From 19d3c68d0d01c78cd109afad6b9f2274a60a2592 Mon Sep 17 00:00:00 2001
From: Miroslav <mgrepl@redhat.com>
Date: Nov 16 2011 13:20:04 +0000
Subject: - Add ssh_dontaudit_search_home_dir

- Changes to allow namespace_init_t to work
- Add interface to allow exec of mongod, add port definition for mongod port, 27017
- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
- Allow spamd and clamd to steam connect to each other
- Add policy label for passwd.OLD
- More fixes for postfix and postfix maildro
- Add ftp support for mozilla plugins
- Useradd now needs to manage policy since it calls libsemanage
- Fix devicekit_manage_log_files() interface
- Allow colord to execute ifconfig
- Allow accountsd to read /sys
- Allow mysqld-safe to execute shell
- Allow openct to stream connect to pcscd
- Add label for /var/run/nm-dns-dnsmasq\.conf
- Allow networkmanager to chat with virtd_t

---

diff --git a/policy-F16.patch b/policy-F16.patch
index 24fcf61..8275a64 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -226,7 +226,7 @@ index 4705ab6..0f0bb47 100644
 +gen_tunable(allow_console_login,false)
 +
 diff --git a/policy/mcs b/policy/mcs
-index df8e0fa..92b6177 100644
+index df8e0fa..09eea90 100644
 --- a/policy/mcs
 +++ b/policy/mcs
 @@ -69,16 +69,32 @@ gen_levels(1,mcs_num_cats)
@@ -266,7 +266,23 @@ index df8e0fa..92b6177 100644
  
  # New filesystem object labels must be dominated by the relabeling subject
  # clearance, also the objects are single-level.
-@@ -101,6 +117,9 @@ mlsconstrain process { ptrace }
+@@ -87,10 +103,13 @@ mlsconstrain file { create relabelto }
+ 
+ # new file labels must be dominated by the relabeling subject clearance
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
+-	( h1 dom h2 );
++	(( h1 dom h2 ) or ( t1 == mcswriteall ));
++
++mlsconstrain { file lnk_file fifo_file } { create relabelto }
++	( l2 eq h2 );
+ 
+ mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
+-	(( h1 dom h2 ) and ( l2 eq h2 ));
++	( h1 dom h2 );
+ 
+ mlsconstrain process { transition dyntransition }
+ 	(( h1 dom h2 ) or ( t1 == mcssetcats ));
+@@ -101,6 +120,9 @@ mlsconstrain process { ptrace }
  mlsconstrain process { sigkill sigstop }
  	(( h1 dom h2 ) or ( t1 == mcskillall ));
  
@@ -276,7 +292,7 @@ index df8e0fa..92b6177 100644
  #
  # MCS policy for SELinux-enabled databases
  #
-@@ -144,4 +163,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +166,21 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
  mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
  	( h1 dom h2 );
  
@@ -2790,7 +2806,7 @@ index d33daa8..8ba0f86 100644
 +	allow rpm_script_t $1:process sigchld;
 +')
 diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
-index 47a8f7d..17b5426 100644
+index 47a8f7d..a485d76 100644
 --- a/policy/modules/admin/rpm.te
 +++ b/policy/modules/admin/rpm.te
 @@ -1,10 +1,11 @@
@@ -3002,17 +3018,15 @@ index 47a8f7d..17b5426 100644
  	tzdata_domtrans(rpm_t)
  	tzdata_domtrans(rpm_script_t)
  ')
-@@ -377,8 +417,9 @@ optional_policy(`
+@@ -377,7 +417,7 @@ optional_policy(`
  ')
  
  optional_policy(`
 -	unconfined_domain(rpm_script_t)
 +	unconfined_domain_noaudit(rpm_script_t)
  	unconfined_domtrans(rpm_script_t)
-+	unconfined_execmem_domtrans(rpm_script_t)
  
  	optional_policy(`
- 		java_domtrans_unconfined(rpm_script_t)
 diff --git a/policy/modules/admin/sectoolm.te b/policy/modules/admin/sectoolm.te
 index c8ef84b..eb4bd05 100644
 --- a/policy/modules/admin/sectoolm.te
@@ -3547,7 +3561,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..634c47a 100644
+index 975af1a..748db5b 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
 @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -3558,9 +3572,11 @@ index 975af1a..634c47a 100644
  		attribute sudodomain;
  	')
  
-@@ -47,26 +48,11 @@ template(`sudo_role_template',`
+@@ -46,27 +47,13 @@ template(`sudo_role_template',`
+ 	domain_role_change_exemption($1_sudo_t)
  	ubac_constrained($1_sudo_t)
  	role $2 types $1_sudo_t;
++	userdom_home_manager($1_sudo_t)
  
 -	##############################
 -	#
@@ -3589,7 +3605,7 @@ index 975af1a..634c47a 100644
  
  	allow $1_sudo_t $3:key search;
  
-@@ -76,88 +62,19 @@ template(`sudo_role_template',`
+@@ -76,88 +63,19 @@ template(`sudo_role_template',`
  	# By default, revert to the calling domain when a shell is executed.
  	corecmd_shell_domtrans($1_sudo_t, $3)
  	corecmd_bin_domtrans($1_sudo_t, $3)
@@ -3684,7 +3700,7 @@ index 975af1a..634c47a 100644
  ')
  
  ########################################
-@@ -177,3 +94,22 @@ interface(`sudo_sigchld',`
+@@ -177,3 +95,22 @@ interface(`sudo_sigchld',`
  
  	allow $1 sudodomain:process sigchld;
  ')
@@ -3708,10 +3724,10 @@ index 975af1a..634c47a 100644
 +	can_exec($1, sudo_exec_t)
 +')
 diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index 2731fa1..71bf5e8 100644
+index 2731fa1..9ce39dd 100644
 --- a/policy/modules/admin/sudo.te
 +++ b/policy/modules/admin/sudo.te
-@@ -7,3 +7,112 @@ attribute sudodomain;
+@@ -7,3 +7,104 @@ attribute sudodomain;
  
  type sudo_exec_t;
  application_executable_file(sudo_exec_t)
@@ -3809,14 +3825,6 @@ index 2731fa1..71bf5e8 100644
 +userdom_search_admin_dir(sudodomain)
 +userdom_manage_all_users_keys(sudodomain)
 +
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_files(sudodomain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_files(sudodomain)
-+')
-+
 +optional_policy(`
 +	dbus_system_bus_client(sudodomain)
 +')
@@ -4194,7 +4202,7 @@ index 81fb26f..66cf96c 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..cc0406f 100644
+index 441cf22..6bcfc8c 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto;
@@ -4421,7 +4429,15 @@ index 441cf22..cc0406f 100644
  auth_manage_shadow(useradd_t)
  auth_relabel_shadow(useradd_t)
  auth_etc_filetrans_shadow(useradd_t)
-@@ -498,21 +517,11 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -495,24 +514,19 @@ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
+ seutil_domtrans_semanage(useradd_t)
+ seutil_domtrans_setfiles(useradd_t)
++seutil_domtrans_loadpolicy(useradd_t)
++seutil_manage_bin_policy(useradd_t)
++seutil_manage_module_store(useradd_t)
++seutil_get_semanage_trans_lock(useradd_t)
++seutil_get_semanage_read_lock(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -4550,7 +4566,7 @@ index 283ff0d..53f9ba1 100644
  ## </summary>
  ## <param name="domain">
 diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
-index 46ea44f..f7183ef 100644
+index 46ea44f..49ce279 100644
 --- a/policy/modules/apps/cdrecord.te
 +++ b/policy/modules/apps/cdrecord.te
 @@ -56,7 +56,7 @@ logging_send_syslog_msg(cdrecord_t)
@@ -4562,6 +4578,19 @@ index 46ea44f..f7183ef 100644
  userdom_read_user_home_content_files(cdrecord_t)
  
  # Handle nfs home dirs
+@@ -109,11 +109,7 @@ tunable_policy(`cdrecord_read_content',`
+ 	userdom_dontaudit_read_user_home_content_files(cdrecord_t)
+ ')
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	files_search_mnt(cdrecord_t)
+-	fs_read_nfs_files(cdrecord_t)
+-	fs_read_nfs_symlinks(cdrecord_t)
+-')
++userdom_home_manager(cdrecord_t)
+ 
+ optional_policy(`
+ 	resmgr_stream_connect(cdrecord_t)
 diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
 new file mode 100644
 index 0000000..5901e21
@@ -4715,10 +4744,10 @@ index 0000000..1553356
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..6c642a2
+index 0000000..acb325c
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,175 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -4813,11 +4842,6 @@ index 0000000..6c642a2
 +sysnet_dns_name_resolve(chrome_sandbox_t)
 +
 +optional_policy(`
-+	execmem_exec(chrome_sandbox_t)
-+	execmem_execmod(chrome_sandbox_t)
-+')
-+
-+optional_policy(`
 +	gnome_rw_inherited_config(chrome_sandbox_t)
 +	gnome_read_home_config(chrome_sandbox_t)
 +')
@@ -5052,215 +5076,6 @@ index cd70958..e8c94b1 100644
 -optional_policy(`
 -	nscd_socket_use(evolution_webcal_t)
 -')
-diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
-new file mode 100644
-index 0000000..5e09952
---- /dev/null
-+++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,49 @@
-+
-+/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/darcs 		--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/dosbox		--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/haddock.*  	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/hasktags   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/plasma-desktop	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/runghc	   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/runhaskell	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/sbcl	     	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/skype		--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/bin/valgrind	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/sbin/vboxadd-service 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/sbin/VBox.* 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+ifdef(`distro_gentoo',`
-+/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+')
-+/usr/lib/chromium-browser/chromium-browser  gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/erlang/erts-[^/]+/bin/beam.smp --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/R/bin/exec/R	   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/usr/libexec/ghc-[^/]+/.*bin  --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/libexec/ghc-[^/]+/ghc.*  --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/ghc-[^/]+/ghc.*  --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/virtualbox/VirtualBox  --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/real/(.*/)?realplay\.bin	    --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/secondlife-install/bin/SLPlugin --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/real/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/usr/lib/gimp/[^/]+/plug-ins/help-browser -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib/thunderbird-[^/]+/thunderbird-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Application -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+
-+/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/local/Wolfram/Mathematica(/.*)?MathKernel	  -- gen_context(system_u:object_r:execmem_exec_t,s0)
-diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if
-new file mode 100644
-index 0000000..e23f640
---- /dev/null
-+++ b/policy/modules/apps/execmem.if
-@@ -0,0 +1,132 @@
-+## <summary>execmem domain</summary>
-+
-+########################################
-+## <summary>
-+##	Execute the execmem program
-+##	in the caller domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`execmem_exec',`
-+	gen_require(`
-+		type execmem_exec_t;
-+	')
-+
-+	can_exec($1, execmem_exec_t)
-+')
-+
-+#######################################
-+## <summary>
-+##	The role template for the execmem module.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for execmem applications.
-+##	</p>
-+## </desc>
-+## <param name="role_prefix">
-+##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+template(`execmem_role_template',`
-+	gen_require(`
-+		type execmem_exec_t;
-+	')
-+
-+	type $1_execmem_t;
-+	domain_type($1_execmem_t)
-+	domain_entry_file($1_execmem_t, execmem_exec_t)
-+	role $2 types $1_execmem_t;
-+
-+	userdom_unpriv_usertype($1, $1_execmem_t)
-+	userdom_manage_tmp_role($2, $1_execmem_t)
-+	userdom_manage_tmpfs_role($2, $1_execmem_t)
-+
-+	allow $1_execmem_t self:process { execmem execstack };
-+	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
-+	domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
-+
-+	files_execmod_tmp($1_execmem_t)
-+
-+	allow $3 execmem_exec_t:file execmod;
-+	allow $1_execmem_t execmem_exec_t:file execmod;
-+
-+	# needed by plasma-desktop
-+	optional_policy(`
-+		gnome_read_usr_config($1_execmem_t)
-+	')
-+	
-+	optional_policy(`
-+		mozilla_execmod_user_home_files($1_execmem_t)
-+	')
-+
-+	optional_policy(`
-+		nsplugin_rw_shm($1_execmem_t)
-+		nsplugin_rw_semaphores($1_execmem_t)
-+	')
-+
-+	optional_policy(`
-+		xserver_role($2, $1_execmem_t)
-+	')
-+')
-+
-+########################################
-+## <summary>
-+##	Execute a execmem_exec file
-+##	in the specified domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="target_domain">
-+##	<summary>
-+##	The type of the new process.
-+##	</summary>
-+## </param>
-+#
-+interface(`execmem_domtrans',`
-+	gen_require(`
-+		type execmem_exec_t;
-+	')
-+
-+	domtrans_pattern($1, execmem_exec_t, $2)
-+')
-+
-+########################################
-+## <summary>
-+##	Execmod the execmem_exec applications
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`execmem_execmod',`
-+	gen_require(`
-+		type execmem_exec_t;
-+	')
-+
-+	allow $1 execmem_exec_t:file execmod;
-+')
-+
-diff --git a/policy/modules/apps/execmem.te b/policy/modules/apps/execmem.te
-new file mode 100644
-index 0000000..a7d37e2
---- /dev/null
-+++ b/policy/modules/apps/execmem.te
-@@ -0,0 +1,10 @@
-+policy_module(execmem, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type execmem_exec_t alias unconfined_execmem_exec_t;
-+application_executable_file(execmem_exec_t)
-+
 diff --git a/policy/modules/apps/firewallgui.fc b/policy/modules/apps/firewallgui.fc
 new file mode 100644
 index 0000000..ce498b3
@@ -5409,18 +5224,47 @@ index ac4f509..4b7b763 100644
  ')
  
 diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
-index 6e4add5..10a2ce4 100644
+index 6e4add5..5c81832 100644
 --- a/policy/modules/apps/gift.te
 +++ b/policy/modules/apps/gift.te
-@@ -132,7 +132,7 @@ miscfiles_read_localization(giftd_t)
+@@ -70,17 +70,7 @@ sysnet_read_config(gift_t)
+ # giftui looks in .icons, .themes.
+ userdom_dontaudit_read_user_home_content_files(gift_t)
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(gift_t)
+-	fs_manage_nfs_files(gift_t)
+-	fs_manage_nfs_symlinks(gift_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(gift_t)
+-	fs_manage_cifs_files(gift_t)
+-	fs_manage_cifs_symlinks(gift_t)
+-')
++userdom_home_manager(gift_t)
+ 
+ optional_policy(`
+ 	nscd_socket_use(gift_t)
+@@ -132,16 +122,5 @@ miscfiles_read_localization(giftd_t)
  
  sysnet_read_config(giftd_t)
  
