diff --git a/policy-F16.patch b/policy-F16.patch
index 59703ba..2e87799 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -32212,7 +32212,7 @@ index 8581040..2367841 100644
  
  	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..f1eff62 100644
+index bf64a4c..8a9789c 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@@ -32284,7 +32284,15 @@ index bf64a4c..f1eff62 100644
  
  dev_read_sysfs(nrpe_t)
  dev_read_urand(nrpe_t)
-@@ -270,12 +273,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -211,6 +214,7 @@ domain_read_all_domains_state(nrpe_t)
+ 
+ files_read_etc_runtime_files(nrpe_t)
+ files_read_etc_files(nrpe_t)
++files_read_usr_files(nrpe_t)
+ 
+ fs_getattr_all_fs(nrpe_t)
+ fs_search_auto_mountpoints(nrpe_t)
+@@ -270,12 +274,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
  #
  
  allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
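Review bot: `files_read_usr_files(nrpe_t)` (the `++` line in the new `@@ -211,6 +214,7` hunk) grants nrpe_t read access to everything labelled usr_t without saying which check or denial motivated it; a one-line comment such as `# <plugin/denial placeholder> reads data under /usr` would let a later maintainer decide whether it can be narrowed. The spec changelog in this same commit lists only the udev relabel and the mock fix, so this nagios change is undocumented there as well. The nrpe_t section continues outside the hunk.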
@@ -32297,7 +32305,7 @@ index bf64a4c..f1eff62 100644
  kernel_read_kernel_sysctls(nagios_mail_plugin_t)
  
  corecmd_read_bin_files(nagios_mail_plugin_t)
-@@ -299,7 +300,7 @@ optional_policy(`
+@@ -299,7 +301,7 @@ optional_policy(`
  
  optional_policy(`
  	postfix_stream_connect_master(nagios_mail_plugin_t)
@@ -32306,7 +32314,7 @@ index bf64a4c..f1eff62 100644
  ')
  
  ######################################
-@@ -310,6 +311,9 @@ optional_policy(`
+@@ -310,6 +312,9 @@ optional_policy(`
  # needed by ioctl()
  allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
@@ -32316,7 +32324,7 @@ index bf64a4c..f1eff62 100644
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
  fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  
  allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
  allow nagios_services_plugin_t self:process { signal sigkill };
@@ -32324,7 +32332,7 @@ index bf64a4c..f1eff62 100644
  allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
  allow nagios_services_plugin_t self:udp_socket create_socket_perms;
  
-@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
@@ -32333,7 +32341,7 @@ index bf64a4c..f1eff62 100644
  ')
  
  optional_policy(`
-@@ -363,7 +368,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,7 +369,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
@@ -40048,7 +40056,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..2c24007 100644
+index e30bb63..941f823 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -40082,7 +40090,7 @@ index e30bb63..2c24007 100644
  # smbd Local policy
  #
 -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
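Review bot: The rewritten allow line adds `sys_chroot` to smbd_t's self:capability set with no comment, on the same line that already introduced `kill` and `sys_admin`. Each of these widens what a compromised smbd can do, so a short comment naming the samba feature that needs chroot would help a later reviewer judge whether it is still required. The changelog entry in this commit does not mention the samba change either.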
@@ -41756,7 +41764,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..80b2f2e 100644
+index 22adaca..68ad7a7 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -41958,7 +41966,7 @@ index 22adaca..80b2f2e 100644
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -393,14 +408,11 @@ template(`ssh_role_template',`
+@@ -393,14 +408,13 @@ template(`ssh_role_template',`
  	seutil_dontaudit_read_config($1_ssh_agent_t)
  
  	# Write to the user domain tty.
@@ -41971,10 +41979,12 @@ index 22adaca..80b2f2e 100644
 -	allow $3 $1_ssh_agent_t:fd use;
 -	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
 -	allow $3 $1_ssh_agent_t:process sigchld;
++
++	ssh_run_keygen($3,$2)
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +489,9 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +491,9 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
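Review bot: The new `ssh_run_keygen($3,$2)` call omits the space after the comma that every other multi-argument call in this file uses (compare `delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)` further down); write it as `ssh_run_keygen($3, $2)`. The argument order looks like (domain, role), which matches the usual `*_run` convention, but the interface itself appears to be defined in the 26 lines added after `ssh_domtrans_keygen` that are not visible here, so that cannot be confirmed from this hunk. `ssh_role_template` continues outside the hunk.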
@@ -41985,7 +41995,7 @@ index 22adaca..80b2f2e 100644
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +507,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +509,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -41994,7 +42004,7 @@ index 22adaca..80b2f2e 100644
  ')
  
  ########################################
-@@ -586,6 +599,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +601,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -42019,7 +42029,7 @@ index 22adaca..80b2f2e 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +649,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +651,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -42028,7 +42038,7 @@ index 22adaca..80b2f2e 100644
  	files_search_pids($1)
  ')
  
-@@ -680,6 +711,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +713,32 @@ interface(`ssh_domtrans_keygen',`
  	domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
  ')
  
@@ -42061,7 +42071,7 @@ index 22adaca..80b2f2e 100644
  ########################################
  ## <summary>
  ##	Read ssh server keys
-@@ -695,7 +752,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +754,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -42070,7 +42080,7 @@ index 22adaca..80b2f2e 100644
  ')
  
  ######################################
-@@ -735,3 +792,21 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +794,21 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -42093,7 +42103,7 @@ index 22adaca..80b2f2e 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..7f14c83 100644
+index 2dad3c8..594aa01 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -42422,7 +42432,7 @@ index 2dad3c8..7f14c83 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,14 +369,18 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,14 +369,19 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -42438,11 +42448,12 @@ index 2dad3c8..7f14c83 100644
 +manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
 +manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t)
 +userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
++userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)
 +
  kernel_read_kernel_sysctls(ssh_keygen_t)
  
  fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +404,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -353,7 +405,7 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
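Review bot: `userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir)` makes every directory ssh_keygen_t creates directly under a user home directory come out as ssh_home_t, not only `.ssh`, because the transition has no name component; together with the `manage_*_pattern` lines above it that is presumably intended (ssh-keygen creating ~/.ssh when run from a user role), but a comment stating it would make the pairing with the admin-home line explicit, e.g. `# ssh-keygen creates ~/.ssh in admin and regular user homes`. The ssh_keygen_t section continues outside the hunk.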
@@ -49359,7 +49370,7 @@ index cc83689..3388f34 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..55561ae 100644
+index ea29513..819a8d5 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -50078,7 +50089,15 @@ index ea29513..55561ae 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1103,19 @@ optional_policy(`
+@@ -800,7 +1093,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	udev_rw_db(initrc_t)
+ 	udev_manage_pid_files(initrc_t)
+ 	udev_manage_rules_files(initrc_t)
+ ')
+@@ -810,11 +1102,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50099,7 +50118,7 @@ index ea29513..55561ae 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1125,25 @@ optional_policy(`
+@@ -824,6 +1124,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -50125,7 +50144,7 @@ index ea29513..55561ae 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1169,42 @@ optional_policy(`
+@@ -849,3 +1168,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -53434,7 +53453,7 @@ index 170e2c7..0aa893a 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..1d43b4b 100644
+index 7ed9819..5ae4038 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -53617,7 +53636,7 @@ index 7ed9819..1d43b4b 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -353,7 +382,7 @@ optional_policy(`
+@@ -353,16 +382,19 @@ optional_policy(`
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -53626,7 +53645,11 @@ index 7ed9819..1d43b4b 100644
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -363,6 +392,7 @@ dontaudit run_init_t self:capability { dac_override dac_read_search };
+ # the failed access to the current directory
+ dontaudit run_init_t self:capability { dac_override dac_read_search };
+ 
++kernel_dontaudit_getattr_core_if(run_init_t)
++
  corecmd_exec_bin(run_init_t)
  corecmd_exec_shell(run_init_t)
  
@@ -53634,7 +53657,7 @@ index 7ed9819..1d43b4b 100644
  dev_dontaudit_list_all_dev_nodes(run_init_t)
  
  domain_use_interactive_fds(run_init_t)
-@@ -380,6 +410,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +412,8 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -53643,7 +53666,15 @@ index 7ed9819..1d43b4b 100644
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
  auth_domtrans_upd_passwd(run_init_t)
-@@ -396,7 +428,7 @@ miscfiles_read_localization(run_init_t)
+@@ -388,6 +422,7 @@ auth_dontaudit_read_shadow(run_init_t)
+ init_spec_domtrans_script(run_init_t)
+ # for utmp
+ init_rw_utmp(run_init_t)
++init_dontaudit_getattr_initctl(run_init_t)
+ 
+ logging_send_syslog_msg(run_init_t)
+ 
+@@ -396,7 +431,7 @@ miscfiles_read_localization(run_init_t)
  seutil_libselinux_linked(run_init_t)
  seutil_read_default_contexts(run_init_t)
  
@@ -53652,7 +53683,7 @@ index 7ed9819..1d43b4b 100644
  
  ifndef(`direct_sysadm_daemon',`
  	ifdef(`distro_gentoo',`
-@@ -405,6 +437,15 @@ ifndef(`direct_sysadm_daemon',`
+@@ -405,6 +440,19 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -53662,13 +53693,17 @@ index 7ed9819..1d43b4b 100644
 +')
 +
 +optional_policy(`
++	gpm_dontaudit_getattr_gpmctl(run_init_t)
++')
++
++optional_policy(`
 +	rpm_domtrans(run_init_t)
 +')
 +
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,61 +461,22 @@ optional_policy(`
+@@ -420,61 +468,22 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -53678,22 +53713,22 @@ index 7ed9819..1d43b4b 100644
 -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 -
 -allow semanage_t policy_config_t:file rw_file_perms;
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+ 
 -allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 -allow semanage_t semanage_tmp_t:file manage_file_perms;
 -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
+ 
 -kernel_read_system_state(semanage_t)
 -kernel_read_kernel_sysctls(semanage_t)
 -
 -corecmd_exec_bin(semanage_t)
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
- 
+-
 -dev_read_urand(semanage_t)
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
- 
+-
 -domain_use_interactive_fds(semanage_t)
 -
 -files_read_etc_files(semanage_t)
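Review bot: `manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)` and the `manage_files_pattern` line below it carry a double space before the third argument; since this hunk only re-orders the removed lines around them, it is a good moment to normalise to `manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)`. Otherwise the hunk appears to change only the placement of deletions, not the resulting semanage_t policy, which is worth confirming with a dry-run apply of the regenerated patch. The semanage_t section continues outside the hunk.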
@@ -53715,13 +53750,13 @@ index 7ed9819..1d43b4b 100644
 -
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
- 
+-
 -locallogin_use_fds(semanage_t)
 -
 -logging_send_syslog_msg(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+ 
 -miscfiles_read_localization(semanage_t)
 -
 -seutil_libselinux_linked(semanage_t)
@@ -53738,7 +53773,7 @@ index 7ed9819..1d43b4b 100644
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -487,118 +489,69 @@ ifdef(`distro_debian',`
+@@ -487,118 +496,69 @@ ifdef(`distro_debian',`
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
@@ -53787,19 +53822,13 @@ index 7ed9819..1d43b4b 100644
 -
 -domain_use_interactive_fds(setfiles_t)
 -domain_dontaudit_search_all_domains_state(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
- 
+-
 -files_read_etc_runtime_files(setfiles_t)
 -files_read_etc_files(setfiles_t)
 -files_list_all(setfiles_t)
 -files_relabel_all_files(setfiles_t)
 -files_read_usr_symlinks(setfiles_t)
-+# Bug in semanage
-+seutil_domtrans_setfiles(setsebool_t)
-+seutil_manage_file_contexts(setsebool_t)
-+seutil_manage_default_contexts(setsebool_t)
-+seutil_manage_config(setsebool_t)
- 
+-
 -fs_getattr_xattr_fs(setfiles_t)
 -fs_list_all(setfiles_t)
 -fs_search_auto_mountpoints(setfiles_t)
@@ -53827,9 +53856,15 @@ index 7ed9819..1d43b4b 100644
 -init_use_script_fds(setfiles_t)
 -init_use_script_ptys(setfiles_t)
 -init_exec_script_files(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+ 
 -logging_send_syslog_msg(setfiles_t)
--
++# Bug in semanage
++seutil_domtrans_setfiles(setsebool_t)
++seutil_manage_file_contexts(setsebool_t)
++seutil_manage_default_contexts(setsebool_t)
++seutil_manage_config(setsebool_t)
+ 
 -miscfiles_read_localization(setfiles_t)
 +########################################
 +#
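Review bot: `# Bug in semanage` above the four `seutil_*(setsebool_t)` grants names neither the bug nor the condition for removing the workaround, although, as their names suggest, these lines let setsebool_t transition to setfiles and manage the file_contexts and default_contexts files; a comment such as `# Workaround: setsebool currently needs setfiles and the contexts files; drop once fixed in semanage (bug id: <placeholder>)` would make that explicit. Like the preceding hunks in this file, this one only moves the deletions relative to the added lines, so the resulting policy appears unchanged. The setsebool_t section continues outside the hunk.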
@@ -54753,26 +54788,29 @@ index 0000000..1e5b954
 +	readahead_manage_pid_files(systemd_notify_t)
 +')
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..ff75c28 100644
+index 0291685..7e94f4b 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
-@@ -11,6 +11,9 @@
+@@ -1,6 +1,6 @@
+-/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
++/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/\.udevdb	--	gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_var_run_t,s0)
  
- /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
+ /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+@@ -21,4 +21,6 @@
  
-+/run/udev(/.*)? --    gen_context(system_u:object_r:udev_tbl_t,s0)
-+/run/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
-+
- /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -22,3 +25,4 @@
  /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
  
- /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/PackageKit/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
++/var/run/udev(/.*)?		gen_context(system_u:object_r:udev_var_run_t,s0)
 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..8b50d5f 100644
+index 025348a..4e2ca03 100644
 --- a/policy/modules/system/udev.if
 +++ b/policy/modules/system/udev.if
 @@ -34,6 +34,7 @@ interface(`udev_domtrans',`
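Review bot: The three `/dev/\.udev`, `/dev/\.udevdb` and `/dev/udev\.tbl` entries keep the `--` qualifier, so only regular files under /dev/.udev get udev_var_run_t while subdirectories and symlinks stay device_t, yet udev.te in this same patch adds `dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )` so symlinks there are expected, and the new `/var/run/udev(/.*)?` entry has no qualifier at all. Drop the `--` from the /dev entries (or add it to the /var/run one) so both locations label consistently. The removed `/run/udev(/.*)?` and `/run/\.udev(/.*)?` lines presumably rely on the file_contexts.subs mapping of /run to /var/run added in the previous release (see the 3.9.16-10 changelog entry); confirm that mapping is shipped wherever this policy is installed, otherwise /run/udev has no matching entry.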
@@ -54793,26 +54831,29 @@ index 025348a..8b50d5f 100644
  ')
  
  ########################################
-@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',`
- interface(`udev_read_db',`
+@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',`
+ #
+ interface(`udev_dontaudit_search_db',`
  	gen_require(`
- 		type udev_tbl_t;
-+		type device_t;
+-		type udev_tbl_t;
++		type udev_var_run_t;
  	')
  
- 	dev_list_all_dev_nodes($1)
- 	allow $1 udev_tbl_t:dir list_dir_perms;
- 	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- 	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
-+	allow $1 device_t:file read_file_perms;
+-	dontaudit $1 udev_tbl_t:dir search_dir_perms;
++	dontaudit $1 udev_var_run_t:dir search_dir_perms;
  ')
  
  ########################################
-@@ -214,6 +216,24 @@ interface(`udev_rw_db',`
- 
- ########################################
- ## <summary>
-+##	Allow process to modify relabelto udev database
+@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',`
+ ## <infoflow type="read" weight="10"/>
+ #
+ interface(`udev_read_db',`
++	udev_read_pid_files($1)
++')
++
++########################################
++## <summary>
++##	Allow process to modify list of devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -54820,21 +54861,73 @@ index 025348a..8b50d5f 100644
 +##	</summary>
 +## </param>
 +#
++interface(`udev_rw_db',`
+ 	gen_require(`
+-		type udev_tbl_t;
++		type udev_var_run_t;
+ 	')
+ 
++	files_search_pids($1)
+ 	dev_list_all_dev_nodes($1)
+-	allow $1 udev_tbl_t:dir list_dir_perms;
+-	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+-	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++	rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow process to modify list of devices.
++##	Allow process to modify relabelto udev database
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -203,13 +216,36 @@ interface(`udev_read_db',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`udev_rw_db',`
 +interface(`udev_relabelto_db',`
 +	gen_require(`
-+		type udev_tbl_t;
++		type udev_var_run_t;
 +	')
 +
-+	allow $1 udev_tbl_t:file relabelto_file_perms;
++	files_search_pids($1)
++	allow $1 udev_var_run_t:file relabelto_file_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Create, read, write, and delete
- ##	udev pid files.
- ## </summary>
-@@ -231,3 +251,62 @@ interface(`udev_manage_pid_files',`
- 	files_search_var_lib($1)
++##	Create, read, write, and delete
++##	udev pid files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`udev_read_pid_files',`
+ 	gen_require(`
+-		type udev_tbl_t;
++		type udev_var_run_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+-	allow $1 udev_tbl_t:file rw_file_perms;
++	files_search_pids($1)
++	allow $1 udev_var_run_t:dir list_dir_perms;
++	read_files_pattern($1, udev_var_run_t, udev_var_run_t)
++	read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+ 
+ ########################################
+@@ -228,6 +264,65 @@ interface(`udev_manage_pid_files',`
+ 		type udev_var_run_t;
+ 	')
+ 
+-	files_search_var_lib($1)
++	files_search_pids($1)
  	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
  ')
 +
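Review bot: The docstring added for `udev_read_pid_files` says `Create, read, write, and delete udev pid files.`, which is copied from `udev_manage_pid_files` and does not match a body of list_dir_perms, read_files_pattern and read_lnk_files_pattern; change it to `##	Read udev pid files.`. The summary `Allow process to modify relabelto udev database` above `udev_relabelto_db` also reads oddly; `Relabel files to the udev database type.` would be clearer. In `udev_manage_pid_files` the `files_search_var_lib($1)` to `files_search_pids($1)` fix matches the udev_var_run_t location; the rest of that interface is outside the hunk.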
@@ -54897,10 +54990,10 @@ index 025348a..8b50d5f 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..1cadaa2 100644
+index d88f7c3..b18dc17 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -14,6 +14,8 @@ domain_entry_file(udev_t, udev_helper_exec_t)
+@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
  domain_interactive_fd(udev_t)
  init_daemon_domain(udev_t, udev_exec_t)
  
@@ -54909,7 +55002,19 @@ index d88f7c3..1cadaa2 100644
  type udev_etc_t alias etc_udev_t;
  files_config_file(udev_etc_t)
  
-@@ -38,6 +40,12 @@ ifdef(`enable_mcs',`
+-type udev_tbl_t alias udev_tdb_t;
+-files_type(udev_tbl_t)
+-
+ type udev_rules_t;
+ files_type(udev_rules_t)
+ 
+ type udev_var_run_t;
+ files_pid_file(udev_var_run_t)
++typealias udev_var_run_t alias udev_tbl_t;
+ 
+ ifdef(`enable_mcs',`
+ 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+@@ -38,6 +38,12 @@ ifdef(`enable_mcs',`
  
  allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
  dontaudit udev_t self:capability sys_tty_config;
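Review bot: Replacing `type udev_tbl_t alias udev_tdb_t;` with `typealias udev_var_run_t alias udev_tbl_t;` drops the `udev_tdb_t` alias, so any module that still names udev_tdb_t would fail to link against this policy; unless that alias is known to be unused, keep it with `type udev_var_run_t alias { udev_tbl_t udev_tdb_t };`. That inline form also matches the style of `type udev_etc_t alias etc_udev_t;` a few lines up, rather than a separate `typealias` statement after `files_pid_file`.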
@@ -54922,7 +55027,7 @@ index d88f7c3..1cadaa2 100644
  allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow udev_t self:process { execmem setfscreate };
  allow udev_t self:fd use;
-@@ -52,6 +60,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow udev_t self:rawip_socket create_socket_perms;
@@ -54930,27 +55035,29 @@ index d88f7c3..1cadaa2 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -64,7 +73,8 @@ allow udev_t udev_etc_t:file read_file_perms;
+@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t)
+ # read udev config
+ allow udev_t udev_etc_t:file read_file_perms;
  
- # create udev database in /dev/.udevdb
- allow udev_t udev_tbl_t:file manage_file_perms;
+-# create udev database in /dev/.udevdb
+-allow udev_t udev_tbl_t:file manage_file_perms;
 -dev_filetrans(udev_t, udev_tbl_t, file)
-+allow udev_t udev_tbl_t:lnk_file manage_file_perms;
-+dev_filetrans(udev_t, udev_tbl_t, { file lnk_file } )
- 
+-
  list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
  read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-@@ -72,7 +82,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+ 
  manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
  manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
  manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 -files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 +files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
 +allow udev_t udev_var_run_t:file mounton;
++dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
++
  
  kernel_read_system_state(udev_t)
  kernel_request_load_module(udev_t)
-@@ -87,6 +98,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
  kernel_dgram_send(udev_t)
  kernel_signal(udev_t)
  kernel_search_debugfs(udev_t)
@@ -54958,7 +55065,7 @@ index d88f7c3..1cadaa2 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -111,15 +123,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -111,15 +118,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
  
  files_read_usr_files(udev_t)
  files_read_etc_runtime_files(udev_t)
@@ -54980,7 +55087,7 @@ index d88f7c3..1cadaa2 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -143,6 +160,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +155,7 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -54988,7 +55095,7 @@ index d88f7c3..1cadaa2 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -186,15 +204,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +199,16 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -55008,7 +55115,7 @@ index d88f7c3..1cadaa2 100644
  ')
  
  optional_policy(`
-@@ -216,11 +235,16 @@ optional_policy(`
+@@ -216,11 +230,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55025,7 +55132,7 @@ index d88f7c3..1cadaa2 100644
  ')
  
  optional_policy(`
-@@ -233,6 +257,10 @@ optional_policy(`
+@@ -233,6 +252,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55036,7 +55143,7 @@ index d88f7c3..1cadaa2 100644
  	lvm_domtrans(udev_t)
  ')
  
-@@ -259,6 +287,10 @@ optional_policy(`
+@@ -259,6 +282,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55047,7 +55154,7 @@ index d88f7c3..1cadaa2 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +305,11 @@ optional_policy(`
+@@ -273,6 +300,11 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6d3fe77..3ceed1a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,10 @@ exit 0
 %endif
 
 %changelog
+* Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-11
+- Fix label for /var/run/udev to udev_var_run_t
+- Mock needs to be able to read network state
+
 * Fri Apr 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-10
 - Add file_contexts.subs to handle /run and /run/lock
 - Add other fixes relating to /run changes from F15 policy