From 0685f04414489e714886309f376a4f0b28374465 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Nov 28 2011 20:21:23 +0000 Subject: - Add fs_read_fusefs_dirs interface - Allow mailman to read /dev/urandom - Allow clamd to read spamd pid file - Allow mount to read /dev/urandom - Add use_fusefs_home_dirs also for system_dbus_t --- diff --git a/policy-F16.patch b/policy-F16.patch index 9e336fa..e147e6f 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -18609,7 +18609,7 @@ index 22821ff..20251b0 100644 ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..50b0acf 100644 +index 97fcdac..630ff53 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18855,7 +18855,33 @@ index 97fcdac..50b0acf 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1984,6 +2126,25 @@ interface(`fs_manage_fusefs_files',` +@@ -1886,6 +2028,25 @@ interface(`fs_dontaudit_list_fusefs',` + dontaudit $1 fusefs_t:dir list_dir_perms; + ') + ++####################################### ++## ++## Do not audit attempts to list the contents ++## of directories on a FUSEFS filesystem. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`fs_read_fusefs_dirs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ list_dirs_pattern($1, fusefs_t, fusefs_t) ++') ++ + ######################################## + ## + ## Create, read, write, and delete directories +@@ -1984,6 +2145,25 @@ interface(`fs_manage_fusefs_files',` manage_files_pattern($1, fusefs_t, fusefs_t) ') @@ -18881,7 +18907,7 @@ index 97fcdac..50b0acf 100644 ######################################## ## ## Do not audit attempts to create, -@@ -2080,6 +2241,24 @@ interface(`fs_manage_hugetlbfs_dirs',` +@@ -2080,6 +2260,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ######################################## ## 
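Review bot: The header comment on the new `fs_read_fusefs_dirs` interface is copied from `fs_dontaudit_list_fusefs` and says "Do not audit attempts to list the contents of directories on a FUSEFS filesystem", but its body is `list_dirs_pattern($1, fusefs_t, fusefs_t)`, an allow rule, so the generated interface documentation will describe a grant as a dontaudit. The summary should read `## List the contents of directories on a FUSEFS filesystem.` and the parameter line `## Domain allowed access.` rather than "Domain to not audit". The name says "read" while the body grants directory listing; since the new `system_dbusd_t` tunable in this commit already calls it by this name, keep the name but make the comment match the permission actually granted.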
@@ -18906,7 +18932,7 @@ index 97fcdac..50b0acf 100644 ## Read and write hugetlbfs files. ## ## -@@ -2148,6 +2327,7 @@ interface(`fs_list_inotifyfs',` +@@ -2148,6 +2346,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -18914,7 +18940,7 @@ index 97fcdac..50b0acf 100644 ') ######################################## -@@ -2480,6 +2660,7 @@ interface(`fs_read_nfs_files',` +@@ -2480,6 +2679,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -18922,7 +18948,7 @@ index 97fcdac..50b0acf 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,6 +2699,7 @@ interface(`fs_write_nfs_files',` +@@ -2518,6 +2718,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -18930,7 +18956,7 @@ index 97fcdac..50b0acf 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2544,6 +2726,25 @@ interface(`fs_exec_nfs_files',` +@@ -2544,6 +2745,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -18956,7 +18982,7 @@ index 97fcdac..50b0acf 100644 ## Append files ## on a NFS filesystem. ## -@@ -2584,6 +2785,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2584,6 +2804,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## @@ -18999,7 +19025,7 @@ index 97fcdac..50b0acf 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2598,7 +2835,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2598,7 +2854,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -19008,7 +19034,7 @@ index 97fcdac..50b0acf 100644 ') ######################################## -@@ -2736,7 +2973,7 @@ interface(`fs_search_removable',` +@@ -2736,7 +2992,7 @@ interface(`fs_search_removable',` ## ## ## @@ -19017,7 +19043,7 @@ index 97fcdac..50b0acf 100644 ## ## # -@@ -2772,7 +3009,7 @@ interface(`fs_read_removable_files',` +@@ -2772,7 +3028,7 @@ interface(`fs_read_removable_files',` ## ## ## 
@@ -19026,7 +19052,7 @@ index 97fcdac..50b0acf 100644 ## ## # -@@ -2965,6 +3202,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2965,6 +3221,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -19034,7 +19060,7 @@ index 97fcdac..50b0acf 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3005,6 +3243,7 @@ interface(`fs_manage_nfs_files',` +@@ -3005,6 +3262,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -19042,7 +19068,7 @@ index 97fcdac..50b0acf 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3045,6 +3284,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3045,6 +3303,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -19050,7 +19076,7 @@ index 97fcdac..50b0acf 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3958,6 +4198,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3958,6 +4217,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -19093,7 +19119,7 @@ index 97fcdac..50b0acf 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4175,6 +4451,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4175,6 +4470,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -19118,7 +19144,7 @@ index 97fcdac..50b0acf 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4251,6 +4545,25 @@ interface(`fs_manage_tmpfs_files',` +@@ -4251,6 +4564,25 @@ interface(`fs_manage_tmpfs_files',` ######################################## ## @@ -19144,7 +19170,7 @@ index 97fcdac..50b0acf 100644 ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## -@@ -4457,6 +4770,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4789,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -19153,7 +19179,7 @@ index 97fcdac..50b0acf 100644 ') ######################################## -@@ -4503,7 +4818,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4837,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -19162,7 +19188,7 @@ index 97fcdac..50b0acf 100644 ## Example attributes: ##

##
    -@@ -4866,3 +5181,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5200,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -29495,7 +29521,7 @@ index 1f11572..9eb2461 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..4bc077f 100644 +index f758323..4c06224 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,16 @@ @@ -29569,7 +29595,7 @@ index f758323..4bc077f 100644 optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) -@@ -142,13 +147,30 @@ optional_policy(` +@@ -142,13 +147,31 @@ optional_policy(` ') optional_policy(` @@ -29589,6 +29615,7 @@ index f758323..4bc077f 100644 + +optional_policy(` + spamd_stream_connect(clamd_t) ++ spamd_read_pid(clamd_t) +') + tunable_policy(`clamd_use_jit',` @@ -29601,7 +29628,7 @@ index f758323..4bc077f 100644 ') ######################################## -@@ -178,10 +200,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) +@@ -178,10 +201,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) @@ -29620,7 +29647,7 @@ index f758323..4bc077f 100644 corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +217,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +218,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -29628,7 +29655,7 @@ index f758323..4bc077f 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,16 +236,18 @@ miscfiles_read_localization(freshclam_t) +@@ -207,16 +237,18 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) 
@@ -29651,7 +29678,7 @@ index f758323..4bc077f 100644 ######################################## # # clamscam local policy -@@ -242,15 +273,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) +@@ -242,15 +274,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir }) manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t) allow clamscan_t clamd_var_lib_t:dir list_dir_perms; @@ -29681,7 +29708,7 @@ index f758323..4bc077f 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,10 +309,15 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +310,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -30735,10 +30762,10 @@ index 0000000..ed13d1e + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..e4d7098 +index 0000000..ca71d08 --- /dev/null +++ b/policy/modules/services/collectd.te -@@ -0,0 +1,79 @@ +@@ -0,0 +1,80 @@ +policy_module(collectd, 1.0.0) + +######################################## @@ -30812,7 +30839,8 @@ index 0000000..e4d7098 + +optional_policy(` + apache_content_template(collectd) -+ ++ ++ files_search_var_lib(httpd_collectd_script_t) + read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) + list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t) + miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) @@ -33687,7 +33715,7 @@ index 1a1becd..0aa5aaf 100644 + dontaudit $1 session_bus_type:dbus send_msg; ') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te -index 1bff6ee..f0266a9 100644 +index 1bff6ee..ad305bc 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -10,6 +10,7 @@ gen_require(` 
@@ -33749,10 +33777,16 @@ index 1bff6ee..f0266a9 100644 logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) -@@ -136,11 +143,33 @@ seutil_sigchld_newrole(system_dbusd_t) +@@ -136,11 +143,39 @@ seutil_sigchld_newrole(system_dbusd_t) userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) ++tunable_policy(`use_fusefs_home_dirs',` ++ fs_read_fusefs_dirs(system_dbusd_t) ++ fs_read_fusefs_files(system_dbusd_t) ++ fs_read_fusefs_symlinks(system_dbusd_t) ++') ++ +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(system_dbusd_t) +') @@ -33783,7 +33817,7 @@ index 1bff6ee..f0266a9 100644 policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) -@@ -151,12 +180,166 @@ optional_policy(` +@@ -151,12 +186,166 @@ optional_policy(` ') optional_policy(` @@ -33921,7 +33955,7 @@ index 1bff6ee..f0266a9 100644 + fs_manage_nfs_dirs(session_bus_type) + fs_manage_nfs_files(session_bus_type) +') -+ + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(session_bus_type) + fs_manage_cifs_files(session_bus_type) @@ -33934,7 +33968,7 @@ index 1bff6ee..f0266a9 100644 +optional_policy(` + hal_dbus_chat(session_bus_type) +') - ++ +optional_policy(` + xserver_search_xdm_lib(session_bus_type) + xserver_use_xdm_fds(session_bus_type) @@ -42487,7 +42521,7 @@ index 67c7fdd..d7338be 100644 ## ## Execute mailman CGI scripts in the diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te -index af4d572..cea085e 100644 +index af4d572..0c0925e 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -19,6 +19,9 @@ logging_log_file(mailman_log_t) @@ -42500,7 +42534,7 @@ index af4d572..cea085e 100644 mailman_domain_template(mail) init_daemon_domain(mailman_mail_t, mailman_mail_exec_t) -@@ -61,14 +64,22 @@ optional_policy(` +@@ -61,14 +64,24 @@ optional_policy(` # Mailman mail local policy # 
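Review bot: The new `use_fusefs_home_dirs` block for `system_dbusd_t` grants directory listing, file read and symlink read, while the neighbouring `use_nfs_home_dirs` block grants only `fs_read_nfs_files` (which, per the filesystem.if hunk in this patch, also carries `nfs_t:dir list_dir_perms` but no symlink access); if symlink following is needed on FUSE-backed home directories it is presumably needed on NFS ones too, so either add the equivalent NFS symlink interface or note why FUSE differs. Both tunables gate access to every mount of that filesystem type, not only home directories, which is worth a one-line comment such as `# use_fusefs_home_dirs covers all fusefs_t mounts, not just $HOME` for whoever audits the system bus's reach. The rest of the `system_dbusd_t` policy lies outside this hunk.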
@@ -42522,10 +42556,12 @@ index af4d572..cea085e 100644 +corenet_tcp_connect_innd_port(mailman_mail_t) +corenet_tcp_connect_spamd_port(mailman_mail_t) + ++dev_read_urand(mailman_mail_t) ++ files_search_spool(mailman_mail_t) fs_rw_anon_inodefs_files(mailman_mail_t) -@@ -81,11 +92,16 @@ optional_policy(` +@@ -81,11 +94,16 @@ optional_policy(` ') optional_policy(` @@ -42542,7 +42578,7 @@ index af4d572..cea085e 100644 ') ######################################## -@@ -104,6 +120,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) +@@ -104,6 +122,8 @@ manage_lnk_files_pattern(mailman_queue_t, mailman_archive_t, mailman_archive_t) kernel_read_proc_symlinks(mailman_queue_t) @@ -42551,7 +42587,7 @@ index af4d572..cea085e 100644 auth_domtrans_chk_passwd(mailman_queue_t) files_dontaudit_search_pids(mailman_queue_t) -@@ -125,4 +143,4 @@ optional_policy(` +@@ -125,4 +145,4 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) @@ -58304,7 +58340,7 @@ index 6b3abf9..a785741 100644 +/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if -index c954f31..c7cadcb 100644 +index c954f31..d5e959d 100644 --- a/policy/modules/services/spamassassin.if +++ b/policy/modules/services/spamassassin.if @@ -14,6 +14,7 @@ @@ -58423,7 +58459,7 @@ index c954f31..c7cadcb 100644 allow $1 spamd_tmp_t:file read_file_perms; ') -@@ -223,5 +291,72 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` +@@ -223,5 +291,91 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',` type spamd_tmp_t; ') 
@@ -58431,6 +58467,25 @@ index c954f31..c7cadcb 100644 + dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms; +') + ++####################################### ++## ++## Read spamd pid file. ++## ++## ++## ++## Domain allowed to connect. ++## ++## ++# ++interface(`spamd_read_pid',` ++ gen_require(` ++ type spamd_t, spamd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t) ++') ++ +######################################## +## +## Connect to run spamd. @@ -72156,7 +72211,7 @@ index 8b5c196..da41726 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 15832c7..bb2ac39 100644 +index 15832c7..2596ae0 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,17 +17,29 @@ type mount_exec_t; @@ -72233,7 +72288,7 @@ index 15832c7..bb2ac39 100644 kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) # To load binfmt_misc kernel module -@@ -57,65 +88,93 @@ kernel_request_load_module(mount_t) +@@ -57,65 +88,94 @@ kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) @@ -72242,6 +72297,7 @@ index 15832c7..bb2ac39 100644 dev_list_all_dev_nodes(mount_t) +dev_read_usbfs(mount_t) +dev_read_rand(mount_t) ++dev_read_urand(mount_t) dev_read_sysfs(mount_t) dev_dontaudit_write_sysfs_dirs(mount_t) dev_rw_lvm_control(mount_t) @@ -72336,7 +72392,7 @@ index 15832c7..bb2ac39 100644 logging_send_syslog_msg(mount_t) -@@ -126,6 +185,8 @@ sysnet_use_portmap(mount_t) +@@ -126,6 +186,8 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -72345,7 +72401,7 @@ index 15832c7..bb2ac39 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -141,26 +202,28 @@ ifdef(`distro_ubuntu',` +@@ -141,26 +203,28 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -72384,7 +72440,7 @@ index 15832c7..bb2ac39 100644 corenet_tcp_bind_generic_port(mount_t) corenet_udp_bind_generic_port(mount_t) corenet_tcp_bind_reserved_port(mount_t) -@@ -174,6 +237,8 @@ optional_policy(` +@@ -174,6 +238,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -72393,7 +72449,7 @@ index 15832c7..bb2ac39 100644 ') optional_policy(` -@@ -181,6 +246,28 @@ optional_policy(` +@@ -181,6 +247,28 @@ optional_policy(` ') optional_policy(` @@ -72422,7 +72478,7 @@ index 15832c7..bb2ac39 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -188,21 +275,87 @@ optional_policy(` +@@ -188,21 +276,87 @@ optional_policy(` ') ') diff --git a/selinux-policy.spec b/selinux-policy.spec index d77d15e..dc18443 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 61%{?dist} +Release: 62%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,13 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Nov 28 2011 Miroslav Grepl 3.10.0-62 +- Add fs_read_fusefs_dirs interface +- Allow mailman to read /dev/urandom +- Allow clamd to read spamd pid file +- Allow mount to read /dev/urandom +- Add use_fusefs_home_dirs also for system_dbus_t + * Fri Nov 25 2011 Miroslav Grepl 3.10.0-61 - Needs to require new version policycoreutils