 -userdom_use_user_terminals(giftd_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(giftd_t)
+-	fs_manage_nfs_files(giftd_t)
+-	fs_manage_nfs_symlinks(giftd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(giftd_t)
+-	fs_manage_cifs_files(giftd_t)
+-	fs_manage_cifs_symlinks(giftd_t)
+-')
 +userdom_use_inherited_user_terminals(giftd_t)
- 
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_manage_nfs_dirs(giftd_t)
++userdom_home_manager(gitd_t)
 diff --git a/policy/modules/apps/gnome.fc b/policy/modules/apps/gnome.fc
 index 00a19e3..9f6139c 100644
 --- a/policy/modules/apps/gnome.fc
@@ -5474,10 +5318,10 @@ index 00a19e3..9f6139c 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..deab06c 100644
+index f5afe78..8fe4b66 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,786 @@
+@@ -1,44 +1,819 @@
  ## <summary>GNU network object model environment (GNOME)</summary>
  
 -############################################################
@@ -5552,6 +5396,8 @@ index f5afe78..deab06c 100644
 +	ubac_constrained($1_gkeyringd_t)
 +	domain_user_exemption_target($1_gkeyringd_t)
 +
++	userdom_home_manager($1_gkeyringd_t)
++
 +	role $2 types $1_gkeyringd_t;
 +
 +	domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
@@ -5780,6 +5626,37 @@ index f5afe78..deab06c 100644
 +
 +########################################
 +## <summary>
++##	Create objects in a Gnome cache home directory
++##	with an automatic type transition to
++##	a specified private type.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private_type">
++##	<summary>
++##	The type of the object to create.
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The class of the object to be created.
++##	</summary>
++## </param>
++#
++interface(`gnome_config_filetrans',`
++	gen_require(`
++		type config_home_t;
++	')
++
++	filetrans_pattern($1, config_home_t, $2, $3, $4)
++	userdom_search_user_home_dirs($1)
++')
++
++########################################
++## <summary>
 +##	Read generic cache home files (.cache)
 +## </summary>
 +## <param name="domain">
@@ -6283,7 +6160,7 @@ index f5afe78..deab06c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -46,37 +788,117 @@ interface(`gnome_role',`
+@@ -46,37 +821,117 @@ interface(`gnome_role',`
  ##	</summary>
  ## </param>
  #
@@ -6411,7 +6288,7 @@ index f5afe78..deab06c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -84,37 +906,53 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +939,53 @@ template(`gnome_read_gconf_config',`
  ##	</summary>
  ## </param>
  #
@@ -6476,7 +6353,7 @@ index f5afe78..deab06c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,17 +960,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +993,17 @@ interface(`gnome_stream_connect_gconf',`
  ##	</summary>
  ## </param>
  #
@@ -6498,7 +6375,7 @@ index f5afe78..deab06c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +978,299 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1011,299 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -6815,7 +6692,7 @@ index f5afe78..deab06c 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..45b4ca9 100644
+index 2505654..14d7e30 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,29 @@ policy_module(gnome, 2.1.0)
@@ -6893,7 +6770,7 @@ index 2505654..45b4ca9 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +113,168 @@ optional_policy(`
+@@ -75,3 +113,151 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -6937,15 +6814,7 @@ index 2505654..45b4ca9 100644
 +	policykit_read_reload(gconfdefaultsm_t)
 +')
 +
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_dirs(gconfdefaultsm_t)
-+	fs_manage_nfs_files(gconfdefaultsm_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_dirs(gconfdefaultsm_t)
-+	fs_manage_cifs_files(gconfdefaultsm_t)
-+')
++userdom_home_manager(gconfdefaultsm_t)
 +
 +#######################################
 +#
@@ -7017,6 +6886,7 @@ index 2505654..45b4ca9 100644
 +
 +dev_read_rand(gkeyringd_domain)
 +dev_read_urand(gkeyringd_domain)
++dev_read_sysfs(gkeyringd_domain)
 +
 +files_read_etc_files(gkeyringd_domain)
 +files_read_usr_files(gkeyringd_domain)
@@ -7052,16 +6922,6 @@ index 2505654..45b4ca9 100644
 +
 +userdom_use_inherited_user_terminals(gnome_domain)
 +
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_getattr_nfs(gkeyringd_domain)
-+	fs_manage_nfs_dirs(gkeyringd_domain)
-+	fs_manage_nfs_files(gkeyringd_domain)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_dirs(gkeyringd_domain)
-+	fs_manage_cifs_files(gkeyringd_domain)
-+')
 diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
 index e9853d4..6864b58 100644
 --- a/policy/modules/apps/gpg.fc
@@ -7147,7 +7007,7 @@ index 40e0a2a..93d212c 100644
  ## <summary>
  ##	Send generic signals to user gpg processes.
 diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
-index 9050e8c..401a4ec 100644
+index 9050e8c..80f8c31 100644
 --- a/policy/modules/apps/gpg.te
 +++ b/policy/modules/apps/gpg.te
 @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0)
@@ -7205,7 +7065,7 @@ index 9050e8c..401a4ec 100644
  
  manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
  manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
-@@ -123,11 +139,14 @@ logging_send_syslog_msg(gpg_t)
+@@ -123,22 +139,26 @@ logging_send_syslog_msg(gpg_t)
  
  miscfiles_read_localization(gpg_t)
  
@@ -7222,21 +7082,25 @@ index 9050e8c..401a4ec 100644
  
  mta_write_config(gpg_t)
  
-@@ -142,20 +161,33 @@ tunable_policy(`use_samba_home_dirs',`
- ')
- 
- optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(gpg_t)
+-	fs_manage_nfs_files(gpg_t)
++userdom_home_manager(gpg_t)
++
++optional_policy(`
 +	gnome_read_config(gpg_t)
 +	gnome_stream_connect_gkeyringd(gpg_t)
-+')
-+
+ ')
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(gpg_t)
+-	fs_manage_cifs_files(gpg_t)
 +optional_policy(`
 +	mta_read_spool(gpg_t)
-+')
-+
-+optional_policy(`
- 	mozilla_read_user_home_files(gpg_t)
- 	mozilla_write_user_home_files(gpg_t)
+ ')
+ 
+ optional_policy(`
+@@ -147,15 +167,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7260,7 +7124,7 @@ index 9050e8c..401a4ec 100644
  ########################################
  #
  # GPG helper local policy
-@@ -191,7 +223,7 @@ files_read_etc_files(gpg_helper_t)
+@@ -191,7 +215,7 @@ files_read_etc_files(gpg_helper_t)
  
  auth_use_nsswitch(gpg_helper_t)
  
@@ -7269,7 +7133,7 @@ index 9050e8c..401a4ec 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -205,11 +237,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -205,11 +229,12 @@ tunable_policy(`use_samba_home_dirs',`
  #
  # GPG agent local policy
  #
@@ -7283,7 +7147,7 @@ index 9050e8c..401a4ec 100644
  allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
  
  # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
-@@ -239,19 +272,20 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+@@ -239,34 +264,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
  miscfiles_read_localization(gpg_agent_t)
  
  # Write to the user domain tty.
@@ -7306,7 +7170,23 @@ index 9050e8c..401a4ec 100644
  	userdom_manage_user_home_content_dirs(gpg_agent_t)
  	userdom_manage_user_home_content_files(gpg_agent_t)
  ')
-@@ -332,6 +366,10 @@ miscfiles_read_localization(gpg_pinentry_t)
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(gpg_agent_t)
+-	fs_manage_nfs_files(gpg_agent_t)
+-	fs_manage_nfs_symlinks(gpg_agent_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(gpg_agent_t)
+-	fs_manage_cifs_files(gpg_agent_t)
+-	fs_manage_cifs_symlinks(gpg_agent_t)
+-')
++userdom_home_manager(gpg_agent_t)
+ 
+ optional_policy(`
+ 	mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
+@@ -332,13 +348,15 @@ miscfiles_read_localization(gpg_pinentry_t)
  # for .Xauthority
  userdom_read_user_home_content_files(gpg_pinentry_t)
  userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -7315,18 +7195,19 @@ index 9050e8c..401a4ec 100644
 +userdom_signull_unpriv_users(gpg_pinentry_t)
 +userdom_use_user_terminals(gpg_pinentry_t)
  
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_read_nfs_files(gpg_pinentry_t)
-@@ -342,11 +380,21 @@ tunable_policy(`use_samba_home_dirs',`
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_read_nfs_files(gpg_pinentry_t)
+-')
++userdom_home_reader(gpg_pinentry_t)
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_read_cifs_files(gpg_pinentry_t)
++optional_policy(`
++	gnome_read_home_config(gpg_pinentry_t)
  ')
  
  optional_policy(`
-+	gnome_read_home_config(gpg_pinentry_t)
-+')
-+
-+optional_policy(`
- 	dbus_session_bus_client(gpg_pinentry_t)
- 	dbus_system_bus_client(gpg_pinentry_t)
+@@ -347,6 +365,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -7339,7 +7220,7 @@ index 9050e8c..401a4ec 100644
  	pulseaudio_exec(gpg_pinentry_t)
  	pulseaudio_rw_home_files(gpg_pinentry_t)
  	pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -356,4 +404,28 @@ optional_policy(`
+@@ -356,4 +380,28 @@ optional_policy(`
  
  optional_policy(`
  	xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -7422,7 +7303,7 @@ index 4f9dc90..81a0fc6 100644
 +	relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
  ')
 diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
-index 66beb80..b69a628 100644
+index 66beb80..4bc18b6 100644
 --- a/policy/modules/apps/irc.te
 +++ b/policy/modules/apps/irc.te
 @@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t)
@@ -7456,20 +7337,27 @@ index 66beb80..b69a628 100644
  # Local policy
  #
  
-@@ -84,7 +108,7 @@ seutil_use_newrole_fds(irc_t)
+@@ -84,20 +108,75 @@ seutil_use_newrole_fds(irc_t)
  sysnet_read_config(irc_t)
  
  # Write to the user domain tty.
 -userdom_use_user_terminals(irc_t)
 +userdom_use_inherited_user_terminals(irc_t)
  
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_manage_nfs_dirs(irc_t)
-@@ -101,3 +125,78 @@ tunable_policy(`use_samba_home_dirs',`
- optional_policy(`
- 	nis_use_ypbind(irc_t)
- ')
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(irc_t)
+-	fs_manage_nfs_files(irc_t)
+-	fs_manage_nfs_symlinks(irc_t)
++userdom_home_manager(irc_t)
 +
++optional_policy(`
++	nis_use_ypbind(irc_t)
+ ')
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(irc_t)
+-	fs_manage_cifs_files(irc_t)
+-	fs_manage_cifs_symlinks(irc_t)
 +########################################
 +#
 +# Irssi personal declarations.
@@ -7527,162 +7415,13 @@ index 66beb80..b69a628 100644
 +	corenet_tcp_connect_all_ports(irssi_t)
 +	corenet_sendrecv_generic_server_packets(irssi_t)
 +	corenet_sendrecv_all_client_packets(irssi_t)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs', `
-+	fs_manage_nfs_dirs(irssi_t)
-+	fs_manage_nfs_files(irssi_t)
-+	fs_manage_nfs_symlinks(irssi_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs', `
-+	fs_manage_cifs_dirs(irssi_t)
-+	fs_manage_cifs_files(irssi_t)
-+	fs_manage_cifs_symlinks(irssi_t)
-+')
-+
-+optional_policy(`
-+	automount_dontaudit_getattr_tmp_dirs(irssi_t)
-+')
-diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
-index 86c1768..5d2130c 100644
---- a/policy/modules/apps/java.fc
-+++ b/policy/modules/apps/java.fc
-@@ -5,10 +5,13 @@
- /opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
- /opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
- /opt/matlab.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/local/MATLAB.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/MATLAB.*/bin.*/MATLAB.* --	gen_context(system_u:object_r:java_exec_t,s0)
- 
- #
- # /usr
- #
-+/usr/Aptana[^/]*/AptanaStudio	--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/fastjar	--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -27,12 +30,14 @@
- /usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/lib/opera(/.*)?/opera --	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/lib/opera(/.*)?/works --	gen_context(system_u:object_r:java_exec_t,s0)
--/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
- 
- /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
- 
- /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
- 
-+/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/ibm(/.*)?/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:java_exec_t,s0)
-+
- ifdef(`distro_redhat',`
- /usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:java_exec_t,s0)
- ')
-diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
-index e6d84e8..7c398c0 100644
---- a/policy/modules/apps/java.if
-+++ b/policy/modules/apps/java.if
-@@ -72,7 +72,8 @@ template(`java_role_template',`
- 
- 	domain_interactive_fd($1_java_t)
- 
--	userdom_manage_user_tmpfs_files($1_java_t)
-+	userdom_unpriv_usertype($1, $1_java_t)
-+	userdom_manage_tmpfs_role($2, $1_java_t)
- 
- 	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
- 
-@@ -82,7 +83,7 @@ template(`java_role_template',`
- 
- 	domtrans_pattern($3, java_exec_t, $1_java_t)
- 
--	corecmd_bin_domtrans($1_java_t, $3)
-+	corecmd_bin_domtrans($1_java_t, $1_t)
- 
- 	dev_dontaudit_append_rand($1_java_t)
- 
-@@ -105,7 +106,7 @@ template(`java_role_template',`
- ##	</summary>
- ## </param>
- #
--template(`java_domtrans',`
-+interface(`java_domtrans',`
- 	gen_require(`
- 		type java_t, java_exec_t;
- 	')
-@@ -179,6 +180,10 @@ interface(`java_run_unconfined',`
- 
- 	java_domtrans_unconfined($1)
- 	role $2 types unconfined_java_t;
-+
-+	optional_policy(`
-+		nsplugin_role_notrans($2, unconfined_java_t)
-+	')
  ')
  
