diff --git a/policy-F14.patch b/policy-F14.patch
index 384f625..c9db2fc 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -8291,7 +8291,7 @@ index 3517db2..bd4c23d 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 5302dac..2bf2d69 100644
+index 5302dac..c0b844e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -8375,7 +8375,32 @@ index 5302dac..2bf2d69 100644
## Execute generic files in /etc.
##
##
-@@ -3086,6 +3138,7 @@ interface(`files_getattr_home_dir',`
+@@ -2605,6 +2657,24 @@ interface(`files_read_etc_runtime_files',`
+
+ ########################################
+ ##
++## Do not audit attempts to set the attributes of the etc_runtime files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_dontaudit_setattr_etc_runtime_files',`
++ gen_require(`
++ type etc_runtime_t;
++ ')
++
++ dontaudit $1 etc_runtime_t:file setattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to read files
+ ## in /etc that are dynamically
+ ## created on boot, such as mtab.
+@@ -3086,6 +3156,7 @@ interface(`files_getattr_home_dir',`
')
allow $1 home_root_t:dir getattr;
@@ -8383,7 +8408,7 @@ index 5302dac..2bf2d69 100644
')
########################################
-@@ -3106,6 +3159,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3106,6 +3177,7 @@ interface(`files_dontaudit_getattr_home_dir',`
')
dontaudit $1 home_root_t:dir getattr;
@@ -8391,7 +8416,7 @@ index 5302dac..2bf2d69 100644
')
########################################
-@@ -3347,6 +3401,24 @@ interface(`files_list_mnt',`
+@@ -3347,6 +3419,24 @@ interface(`files_list_mnt',`
allow $1 mnt_t:dir list_dir_perms;
')
@@ -8416,7 +8441,7 @@ index 5302dac..2bf2d69 100644
########################################
##
## Mount a filesystem on /mnt.
-@@ -3420,6 +3492,24 @@ interface(`files_read_mnt_files',`
+@@ -3420,6 +3510,24 @@ interface(`files_read_mnt_files',`
read_files_pattern($1, mnt_t, mnt_t)
')
@@ -8441,7 +8466,7 @@ index 5302dac..2bf2d69 100644
########################################
##
## Create, read, write, and delete symbolic links in /mnt.
-@@ -3711,6 +3801,100 @@ interface(`files_read_world_readable_sockets',`
+@@ -3711,6 +3819,100 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -8542,7 +8567,7 @@ index 5302dac..2bf2d69 100644
########################################
##
## Allow the specified type to associate
-@@ -3896,6 +4080,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3896,6 +4098,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -8575,7 +8600,7 @@ index 5302dac..2bf2d69 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4109,6 +4319,13 @@ interface(`files_purge_tmp',`
+@@ -4109,6 +4337,13 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -8589,7 +8614,7 @@ index 5302dac..2bf2d69 100644
')
########################################
-@@ -4718,6 +4935,24 @@ interface(`files_read_var_files',`
+@@ -4718,6 +4953,24 @@ interface(`files_read_var_files',`
########################################
##
@@ -8614,7 +8639,7 @@ index 5302dac..2bf2d69 100644
## Read and write files in the /var directory.
##
##
-@@ -5053,6 +5288,24 @@ interface(`files_manage_mounttab',`
+@@ -5053,6 +5306,24 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -8639,7 +8664,7 @@ index 5302dac..2bf2d69 100644
## Search the locks directory (/var/lock).
##
##
-@@ -5138,12 +5391,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5138,12 +5409,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -8656,7 +8681,7 @@ index 5302dac..2bf2d69 100644
')
########################################
-@@ -5317,6 +5570,43 @@ interface(`files_search_pids',`
+@@ -5317,6 +5588,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -8700,7 +8725,7 @@ index 5302dac..2bf2d69 100644
########################################
##
## Do not audit attempts to search
-@@ -5524,6 +5814,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5524,6 +5832,26 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -8727,7 +8752,7 @@ index 5302dac..2bf2d69 100644
## Read all process ID files.
##
##
-@@ -5541,6 +5851,7 @@ interface(`files_read_all_pids',`
+@@ -5541,6 +5869,7 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -8735,7 +8760,7 @@ index 5302dac..2bf2d69 100644
')
########################################
-@@ -5826,3 +6137,247 @@ interface(`files_unconfined',`
+@@ -5826,3 +6155,247 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -18797,10 +18822,10 @@ index 9bd812b..c808b31 100644
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..a50a8a7 100644
+index fdaeeba..1f6f6f3 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
-@@ -96,6 +96,10 @@ optional_policy(`
+@@ -96,10 +96,18 @@ optional_policy(`
')
optional_policy(`
@@ -18811,6 +18836,14 @@ index fdaeeba..a50a8a7 100644
dbus_system_bus_client(dnsmasq_t)
')
+ optional_policy(`
++ ppp_read_pid_files(dnsmasq_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(dnsmasq_t)
+ ')
+
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
index bfc880b..9a1dcba 100644
--- a/policy/modules/services/dovecot.fc
@@ -18893,7 +18926,7 @@ index e1d7dc5..ee51a19 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..396f956 100644
+index cbe14e4..dd7fe41 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -18959,6 +18992,15 @@ index cbe14e4..396f956 100644
postgresql_stream_connect(dovecot_t)
')
+@@ -179,7 +189,7 @@ optional_policy(`
+ # dovecot auth local policy
+ #
+
+-allow dovecot_auth_t self:capability { chown dac_override setgid setuid };
++allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid };
+ allow dovecot_auth_t self:process { signal_perms getcap setcap };
+ allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
+ allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
@@ -242,6 +252,7 @@ optional_policy(`
')
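Review bot: The widening of dovecot_auth_t's `self:capability` set to include `ipc_lock` carries no rationale, and ipc_lock is double-edged: it is what mlock()/mlockall() need to keep credential buffers out of swap, but it also lets the domain pin memory beyond RLIMIT_MEMLOCK and use SHM_LOCK. Presumably this came from an AVC for mlock() in the auth worker — confirm that against the denial and record it on the line, e.g. `allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid }; # ipc_lock: mlock() of auth buffers`. An unannotated capability grant is the kind of line that gets copied forward without anyone re-checking it.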
@@ -20348,6 +20390,18 @@ index 7d97298..d6b2959 100644
- allow $1 gpmctl_t:sock_file setattr;
+ allow $1 gpmctl_t:sock_file setattr_sock_file_perms;
')
+diff --git a/policy/modules/services/gpm.te b/policy/modules/services/gpm.te
+index a627b34..c899c61 100644
+--- a/policy/modules/services/gpm.te
++++ b/policy/modules/services/gpm.te
+@@ -69,6 +69,7 @@ miscfiles_read_localization(gpm_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(gpm_t)
+ userdom_dontaudit_search_user_home_dirs(gpm_t)
++userdom_use_user_terminals(gpm_t)
+
+ optional_policy(`
+ seutil_sigchld_newrole(gpm_t)
diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te
index 03742d8..7b9c543 100644
--- a/policy/modules/services/gpsd.te
@@ -23240,7 +23294,7 @@ index 343cee3..2f948ad 100644
+ ')
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..36e64e9 100644
+index 64268e4..a765618 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -23254,13 +23308,14 @@ index 64268e4..36e64e9 100644
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
-@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t)
+@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t)
# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
-allow system_mail_t self:fifo_file rw_fifo_file_perms;
--
+
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
++append_files_pattern(system_mail_t, mail_home_t, mail_home_t)
read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
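Review bot: `append_files_pattern(system_mail_t, mail_home_t, mail_home_t)` lets the system mail client append to every file carrying mail_home_t in users' home directories, not only the one it presumably needs for undeliverable-mail output. Which home files are labeled mail_home_t is decided in mta.fc and is not visible here; if that type also covers files the MTA should merely read (forwarding or filter configuration), this line becomes a write path into them from a system domain. Add a comment naming the file the append is for, e.g. `# append: dead-letter output in the user's home`, so the grant can be checked against the label set.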
@@ -23277,7 +23332,7 @@ index 64268e4..36e64e9 100644
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t)
+@@ -82,6 +71,9 @@ init_use_script_ptys(system_mail_t)
userdom_use_user_terminals(system_mail_t)
userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -23287,7 +23342,7 @@ index 64268e4..36e64e9 100644
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
-@@ -92,17 +82,28 @@ optional_policy(`
+@@ -92,17 +84,28 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -23317,7 +23372,7 @@ index 64268e4..36e64e9 100644
clamav_stream_connect(system_mail_t)
clamav_append_log(system_mail_t)
')
-@@ -111,6 +112,8 @@ optional_policy(`
+@@ -111,6 +114,8 @@ optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t)
cron_rw_system_job_stream_sockets(system_mail_t)
@@ -23326,7 +23381,7 @@ index 64268e4..36e64e9 100644
')
optional_policy(`
-@@ -124,12 +127,8 @@ optional_policy(`
+@@ -124,12 +129,8 @@ optional_policy(`
')
optional_policy(`
@@ -23340,7 +23395,7 @@ index 64268e4..36e64e9 100644
')
optional_policy(`
-@@ -146,6 +145,10 @@ optional_policy(`
+@@ -146,6 +147,10 @@ optional_policy(`
')
optional_policy(`
@@ -23351,7 +23406,7 @@ index 64268e4..36e64e9 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,18 +161,6 @@ optional_policy(`
+@@ -158,18 +163,6 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -23370,7 +23425,7 @@ index 64268e4..36e64e9 100644
')
optional_policy(`
-@@ -189,6 +180,10 @@ optional_policy(`
+@@ -189,6 +182,10 @@ optional_policy(`
')
optional_policy(`
@@ -23381,7 +23436,7 @@ index 64268e4..36e64e9 100644
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,7 +194,7 @@ optional_policy(`
+@@ -199,7 +196,7 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -23390,7 +23445,7 @@ index 64268e4..36e64e9 100644
arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
')
-@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +217,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -23400,7 +23455,7 @@ index 64268e4..36e64e9 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -249,11 +245,16 @@ optional_policy(`
+@@ -249,11 +247,16 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -23417,7 +23472,7 @@ index 64268e4..36e64e9 100644
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +293,42 @@ optional_policy(`
+@@ -292,3 +295,42 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -24012,11 +24067,14 @@ index da5b33d..3b620e3 100644
optional_policy(`
diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..d15cc4b 100644
+index 386543b..e0aab89 100644
--- a/policy/modules/services/networkmanager.fc
+++ b/policy/modules/services/networkmanager.fc
-@@ -2,6 +2,10 @@
+@@ -1,7 +1,13 @@
+ /etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
++/etc/NetworkManager(/.*) gen_context(system_u:object_r:NetworkManager_etc_t,s0)
++/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
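Review bot: The new `/etc/NetworkManager(/.*)` entry lacks the trailing `?`, so it matches only the contents of the directory and never the directory itself, which keeps the default etc_t label. That matters for the matching networkmanager.te change in this patch, whose `filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, file)` only fires when the parent directory is NetworkManager_etc_t — with this regex, files created directly under /etc/NetworkManager will not get the rw type. The usual form is `/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)`; the existing dispatcher.d line has the same shape but there it is harmless since that directory is only ever entered. Consider also adding `--` to the NetworkManager\.conf entry so only a regular file receives the writable config type.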
@@ -24124,10 +24182,23 @@ index 2324d9e..8069487 100644
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
+')
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..02ae4e0 100644
+index 0619395..a074153 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
-@@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
+ type NetworkManager_initrc_exec_t;
+ init_script_file(NetworkManager_initrc_exec_t)
+
++type NetworkManager_etc_t;
++files_config_file(NetworkManager_etc_t)
++
++type NetworkManager_etc_rw_t;
++files_config_file(NetworkManager_etc_rw_t)
++
+ type NetworkManager_log_t;
+ logging_log_file(NetworkManager_log_t)
+
+@@ -35,7 +41,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# networkmanager will ptrace itself if gdb is installed
# and it receives a unexpected signal (rh bug #204161)
@@ -24136,7 +24207,7 @@ index 0619395..02ae4e0 100644
dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-@@ -44,7 +44,7 @@ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
+@@ -44,7 +50,7 @@ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
@@ -24145,7 +24216,19 @@ index 0619395..02ae4e0 100644
allow NetworkManager_t self:udp_socket create_socket_perms;
allow NetworkManager_t self:packet_socket create_socket_perms;
-@@ -55,6 +55,7 @@ can_exec(NetworkManager_t, NetworkManager_exec_t)
+@@ -52,9 +58,19 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
+
+ can_exec(NetworkManager_t, NetworkManager_exec_t)
+
++list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
++read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
++read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
++
++manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
++filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, file)
++
++logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
++
manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
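Review bot: The added `logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)` duplicates the existing call two lines below it; the duplicate is harmless to the compiled policy but is noise that suggests a merge slip, so drop the added one. Separately, `manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)` names NetworkManager_etc_rw_t as the directory type, but per the fc change the writable config lives inside a NetworkManager_etc_t directory; creation and deletion still work only because `filetrans_pattern` grants the directory permissions on NetworkManager_etc_t. Passing NetworkManager_etc_t as the directory argument, `manage_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t)`, states the intended layout rather than relying on that side effect. Keeping the daemon's writable config on a separate type from its read-only config is a good split and worth a one-line comment above these rules.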
@@ -24153,7 +24236,7 @@ index 0619395..02ae4e0 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -141,22 +142,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
+@@ -141,22 +157,32 @@ sysnet_domtrans_ifconfig(NetworkManager_t)
sysnet_domtrans_dhcpc(NetworkManager_t)
sysnet_signal_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_pid(NetworkManager_t)
@@ -24186,7 +24269,7 @@ index 0619395..02ae4e0 100644
')
optional_policy(`
-@@ -172,12 +183,14 @@ optional_policy(`
+@@ -172,12 +198,14 @@ optional_policy(`
')
optional_policy(`
@@ -24202,7 +24285,7 @@ index 0619395..02ae4e0 100644
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
')
-@@ -202,6 +215,13 @@ optional_policy(`
+@@ -202,6 +230,13 @@ optional_policy(`
')
optional_policy(`
@@ -24216,7 +24299,7 @@ index 0619395..02ae4e0 100644
iptables_domtrans(NetworkManager_t)
')
-@@ -263,6 +283,7 @@ optional_policy(`
+@@ -263,6 +298,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -27346,7 +27429,7 @@ index ad15fde..6f55445 100644
allow $1 postgrey_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if
-index b524673..09699d1 100644
+index b524673..29e0761 100644
--- a/policy/modules/services/ppp.if
+++ b/policy/modules/services/ppp.if
@@ -66,7 +66,6 @@ interface(`ppp_sigchld',`
@@ -27367,14 +27450,16 @@ index b524673..09699d1 100644
optional_policy(`
ddclient_run(pppd_t, $2)
-@@ -281,6 +279,7 @@ interface(`ppp_read_pid_files',`
+@@ -281,7 +279,8 @@ interface(`ppp_read_pid_files',`
type pppd_var_run_t;
')
+- allow $1 pppd_var_run_t:file read_file_perms;
+ files_search_pids($1)
- allow $1 pppd_var_run_t:file read_file_perms;
++ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
')
+ ########################################
@@ -299,6 +298,7 @@ interface(`ppp_manage_pid_files',`
type pppd_var_run_t;
')
@@ -34884,16 +34969,18 @@ index 3eca020..62e349a 100644
+')
diff --git a/policy/modules/services/vnstatd.fc b/policy/modules/services/vnstatd.fc
new file mode 100644
-index 0000000..7667c31
+index 0000000..4d81b99
--- /dev/null
+++ b/policy/modules/services/vnstatd.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
+
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
++
++/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0)
diff --git a/policy/modules/services/vnstatd.if b/policy/modules/services/vnstatd.if
new file mode 100644
index 0000000..b9104b7
@@ -35046,10 +35133,10 @@ index 0000000..b9104b7
+')
diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
new file mode 100644
-index 0000000..8ec07ff
+index 0000000..d861cf6
--- /dev/null
+++ b/policy/modules/services/vnstatd.te
-@@ -0,0 +1,65 @@
+@@ -0,0 +1,72 @@
+policy_module(vnstatd, 1.0.0)
+
+########################################
@@ -35066,6 +35153,9 @@ index 0000000..8ec07ff
+type vnstatd_var_lib_t;
+files_type(vnstatd_var_lib_t)
+
++type vnstatd_var_run_t;
++files_pid_file(vnstatd_var_run_t)
++
+type vnstat_t;
+type vnstat_exec_t;
+application_domain(vnstat_t, vnstat_exec_t)
@@ -35079,6 +35169,10 @@ index 0000000..8ec07ff
+allow vnstatd_t self:fifo_file rw_fifo_file_perms;
+allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
++manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
++files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
++
+manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
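Review bot: `files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })` and the accompanying `manage_dirs_pattern` allow the daemon to create a directory under /var/run, but the vnstatd.fc change in this patch only labels `/var/run/vnstat\.pid`; any directory the daemon created would be relabeled back to the generic pid type by restorecon, so the runtime label and the persistent label disagree. If vnstatd only writes the pid file, which the fc entry suggests, narrow the transition to `files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, file)` and drop the manage_dirs_pattern line; if it really creates a directory, add the matching fc entry instead. Either way the fc and te sides should describe the same object set.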
@@ -37730,7 +37824,7 @@ index 1c4b1e7..2997dd7 100644
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index bea0ade..c411b5e 100644
+index bea0ade..ce67a96 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -37794,7 +37888,7 @@ index bea0ade..c411b5e 100644
auth_use_pam($1)
init_rw_utmp($1)
-@@ -151,8 +165,38 @@ interface(`auth_login_pgm_domain',`
+@@ -151,8 +165,39 @@ interface(`auth_login_pgm_domain',`
seutil_read_config($1)
seutil_read_default_contexts($1)
@@ -37804,6 +37898,7 @@ index bea0ade..c411b5e 100644
+ userdom_read_user_home_content_symlinks($1)
+ userdom_delete_user_tmp_files($1)
+ userdom_search_admin_dir($1)
++ userdom_stream_connect($1)
+
+ optional_policy(`
+ afs_rw_udp_sockets($1)
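Review bot: `userdom_stream_connect($1)` is added unconditionally to auth_login_pgm_domain, so every login-program domain that uses this interface gains the ability to connect to user-domain unix stream sockets; the interface body is in userdom.if and not visible here, so exactly which socket types that covers cannot be checked from this hunk. Unlike the optional_policy blocks that follow, it names no consumer, and a login program reaching into a user's sockets is an unusual direction for the trust relationship. Record what needs it on the line, e.g. `userdom_stream_connect($1) # needed by <which login program / which user socket> — confirm`, and if it is tied to one service consider wrapping it with that service's optional_policy. The interface body continues past the end of this hunk.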
@@ -37835,7 +37930,7 @@ index bea0ade..c411b5e 100644
')
')
-@@ -365,13 +409,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -365,13 +410,15 @@ interface(`auth_domtrans_chk_passwd',`
')
optional_policy(`
@@ -37852,7 +37947,7 @@ index bea0ade..c411b5e 100644
')
########################################
-@@ -418,6 +464,7 @@ interface(`auth_run_chk_passwd',`
+@@ -418,6 +465,7 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -37860,7 +37955,7 @@ index bea0ade..c411b5e 100644
')
########################################
-@@ -694,7 +741,7 @@ interface(`auth_relabel_shadow',`
+@@ -694,7 +742,7 @@ interface(`auth_relabel_shadow',`
')
files_search_etc($1)
@@ -37869,7 +37964,7 @@ index bea0ade..c411b5e 100644
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -736,6 +783,25 @@ interface(`auth_rw_faillog',`
+@@ -736,6 +784,25 @@ interface(`auth_rw_faillog',`
allow $1 faillog_t:file rw_file_perms;
')
@@ -37895,7 +37990,7 @@ index bea0ade..c411b5e 100644
#######################################
##
## Read the last logins log.
-@@ -874,6 +940,26 @@ interface(`auth_exec_pam',`
+@@ -874,6 +941,26 @@ interface(`auth_exec_pam',`
########################################
##
@@ -37922,7 +38017,7 @@ index bea0ade..c411b5e 100644
## Manage var auth files. Used by various other applications
## and pam applets etc.
##
-@@ -1500,6 +1586,8 @@ interface(`auth_manage_login_records',`
+@@ -1500,6 +1587,8 @@ interface(`auth_manage_login_records',`
#
interface(`auth_use_nsswitch',`
@@ -37931,7 +38026,7 @@ index bea0ade..c411b5e 100644
files_list_var_lib($1)
# read /etc/nsswitch.conf
-@@ -1531,7 +1619,15 @@ interface(`auth_use_nsswitch',`
+@@ -1531,7 +1620,15 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
@@ -38713,7 +38808,7 @@ index 8419a01..5865dba 100644
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 698c11e..d92e0c3 100644
+index 698c11e..63030ba 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,27 @@ gen_require(`
@@ -38842,7 +38937,7 @@ index 698c11e..d92e0c3 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +220,79 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +220,81 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -38861,10 +38956,12 @@ index 698c11e..d92e0c3 100644
+ kernel_list_unlabeled(init_t)
+ kernel_read_network_state(init_t)
+ kernel_rw_kernel_sysctl(init_t)
++ kernel_rw_net_sysctls(init_t)
+ kernel_read_all_sysctls(init_t)
+ kernel_unmount_debugfs(init_t)
+
+ dev_write_kmsg(init_t)
++ dev_write_urand(init_t)
+ dev_rw_autofs(init_t)
+ dev_manage_generic_dirs(init_t)
+ dev_manage_generic_files(init_t)
@@ -38922,7 +39019,7 @@ index 698c11e..d92e0c3 100644
')
optional_policy(`
-@@ -199,10 +300,19 @@ optional_policy(`
+@@ -199,10 +302,19 @@ optional_policy(`
')
optional_policy(`
@@ -38942,7 +39039,7 @@ index 698c11e..d92e0c3 100644
unconfined_domain(init_t)
')
-@@ -212,7 +322,7 @@ optional_policy(`
+@@ -212,7 +324,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -38951,7 +39048,7 @@ index 698c11e..d92e0c3 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,6 +351,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,6 +353,7 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -38959,7 +39056,7 @@ index 698c11e..d92e0c3 100644
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-@@ -258,11 +369,23 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,11 +371,23 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -38983,7 +39080,7 @@ index 698c11e..d92e0c3 100644
corecmd_exec_all_executables(initrc_t)
-@@ -291,6 +414,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +416,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -38991,7 +39088,7 @@ index 698c11e..d92e0c3 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +422,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +424,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -39007,7 +39104,7 @@ index 698c11e..d92e0c3 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -323,8 +447,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +449,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -39019,7 +39116,7 @@ index 698c11e..d92e0c3 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +466,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +468,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -39033,7 +39130,7 @@ index 698c11e..d92e0c3 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +481,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +483,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -39042,7 +39139,7 @@ index 698c11e..d92e0c3 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +495,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +497,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -39050,7 +39147,7 @@ index 698c11e..d92e0c3 100644
selinux_get_enforce_mode(initrc_t)
-@@ -380,6 +513,7 @@ auth_read_pam_pid(initrc_t)
+@@ -380,6 +515,7 @@ auth_read_pam_pid(initrc_t)
auth_delete_pam_pid(initrc_t)
auth_delete_pam_console_data(initrc_t)
auth_use_nsswitch(initrc_t)
@@ -39058,7 +39155,7 @@ index 698c11e..d92e0c3 100644
libs_rw_ld_so_cache(initrc_t)
libs_exec_lib_files(initrc_t)
-@@ -394,13 +528,14 @@ logging_read_audit_config(initrc_t)
+@@ -394,13 +530,14 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -39074,7 +39171,7 @@ index 698c11e..d92e0c3 100644
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
-@@ -473,7 +608,7 @@ ifdef(`distro_redhat',`
+@@ -473,7 +610,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -39083,7 +39180,7 @@ index 698c11e..d92e0c3 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -519,6 +654,19 @@ ifdef(`distro_redhat',`
+@@ -519,6 +656,19 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -39103,7 +39200,7 @@ index 698c11e..d92e0c3 100644
')
optional_policy(`
-@@ -526,10 +674,17 @@ ifdef(`distro_redhat',`
+@@ -526,10 +676,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -39121,7 +39218,7 @@ index 698c11e..d92e0c3 100644
')
optional_policy(`
-@@ -544,6 +699,35 @@ ifdef(`distro_suse',`
+@@ -544,6 +701,35 @@ ifdef(`distro_suse',`
')
')
@@ -39157,7 +39254,7 @@ index 698c11e..d92e0c3 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -556,6 +740,8 @@ optional_policy(`
+@@ -556,6 +742,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -39166,7 +39263,7 @@ index 698c11e..d92e0c3 100644
')
optional_policy(`
-@@ -572,6 +758,7 @@ optional_policy(`
+@@ -572,6 +760,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -39174,7 +39271,7 @@ index 698c11e..d92e0c3 100644
')
optional_policy(`
-@@ -584,6 +771,11 @@ optional_policy(`
+@@ -584,6 +773,11 @@ optional_policy(`
')
optional_policy(`
@@ -39186,7 +39283,7 @@ index 698c11e..d92e0c3 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -600,6 +792,9 @@ optional_policy(`
+@@ -600,6 +794,9 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -39196,7 +39293,7 @@ index 698c11e..d92e0c3 100644
optional_policy(`
consolekit_dbus_chat(initrc_t)
-@@ -701,7 +896,13 @@ optional_policy(`
+@@ -701,7 +898,13 @@ optional_policy(`
')
optional_policy(`
@@ -39210,7 +39307,7 @@ index 698c11e..d92e0c3 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -724,6 +925,10 @@ optional_policy(`
+@@ -724,6 +927,10 @@ optional_policy(`
')
optional_policy(`
@@ -39221,7 +39318,7 @@ index 698c11e..d92e0c3 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -745,6 +950,10 @@ optional_policy(`
+@@ -745,6 +952,10 @@ optional_policy(`
')
optional_policy(`
@@ -39232,7 +39329,7 @@ index 698c11e..d92e0c3 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -766,8 +975,6 @@ optional_policy(`
+@@ -766,8 +977,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -39241,7 +39338,7 @@ index 698c11e..d92e0c3 100644
')
optional_policy(`
-@@ -776,14 +983,21 @@ optional_policy(`
+@@ -776,14 +985,21 @@ optional_policy(`
')
optional_policy(`
@@ -39263,7 +39360,7 @@ index 698c11e..d92e0c3 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,11 +1019,19 @@ optional_policy(`
+@@ -805,11 +1021,19 @@ optional_policy(`
')
optional_policy(`
@@ -39284,7 +39381,7 @@ index 698c11e..d92e0c3 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -819,6 +1041,25 @@ optional_policy(`
+@@ -819,6 +1043,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -39310,7 +39407,7 @@ index 698c11e..d92e0c3 100644
')
optional_policy(`
-@@ -844,3 +1085,55 @@ optional_policy(`
+@@ -844,3 +1087,55 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -39870,7 +39967,7 @@ index 57c645b..7682697 100644
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 9df8c4d..1d2236b 100644
+index 9df8c4d..0199a7d 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -129,15 +129,13 @@ ifdef(`distro_redhat',`
@@ -39932,7 +40029,7 @@ index 9df8c4d..1d2236b 100644
') dnl end distro_redhat
#
-@@ -319,14 +315,149 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
+@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -40084,6 +40181,7 @@ index 9df8c4d..1d2236b 100644
+/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index d97d16d..8b174c8 100644
--- a/policy/modules/system/libraries.if
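Review bot: The new talkplugin entry uses `.*\.so.*`, which is looser than the `\.so(\.[0-9])?` form on the neighbouring picasa and lgtonmc lines and will label any regular file whose name merely contains `.so` as textrel_shlib_t, the type that permits execmod (text relocation) on mappings. Since that type is a deliberate W^X exception, the regex should be as tight as the real filenames allow, e.g. `/opt/google/talkplugin/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`, matching the style already used for ld.so entries in this file. A short comment noting that the plugin ships text-relocated libraries would explain why the exception exists at all.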
@@ -40293,7 +40391,7 @@ index 3fb1915..26e9f79 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 362614c..ca6409c 100644
+index 362614c..c5757eb 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,10 @@
@@ -40311,7 +40409,7 @@ index 362614c..ca6409c 100644
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-+/var/lib/syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
++/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
ifdef(`distro_suse', `
@@ -41112,7 +41210,7 @@ index 8b5c196..3490497 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index fca6947..8848e14 100644
+index fca6947..cfb8758 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@@ -41339,7 +41437,7 @@ index fca6947..8848e14 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -180,13 +272,36 @@ optional_policy(`
+@@ -180,13 +272,40 @@ optional_policy(`
')
')
@@ -41352,6 +41450,10 @@ index fca6947..8848e14 100644
+ lvm_domtrans(mount_t)
+')
+
++optional_policy(`
++ rhcs_stream_connect_gfs_controld(mount_t)
++')
++
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
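Review bot: The new `rhcs_stream_connect_gfs_controld(mount_t)` block carries no comment explaining why mount needs to reach gfs_controld's socket, while the adjacent rpm block documents its purpose with `# for kernel package installation`. A one-line why-comment above the new `optional_policy(`, e.g. `# presumably mount of cluster (gfs) filesystems talks to gfs_controld`, would keep the grant reviewable; the changelog only says that mount needs to communicate with gfs_controld, so adjust the wording to the actual trigger. The surrounding optional_policy region continues beyond this hunk.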
@@ -41376,7 +41478,7 @@ index fca6947..8848e14 100644
')
########################################
-@@ -195,6 +310,42 @@ optional_policy(`
+@@ -195,6 +314,42 @@ optional_policy(`
#
optional_policy(`
@@ -41925,7 +42027,7 @@ index 170e2c7..bbaa8cf 100644
+')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ff5d72d..edee963 100644
+index ff5d72d..51a1496 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -42089,15 +42191,15 @@ index ff5d72d..edee963 100644
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
--
--corecmd_exec_bin(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--dev_read_urand(semanage_t)
+-corecmd_exec_bin(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-dev_read_urand(semanage_t)
+-
-domain_use_interactive_fds(semanage_t)
-
-files_read_etc_files(semanage_t)
@@ -42119,15 +42221,15 @@ index ff5d72d..edee963 100644
-
-# Running genhomedircon requires this for finding all users
-auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
-
+-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@@ -42166,7 +42268,7 @@ index ff5d72d..edee963 100644
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -498,112 +492,50 @@ ifdef(`enable_mls',`
+@@ -498,112 +492,54 @@ ifdef(`enable_mls',`
userdom_read_user_tmp_files(semanage_t)
')
@@ -42241,54 +42343,56 @@ index ff5d72d..edee963 100644
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
--
--miscfiles_read_localization(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
--seutil_libselinux_linked(setfiles_t)
+-miscfiles_read_localization(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
--userdom_use_all_users_fds(setfiles_t)
--# for config files in a home directory
--userdom_read_user_home_content_files(setfiles_t)
+-seutil_libselinux_linked(setfiles_t)
+########################################
+#
+# Setfiles local policy
+#
+-userdom_use_all_users_fds(setfiles_t)
+-# for config files in a home directory
+-userdom_read_user_home_content_files(setfiles_t)
++seutil_setfiles(setfiles_t)
++# During boot in Rawhide
++term_use_generic_ptys(setfiles_t)
+
-ifdef(`distro_debian',`
- # udev tmpfs is populated with static device nodes
- # and then relabeled afterwards; thus
- # /dev/console has the tmpfs type
- fs_rw_tmpfs_chr_files(setfiles_t)
-')
-+seutil_setfiles(setfiles_t)
-+# During boot in Rawhide
-+term_use_generic_ptys(setfiles_t)
++seutil_setfiles(setfiles_mac_t)
++allow setfiles_mac_t self:capability2 mac_admin;
++kernel_relabelto_unlabeled(setfiles_mac_t)
-ifdef(`distro_redhat', `
- fs_rw_tmpfs_chr_files(setfiles_t)
- fs_rw_tmpfs_blk_files(setfiles_t)
- fs_relabel_tmpfs_blk_file(setfiles_t)
- fs_relabel_tmpfs_chr_file(setfiles_t)
--')
-+seutil_setfiles(setfiles_mac_t)
-+allow setfiles_mac_t self:capability2 mac_admin;
-+kernel_relabelto_unlabeled(setfiles_mac_t)
++optional_policy(`
++ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
++ livecd_dontaudit_leaks(setfiles_mac_t)
++ livecd_rw_tmp_files(setfiles_mac_t)
++ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
+ ')
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(setfiles_t)
- ')
+optional_policy(`
-+ files_dontaudit_write_isid_chr_files(setfiles_mac_t)
-+ livecd_dontaudit_leaks(setfiles_mac_t)
-+ livecd_rw_tmp_files(setfiles_mac_t)
-+ dev_dontaudit_write_all_chr_files(setfiles_mac_t)
++ hal_dontaudit_leaks(setfiles_t)
')
ifdef(`hide_broken_symptoms',`
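Review bot: `hal_dontaudit_leaks(setfiles_t)` is correctly placed in its own `optional_policy(` block, but the block just above it (moved, not introduced, by this change) bundles `files_dontaudit_write_isid_chr_files` and `dev_dontaudit_write_all_chr_files` for setfiles_mac_t together with the two `livecd_*` calls in one `optional_policy(`; since an optional block is dropped whenever any of its requirements cannot be met, the files_/dev_ dontaudits appear to vanish on systems without the livecd module. As a follow-up, keep the two base-policy calls outside the optional block and leave only `livecd_dontaudit_leaks(setfiles_mac_t)` and `livecd_rw_tmp_files(setfiles_mac_t)` inside it. All of these are dontaudit rules, so the difference is audit noise rather than a privilege change. The setfiles section continues beyond the hunk.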
@@ -43965,7 +44069,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 35f1476..8d157ff 100644
+index 35f1476..ad3b474 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -43979,7 +44083,7 @@ index 35f1476..8d157ff 100644
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,98 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,99 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -44098,6 +44202,7 @@ index 35f1476..8d157ff 100644
+ files_dontaudit_getattr_non_security_symlinks($1_usertype)
+ files_dontaudit_getattr_non_security_pipes($1_usertype)
+ files_dontaudit_getattr_non_security_sockets($1_usertype)
++ files_dontaudit_setattr_etc_runtime_files($1_usertype)
+
+ files_exec_usr_files($1_t)
+
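Review bot: `files_dontaudit_setattr_etc_runtime_files($1_usertype)` silences setattr denials on every etc_runtime_t file for every domain carrying the user's `$1_usertype` attribute, which is much wider than the case that motivated it (the changelog's confined-user `mount` hitting /etc/mtab). Being a dontaudit it grants nothing, but it also removes the audit record for any user-domain process attempting chmod/chown/utimes on boot-generated files under /etc, so the scope should be deliberate: if only mount is affected, apply the dontaudit on the mount path rather than in the base user template, or at least state the intent in a comment such as `# mount run by a confined user tries setattr on /etc/mtab; the access is denied anyway, only silence the audit noise`. The interface is presumably defined in files.if elsewhere in this patch; the template continues outside the hunk.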
@@ -44127,7 +44232,7 @@ index 35f1476..8d157ff 100644
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +146,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +147,16 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -44144,7 +44249,7 @@ index 35f1476..8d157ff 100644
')
#######################################
-@@ -149,6 +189,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +190,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -44153,7 +44258,7 @@ index 35f1476..8d157ff 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +208,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +209,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -44181,7 +44286,7 @@ index 35f1476..8d157ff 100644
')
#######################################
-@@ -218,8 +239,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +240,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -44193,7 +44298,7 @@ index 35f1476..8d157ff 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +252,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +253,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -44225,7 +44330,7 @@ index 35f1476..8d157ff 100644
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -246,25 +274,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +275,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -44255,7 +44360,7 @@ index 35f1476..8d157ff 100644
')
')
-@@ -289,6 +315,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +316,8 @@ interface(`userdom_manage_tmp_role',`
type user_tmp_t;
')
@@ -44264,7 +44369,7 @@ index 35f1476..8d157ff 100644
files_poly_member_tmp($2, user_tmp_t)
manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +325,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +326,45 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -44310,7 +44415,7 @@ index 35f1476..8d157ff 100644
')
#######################################
-@@ -316,6 +383,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +384,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -44318,7 +44423,7 @@ index 35f1476..8d157ff 100644
files_search_tmp($1)
')
-@@ -350,6 +418,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +419,8 @@ interface(`userdom_manage_tmpfs_role',`
type user_tmpfs_t;
')
@@ -44327,7 +44432,7 @@ index 35f1476..8d157ff 100644
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +430,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +431,41 @@ interface(`userdom_manage_tmpfs_role',`
#######################################
##
@@ -44396,7 +44501,7 @@ index 35f1476..8d157ff 100644
')
#######################################
-@@ -430,6 +495,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +496,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -44404,7 +44509,7 @@ index 35f1476..8d157ff 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -490,7 +556,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +557,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -44413,7 +44518,7 @@ index 35f1476..8d157ff 100644
##############################
#
-@@ -500,73 +566,78 @@ template(`userdom_common_user_template',`
+@@ -500,73 +567,78 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -44531,7 +44636,7 @@ index 35f1476..8d157ff 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +645,110 @@ template(`userdom_common_user_template',`
+@@ -574,67 +646,110 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -44660,7 +44765,7 @@ index 35f1476..8d157ff 100644
')
optional_policy(`
-@@ -650,41 +764,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +765,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -44722,7 +44827,7 @@ index 35f1476..8d157ff 100644
')
#######################################
-@@ -712,13 +835,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +836,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -44754,7 +44859,7 @@ index 35f1476..8d157ff 100644
userdom_change_password_template($1)
-@@ -736,72 +872,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +873,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -44863,7 +44968,7 @@ index 35f1476..8d157ff 100644
')
')
-@@ -833,6 +968,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +969,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -44873,7 +44978,7 @@ index 35f1476..8d157ff 100644
##############################
#
# Local policy
-@@ -874,45 +1012,105 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1013,105 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -44990,7 +45095,7 @@ index 35f1476..8d157ff 100644
')
')
-@@ -947,7 +1145,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1146,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -44999,7 +45104,7 @@ index 35f1476..8d157ff 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1154,77 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1155,77 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -45107,7 +45212,7 @@ index 35f1476..8d157ff 100644
')
')
-@@ -1039,7 +1260,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1261,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -45116,7 +45221,7 @@ index 35f1476..8d157ff 100644
')
##############################
-@@ -1074,6 +1295,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1296,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -45126,7 +45231,7 @@ index 35f1476..8d157ff 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1312,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1313,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -45134,7 +45239,7 @@ index 35f1476..8d157ff 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1119,10 +1344,13 @@ template(`userdom_admin_user_template',`
+@@ -1119,10 +1345,13 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -45148,7 +45253,7 @@ index 35f1476..8d157ff 100644
fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t)
-@@ -1142,6 +1370,7 @@ template(`userdom_admin_user_template',`
+@@ -1142,6 +1371,7 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
modutils_domtrans_insmod($1_t)
@@ -45156,7 +45261,7 @@ index 35f1476..8d157ff 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1439,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1440,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -45165,7 +45270,7 @@ index 35f1476..8d157ff 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1237,6 +1468,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1469,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -45173,7 +45278,7 @@ index 35f1476..8d157ff 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1275,12 +1507,15 @@ template(`userdom_security_admin_template',`
+@@ -1275,12 +1508,15 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -45190,7 +45295,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -1391,6 +1626,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1391,6 +1627,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -45198,7 +45303,7 @@ index 35f1476..8d157ff 100644
files_search_home($1)
')
-@@ -1437,6 +1673,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1437,6 +1674,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -45213,7 +45318,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -1452,9 +1696,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1452,9 +1697,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -45225,7 +45330,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -1511,6 +1757,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1511,6 +1758,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -45268,7 +45373,7 @@ index 35f1476..8d157ff 100644
########################################
##
## Create directories in the home dir root with
-@@ -1585,6 +1867,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1585,6 +1868,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -45277,7 +45382,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -1599,10 +1883,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1599,10 +1884,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -45292,7 +45397,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -1645,34 +1931,53 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1645,34 +1932,53 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -45354,7 +45459,7 @@ index 35f1476..8d157ff 100644
gen_require(`
type user_home_dir_t, user_home_t;
')
-@@ -1696,12 +2001,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1696,12 +2002,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -45387,7 +45492,7 @@ index 35f1476..8d157ff 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1712,11 +2037,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1712,11 +2038,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -45405,7 +45510,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -1806,8 +2134,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1806,8 +2135,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -45415,7 +45520,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -1823,20 +2150,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1823,20 +2151,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -45440,7 +45545,7 @@ index 35f1476..8d157ff 100644
########################################
##
-@@ -2178,7 +2499,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2178,7 +2500,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -45449,7 +45554,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -2431,13 +2752,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2431,13 +2753,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -45465,7 +45570,7 @@ index 35f1476..8d157ff 100644
##
##
##
-@@ -2458,26 +2780,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2458,26 +2781,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -45492,7 +45597,7 @@ index 35f1476..8d157ff 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2811,7 +3113,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2811,7 +3114,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -45501,7 +45606,7 @@ index 35f1476..8d157ff 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2827,11 +3129,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2827,11 +3130,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -45517,7 +45622,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -2913,7 +3217,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2913,7 +3218,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -45526,7 +45631,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -2968,7 +3272,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2968,7 +3273,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -45573,7 +45678,7 @@ index 35f1476..8d157ff 100644
')
########################################
-@@ -3005,6 +3347,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3005,6 +3348,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -45581,7 +45686,7 @@ index 35f1476..8d157ff 100644
kernel_search_proc($1)
')
-@@ -3135,3 +3478,854 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3135,3 +3479,854 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e0cb57e..47f2acb 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.6
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,15 @@ exit 0
%endif
%changelog
+* Tue Oct 12 2010 Dan Walsh 3.9.6-3
+-Mount command from a confined user generates setattr on /etc/mtab file, need to dontaudit this access
+- dovecot-auth_t needs ipc_lock
+- gpm needs to use the user terminal
+- Allow system_mail_t to append ~/dead.letter
+- Allow NetworkManager to edit /etc/NetworkManager/NetworkManager.conf
+- Add pid file to vnstatd
+- Allow mount to communicate with gfs_controld
+- Dontaudit hal leaks in setfiles
* Fri Oct 8 2010 Dan Walsh 3.9.6-2
- Lots of fixes for systemd