++##
++## Allow amavis to use JIT compiler
++##
++##
++gen_tunable(amavis_use_jit, false)
++
+ type amavis_t;
+ type amavis_exec_t;
+ domain_type(amavis_t)
+@@ -38,7 +45,7 @@ type amavis_quarantine_t;
files_type(amavis_quarantine_t)
type amavis_spool_t;
@@ -1575,7 +1662,7 @@ index 5a9b451..e36eab0 100644
########################################
#
-@@ -49,7 +49,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid };
+@@ -49,7 +56,7 @@ allow amavis_t self:capability { kill chown dac_override setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process { signal sigchld sigkill signull };
allow amavis_t self:fifo_file rw_fifo_file_perms;
@@ -1584,7 +1671,7 @@ index 5a9b451..e36eab0 100644
allow amavis_t self:unix_dgram_socket create_socket_perms;
allow amavis_t self:tcp_socket { listen accept };
allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -75,9 +75,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
+@@ -75,9 +82,11 @@ filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
files_search_spool(amavis_t)
# tmp files
@@ -1597,7 +1684,15 @@ index 5a9b451..e36eab0 100644
# var/lib files for amavis
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
-@@ -125,20 +127,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
+@@ -107,7 +116,6 @@ kernel_dontaudit_read_system_state(amavis_t)
+ corecmd_exec_bin(amavis_t)
+ corecmd_exec_shell(amavis_t)
+
+-corenet_all_recvfrom_unlabeled(amavis_t)
+ corenet_all_recvfrom_netlabel(amavis_t)
+ corenet_tcp_sendrecv_generic_if(amavis_t)
+ corenet_tcp_sendrecv_generic_node(amavis_t)
+@@ -125,20 +133,24 @@ corenet_tcp_bind_amavisd_recv_port(amavis_t)
corenet_udp_bind_generic_port(amavis_t)
corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
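Review bot: The removal of `corenet_all_recvfrom_unlabeled(amavis_t)` in the amavis.te section at `@@ -107,7 +116,6 @@` takes away this domain's own rule for receiving unlabeled packets, and no visible hunk shows where that permission is granted instead. The same line is dropped for httpd_t, httpd_suexec_t, httpd_sys_script_t, apcupsd_t, httpd_apcupsd_cgi_script_t, apt_t, arpwatch_t, asterisk_t, automount_t and avahi_t in the later hunks. Presumably the access now comes from a rule that applies to every domain; if so, the commit message should name where that rule lives so a reviewer can confirm each network-facing daemon keeps the access on hosts without labeled networking. If no such rule exists, every one of these domains would be denied ordinary unlabeled traffic, so this is worth confirming against the full policy before merging.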
@@ -1623,7 +1718,7 @@ index 5a9b451..e36eab0 100644
# uses uptime which reads utmp - redhat bug 561383
init_read_utmp(amavis_t)
init_stream_connect_script(amavis_t)
-@@ -148,21 +154,21 @@ logging_send_syslog_msg(amavis_t)
+@@ -148,21 +160,27 @@ logging_send_syslog_msg(amavis_t)
miscfiles_read_generic_certs(amavis_t)
miscfiles_read_localization(amavis_t)
@@ -1638,7 +1733,12 @@ index 5a9b451..e36eab0 100644
-cron_rw_pipes(amavis_t)
-
-mta_read_config(amavis_t)
--
++tunable_policy(`amavis_use_jit',`
++ allow amavis_t self:process execmem;
++',`
++ dontaudit amavis_t self:process execmem;
++')
+
optional_policy(`
clamav_stream_connect(amavis_t)
clamav_domtrans_clamscan(amavis_t)
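Review bot: The else-branch `dontaudit amavis_t self:process execmem;` hides the denial whenever `amavis_use_jit` is off, which is the default set by `gen_tunable(amavis_use_jit, false)`. amavis_t is a content filter that parses untrusted mail, so an unexpected attempt to map writable-executable memory is exactly the AVC record an administrator would want to see, and it is also what tells them the boolean exists. I would remove the `dontaudit` line and close the block after the allow rule with `')`, so the denial stays audited when the tunable is off. If the dontaudit is there to silence a known-noisy denial, add a comment above the block that names the component triggering it.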
@@ -1653,7 +1753,7 @@ index 5a9b451..e36eab0 100644
')
optional_policy(`
-@@ -171,11 +177,16 @@ optional_policy(`
+@@ -171,11 +189,16 @@ optional_policy(`
')
optional_policy(`
@@ -1670,7 +1770,7 @@ index 5a9b451..e36eab0 100644
')
optional_policy(`
-@@ -188,6 +199,10 @@ optional_policy(`
+@@ -188,6 +211,10 @@ optional_policy(`
')
optional_policy(`
@@ -2622,7 +2722,7 @@ index 6480167..d30bdbf 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index a36a01d..8ce7893 100644
+index a36a01d..8203991 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
@@ -2963,7 +3063,7 @@ index a36a01d..8ce7893 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -362,8 +523,10 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -2971,9 +3071,11 @@ index a36a01d..8ce7893 100644
+kernel_read_network_state(httpd_t)
+kernel_search_network_sysctl(httpd_t)
- corenet_all_recvfrom_unlabeled(httpd_t)
+-corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -372,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+ corenet_tcp_sendrecv_generic_if(httpd_t)
+ corenet_udp_sendrecv_generic_if(httpd_t)
+@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -2994,7 +3096,7 @@ index a36a01d..8ce7893 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -385,9 +557,14 @@ dev_rw_crypto(httpd_t)
+@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -3009,7 +3111,7 @@ index a36a01d..8ce7893 100644
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
-@@ -398,59 +575,112 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -398,59 +574,112 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -3127,7 +3229,7 @@ index a36a01d..8ce7893 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +691,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +690,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -3191,7 +3293,7 @@ index a36a01d..8ce7893 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +755,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +754,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3214,7 +3316,7 @@ index a36a01d..8ce7893 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +790,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,9 +789,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -3235,7 +3337,7 @@ index a36a01d..8ce7893 100644
')
optional_policy(`
-@@ -525,6 +814,9 @@ optional_policy(`
+@@ -525,6 +813,9 @@ optional_policy(`
')
optional_policy(`
@@ -3245,7 +3347,7 @@ index a36a01d..8ce7893 100644
cobbler_search_lib(httpd_t)
')
-@@ -540,6 +832,24 @@ optional_policy(`
+@@ -540,6 +831,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -3270,7 +3372,7 @@ index a36a01d..8ce7893 100644
optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,13 +859,24 @@ optional_policy(`
+@@ -549,13 +858,24 @@ optional_policy(`
')
optional_policy(`
@@ -3296,7 +3398,7 @@ index a36a01d..8ce7893 100644
')
optional_policy(`
-@@ -568,7 +889,21 @@ optional_policy(`
+@@ -568,7 +888,21 @@ optional_policy(`
')
optional_policy(`
@@ -3318,7 +3420,7 @@ index a36a01d..8ce7893 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -579,6 +914,7 @@ optional_policy(`
+@@ -579,6 +913,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -3326,7 +3428,7 @@ index a36a01d..8ce7893 100644
')
optional_policy(`
-@@ -589,6 +925,33 @@ optional_policy(`
+@@ -589,6 +924,33 @@ optional_policy(`
')
optional_policy(`
@@ -3360,7 +3462,7 @@ index a36a01d..8ce7893 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -603,6 +966,11 @@ optional_policy(`
+@@ -603,6 +965,11 @@ optional_policy(`
')
optional_policy(`
@@ -3372,7 +3474,7 @@ index a36a01d..8ce7893 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -615,6 +983,12 @@ optional_policy(`
+@@ -615,6 +982,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3385,7 +3487,7 @@ index a36a01d..8ce7893 100644
########################################
#
# Apache helper local policy
-@@ -628,7 +1002,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -628,7 +1001,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -3398,7 +3500,7 @@ index a36a01d..8ce7893 100644
########################################
#
-@@ -666,28 +1044,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -666,28 +1043,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3442,7 +3544,7 @@ index a36a01d..8ce7893 100644
')
########################################
-@@ -697,6 +1077,7 @@ optional_policy(`
+@@ -697,6 +1076,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3450,7 +3552,7 @@ index a36a01d..8ce7893 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,19 +1092,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -711,19 +1091,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3479,7 +3581,15 @@ index a36a01d..8ce7893 100644
files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -752,13 +1141,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,7 +1128,6 @@ tunable_policy(`httpd_can_network_connect',`
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+ corenet_all_recvfrom_netlabel(httpd_suexec_t)
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
+@@ -752,13 +1139,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3512,7 +3622,7 @@ index a36a01d..8ce7893 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1188,25 @@ optional_policy(`
+@@ -781,6 +1186,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3538,7 +3648,7 @@ index a36a01d..8ce7893 100644
########################################
#
# Apache system script local policy
-@@ -801,12 +1227,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -801,12 +1225,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3556,7 +3666,7 @@ index a36a01d..8ce7893 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -815,18 +1246,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -815,18 +1244,49 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -3598,9 +3708,9 @@ index a36a01d..8ce7893 100644
- corenet_tcp_bind_all_nodes(httpd_sys_script_t)
- corenet_udp_bind_all_nodes(httpd_sys_script_t)
+- corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
- corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
- corenet_udp_sendrecv_all_if(httpd_sys_script_t)
@@ -3613,7 +3723,7 @@ index a36a01d..8ce7893 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1297,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -834,14 +1294,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -3654,7 +3764,7 @@ index a36a01d..8ce7893 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1342,20 @@ optional_policy(`
+@@ -854,10 +1339,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3675,7 +3785,7 @@ index a36a01d..8ce7893 100644
')
########################################
-@@ -873,7 +1371,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+@@ -873,7 +1368,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
@@ -3683,7 +3793,7 @@ index a36a01d..8ce7893 100644
logging_search_logs(httpd_rotatelogs_t)
-@@ -903,11 +1400,144 @@ optional_policy(`
+@@ -903,11 +1397,144 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -3916,7 +4026,7 @@ index e342775..1fedbe5 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index d052bf0..6c7828b 100644
+index d052bf0..08bd1c9 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -3929,7 +4039,15 @@ index d052bf0..6c7828b 100644
########################################
#
# apcupsd local policy
-@@ -76,24 +79,31 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
+@@ -53,7 +56,6 @@ kernel_read_system_state(apcupsd_t)
+ corecmd_exec_bin(apcupsd_t)
+ corecmd_exec_shell(apcupsd_t)
+
+-corenet_all_recvfrom_unlabeled(apcupsd_t)
+ corenet_all_recvfrom_netlabel(apcupsd_t)
+ corenet_tcp_sendrecv_generic_if(apcupsd_t)
+ corenet_tcp_sendrecv_generic_node(apcupsd_t)
+@@ -76,24 +78,31 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
term_use_unallocated_ttys(apcupsd_t)
@@ -3962,6 +4080,14 @@ index d052bf0..6c7828b 100644
mta_send_mail(apcupsd_t)
mta_system_content(apcupsd_tmp_t)
')
+@@ -113,7 +122,6 @@ optional_policy(`
+ allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
+
+- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
diff --git a/apm.fc b/apm.fc
index 0123777..f2f0c35 100644
--- a/apm.fc
@@ -4140,10 +4266,18 @@ index 1c8c27e..35d798f 100644
optional_policy(`
diff --git a/apt.te b/apt.te
-index 8555315..c5a4ce3 100644
+index 8555315..5bb2477 100644
--- a/apt.te
+++ b/apt.te
-@@ -121,7 +121,7 @@ fs_getattr_all_fs(apt_t)
+@@ -94,7 +94,6 @@ kernel_read_kernel_sysctls(apt_t)
+ corecmd_exec_bin(apt_t)
+ corecmd_exec_shell(apt_t)
+
+-corenet_all_recvfrom_unlabeled(apt_t)
+ corenet_all_recvfrom_netlabel(apt_t)
+ corenet_tcp_sendrecv_generic_if(apt_t)
+ corenet_udp_sendrecv_generic_if(apt_t)
+@@ -121,7 +120,7 @@ fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
@@ -4152,7 +4286,7 @@ index 8555315..c5a4ce3 100644
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
-@@ -134,7 +134,7 @@ seutil_use_newrole_fds(apt_t)
+@@ -134,7 +133,7 @@ seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
@@ -4235,7 +4369,7 @@ index c804110..06a516f 100644
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
-index 804135f..d94d72e 100644
+index 804135f..762c50a 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -4256,7 +4390,7 @@ index 804135f..d94d72e 100644
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
-@@ -47,8 +51,9 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+@@ -47,12 +51,12 @@ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
kernel_read_network_state(arpwatch_t)
@@ -4267,7 +4401,11 @@ index 804135f..d94d72e 100644
kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
-@@ -74,7 +79,6 @@ corecmd_read_bin_symlinks(arpwatch_t)
+-corenet_all_recvfrom_unlabeled(arpwatch_t)
+ corenet_all_recvfrom_netlabel(arpwatch_t)
+ corenet_tcp_sendrecv_generic_if(arpwatch_t)
+ corenet_udp_sendrecv_generic_if(arpwatch_t)
+@@ -74,7 +78,6 @@ corecmd_read_bin_symlinks(arpwatch_t)
domain_use_interactive_fds(arpwatch_t)
@@ -4295,7 +4433,7 @@ index b6168fd..313c6e4 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
-index 3b4613b..3bd044f 100644
+index 3b4613b..3ebeb4c 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -20,10 +20,11 @@ type asterisk_log_t;
@@ -4337,7 +4475,15 @@ index 3b4613b..3bd044f 100644
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
kernel_request_load_module(asterisk_t)
-@@ -109,9 +112,13 @@ corenet_tcp_bind_generic_port(asterisk_t)
+@@ -89,7 +92,6 @@ kernel_request_load_module(asterisk_t)
+ corecmd_exec_bin(asterisk_t)
+ corecmd_exec_shell(asterisk_t)
+
+-corenet_all_recvfrom_unlabeled(asterisk_t)
+ corenet_all_recvfrom_netlabel(asterisk_t)
+ corenet_tcp_sendrecv_generic_if(asterisk_t)
+ corenet_udp_sendrecv_generic_if(asterisk_t)
+@@ -109,9 +111,13 @@ corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
@@ -4351,7 +4497,7 @@ index 3b4613b..3bd044f 100644
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
-@@ -122,11 +129,11 @@ dev_read_urand(asterisk_t)
+@@ -122,11 +128,11 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
@@ -4364,7 +4510,7 @@ index 3b4613b..3bd044f 100644
fs_getattr_all_fs(asterisk_t)
fs_list_inotifyfs(asterisk_t)
-@@ -143,6 +150,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -143,6 +149,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
@@ -4460,7 +4606,7 @@ index d80a16b..ef740ef 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 39799db..8c012e9 100644
+index 39799db..3192298 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -4481,7 +4627,15 @@ index 39799db..8c012e9 100644
files_search_boot(automount_t)
# Automount is slowly adding all mount functionality internally
files_search_all(automount_t)
-@@ -113,7 +117,6 @@ files_dontaudit_write_var_dirs(automount_t)
+@@ -79,7 +83,6 @@ fs_search_all(automount_t)
+ corecmd_exec_bin(automount_t)
+ corecmd_exec_shell(automount_t)
+
+-corenet_all_recvfrom_unlabeled(automount_t)
+ corenet_all_recvfrom_netlabel(automount_t)
+ corenet_tcp_sendrecv_generic_if(automount_t)
+ corenet_udp_sendrecv_generic_if(automount_t)
+@@ -113,7 +116,6 @@ files_dontaudit_write_var_dirs(automount_t)
files_getattr_all_dirs(automount_t)
files_list_mnt(automount_t)
files_getattr_home_dir(automount_t)
@@ -4489,7 +4643,7 @@ index 39799db..8c012e9 100644
files_read_etc_runtime_files(automount_t)
# for if the mount point is not labelled
files_getattr_isid_type_dirs(automount_t)
-@@ -143,10 +146,6 @@ logging_search_logs(automount_t)
+@@ -143,10 +145,6 @@ logging_search_logs(automount_t)
miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
@@ -4500,7 +4654,7 @@ index 39799db..8c012e9 100644
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,6 +154,13 @@ optional_policy(`
+@@ -155,6 +153,13 @@ optional_policy(`
')
optional_policy(`
@@ -4588,7 +4742,7 @@ index 61c74bc..17b3ecc 100644
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index a7a0e71..a70fe55 100644
+index a7a0e71..65bbd77 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
@@ -4602,7 +4756,7 @@ index a7a0e71..a70fe55 100644
########################################
#
-@@ -46,6 +50,7 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
+@@ -46,11 +50,11 @@ files_pid_filetrans(avahi_t, avahi_var_run_t, { dir file })
kernel_read_system_state(avahi_t)
kernel_read_kernel_sysctls(avahi_t)
kernel_read_network_state(avahi_t)
@@ -4610,7 +4764,12 @@ index a7a0e71..a70fe55 100644
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-@@ -74,7 +79,6 @@ fs_list_inotifyfs(avahi_t)
+
+-corenet_all_recvfrom_unlabeled(avahi_t)
+ corenet_all_recvfrom_netlabel(avahi_t)
+ corenet_tcp_sendrecv_generic_if(avahi_t)
+ corenet_udp_sendrecv_generic_if(avahi_t)
+@@ -74,7 +78,6 @@ fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
@@ -4618,7 +4777,16 @@ index a7a0e71..a70fe55 100644
files_read_etc_runtime_files(avahi_t)
files_read_usr_files(avahi_t)
-@@ -104,6 +108,10 @@ optional_policy(`
+@@ -92,6 +95,8 @@ sysnet_domtrans_ifconfig(avahi_t)
+ sysnet_manage_config(avahi_t)
+ sysnet_etc_filetrans_config(avahi_t)
+
++systemd_login_signull(avahi_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+ userdom_dontaudit_search_user_home_dirs(avahi_t)
+
+@@ -104,6 +109,10 @@ optional_policy(`
')
optional_policy(`
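Review bot: The added `systemd_login_signull(avahi_t)` has no comment explaining why avahi needs to send the null signal to the login manager, while nearby rules in this policy carry a rationale (for example the utmp rule annotated with its bug number). A one-line why-comment above it would let a later reviewer judge whether the grant is still needed, for example `# avahi checks that systemd-logind is alive (signal 0); see <bug reference>`. The reason in that sample is a guess and the reference is a placeholder; use the actual trigger for this rule.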
@@ -4660,10 +4828,18 @@ index 283ff0d..53f9ba1 100644
##
##