- ########################################
-diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
-index 167950d..27d37b0 100644
---- a/policy/modules/apps/java.te
-+++ b/policy/modules/apps/java.te
-@@ -82,18 +82,20 @@ dev_read_urand(java_t)
- dev_read_rand(java_t)
- dev_dontaudit_append_rand(java_t)
- 
-+files_read_etc_files(java_t)
- files_read_usr_files(java_t)
- files_search_home(java_t)
- files_search_var_lib(java_t)
- files_read_etc_runtime_files(java_t)
- # Read global fonts and font config
--files_read_etc_files(java_t)
- 
- fs_getattr_xattr_fs(java_t)
- fs_dontaudit_rw_tmpfs_files(java_t)
- 
- logging_send_syslog_msg(java_t)
- 
-+auth_use_nsswitch(java_t)
++userdom_home_manager(irssi_t)
 +
- miscfiles_read_localization(java_t)
- # Read global fonts and font config
- miscfiles_read_fonts(java_t)
-@@ -123,14 +125,6 @@ tunable_policy(`allow_java_execstack',`
- ')
- 
  optional_policy(`
--	nis_use_ypbind(java_t)
--')
--
--optional_policy(`
--	nscd_socket_use(java_t)
--')
--
--optional_policy(`
- 	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
- ')
- 
-@@ -143,14 +137,21 @@ optional_policy(`
- 	# execheap is needed for itanium/BEA jrocket
- 	allow unconfined_java_t self:process { execstack execmem execheap };
- 
-+	init_dbus_chat_script(unconfined_java_t)
-+
- 	files_execmod_all_files(unconfined_java_t)
- 
- 	init_dbus_chat_script(unconfined_java_t)
- 
- 	unconfined_domain_noaudit(unconfined_java_t)
- 	unconfined_dbus_chat(unconfined_java_t)
-+	userdom_unpriv_usertype(unconfined, unconfined_java_t)
- 
- 	optional_policy(`
- 		rpm_domtrans(unconfined_java_t)
- 	')
-+
-+	optional_policy(`
-+        wine_domtrans(unconfined_java_t)
-+    ')
+-	nis_use_ypbind(irc_t)
++	automount_dontaudit_getattr_tmp_dirs(irssi_t)
  ')
 diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
 new file mode 100644
@@ -7944,44 +7683,6 @@ index 0bac996..ca2388d 100644
 -userdom_use_user_terminals(lockdev_t)
 +userdom_use_inherited_user_terminals(lockdev_t)
  
-diff --git a/policy/modules/apps/mono.if b/policy/modules/apps/mono.if
-index 7b08e13..b2b83ad 100644
---- a/policy/modules/apps/mono.if
-+++ b/policy/modules/apps/mono.if
-@@ -40,16 +40,16 @@ template(`mono_role_template',`
- 	domain_interactive_fd($1_mono_t)
- 	application_type($1_mono_t)
- 
--	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
--
--	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
-+	allow $1_mono_t self:process { signal getsched execheap execmem execstack };
-+	allow $3 $1_mono_t:process { getattr noatsecure signal_perms };
- 
- 	domtrans_pattern($3, mono_exec_t, $1_mono_t)
- 
- 	fs_dontaudit_rw_tmpfs_files($1_mono_t)
- 	corecmd_bin_domtrans($1_mono_t, $1_t)
- 
--	userdom_manage_user_tmpfs_files($1_mono_t)
-+	userdom_unpriv_usertype($1, $1_mono_t)
-+	userdom_manage_tmpfs_role($2, $1_mono_t)
- 
- 	optional_policy(`
- 		xserver_role($1_r, $1_mono_t)
-diff --git a/policy/modules/apps/mono.te b/policy/modules/apps/mono.te
-index dff0f12..ecab36d 100644
---- a/policy/modules/apps/mono.te
-+++ b/policy/modules/apps/mono.te
-@@ -15,7 +15,7 @@ init_system_domain(mono_t, mono_exec_t)
- # Local policy
- #
- 
--allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
-+allow mono_t self:process { signal getsched execheap execmem execstack };
- 
- init_dbus_chat_script(mono_t)
- 
 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
 index 93ac529..35b51ab 100644
 --- a/policy/modules/apps/mozilla.fc
@@ -8170,7 +7871,7 @@ index fbb5c5a..b9b8ac2 100644
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
  ')
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..69e2534 100644
+index 2e9318b..add01a5 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -8213,7 +7914,7 @@ index 2e9318b..69e2534 100644
  logging_send_syslog_msg(mozilla_t)
  
  miscfiles_read_fonts(mozilla_t)
-@@ -165,14 +172,18 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -165,27 +172,21 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
  # Browse the web, connect to printer
  sysnet_dns_name_resolve(mozilla_t)
  
@@ -8228,14 +7929,26 @@ index 2e9318b..69e2534 100644
 -	allow mozilla_t self:process { execmem execstack };
 +tunable_policy(`allow_execstack',`
 +	allow mozilla_t self:process execstack;
-+')
-+
+ ')
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(mozilla_t)
+-	fs_manage_nfs_files(mozilla_t)
+-	fs_manage_nfs_symlinks(mozilla_t)
 +tunable_policy(`deny_execmem',`',`
 +	allow mozilla_t self:process execmem;
  ')
  
- tunable_policy(`use_nfs_home_dirs',`
-@@ -262,6 +273,7 @@ optional_policy(`
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mozilla_t)
+-	fs_manage_cifs_files(mozilla_t)
+-	fs_manage_cifs_symlinks(mozilla_t)
+-')
++userdom_home_manager(mozilla_t)
+ 
+ # Uploads, local html
+ tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
+@@ -262,6 +263,7 @@ optional_policy(`
  optional_policy(`
  	gnome_stream_connect_gconf(mozilla_t)
  	gnome_manage_config(mozilla_t)
@@ -8243,7 +7956,7 @@ index 2e9318b..69e2534 100644
  ')
  
  optional_policy(`
-@@ -278,7 +290,8 @@ optional_policy(`
+@@ -278,7 +280,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -8253,7 +7966,7 @@ index 2e9318b..69e2534 100644
  ')
  
  optional_policy(`
-@@ -296,16 +309,19 @@ optional_policy(`
+@@ -296,16 +299,19 @@ optional_policy(`
  # mozilla_plugin local policy
  #
  
@@ -8277,7 +7990,7 @@ index 2e9318b..69e2534 100644
  
  can_exec(mozilla_plugin_t, mozilla_home_t)
  read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
-@@ -313,8 +329,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+@@ -313,8 +319,10 @@ read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
  manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
  manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -8290,7 +8003,7 @@ index 2e9318b..69e2534 100644
  
  manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
  manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -332,11 +350,9 @@ kernel_request_load_module(mozilla_plugin_t)
+@@ -332,11 +340,9 @@ kernel_request_load_module(mozilla_plugin_t)
  corecmd_exec_bin(mozilla_plugin_t)
  corecmd_exec_shell(mozilla_plugin_t)
  
@@ -8304,17 +8017,19 @@ index 2e9318b..69e2534 100644
  corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
  corenet_tcp_connect_http_port(mozilla_plugin_t)
  corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-@@ -344,6 +360,9 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
+@@ -344,6 +350,11 @@ corenet_tcp_connect_squid_port(mozilla_plugin_t)
  corenet_tcp_connect_ipp_port(mozilla_plugin_t)
  corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
  corenet_tcp_connect_speech_port(mozilla_plugin_t)
 +corenet_tcp_connect_streaming_port(mozilla_plugin_t)
++corenet_tcp_connect_ftp_port(mozilla_plugin_t)
++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
 +corenet_tcp_bind_generic_node(mozilla_plugin_t)
 +corenet_udp_bind_generic_node(mozilla_plugin_t)
  
  dev_read_rand(mozilla_plugin_t)
  dev_read_urand(mozilla_plugin_t)
-@@ -385,20 +404,26 @@ term_getattr_all_ttys(mozilla_plugin_t)
+@@ -385,33 +396,29 @@ term_getattr_all_ttys(mozilla_plugin_t)
  term_getattr_all_ptys(mozilla_plugin_t)
  
  userdom_rw_user_tmpfs_files(mozilla_plugin_t)
@@ -8343,8 +8058,22 @@ index 2e9318b..69e2534 100644
 +	allow mozilla_plugin_t self:process execstack;
  ')
  
- tunable_policy(`use_nfs_home_dirs',`
-@@ -425,7 +450,13 @@ optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(mozilla_plugin_t)
+-	fs_manage_nfs_files(mozilla_plugin_t)
+-	fs_manage_nfs_symlinks(mozilla_plugin_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mozilla_plugin_t)
+-	fs_manage_cifs_files(mozilla_plugin_t)
+-	fs_manage_cifs_symlinks(mozilla_plugin_t)
+-')
++userdom_home_manager(mozilla_plugin_t)
+ 
+ optional_policy(`
+ 	alsa_read_rw_config(mozilla_plugin_t)
+@@ -425,7 +432,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -8358,7 +8087,7 @@ index 2e9318b..69e2534 100644
  ')
  
  optional_policy(`
-@@ -438,7 +469,14 @@ optional_policy(`
+@@ -438,7 +451,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -8374,7 +8103,7 @@ index 2e9318b..69e2534 100644
  ')
  
  optional_policy(`
-@@ -446,10 +484,27 @@ optional_policy(`
+@@ -446,10 +466,27 @@ optional_policy(`
  	pulseaudio_stream_connect(mozilla_plugin_t)
  	pulseaudio_setattr_home_dir(mozilla_plugin_t)
  	pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -8447,7 +8176,7 @@ index d8ea41d..8bdc526 100644
 +	domtrans_pattern($1, mplayer_exec_t, $2)
 +')
 diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
-index 072a210..8b1fa1b 100644
+index 072a210..320963b 100644
 --- a/policy/modules/apps/mplayer.te
 +++ b/policy/modules/apps/mplayer.te
 @@ -32,6 +32,7 @@ files_config_file(mplayer_etc_t)
@@ -8458,7 +8187,7 @@ index 072a210..8b1fa1b 100644
  userdom_user_home_content(mplayer_home_t)
  
  type mplayer_tmpfs_t;
-@@ -76,7 +77,7 @@ storage_raw_read_removable_device(mencoder_t)
+@@ -76,13 +77,14 @@ storage_raw_read_removable_device(mencoder_t)
  
  miscfiles_read_localization(mencoder_t)
  
@@ -8467,7 +8196,14 @@ index 072a210..8b1fa1b 100644
  # Handle removable media, /tmp, and /home
  userdom_list_user_tmp(mencoder_t)
  userdom_read_user_tmp_files(mencoder_t)
-@@ -91,7 +92,7 @@ ifndef(`enable_mls',`
+ userdom_read_user_tmp_symlinks(mencoder_t)
+ userdom_read_user_home_content_files(mencoder_t)
+ userdom_read_user_home_content_symlinks(mencoder_t)
++userdom_home_manager(mencoder_t)
+ 
+ # Read content to encode
+ ifndef(`enable_mls',`
+@@ -91,7 +93,7 @@ ifndef(`enable_mls',`
  	fs_read_removable_symlinks(mencoder_t)
  ')
  
@@ -8476,7 +8212,54 @@ index 072a210..8b1fa1b 100644
  	allow mencoder_t self:process execmem;
  ')
  
-@@ -159,6 +160,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
+@@ -103,46 +105,6 @@ tunable_policy(`allow_mplayer_execstack',`
+ 	allow mencoder_t self:process { execmem execstack };
+ ')
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(mencoder_t)
+-	fs_manage_nfs_files(mencoder_t)
+-	fs_manage_nfs_symlinks(mencoder_t)
+-
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mencoder_t)
+-	fs_manage_cifs_files(mencoder_t)
+-	fs_manage_cifs_symlinks(mencoder_t)
+-
+-')
+-
+-# Read content to encode
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_list_auto_mountpoints(mencoder_t)
+-	files_list_home(mencoder_t)
+-	fs_read_nfs_files(mencoder_t)
+-	fs_read_nfs_symlinks(mencoder_t)
+-
+-',`
+-	files_dontaudit_list_home(mencoder_t)
+-	fs_dontaudit_list_auto_mountpoints(mencoder_t)
+-	fs_dontaudit_read_nfs_files(mencoder_t)
+-	fs_dontaudit_list_nfs(mencoder_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_list_auto_mountpoints(mencoder_t)
+-	files_list_home(mencoder_t)
+-	fs_read_cifs_files(mencoder_t)
+-	fs_read_cifs_symlinks(mencoder_t)
+-',`
+-	files_dontaudit_list_home(mencoder_t)
+-	fs_dontaudit_list_auto_mountpoints(mencoder_t)
+-	fs_dontaudit_read_cifs_files(mencoder_t)
+-	fs_dontaudit_list_cifs(mencoder_t)
+-')
+-
+ ########################################
+ #
+ # mplayer local policy
+@@ -159,6 +121,7 @@ manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
  manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
  manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t)
  userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir)
@@ -8484,7 +8267,7 @@ index 072a210..8b1fa1b 100644
  
  manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
  manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
-@@ -225,10 +227,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
+@@ -225,10 +188,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
  fs_search_auto_mountpoints(mplayer_t)
  fs_list_inotifyfs(mplayer_t)
  
@@ -8500,7 +8283,15 @@ index 072a210..8b1fa1b 100644
  # Read media files
  userdom_list_user_tmp(mplayer_t)
  userdom_read_user_tmp_files(mplayer_t)
-@@ -246,7 +252,7 @@ ifdef(`enable_mls',`',`
+@@ -236,6 +203,7 @@ userdom_read_user_tmp_symlinks(mplayer_t)
+ userdom_read_user_home_content_files(mplayer_t)
+ userdom_read_user_home_content_symlinks(mplayer_t)
+ userdom_write_user_tmp_sockets(mplayer_t)
++userdom_home_manager(mplayer_t)
+ 
+ xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
+ 
+@@ -246,7 +214,7 @@ ifdef(`enable_mls',`',`
  	fs_read_removable_symlinks(mplayer_t)
  ')
  
@@ -8509,7 +8300,55 @@ index 072a210..8b1fa1b 100644
  	allow mplayer_t self:process execmem;
  ')
  
