec_t,s0)
diff --git a/policy/modules/admin/consoletype.if b/policy/modules/admin/consoletype.if
index 0f57d3b..655d07f 100644
--- a/policy/modules/admin/consoletype.if
@@ -951,6 +979,15 @@ index 5e062bc..3cbfffb 100644
+optional_policy(`
+ modutils_read_module_deps(ddcprobe_t)
+')
+diff --git a/policy/modules/admin/dmesg.fc b/policy/modules/admin/dmesg.fc
+index d6cc2d9..0685b19 100644
+--- a/policy/modules/admin/dmesg.fc
++++ b/policy/modules/admin/dmesg.fc
+@@ -1,2 +1,4 @@
+
+ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
++
++/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 72bc6d8..1f55eba 100644
--- a/policy/modules/admin/dmesg.te
@@ -1202,10 +1239,10 @@ index c4d8998..bd59f2e 100644
+ xserver_stream_connect(firstboot_t)
')
diff --git a/policy/modules/admin/kdump.fc b/policy/modules/admin/kdump.fc
-index c66934f..1aa1205 100644
+index c66934f..b1d31d0 100644
--- a/policy/modules/admin/kdump.fc
+++ b/policy/modules/admin/kdump.fc
-@@ -1,5 +1,7 @@
+@@ -1,5 +1,13 @@
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
@@ -1213,6 +1250,12 @@ index c66934f..1aa1205 100644
+
/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
++
++/usr/lib/systemd/system/kdump.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
++/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
++/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
++
diff --git a/policy/modules/admin/kdump.if b/policy/modules/admin/kdump.if
index 4198ff5..419c7a9 100644
--- a/policy/modules/admin/kdump.if
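Review bot: The new entry for `/usr/lib/systemd/system/kdump.service` is labeled `iptables_unit_file_t`, which looks copied from the iptables module; every other entry in this kdump.fc section uses a `kdump_*` type. With this label, any domain allowed to manage or start iptables unit files would presumably get the same access to the kdump unit, and rules written for kdump would not cover it. If the policy declares a kdump unit-file type, use it here, as in `gen_context(system_u:object_r:KDUMP_UNIT_FILE_TYPE,s0)` with the real type name substituted. Otherwise one needs to be declared in kdump.te, which is outside this hunk.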
@@ -1329,6 +1372,16 @@ index 9dd6880..4b7fa27 100644
userdom_read_user_tmpfs_files(kismet_t)
optional_policy(`
+diff --git a/policy/modules/admin/kudzu.fc b/policy/modules/admin/kudzu.fc
+index dd88f74..3317a0c 100644
+--- a/policy/modules/admin/kudzu.fc
++++ b/policy/modules/admin/kudzu.fc
+@@ -2,4 +2,5 @@
+ /sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+ /sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+
++/usr/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
+ /usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index 4f7bd3c..9143343 100644
--- a/policy/modules/admin/kudzu.te
@@ -1801,14 +1854,19 @@ index ec29391..28c9672 100644
optional_policy(`
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
-index 407078f..a818e14 100644
+index 407078f..b5a91f8 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
-@@ -8,7 +8,7 @@
+@@ -6,9 +6,12 @@
+
+ /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0)
++/usr/bin/ping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/bin/tracepath.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
-/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0)
++/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0)
+/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0)
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
/usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
@@ -2277,11 +2335,15 @@ index af55369..5d940f8 100644
+ miscfiles_read_man_pages(prelink_t)
+')
diff --git a/policy/modules/admin/quota.fc b/policy/modules/admin/quota.fc
-index f387230..e13dbdd 100644
+index f387230..98adfd2 100644
--- a/policy/modules/admin/quota.fc
+++ b/policy/modules/admin/quota.fc
-@@ -10,10 +10,14 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+@@ -8,12 +8,18 @@ HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
+
+ /sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
++/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
++
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
@@ -2433,16 +2495,22 @@ index 5dd42f5..bef4392 100644
+ dbus_connect_system_bus(quota_nld_t)
+')
diff --git a/policy/modules/admin/readahead.fc b/policy/modules/admin/readahead.fc
-index 7077413..6bc0fa8 100644
+index 7077413..8aa9c0e 100644
--- a/policy/modules/admin/readahead.fc
+++ b/policy/modules/admin/readahead.fc
-@@ -1,3 +1,7 @@
- /usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+@@ -1,3 +1,12 @@
+-/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
++
++/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++
/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++
++/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
++
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
-+/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+
-+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if
index 47c4723..64c8889 100644
@@ -3082,6 +3150,20 @@ index c8ef84b..eb4bd05 100644
optional_policy(`
mount_exec(sectoolm_t)
+diff --git a/policy/modules/admin/shorewall.fc b/policy/modules/admin/shorewall.fc
+index 48d1363..4a5b930 100644
+--- a/policy/modules/admin/shorewall.fc
++++ b/policy/modules/admin/shorewall.fc
+@@ -7,6 +7,9 @@
+ /sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+ /sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
+
++/usr/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
++/usr/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
++
+ /var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+ /var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if
index 781ad7e..f7b8881 100644
--- a/policy/modules/admin/shorewall.if
@@ -3224,6 +3306,24 @@ index 95bce88..95065c3 100644
optional_policy(`
hostname_exec(shorewall_t)
+diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
+index 97671a3..eb84cd0 100644
+--- a/policy/modules/admin/shutdown.fc
++++ b/policy/modules/admin/shutdown.fc
+@@ -2,6 +2,11 @@
+
+ /lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+-/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+
+-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
++/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
++/usr/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
++/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
++
++/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index d0604cf..95c53c5 100644
--- a/policy/modules/admin/shutdown.if
@@ -3517,6 +3617,15 @@ index fe1c377..724df48 100644
fstools_domtrans(sosreport_t)
')
+diff --git a/policy/modules/admin/su.fc b/policy/modules/admin/su.fc
+index 688abc2..3d89250 100644
+--- a/policy/modules/admin/su.fc
++++ b/policy/modules/admin/su.fc
+@@ -3,3 +3,4 @@
+
+ /usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+ /usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
++/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 8c5fa3c..ce3d33a 100644
--- a/policy/modules/admin/su.if
@@ -5331,10 +5440,10 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..8fe4b66 100644
+index f5afe78..9b1de02 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,819 @@
+@@ -1,44 +1,862 @@
## GNU network object model environment (GNOME)
-############################################################
@@ -5397,13 +5506,13 @@ index f5afe78..8fe4b66 100644
+interface(`gnome_role_gkeyringd',`
+ gen_require(`
+ attribute gkeyringd_domain;
-+ attribute gnome_domain;
++ attribute gnomedomain;
+ type gnome_home_t;
+ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
+ class dbus send_msg;
+ ')
+
-+ type $1_gkeyringd_t, gnome_domain, gkeyringd_domain;
++ type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
+ typealias $1_gkeyringd_t alias gkeyringd_$1_t;
+ application_domain($1_gkeyringd_t, gkeyringd_exec_t)
+ ubac_constrained($1_gkeyringd_t)
@@ -5600,10 +5709,10 @@ index f5afe78..8fe4b66 100644
+#
+interface(`gnome_signal_all',`
+ gen_require(`
-+ attribute gnome_domain;
++ attribute gnomedomain;
+ ')
+
-+ allow $1 gnome_domain:process signal;
++ allow $1 gnomedomain:process signal;
+')
+
+########################################
@@ -6099,24 +6208,43 @@ index f5afe78..8fe4b66 100644
+## Manage generic gnome home files.
+##
+##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_generic_home_files',`
++ gen_require(`
++ type gnome_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++')
++
++########################################
++##
++## Manage generic gnome home directories.
++##
++##
##
-## Role allowed access
+## Domain allowed access.
##
##
+#
-+interface(`gnome_manage_generic_home_files',`
++interface(`gnome_manage_generic_home_dirs',`
+ gen_require(`
+ type gnome_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
++ allow $1 gnome_home_t:dir manage_dir_perms;
+')
+
+########################################
+##
-+## Manage generic gnome home directories.
++## Append gconf home files
+##
##
##
@@ -6126,106 +6254,105 @@ index f5afe78..8fe4b66 100644
##
#
-interface(`gnome_role',`
-+interface(`gnome_manage_generic_home_dirs',`
++interface(`gnome_append_gconf_home_files',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
- type gconf_tmp_t;
-+ type gnome_home_t;
++ type gconf_home_t;
')
- role $1 types gconfd_t;
--
++ append_files_pattern($1, gconf_home_t, gconf_home_t)
++')
++
++########################################
++##
++## manage gconf home files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_gconf_home_files',`
++ gen_require(`
++ type gconf_home_t;
++ ')
+
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
- allow gconfd_t $2:unix_stream_socket connectto;
-+ userdom_search_user_home_dirs($1)
-+ allow $1 gnome_home_t:dir manage_dir_perms;
++ allow $1 gconf_home_t:dir list_dir_perms;
++ manage_files_pattern($1, gconf_home_t, gconf_home_t)
+')
- ps_process_pattern($2, gconfd_t)
+########################################
+##
-+## Append gconf home files
++## Connect to gnome over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
++##
++## The type of the user domain.
++##
++##
+#
-+interface(`gnome_append_gconf_home_files',`
++interface(`gnome_stream_connect',`
+ gen_require(`
-+ type gconf_home_t;
++ attribute gnome_home_type;
+ ')
- #gnome_stream_connect_gconf_template($1, $2)
- read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
- allow $2 gconfd_t:unix_stream_socket connectto;
-+ append_files_pattern($1, gconf_home_t, gconf_home_t)
++ # Connect to pulseaudit server
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
')
########################################
##
-## Execute gconf programs in
-## in the caller domain.
-+## manage gconf home files
++## list gnome homedir content (.config)
##
##
##
-@@ -46,37 +821,117 @@ interface(`gnome_role',`
+@@ -46,37 +864,92 @@ interface(`gnome_role',`
##
##
#
-interface(`gnome_exec_gconf',`
-+interface(`gnome_manage_gconf_home_files',`
++interface(`gnome_list_home_config',`
gen_require(`
- type gconfd_exec_t;
-+ type gconf_home_t;
++ type config_home_t;
')
- can_exec($1, gconfd_exec_t)
-+ allow $1 gconf_home_t:dir list_dir_perms;
-+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
++ allow $1 config_home_t:dir list_dir_perms;
')
########################################
##
-## Read gconf config files.
-+## Connect to gnome over an unix stream socket.
++## Set attributes of gnome homedir content (.config)
##
+-##
+##
-+##
-+## Domain allowed access.
-+##
-+##
- ##
##
-+## The type of the user domain.
-+##
-+##
-+#
-+interface(`gnome_stream_connect',`
-+ gen_require(`
-+ attribute gnome_home_type;
-+ ')
-+
-+ # Connect to pulseaudit server
-+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
-+')
-+
-+########################################
-+##
-+## list gnome homedir content (.config)
-+##
-+##
-+##
## Domain allowed access.
##
##
#
-template(`gnome_read_gconf_config',`
-+interface(`gnome_list_home_config',`
++interface(`gnome_setattr_home_config',`
gen_require(`
- type gconf_etc_t;
+ type config_home_t;
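Review bot: The comment `# Connect to pulseaudit server` inside gnome_stream_connect does not describe the rule below it, which lets `$1` connect to `$2` through sockets labeled with a `gnome_home_type` type; it reads as a leftover from another module and is misspelled. Suggested replacement: `# Connect to $2 over stream sockets labeled with a gnome_home_type type`. In the same hunk the summaries `manage gconf home files` and `list gnome homedir content (.config)` start in lower case while neighbouring summaries are capitalised. A misleading comment on a connect rule makes later audits of who may talk to which domain harder than they need to be.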
@@ -6234,12 +6361,13 @@ index f5afe78..8fe4b66 100644
- allow $1 gconf_etc_t:dir list_dir_perms;
- read_files_pattern($1, gconf_etc_t, gconf_etc_t)
- files_search_etc($1)
-+ allow $1 config_home_t:dir list_dir_perms;
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
++ userdom_search_user_home_dirs($1)
+')
+
+########################################
+##
-+## Set attributes of gnome homedir content (.config)
++## read gnome homedir content (.config)
+##
+##
+##
@@ -6247,39 +6375,38 @@ index f5afe78..8fe4b66 100644
+##
+##
+#
-+interface(`gnome_setattr_home_config',`
++interface(`gnome_read_home_config',`
+ gen_require(`
+ type config_home_t;
+ ')
+
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
-+ userdom_search_user_home_dirs($1)
++ list_dirs_pattern($1, config_home_t, config_home_t)
++ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
+')
+
-+########################################
++#######################################
+##
-+## read gnome homedir content (.config)
++## delete gnome homedir content (.config)
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`gnome_read_home_config',`
-+ gen_require(`
-+ type config_home_t;
-+ ')
++interface(`gnome_delete_home_config',`
++ gen_require(`
++ type config_home_t;
++ ')
+
-+ list_dirs_pattern($1, config_home_t, config_home_t)
-+ read_files_pattern($1, config_home_t, config_home_t)
-+ read_lnk_files_pattern($1, config_home_t, config_home_t)
++ delete_files_pattern($1, config_home_t, config_home_t)
')
#######################################
##
-## Create, read, write, and delete gconf config files.
-+## delete gnome homedir content (.config)
++## setattr gnome homedir content (.config)
+##
+##
+##
@@ -6287,12 +6414,12 @@ index f5afe78..8fe4b66 100644
+##
+##
+#
-+interface(`gnome_delete_home_config',`
++interface(`gnome_setattr_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
-+ delete_files_pattern($1, config_home_t, config_home_t)
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
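Review bot: `gnome_setattr_home_config_dirs` grants the same `setattr_dirs_pattern($1, config_home_t, config_home_t)` as `gnome_setattr_home_config` in an earlier hunk, which differs only by also calling `userdom_search_user_home_dirs($1)`. Two interfaces with nearly identical effect make it hard for a caller to know which one to use. Its summary, `setattr gnome homedir content (.config)`, says "content" although only directories are covered. Either point callers at the existing interface or reword the summary to `Set attributes of gnome homedir (.config) directories.` so the difference is visible. The summary line sits at the end of the preceding hunk.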
@@ -6301,7 +6428,7 @@ index f5afe78..8fe4b66 100644
##
##
##
-@@ -84,37 +939,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +957,53 @@ template(`gnome_read_gconf_config',`
##
##
#
@@ -6366,7 +6493,7 @@ index f5afe78..8fe4b66 100644
##
##
##
-@@ -122,17 +993,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1011,17 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
@@ -6388,7 +6515,7 @@ index f5afe78..8fe4b66 100644
##
##
##
-@@ -140,51 +1011,299 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1029,299 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -6705,15 +6832,13 @@ index f5afe78..8fe4b66 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..14d7e30 100644
+index 2505654..3c5d792 100644
--- a/policy/modules/apps/gnome.te
+++ b/policy/modules/apps/gnome.te
-@@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
- # Declarations
+@@ -6,11 +6,28 @@ policy_module(gnome, 2.1.0)
#
--attribute gnomedomain;
-+attribute gnome_domain;
+ attribute gnomedomain;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
@@ -6740,15 +6865,7 @@ index 2505654..14d7e30 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -23,19 +40,40 @@ typealias gconf_tmp_t alias unconfined_gconf_tmp_t;
- files_tmp_file(gconf_tmp_t)
- ubac_constrained(gconf_tmp_t)
-
--type gconfd_t, gnomedomain;
-+type gconfd_t, gnome_domain;
- type gconfd_exec_t;
- typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
- typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -30,12 +47,33 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
@@ -6931,9 +7048,9 @@ index 2505654..14d7e30 100644
+ ssh_read_user_home_files(gkeyringd_domain)
+')
+
-+domain_use_interactive_fds(gnome_domain)
++domain_use_interactive_fds(gnomedomain)
+
-+userdom_use_inherited_user_terminals(gnome_domain)
++userdom_use_inherited_user_terminals(gnomedomain)
+
diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
index e9853d4..6864b58 100644
@@ -6953,7 +7070,7 @@ index e9853d4..6864b58 100644
+/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
-index 40e0a2a..93d212c 100644
+index 40e0a2a..46cc164 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -54,15 +54,16 @@ interface(`gpg_role',`
@@ -6975,12 +7092,31 @@ index 40e0a2a..93d212c 100644
dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
')
')
-@@ -85,6 +86,43 @@ interface(`gpg_domtrans',`
+@@ -85,6 +86,62 @@ interface(`gpg_domtrans',`
domtrans_pattern($1, gpg_exec_t, gpg_t)
')
+######################################
+##
++## Execute gpg in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gpg_exec',`
++ gen_require(`
++ type gpg_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, gpg_exec_t)
++')
++
++######################################
++##
+## Transition to a gpg web domain.
+##
+##
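Review bot: The new `gpg_exec` interface is documented only as `Execute gpg in the caller domain.`, which leaves out the consequence a policy author needs to know. `can_exec` runs gpg without a transition, so it runs with the caller's permissions and without the confinement of `gpg_t`. I would extend the description with a line such as `## The caller, not gpg_t, needs access to any key files gpg opens; prefer gpg_domtrans where a transition is possible.`.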
@@ -7667,6 +7803,16 @@ index a0be4ef..a3d8afd 100644
+ rpm_transition_script(livecd_t)
+ rpm_domtrans(livecd_t)
+')
+diff --git a/policy/modules/apps/loadkeys.fc b/policy/modules/apps/loadkeys.fc
+index 8549f9f..c475618 100644
+--- a/policy/modules/apps/loadkeys.fc
++++ b/policy/modules/apps/loadkeys.fc
+@@ -1,3 +1,5 @@
+
+ /bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
+ /bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
++/usr/bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
++/usr/bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0)
diff --git a/policy/modules/apps/loadkeys.if b/policy/modules/apps/loadkeys.if
index b55edd0..7b8d952 100644
--- a/policy/modules/apps/loadkeys.if
@@ -7779,7 +7925,7 @@ index 93ac529..800b5c8 100644
+
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index fbb5c5a..aa15d05 100644
+index fbb5c5a..e187982 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
@@ -7817,13 +7963,14 @@ index fbb5c5a..aa15d05 100644
')
########################################
-@@ -197,12 +207,23 @@ interface(`mozilla_domtrans',`
+@@ -197,12 +207,29 @@ interface(`mozilla_domtrans',`
#
interface(`mozilla_domtrans_plugin',`
gen_require(`
- type mozilla_plugin_t, mozilla_plugin_exec_t, mozilla_plugin_tmpfs_t;
+ type mozilla_plugin_t, mozilla_plugin_exec_t;
+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
++ type mozilla_plugin_rw_t;
class dbus send_msg;
')
@@ -7839,10 +7986,15 @@ index fbb5c5a..aa15d05 100644
+
+ ps_process_pattern($1, mozilla_plugin_t)
+ allow $1 mozilla_plugin_t:process signal_perms;
++
++ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
++ can_exec($1, mozilla_plugin_rw_t)
')
########################################
-@@ -228,6 +249,27 @@ interface(`mozilla_run_plugin',`
+@@ -228,6 +255,27 @@ interface(`mozilla_run_plugin',`
mozilla_domtrans_plugin($1)
role $2 types mozilla_plugin_t;
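Review bot: `can_exec($1, mozilla_plugin_rw_t)` gives every caller of mozilla_domtrans_plugin the right to execute `mozilla_plugin_rw_t` files in its own domain, without a transition to `mozilla_plugin_t`. The type name, and the `rw_dir_perms` rule on the same type later in this file, suggest its contents can change at run time, so this may open a write-then-execute path into the calling domain. If callers only need to read plugin data, drop the `can_exec` line and keep the three read patterns. If execution is required, put it in a separate interface so that it is granted deliberately. The interface header is in the preceding hunk.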
@@ -7870,7 +8022,7 @@ index fbb5c5a..aa15d05 100644
')
########################################
-@@ -269,9 +311,27 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -269,9 +317,27 @@ interface(`mozilla_rw_tcp_sockets',`
allow $1 mozilla_t:tcp_socket rw_socket_perms;
')
@@ -7899,7 +8051,7 @@ index fbb5c5a..aa15d05 100644
##
##
##
-@@ -279,28 +339,48 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -279,28 +345,48 @@ interface(`mozilla_rw_tcp_sockets',`
##
##
#
@@ -7956,7 +8108,7 @@ index fbb5c5a..aa15d05 100644
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..344f2e4 100644
+index 2e9318b..fc7a18e 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -23,8 +23,9 @@ type mozilla_conf_t;
@@ -8065,7 +8217,7 @@ index 2e9318b..344f2e4 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -296,16 +301,19 @@ optional_policy(`
+@@ -296,25 +301,32 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -8088,8 +8240,11 @@ index 2e9318b..344f2e4 100644
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
can_exec(mozilla_plugin_t, mozilla_home_t)
- read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-@@ -313,8 +321,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+-read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
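Review bot: The three `manage_*_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)` rules are added among the `mozilla_plugin_t` rules, under the `# mozilla_plugin local policy` header seen in the preceding hunk, while the other `mozilla_plugin_config_t` rules live further down. A later hunk removes the single `manage_files_pattern` from that lower section. The grant also widens from files to directories and symlinks, and `can_exec(mozilla_plugin_t, mozilla_home_t)` directly above means the plugin domain can execute what the config domain writes under that type. I would move the rules back to the config section and add a comment saying why directory and symlink management is needed, for example `# plugin-config creates directories and links in the mozilla home dir` if that is the reason.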
@@ -8102,7 +8257,7 @@ index 2e9318b..344f2e4 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,6 +332,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,6 +334,10 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -8113,7 +8268,7 @@ index 2e9318b..344f2e4 100644
can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_kernel_sysctls(mozilla_plugin_t)
-@@ -332,11 +346,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -332,11 +348,9 @@ kernel_request_load_module(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -8127,7 +8282,7 @@ index 2e9318b..344f2e4 100644
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +356,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +358,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
@@ -8139,7 +8294,7 @@ index 2e9318b..344f2e4 100644
dev_read_rand(mozilla_plugin_t)
dev_read_urand(mozilla_plugin_t)
-@@ -385,33 +402,30 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,33 +404,30 @@ term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -8184,7 +8339,7 @@ index 2e9318b..344f2e4 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -425,7 +439,13 @@ optional_policy(`
+@@ -425,7 +441,13 @@ optional_policy(`
')
optional_policy(`
@@ -8198,7 +8353,7 @@ index 2e9318b..344f2e4 100644
')
optional_policy(`
-@@ -438,18 +458,89 @@ optional_policy(`
+@@ -438,18 +460,88 @@ optional_policy(`
')
optional_policy(`
@@ -8245,8 +8400,6 @@ index 2e9318b..344f2e4 100644
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
-+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
@@ -8286,6 +8439,7 @@ index 2e9318b..344f2e4 100644
+userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
+userdom_read_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
++userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
+
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
+
@@ -8583,10 +8737,10 @@ index 0000000..8d7c751
+')
diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
new file mode 100644
-index 0000000..a337d62
+index 0000000..5ddf179
--- /dev/null
+++ b/policy/modules/apps/namespace.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,44 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -8618,6 +8772,8 @@ index 0000000..a337d62
+files_read_etc_files(namespace_init_t)
+files_polyinstantiate_all(namespace_init_t)
+
++mcs_file_write_all(namespace_init_t)
++
+auth_use_nsswitch(namespace_init_t)
+
+miscfiles_read_localization(namespace_init_t)
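Review bot: `mcs_file_write_all(namespace_init_t)` exempts the domain from MCS write separation on files, and it is added without a comment saying why. Together with `files_polyinstantiate_all` just above, the domain can then write into polyinstantiated directories at any category, so the reason should be recorded next to the rule. Suggested comment: `# namespace.init writes into polyinstantiated dirs that carry the user's MCS categories`, adjusted to the actual denial that motivated the change.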
@@ -11461,7 +11617,7 @@ index 3cfb128..d49274d 100644
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..7942965 100644
+index 2533ea0..a36ed88 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -26,12 +26,18 @@ attribute telepathy_executable;
@@ -11565,7 +11721,7 @@ index 2533ea0..7942965 100644
')
#######################################
-@@ -176,6 +190,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +190,13 @@ tunable_policy(`use_samba_home_dirs',`
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@@ -11575,10 +11731,11 @@ index 2533ea0..7942965 100644
+manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
+gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
++gnome_manage_home_config(telepathy_mission_control_t)
dev_read_rand(telepathy_mission_control_t)
-@@ -184,14 +204,26 @@ fs_getattr_all_fs(telepathy_mission_control_t)
+@@ -184,14 +205,26 @@ fs_getattr_all_fs(telepathy_mission_control_t)
files_read_etc_files(telepathy_mission_control_t)
files_read_usr_files(telepathy_mission_control_t)
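Review bot: `gnome_manage_home_config(telepathy_mission_control_t)` looks much broader than the rules around it, which confine mission-control to its own `telepathy_mission_control_home_t` and `telepathy_mission_control_data_home_t` types. Going by the interface name, it grants management of everything labeled `config_home_t`, which would include other applications' configuration; its definition is not in this part of the patch, so that needs confirming. If mission-control only needs its own subdirectory, a file transition to a telepathy-specific type, like the `gnome_data_filetrans` line just above, would keep the access scoped.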
@@ -11611,7 +11768,7 @@ index 2533ea0..7942965 100644
')
#######################################
-@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +238,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -11623,7 +11780,7 @@ index 2533ea0..7942965 100644
corenet_all_recvfrom_netlabel(telepathy_msn_t)
corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -228,6 +263,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
+@@ -228,6 +264,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
files_read_etc_files(telepathy_msn_t)
files_read_usr_files(telepathy_msn_t)
@@ -11632,7 +11789,7 @@ index 2533ea0..7942965 100644
libs_exec_ldconfig(telepathy_msn_t)
logging_send_syslog_msg(telepathy_msn_t)
-@@ -246,6 +283,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +284,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
')
optional_policy(`
@@ -11643,7 +11800,7 @@ index 2533ea0..7942965 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -361,14 +402,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,14 +403,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
allow telepathy_domain self:tcp_socket create_socket_perms;
allow telepathy_domain self:udp_socket create_socket_perms;
@@ -11662,7 +11819,7 @@ index 2533ea0..7942965 100644
miscfiles_read_localization(telepathy_domain)
optional_policy(`
-@@ -376,5 +419,23 @@ optional_policy(`
+@@ -376,5 +420,23 @@ optional_policy(`
')
optional_policy(`
@@ -12569,9 +12726,18 @@ index 223ad43..d95e720 100644
rsync_exec(yam_t)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..c82360e 100644
+index 3fae11a..5d00aa0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
+@@ -1,7 +1,7 @@
+ #
+ # /bin
+ #
+-/bin -d gen_context(system_u:object_r:bin_t,s0)
++/bin gen_context(system_u:object_r:bin_t,s0)
+ /bin/.* gen_context(system_u:object_r:bin_t,s0)
+ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
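Review bot: Dropping `-d` from the `/bin` entry makes it match an object of any class at that path, not only a directory, and nothing in the file says why. The `/sbin` entry in the `@@ -152,7 +146,7 @@` hunk further down gets the same change. Presumably this is so that a `/bin` symlink into `/usr` is labelled `bin_t` as well, which fits the `/usr/bin` and `/usr/lib/udev` entries added elsewhere in this commit. A comment above the entry, such as `# no file-type flag: /bin may be a symlink to /usr/bin`, would keep a later cleanup from restoring `-d` and leaving the symlink with a default label.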
@@ -12581,7 +12747,7 @@ index 3fae11a..c82360e 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +128,15 @@ ifdef(`distro_debian',`
+@@ -130,18 +128,14 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -12591,7 +12757,7 @@ index 3fae11a..c82360e 100644
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
+-
-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib64/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
-
@@ -12602,7 +12768,16 @@ index 3fae11a..c82360e 100644
/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +163,7 @@ ifdef(`distro_gentoo',`
+@@ -152,7 +146,7 @@ ifdef(`distro_gentoo',`
+ #
+ # /sbin
+ #
+-/sbin -d gen_context(system_u:object_r:bin_t,s0)
++/sbin gen_context(system_u:object_r:bin_t,s0)
+ /sbin/.* gen_context(system_u:object_r:bin_t,s0)
+ /sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
+ /sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
+@@ -168,6 +162,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -12610,7 +12785,7 @@ index 3fae11a..c82360e 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -179,6 +175,8 @@ ifdef(`distro_gentoo',`
+@@ -179,67 +174,90 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -12619,7 +12794,34 @@ index 3fae11a..c82360e 100644
#
# /usr
#
-@@ -198,48 +196,51 @@ ifdef(`distro_gentoo',`
++/usr/bin -d gen_context(system_u:object_r:bin_t,s0)
+ /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/.* gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
+-/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+-/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
+
+ /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
++/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/wicd/monitor\.py -- gen_context(system_u:object_r:bin_t, s0)
@@ -12666,7 +12868,7 @@ index 3fae11a..c82360e 100644
-
-/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/chromium-browser(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ConsoleKit/run-session\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
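Review bot: Replacing the single `/usr/lib/chromium-browser/chrome --` entry with `/usr/lib/chromium-browser(/.*)?` labels every object under that directory `bin_t`. That includes shared libraries, data files and any helper binaries not matched by a more specific entry. If the policy defines dedicated types for Chromium helpers elsewhere (not visible here), confirm that their file-context entries still win over this broader pattern. If the aim was only to cover additional executables, listing them individually with `--` would keep non-executable content out of `bin_t`.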
@@ -12687,10 +12889,12 @@ index 3fae11a..c82360e 100644
+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/yaboot/addnote -- gen_context(system_u:object_r:bin_t,s0)
@@ -12698,6 +12902,10 @@ index 3fae11a..c82360e 100644
+/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/devices/MAKEDEV -l gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
@@ -12713,7 +12921,7 @@ index 3fae11a..c82360e 100644
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,9 +248,13 @@ ifdef(`distro_gentoo',`
+@@ -247,11 +265,18 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -12727,8 +12935,13 @@ index 3fae11a..c82360e 100644
+/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
++/usr/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
++/usr/sbin/nologin -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +272,10 @@ ifdef(`distro_gentoo',`
+ /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -267,6 +292,10 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -12739,7 +12952,7 @@ index 3fae11a..c82360e 100644
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +295,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +315,19 @@ ifdef(`distro_gentoo',`
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
@@ -12760,7 +12973,7 @@ index 3fae11a..c82360e 100644
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +319,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +339,11 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -12774,7 +12987,7 @@ index 3fae11a..c82360e 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +333,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +353,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -12786,7 +12999,7 @@ index 3fae11a..c82360e 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +379,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +399,7 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -12795,7 +13008,7 @@ index 3fae11a..c82360e 100644
/usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
')
-@@ -375,8 +391,8 @@ ifdef(`distro_suse', `
+@@ -375,8 +411,8 @@ ifdef(`distro_suse', `
/var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -12806,7 +13019,7 @@ index 3fae11a..c82360e 100644
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +401,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +421,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -12890,6 +13103,17 @@ index 9e9263a..650e796 100644
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
+diff --git a/policy/modules/kernel/corenetwork.fc b/policy/modules/kernel/corenetwork.fc
+index f9b25c1..9af1f7a 100644
+--- a/policy/modules/kernel/corenetwork.fc
++++ b/policy/modules/kernel/corenetwork.fc
+@@ -8,3 +8,6 @@
+
+ /lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+ /lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
++
++/usr/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
++/usr/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 4f3b542..f4e36ee 100644
--- a/policy/modules/kernel/corenetwork.if.in
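Review bot: The two `/usr/lib/udev/devices` entries added to corenetwork.fc are hand-copied from the `/lib/udev/devices` lines directly above them, and the same copying is repeated in the devices.fc, filesystem.fc, storage.fc and terminal.fc hunks further down. Two lists that must stay identical tend to drift. A node under `/usr/lib/udev/devices` that misses its specific entry would presumably fall back to the generic `device_t` label from `/usr/lib/udev/devices(/.*)?` in devices.fc. If the libselinux in use supports path-equivalence rules, one `/lib` to `/usr/lib` substitution would replace all of these copies. Otherwise a comment such as `# keep in sync with the /lib/udev/devices entries above` on each copied group would at least record the coupling.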
@@ -14494,10 +14718,10 @@ index 35fed4f..51ad69a 100644
#
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..b48524e 100644
+index 6cf8784..26c13f2 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
-@@ -15,11 +15,13 @@
+@@ -15,12 +15,14 @@
/dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
@@ -14507,10 +14731,12 @@ index 6cf8784..b48524e 100644
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+-/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
- /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dmfm.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
@@ -57,8 +59,10 @@
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -14546,7 +14772,7 @@ index 6cf8784..b48524e 100644
ifdef(`distro_redhat',`
# originally from named.fc
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +200,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +200,13 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@@ -14555,6 +14781,11 @@ index 6cf8784..b48524e 100644
+# /sys
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
++
++/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
++/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
++/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
++/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f820f3b..cc3f02e 100644
--- a/policy/modules/kernel/devices.if
@@ -16514,7 +16745,7 @@ index fae1ab1..facd6a8 100644
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+dontaudit domain self:capability sys_ptrace;
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c19518a..12e8e9c 100644
+index c19518a..04ef731 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -16591,7 +16822,15 @@ index c19518a..12e8e9c 100644
#
# /run
#
-@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.* <>
+@@ -206,6 +222,7 @@ HOME_ROOT/lost\+found/.* <>
+
+ /usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /usr/lost\+found/.* <>
++/usr/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+
+ /usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
+
+@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.* <>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
@@ -16599,7 +16838,7 @@ index c19518a..12e8e9c 100644
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
-@@ -230,17 +245,20 @@ ifndef(`distro_redhat',`
+@@ -230,17 +246,20 @@ ifndef(`distro_redhat',`
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
@@ -16621,7 +16860,7 @@ index c19518a..12e8e9c 100644
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <>
-@@ -257,3 +275,5 @@ ifndef(`distro_redhat',`
+@@ -257,3 +276,5 @@ ifndef(`distro_redhat',`
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
@@ -18535,6 +18774,19 @@ index 22821ff..4486d80 100644
########################################
#
+diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
+index cda5588..e89e4bf 100644
+--- a/policy/modules/kernel/filesystem.fc
++++ b/policy/modules/kernel/filesystem.fc
+@@ -14,3 +14,8 @@
+ # for systemd systems:
+ /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /sys/fs/cgroup/.* <>
++
++/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
++/usr/lib/udev/devices/hugepages/.* <>
++/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
++/usr/lib/udev/devices/shm/.* <>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 97fcdac..6342520 100644
--- a/policy/modules/kernel/filesystem.if
@@ -20069,7 +20321,7 @@ index d70e0b3..99ff2ac 100644
')
}
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
-index 57c4a6a..5e2a7de 100644
+index 57c4a6a..9b4bc77 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -28,7 +28,7 @@
@@ -20081,6 +20333,13 @@ index 57c4a6a..5e2a7de 100644
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+@@ -81,3 +81,6 @@ ifdef(`distro_redhat', `
+
+ /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
++
++/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 1700ef2..850d168 100644
--- a/policy/modules/kernel/storage.if
@@ -20472,7 +20731,7 @@ index 1700ef2..850d168 100644
+ dev_filetrans($1, removable_device_t, chr_file, "rio500")
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..eeb5889 100644
+index 7d45d15..22c9cfe 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
@@ -14,11 +14,12 @@
@@ -20485,16 +20744,18 @@ index 7d45d15..eeb5889 100644
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
-+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
++/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +42,5 @@ ifdef(`distro_gentoo',`
+@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
++
++/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 01dd2f1..7a8e118 100644
--- a/policy/modules/kernel/terminal.if
@@ -21315,7 +21576,7 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..de3c13e 100644
+index 2be17d2..8ea3385 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -21332,21 +21593,21 @@ index 2be17d2..de3c13e 100644
# Local policy
#
-+kernel_read_ring_buffer(staff_usertype)
-+kernel_getattr_core_if(staff_usertype)
-+kernel_getattr_message_if(staff_usertype)
-+kernel_read_software_raid_state(staff_usertype)
-+kernel_read_fs_sysctls(staff_usertype)
++kernel_read_ring_buffer(staff_t)
++kernel_getattr_core_if(staff_t)
++kernel_getattr_message_if(staff_t)
++kernel_read_software_raid_state(staff_t)
++kernel_read_fs_sysctls(staff_t)
+
-+fs_read_hugetlbfs_files(staff_usertype)
++fs_read_hugetlbfs_files(staff_t)
+
-+dev_read_cpuid(staff_usertype)
++dev_read_cpuid(staff_t)
+
-+domain_read_all_domains_state(staff_usertype)
-+domain_getattr_all_domains(staff_usertype)
++domain_read_all_domains_state(staff_t)
++domain_getattr_all_domains(staff_t)
+domain_obj_id_change_exemption(staff_t)
+
-+files_read_kernel_modules(staff_usertype)
++files_read_kernel_modules(staff_t)
+
+seutil_read_module_store(staff_t)
+seutil_run_newrole(staff_t, staff_r)
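Review bot: Every changed rule in this hunk is retargeted from the attribute `staff_usertype` to the single type `staff_t`, which changes which domains receive the permission, not just the spelling. The same substitution recurs in the remaining staff.te hunks and in unconfineduser.te, unprivuser.te and xguest.te. Any other type that was assigned a `*_usertype` attribute (membership is not visible here) silently loses these rules. The narrowing is in the least-privilege direction, but it should be stated in the policy, e.g. `# applies to staff_t only; derived user types must request these rules explicitly`. The affected derived domains should also be checked for new AVC denials before this ships.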
@@ -21354,14 +21615,14 @@ index 2be17d2..de3c13e 100644
+storage_read_scsi_generic(staff_t)
+storage_write_scsi_generic(staff_t)
+
-+term_use_unallocated_ttys(staff_usertype)
++term_use_unallocated_ttys(staff_t)
+
+auth_domtrans_pam_console(staff_t)
+
+init_dbus_chat(staff_t)
+init_dbus_chat_script(staff_t)
+
-+miscfiles_read_hwdata(staff_usertype)
++miscfiles_read_hwdata(staff_t)
+
+ifndef(`enable_mls',`
+ selinux_read_policy(staff_t)
@@ -21391,7 +21652,7 @@ index 2be17d2..de3c13e 100644
+')
+
+optional_policy(`
-+ chrome_role(staff_r, staff_usertype)
++ chrome_role(staff_r, staff_t)
+')
+
+optional_policy(`
@@ -21431,12 +21692,12 @@ index 2be17d2..de3c13e 100644
+')
+
+optional_policy(`
-+ mozilla_run_plugin(staff_usertype, staff_r)
++ mozilla_run_plugin(staff_t, staff_r)
+')
+
+optional_policy(`
-+ modutils_read_module_config(staff_usertype)
-+ modutils_read_module_deps(staff_usertype)
++ modutils_read_module_config(staff_t)
++ modutils_read_module_deps(staff_t)
+')
+
+optional_policy(`
@@ -21474,7 +21735,7 @@ index 2be17d2..de3c13e 100644
+')
+
+optional_policy(`
-+ rpm_dbus_chat(staff_usertype)
++ rpm_dbus_chat(staff_t)
+')
+
+optional_policy(`
@@ -21514,7 +21775,7 @@ index 2be17d2..de3c13e 100644
+#')
+
+optional_policy(`
-+ userhelper_console_role_template(staff, staff_r, staff_usertype)
++ userhelper_console_role_template(staff, staff_r, staff_t)
+')
+
+optional_policy(`
@@ -21592,7 +21853,7 @@ index 2be17d2..de3c13e 100644
')
+
+tunable_policy(`allow_execmod',`
-+ userdom_execmod_user_home_files(staff_usertype)
++ userdom_execmod_user_home_files(staff_t)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e14b961..37bdf8d 100644
@@ -22705,7 +22966,7 @@ index 0000000..bac0dc0
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..35524d6
+index 0000000..90af157
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
@@ -0,0 +1,379 @@
@@ -22752,7 +23013,7 @@ index 0000000..35524d6
+userdom_manage_home_role(unconfined_r, unconfined_t)
+userdom_manage_tmp_role(unconfined_r, unconfined_t)
+userdom_manage_tmpfs_role(unconfined_r, unconfined_t)
-+userdom_unpriv_usertype(unconfined, unconfined_t)
++userdom_unpriv_type(unconfined_r, unconfined_t)
+
+type unconfined_exec_t;
+init_system_domain(unconfined_t, unconfined_exec_t)
@@ -22817,7 +23078,7 @@ index 0000000..35524d6
+')
+
+tunable_policy(`allow_execmod',`
-+ userdom_execmod_user_home_files(unconfined_usertype)
++ userdom_execmod_user_home_files(unconfined_t)
+')
+
+tunable_policy(`unconfined_login',`
@@ -22829,55 +23090,55 @@ index 0000000..35524d6
+
+optional_policy(`
+ gen_require(`
-+ attribute unconfined_usertype;
++ type unconfined_t;
+ ')
+
+ optional_policy(`
-+ abrt_dbus_chat(unconfined_usertype)
-+ abrt_run_helper(unconfined_usertype, unconfined_r)
++ abrt_dbus_chat(unconfined_t)
++ abrt_run_helper(unconfined_t, unconfined_r)
+ ')
+
+ optional_policy(`
-+ avahi_dbus_chat(unconfined_usertype)
++ avahi_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ blueman_dbus_chat(unconfined_usertype)
++ blueman_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ certmonger_dbus_chat(unconfined_usertype)
++ certmonger_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ devicekit_dbus_chat(unconfined_usertype)
-+ devicekit_dbus_chat_disk(unconfined_usertype)
-+ devicekit_dbus_chat_power(unconfined_usertype)
++ devicekit_dbus_chat(unconfined_t)
++ devicekit_dbus_chat_disk(unconfined_t)
++ devicekit_dbus_chat_power(unconfined_t)
+ ')
+
+ optional_policy(`
-+ hal_dbus_chat(unconfined_usertype)
++ hal_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ networkmanager_dbus_chat(unconfined_usertype)
++ networkmanager_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ policykit_role(unconfined_r, unconfined_usertype)
++ policykit_role(unconfined_r, unconfined_t)
+ ')
+
+ optional_policy(`
-+ rtkit_scheduled(unconfined_usertype)
++ rtkit_scheduled(unconfined_t)
+ ')
+
+ optional_policy(`
-+ setroubleshoot_dbus_chat(unconfined_usertype)
++ setroubleshoot_dbus_chat(unconfined_t)
+ setroubleshoot_dbus_chat_fixit(unconfined_t)
+ ')
+
+ optional_policy(`
-+ sandbox_transition(unconfined_usertype, unconfined_r)
++ sandbox_transition(unconfined_t, unconfined_r)
+ ')
+
+ optional_policy(`
@@ -22889,9 +23150,9 @@ index 0000000..35524d6
+ type user_tmpfs_t;
+ ')
+
-+ xserver_rw_session(unconfined_usertype, user_tmpfs_t)
-+ xserver_run_xauth(unconfined_usertype, unconfined_r)
-+ xserver_dbus_chat_xdm(unconfined_usertype)
++ xserver_rw_session(unconfined_t, user_tmpfs_t)
++ xserver_run_xauth(unconfined_t, unconfined_r)
++ xserver_dbus_chat_xdm(unconfined_t)
+ ')
+')
+
@@ -22913,10 +23174,10 @@ index 0000000..35524d6
+')
+
+optional_policy(`
-+ chrome_role_notrans(unconfined_r, unconfined_usertype)
++ chrome_role_notrans(unconfined_r, unconfined_t)
+
+ tunable_policy(`unconfined_chrome_sandbox_transition',`
-+ chrome_domtrans_sandbox(unconfined_usertype)
++ chrome_domtrans_sandbox(unconfined_t)
+ ')
+')
+
@@ -22931,39 +23192,39 @@ index 0000000..35524d6
+ ')
+ ')
+
-+ init_dbus_chat(unconfined_usertype)
-+ init_dbus_chat_script(unconfined_usertype)
++ init_dbus_chat(unconfined_t)
++ init_dbus_chat_script(unconfined_t)
+
+ dbus_stub(unconfined_t)
+
+ optional_policy(`
-+ bluetooth_dbus_chat(unconfined_usertype)
++ bluetooth_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ consolekit_dbus_chat(unconfined_usertype)
++ consolekit_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ cups_dbus_chat_config(unconfined_usertype)
++ cups_dbus_chat_config(unconfined_t)
+ ')
+
+ optional_policy(`
-+ fprintd_dbus_chat(unconfined_usertype)
++ fprintd_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ gnomeclock_dbus_chat(unconfined_usertype)
-+ gnome_dbus_chat_gconfdefault(unconfined_usertype)
++ gnomeclock_dbus_chat(unconfined_t)
++ gnome_dbus_chat_gconfdefault(unconfined_t)
+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
+ ')
+
+ optional_policy(`
-+ ipsec_mgmt_dbus_chat(unconfined_usertype)
++ ipsec_mgmt_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ kerneloops_dbus_chat(unconfined_usertype)
++ kerneloops_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
@@ -22971,16 +23232,16 @@ index 0000000..35524d6
+ ')
+
+ optional_policy(`
-+ oddjob_dbus_chat(unconfined_usertype)
++ oddjob_dbus_chat(unconfined_t)
+ ')
+
+ optional_policy(`
-+ vpn_dbus_chat(unconfined_usertype)
++ vpn_dbus_chat(unconfined_t)
+ ')
+')
+
+optional_policy(`
-+ firewallgui_dbus_chat(unconfined_usertype)
++ firewallgui_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
@@ -23019,7 +23280,7 @@ index 0000000..35524d6
+ mozilla_role_plugin(unconfined_r)
+
+ tunable_policy(`unconfined_mozilla_plugin_transition', `
-+ mozilla_domtrans_plugin(unconfined_usertype)
++ mozilla_domtrans_plugin(unconfined_t)
+ ')
+')
+
@@ -23089,7 +23350,7 @@ index 0000000..35524d6
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..454e627 100644
+index e5bfdd4..77967bd 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,101 @@ role user_r;
@@ -23097,13 +23358,13 @@ index e5bfdd4..454e627 100644
userdom_unpriv_user_template(user)
+fs_exec_noxattr(user_t)
-+fs_read_hugetlbfs_files(user_usertype)
++fs_read_hugetlbfs_files(user_t)
+
+storage_read_scsi_generic(user_t)
+storage_write_scsi_generic(user_t)
+
+tunable_policy(`allow_execmod',`
-+ userdom_execmod_user_home_files(user_usertype)
++ userdom_execmod_user_home_files(user_t)
+')
+
+optional_policy(`
@@ -23123,7 +23384,7 @@ index e5bfdd4..454e627 100644
+')
+
+optional_policy(`
-+ chrome_role(user_r, user_usertype)
++ chrome_role(user_r, user_t)
+')
+
+optional_policy(`
@@ -23140,7 +23401,7 @@ index e5bfdd4..454e627 100644
+')
+
+optional_policy(`
-+ mozilla_run_plugin(user_usertype, user_r)
++ mozilla_run_plugin(user_t, user_r)
+')
+
+optional_policy(`
@@ -23266,7 +23527,7 @@ index 0ecc786..3e7e984 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..0258e24 100644
+index e88b95f..9b6536a 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -23347,7 +23608,7 @@ index e88b95f..0258e24 100644
+
+
+optional_policy(`
-+ chrome_role(xguest_r, xguest_usertype)
++ chrome_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
@@ -23369,12 +23630,12 @@ index e88b95f..0258e24 100644
+')
+
+optional_policy(`
-+ mozilla_run_plugin(xguest_usertype, xguest_r)
++ mozilla_run_plugin(xguest_t, xguest_r)
+')
+
+optional_policy(`
-+ pcscd_read_pub_files(xguest_usertype)
-+ pcscd_stream_connect(xguest_usertype)
++ pcscd_read_pub_files(xguest_t)
++ pcscd_stream_connect(xguest_t)
+')
+
+optional_policy(`
@@ -23383,44 +23644,42 @@ index e88b95f..0258e24 100644
optional_policy(`
tunable_policy(`xguest_connect_network',`
-+ kernel_read_network_state(xguest_usertype)
++ kernel_read_network_state(xguest_t)
+
networkmanager_dbus_chat(xguest_t)
-- corenet_tcp_connect_pulseaudio_port(xguest_t)
-- corenet_tcp_connect_ipp_port(xguest_t)
+ networkmanager_read_lib_files(xguest_t)
-+ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
-+ corenet_all_recvfrom_unlabeled(xguest_usertype)
-+ corenet_all_recvfrom_netlabel(xguest_usertype)
-+ corenet_tcp_sendrecv_generic_if(xguest_usertype)
-+ corenet_raw_sendrecv_generic_if(xguest_usertype)
-+ corenet_tcp_sendrecv_generic_node(xguest_usertype)
-+ corenet_raw_sendrecv_generic_node(xguest_usertype)
-+ corenet_tcp_sendrecv_http_port(xguest_usertype)
-+ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
-+ corenet_tcp_sendrecv_squid_port(xguest_usertype)
-+ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
-+ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
-+ corenet_tcp_connect_http_port(xguest_usertype)
-+ corenet_tcp_connect_http_cache_port(xguest_usertype)
-+ corenet_tcp_connect_squid_port(xguest_usertype)
-+ corenet_tcp_connect_flash_port(xguest_usertype)
-+ corenet_tcp_connect_ftp_port(xguest_usertype)
-+ corenet_tcp_connect_ipp_port(xguest_usertype)
-+ corenet_tcp_connect_generic_port(xguest_usertype)
-+ corenet_tcp_connect_soundd_port(xguest_usertype)
-+ corenet_sendrecv_http_client_packets(xguest_usertype)
-+ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
-+ corenet_sendrecv_squid_client_packets(xguest_usertype)
-+ corenet_sendrecv_ftp_client_packets(xguest_usertype)
-+ corenet_sendrecv_ipp_client_packets(xguest_usertype)
-+ corenet_sendrecv_generic_client_packets(xguest_usertype)
+ corenet_tcp_connect_pulseaudio_port(xguest_t)
++ corenet_all_recvfrom_unlabeled(xguest_t)
++ corenet_all_recvfrom_netlabel(xguest_t)
++ corenet_tcp_sendrecv_generic_if(xguest_t)
++ corenet_raw_sendrecv_generic_if(xguest_t)
++ corenet_tcp_sendrecv_generic_node(xguest_t)
++ corenet_raw_sendrecv_generic_node(xguest_t)
++ corenet_tcp_sendrecv_http_port(xguest_t)
++ corenet_tcp_sendrecv_http_cache_port(xguest_t)
++ corenet_tcp_sendrecv_squid_port(xguest_t)
++ corenet_tcp_sendrecv_ftp_port(xguest_t)
++ corenet_tcp_sendrecv_ipp_port(xguest_t)
++ corenet_tcp_connect_http_port(xguest_t)
++ corenet_tcp_connect_http_cache_port(xguest_t)
++ corenet_tcp_connect_squid_port(xguest_t)
++ corenet_tcp_connect_flash_port(xguest_t)
++ corenet_tcp_connect_ftp_port(xguest_t)
+ corenet_tcp_connect_ipp_port(xguest_t)
++ corenet_tcp_connect_generic_port(xguest_t)
++ corenet_tcp_connect_soundd_port(xguest_t)
++ corenet_sendrecv_http_client_packets(xguest_t)
++ corenet_sendrecv_http_cache_client_packets(xguest_t)
++ corenet_sendrecv_squid_client_packets(xguest_t)
++ corenet_sendrecv_ftp_client_packets(xguest_t)
++ corenet_sendrecv_ipp_client_packets(xguest_t)
++ corenet_sendrecv_generic_client_packets(xguest_t)
+ # Should not need other ports
-+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
-+ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
-+ corenet_tcp_connect_speech_port(xguest_usertype)
-+ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
-+ corenet_tcp_connect_transproxy_port(xguest_usertype)
++ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
++ corenet_dontaudit_tcp_bind_generic_port(xguest_t)
++ corenet_tcp_connect_speech_port(xguest_t)
++ corenet_tcp_sendrecv_transproxy_port(xguest_t)
++ corenet_tcp_connect_transproxy_port(xguest_t)
')
+
+ #optional_policy(`
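Review bot: `corenet_tcp_connect_generic_port(xguest_t)` inside the `xguest_connect_network` block contradicts the `# Should not need other ports` comment a few lines below it. Generic ports are the ones with no specific port type, so this single rule lets the guest account open TCP connections to any otherwise unlabeled port. That is well beyond the http/ftp/ipp/squid list that the rest of the block enumerates. The adjacent `corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)` also suppresses the denials that would show whether the access is actually used. I would drop the connect rule, or keep it with a comment naming the application that needs it, e.g. `# needed by <application>: connects to unreserved port <N>`.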
@@ -23717,7 +23976,7 @@ index 0b827c5..d83d4dc 100644
+ dontaudit $1 abrt_t:sock_file write;
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..a1cbdb4 100644
+index 30861ec..e203cd3 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -23837,15 +24096,16 @@ index 30861ec..a1cbdb4 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +154,8 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
++dev_getattr_all_blk_files(abrt_t)
+dev_read_rand(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -23855,7 +24115,7 @@ index 30861ec..a1cbdb4 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -23864,7 +24124,7 @@ index 30861ec..a1cbdb4 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,22 +185,26 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +186,26 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -23897,7 +24157,7 @@ index 30861ec..a1cbdb4 100644
')
optional_policy(`
-@@ -167,6 +225,7 @@ optional_policy(`
+@@ -167,6 +226,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -23905,7 +24165,7 @@ index 30861ec..a1cbdb4 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +237,35 @@ optional_policy(`
+@@ -178,12 +238,35 @@ optional_policy(`
')
optional_policy(`
@@ -23942,7 +24202,7 @@ index 30861ec..a1cbdb4 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,23 +282,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +283,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
@@ -23971,7 +24231,7 @@ index 30861ec..a1cbdb4 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +305,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +306,128 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -24637,7 +24897,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..a9959fa 100644
+index 9e39aa5..c738795 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,13 +1,18 @@
@@ -24660,17 +24920,19 @@ index 9e39aa5..a9959fa 100644
/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
-@@ -16,6 +21,9 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -16,6 +21,11 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
++
++/usr/lib/systemd/system/httpd.?\.service -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
+
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -24,16 +32,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -24,16 +34,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -24695,7 +24957,7 @@ index 9e39aa5..a9959fa 100644
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
-@@ -43,8 +52,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +54,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -24707,7 +24969,7 @@ index 9e39aa5..a9959fa 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +64,11 @@ ifdef(`distro_suse', `
+@@ -54,9 +66,11 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -24719,7 +24981,7 @@ index 9e39aa5..a9959fa 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,20 +85,25 @@ ifdef(`distro_suse', `
+@@ -73,20 +87,26 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -24744,14 +25006,15 @@ index 9e39aa5..a9959fa 100644
/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/log/suphp\.log -- gen_context(system_u:object_r:httpd_log_t,s0)
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +122,27 @@ ifdef(`distro_debian', `
+@@ -104,8 +124,26 @@ ifdef(`distro_debian', `
+ /var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
- /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/html(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
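Review bot: The new inner hunk removes `/var/www(/.*)?/logs(/.*)?` with `httpd_log_t` and no longer adds the `/var/www/html(/.*)?/logs(/.*)?` entry, so any `logs` directory under /var/www now falls through to the `/var/www(/.*)?` rule and is labelled `httpd_sys_content_t`. Hosts that keep per-vhost logs there will change label on the next relabel, and httpd would presumably lose append access to them. The rest of the 26-line inner hunk is outside this outer hunk, so a replacement entry may exist further down; if not, the change deserves a line in the changelog. A comment next to the `/var/www(/.*)?` entry would also help, e.g. `# per-vhost log dirs are no longer labelled httpd_log_t; add a local fcontext rule if needed`.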
@@ -27155,15 +27418,17 @@ index a7a0e71..5352ef6 100644
')
diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
-index 59aa54f..f944a65 100644
+index 59aa54f..159f74f 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
-@@ -5,6 +5,8 @@
+@@ -5,6 +5,10 @@
/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
+/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
+
++/usr/lib/systemd/system/named.service -- gen_context(system_u:object_r:named_unit_file_t,s0)
++
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
@@ -27766,7 +28031,7 @@ index 3e45431..a726c09 100644
admin_pattern($1, bluetooth_var_lib_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
-index 215b86b..619518f 100644
+index 215b86b..2bb14b2 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.3.0)
@@ -27784,19 +28049,7 @@ index 215b86b..619518f 100644
type bluetooth_conf_rw_t;
files_type(bluetooth_conf_rw_t)
-@@ -99,6 +100,11 @@ kernel_request_load_module(bluetooth_t)
- #search debugfs - redhat bug 548206
- kernel_search_debugfs(bluetooth_t)
-
-+ifdef(`hide_broken_symptoms', `
-+ kernel_rw_unlabeled_socket(bluetooth_t)
-+ dev_rw_generic_chr_files(bluetooth_t)
-+')
-+
- corenet_all_recvfrom_unlabeled(bluetooth_t)
- corenet_all_recvfrom_netlabel(bluetooth_t)
- corenet_tcp_sendrecv_generic_if(bluetooth_t)
-@@ -147,6 +153,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+@@ -147,6 +148,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
@@ -27807,7 +28060,7 @@ index 215b86b..619518f 100644
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
-@@ -190,7 +200,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
+@@ -190,7 +195,6 @@ allow bluetooth_helper_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
@@ -27815,7 +28068,7 @@ index 215b86b..619518f 100644
allow bluetooth_helper_t bluetooth_t:socket { read write };
-@@ -220,6 +229,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
+@@ -220,6 +224,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
@@ -27824,7 +28077,7 @@ index 215b86b..619518f 100644
locallogin_dontaudit_use_fds(bluetooth_helper_t)
logging_send_syslog_msg(bluetooth_helper_t)
-@@ -236,9 +247,5 @@ optional_policy(`
+@@ -236,9 +242,5 @@ optional_policy(`
')
optional_policy(`
@@ -28257,10 +28510,10 @@ index 048abbf..7368f57 100644
sysnet_read_config(httpd_bugzilla_script_t)
diff --git a/policy/modules/services/cachefilesd.fc b/policy/modules/services/cachefilesd.fc
new file mode 100644
-index 0000000..24d9837
+index 0000000..a561ce0
--- /dev/null
+++ b/policy/modules/services/cachefilesd.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,34 @@
+###############################################################################
+#
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
@@ -28284,10 +28537,15 @@ index 0000000..24d9837
+# MLS sensitivity: s0
+# MCS categories:
+
-+/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
++
++/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++
++/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++
++/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
++
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
-+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
+
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)
diff --git a/policy/modules/services/cachefilesd.if b/policy/modules/services/cachefilesd.if
@@ -28992,6 +29250,18 @@ index 1d25efe..1b16191 100644
logging_log_filetrans(canna_t, canna_log_t, { file dir })
manage_dirs_pattern(canna_t, canna_var_lib_t, canna_var_lib_t)
+diff --git a/policy/modules/services/ccs.fc b/policy/modules/services/ccs.fc
+index 8a7177d..bc4f6e7 100644
+--- a/policy/modules/services/ccs.fc
++++ b/policy/modules/services/ccs.fc
+@@ -2,5 +2,7 @@
+
+ /sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
+
++/usr/sbin/ccsd -- gen_context(system_u:object_r:ccs_exec_t,s0)
++
+ /var/run/cluster/ccsd\.pid -- gen_context(system_u:object_r:ccs_var_run_t,s0)
+ /var/run/cluster/ccsd\.sock -s gen_context(system_u:object_r:ccs_var_run_t,s0)
diff --git a/policy/modules/services/ccs.if b/policy/modules/services/ccs.if
index 6ee2cc8..3105b09 100644
--- a/policy/modules/services/ccs.if
@@ -29462,6 +29732,20 @@ index 0000000..1ba0484
+
+sysnet_dns_name_resolve(cfengine_monitord_t)
+sysnet_domtrans_ifconfig(cfengine_monitord_t)
+diff --git a/policy/modules/services/cgroup.fc b/policy/modules/services/cgroup.fc
+index b6bb46c..645d203 100644
+--- a/policy/modules/services/cgroup.fc
++++ b/policy/modules/services/cgroup.fc
+@@ -11,5 +11,9 @@
+ /sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
+ /sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
+
++/usr/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfig_exec_t,s0)
++/usr/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t,s0)
++/usr/sbin/cgclear -- gen_context(system_u:object_r:cgclear_exec_t,s0)
++
+ /var/log/cgrulesengd\.log -- gen_context(system_u:object_r:cgred_log_t,s0)
+ /var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t,s0)
diff --git a/policy/modules/services/cgroup.if b/policy/modules/services/cgroup.if
index 33facaf..225e70c 100644
--- a/policy/modules/services/cgroup.if
@@ -29586,15 +29870,17 @@ index dad226c..084063b 100644
miscfiles_read_localization(cgred_t)
diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc
-index fd8cd0b..45096d8 100644
+index fd8cd0b..c11cd2f 100644
--- a/policy/modules/services/chronyd.fc
+++ b/policy/modules/services/chronyd.fc
-@@ -2,8 +2,12 @@
+@@ -2,8 +2,14 @@
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
+/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
+
++/usr/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
++
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
@@ -31942,6 +32228,18 @@ index 838dec7..59d0f96 100644
miscfiles_read_localization(courier_pop_t)
+diff --git a/policy/modules/services/cpucontrol.fc b/policy/modules/services/cpucontrol.fc
+index 789c8c7..d1723f5 100644
+--- a/policy/modules/services/cpucontrol.fc
++++ b/policy/modules/services/cpucontrol.fc
+@@ -3,6 +3,7 @@
+
+ /sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+
++/usr/sbin/microcode_ctl -- gen_context(system_u:object_r:cpucontrol_exec_t,s0)
+ /usr/sbin/cpufreqd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+ /usr/sbin/cpuspeed -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
+ /usr/sbin/powernowd -- gen_context(system_u:object_r:cpuspeed_exec_t,s0)
diff --git a/policy/modules/services/cpucontrol.te b/policy/modules/services/cpucontrol.te
index 13d2f63..861fad7 100644
--- a/policy/modules/services/cpucontrol.te
@@ -31978,18 +32276,19 @@ index 13d2f63..861fad7 100644
')
diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc
-index 2eefc08..6ea5693 100644
+index 2eefc08..32a4a69 100644
--- a/policy/modules/services/cron.fc
+++ b/policy/modules/services/cron.fc
-@@ -2,6 +2,7 @@
+@@ -2,6 +2,8 @@
/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
++/usr/lib/systemd/system/crond\.service -- gen_context(system_u:object_r:crond_unit_file_t,s0)
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-@@ -14,14 +15,15 @@
+@@ -14,14 +16,15 @@
/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
@@ -32007,7 +32306,7 @@ index 2eefc08..6ea5693 100644
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
/var/spool/cron/[^/]* -- <>
-@@ -45,3 +47,5 @@ ifdef(`distro_suse', `
+@@ -45,3 +48,5 @@ ifdef(`distro_suse', `
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
@@ -33346,10 +33645,18 @@ index 0000000..284fbae
+ sysnet_domtrans_ifconfig(ctdbd_t)
+')
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
-index 1b492ed..c79454d 100644
+index 1b492ed..ac5dae0 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
-@@ -28,11 +28,8 @@
+@@ -20,6 +20,7 @@
+ /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+ /lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
++/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+
+ /opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+
+@@ -28,11 +29,8 @@
# keep as separate lines to ensure proper sorting
/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
@@ -33361,7 +33668,7 @@ index 1b492ed..c79454d 100644
/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -56,6 +53,7 @@
+@@ -56,6 +54,7 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -33369,7 +33676,7 @@ index 1b492ed..c79454d 100644
/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
-@@ -64,10 +62,16 @@
+@@ -64,10 +63,16 @@
/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -33886,14 +34193,16 @@ index a8b93c0..831ce70 100644
type dante_var_run_t;
files_pid_file(dante_var_run_t)
diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc
-index 81eba14..d0ab56c 100644
+index 81eba14..b8cbe47 100644
--- a/policy/modules/services/dbus.fc
+++ b/policy/modules/services/dbus.fc
-@@ -3,7 +3,6 @@
+@@ -3,7 +3,8 @@
/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
++
++/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
@@ -34746,17 +35055,18 @@ index 8ba9425..b10da2c 100644
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
-index 418a5a0..c25fbdc 100644
+index 418a5a0..1041039 100644
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
-@@ -2,13 +2,19 @@
+@@ -1,3 +1,7 @@
++/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++
++/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++
+ /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
- /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-+/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
- /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-
- /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+@@ -8,7 +12,12 @@
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@@ -35303,14 +35613,16 @@ index f231f17..f277ea6 100644
+ xserver_stream_connect(devicekit_power_t)
+')
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
-index 767e0c7..4fbde9d 100644
+index 767e0c7..c8306c2 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
-@@ -1,8 +1,10 @@
+@@ -1,8 +1,12 @@
-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+
+/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
++
++/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
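Review bot: The added `/usr/lib/systemd/system/dhcpcd.*` entry copies the spelling of the `/lib/systemd/system/dhcpcd.*` line above it, but everything else in this file refers to `dhcpd` (the init script `dhcpd(6)?`, `/usr/sbin/dhcpd.*`, and the target type `dhcpd_unit_file_t`). A pattern beginning `dhcpcd` does not match a unit named `dhcpd.service`, so that unit would keep the default unit-file label and rules written against `dhcpd_unit_file_t` would not apply to it. If the server unit is what is meant, both lines should read `dhcpd.*`, e.g. `/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)`.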
@@ -36261,15 +36573,17 @@ index dc1056c..bd60100 100644
+
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
-index b886676..ab3af9c 100644
+index b886676..2b4d0f6 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
-@@ -1,12 +1,14 @@
+@@ -1,12 +1,16 @@
/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0)
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
+/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
+
++/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
++
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
@@ -36923,16 +37237,19 @@ index acf6d4f..47969fe 100644
')
diff --git a/policy/modules/services/drbd.fc b/policy/modules/services/drbd.fc
new file mode 100644
-index 0000000..f96c4f2
+index 0000000..60c19b9
--- /dev/null
+++ b/policy/modules/services/drbd.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,12 @@
+
+/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
+/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
+/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)
+
++/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0)
++/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0)
++
+/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0)
+
+
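Review bot: The escape in `/usr/lib/ocf/resource.\d/linbit/drbd` looks misplaced, and the commit leaves it as is while adding the `/usr/sbin/drbdadm` and `/usr/sbin/drbdsetup` entries beside it. The dot is unescaped and the `d` is escaped, so whether the pattern matches `resource.d` depends on how the regex engine treats `\d`. An engine that reads it as a digit class would not match the directory at all, and the OCF agent would miss `drbd_exec_t`. The line should presumably be `/usr/lib/ocf/resource\.d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0)`.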
@@ -38494,20 +38811,23 @@ index 7df52c7..8512254 100644
+ policykit_dbus_chat_auth(fprintd_t)
')
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
-index 69dcd2a..80eefd3 100644
+index 69dcd2a..030dbb6 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
-@@ -6,6 +6,9 @@
+@@ -6,6 +6,12 @@
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/proftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
+/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
++/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
#
# /usr
#
-@@ -29,3 +32,4 @@
+@@ -29,3 +35,4 @@
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
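Review bot: The two added entries `/usr/lib/systemd/system/vsftpd.*` and `/usr/lib/systemd/system/proftpd.*` label FTP unit files as `iptables_unit_file_t`, repeating what looks like a copy-paste slip in the `/lib/systemd/system/` lines above them. The ldap.fc hunk further down does the same for `/lib/systemd/system/slapd.*` and `/usr/lib/systemd/system/slapd.*`. Sharing the firewall's unit-file type means any domain allowed to manage or control iptables unit files gets the same rights over the FTP and LDAP services. It also means access decisions audited by type no longer say which service was touched. Each service should use its own unit-file type, in the form `/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:<ftpd unit-file type>,s0)`; the placeholder stands for a type that ftp.te would need to declare, which this page does not show.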
@@ -39625,34 +39945,32 @@ index 7382f85..fa32fcf 100644
+gen_user(git_shell_u, user, git_shell_r, s0, s0)
diff --git a/policy/modules/services/glance.fc b/policy/modules/services/glance.fc
new file mode 100644
-index 0000000..7d27335
+index 0000000..657d8f5
--- /dev/null
+++ b/policy/modules/services/glance.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,13 @@
+
-+/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
++/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
+
-+/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
++/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
++
++/usr/bin/glance-api -- gen_context(system_u:object_r:glance_api_exec_t,s0)
++/usr/bin/glance-registry -- gen_context(system_u:object_r:glance_registry_exec_t,s0)
+
+/var/lib/glance(/.*)? gen_context(system_u:object_r:glance_var_lib_t,s0)
+
+/var/log/glance(/.*)? gen_context(system_u:object_r:glance_log_t,s0)
+
+/var/run/glance(/.*)? gen_context(system_u:object_r:glance_var_run_t,s0)
-+
-+/etc/rc\.d/init\.d/openstack-glance-api -- gen_context(system_u:object_r:glance_api_initrc_exec_t,s0)
-+
-+/etc/rc\.d/init\.d/openstack-glance-registry -- gen_context(system_u:object_r:glance_registry_initrc_exec_t,s0)
diff --git a/policy/modules/services/glance.if b/policy/modules/services/glance.if
new file mode 100644
-index 0000000..8cc6d17
+index 0000000..8f0f77b
--- /dev/null
+++ b/policy/modules/services/glance.if
-@@ -0,0 +1,276 @@
+@@ -0,0 +1,268 @@
+
+## policy for glance
+
-+
+########################################
+##
+## Transition to glance.
@@ -39691,7 +40009,6 @@ index 0000000..8cc6d17
+ domtrans_pattern($1, glance_api_exec_t, glance_api_t)
+')
+
-+
+########################################
+##
+## Read glance's log files.
@@ -39887,13 +40204,9 @@ index 0000000..8cc6d17
+#
+interface(`glance_admin',`
+ gen_require(`
-+ type glance_registry_t;
-+ type glance_api_t;
-+ type glance_log_t;
-+ type glance_var_lib_t;
-+ type glance_var_run_t;
-+ type glance_registry_initrc_exec_t;
-+ type glance_api_initrc_exec_t;
++ type glance_registry_t, glance_api_t, glance_log_t;
++ type glance_var_lib_t, glance_var_run_t;
++ type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
+ ')
+
+ allow $1 glance_registry_t:process signal_perms;
@@ -39922,15 +40235,13 @@ index 0000000..8cc6d17
+
+ files_search_pids($1)
+ admin_pattern($1, glance_var_run_t)
-+
+')
-+
diff --git a/policy/modules/services/glance.te b/policy/modules/services/glance.te
new file mode 100644
-index 0000000..34385c9
+index 0000000..4afb81f
--- /dev/null
+++ b/policy/modules/services/glance.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,104 @@
+policy_module(glance, 1.0.0)
+
+########################################
@@ -40014,7 +40325,6 @@ index 0000000..34385c9
+corenet_tcp_bind_generic_node(glance_registry_t)
+corenet_tcp_bind_glance_registry_port(glance_registry_t)
+
-+
+########################################
+#
+# glance-api local policy
@@ -40077,10 +40387,10 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..a1d38a3 100644
+index 4fde46b..a250b06 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -14,19 +14,26 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -14,19 +14,28 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
# gnomeclock local policy
#
@@ -40104,15 +40414,16 @@ index 4fde46b..a1d38a3 100644
+files_read_etc_runtime_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
--auth_use_nsswitch(gnomeclock_t)
+fs_getattr_xattr_fs(gnomeclock_t)
++
+ auth_use_nsswitch(gnomeclock_t)
-clock_domtrans(gnomeclock_t)
-+auth_use_nsswitch(gnomeclock_t)
++logging_send_syslog_msg(gnomeclock_t)
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -42524,10 +42835,10 @@ index 0000000..4aac893
+
+sysnet_dns_name_resolve(l2tpd_t)
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..f8a4301 100644
+index c62f23e..63e3be1 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
-@@ -1,6 +1,10 @@
+@@ -1,6 +1,12 @@
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
@@ -42535,11 +42846,13 @@ index c62f23e..f8a4301 100644
+
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+
-+/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
++/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-@@ -15,3 +19,4 @@ ifdef(`distro_debian',`
+@@ -15,3 +21,4 @@ ifdef(`distro_debian',`
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
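Review bot: The added `/usr/lib/systemd/system/slapd.*` entry labels slapd's unit files `iptables_unit_file_t`, repeating the type already used on the `/lib/systemd/system/slapd.*` line above it, so any domain allowed to manage iptables unit files would also be able to manage the LDAP server's unit. The ppp.fc hunk further down does the same for `/lib/systemd/system/ppp.*` and the new `/usr/lib/systemd/system/ppp.*`. Each service should carry its own unit-file type, for example `/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0)`, with that type declared in ldap.te; whether such a type is already declared cannot be seen from this hunk.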
@@ -43652,46 +43965,41 @@ index 0000000..5b84980
+')
diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
new file mode 100644
-index 0000000..7f36870
+index 0000000..ea9dc7a
--- /dev/null
+++ b/policy/modules/services/matahari.fc
-@@ -0,0 +1,30 @@
-+/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
-+
-+/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
-+
-+/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
-+
-+/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
-+
-+/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
+@@ -0,0 +1,25 @@
++/etc/rc\.d/init\.d/matahari-host gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-net gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-service gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/matahari-sysconfig gen_context(system_u:object_r:matahari_initrc_exec_t,s0)
++
++/usr/sbin/matahari-dbus-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
++/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
+
-+/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++/usr/sbin/matahari-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
+
-+/usr/sbin/matahari-dbus-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++/usr/sbin/matahari-netd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
+
++/usr/sbin/matahari-qmf-hostd -- gen_context(system_u:object_r:matahari_hostd_exec_t,s0)
+/usr/sbin/matahari-qmf-networkd -- gen_context(system_u:object_r:matahari_netd_exec_t,s0)
++/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
++/usr/sbin/matahari-qmf-sysconfigd -- gen_context(system_u:object_r:matahari_sysconfigd_exec_t,s0)
+
-+/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
-+
-+/usr/sbin/matahari-dbus-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
-+
-+/usr/sbin/matahari-qmf-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
++/usr/sbin/matahari-serviced -- gen_context(system_u:object_r:matahari_serviced_exec_t,s0)
+
-+/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0)
++/var/lib/matahari(/.*)? gen_context(system_u:object_r:matahari_var_lib_t,s0)
+
-+/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0)
-+/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
-+/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
++/var/run/matahari(/.*)? gen_context(system_u:object_r:matahari_var_run_t,s0)
++/var/run/matahari\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
++/var/run/matahari-broker\.pid -- gen_context(system_u:object_r:matahari_var_run_t,s0)
diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if
new file mode 100644
-index 0000000..0d771fd
+index 0000000..2e8b6d8
--- /dev/null
+++ b/policy/modules/services/matahari.if
-@@ -0,0 +1,250 @@
+@@ -0,0 +1,244 @@
+## policy for matahari
+
+######################################
@@ -43718,7 +44026,6 @@ index 0000000..0d771fd
+ type matahari_$1_t, matahari_domain;
+ type matahari_$1_exec_t;
+ init_daemon_domain(matahari_$1_t, matahari_$1_exec_t)
-+
+')
+
+########################################
@@ -43798,7 +44105,6 @@ index 0000000..0d771fd
+ manage_dirs_pattern($1, matahari_var_lib_t, matahari_var_lib_t)
+')
+
-+
+########################################
+##
+## Read matahari PID files.
@@ -43910,12 +44216,9 @@ index 0000000..0d771fd
+#
+interface(`matahari_admin',`
+ gen_require(`
-+ type matahari_initrc_exec_t;
-+ type matahari_hostd_t;
-+ type matahari_netd_t;
-+ type matahari_serviced_t;
-+ type matahari_var_lib_t;
-+ type matahari_var_run_t;
++ type matahari_initrc_exec_t, matahari_hostd_t;
++ type matahari_netd_t, matahari_serviced_t;
++ type matahari_var_lib_t, matahari_var_run_t;
+ ')
+
+ init_labeled_script_domtrans($1, matahari_initrc_exec_t)
@@ -43940,11 +44243,10 @@ index 0000000..0d771fd
+
+ files_search_pids($1)
+ admin_pattern($1, matahari_var_run_t)
-+
+')
diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
new file mode 100644
-index 0000000..372ed05
+index 0000000..4ea6ac3
--- /dev/null
+++ b/policy/modules/services/matahari.te
@@ -0,0 +1,97 @@
@@ -44027,7 +44329,7 @@ index 0000000..372ed05
+# matahari domain local policy
+#
+
-+allow matahari_domain self:process { signal };
++allow matahari_domain self:process signal;
+
+allow matahari_domain self:fifo_file rw_fifo_file_perms;
+allow matahari_domain self:unix_stream_socket create_stream_socket_perms;
@@ -45109,7 +45411,7 @@ index 7f68872..36ff69d 100644
+ xserver_dontaudit_read_xdm_pid(mpd_t)
+')
diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
-index 256166a..2320c87 100644
+index 256166a..71e7a36 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -1,4 +1,6 @@
@@ -45120,24 +45422,27 @@ index 256166a..2320c87 100644
/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-@@ -11,20 +13,25 @@ ifdef(`distro_redhat',`
+@@ -11,20 +13,26 @@ ifdef(`distro_redhat',`
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
')
+-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-+
- /usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++
+/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -45603,7 +45908,7 @@ index 343cee3..867dfac 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..7f55b85 100644
+index 64268e4..a7d94de 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -45864,7 +46169,7 @@ index 64268e4..7f55b85 100644
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files(user_mail_t)
fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +304,47 @@ optional_policy(`
+@@ -292,3 +304,49 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -45892,6 +46197,8 @@ index 64268e4..7f55b85 100644
+kernel_read_network_state(user_mail_domain)
+kernel_request_load_module(user_mail_domain)
+
++dev_read_urand(user_mail_domain)
++
+files_read_usr_files(user_mail_domain)
+
+optional_policy(`
@@ -46889,10 +47196,10 @@ index 74da57f..b94bb3b 100644
/usr/sbin/nessusd -- gen_context(system_u:object_r:nessusd_exec_t,s0)
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..8e8f911 100644
+index 386543b..ea4e5e6 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
-@@ -1,6 +1,15 @@
+@@ -1,6 +1,17 @@
/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -46906,10 +47213,18 @@ index 386543b..8e8f911 100644
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
+
+/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
++
++/usr/lib/systemd/system/NetworkManager\.service -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
-@@ -16,11 +25,13 @@
+@@ -12,15 +23,19 @@
+ /usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
++/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+
/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
@@ -47295,7 +47610,7 @@ index 0619395..e5fb258 100644
########################################
diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
-index 15448d5..3587f6a 100644
+index 15448d5..62284bf 100644
--- a/policy/modules/services/nis.fc
+++ b/policy/modules/services/nis.fc
@@ -1,5 +1,5 @@
@@ -47317,7 +47632,7 @@ index 15448d5..3587f6a 100644
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
-@@ -19,3 +19,8 @@
+@@ -19,3 +19,13 @@
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
@@ -47326,6 +47641,11 @@ index 15448d5..3587f6a 100644
+/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++
++/usr/lib/systemd/system/ypbind\.service -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
++/usr/lib/systemd/system/ypserv\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++/usr/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
++/usr/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index abe3f7f..d3595cf 100644
--- a/policy/modules/services/nis.if
@@ -48218,15 +48538,17 @@ index ded9fb6..9d1e60a 100644
manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
files_pid_filetrans(ntop_t, ntop_var_run_t, file)
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
-index e79dccc..50202ef 100644
+index e79dccc..82a62e9 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
-@@ -10,6 +10,8 @@
+@@ -10,6 +10,10 @@
/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
+
++/usr/lib/systemd/system/ntpd\.service -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
++
/usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -48364,6 +48686,18 @@ index c61adc8..09bb140 100644
auth_use_nsswitch(ntpd_t)
+diff --git a/policy/modules/services/nut.fc b/policy/modules/services/nut.fc
+index 0a929ef..371119d 100644
+--- a/policy/modules/services/nut.fc
++++ b/policy/modules/services/nut.fc
+@@ -3,6 +3,7 @@
+ /sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+
+ /usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
++/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
+ /usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
+
+ /var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
diff --git a/policy/modules/services/nut.te b/policy/modules/services/nut.te
index ff962dd..c856c64 100644
--- a/policy/modules/services/nut.te
@@ -49806,15 +50140,20 @@ index 0000000..1c69a1a
+
+sysnet_read_config(piranha_domain)
diff --git a/policy/modules/services/plymouthd.fc b/policy/modules/services/plymouthd.fc
-index 5702ca4..08528da 100644
+index 5702ca4..498d856 100644
--- a/policy/modules/services/plymouthd.fc
+++ b/policy/modules/services/plymouthd.fc
-@@ -5,3 +5,5 @@
+@@ -2,6 +2,10 @@
+
+ /sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
+
++/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
++
++/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
++
/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
-+
-+#/var/log/boot\.log -- gen_context(system_u:object_r:plymouthd_var_log_t,s0)
diff --git a/policy/modules/services/plymouthd.if b/policy/modules/services/plymouthd.if
index 9759ed8..34b79af 100644
--- a/policy/modules/services/plymouthd.if
@@ -50938,6 +51277,19 @@ index 0000000..d958b53
+')
+
+userdom_home_manager(polipo_session_t)
+diff --git a/policy/modules/services/portmap.fc b/policy/modules/services/portmap.fc
+index 76f5834..bebd9aa 100644
+--- a/policy/modules/services/portmap.fc
++++ b/policy/modules/services/portmap.fc
+@@ -1,6 +1,8 @@
+
+ /sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
+
++/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
++
+ ifdef(`distro_debian',`
+ /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
+ /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index 333a1fe..e599723 100644
--- a/policy/modules/services/portmap.te
@@ -50984,10 +51336,10 @@ index 333a1fe..e599723 100644
optional_policy(`
diff --git a/policy/modules/services/portreserve.fc b/policy/modules/services/portreserve.fc
-index 4313a6f..1d9fa76 100644
+index 4313a6f..cc334a3 100644
--- a/policy/modules/services/portreserve.fc
+++ b/policy/modules/services/portreserve.fc
-@@ -1,6 +1,7 @@
+@@ -1,7 +1,10 @@
-/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
@@ -50997,6 +51349,9 @@ index 4313a6f..1d9fa76 100644
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
++/usr/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
++
+ /var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0)
diff --git a/policy/modules/services/portreserve.if b/policy/modules/services/portreserve.if
index 7719d16..d283895 100644
--- a/policy/modules/services/portreserve.if
@@ -51509,7 +51864,7 @@ index 46bee12..1fbe0fa 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..149da7a 100644
+index a32c4b3..c24aed3 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -51889,18 +52244,19 @@ index a32c4b3..149da7a 100644
')
optional_policy(`
-@@ -599,6 +689,10 @@ optional_policy(`
+@@ -599,6 +689,11 @@ optional_policy(`
')
optional_policy(`
+ milter_stream_connect_all(postfix_smtpd_t)
++ spamassassin_read_pid_files(postfix_smtpd_t)
+')
+
+optional_policy(`
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +705,6 @@ optional_policy(`
+@@ -611,7 +706,6 @@ optional_policy(`
# Postfix virtual local policy
#
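Review bot: Placing `spamassassin_read_pid_files(postfix_smtpd_t)` in the same `optional_policy` block as `milter_stream_connect_all(postfix_smtpd_t)` couples the two modules. An optional block is dropped as a whole when any interface in it cannot be resolved, so a policy built without the spamassassin module would also lose the milter socket access. The new call should sit in a separate `optional_policy` block that wraps only `spamassassin_read_pid_files(postfix_smtpd_t)`, the way `postgrey_stream_connect(postfix_smtpd_t)` is wrapped just below.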
@@ -51908,7 +52264,7 @@ index a32c4b3..149da7a 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +723,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +724,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -52249,25 +52605,39 @@ index db843e2..4389e81 100644
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
-index 2d82c6d..adf5731 100644
+index 2d82c6d..fdee468 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
-@@ -11,11 +11,14 @@
+@@ -11,19 +11,26 @@
# Fix /etc/ppp {up,down} family scripts (see man pppd)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
+
++/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
#
# /sbin
#
+-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
- /sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+
+ #
+ # /usr
+ #
++/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
+ /usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
++/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
+ /usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
+-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
#
-@@ -34,5 +37,7 @@
+ # /var
+@@ -34,5 +41,7 @@
# Fix pptp sockets
/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
@@ -52562,6 +52932,18 @@ index 2af42e7..20f5d6b 100644
files_read_etc_files(pptp_t)
+diff --git a/policy/modules/services/prelude.fc b/policy/modules/services/prelude.fc
+index 3bd847a..a52b025 100644
+--- a/policy/modules/services/prelude.fc
++++ b/policy/modules/services/prelude.fc
+@@ -5,6 +5,7 @@
+
+ /sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+
++/usr/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0)
+ /usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0)
+ /usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0)
+ /usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0)
diff --git a/policy/modules/services/prelude.if b/policy/modules/services/prelude.if
index 2316653..b295b91 100644
--- a/policy/modules/services/prelude.if
@@ -54446,27 +54828,26 @@ index cb7ecb5..3df1532 100644
+')
diff --git a/policy/modules/services/rabbitmq.fc b/policy/modules/services/rabbitmq.fc
new file mode 100644
-index 0000000..7908e1d
+index 0000000..594c110
--- /dev/null
+++ b/policy/modules/services/rabbitmq.fc
@@ -0,0 +1,7 @@
+
-+/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+/usr/lib64/erlang/erts-5.8.5/bin/beam.* -- gen_context(system_u:object_r:rabbitmq_beam_exec_t,s0)
-+#/usr/lib64/erlang/lib/os_mon-2.2.7/priv/bin/cpu_sup -- gen_context(system_u:object_r:rabbitmq_cpu_sup_exec_t,s0)
++/usr/lib64/erlang/erts-5.8.5/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
+
-+/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
++
++/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
diff --git a/policy/modules/services/rabbitmq.if b/policy/modules/services/rabbitmq.if
new file mode 100644
-index 0000000..f15d8c3
+index 0000000..491bd1f
--- /dev/null
+++ b/policy/modules/services/rabbitmq.if
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,21 @@
+
+## policy for rabbitmq
+
-+
+########################################
+##
+## Transition to rabbitmq.
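Review bot: Both executable labels in rabbitmq.fc are pinned to one Erlang runtime directory, `/usr/lib64/erlang/erts-5.8.5/bin/epmd` and `/usr/lib64/erlang/erts-5.8.5/bin/beam.*`. After an Erlang update that changes the erts version these paths stop matching, the binaries fall back to a default label, and presumably the transitions into `rabbitmq_epmd_t` and `rabbitmq_beam_t` no longer happen. A version-independent pattern such as `/usr/lib64/erlang/erts-[^/]+/bin/epmd` (and the same for `beam.*`) keeps the confinement across updates. The dots in `5.8.5` are also unescaped and match any character.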
@@ -54485,10 +54866,9 @@ index 0000000..f15d8c3
+ corecmd_search_bin($1)
+ domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
+')
-+
diff --git a/policy/modules/services/rabbitmq.te b/policy/modules/services/rabbitmq.te
new file mode 100644
-index 0000000..55aaca1
+index 0000000..591ca32
--- /dev/null
+++ b/policy/modules/services/rabbitmq.te
@@ -0,0 +1,86 @@
@@ -54521,7 +54901,7 @@ index 0000000..55aaca1
+allow rabbitmq_beam_t self:process { setsched signal signull };
+
+allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
-+allow rabbitmq_beam_t self:tcp_socket { accept listen };
++allow rabbitmq_beam_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
@@ -54559,7 +54939,7 @@ index 0000000..55aaca1
+
+domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+
-+allow rabbitmq_epmd_t self:process { signal };
++allow rabbitmq_epmd_t self:process signal;
+
+allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
@@ -54972,6 +55352,15 @@ index 852840b..9405f78 100644
+ milter_manage_spamass_state(razor_t)
+ ')
')
+diff --git a/policy/modules/services/rdisc.fc b/policy/modules/services/rdisc.fc
+index dee4adc..a7e4bc7 100644
+--- a/policy/modules/services/rdisc.fc
++++ b/policy/modules/services/rdisc.fc
+@@ -1,2 +1,4 @@
+
+ /sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
++
++/usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0)
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
index 0a76027..a475797 100644
--- a/policy/modules/services/remotelogin.te
@@ -55058,6 +55447,18 @@ index 0a76027..a475797 100644
unconfined_shell_domtrans(remote_login_t)
')
+diff --git a/policy/modules/services/resmgr.fc b/policy/modules/services/resmgr.fc
+index af810b9..9c544e5 100644
+--- a/policy/modules/services/resmgr.fc
++++ b/policy/modules/services/resmgr.fc
+@@ -3,5 +3,7 @@
+
+ /sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
+
++/usr/sbin/resmgrd -- gen_context(system_u:object_r:resmgrd_exec_t,s0)
++
+ /var/run/\.resmgr_socket -s gen_context(system_u:object_r:resmgrd_var_run_t,s0)
+ /var/run/resmgr\.pid -- gen_context(system_u:object_r:resmgrd_var_run_t,s0)
diff --git a/policy/modules/services/resmgr.if b/policy/modules/services/resmgr.if
index d457736..eabdd78 100644
--- a/policy/modules/services/resmgr.if
@@ -55817,13 +56218,15 @@ index 93c896a..8c29c39 100644
+')
diff --git a/policy/modules/services/rhev.fc b/policy/modules/services/rhev.fc
new file mode 100644
-index 0000000..4e7605a
+index 0000000..9a8524d
--- /dev/null
+++ b/policy/modules/services/rhev.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
+
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
++
++/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
diff --git a/policy/modules/services/rhev.if b/policy/modules/services/rhev.if
new file mode 100644
index 0000000..bf11e25
@@ -55908,10 +56311,10 @@ index 0000000..bf11e25
+')
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644
-index 0000000..1ec5e7c
+index 0000000..b5168a0
--- /dev/null
+++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,106 @@
+policy_module(rhev,1.0)
+
+########################################
@@ -55926,10 +56329,12 @@ index 0000000..1ec5e7c
+type rhev_agentd_var_run_t;
+files_pid_file(rhev_agentd_var_run_t)
+
-+# WHY IS USED /TMP DIRECTORY
+type rhev_agentd_tmp_t;
+files_tmp_file(rhev_agentd_tmp_t)
+
++type rhev_agentd_log_t;
++logging_log_file(rhev_agentd_log_t)
++
+########################################
+#
+# rhev_agentd_t local policy
@@ -55946,6 +56351,8 @@ index 0000000..1ec5e7c
+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
+
++manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
++
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
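Review bot: `manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)` gives the agent full manage rights on its own log files, which includes rewriting and unlinking them, so a compromised agent could alter or remove its own audit trail. If the daemon only creates and appends to files under `/var/log/rhev-agent`, the narrower `create_files_pattern`, `append_files_pattern` and `setattr_files_pattern` on the same types would be enough. Whether the agent rotates its own logs, which would justify the wider grant, cannot be told from this hunk.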
@@ -55988,13 +56395,32 @@ index 0000000..1ec5e7c
+')
+
+optional_policy(`
-+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
++ xserver_dbus_chat_xdm(rhev_agentd_t)
+')
+
++######################################
++#
++# rhev_agentd_t consolehelper local policy
++#
++
+optional_policy(`
-+ xserver_dbus_chat_xdm(rhev_agentd_t)
-+')
++ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
++
++ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append;
+
++ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
++ kernel_read_system_state(rhev_agentd_consolehelper_t)
++
++ term_use_virtio_console(rhev_agentd_consolehelper_t)
++
++ optional_policy(`
++ dbus_session_bus_client(rhev_agentd_consolehelper_t)
++ ')
++
++ optional_policy(`
++ unconfined_dbus_chat(rhev_agentd_consolehelper_t)
++ ')
++')
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
index 96efae7..793a29f 100644
--- a/policy/modules/services/rhgb.if
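Review bot: In the new consolehelper block, `allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file append;` grants `append` without `open`, so it only takes effect on a log descriptor the helper inherits already open. If that is the intent, a comment such as `# log fd is inherited from rhev_agentd_t; open is deliberately not granted` would keep a later cleanup from widening it; if the helper opens the log itself, the rule needs `append_file_perms` instead. The block also adds `unconfined_dbus_chat(rhev_agentd_consolehelper_t)` with no stated reason, and a one-line rationale for why the helper must exchange D-Bus messages with unconfined domains would help review.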
@@ -56021,7 +56447,7 @@ index 0f262a7..4d10897 100644
manage_dirs_pattern(rhgb_t, rhgb_tmpfs_t, rhgb_tmpfs_t)
diff --git a/policy/modules/services/rhsmcertd.fc b/policy/modules/services/rhsmcertd.fc
new file mode 100644
-index 0000000..5094d93
+index 0000000..b2a8835
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.fc
@@ -0,0 +1,12 @@
@@ -56030,19 +56456,19 @@ index 0000000..5094d93
+
+/usr/bin/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_exec_t,s0)
+
-+/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
-+
-+/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
++/var/lib/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_lib_t,s0)
+
+/var/lock/subsys/rhsmcertd -- gen_context(system_u:object_r:rhsmcertd_lock_t,s0)
+
-+/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
++/var/log/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_log_t,s0)
++
++/var/run/rhsm(/.*)? gen_context(system_u:object_r:rhsmcertd_var_run_t,s0)
diff --git a/policy/modules/services/rhsmcertd.if b/policy/modules/services/rhsmcertd.if
new file mode 100644
-index 0000000..61d0a4c
+index 0000000..6572600
--- /dev/null
+++ b/policy/modules/services/rhsmcertd.if
-@@ -0,0 +1,308 @@
+@@ -0,0 +1,300 @@
+
+## Subscription Management Certificate Daemon policy
+
@@ -56065,7 +56491,6 @@ index 0000000..61d0a4c
+ domtrans_pattern($1, rhsmcertd_exec_t, rhsmcertd_t)
+')
+
-+
+########################################
+##
+## Execute rhsmcertd server in the rhsmcertd domain.
@@ -56084,7 +56509,6 @@ index 0000000..61d0a4c
+ init_labeled_script_domtrans($1, rhsmcertd_initrc_exec_t)
+')
+
-+
+########################################
+##
+## Read rhsmcertd's log files.
@@ -56221,7 +56645,6 @@ index 0000000..61d0a4c
+ manage_dirs_pattern($1, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+')
+
-+
+########################################
+##
+## Read rhsmcertd PID files.
@@ -56322,11 +56745,8 @@ index 0000000..61d0a4c
+#
+interface(`rhsmcertd_admin',`
+ gen_require(`
-+ type rhsmcertd_t;
-+ type rhsmcertd_initrc_exec_t;
-+ type rhsmcertd_log_t;
-+ type rhsmcertd_var_lib_t;
-+ type rhsmcertd_var_run_t;
++ type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
++ type rhsmcertd_var_lib_t, rhsmcertd_var_run_t;
+ ')
+
+ allow $1 rhsmcertd_t:process signal_perms;
@@ -56348,9 +56768,7 @@ index 0000000..61d0a4c
+
+ files_search_pids($1)
+ admin_pattern($1, rhsmcertd_var_run_t)
-+
+')
-+
diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te
new file mode 100644
index 0000000..4d1d0c7
@@ -57011,20 +57429,38 @@ index 30c4b75..e07c2ff 100644
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
-index 5c70c0c..f9f0f54 100644
+index 5c70c0c..5a75e95 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
-@@ -6,6 +6,9 @@
+@@ -6,6 +6,12 @@
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
+/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
+/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
+
++/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
++/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
++
#
# /sbin
#
-@@ -29,3 +32,5 @@
+@@ -15,12 +21,14 @@
+ #
+ # /usr
+ #
++/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
+ /usr/sbin/rpc\.mountd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+ /usr/sbin/rpc\.nfsd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
+ /usr/sbin/rpc\.rquotad -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+ /usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
++/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
+
+ #
+ # /var
+@@ -29,3 +37,5 @@
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
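Review bot: The new catch-all `/usr/sbin/rpc\..*` makes every present and future `/usr/sbin/rpc.<name>` binary an `rpcd_exec_t` entry point unless a more specific line exists. That is broader than the explicit list under it, where `rpc\.gssd`, `rpc\.svcgssd`, `rpc\.mountd` and `rpc\.nfsd` carry other types. Assuming the file-context sort ranks the literal paths above the wildcard, the result is correct, but the overlap should be recorded with a comment above the line, for example `# fallback for rpc.* helpers not listed below; the specific entries take precedence`. The `rpc\.idmapd` and `rpc\.rquotad` lines become redundant with the wildcard and could be dropped or kept deliberately.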
@@ -57367,13 +57803,15 @@ index b1468ed..372f918 100644
')
diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc
-index f5c47d6..5a965e9 100644
+index f5c47d6..482b584 100644
--- a/policy/modules/services/rpcbind.fc
+++ b/policy/modules/services/rpcbind.fc
-@@ -2,6 +2,7 @@
+@@ -2,6 +2,9 @@
/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
++/usr/sbin/rpcbind -- gen_context(system_u:object_r:rpcbind_exec_t,s0)
++
+/var/cache/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
/var/lib/rpcbind(/.*)? gen_context(system_u:object_r:rpcbind_var_lib_t,s0)
@@ -57776,10 +58214,10 @@ index a07b2f4..ee39810 100644
+
+userdom_getattr_user_terminals(rwho_t)
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
-index 69a6074..596dbb3 100644
+index 69a6074..8ed95f2 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
-@@ -11,6 +11,8 @@
+@@ -11,9 +11,13 @@
/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
@@ -57788,7 +58226,12 @@ index 69a6074..596dbb3 100644
#
# /usr
#
-@@ -36,6 +38,8 @@
++/usr/lib/systemd/system/smb.service -- gen_context(system_u:object_r:samba_unit_file_t,s0)
++
+ /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
+ /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
+ /usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
+@@ -36,6 +40,8 @@
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
@@ -57797,7 +58240,7 @@ index 69a6074..596dbb3 100644
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-@@ -51,3 +55,7 @@
+@@ -51,3 +57,7 @@
/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
@@ -58082,7 +58525,7 @@ index 82cb169..48c023e 100644
+ samba_systemctl($1)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..bac0112 100644
+index e30bb63..5d2dfe7 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
@@ -58318,16 +58761,17 @@ index e30bb63..bac0112 100644
########################################
#
# SWAT Local policy
-@@ -677,7 +695,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +695,8 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
-allow swat_t smbd_var_run_t:file { lock unlink };
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
++stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -692,12 +710,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +711,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
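Review bot: The added `stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)` lets the SWAT domain connect to nmbd's unix stream socket, and nothing in the hunk records why that is needed. swat_t already binds a TCP port in this block (`allow swat_t smbd_port_t:tcp_socket name_bind;`), so each extra channel from it into another Samba daemon should carry its justification. A comment above the rule, for example `# swat connects to the nmbd socket under nmbd_var_run_t (AVC: <reference>)`, would let a later reader decide whether the rule can be dropped. The SWAT section continues outside the hunk.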
@@ -58342,7 +58786,7 @@ index e30bb63..bac0112 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +730,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +731,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -58350,7 +58794,7 @@ index e30bb63..bac0112 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -754,6 +775,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +776,8 @@ logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
@@ -58359,7 +58803,7 @@ index e30bb63..bac0112 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -783,7 +806,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -783,7 +807,7 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
@@ -58368,7 +58812,7 @@ index e30bb63..bac0112 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -806,15 +829,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +830,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -58390,7 +58834,7 @@ index e30bb63..bac0112 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +857,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +858,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -58398,7 +58842,7 @@ index e30bb63..bac0112 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -850,10 +875,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -850,10 +876,14 @@ domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
@@ -58413,7 +58857,7 @@ index e30bb63..bac0112 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +892,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
+@@ -863,6 +893,12 @@ userdom_manage_user_home_content_pipes(winbind_t)
userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
@@ -58426,7 +58870,7 @@ index e30bb63..bac0112 100644
optional_policy(`
kerberos_use(winbind_t)
')
-@@ -904,7 +939,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +940,7 @@ logging_send_syslog_msg(winbind_helper_t)
miscfiles_read_localization(winbind_helper_t)
@@ -58435,7 +58879,7 @@ index e30bb63..bac0112 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -922,6 +957,18 @@ optional_policy(`
+@@ -922,6 +958,18 @@ optional_policy(`
#
optional_policy(`
@@ -58454,7 +58898,7 @@ index e30bb63..bac0112 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +979,12 @@ optional_policy(`
+@@ -932,9 +980,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -58637,7 +59081,7 @@ index 0000000..0d53457
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..96adff5
+index 0000000..64d3e6a
--- /dev/null
+++ b/policy/modules/services/sanlock.te
@@ -0,0 +1,100 @@
@@ -58687,7 +59131,7 @@ index 0000000..96adff5
+#
+# sanlock local policy
+#
-+allow sanlock_t self:capability { kill sys_nice ipc_lock };
++allow sanlock_t self:capability { sys_nice ipc_lock };
+allow sanlock_t self:process { setsched signull };
+
+allow sanlock_t self:fifo_file rw_fifo_file_perms;
@@ -58711,11 +59155,11 @@ index 0000000..96adff5
+
+dev_read_urand(sanlock_t)
+
-+logging_send_syslog_msg(sanlock_t)
-+
+init_read_utmp(sanlock_t)
+init_dontaudit_write_utmp(sanlock_t)
+
++logging_send_syslog_msg(sanlock_t)
++
+miscfiles_read_localization(sanlock_t)
+
+tunable_policy(`sanlock_use_nfs',`
@@ -58928,10 +59372,10 @@ index 0000000..40d0049
+
diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
new file mode 100644
-index 0000000..c4d9192
+index 0000000..7fad050
--- /dev/null
+++ b/policy/modules/services/sblim.te
-@@ -0,0 +1,108 @@
+@@ -0,0 +1,105 @@
+policy_module(sblim, 1.0.0)
+
+########################################
@@ -58956,11 +59400,8 @@ index 0000000..c4d9192
+#
+# sblim_gatherd local policy
+#
-+
-+#needed by ps
-+allow sblim_gatherd_t self:capability { kill dac_override };
++allow sblim_gatherd_t self:capability dac_override;
+allow sblim_gatherd_t self:process signal;
-+
+allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
+allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms;
+
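Review bot: `allow sblim_gatherd_t self:capability dac_override;` keeps the broader of the two capabilities, while its only justification, the `#needed by ps` comment, is deleted along with `kill`. dac_override lets the domain bypass discretionary file permission checks, so the reason should stay next to the rule, e.g. `# dac_override: needed by ps`. If the specific files are known, the rule could instead be narrowed to access on those files. The local policy block continues outside the hunk.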
@@ -58979,6 +59420,8 @@ index 0000000..c4d9192
+
+fs_getattr_all_fs(sblim_gatherd_t)
+
++sysnet_dns_name_resolve(sblim_gatherd_t)
++
+term_getattr_pty_fs(sblim_gatherd_t)
+
+init_read_utmp(sblim_gatherd_t)
@@ -58995,7 +59438,6 @@ index 0000000..c4d9192
+
+optional_policy(`
+ ssh_signull(sblim_gatherd_t)
-+ sysnet_dns_name_resolve(sblim_gatherd_t)
+')
+
+optional_policy(`
@@ -59039,7 +59481,6 @@ index 0000000..c4d9192
+files_read_etc_files(sblim_domain)
+
+miscfiles_read_localization(sblim_domain)
-+
diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
index a86ec50..ef4199b 100644
--- a/policy/modules/services/sendmail.fc
@@ -59052,7 +59493,7 @@ index a86ec50..ef4199b 100644
/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
-index 7e94c7c..e918b16 100644
+index 7e94c7c..ca74cd9 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -51,10 +51,24 @@ interface(`sendmail_domtrans',`
@@ -59101,13 +59542,32 @@ index 7e94c7c..e918b16 100644
')
########################################
-@@ -295,3 +309,54 @@ interface(`sendmail_run_unconfined',`
+@@ -295,3 +309,73 @@ interface(`sendmail_run_unconfined',`
sendmail_domtrans_unconfined($1)
role $2 types unconfined_sendmail_t;
')
+
+########################################
+##
++## Set the attributes of sendmail pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`sendmail_setattr_pid_files',`
++ gen_require(`
++ type sendmail_var_run_t;
++ ')
++
++ allow $1 sendmail_var_run_t:file setattr_file_perms;
++ files_search_pids($1)
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an sendmail environment
+##
@@ -60692,7 +61152,7 @@ index 078bcd7..84d29ee 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..e494f5c 100644
+index 22adaca..c2efd25 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -60970,7 +61430,32 @@ index 22adaca..e494f5c 100644
optional_policy(`
nis_use_ypbind($1_ssh_agent_t)
-@@ -477,8 +494,27 @@ interface(`ssh_read_pipes',`
+@@ -464,6 +481,24 @@ interface(`ssh_signal',`
+
+ ########################################
+ ##
++## Send a null signal to sshd processes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ssh_signull',`
++ gen_require(`
++ type sshd_t;
++ ')
++
++ allow $1 sshd_t:process signull;
++')
++
++########################################
++##
+ ## Read a ssh server unnamed pipe.
+ ##
+ ##
+@@ -477,8 +512,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@@ -60999,7 +61484,7 @@ index 22adaca..e494f5c 100644
########################################
##
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +530,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +548,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -61008,7 +61493,7 @@ index 22adaca..e494f5c 100644
')
########################################
-@@ -586,6 +622,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +640,24 @@ interface(`ssh_domtrans',`
########################################
##
@@ -61033,7 +61518,7 @@ index 22adaca..e494f5c 100644
## Execute the ssh client in the caller domain.
##
##
-@@ -618,7 +672,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +690,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -61042,7 +61527,7 @@ index 22adaca..e494f5c 100644
files_search_pids($1)
')
-@@ -643,6 +697,42 @@ interface(`ssh_agent_exec',`
+@@ -643,6 +715,42 @@ interface(`ssh_agent_exec',`
########################################
##
@@ -61085,7 +61570,7 @@ index 22adaca..e494f5c 100644
## Read ssh home directory content
##
##
-@@ -682,6 +772,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -682,6 +790,50 @@ interface(`ssh_domtrans_keygen',`
########################################
##
@@ -61136,7 +61621,7 @@ index 22adaca..e494f5c 100644
## Read ssh server keys
##
##
-@@ -695,7 +829,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +847,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -61145,29 +61630,11 @@ index 22adaca..e494f5c 100644
')
######################################
-@@ -735,3 +869,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +887,63 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
+
-+########################################
-+##
-+## Send a null signal to sshd processes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`ssh_signull',`
-+ gen_require(`
-+ type sshd_t;
-+ ')
-+
-+ allow $1 sshd_t:process signull;
-+')
-+
+#####################################
+##
+## Allow domain dyntransition to chroot_user_t domain.
@@ -62701,14 +63168,13 @@ index d4349e9..f14d337 100644
')
diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc
new file mode 100644
-index 0000000..c184667
+index 0000000..d810232
--- /dev/null
+++ b/policy/modules/services/uuidd.fc
-@@ -0,0 +1,9 @@
+@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/uuidd -- gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
+
-+
+/usr/sbin/uuidd -- gen_context(system_u:object_r:uuidd_exec_t,s0)
+
+/var/lib/libuuid(/.*)? gen_context(system_u:object_r:uuidd_var_lib_t,s0)
@@ -62716,10 +63182,10 @@ index 0000000..c184667
+/var/run/uuidd(/.*)? gen_context(system_u:object_r:uuidd_var_run_t,s0)
diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
new file mode 100644
-index 0000000..c82f178
+index 0000000..adf79eb
--- /dev/null
+++ b/policy/modules/services/uuidd.if
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,194 @@
+## policy for uuidd
+
+########################################
@@ -62893,10 +63359,8 @@ index 0000000..c82f178
+#
+interface(`uuidd_admin',`
+ gen_require(`
-+ type uuidd_t;
-+ type uuidd_initrc_exec_t;
-+ type uuidd_var_lib_t;
-+ type uuidd_var_run_t;
++ type uuidd_t, uuidd_initrc_exec_t;
++ type uuidd_var_run_t, uuidd_var_lib_t;
+ ')
+
+ allow $1 uuidd_t:process signal_perms;
@@ -62918,10 +63382,10 @@ index 0000000..c82f178
+')
diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te
new file mode 100644
-index 0000000..ac053f3
+index 0000000..04589dc
--- /dev/null
+++ b/policy/modules/services/uuidd.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,44 @@
+policy_module(uuidd, 1.0.0)
+
+########################################
@@ -62946,9 +63410,8 @@ index 0000000..ac053f3
+#
+# uuidd local policy
+#
-+allow uuidd_t self:capability { setuid };
-+allow uuidd_t self:process { signal };
-+
++allow uuidd_t self:capability setuid;
++allow uuidd_t self:process signal;
+allow uuidd_t self:fifo_file rw_fifo_file_perms;
+allow uuidd_t self:unix_stream_socket create_stream_socket_perms;
+allow uuidd_t self:udp_socket create_socket_perms;
@@ -62967,7 +63430,6 @@ index 0000000..ac053f3
+files_read_etc_files(uuidd_t)
+
+miscfiles_read_localization(uuidd_t)
-+
diff --git a/policy/modules/services/varnishd.if b/policy/modules/services/varnishd.if
index 93975d6..7a665ff 100644
--- a/policy/modules/services/varnishd.if
@@ -63037,48 +63499,29 @@ index f9310f3..7a350f1 100644
#
diff --git a/policy/modules/services/vdagent.fc b/policy/modules/services/vdagent.fc
new file mode 100644
-index 0000000..71d9784
+index 0000000..2ba852c
--- /dev/null
+++ b/policy/modules/services/vdagent.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,10 @@
++/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
+
-+/usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
++/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
++/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
+
+/var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
+/var/run/spice-vdagentd.\pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
+
-+/var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
-+/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
-+
+
+
diff --git a/policy/modules/services/vdagent.if b/policy/modules/services/vdagent.if
new file mode 100644
-index 0000000..57471cc
+index 0000000..6467d91
--- /dev/null
+++ b/policy/modules/services/vdagent.if
-@@ -0,0 +1,131 @@
+@@ -0,0 +1,128 @@
+
+## policy for vdagent
+
-+#####################################
-+##
-+## Getattr on vdagent executable.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`vdagent_getattr_exec',`
-+ gen_require(`
-+ type vdagent_exec_t;
-+ ')
-+
-+ allow $1 vdagent_exec_t:file getattr;
-+')
-+
+########################################
+##
+## Execute a domain transition to run vdagent.
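Review bot: The pid-file entry kept in vdagent.fc, `/var/run/spice-vdagentd.\pid`, has its backslash on the wrong side of the dot, so the dot is an unescaped wildcard and `\p` escapes the letter instead. This commit reorders the file around that line without correcting it; it should read `/var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)`. The `/var/run/spice-vdagentd(/.*)?` entry above does not cover a `.pid` sibling of the directory, so the pid file's label depends on this line. The trailing blank lines at the end of the file are also left in place.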
@@ -63097,6 +63540,24 @@ index 0000000..57471cc
+ domtrans_pattern($1, vdagent_exec_t, vdagent_t)
+')
+
++#####################################
++##
++## Getattr on vdagent executable.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`vdagent_getattr_exec',`
++ gen_require(`
++ type vdagent_exec_t;
++ ')
++
++ allow $1 vdagent_exec_t:file getattr;
++')
++
+#######################################
+##
+## Get the attributes of vdagent logs.
@@ -63174,8 +63635,7 @@ index 0000000..57471cc
+#
+interface(`vdagent_admin',`
+ gen_require(`
-+ type vdagent_t;
-+ type vdagent_var_run_t;
++ type vdagent_t, vdagent_var_run_t;
+ ')
+
+ allow $1 vdagent_t:process signal_perms;
@@ -63186,9 +63646,7 @@ index 0000000..57471cc
+
+ files_search_pids($1)
+ admin_pattern($1, vdagent_var_run_t)
-+
+')
-+
diff --git a/policy/modules/services/vdagent.te b/policy/modules/services/vdagent.te
new file mode 100644
index 0000000..4fd2377
@@ -65013,14 +65471,14 @@ index 1174ad8..f4c4c1b 100644
+apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t)
diff --git a/policy/modules/services/wdmd.fc b/policy/modules/services/wdmd.fc
new file mode 100644
-index 0000000..2f21759
+index 0000000..ad47e05
--- /dev/null
+++ b/policy/modules/services/wdmd.fc
@@ -0,0 +1,6 @@
+
+/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
+
-+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
++/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
+
+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
diff --git a/policy/modules/services/wdmd.if b/policy/modules/services/wdmd.if
@@ -65145,10 +65603,10 @@ index 0000000..955f1ac
+')
diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
new file mode 100644
-index 0000000..307c99e
+index 0000000..11b8863
--- /dev/null
+++ b/policy/modules/services/wdmd.te
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,44 @@
+policy_module(wdmd,1.0.0)
+
+########################################
@@ -65181,25 +65639,18 @@ index 0000000..307c99e
+manage_sock_files_pattern(wdmd_t, wdmd_var_run_t, wdmd_var_run_t)
+files_pid_filetrans(wdmd_t, wdmd_var_run_t, { file dir sock_file })
+
++dev_read_watchdog(wdmd_t)
+dev_write_watchdog(wdmd_t)
+
+domain_use_interactive_fds(wdmd_t)
+
+files_read_etc_files(wdmd_t)
+
-+logging_send_syslog_msg(wdmd_t)
-+
-+miscfiles_read_localization(wdmd_t)
-+
+fs_read_anon_inodefs_files(wdmd_t)
+
-+gen_require(`
-+ type watchdog_device_t;
-+')
++logging_send_syslog_msg(wdmd_t)
+
-+#dev_read_watchdog(wdmd_t)
-+#============= wdmd_t ==============
-+allow wdmd_t watchdog_device_t:chr_file read;
++miscfiles_read_localization(wdmd_t)
diff --git a/policy/modules/services/xfs.if b/policy/modules/services/xfs.if
index aa6e5a8..42a0efb 100644
--- a/policy/modules/services/xfs.if
@@ -65356,7 +65807,7 @@ index 4966c94..cb2e1a3 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..b6fb17a 100644
+index 130ced9..351ed06 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -65441,13 +65892,15 @@ index 130ced9..b6fb17a 100644
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -106,12 +116,24 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,26 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ xserver_read_xdm_etc_files($2)
+ xserver_xdm_append_log($2)
+
++ term_use_virtio_console($2)
++
+ modutils_run_insmod(xserver_t, $1)
# Client write xserver shm
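Review bot: `term_use_virtio_console($2)` is added to `xserver_restricted_role` unconditionally, so every user domain passed to this interface gains access to the virtio console devices, and no comment says which client needs it. If this is for a guest agent running in the session (an assumption; the hunk does not say), state that in a comment such as `# session agent talks to the host over the virtio console`. Also consider granting it only to the roles that need it rather than to every restricted X role. The interface body starts and ends outside the hunk.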
@@ -65466,7 +65919,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -143,13 +165,15 @@ interface(`xserver_role',`
+@@ -143,13 +167,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -65484,7 +65937,7 @@ index 130ced9..b6fb17a 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +186,6 @@ interface(`xserver_role',`
+@@ -162,7 +188,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -65492,7 +65945,7 @@ index 130ced9..b6fb17a 100644
')
#######################################
-@@ -197,7 +220,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +222,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -65501,7 +65954,7 @@ index 130ced9..b6fb17a 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +250,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +252,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
@@ -65510,7 +65963,7 @@ index 130ced9..b6fb17a 100644
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +280,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
@@ -65519,7 +65972,7 @@ index 130ced9..b6fb17a 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +314,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +316,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -65537,7 +65990,7 @@ index 130ced9..b6fb17a 100644
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +365,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +367,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -65564,7 +66017,7 @@ index 130ced9..b6fb17a 100644
')
##############################
-@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +415,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -65580,7 +66033,7 @@ index 130ced9..b6fb17a 100644
')
#######################################
-@@ -444,8 +480,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +482,9 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -65592,7 +66045,7 @@ index 130ced9..b6fb17a 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +493,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,18 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
@@ -65613,7 +66066,7 @@ index 130ced9..b6fb17a 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +516,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +518,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -65642,7 +66095,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -65650,7 +66103,7 @@ index 130ced9..b6fb17a 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +600,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -549,6 +602,24 @@ interface(`xserver_domtrans_xauth',`
########################################
##
@@ -65675,7 +66128,7 @@ index 130ced9..b6fb17a 100644
## Create a Xauthority file in the user home directory.
##
##
-@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +669,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -65683,7 +66136,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +687,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -65692,7 +66145,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -638,6 +708,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +710,25 @@ interface(`xserver_rw_console',`
########################################
##
@@ -65718,7 +66171,7 @@ index 130ced9..b6fb17a 100644
## Use file descriptors for xdm.
##
##
-@@ -651,7 +740,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +742,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -65727,7 +66180,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -670,7 +759,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +761,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -65736,7 +66189,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -688,7 +777,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +779,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -65745,7 +66198,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -703,12 +792,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +794,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -65759,7 +66212,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -724,11 +812,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +814,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -65793,7 +66246,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -752,6 +860,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +862,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -65819,7 +66272,7 @@ index 130ced9..b6fb17a 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -765,7 +892,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +894,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -65828,7 +66281,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -805,7 +932,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +934,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -65856,7 +66309,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -828,6 +974,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +976,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -65881,7 +66334,7 @@ index 130ced9..b6fb17a 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -897,7 +1061,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1063,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -65890,7 +66343,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -916,7 +1080,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1082,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -65899,7 +66352,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -963,6 +1127,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1129,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -65945,7 +66398,7 @@ index 130ced9..b6fb17a 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1179,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1181,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -65954,7 +66407,7 @@ index 130ced9..b6fb17a 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1241,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1243,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -65997,7 +66450,7 @@ index 130ced9..b6fb17a 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1291,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1293,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -66006,7 +66459,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -1070,8 +1309,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1311,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -66018,7 +66471,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -1185,6 +1426,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1428,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -66045,7 +66498,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -1210,7 +1471,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1473,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -66054,7 +66507,7 @@ index 130ced9..b6fb17a 100644
##
##
##
-@@ -1220,13 +1481,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1483,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -66079,7 +66532,7 @@ index 130ced9..b6fb17a 100644
')
########################################
-@@ -1243,10 +1514,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1516,458 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -68086,6 +68539,14 @@ index ade6c2c..2b78f0d 100644
manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
+diff --git a/policy/modules/services/zosremote.fc b/policy/modules/services/zosremote.fc
+index d719d0b..7a7fc61 100644
+--- a/policy/modules/services/zosremote.fc
++++ b/policy/modules/services/zosremote.fc
+@@ -1 +1,3 @@
+ /sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
++
++/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
diff --git a/policy/modules/services/zosremote.if b/policy/modules/services/zosremote.if
index 702e768..13f0eef 100644
--- a/policy/modules/services/zosremote.if
@@ -68179,7 +68640,7 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..c547c84 100644
+index 28ad538..7a39e35 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,3 +1,5 @@
@@ -68195,13 +68656,38 @@ index 28ad538..c547c84 100644
+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0)
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
-@@ -30,6 +37,8 @@ ifdef(`distro_gentoo', `
+@@ -16,13 +23,22 @@ ifdef(`distro_suse', `
+ /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
+
++/usr/bin/login -- gen_context(system_u:object_r:login_exec_t,s0)
++
+ /usr/kerberos/sbin/login\.krb5 -- gen_context(system_u:object_r:login_exec_t,s0)
+
+-/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
+-/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
++/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
++/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
++/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ifdef(`distro_gentoo', `
+ /usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+ ')
++/usr/sbin/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++
++/var/ace(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+ /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
+
+@@ -30,6 +46,8 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
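Review bot: The new unconditional `/usr/sbin/unix_chkpwd` entry in the authlogin.fc section duplicates the one still kept in the `distro_gentoo` ifdef block directly below it, with the same path and the same `chkpwd_exec_t` context. On a build with `distro_gentoo` defined both lines would be emitted, and duplicate specifications for one path are typically reported as errors by the file-context tooling. Since the path is now labelled for every distro, dropping the Gentoo-only block looks like the simpler fix.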
@@ -68210,14 +68696,14 @@ index 28ad538..c547c84 100644
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +54,4 @@ ifdef(`distro_gentoo', `
+@@ -45,5 +63,4 @@ ifdef(`distro_gentoo', `
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..5551d16 100644
+index 73554ec..11dfd81 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -68280,7 +68766,7 @@ index 73554ec..5551d16 100644
manage_files_pattern($1, var_auth_t, var_auth_t)
manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +139,28 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +139,29 @@ interface(`auth_login_pgm_domain',`
manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
files_var_filetrans($1, auth_cache_t, dir)
@@ -68291,12 +68777,13 @@ index 73554ec..5551d16 100644
+
# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
kernel_rw_afs_state($1)
-
++ kernel_search_network_sysctl($1)
++
+ tunable_policy(`authlogin_radius',`
+ corenet_udp_bind_all_unreserved_ports($1)
+ ')
+ corenet_tcp_connect_pki_ca_port($1)
-+
+
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
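Review bot: The added `kernel_search_network_sysctl($1)` in `auth_login_pgm_domain` carries no explanation, unlike the neighbouring grants ("needed for afs", "for fingerprint readers"). This interface is applied to every login program domain, so each new permission widens all of them, and a why-comment lets a later audit decide whether the grant is still needed. Something like `# <which PAM module or library walks /proc/sys/net, plus bug reference>` above the call would do. The interface body starts and ends outside this hunk.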
@@ -68310,7 +68797,7 @@ index 73554ec..5551d16 100644
selinux_get_fs_mount($1)
selinux_validate_context($1)
-@@ -145,6 +176,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +177,8 @@ interface(`auth_login_pgm_domain',`
mls_process_set_level($1)
mls_fd_share_all_levels($1)
@@ -68319,7 +68806,7 @@ index 73554ec..5551d16 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -155,13 +188,87 @@ interface(`auth_login_pgm_domain',`
+@@ -155,13 +189,87 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -68409,7 +68896,7 @@ index 73554ec..5551d16 100644
## Use the login program as an entry point program.
##
##
-@@ -368,13 +475,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -368,13 +476,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -68426,7 +68913,7 @@ index 73554ec..5551d16 100644
')
########################################
-@@ -421,6 +530,25 @@ interface(`auth_run_chk_passwd',`
+@@ -421,6 +531,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -68452,7 +68939,7 @@ index 73554ec..5551d16 100644
')
########################################
-@@ -440,7 +568,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -440,7 +569,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -68460,7 +68947,7 @@ index 73554ec..5551d16 100644
')
########################################
-@@ -637,6 +764,10 @@ interface(`auth_manage_shadow',`
+@@ -637,6 +765,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -68471,7 +68958,7 @@ index 73554ec..5551d16 100644
')
#######################################
-@@ -736,7 +867,50 @@ interface(`auth_rw_faillog',`
+@@ -736,7 +868,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -68523,7 +69010,7 @@ index 73554ec..5551d16 100644
')
#######################################
-@@ -932,9 +1106,30 @@ interface(`auth_manage_var_auth',`
+@@ -932,9 +1107,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -68557,7 +69044,7 @@ index 73554ec..5551d16 100644
')
########################################
-@@ -1387,6 +1582,25 @@ interface(`auth_setattr_login_records',`
+@@ -1387,6 +1583,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -68583,7 +69070,7 @@ index 73554ec..5551d16 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1537,37 +1751,49 @@ interface(`auth_manage_login_records',`
+@@ -1537,37 +1752,49 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -68643,7 +69130,7 @@ index 73554ec..5551d16 100644
##
##
##
-@@ -1575,87 +1801,189 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1802,192 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
##
##
@@ -68693,6 +69180,9 @@ index 73554ec..5551d16 100644
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
+ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
++ files_etc_filetrans($1, shadow_t, file, "group.lock")
++ files_etc_filetrans($1, shadow_t, file, "passwd.lock")
++ files_etc_filetrans($1, shadow_t, file, "passwd.adjunct")
+ files_etc_filetrans($1, shadow_t, file, "shadow")
+ files_etc_filetrans($1, shadow_t, file, "shadow-")
+ files_etc_filetrans($1, shadow_t, file, ".pwd.lock")
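Review bot: The three added named transitions match exact file names only, so the `"passwd.adjunct"` rule is narrower than the `/etc/passwd\.adjunct.*` file-context entry this patch adds to authlogin.fc. A file created in /etc under any other name matched by that regex would not get `shadow_t` at creation and would keep the directory's default type until it is relabelled, which matters for data the policy treats as shadow content. A comment above the block would make the limit explicit, for example `# named transitions match the exact name only; other shadow_t paths in authlogin.fc rely on relabeling`. Also confirm that authlogin.fc has matching entries for `group.lock` and `passwd.lock`, which are not visible here; the enclosing interface starts outside this hunk.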
@@ -69071,6 +69561,16 @@ index b7a5f00..93188ef 100644
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
')
+diff --git a/policy/modules/system/clock.fc b/policy/modules/system/clock.fc
+index c5e05ca..c9ddbee 100644
+--- a/policy/modules/system/clock.fc
++++ b/policy/modules/system/clock.fc
+@@ -3,3 +3,5 @@
+
+ /sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
+
++/usr/sbin/hwclock -- gen_context(system_u:object_r:hwclock_exec_t,s0)
++
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
index e2f6d93..c78ccc6 100644
--- a/policy/modules/system/clock.if
@@ -69195,7 +69695,7 @@ index dcc5f1c..5610417 100644
daemontools_manage_svc(svc_start_t)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..ab1e16a 100644
+index a97a096..368d3c2 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
@@ -69211,7 +69711,7 @@ index a97a096..ab1e16a 100644
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -36,6 +34,8 @@
+@@ -36,12 +34,51 @@
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -69220,6 +69720,49 @@ index a97a096..ab1e16a 100644
/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
++/usr/lib/systemd/systemd-fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++
++/usr/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/dumpe2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e2fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/e2label -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/findfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/hdparm -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/install-mbr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/jfs_.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/losetup.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/lsraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/make_reiser4 -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkdosfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/raidstart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/reiserfs(ck|tune) -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/resize.*fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/scsi_info -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/usr/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+ /var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index c28da1c..10bc43c 100644
--- a/policy/modules/system/fstools.te
@@ -69304,6 +69847,19 @@ index c28da1c..10bc43c 100644
xen_append_log(fsadm_t)
xen_rw_image_files(fsadm_t)
')
+diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
+index e1a1848..909af45 100644
+--- a/policy/modules/system/getty.fc
++++ b/policy/modules/system/getty.fc
+@@ -3,6 +3,8 @@
+
+ /sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
++/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
++
+ /var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
+ /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
+
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index ede3231..c8c15bd 100644
--- a/policy/modules/system/getty.te
@@ -69330,6 +69886,15 @@ index ede3231..c8c15bd 100644
ppp_domtrans(getty_t)
')
+diff --git a/policy/modules/system/hostname.fc b/policy/modules/system/hostname.fc
+index 9dfecf7..6d00f5c 100644
+--- a/policy/modules/system/hostname.fc
++++ b/policy/modules/system/hostname.fc
+@@ -1,2 +1,4 @@
+
+ /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
++
++/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index c310775..d172193 100644
--- a/policy/modules/system/hostname.te
@@ -69382,6 +69947,19 @@ index c310775..d172193 100644
nis_use_ypbind(hostname_t)
')
+diff --git a/policy/modules/system/hotplug.fc b/policy/modules/system/hotplug.fc
+index caf736b..91c4c6f 100644
+--- a/policy/modules/system/hotplug.fc
++++ b/policy/modules/system/hotplug.fc
+@@ -7,5 +7,8 @@
+ /sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+ /sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
+
++/usr/sbin/hotplug -- gen_context(system_u:object_r:hotplug_exec_t,s0)
++/usr/sbin/netplugd -- gen_context(system_u:object_r:hotplug_exec_t,s0)
++
+ /var/run/usb(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
+ /var/run/hotplug(/.*)? gen_context(system_u:object_r:hotplug_var_run_t,s0)
diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if
index 40eb10c..2a0a32c 100644
--- a/policy/modules/system/hotplug.if
@@ -69433,16 +70011,15 @@ index 1a3d970..0995a02 100644
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 354ce93..b8b14b9 100644
+index 354ce93..32b31b4 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
-@@ -33,9 +33,24 @@ ifdef(`distro_gentoo', `
+@@ -33,9 +33,23 @@ ifdef(`distro_gentoo', `
#
# /sbin
#
+/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+
-+
+#
+# systemd init scripts
+#
@@ -69461,17 +70038,31 @@ index 354ce93..b8b14b9 100644
ifdef(`distro_gentoo', `
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
-@@ -55,6 +70,9 @@ ifdef(`distro_gentoo', `
+@@ -50,11 +64,23 @@ ifdef(`distro_gentoo', `
+ #
+ /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
++/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
++# because nowadays, /sbin/init is often a symlink to /sbin/upstart
++/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
++
++/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
++/usr/lib/systemd/fedora[^/]* -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
++
+ /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
+ /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
++/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+
+/usr/share/system-config-services/system-config-services-mechanism\.py -- gen_context(system_u:object_r:initrc_exec_t,s0)
#
# /var
-@@ -76,3 +94,4 @@ ifdef(`distro_suse', `
+@@ -76,3 +102,4 @@ ifdef(`distro_suse', `
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
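Review bot: The catch-all `/usr/lib/systemd/[^/]*` entry gives `init_exec_t` to every regular file placed directly in that directory, including helpers that are not init. Elsewhere in this patch fstools.fc and logging.fc add more specific entries for `systemd-fsck` and `systemd-kmsg-syslogd`, so the scheme depends on each module remembering to override the wildcard. I would document that next to the entry, e.g. `# catch-all: a helper that needs its own domain must add a more specific entry in its own module`. The copied comment above `/usr/sbin/upstart` still refers to `/sbin/init` and `/sbin/upstart` and could name the /usr/sbin paths instead.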
@@ -70407,7 +70998,7 @@ index 94fd8dd..ef5a3c8 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..4e87d49 100644
+index 29a9565..ddc7143 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -70607,11 +71198,12 @@ index 29a9565..4e87d49 100644
+storage_raw_rw_fixed_disk(init_t)
+
-+optional_policy(`
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ modutils_domtrans_insmod(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ postfix_exec(init_t)
+ mta_read_aliases(init_t)
+')
@@ -70718,12 +71310,11 @@ index 29a9565..4e87d49 100644
+auth_use_nsswitch(init_t)
+auth_rw_login_records(init_t)
+
- optional_policy(`
-- auth_rw_login_records(init_t)
++optional_policy(`
+ lvm_rw_pipes(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@@ -71221,7 +71812,18 @@ index 29a9565..4e87d49 100644
')
optional_policy(`
-@@ -790,10 +1151,12 @@ optional_policy(`
+@@ -781,6 +1142,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ sendmail_setattr_pid_files(initrc_t)
++')
++
++optional_policy(`
+ # shorewall-init script run /var/lib/shorewall/firewall
+ shorewall_lib_domtrans(initrc_t)
+ ')
+@@ -790,10 +1155,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -71234,7 +71836,7 @@ index 29a9565..4e87d49 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1168,6 @@ optional_policy(`
+@@ -805,7 +1172,6 @@ optional_policy(`
')
optional_policy(`
@@ -71242,7 +71844,7 @@ index 29a9565..4e87d49 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1177,26 @@ optional_policy(`
+@@ -815,11 +1181,26 @@ optional_policy(`
')
optional_policy(`
@@ -71270,7 +71872,7 @@ index 29a9565..4e87d49 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1206,18 @@ optional_policy(`
+@@ -829,6 +1210,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -71289,7 +71891,7 @@ index 29a9565..4e87d49 100644
')
optional_policy(`
-@@ -844,6 +1233,10 @@ optional_policy(`
+@@ -844,6 +1237,10 @@ optional_policy(`
')
optional_policy(`
@@ -71300,7 +71902,7 @@ index 29a9565..4e87d49 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1247,160 @@ optional_policy(`
+@@ -854,3 +1251,160 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -71691,7 +72293,7 @@ index 55a6cd8..94e11eb 100644
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 05fb364..c054118 100644
+index 05fb364..dd07f08 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,7 +1,7 @@
@@ -71705,16 +72307,27 @@ index 05fb364..c054118 100644
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-@@ -12,8 +12,4 @@
+@@ -12,8 +12,17 @@
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
--
--/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
++/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+ /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++
++/usr/lib/systemd/system/iptables6?.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 7ba53db..db118e3 100644
--- a/policy/modules/system/iptables.if
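Review bot: The unit-file pattern `/usr/lib/systemd/system/iptables6?.service` does not follow the `ip6?tables` form used for the binaries in the same hunk, so it matches `iptables.service` and `iptables6.service` but not a unit named `ip6tables.service`. If the IPv6 unit uses that name, as the binary names suggest, it would miss `iptables_unit_file_t` and rules written for that type would not cover it. The dot before `service` is also unescaped and matches any character. Suggested line: `/usr/lib/systemd/system/ip6?tables\.service -- gen_context(system_u:object_r:iptables_unit_file_t,s0)`.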
@@ -71869,6 +72482,17 @@ index f3e1b57..d7fd7fb 100644
shorewall_read_config(iptables_t)
')
+diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
+index 14d9670..4c9d1b4 100644
+--- a/policy/modules/system/iscsi.fc
++++ b/policy/modules/system/iscsi.fc
+@@ -5,3 +5,6 @@
+ /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+ /var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
+ /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
++
++/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index ddbd8be..65b5762 100644
--- a/policy/modules/system/iscsi.te
@@ -71899,10 +72523,10 @@ index ddbd8be..65b5762 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..ffb8797 100644
+index 560dc48..39aace9 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
-@@ -28,7 +28,9 @@ ifdef(`distro_redhat',`
+@@ -28,26 +28,23 @@ ifdef(`distro_redhat',`
# /etc
#
/etc/ld\.so\.cache -- gen_context(system_u:object_r:ld_so_cache_t,s0)
@@ -71912,9 +72536,11 @@ index 560dc48..ffb8797 100644
/etc/ppp/plugins/rp-pppoe\.so -- gen_context(system_u:object_r:lib_t,s0)
-@@ -37,17 +39,12 @@ ifdef(`distro_redhat',`
#
- /lib -d gen_context(system_u:object_r:lib_t,s0)
+ # /lib(64)?
+ #
+-/lib -d gen_context(system_u:object_r:lib_t,s0)
++/lib gen_context(system_u:object_r:lib_t,s0)
/lib/.* gen_context(system_u:object_r:lib_t,s0)
-/lib64 -d gen_context(system_u:object_r:lib_t,s0)
-/lib64/.* gen_context(system_u:object_r:lib_t,s0)
@@ -71938,7 +72564,20 @@ index 560dc48..ffb8797 100644
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?jre/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -119,64 +115,62 @@ ifdef(`distro_redhat',`
+@@ -111,6 +107,12 @@ ifdef(`distro_redhat',`
+ #
+ # /usr
+ #
++/usr/lib -d gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/.* gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
++
++/usr/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+@@ -119,64 +121,62 @@ ifdef(`distro_redhat',`
/usr/(.*/)?java/.+\.jsa -- gen_context(system_u:object_r:lib_t,s0)
/usr/(.*/)?lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
@@ -72037,7 +72676,7 @@ index 560dc48..ffb8797 100644
')
ifdef(`distro_gentoo',`
-@@ -195,7 +189,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -195,7 +195,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/allegro/(.*/)?alleg-vga\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -72045,7 +72684,7 @@ index 560dc48..ffb8797 100644
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +196,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +202,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/VBoxVMM\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -72190,7 +72829,7 @@ index 560dc48..ffb8797 100644
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +297,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -303,8 +303,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -72200,7 +72839,7 @@ index 560dc48..ffb8797 100644
') dnl end distro_redhat
#
-@@ -312,17 +305,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -312,17 +311,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
#
/var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0)
@@ -72344,7 +72983,7 @@ index 560dc48..ffb8797 100644
+
+/usr/lib/libGLcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libkmplayercommon\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/Unify/SQLBase/libgptsblmsui11\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
@@ -72361,6 +73000,8 @@ index 560dc48..ffb8797 100644
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 808ba93..4ff705d 100644
--- a/policy/modules/system/libraries.if
@@ -72543,15 +73184,18 @@ index e5836d3..eae9427 100644
- unconfined_domain(ldconfig_t)
-')
diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc
-index be6a81b..9a27055 100644
+index be6a81b..a5303e9 100644
--- a/policy/modules/system/locallogin.fc
+++ b/policy/modules/system/locallogin.fc
-@@ -1,3 +1,5 @@
+@@ -1,3 +1,8 @@
+HOME_DIR/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
+/root/\.hushlogin -- gen_context(system_u:object_r:local_login_home_t,s0)
/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++
++/usr/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
++/usr/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 0e3c2a9..40adf5a 100644
--- a/policy/modules/system/locallogin.if
@@ -72772,10 +73416,10 @@ index a0b379d..2291a13 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..cd16709 100644
+index 02f4c97..314efca 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -17,6 +17,13 @@
+@@ -17,12 +17,26 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -72784,12 +73428,26 @@ index 02f4c97..cd16709 100644
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
++/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++
+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
++/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
++/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
++/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
++/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -38,7 +45,7 @@ ifdef(`distro_suse', `
+ /usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+-/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+ /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+ /var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+@@ -38,7 +52,7 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -72798,7 +73456,7 @@ index 02f4c97..cd16709 100644
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -73,4 +80,8 @@ ifdef(`distro_redhat',`
+@@ -73,4 +87,8 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -73255,7 +73913,7 @@ index b6ec597..5684c8a 100644
optional_policy(`
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..7b22111 100644
+index 879bb1e..1121047 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',`
@@ -73284,7 +73942,76 @@ index 879bb1e..7b22111 100644
/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -97,5 +101,7 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +92,66 @@ ifdef(`distro_gentoo',`
+ #
+ # /usr
+ #
+-/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
+-/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
++/usr/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/dmsetup\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/e2fsadm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/kpartx -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvresize -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/multipathd -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/multipath\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvdata -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvmove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/pvscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcfgbackup -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcfgrestore -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgchange\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgck -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgcreate -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgexport -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgimport -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgmerge -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgmknodes -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgreduce -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgremove -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgrename -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgs -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgscan\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0)
++
++/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
+
+ #
+ # /var
+@@ -97,5 +159,7 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
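Review bot: The /usr/sbin and /usr/lib entries added to lvm.fc repeat the existing /sbin list by hand, so the two copies can drift apart, and a tool missing from one copy falls back to whatever broader pattern matches instead of lvm_exec_t. The same hand-copied mirroring appears in the modutils.fc, mount.fc, raid.fc, sysnetwork.fc, systemd.fc and udev.fc hunks further down. If the build supports path equivalence (a `file_contexts.subs_dist` mapping between the two trees), one authoritative list would be safer. Otherwise I would put `# keep in sync with the /sbin entries above` on each duplicated group.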
@@ -73594,19 +74321,21 @@ index a0a0ebf..5e4149d 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 172287e..ec1f0e8 100644
+index 172287e..88fc786 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
-@@ -9,7 +9,7 @@ ifdef(`distro_gentoo',`
+@@ -9,8 +9,9 @@ ifdef(`distro_gentoo',`
# /etc
#
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
++/etc/locale.conf -- gen_context(system_u:object_r:locale_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
-@@ -34,7 +34,7 @@ ifdef(`distro_redhat',`
+
+@@ -34,7 +35,7 @@ ifdef(`distro_redhat',`
#
/usr/lib/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
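Review bot: The added `/etc/locale.conf` entry leaves the dot unescaped, so as a regex it matches any character in that position rather than a literal dot. Other entries in this patch escape it (`boot\.log`, `lvm\.static`, `modprobe\.conf`). I would write the line as `/etc/locale\.conf -- gen_context(system_u:object_r:locale_t,s0)`.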
@@ -73616,7 +74345,7 @@ index 172287e..ec1f0e8 100644
/usr/local/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/local/share/man(/.*)? gen_context(system_u:object_r:man_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
-index 926ba65..38de7a8 100644
+index 926ba65..b2d74f7 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -582,6 +582,26 @@ interface(`miscfiles_manage_man_pages',`
@@ -73654,7 +74383,7 @@ index 926ba65..38de7a8 100644
')
########################################
-@@ -769,3 +788,41 @@ interface(`miscfiles_manage_localization',`
+@@ -769,3 +788,42 @@ interface(`miscfiles_manage_localization',`
manage_lnk_files_pattern($1, locale_t, locale_t)
')
@@ -73681,6 +74410,7 @@ index 926ba65..38de7a8 100644
+ ')
+
+ files_etc_filetrans($1, locale_t, file, "localtime")
++ files_etc_filetrans($1, locale_t, file, "locale.conf")
+ files_var_filetrans($1, man_t, dir, "man")
+ files_etc_filetrans($1, locale_t, file, "timezone")
+ files_etc_filetrans($1, locale_t, file, "clock")
@@ -73709,7 +74439,7 @@ index 703944c..1d3a6a9 100644
#
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
-index 532181a..2410551 100644
+index 532181a..5944521 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -10,10 +10,8 @@ ifdef(`distro_gentoo',`
@@ -73723,6 +74453,21 @@ index 532181a..2410551 100644
/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+@@ -22,3 +20,14 @@ ifdef(`distro_gentoo',`
+ /sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+ /sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
+ /sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++
++/usr/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
++/usr/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++/usr/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++/usr/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
++/usr/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
++
++/usr/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
++/usr/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..91360ac 100644
--- a/policy/modules/system/modutils.if
@@ -74044,10 +74789,10 @@ index a0eef20..6b39756 100644
ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..704d2d7 100644
+index 72c746e..fa210cd 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,16 @@
+@@ -1,4 +1,21 @@
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -74060,6 +74805,11 @@ index 72c746e..704d2d7 100644
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+/usr/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
++/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++
++/usr/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
++/usr/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/sbin/showmount -- gen_context(system_u:object_r:showmount_exec_t,s0)
+
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
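Review bot: `/usr/bin/mount.*` and `/usr/bin/umount.*` give mount_exec_t to every file in /usr/bin whose name merely starts with mount or umount, because `.*` accepts any suffix. This mirrors the existing `/bin/mount.*` line, but /usr/bin holds far more programs, so an unrelated tool with that prefix would pick up the label and, presumably, the domain transition that goes with it. If only `mount` and its dotted helpers are meant, `/usr/bin/mount(\..*)?` and `/usr/bin/umount(\..*)?` are tighter. The same applies to the two /usr/sbin lines.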
@@ -74673,6 +75423,14 @@ index 15832c7..aa18423 100644
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_inherited_user_terminals(showmount_t)
+diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
+index b263a8a..9348c8c 100644
+--- a/policy/modules/system/netlabel.fc
++++ b/policy/modules/system/netlabel.fc
+@@ -1 +1,3 @@
+ /sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++
++/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index cbbda4a..8dcc346 100644
--- a/policy/modules/system/netlabel.te
@@ -74690,6 +75448,20 @@ index cbbda4a..8dcc346 100644
+
+userdom_use_inherited_user_terminals(netlabel_mgmt_t)
+
+diff --git a/policy/modules/system/pcmcia.fc b/policy/modules/system/pcmcia.fc
+index 9cf0e56..2b5260a 100644
+--- a/policy/modules/system/pcmcia.fc
++++ b/policy/modules/system/pcmcia.fc
+@@ -4,6 +4,9 @@
+ /sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
+ /sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
+
++/usr/sbin/cardctl -- gen_context(system_u:object_r:cardctl_exec_t,s0)
++/usr/sbin/cardmgr -- gen_context(system_u:object_r:cardmgr_exec_t,s0)
++
+ /var/lib/pcmcia(/.*)? gen_context(system_u:object_r:cardmgr_var_run_t,s0)
+
+ /var/run/cardmgr\.pid -- gen_context(system_u:object_r:cardmgr_var_run_t,s0)
diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te
index 4d06ae3..e81b7ac 100644
--- a/policy/modules/system/pcmcia.te
@@ -74731,24 +75503,25 @@ index 4d06ae3..e81b7ac 100644
seutil_sigchld_newrole(cardmgr_t)
')
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
-index ed9c70d..7a6f23a 100644
+index ed9c70d..480267e 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
-@@ -1,6 +1,13 @@
+@@ -1,6 +1,14 @@
-/dev/.mdadm.map -- gen_context(system_u:object_r:mdadm_map_t,s0)
+/dev/.mdadm\.map -- gen_context(system_u:object_r:mdadm_var_run_t,s0)
+/dev/md(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+#669402
-+/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
- /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
-+
++/usr/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++
+ /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index b1a85b5..db0d815 100644
--- a/policy/modules/system/raid.if
@@ -74860,7 +75633,7 @@ index a19ecea..99c4da1 100644
')
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index 2cc4bda..167c358 100644
+index 2cc4bda..bd86c17 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -6,13 +6,13 @@
@@ -74880,7 +75653,7 @@ index 2cc4bda..167c358 100644
#
# /root
-@@ -32,17 +32,26 @@
+@@ -32,17 +32,27 @@
/usr/bin/checkpolicy -- gen_context(system_u:object_r:checkpolicy_exec_t,s0)
/usr/bin/newrole -- gen_context(system_u:object_r:newrole_exec_t,s0)
@@ -74888,6 +75661,7 @@ index 2cc4bda..167c358 100644
+/usr/lib/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
/usr/sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0)
++/usr/sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/restorecond -- gen_context(system_u:object_r:restorecond_exec_t,s0)
/usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0)
/usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
@@ -75814,6 +76588,17 @@ index 7ed9819..ac8b214 100644
- hotplug_use_fds(setfiles_t)
+ unconfined_domain(setfiles_mac_t)
')
+diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
+index bea4629..427e5f6 100644
+--- a/policy/modules/system/setrans.fc
++++ b/policy/modules/system/setrans.fc
+@@ -2,4 +2,6 @@
+
+ /sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
+
++/usr/sbin/mcstransd -- gen_context(system_u:object_r:setrans_exec_t,s0)
++
+ /var/run/setrans(/.*)? gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 1447687..cdc0223 100644
--- a/policy/modules/system/setrans.te
@@ -75827,7 +76612,7 @@ index 1447687..cdc0223 100644
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 694fd94..334e80e 100644
+index 694fd94..ff9af99 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -10,10 +10,10 @@
@@ -75844,7 +76629,28 @@ index 694fd94..334e80e 100644
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
-@@ -64,3 +64,5 @@ ifdef(`distro_redhat',`
+@@ -48,6 +48,20 @@ ifdef(`distro_redhat',`
+ #
+ # /usr
+ #
++/usr/bin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++
++/usr/sbin/dhclient.* -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/dhcdbd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/dhcpcd -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
++/usr/sbin/ethtool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ifconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ip -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
++/usr/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
+ /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+
+ #
+@@ -64,3 +78,5 @@ ifdef(`distro_redhat',`
ifdef(`distro_gentoo',`
/var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
')
@@ -76423,23 +77229,32 @@ index 34d0ec5..8aa3908 100644
+')
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
-index 0000000..db57bc7
+index 0000000..0d3e625
--- /dev/null
+++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,19 @@
-+/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
-+
-+/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
-+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
-+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+@@ -0,0 +1,28 @@
++/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
++/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
++/usr/bin/systemctl -- gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
+/usr/bin/systemd-gnome-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++/usr/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0)
++/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
++
+
+/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
+/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
+/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+
++/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
++/usr/lib/systemd/systemd-logger -- gen_context(system_u:object_r:systemd_logger_exec_t,s0)
++/usr/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
++
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_sessions_t,s0)
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
@@ -76448,10 +77263,10 @@ index 0000000..db57bc7
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..5571350
+index 0000000..1688a39
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,503 @@
+@@ -0,0 +1,504 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -76678,6 +77493,7 @@ index 0000000..5571350
+
+ allow $1 systemd_logind_t:dbus send_msg;
+ allow systemd_logind_t $1:dbus send_msg;
++ ps_process_pattern(systemd_logind_t, $1)
+')
+
+#######################################
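Review bot: The added `ps_process_pattern(systemd_logind_t, $1)` widens what this interface grants: besides the two dbus `send_msg` rules, every domain that calls it now also lets systemd_logind_t read its process information. The interface header starts outside this hunk, so I cannot see its summary. If that summary still describes only D-Bus messaging, it should be updated, for example to `## Exchange dbus messages with systemd-logind and let it read the caller's process state.` A one-line why-comment above the new rule would also help later audits of callers.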
@@ -76957,10 +77773,10 @@ index 0000000..5571350
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..b7da774
+index 0000000..9e08125
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,378 @@
+@@ -0,0 +1,381 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -77162,6 +77978,8 @@ index 0000000..b7da774
+
+dev_write_kmsg(systemd_tmpfiles_t)
+
++domain_obj_id_change_exemption(systemd_tmpfiles_t)
++
+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
+fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
+fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
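Review bot: `domain_obj_id_change_exemption(systemd_tmpfiles_t)` is added without a comment, while the rules right below it state their purpose. According to the changelog entry in this commit, it lets systemd-tmpfiles change the user identity in object contexts. That is an exemption from a policy constraint, so the reason should sit next to the rule. I would add something like `# systemd-tmpfiles sets the SELinux user on files it creates or relabels` above it, with the exact wording confirmed by the author. The surrounding policy block continues outside this hunk.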
@@ -77246,6 +78064,7 @@ index 0000000..b7da774
+ # we have /run/user/$USER/dconf
+ gnome_delete_home_config(systemd_tmpfiles_t)
+ gnome_delete_home_config_dirs(systemd_tmpfiles_t)
++ gnome_setattr_home_config_dirs(systemd_tmpfiles_t)
+')
+
+optional_policy(`
@@ -77340,7 +78159,7 @@ index 0000000..b7da774
+
+miscfiles_read_localization(systemctl_domain)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..397e4f6 100644
+index 0291685..0e9e2b6 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
@@ -77353,18 +78172,30 @@ index 0291685..397e4f6 100644
/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
-@@ -15,10 +15,13 @@
- /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -10,6 +10,7 @@
+ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+ /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+ /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
+@@ -21,4 +22,17 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
++
++/usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
++/usr/lib/udev/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
++
+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
@@ -78584,7 +79415,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..b7ed01c 100644
+index 4b2878a..17cc2fc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -80908,7 +81739,7 @@ index 4b2878a..b7ed01c 100644
## Create keys for all user domains.
##
##
-@@ -3194,3 +3912,1205 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3912,1236 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -80965,6 +81796,38 @@ index 4b2878a..b7ed01c 100644
+ ubac_constrained($2)
+')
+
++#######################################
++##
++## Define this type as a Allow apps to set rlimits on userdomain
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++template(`userdom_unpriv_type',`
++ gen_require(`
++ attribute unpriv_userdomain, userdomain;
++ ')
++ typeattribute $2 unpriv_userdomain;
++ typeattribute $2 userdomain;
++
++ auth_use_nsswitch($2)
++ ubac_constrained($2)
++')
++
+########################################
+##
+## Connect to users over an unix stream socket.
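Review bot: The header of the new `userdom_unpriv_type` template reads "Define this type as a Allow apps to set rlimits on userdomain", which looks like two summaries pasted together and does not describe the body. The text "Domain allowed access." also appears twice, and only `$2` is used in the lines shown, so it is unclear which description belongs to which parameter (the doc markup is not visible in this view). The body adds `$2` to the `unpriv_userdomain` and `userdomain` attributes and calls `auth_use_nsswitch` and `ubac_constrained` on it. Because attribute membership pulls in every rule written against those attributes, a summary such as `## Define this type as an unprivileged user domain.` with one accurate description per parameter would make that explicit.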
@@ -82113,7 +82976,6 @@ index 4b2878a..b7ed01c 100644
+
+ typeattribute $1 userdom_home_manager_type;
+')
-+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 9b4a930..ced52ff 100644
--- a/policy/modules/system/userdomain.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2c7dc94..245cbf7 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 64%{?dist}
+Release: 65%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -238,7 +238,7 @@ Based off of reference policy: Checked out revision 2.20091117
%setup -n serefpolicy-%{version} -q
%patch -p1
%patch1 -p1 -b .unconfined
-%patch2 -p1 -b .thumb
+#%patch2 -p1 -b .thumb
%install
mkdir selinux_config
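Review bot: `%patch2` is disabled by turning it into `#%patch2 -p1 -b .thumb` with no reason given, and the 3.10.0-65 changelog entry added by this commit does not mention it. Dropping a policy patch changes the shipped policy, so I would record it with a comment such as `# patch2 (.thumb) disabled: <reason>` and a changelog bullet. rpm can still expand macros inside comments, so the usual form is `#%%patch2 -p1 -b .thumb`. If the patch is gone for good, removing the line and the matching patch tag (which is outside this hunk) is cleaner.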
@@ -470,6 +470,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Dec 6 2011 Miroslav Grepl 3.10.0-65
+- Fixes related to /bin, /sbin
+- Allow abrt to getattr on blk files
+- Add type for rhev-agent log file
+- Fix labeling for /dev/dmfm
+- Dontaudit wicd leaking
+- Allow systemd_logind_t to look at process info of apps that exchange dbus messages with it
+- Label /etc/locale.conf correctly
+- Allow user_mail_t to read /dev/random
+- Allow postfix-smtpd to read MIMEDefang
+- Add label for /var/log/suphp.log
+- Allow swat_t to connect and read/write nmbd_t sock_file
+- Allow systemd-tmpfiles to setattr for /run/user/gdm/dconf
+- Allow systemd-tmpfiles to change user identity in object contexts
+- More fixes for rhev_agentd_t consolehelper policy
+
* Thu Dec 1 2011 Miroslav Grepl 3.10.0-64
- Use fs_use_xattr for squashf
- Fix procs_type interface