diff --git a/policy/modules/apps/slocate.te b/policy/modules/apps/slocate.te
index 41487e7..7c09093 100644
--- a/policy/modules/apps/slocate.te
+++ b/policy/modules/apps/slocate.te
@@ -39,11 +39,13 @@ dev_getattr_all_chr_files(locate_t)
 files_list_all(locate_t)
 files_getattr_all_files(locate_t)
+files_getattr_all_sockets(locate_t)
 files_read_etc_runtime_files(locate_t)
 files_read_etc_files(locate_t)
 fs_getattr_all_fs(locate_t)
-fs_getattr_all_dirs(locate_t)
+fs_getattr_all_files(locate_t)
+fs_list_all(locate_t)
 libs_use_shared_libs(locate_t)
 libs_use_ld_so(locate_t)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index fde29f6..4406a42 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -278,6 +278,25 @@ interface(`term_setattr_console',`
 ########################################
 ##
+## Relabel from and to the console type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`term_relabel_console',`
+ gen_require(`
+ type console_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 console_device_t:chr_file { relabelfrom relabelto };
+')
+
+########################################
+##
+## Create the console device (/dev/console).
 ##
 ##
@@ -1052,7 +1071,7 @@ interface(`term_write_all_user_ttys',`
 ')
 dev_list_all_dev_nodes($1)
- allow $1 ttynode:chr_file { getattr write };
+ allow $1 ttynode:chr_file { getattr write append };
 ')
 ########################################
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index 34bc07e..4612cf0 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
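Review bot: The slocate hunk widens locate_t from `fs_getattr_all_dirs` to `fs_getattr_all_files` plus `fs_list_all`, and adds `files_getattr_all_sockets`, but nothing in the hunk records why locate_t now needs to list and stat every filesystem-type directory and every socket; presumably this is updatedb walking all mounts, with pseudo-filesystems pruned by its own configuration rather than by policy. A short comment above the block would stop the next reviewer from narrowing it again, e.g. `# updatedb walks every mounted filesystem; excluded paths are pruned by its config, not by policy`. If the rules came from AVC denials, naming the denied class and permission in that comment (a placeholder such as `<denied op>` until filled in) is cheaper than rediscovering them later.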
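Review bot: The summary of the new `term_relabel_console` says only "Relabel from and to the console type"; it should spell out that the caller gets `relabelto` on `console_device_t:chr_file`, which lets it give the console label to any character device it can already relabel from, so the interface belongs to device-labeling domains rather than ordinary users of the console. Suggested summary line: `## Relabel character devices to and from the console type (relabelto lets the caller turn any device it may relabel into a console device).` The `dev_list_all_dev_nodes($1)` call matches the directory-search grant used by `term_write_all_user_ttys` in the next hunk, so the body itself looks consistent with the file.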
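Review bot: `term_write_all_user_ttys` now also grants `append` on `ttynode:chr_file`, but the interface's summary block sits above this hunk and presumably still describes the grant as write-only; update it to `## Write or append to all user ttys.` so callers know the permission set they receive. The enclosing interface starts before the hunk.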
@@ -28,7 +28,6 @@ dontaudit arpwatch_t self:capability sys_tty_config;
 allow arpwatch_t self:process signal_perms;
 allow arpwatch_t self:unix_dgram_socket create_socket_perms;
 allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
 allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
 allow arpwatch_t self:udp_socket create_socket_perms;
 allow arpwatch_t self:packet_socket create_socket_perms;
@@ -71,6 +70,8 @@ files_read_etc_files(arpwatch_t)
 files_read_usr_files(arpwatch_t)
 files_search_var_lib(arpwatch_t)
+auth_use_nsswitch(arpwatch_t)
+
 libs_use_ld_so(arpwatch_t)
 libs_use_shared_libs(arpwatch_t)
@@ -78,8 +79,6 @@ logging_send_syslog_msg(arpwatch_t)
 miscfiles_read_localization(arpwatch_t)
-sysnet_read_config(arpwatch_t)
-
 userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
 userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
@@ -92,14 +91,6 @@ ifdef(`targeted_policy',`
 ')
 optional_policy(`
- nis_use_ypbind(arpwatch_t)
-')
-
-optional_policy(`
- corecmd_search_bin(arpwatch_t)
-')
-
-optional_policy(`
 seutil_sigchld_newrole(arpwatch_t)
 ')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 27d6129..6cf2f98 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -18,7 +18,7 @@ files_pid_file(avahi_var_run_t)
 # Local policy
 #
-allow avahi_t self:capability { dac_override setgid chown kill setuid sys_chroot };
+allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
 allow avahi_t self:process { setrlimit signal_perms setcap };
 allow avahi_t self:fifo_file { read write };
@@ -75,8 +75,6 @@ logging_send_syslog_msg(avahi_t)
 miscfiles_read_localization(avahi_t)
-sysnet_read_config(avahi_t)
-
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
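Review bot: Dropping `allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;` in this hunk, and `sysnet_read_config(arpwatch_t)`, `nis_use_ypbind(arpwatch_t)` and `corecmd_search_bin(arpwatch_t)` in the three arpwatch hunks that follow, is only sound if the `auth_use_nsswitch(arpwatch_t)` added in the second hunk supplies each of them; I would expect it to cover the resolver configuration, NIS and the route socket the resolver uses, but `corecmd_search_bin` is not name-service access and nothing remaining in the diff visibly grants it. Record the dependency next to the new call, `# auth_use_nsswitch covers resolv/nsswitch config, ypbind and the resolver's netlink route socket`, and either keep `corecmd_search_bin(arpwatch_t)` or justify its removal in the commit message.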
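Review bot: `fowner` is added to avahi_t's capability set in the first avahi hunk with no note of which operation needs it; `fowner` bypasses the owner check on permission-bit, ownership and timestamp changes to files the process does not own, so it is a broader grant than the neighbouring `chown`. Add a comment above the rule naming the trigger, `# fowner: <operation from the AVC denial, fill in>`, and if the denial was a best-effort call on a file avahi_t does not need to modify, a `dontaudit` is the narrower fix. The removal of `sysnet_read_config(avahi_t)` in the second avahi hunk has no visible replacement in this diff; confirm avahi_t already gets resolver access through `auth_use_nsswitch` or an equivalent outside the hunk.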
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index df62800..95936e5 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -145,6 +145,7 @@ optional_policy(`
 optional_policy(`
 snmp_read_snmp_var_lib_files(cyrus_t)
+ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
index e7344da..eb26d54 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -255,6 +255,24 @@ interface(`mailman_read_data_symlinks',`
 #######################################
 ##
+## Append to mailman logs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mailman_append_log',`
+ gen_require(`
+ type mailman_log_t;
+ ')
+
+ append_files_pattern($1,mailman_log_t,mailman_log_t)
+')
+
+#######################################
+##
+## Create, read, write, and delete
 ## mailman logs.
 ##
diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 5aa9107..dfb48ea 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -60,6 +60,25 @@ interface(`networkmanager_rw_routing_sockets',`
 ########################################
 ##
+## Execute NetworkManager with a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`networkmanager_domtrans',`
+ gen_require(`
+ type NetworkManager_t, NetworkManager_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t)
+')
+
+########################################
+##
+## Send and receive messages from
 ## NetworkManager over dbus.
 ##
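Review bot: `mailman_append_log` grants `append_files_pattern($1,mailman_log_t,mailman_log_t)` but nothing lets the caller search the parent log directory, so a domain that does not already have search on /var/log will still be denied before it reaches the mailman_log_t directory; log interfaces in this policy normally pair the pattern with `logging_search_logs($1)` so each caller does not have to add it. Suggested line before the pattern call: `logging_search_logs($1)`. If mailman_log_t directories live under a parent other than /var/log, the search grant should be on that parent type instead.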