-@@ -305,7 +311,7 @@ optional_policy(`
+@@ -258,54 +226,19 @@ tunable_policy(`allow_mplayer_execstack',`
+ 	allow mplayer_t self:process { execmem execstack };
+ ')
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(mplayer_t)
+-	fs_manage_nfs_files(mplayer_t)
+-	fs_manage_nfs_symlinks(mplayer_t)
+-')
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mplayer_t)
+-	fs_manage_cifs_files(mplayer_t)
+-	fs_manage_cifs_symlinks(mplayer_t)
+-')
+-
+ # Legacy domain issues
+ tunable_policy(`allow_mplayer_execstack',`
+ 	allow mplayer_t mplayer_tmpfs_t:file execute;
+ ')
+ 
+-# Read songs
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_list_auto_mountpoints(mplayer_t)
+-	files_list_home(mplayer_t)
+-	fs_read_nfs_files(mplayer_t)
+-	fs_read_nfs_symlinks(mplayer_t)
+-
+-',`
+-	files_dontaudit_list_home(mplayer_t)
+-	fs_dontaudit_list_auto_mountpoints(mplayer_t)
+-	fs_dontaudit_read_nfs_files(mplayer_t)
+-	fs_dontaudit_list_nfs(mplayer_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_list_auto_mountpoints(mplayer_t)
+-	files_list_home(mplayer_t)
+-	fs_read_cifs_files(mplayer_t)
+-	fs_read_cifs_symlinks(mplayer_t)
+-',`
+-	files_dontaudit_list_home(mplayer_t)
+-	fs_dontaudit_list_auto_mountpoints(mplayer_t)
+-	fs_dontaudit_read_cifs_files(mplayer_t)
+-	fs_dontaudit_list_cifs(mplayer_t)
+-')
++userdom_home_manager(mplayer_t)
+ 
+ optional_policy(`
+ 	alsa_read_rw_config(mplayer_t)
  ')
  
  optional_policy(`
@@ -9122,10 +8961,10 @@ index 0000000..fce899a
 +')
 diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
 new file mode 100644
-index 0000000..3b6b4cb
+index 0000000..cc6b555
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,335 @@
+@@ -0,0 +1,327 @@
 +policy_module(nsplugin, 1.0.0)
 +
 +########################################
@@ -9336,10 +9175,6 @@ index 0000000..3b6b4cb
 +')
 +
 +optional_policy(`
-+	unconfined_execmem_signull(nsplugin_t)
-+')
-+
-+optional_policy(`
 +	sandbox_read_tmpfs_files(nsplugin_t)
 +')
 +
@@ -9457,171 +9292,6 @@ index 0000000..3b6b4cb
 +	pulseaudio_manage_home_files(nsplugin_t)
 +	pulseaudio_setattr_home_dir(nsplugin_t)
 +')
-+
-+optional_policy(`
-+	unconfined_execmem_exec(nsplugin_t)
-+')
-diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc
-new file mode 100644
-index 0000000..4428be4
---- /dev/null
-+++ b/policy/modules/apps/openoffice.fc
-@@ -0,0 +1,3 @@
-+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-+/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-+
-diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
-new file mode 100644
-index 0000000..792bf9c
---- /dev/null
-+++ b/policy/modules/apps/openoffice.if
-@@ -0,0 +1,124 @@
-+## <summary>Openoffice</summary>
-+
-+#######################################
-+## <summary>
-+##	The per role template for the openoffice module.
-+## </summary>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`openoffice_plugin_role',`
-+	gen_require(`
-+		type openoffice_exec_t;
-+		type openoffice_t;
-+	')
-+	
-+	########################################
-+	#
-+	# Local policy
-+	#
-+
-+	domtrans_pattern($1, openoffice_exec_t, openoffice_t)
-+	allow $1 openoffice_t:process { signal sigkill };
-+')
-+
-+#######################################
-+## <summary>
-+##	role for openoffice
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for java applications.
-+##	</p>
-+## </desc>
-+## <param name="role_prefix">
-+##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`openoffice_role_template',`
-+	gen_require(`
-+		type openoffice_exec_t;
-+	')
-+
-+	role $2 types $1_openoffice_t;
-+
-+	type $1_openoffice_t;
-+	domain_type($1_openoffice_t)
-+	domain_entry_file($1_openoffice_t, openoffice_exec_t)
-+	domain_interactive_fd($1_openoffice_t)
-+
-+	userdom_unpriv_usertype($1, $1_openoffice_t)
-+	userdom_exec_user_home_content_files($1_openoffice_t)
-+
-+	allow $1_openoffice_t self:process { getsched sigkill execmem execstack };
-+
-+	allow $3 $1_openoffice_t:process { getattr signal_perms noatsecure siginh rlimitinh };
-+	allow $1_openoffice_t $3:tcp_socket { read write };
-+
-+	domtrans_pattern($3, openoffice_exec_t, $1_openoffice_t)
-+
-+	dev_read_urand($1_openoffice_t)
-+	dev_read_rand($1_openoffice_t)
-+
-+	fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
-+
-+	allow $3 $1_openoffice_t:process { signal sigkill };
-+	allow $1_openoffice_t $3:unix_stream_socket connectto;
-+
-+	optional_policy(`
-+		xserver_role($2, $1_openoffice_t)
-+	')
-+')
-+
-+########################################
-+## <summary>
-+##	Execute openoffice_exec_t 
-+##	in the specified domain.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Execute a openoffice_exec_t
-+##	in the specified domain.  
-+##	</p>
-+##	<p>
-+##	No interprocess communication (signals, pipes,
-+##	etc.) is provided by this interface since
-+##	the domains are not owned by this module.
-+##	</p>
-+## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="target_domain">
-+##	<summary>
-+##	The type of the new process.
-+##	</summary>
-+## </param>
-+#
-+interface(`openoffice_exec_domtrans',`
-+	gen_require(`
-+		type openoffice_exec_t;
-+	')
-+
-+	allow $2 openoffice_exec_t:file entrypoint;
-+	domtrans_pattern($1, openoffice_exec_t, $2)
-+')
-diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
-new file mode 100644
-index 0000000..a842371
---- /dev/null
-+++ b/policy/modules/apps/openoffice.te
-@@ -0,0 +1,16 @@
-+policy_module(openoffice, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type openoffice_t;
-+type openoffice_exec_t;
-+application_domain(openoffice_t, openoffice_exec_t)
-+
-+########################################
-+#
-+# Unconfined java local policy
-+#
-+
 diff --git a/policy/modules/apps/podsleuth.te b/policy/modules/apps/podsleuth.te
 index ccc15ab..9f88c3a 100644
 --- a/policy/modules/apps/podsleuth.te
@@ -9733,18 +9403,24 @@ index f40c64d..aa9e8e2 100644
 +	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
  ')
 diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index d1eace5..5314e57 100644
+index d1eace5..3411497 100644
 --- a/policy/modules/apps/pulseaudio.te
 +++ b/policy/modules/apps/pulseaudio.te
-@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -43,8 +43,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
  manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
++manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
  userdom_search_user_home_dirs(pulseaudio_t)
-+userdom_search_admin_dir(pulseaudio_t)
  
++# ~/.esd_auth - maybe we should label this pulseaudit_home_t?
++userdom_read_user_home_content_files(pulseaudio_t)
++userdom_search_admin_dir(pulseaudio_t)
++
  manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
-@@ -53,7 +54,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+ manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+@@ -53,7 +58,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
  manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
  manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
  manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
@@ -9753,7 +9429,7 @@ index d1eace5..5314e57 100644
  
  can_exec(pulseaudio_t, pulseaudio_exec_t)
  
-@@ -85,8 +86,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t)
+@@ -85,8 +90,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t)
  fs_getattr_tmpfs(pulseaudio_t)
  fs_list_inotifyfs(pulseaudio_t)
  
@@ -9764,7 +9440,7 @@ index d1eace5..5314e57 100644
  
  auth_use_nsswitch(pulseaudio_t)
  
-@@ -94,10 +95,29 @@ logging_send_syslog_msg(pulseaudio_t)
+@@ -94,10 +99,29 @@ logging_send_syslog_msg(pulseaudio_t)
  
  miscfiles_read_localization(pulseaudio_t)
  
@@ -9798,7 +9474,7 @@ index d1eace5..5314e57 100644
  
  optional_policy(`
  	bluetooth_stream_connect(pulseaudio_t)
-@@ -127,10 +147,24 @@ optional_policy(`
+@@ -127,10 +151,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -9823,7 +9499,7 @@ index d1eace5..5314e57 100644
  	policykit_domtrans_auth(pulseaudio_t)
  	policykit_read_lib(pulseaudio_t)
  	policykit_read_reload(pulseaudio_t)
-@@ -148,3 +182,7 @@ optional_policy(`
+@@ -148,3 +186,7 @@ optional_policy(`
  	xserver_read_xdm_pid(pulseaudio_t)
  	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
  ')
@@ -11010,7 +10686,7 @@ index c8254dd..340a2d7 100644
  /var/run/screen(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 +/var/run/tmux(/.*)?			gen_context(system_u:object_r:screen_var_run_t,s0)
 diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
-index a57e81e..f9fbc60 100644
+index a57e81e..b0b3ce6 100644
 --- a/policy/modules/apps/screen.if
 +++ b/policy/modules/apps/screen.if
 @@ -25,6 +25,7 @@ template(`screen_role_template',`
@@ -11021,7 +10697,7 @@ index a57e81e..f9fbc60 100644
  	')
  
  	########################################
-@@ -32,51 +33,18 @@ template(`screen_role_template',`
+@@ -32,51 +33,20 @@ template(`screen_role_template',`
  	# Declarations
  	#
  
@@ -11066,7 +10742,8 @@ index a57e81e..f9fbc60 100644
 -	read_lnk_files_pattern($1_screen_t, screen_home_t, screen_home_t)
 -
 -	allow $1_screen_t $3:process signal;
--
++	userdom_home_reader($1_screen_t)
+ 
  	domtrans_pattern($3, screen_exec_t, $1_screen_t)
  	allow $3 $1_screen_t:process { signal sigchld };
  	dontaudit $3 $1_screen_t:unix_stream_socket { read write };
@@ -11076,7 +10753,7 @@ index a57e81e..f9fbc60 100644
  
  	manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
  	manage_dirs_pattern($3, screen_home_t, screen_home_t)
-@@ -87,77 +55,22 @@ template(`screen_role_template',`
+@@ -87,77 +57,22 @@ template(`screen_role_template',`
  	relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
  
  	manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -11155,7 +10832,7 @@ index a57e81e..f9fbc60 100644
  	')
  ')
 diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
-index 553bc73..b3b144c 100644
+index 553bc73..0bd13e3 100644
 --- a/policy/modules/apps/screen.te
 +++ b/policy/modules/apps/screen.te
 @@ -5,6 +5,8 @@ policy_module(screen, 2.3.1)
@@ -11167,7 +10844,7 @@ index 553bc73..b3b144c 100644
  type screen_exec_t;
  application_executable_file(screen_exec_t)
  
-@@ -24,3 +26,101 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t
+@@ -24,3 +26,92 @@ typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t
  typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
  files_pid_file(screen_var_run_t)
  ubac_constrained(screen_var_run_t)
@@ -11260,15 +10937,6 @@ index 553bc73..b3b144c 100644
 +userdom_setattr_user_ptys(screen_domain)
 +userdom_setattr_user_ttys(screen_domain)
 +
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_read_cifs_symlinks(screen_domain)
-+	fs_list_cifs(screen_domain)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_list_nfs(screen_domain)
-+	fs_read_nfs_symlinks(screen_domain)
-+')
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
 index 1dc7a85..a01511f 100644
 --- a/policy/modules/apps/seunshare.if
@@ -11627,7 +11295,7 @@ index 3cfb128..d49274d 100644
 +	gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
 +')
 diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..546f5a5 100644
+index 2533ea0..7942965 100644
 --- a/policy/modules/apps/telepathy.te
 +++ b/policy/modules/apps/telepathy.te
 @@ -26,12 +26,18 @@ attribute telepathy_executable;
@@ -11675,18 +11343,30 @@ index 2533ea0..546f5a5 100644
  corenet_all_recvfrom_netlabel(telepathy_gabble_t)
  corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
  corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
-@@ -112,6 +130,10 @@ optional_policy(`
- 	dbus_system_bus_client(telepathy_gabble_t)
+@@ -98,18 +116,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+ 	corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
  ')
  
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(telepathy_gabble_t)
+-	fs_manage_nfs_files(telepathy_gabble_t)
+-')
++userdom_home_manager(telepathy_gabble_t)
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(telepathy_gabble_t)
+-	fs_manage_cifs_files(telepathy_gabble_t)
 +optional_policy(`
++	dbus_system_bus_client(telepathy_gabble_t)
+ ')
+ 
+ optional_policy(`
+-	dbus_system_bus_client(telepathy_gabble_t)
 +	gnome_manage_home_config(telepathy_gabble_t)
-+')
-+
+ ')
+ 
  #######################################
- #
- # Telepathy Idle local policy.
-@@ -147,10 +169,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -147,10 +161,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
  
  allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
  
@@ -11700,19 +11380,26 @@ index 2533ea0..546f5a5 100644
  
  files_read_etc_files(telepathy_logger_t)
  files_read_usr_files(telepathy_logger_t)
-@@ -168,6 +193,11 @@ tunable_policy(`use_samba_home_dirs',`
- 	fs_manage_cifs_files(telepathy_logger_t)
- ')
+@@ -158,14 +175,11 @@ files_search_pids(telepathy_logger_t)
+ 
+ fs_getattr_all_fs(telepathy_logger_t)
  
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(telepathy_logger_t)
+-	fs_manage_nfs_files(telepathy_logger_t)
+-')
++userdom_home_manager(telepathy_logger_t)
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(telepathy_logger_t)
+-	fs_manage_cifs_files(telepathy_logger_t)
 +optional_policy(`
 +	# ~/.config/dconf/user
 +	gnome_manage_home_config(telepathy_logger_t)
-+')
-+
+ ')
+ 
  #######################################
- #
- # Telepathy Mission-Control local policy.
-@@ -176,6 +206,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -176,6 +190,12 @@ tunable_policy(`use_samba_home_dirs',`
  manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
  userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file })
@@ -11725,10 +11412,15 @@ index 2533ea0..546f5a5 100644
  
  dev_read_rand(telepathy_mission_control_t)
  
-@@ -194,6 +230,26 @@ tunable_policy(`use_samba_home_dirs',`
- 	fs_manage_cifs_files(telepathy_mission_control_t)
- ')
+@@ -184,14 +204,26 @@ fs_getattr_all_fs(telepathy_mission_control_t)
+ files_read_etc_files(telepathy_mission_control_t)
+ files_read_usr_files(telepathy_mission_control_t)
  
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(telepathy_mission_control_t)
+-	fs_manage_nfs_files(telepathy_mission_control_t)
++userdom_home_manager(telepathy_mission_control_t)
++
 +optional_policy(`
 +	dbus_system_bus_client(telepathy_mission_control_t)
 +
@@ -11741,18 +11433,19 @@ index 2533ea0..546f5a5 100644
 +	optional_policy(`
 +		networkmanager_dbus_chat(telepathy_mission_control_t)
 +	')
-+')
-+
+ ')
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(telepathy_mission_control_t)
+-	fs_manage_cifs_files(telepathy_mission_control_t)
 +# ~/.cache/.mc_connections.
 +optional_policy(`
 +	manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
 +	gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
-+')
-+
+ ')
+ 
  #######################################
- #
- # Telepathy Butterfly and Haze local policy.
-@@ -205,8 +261,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
+@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect };
  manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
  manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
@@ -11764,7 +11457,7 @@ index 2533ea0..546f5a5 100644
  
  corenet_all_recvfrom_netlabel(telepathy_msn_t)
  corenet_all_recvfrom_unlabeled(telepathy_msn_t)
-@@ -228,6 +287,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
+@@ -228,6 +263,8 @@ corecmd_read_bin_symlinks(telepathy_msn_t)
  files_read_etc_files(telepathy_msn_t)
  files_read_usr_files(telepathy_msn_t)
  
@@ -11773,7 +11466,7 @@ index 2533ea0..546f5a5 100644
  libs_exec_ldconfig(telepathy_msn_t)
  
  logging_send_syslog_msg(telepathy_msn_t)
-@@ -246,6 +307,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -246,6 +283,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
  ')
  
  optional_policy(`
@@ -11784,7 +11477,7 @@ index 2533ea0..546f5a5 100644
  	dbus_system_bus_client(telepathy_msn_t)
  
  	optional_policy(`
-@@ -361,14 +426,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+@@ -361,14 +402,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
  allow telepathy_domain self:tcp_socket create_socket_perms;
  allow telepathy_domain self:udp_socket create_socket_perms;
  
@@ -11803,7 +11496,7 @@ index 2533ea0..546f5a5 100644
  miscfiles_read_localization(telepathy_domain)
  
  optional_policy(`
-@@ -376,5 +443,23 @@ optional_policy(`
+@@ -376,5 +419,23 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -12014,11 +11707,34 @@ index 0000000..01584ce
 +	gnome_read_generic_data_home_files(thumb_t)
 +	gnome_manage_gstreamer_home_files(thumb_t)
 +') 
+diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
+index f50789e..9ba6da8 100644
+--- a/policy/modules/apps/thunderbird.te
++++ b/policy/modules/apps/thunderbird.te
+@@ -114,17 +114,7 @@ xserver_read_xdm_tmp_files(thunderbird_t)
+ xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
+ 
+ # Access ~/.thunderbird
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(thunderbird_t)
+-	fs_manage_nfs_files(thunderbird_t)
+-	fs_manage_nfs_symlinks(thunderbird_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(thunderbird_t)
+-	fs_manage_cifs_files(thunderbird_t)
+-	fs_manage_cifs_symlinks(thunderbird_t)
+-')
++userdom_home_manager(thunderbird_t)
+ 
+ tunable_policy(`mail_read_content && use_nfs_home_dirs',`
+ 	files_list_home(thunderbird_t)
 diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
-index 11fe4f2..98bfbf3 100644
+index 11fe4f2..38318b9 100644
 --- a/policy/modules/apps/tvtime.te
 +++ b/policy/modules/apps/tvtime.te
-@@ -73,7 +73,7 @@ fs_search_auto_mountpoints(tvtime_t)
+@@ -73,20 +73,11 @@ fs_search_auto_mountpoints(tvtime_t)
  miscfiles_read_localization(tvtime_t)
  miscfiles_read_fonts(tvtime_t)
  
@@ -12027,6 +11743,20 @@ index 11fe4f2..98bfbf3 100644
  userdom_read_user_home_content_files(tvtime_t)
  
  # X access, Home files
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(tvtime_t)
+-	fs_manage_nfs_files(tvtime_t)
+-	fs_manage_nfs_symlinks(tvtime_t)
+-')
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(tvtime_t)
+-	fs_manage_cifs_files(tvtime_t)
+-	fs_manage_cifs_symlinks(tvtime_t)
+-')
++userdom_home_manager(tvtime_t)
+ 
+ optional_policy(`
+ 	xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
 diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
 index d2ab7cb..ddb34f1 100644
 --- a/policy/modules/apps/uml.if
@@ -12554,7 +12284,7 @@ index be9246b..e3de8fa 100644
  tunable_policy(`wine_mmap_zero_ignore',`
  	dontaudit wine_t self:memprotect mmap_zero;
 diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
-index 8bfe97d..95a3d06 100644
+index 8bfe97d..356e2a1 100644
 --- a/policy/modules/apps/wireshark.te
 +++ b/policy/modules/apps/wireshark.te
 @@ -15,6 +15,7 @@ ubac_constrained(wireshark_t)
@@ -12583,17 +12313,29 @@ index 8bfe97d..95a3d06 100644
  miscfiles_read_fonts(wireshark_t)
  miscfiles_read_localization(wireshark_t)
  
-@@ -106,10 +109,6 @@ tunable_policy(`use_samba_home_dirs',`
- 	fs_manage_cifs_symlinks(wireshark_t)
- ')
+@@ -94,21 +97,7 @@ sysnet_read_config(wireshark_t)
+ 
+ userdom_manage_user_home_content_files(wireshark_t)
  
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(wireshark_t)
+-	fs_manage_nfs_files(wireshark_t)
+-	fs_manage_nfs_symlinks(wireshark_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(wireshark_t)
+-	fs_manage_cifs_files(wireshark_t)
+-	fs_manage_cifs_symlinks(wireshark_t)
+-')
+-
 -optional_policy(`
 -	nscd_socket_use(wireshark_t)
 -')
--
++userdom_home_manager(wireshark_t)
+ 
  # Manual transition from userhelper
  optional_policy(`
- 	userhelper_use_fd(wireshark_t)
 diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
 index b3efef7..50c1a74 100644
 --- a/policy/modules/apps/wm.if
@@ -12660,7 +12402,7 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..7bcafea 100644
+index 3fae11a..0b0896b 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -97,8 +97,6 @@ ifdef(`distro_redhat',`
@@ -12830,7 +12572,7 @@ index 3fae11a..7bcafea 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,6 +295,7 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +295,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -12838,9 +12580,10 @@ index 3fae11a..7bcafea 100644
  /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-@@ -293,8 +303,10 @@ ifdef(`distro_gentoo',`
+ /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/share/tucan.*/tucan.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/virtualbox/.*\.sh 		gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/wicd/daemon(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -12850,7 +12593,7 @@ index 3fae11a..7bcafea 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +318,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +319,11 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -12864,7 +12607,7 @@ index 3fae11a..7bcafea 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +332,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +333,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -12876,7 +12619,7 @@ index 3fae11a..7bcafea 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +378,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +379,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -12885,7 +12628,7 @@ index 3fae11a..7bcafea 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +390,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +391,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -12896,7 +12639,7 @@ index 3fae11a..7bcafea 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +401,4 @@ ifdef(`distro_suse', `
+@@ -385,3 +402,4 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -12972,19 +12715,6 @@ index 9e9263a..650e796 100644
  	manage_files_pattern($1, bin_t, exec_type)
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
-diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 23a1c3c..9527971 100644
---- a/policy/modules/kernel/corecommands.te
-+++ b/policy/modules/kernel/corecommands.te
-@@ -13,7 +13,7 @@ attribute exec_type;
- #
- # bin_t is the type of files in the system bin/sbin directories.
- #
--type bin_t alias { ls_exec_t sbin_t };
-+type bin_t alias { ls_exec_t sbin_t java_exec_t execmem_exec_t mono_exec_t };
- corecmd_executable_file(bin_t)
- dev_associate(bin_t)	#For /dev/MAKEDEV
- 
 diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
 index 4f3b542..cf422f4 100644
 --- a/policy/modules/kernel/corenetwork.if.in
@@ -14147,7 +13877,7 @@ index 4f3b542..cf422f4 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..1541989 100644
+index 99b71cb..9c48de6 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -14287,7 +14017,7 @@ index 99b71cb..1541989 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +172,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -14311,12 +14041,13 @@ index 99b71cb..1541989 100644
 +network_port(matahari, tcp,49000,s0, udp,49000,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
++network_port(mongod, tcp,27017,s0)
  network_port(monopd, tcp,1234,s0)
 +network_port(movaz_ssc, tcp,5252,s0)
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +200,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -14349,7 +14080,7 @@ index 99b71cb..1541989 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,30 +237,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,30 +238,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
@@ -14389,7 +14120,7 @@ index 99b71cb..1541989 100644
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
-@@ -215,9 +278,11 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +279,11 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -14402,7 +14133,7 @@ index 99b71cb..1541989 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +294,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +295,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14410,7 +14141,7 @@ index 99b71cb..1541989 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +304,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +305,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14423,7 +14154,7 @@ index 99b71cb..1541989 100644
  
  ########################################
  #
-@@ -282,9 +354,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +355,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -14487,7 +14218,7 @@ index 35fed4f..51ad69a 100644
  
  #
 diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
-index 6cf8784..12bd6fc 100644
+index 6cf8784..b48524e 100644
 --- a/policy/modules/kernel/devices.fc
 +++ b/policy/modules/kernel/devices.fc
 @@ -15,11 +15,13 @@
@@ -14515,7 +14246,7 @@ index 6cf8784..12bd6fc 100644
  /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-@@ -126,6 +130,7 @@ ifdef(`distro_suse', `
+@@ -126,12 +130,14 @@ ifdef(`distro_suse', `
  /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@@ -14523,7 +14254,14 @@ index 6cf8784..12bd6fc 100644
  /dev/winradio.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/z90crypt		-c	gen_context(system_u:object_r:crypt_device_t,s0)
  /dev/zero		-c	gen_context(system_u:object_r:zero_device_t,s0)
-@@ -187,8 +192,6 @@ ifdef(`distro_suse', `
+ 
+ /dev/bus/usb/.*/[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
+ 
++/dev/ati/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/card.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
+ 
+@@ -187,8 +193,6 @@ ifdef(`distro_suse', `
  /lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
  
@@ -14532,7 +14270,7 @@ index 6cf8784..12bd6fc 100644
  ifdef(`distro_redhat',`
  # originally from named.fc
  /var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
-@@ -196,3 +199,8 @@ ifdef(`distro_redhat',`
+@@ -196,3 +200,8 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
  /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
  ')
@@ -18493,7 +18231,7 @@ index 22821ff..20251b0 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..e5652a1 100644
+index 97fcdac..6342520 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -18739,7 +18477,32 @@ index 97fcdac..e5652a1 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -2080,6 +2222,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2025,6 +2167,24 @@ interface(`fs_read_fusefs_symlinks',`
+ 
+ ########################################
+ ## <summary>
++##	Manage symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of an hugetlbfs
+ ##	filesystem.
+ ## </summary>
+@@ -2080,6 +2240,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -18764,7 +18527,7 @@ index 97fcdac..e5652a1 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,6 +2308,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2326,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -18772,7 +18535,7 @@ index 97fcdac..e5652a1 100644
  ')
  
  ########################################
-@@ -2480,6 +2641,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2659,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18780,7 +18543,7 @@ index 97fcdac..e5652a1 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,6 +2680,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2698,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18788,7 +18551,7 @@ index 97fcdac..e5652a1 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2544,6 +2707,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2725,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -18814,7 +18577,7 @@ index 97fcdac..e5652a1 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2584,6 +2766,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2784,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -18857,7 +18620,7 @@ index 97fcdac..e5652a1 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2598,7 +2816,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2834,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18866,7 +18629,7 @@ index 97fcdac..e5652a1 100644
  ')
  
  ########################################
-@@ -2736,7 +2954,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +2972,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18875,7 +18638,7 @@ index 97fcdac..e5652a1 100644
  ##	</summary>
  ## </param>
  #
-@@ -2772,7 +2990,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3008,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18884,7 +18647,7 @@ index 97fcdac..e5652a1 100644
  ##	</summary>
  ## </param>
  #
-@@ -2965,6 +3183,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3201,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -18892,7 +18655,7 @@ index 97fcdac..e5652a1 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3005,6 +3224,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3242,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -18900,7 +18663,7 @@ index 97fcdac..e5652a1 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3045,6 +3265,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3283,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -18908,7 +18671,7 @@ index 97fcdac..e5652a1 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3958,6 +4179,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4197,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -18951,7 +18714,7 @@ index 97fcdac..e5652a1 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4175,6 +4432,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4450,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -18976,7 +18739,7 @@ index 97fcdac..e5652a1 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4251,6 +4526,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4544,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -19002,7 +18765,7 @@ index 97fcdac..e5652a1 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4751,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4769,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -19011,7 +18774,7 @@ index 97fcdac..e5652a1 100644
  ')
  
  ########################################
-@@ -4503,7 +4799,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4817,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19020,7 +18783,7 @@ index 97fcdac..e5652a1 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5162,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5180,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -21209,7 +20972,7 @@ index be4de58..7e8b6ec 100644
  init_exec(secadm_t)
  
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..cfea862 100644
+index 2be17d2..de3c13e 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,55 @@ policy_module(staff, 2.2.0)
@@ -21268,7 +21031,15 @@ index 2be17d2..cfea862 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,19 +70,107 @@ optional_policy(`
+@@ -23,23 +66,115 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	blueman_dbus_chat(staff_t)
++')
++
++optional_policy(`
+ 	dbadm_role_change(staff_r)
  ')
  
  optional_policy(`
@@ -21378,7 +21149,7 @@ index 2be17d2..cfea862 100644
  ')
  
  optional_policy(`
-@@ -48,10 +179,52 @@ optional_policy(`
+@@ -48,10 +183,52 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21431,17 +21202,6 @@ index 2be17d2..cfea862 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -61,6 +234,10 @@ ifndef(`distro_redhat',`
- 	')
- 
- 	optional_policy(`
-+		blueman_dbus_chat(staff_t)
-+	')
-+
-+	optional_policy(`
- 		bluetooth_role(staff_r, staff_t)
- 	')
- 
 @@ -89,18 +266,10 @@ ifndef(`distro_redhat',`
  	')
  
@@ -22000,10 +21760,10 @@ index 0000000..0e8654b
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if
 new file mode 100644
-index 0000000..8b2cdf3
+index 0000000..bac0dc0
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.if
-@@ -0,0 +1,687 @@
+@@ -0,0 +1,595 @@
 +## <summary>Unconfiend user role</summary>
 +
 +########################################
@@ -22226,42 +21986,6 @@ index 0000000..8b2cdf3
 +
 +########################################
 +## <summary>
-+##	Send a SIGNULL signal to the unconfined execmem domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`unconfined_execmem_signull',`
-+	gen_require(`
-+		type unconfined_execmem_t;
-+	')
-+
-+	allow $1 unconfined_execmem_t:process signull;
-+')
-+
-+########################################
-+## <summary>
-+##	Send a signal to the unconfined execmem domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`unconfined_execmem_signal',`
-+	gen_require(`
-+		type unconfined_execmem_t;
-+	')
-+
-+	allow $1 unconfined_execmem_t:process signal;
-+')
-+
-+########################################
-+## <summary>
 +##	Send generic signals to the unconfined domain.
 +## </summary>
 +## <param name="domain">
@@ -22563,62 +22287,6 @@ index 0000000..8b2cdf3
 +
 +########################################
 +## <summary>
-+##	Read and write to unconfined execmem shared memory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`unconfined_execmem_rw_shm',`
-+	gen_require(`
-+		type unconfined_execmem_t;
-+	')
-+
-+	allow $1 unconfined_execmem_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Transition to the unconfined_execmem domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`unconfined_execmem_domtrans',`
-+
-+	gen_require(`
-+		type unconfined_execmem_t;
-+	')
-+
-+	execmem_domtrans($1, unconfined_execmem_t)
-+')
-+
-+########################################
-+## <summary>
-+##	execute the execmem applications
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`unconfined_execmem_exec',`
-+
-+	gen_require(`
-+		type execmem_exec_t;
-+	')
-+
-+	can_exec($1, execmem_exec_t)
-+')
-+
-+########################################
-+## <summary>
 +##	Allow apps to set rlimits on userdomain
 +## </summary>
 +## <param name="domain">
@@ -22693,10 +22361,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..4ce2685
+index 0000000..11ad8fb
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,401 @@
+@@ -0,0 +1,394 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -23019,13 +22687,6 @@ index 0000000..4ce2685
 +')
 +
 +optional_policy(`
-+	mono_role_template(unconfined, unconfined_r, unconfined_t)
-+	unconfined_domain_noaudit(unconfined_mono_t)
-+	role system_r types unconfined_mono_t;
-+')
-+
-+
-+optional_policy(`
 +	mozilla_role_plugin(unconfined_r)
 +
 +	tunable_policy(`unconfined_mozilla_plugin_transition', `
@@ -23099,10 +22760,10 @@ index 0000000..4ce2685
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..9db5ebd 100644
+index e5bfdd4..454e627 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,97 @@ role user_r;
+@@ -12,15 +12,101 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -23125,6 +22786,10 @@ index e5bfdd4..9db5ebd 100644
  ')
  
  optional_policy(`
++	blueman_dbus_chat(user_t)
++')
++
++optional_policy(`
 +	colord_dbus_chat(user_t)
 +')
 +
@@ -23200,17 +22865,6 @@ index e5bfdd4..9db5ebd 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -34,6 +116,10 @@ ifndef(`distro_redhat',`
- 	')
- 
- 	optional_policy(`
-+		blueman_dbus_chat(staff_t)
-+	')
-+
-+	optional_policy(`
- 		bluetooth_role(user_r, user_t)
- 	')
- 
 @@ -62,19 +148,11 @@ ifndef(`distro_redhat',`
  	')
  
@@ -23283,7 +22937,7 @@ index 0ecc786..3e7e984 100644
  userdom_dontaudit_search_user_home_dirs(webadm_t)
  
 diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..b1ea76e 100644
+index e88b95f..6f176f9 100644
 --- a/policy/modules/roles/xguest.te
 +++ b/policy/modules/roles/xguest.te
 @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -23353,10 +23007,17 @@ index e88b95f..b1ea76e 100644
  	')
  ')
  
-@@ -76,23 +86,98 @@ optional_policy(`
+@@ -76,23 +86,101 @@ optional_policy(`
  ')
  
  optional_policy(`
++	tunable_policy(`xguest_use_bluetooth',`
++		blueman_dbus_chat(xguest_t)
++	')
++')
++
++
++optional_policy(`
 +	chrome_role(xguest_r, xguest_usertype)
 +')
 +
@@ -23371,15 +23032,10 @@ index e88b95f..b1ea76e 100644
 +
 +optional_policy(`
 +	gnome_role(xguest_r, xguest_t)
- ')
- 
- optional_policy(`
--	mozilla_role(xguest_r, xguest_t)
-+	gnomeclock_dontaudit_dbus_chat(xguest_t)
 +')
 +
 +optional_policy(`
-+	mono_role_template(xguest, xguest_r, xguest_t)
++	gnomeclock_dontaudit_dbus_chat(xguest_t)
 +')
 +
 +optional_policy(`
@@ -23388,9 +23044,10 @@ index e88b95f..b1ea76e 100644
 +
 +optional_policy(`
 +	nsplugin_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	mozilla_role(xguest_r, xguest_t)
 +	pcscd_read_pub_files(xguest_usertype)
 +	pcscd_stream_connect(xguest_usertype)
 +')
@@ -23439,7 +23096,7 @@ index e88b95f..b1ea76e 100644
 +		corenet_tcp_connect_speech_port(xguest_usertype)
 +		corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
 +		corenet_tcp_connect_transproxy_port(xguest_usertype)
- 	')
++	')
 +
 +	#optional_policy(`
 +	#	telepathy_dbus_session_role(xguest_r, xguest_t)
@@ -23449,7 +23106,7 @@ index e88b95f..b1ea76e 100644
 +optional_policy(`
 +	gen_require(`
 +		type mozilla_t;
-+	')
+ 	')
 +
 +	allow xguest_t mozilla_t:process transition;
 +	role xguest_r types mozilla_t;
@@ -24162,7 +23819,7 @@ index c0f858d..5770f1a 100644
  	accountsd_manage_lib_files($1)
  ')
 diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..a538582 100644
+index 1632f10..6ede64d 100644
 --- a/policy/modules/services/accountsd.te
 +++ b/policy/modules/services/accountsd.te
 @@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
@@ -24184,7 +23841,13 @@ index 1632f10..a538582 100644
  allow accountsd_t self:fifo_file rw_fifo_file_perms;
  
  manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
-@@ -32,10 +35,12 @@ files_read_usr_files(accountsd_t)
+@@ -28,14 +31,18 @@ kernel_read_kernel_sysctls(accountsd_t)
+ 
+ corecmd_exec_bin(accountsd_t)
+ 
++dev_read_sysfs(accountsd_t)
++
+ files_read_usr_files(accountsd_t)
  files_read_mnt_files(accountsd_t)
  
  fs_list_inotifyfs(accountsd_t)
@@ -24197,7 +23860,7 @@ index 1632f10..a538582 100644
  
  miscfiles_read_localization(accountsd_t)
  
-@@ -55,3 +60,8 @@ optional_policy(`
+@@ -55,3 +62,8 @@ optional_policy(`
  optional_policy(`
  	policykit_dbus_chat(accountsd_t)
  ')
@@ -25490,7 +25153,7 @@ index 6480167..2ad693a 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..7cb2fe5 100644
+index 3136c6a..2ef8fef 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
 @@ -18,136 +18,211 @@ policy_module(apache, 2.2.1)
@@ -26511,7 +26174,7 @@ index 3136c6a..7cb2fe5 100644
  ')
  
  ########################################
-@@ -891,11 +1269,137 @@ optional_policy(`
+@@ -891,11 +1269,135 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -26535,7 +26198,7 @@ index 3136c6a..7cb2fe5 100644
 +	userdom_read_user_home_content_files(httpd_t)
 +	userdom_read_user_home_content_files(httpd_suexec_t)
 +	userdom_read_user_home_content_files(httpd_user_script_t)
- ')
++')
 +
 +########################################
 +#
@@ -26649,9 +26312,7 @@ index 3136c6a..7cb2fe5 100644
 +	allow httpd_t httpd_content_type:dir list_dir_perms;
 +	read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
 +	read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+')
-+
-+
+ ')
 diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc
 index cd07b96..9b7742f 100644
 --- a/policy/modules/services/apcupsd.fc
@@ -26744,7 +26405,7 @@ index 1ea99b2..9427dd5 100644
 +	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..f8de34e 100644
+index 1c8c27e..01d69d4 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -26833,7 +26494,20 @@ index 1c8c27e..f8de34e 100644
  ',`
  	# for ifconfig which is run all the time
  	kernel_dontaudit_search_sysctl(apmd_t)
-@@ -201,7 +213,8 @@ optional_policy(`
+@@ -181,6 +193,12 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	devicekit_manage_pid_files(apmd_t)
++	devicekit_manage_log_files(apmd_t)
++	devicekit_relabel_log_files(apmd_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(apmd_t)
+ 
+ 	optional_policy(`
+@@ -201,7 +219,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26843,7 +26517,7 @@ index 1c8c27e..f8de34e 100644
  ')
  
  optional_policy(`
-@@ -209,8 +222,9 @@ optional_policy(`
+@@ -209,8 +228,9 @@ optional_policy(`
  	pcmcia_domtrans_cardctl(apmd_t)
  ')
  
@@ -26854,7 +26528,7 @@ index 1c8c27e..f8de34e 100644
  ')
  
  optional_policy(`
-@@ -219,10 +233,6 @@ optional_policy(`
+@@ -219,10 +239,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -27604,10 +27278,10 @@ index 0000000..d694c0a
 +')
 diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
 new file mode 100644
-index 0000000..fde1531
+index 0000000..12ef44c
 --- /dev/null
 +++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,37 @@
+@@ -0,0 +1,38 @@
 +policy_module(blueman, 1.0.0)
 +
 +########################################
@@ -27636,6 +27310,7 @@ index 0000000..fde1531
 +files_read_etc_files(blueman_t)
 +files_read_usr_files(blueman_t)
 +
++auth_use_nsswitch(blueman_t)
 +auth_read_passwd(blueman_t)
 +
 +logging_send_syslog_msg(blueman_t)
@@ -29963,7 +29638,7 @@ index 1f11572..717fb8d 100644
  
  	init_labeled_script_domtrans($1, clamd_initrc_exec_t)
 diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
-index f758323..8cd02e2 100644
+index f758323..4bc077f 100644
 --- a/policy/modules/services/clamav.te
 +++ b/policy/modules/services/clamav.te
 @@ -1,9 +1,16 @@
@@ -30023,30 +29698,42 @@ index f758323..8cd02e2 100644
  corenet_sendrecv_clamd_server_packets(clamd_t)
  
  dev_read_rand(clamd_t)
-@@ -127,12 +139,16 @@ logging_send_syslog_msg(clamd_t)
+@@ -127,13 +139,6 @@ logging_send_syslog_msg(clamd_t)
  
  miscfiles_read_localization(clamd_t)
  
 -cron_use_fds(clamd_t)
 -cron_use_system_job_fds(clamd_t)
 -cron_rw_pipes(clamd_t)
-+optional_policy(`
+-
+-mta_read_config(clamd_t)
+-mta_send_mail(clamd_t)
+-
+ optional_policy(`
+ 	amavis_read_lib_files(clamd_t)
+ 	amavis_read_spool_files(clamd_t)
+@@ -142,13 +147,30 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
 +	cron_use_fds(clamd_t)
 +	cron_use_system_job_fds(clamd_t)
 +	cron_rw_pipes(clamd_t)
 +')
++
++optional_policy(`
+ 	exim_read_spool_files(clamd_t)
+ ')
  
--mta_read_config(clamd_t)
--mta_send_mail(clamd_t)
 +optional_policy(`
 +	mta_read_config(clamd_t)
 +	mta_send_mail(clamd_t)
 +')
- 
- optional_policy(`
- 	amavis_read_lib_files(clamd_t)
-@@ -147,8 +163,10 @@ optional_policy(`
- 
++
++optional_policy(`
++	spamd_stream_connect(clamd_t)
++')
++
  tunable_policy(`clamd_use_jit',`
  	allow clamd_t self:process execmem;
 -', `
@@ -30057,7 +29744,7 @@ index f758323..8cd02e2 100644
  ')
  
  ########################################
-@@ -178,10 +196,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +200,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
  
  # log files (own logfiles only)
  manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -30076,7 +29763,7 @@ index f758323..8cd02e2 100644
  corenet_all_recvfrom_unlabeled(freshclam_t)
  corenet_all_recvfrom_netlabel(freshclam_t)
  corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +213,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +217,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
  corenet_tcp_sendrecv_all_ports(freshclam_t)
  corenet_tcp_sendrecv_clamd_port(freshclam_t)
  corenet_tcp_connect_http_port(freshclam_t)
@@ -30084,7 +29771,7 @@ index f758323..8cd02e2 100644
  corenet_sendrecv_http_client_packets(freshclam_t)
  
  dev_read_rand(freshclam_t)
-@@ -207,16 +232,18 @@ miscfiles_read_localization(freshclam_t)
+@@ -207,16 +236,18 @@ miscfiles_read_localization(freshclam_t)
  
  clamav_stream_connect(freshclam_t)
  
@@ -30107,7 +29794,7 @@ index f758323..8cd02e2 100644
  ########################################
  #
  # clamscam local policy
-@@ -242,15 +269,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,15 +273,29 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
  manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -30137,7 +29824,7 @@ index f758323..8cd02e2 100644
  
  files_read_etc_files(clamscan_t)
  files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +305,15 @@ miscfiles_read_public_files(clamscan_t)
+@@ -264,10 +309,15 @@ miscfiles_read_public_files(clamscan_t)
  
  clamav_stream_connect(clamscan_t)
  
@@ -30236,10 +29923,10 @@ index 0000000..f2968f8
 +/var/run/iwhd\.pid               --      gen_context(system_u:object_r:iwhd_var_run_t,s0)
 diff --git a/policy/modules/services/cloudform.if b/policy/modules/services/cloudform.if
 new file mode 100644
-index 0000000..917f8d4
+index 0000000..6451167
 --- /dev/null
 +++ b/policy/modules/services/cloudform.if
-@@ -0,0 +1,23 @@
+@@ -0,0 +1,40 @@
 +## <summary>cloudform policy</summary>
 +
 +#######################################
@@ -30261,14 +29948,31 @@ index 0000000..917f8d4
 +    type $1_t, cloudform_domain;
 +    type $1_exec_t;
 +    init_daemon_domain($1_t, $1_exec_t)
++')
 +
++######################################
++## <summary>
++##	Execute mongod in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`cloudform_exec_mongod',`
++    gen_require(`
++	type mogod_exec_t;
++    ')
++
++    can_exec($1, mogod_exec_t)
 +')
 diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
 new file mode 100644
-index 0000000..5c0c84f
+index 0000000..4f0bd8d
 --- /dev/null
 +++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,218 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -30408,12 +30112,7 @@ index 0000000..5c0c84f
 +dev_read_rand(iwhd_t)
 +dev_read_urand(iwhd_t)
 +
-+tunable_policy(`use_nfs_home_dirs',`
-+    fs_list_auto_mountpoints(iwhd_t)
-+    fs_manage_nfs_dirs(iwhd_t)
-+    fs_manage_nfs_files(iwhd_t)
-+    fs_manage_nfs_symlinks(iwhd_t)
-+')
++userdom_home_manager(iwhd_t)
 +
 +########################################
 +#
@@ -30443,7 +30142,7 @@ index 0000000..5c0c84f
 +files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
 +
 +corenet_tcp_bind_generic_node(mongod_t)
-+corenet_tcp_bind_generic_port(mongod_t)
++corenet_tcp_bind_mongod_port(mongod_t)
 +
 +files_read_usr_files(mongod_t)
 +
@@ -31279,7 +30978,7 @@ index 0000000..2ee2be0
 +')
 +
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
-index 74505cc..6ff206b 100644
+index 74505cc..e7c70b5 100644
 --- a/policy/modules/services/colord.te
 +++ b/policy/modules/services/colord.te
 @@ -23,6 +23,7 @@ files_type(colord_var_lib_t)
@@ -31314,7 +31013,7 @@ index 74505cc..6ff206b 100644
  dev_read_video_dev(colord_t)
  dev_write_video_dev(colord_t)
  dev_rw_printer(colord_t)
-@@ -65,19 +73,31 @@ files_list_mnt(colord_t)
+@@ -65,21 +73,23 @@ files_list_mnt(colord_t)
  files_read_etc_files(colord_t)
  files_read_usr_files(colord_t)
  
@@ -31332,21 +31031,21 @@ index 74505cc..6ff206b 100644
  
  miscfiles_read_localization(colord_t)
  
- sysnet_dns_name_resolve(colord_t)
- 
+-sysnet_dns_name_resolve(colord_t)
 +userdom_rw_user_tmpfs_files(colord_t)
-+
- tunable_policy(`use_nfs_home_dirs',`
-+	fs_getattr_nfs(colord_t)
- 	fs_read_nfs_files(colord_t)
- ')
  
- tunable_policy(`use_samba_home_dirs',`
-+	fs_getattr_cifs(colord_t)
- 	fs_read_cifs_files(colord_t)
- ')
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_read_nfs_files(colord_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_read_cifs_files(colord_t)
+-')
++userdom_home_reader(colord_t)
  
-@@ -89,6 +109,10 @@ optional_policy(`
+ optional_policy(`
+ 	cups_read_config(colord_t)
+@@ -89,6 +99,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31357,8 +31056,15 @@ index 74505cc..6ff206b 100644
  	policykit_dbus_chat(colord_t)
  	policykit_domtrans_auth(colord_t)
  	policykit_read_lib(colord_t)
-@@ -98,3 +122,9 @@ optional_policy(`
+@@ -96,5 +110,16 @@ optional_policy(`
+ ')
+ 
  optional_policy(`
++	sysnet_exec_ifconfig(colord_t)
++	sysnet_dns_name_resolve(colord_t)
++')
++
++optional_policy(`
  	udev_read_db(colord_t)
  ')
 +
@@ -31479,7 +31185,7 @@ index fd15dfe..d33cc41 100644
 +	ps_process_pattern($1, consolekit_t)
 +')
 diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
-index e67a003..5b322ca 100644
+index e67a003..d45381d 100644
 --- a/policy/modules/services/consolekit.te
 +++ b/policy/modules/services/consolekit.te
 @@ -15,12 +15,16 @@ logging_log_file(consolekit_log_t)
@@ -31500,7 +31206,7 @@ index e67a003..5b322ca 100644
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -69,11 +73,15 @@ logging_send_audit_msgs(consolekit_t)
+@@ -69,17 +73,23 @@ logging_send_audit_msgs(consolekit_t)
  
  miscfiles_read_localization(consolekit_t)
  
@@ -31514,26 +31220,22 @@ index e67a003..5b322ca 100644
  userdom_read_user_tmp_files(consolekit_t)
  
 -hal_ptrace(consolekit_t)
--
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_read_nfs_files(consolekit_t)
- ')
-@@ -83,6 +91,14 @@ tunable_policy(`use_samba_home_dirs',`
- ')
++userdom_home_reader(consolekit_t)
  
- optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_read_nfs_files(consolekit_t)
++optional_policy(`
 +	cron_read_system_job_lib_files(consolekit_t)
-+')
-+
+ ')
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_read_cifs_files(consolekit_t)
 +optional_policy(`
 +	hal_ptrace(consolekit_t)
-+')
-+
-+optional_policy(`
- 	dbus_system_domain(consolekit_t, consolekit_exec_t)
+ ')
  
- 	optional_policy(`
-@@ -99,6 +115,10 @@ optional_policy(`
+ optional_policy(`
+@@ -99,6 +109,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31544,7 +31246,7 @@ index e67a003..5b322ca 100644
  	policykit_dbus_chat(consolekit_t)
  	policykit_domtrans_auth(consolekit_t)
  	policykit_read_lib(consolekit_t)
-@@ -106,9 +126,10 @@ optional_policy(`
+@@ -106,9 +120,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -31557,7 +31259,7 @@ index e67a003..5b322ca 100644
  	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
  	xserver_non_drawing_client(consolekit_t)
-@@ -125,5 +146,8 @@ optional_policy(`
+@@ -125,5 +140,8 @@ optional_policy(`
  
  optional_policy(`
  	#reading .Xauthity
@@ -32445,7 +32147,7 @@ index 35241ed..7a0913c 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..258a3d7 100644
+index f7583ab..a2e960c 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -32647,7 +32349,7 @@ index f7583ab..258a3d7 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -250,11 +279,31 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +279,27 @@ tunable_policy(`fcron_crond', `
  ')
  
  optional_policy(`
@@ -32672,14 +32374,10 @@ index f7583ab..258a3d7 100644
 +')
 +
 +optional_policy(`
-+	mono_domtrans(crond_t)
-+')
-+
-+optional_policy(`
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -264,6 +313,8 @@ optional_policy(`
+@@ -264,6 +309,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -32688,7 +32386,7 @@ index f7583ab..258a3d7 100644
  ')
  
  optional_policy(`
-@@ -286,15 +337,25 @@ optional_policy(`
+@@ -286,15 +333,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32714,7 +32412,7 @@ index f7583ab..258a3d7 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +367,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +363,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -32735,7 +32433,7 @@ index f7583ab..258a3d7 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -329,6 +399,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +395,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -32743,7 +32441,7 @@ index f7583ab..258a3d7 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +411,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +407,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -32758,7 +32456,7 @@ index f7583ab..258a3d7 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +440,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +436,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -32766,7 +32464,7 @@ index f7583ab..258a3d7 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +467,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +463,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -32774,7 +32472,7 @@ index f7583ab..258a3d7 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -413,8 +490,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +486,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -32786,7 +32484,7 @@ index f7583ab..258a3d7 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -439,6 +518,8 @@ optional_policy(`
+@@ -439,6 +514,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -32795,7 +32493,7 @@ index f7583ab..258a3d7 100644
  ')
  
  optional_policy(`
-@@ -446,6 +527,14 @@ optional_policy(`
+@@ -446,6 +523,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32810,7 +32508,7 @@ index f7583ab..258a3d7 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,15 +545,25 @@ optional_policy(`
+@@ -456,6 +541,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32821,12 +32519,7 @@ index f7583ab..258a3d7 100644
  	lpd_list_spool(system_cronjob_t)
  ')
  
- optional_policy(`
-+	mono_domtrans(system_cronjob_t)
-+')
-+
-+optional_policy(`
- 	mrtg_append_create_logs(system_cronjob_t)
+@@ -464,7 +553,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32836,7 +32529,7 @@ index f7583ab..258a3d7 100644
  ')
  
  optional_policy(`
-@@ -480,7 +579,7 @@ optional_policy(`
+@@ -480,7 +571,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -32845,7 +32538,7 @@ index f7583ab..258a3d7 100644
  ')
  
  optional_policy(`
-@@ -495,6 +594,7 @@ optional_policy(`
+@@ -495,6 +586,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -32853,7 +32546,7 @@ index f7583ab..258a3d7 100644
  ')
  
  optional_policy(`
-@@ -502,7 +602,13 @@ optional_policy(`
+@@ -502,7 +594,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32867,7 +32560,7 @@ index f7583ab..258a3d7 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +701,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +693,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -33406,7 +33099,7 @@ index 305ddf4..2746e6f 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..825cafb 100644
+index 0f28095..3bc4cfd 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -33570,7 +33263,7 @@ index 0f28095..825cafb 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -587,13 +613,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +613,22 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -33584,24 +33277,26 @@ index 0f28095..825cafb 100644
  
 -lpd_manage_spool(cups_pdf_t)
 -
+-
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_search_auto_mountpoints(cups_pdf_t)
+-	fs_manage_nfs_dirs(cups_pdf_t)
+-	fs_manage_nfs_files(cups_pdf_t)
 +optional_policy(`
 +	lpd_manage_spool(cups_pdf_t)
-+')
- 
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',`
- 	fs_manage_cifs_files(cups_pdf_t)
  ')
  
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(cups_pdf_t)
+-	fs_manage_cifs_files(cups_pdf_t)
++userdom_home_manager(cups_pdf_t)
++
 +optional_policy(`
 +	gnome_read_config(cups_pdf_t)
-+')
-+
+ ')
+ 
  ########################################
- #
- # HPLIP local policy
-@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +664,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -33610,7 +33305,7 @@ index 0f28095..825cafb 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +719,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +710,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -33618,7 +33313,7 @@ index 0f28095..825cafb 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +722,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -33832,7 +33527,7 @@ index 81eba14..d0ab56c 100644
  /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
  /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..3558f18 100644
+index 1a1becd..115133d 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -33847,7 +33542,7 @@ index 1a1becd..3558f18 100644
  	')
  
  	##############################
-@@ -52,8 +52,7 @@ template(`dbus_role_template',`
+@@ -52,117 +52,41 @@ template(`dbus_role_template',`
  	#
  
  	type $1_dbusd_t, session_bus_type;
@@ -33857,7 +33552,10 @@ index 1a1becd..3558f18 100644
  	ubac_constrained($1_dbusd_t)
  	role $2 types $1_dbusd_t;
  
-@@ -62,107 +61,30 @@ template(`dbus_role_template',`
++	userdom_home_manager($1_dbusd_t)
++
+ 	##############################
+ 	#
  	# Local policy
  	#
  
@@ -33956,9 +33654,9 @@ index 1a1becd..3558f18 100644
 -	seutil_read_default_contexts($1_dbusd_t)
 -
 -	term_use_all_terms($1_dbusd_t)
--
--	userdom_read_user_home_content_files($1_dbusd_t)
  
+-	userdom_read_user_home_content_files($1_dbusd_t)
+-
 -	ifdef(`hide_broken_symptoms', `
 -		dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
 -	')
@@ -33975,7 +33673,7 @@ index 1a1becd..3558f18 100644
  ')
  
  #######################################
-@@ -181,11 +103,12 @@ interface(`dbus_system_bus_client',`
+@@ -181,11 +105,12 @@ interface(`dbus_system_bus_client',`
  		type system_dbusd_t, system_dbusd_t;
  		type system_dbusd_var_run_t, system_dbusd_var_lib_t;
  		class dbus send_msg;
@@ -33989,7 +33687,7 @@ index 1a1becd..3558f18 100644
  
  	read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
  	files_search_var_lib($1)
-@@ -198,6 +121,34 @@ interface(`dbus_system_bus_client',`
+@@ -198,6 +123,34 @@ interface(`dbus_system_bus_client',`
  
  #######################################
  ## <summary>
@@ -34024,7 +33722,7 @@ index 1a1becd..3558f18 100644
  ##	Template for creating connections to
  ##	a user DBUS.
  ## </summary>
-@@ -218,6 +169,8 @@ interface(`dbus_session_bus_client',`
+@@ -218,6 +171,8 @@ interface(`dbus_session_bus_client',`
  
  	# For connecting to the bus
  	allow $1 session_bus_type:unix_stream_socket connectto;
@@ -34033,7 +33731,7 @@ index 1a1becd..3558f18 100644
  ')
  
  ########################################
-@@ -322,6 +275,11 @@ interface(`dbus_connect_session_bus',`
+@@ -322,6 +277,11 @@ interface(`dbus_connect_session_bus',`
  ##	Allow a application domain to be started
  ##	by the session dbus.
  ## </summary>
@@ -34045,7 +33743,7 @@ index 1a1becd..3558f18 100644
  ## <param name="domain">
  ##	<summary>
  ##	Type to be used as a domain.
-@@ -336,13 +294,13 @@ interface(`dbus_connect_session_bus',`
+@@ -336,13 +296,13 @@ interface(`dbus_connect_session_bus',`
  #
  interface(`dbus_session_domain',`
  	gen_require(`
@@ -34063,7 +33761,7 @@ index 1a1becd..3558f18 100644
  ')
  
  ########################################
-@@ -421,27 +379,16 @@ interface(`dbus_system_bus_unconfined',`
+@@ -421,27 +381,16 @@ interface(`dbus_system_bus_unconfined',`
  #
  interface(`dbus_system_domain',`
  	gen_require(`
@@ -34093,7 +33791,7 @@ index 1a1becd..3558f18 100644
  ')
  
  ########################################
-@@ -464,26 +411,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -464,26 +413,25 @@ interface(`dbus_use_system_bus_fds',`
  
  ########################################
  ## <summary>
@@ -34126,7 +33824,7 @@ index 1a1becd..3558f18 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -491,10 +437,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +439,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -34182,7 +33880,7 @@ index 1a1becd..3558f18 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..f0266a9 100644
+index 1bff6ee..c9396db 100644
 --- a/policy/modules/services/dbus.te
 +++ b/policy/modules/services/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -34244,17 +33942,11 @@ index 1bff6ee..f0266a9 100644
  
  logging_send_audit_msgs(system_dbusd_t)
  logging_send_syslog_msg(system_dbusd_t)
-@@ -136,11 +143,33 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -136,11 +143,27 @@ seutil_sigchld_newrole(system_dbusd_t)
  userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
  userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
  
-+tunable_policy(`use_nfs_home_dirs',`
-+    fs_read_nfs_files(system_dbusd_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+    fs_read_cifs_files(system_dbusd_t)
-+')
++userdom_home_reader(system_dbusd_t)
 +
  optional_policy(`
  	bind_domtrans(system_dbusd_t)
@@ -34278,7 +33970,7 @@ index 1bff6ee..f0266a9 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -151,12 +180,166 @@ optional_policy(`
+@@ -151,12 +174,156 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34334,9 +34026,9 @@ index 1bff6ee..f0266a9 100644
 +')
 +
 +########################################
- #
-+# session_bus_type rules
 +#
++# session_bus_type rules
+ #
 +dontaudit session_bus_type self:capability sys_resource;
 +allow session_bus_type self:process { getattr sigkill signal };
 +dontaudit session_bus_type self:process { ptrace setrlimit };
@@ -34411,17 +34103,7 @@ index 1bff6ee..f0266a9 100644
 +userdom_manage_user_home_content_dirs(session_bus_type)
 +userdom_manage_user_home_content_files(session_bus_type)
 +userdom_user_home_dir_filetrans_user_home_content(session_bus_type, { dir file })
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_dirs(session_bus_type)
-+	fs_manage_nfs_files(session_bus_type)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_dirs(session_bus_type)
-+	fs_manage_cifs_files(session_bus_type)
-+')
-+
+ 
 +optional_policy(`
 +	gnome_read_gconf_home_files(session_bus_type)
 +')
@@ -34429,7 +34111,7 @@ index 1bff6ee..f0266a9 100644
 +optional_policy(`
 +	hal_dbus_chat(session_bus_type)
 +')
- 
++
 +optional_policy(`
 +	xserver_search_xdm_lib(session_bus_type)
 +	xserver_use_xdm_fds(session_bus_type)
@@ -34717,7 +34399,7 @@ index 418a5a0..c25fbdc 100644
  /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..b62f5a9 100644
+index f706b99..7cdc0f5 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
 @@ -5,9 +5,9 @@
@@ -34866,7 +34548,7 @@ index f706b99..b62f5a9 100644
  ########################################
  ## <summary>
  ##	Read devicekit PID files.
-@@ -139,22 +252,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +252,92 @@ interface(`devicekit_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -34874,27 +34556,65 @@ index f706b99..b62f5a9 100644
 -##	an devicekit environment
 +##	Do not audit attempts to read
 +##	devicekit PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`devicekit_dontaudit_read_pid_files',`
++	gen_require(` 
++		type devicekit_var_run_t;
++	')
++
++	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++')
++
++
++########################################
++## <summary>
++##	Manage devicekit PID files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+ ##	Domain allowed access.
  ##	</summary>
  ## </param>
 -## <param name="role">
 +#
-+interface(`devicekit_dontaudit_read_pid_files',`
-+	gen_require(` 
++interface(`devicekit_manage_pid_files',`
++	gen_require(`
 +		type devicekit_var_run_t;
 +	')
 +
-+	dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
++	files_search_pids($1)
++	rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
 +')
 +
++#######################################
++## <summary>
++##  Relabel devicekit LOG files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`devicekit_relabel_log_files',`
++    gen_require(`
++        type devicekit_var_log_t;
++    ')
++
++    logging_search_logs($1)
++    relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++')
 +
 +########################################
 +## <summary>
-+##	Manage devicekit PID files.
++##	Manage devicekit LOG files.
 +## </summary>
 +## <param name="domain">
  ##	<summary>
@@ -34904,14 +34624,15 @@ index f706b99..b62f5a9 100644
  ## </param>
 -## <param name="terminal">
 +#
-+interface(`devicekit_manage_pid_files',`
++interface(`devicekit_manage_log_files',`
 +	gen_require(`
-+		type devicekit_var_run_t;
++		type devicekit_var_log_t;
 +	')
 +
-+	files_search_pids($1)
-+	rw_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+	manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
++	logging_search_logs($1)
++	manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
++	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
 +')
 +
 +########################################
@@ -34926,7 +34647,7 @@ index f706b99..b62f5a9 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -165,21 +308,44 @@ interface(`devicekit_admin',`
+@@ -165,21 +348,46 @@ interface(`devicekit_admin',`
  		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
  	')
  
@@ -34972,10 +34693,12 @@ index f706b99..b62f5a9 100644
 +#
 +interface(`devicekit_filetrans_named_content',`
 +	gen_require(`
-+		type devicekit_var_run_t;
++		type devicekit_var_run_t, devicekit_var_log_t;
 +	')
 +
 +	files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
++	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
++	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
 index f231f17..f277ea6 100644
@@ -36573,7 +36296,7 @@ index e1d7dc5..0557be0 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index acf6d4f..2fbb869 100644
+index acf6d4f..194f170 100644
 --- a/policy/modules/services/dovecot.te
 +++ b/policy/modules/services/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -36648,7 +36371,23 @@ index acf6d4f..2fbb869 100644
  corenet_tcp_bind_sieve_port(dovecot_t)
  corenet_tcp_connect_all_ports(dovecot_t)
  corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -160,6 +167,15 @@ optional_policy(`
+@@ -135,6 +142,7 @@ files_dontaudit_list_default(dovecot_t)
+ # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+ files_read_etc_runtime_files(dovecot_t)
+ files_search_all_mountpoints(dovecot_t)
++files_read_var_lib_files(dovecot_t)
+ 
+ init_getattr_utmp(dovecot_t)
+ 
+@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t)
+ miscfiles_read_generic_certs(dovecot_t)
+ miscfiles_read_localization(dovecot_t)
+ 
++userdom_home_manager(dovecot_t)
+ userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
+ userdom_manage_user_home_content_dirs(dovecot_t)
+ userdom_manage_user_home_content_files(dovecot_t)
+@@ -160,6 +169,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36664,7 +36403,7 @@ index acf6d4f..2fbb869 100644
  	postgresql_stream_connect(dovecot_t)
  ')
  
-@@ -180,8 +196,8 @@ optional_policy(`
+@@ -180,8 +198,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -36675,7 +36414,7 @@ index acf6d4f..2fbb869 100644
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +208,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -36685,7 +36424,7 @@ index acf6d4f..2fbb869 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +220,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +222,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
@@ -36698,16 +36437,17 @@ index acf6d4f..2fbb869 100644
  dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -218,6 +240,8 @@ files_read_var_lib_files(dovecot_auth_t)
+@@ -216,7 +240,8 @@ files_read_usr_files(dovecot_auth_t)
+ files_read_usr_symlinks(dovecot_auth_t)
+ files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
- files_read_var_lib_files(dovecot_t)
- 
-+fs_getattr_xattr_fs(dovecot_auth_t)
+-files_read_var_lib_files(dovecot_t)
 +
++fs_getattr_xattr_fs(dovecot_auth_t)
+ 
  init_rw_utmp(dovecot_auth_t)
  
- miscfiles_read_localization(dovecot_auth_t)
-@@ -236,6 +260,8 @@ optional_policy(`
+@@ -236,6 +261,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -36716,7 +36456,7 @@ index acf6d4f..2fbb869 100644
  ')
  
  optional_policy(`
-@@ -243,6 +269,8 @@ optional_policy(`
+@@ -243,6 +270,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36725,7 +36465,7 @@ index acf6d4f..2fbb869 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +278,42 @@ optional_policy(`
+@@ -250,23 +279,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -36770,14 +36510,32 @@ index acf6d4f..2fbb869 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -302,5 +349,19 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -283,24 +331,22 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+ userdom_manage_user_home_content_sockets(dovecot_deliver_t)
+ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(dovecot_deliver_t)
+-	fs_manage_nfs_files(dovecot_deliver_t)
+-	fs_manage_nfs_symlinks(dovecot_deliver_t)
+-	fs_manage_nfs_dirs(dovecot_t)
+-	fs_manage_nfs_files(dovecot_t)
+-	fs_manage_nfs_symlinks(dovecot_t)
+-')
++userdom_home_manager(dovecot_deliver_t)
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(dovecot_deliver_t)
+-	fs_manage_cifs_files(dovecot_deliver_t)
+-	fs_manage_cifs_symlinks(dovecot_deliver_t)
+-	fs_manage_cifs_dirs(dovecot_t)
+-	fs_manage_cifs_files(dovecot_t)
+-	fs_manage_cifs_symlinks(dovecot_t)
++optional_policy(`
++	gnome_manage_data(dovecot_deliver_t)
  ')
  
  optional_policy(`
-+	gnome_manage_data(dovecot_deliver_t)
-+')
-+
-+optional_policy(`
  	mta_manage_spool(dovecot_deliver_t)
 +	mta_read_queue(dovecot_deliver_t)
 +')
@@ -37774,7 +37532,7 @@ index f590a1f..18bdd33 100644
 +	admin_pattern($1, fail2ban_tmp_t)
  ')
 diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
-index 2a69e5e..2599f96 100644
+index 2a69e5e..c7a0911 100644
 --- a/policy/modules/services/fail2ban.te
 +++ b/policy/modules/services/fail2ban.te
 @@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@@ -37828,7 +37586,17 @@ index 2a69e5e..2599f96 100644
  
  files_read_etc_files(fail2ban_t)
  files_read_etc_runtime_files(fail2ban_t)
-@@ -94,5 +107,38 @@ optional_policy(`
+@@ -85,6 +98,9 @@ miscfiles_read_localization(fail2ban_t)
+ 
+ mta_send_mail(fail2ban_t)
+ 
++sysnet_manage_config(fail2ban_t)
++sysnet_filetrans_named_content(fail2ban_t)
++
+ optional_policy(`
+ 	apache_read_log(fail2ban_t)
+ ')
+@@ -94,5 +110,38 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -38461,7 +38229,7 @@ index 9d3201b..41c2c99 100644
 +	ftp_systemctl($1)
  ')
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..3bc14c3 100644
+index 8a74a83..6c4a30d 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
 @@ -40,6 +40,13 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -38704,15 +38472,28 @@ index 8a74a83..3bc14c3 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,7 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +455,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
 -	auth_manage_all_files_except_shadow(sftpd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	# allow read access to /home by default
+-	fs_list_cifs(sftpd_t)
+-	fs_read_cifs_files(sftpd_t)
+-	fs_read_cifs_symlinks(sftpd_t)
 +	files_manage_non_security_files(sftpd_t)
  ')
  
- tunable_policy(`use_samba_home_dirs',`
+-tunable_policy(`use_nfs_home_dirs',`
+-	# allow read access to /home by default
+-	fs_list_nfs(sftpd_t)
+-	fs_read_nfs_files(sftpd_t)
+-	fs_read_nfs_symlinks(ftpd_t)
+-')
++userdom_home_reader(sftpd_t)
 diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
 index 99a94de..6dbc203 100644
 --- a/policy/modules/services/gatekeeper.te
@@ -38750,10 +38531,10 @@ index 54f0737..44a9663 100644
 +/var/www/git/gitweb\.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 +/var/www/gitweb-caching/gitweb\.cgi		gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
 diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
-index 458aac6..27945d1 100644
+index 458aac6..9077b2d 100644
 --- a/policy/modules/services/git.if
 +++ b/policy/modules/services/git.if
-@@ -1 +1,542 @@
+@@ -1 +1,515 @@
 -## <summary>GIT revision control system</summary>
 +## <summary>Fast Version Control System.</summary>
 +## <desc>
@@ -38966,17 +38747,7 @@ index 458aac6..27945d1 100644
 +	userdom_search_user_home_dirs($1)
 +	files_search_var_lib($1)
 +
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_exec_nfs_files($1)
-+		fs_manage_nfs_dirs($1)
-+		fs_manage_nfs_files($1)
-+	')
-+
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_exec_cifs_files($1)
-+		fs_manage_cifs_dirs($1)
-+		fs_manage_cifs_files($1)
-+	')
++	userdom_home_manager($1)
 +
 +	tunable_policy(`git_system_use_cifs',`
 +		fs_exec_cifs_files($1)
@@ -39080,15 +38851,7 @@ index 458aac6..27945d1 100644
 +	userdom_search_user_home_dirs($1)
 +	files_search_var_lib($1)
 +
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_list_nfs($1)
-+		fs_read_nfs_files($1)
-+	')
-+
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_list_cifs($1)
-+		fs_read_cifs_files($1)
-+	')
++	userdom_home_reader($1)
 +
 +	tunable_policy(`git_system_use_cifs',`
 +		fs_list_cifs($1)
@@ -39120,16 +38883,7 @@ index 458aac6..27945d1 100644
 +	list_dirs_pattern($1, git_session_content_t, git_session_content_t)
 +	read_files_pattern($1, git_session_content_t, git_session_content_t)
 +	userdom_search_user_home_dirs($1)
-+
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_list_nfs($1)
-+		fs_read_nfs_files($1)
-+	')
-+
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_list_cifs($1)
-+		fs_read_cifs_files($1)
-+	')
++	userdom_home_reader($1)
 +')
 +
 +#######################################
@@ -39298,10 +39052,10 @@ index 458aac6..27945d1 100644
 +	userdom_search_user_home_dirs($1)
 +')
 diff --git a/policy/modules/services/git.te b/policy/modules/services/git.te
-index 7382f85..2ef543c 100644
+index 7382f85..fa32fcf 100644
 --- a/policy/modules/services/git.te
 +++ b/policy/modules/services/git.te
-@@ -1,8 +1,197 @@
+@@ -1,8 +1,189 @@
 -policy_module(git, 1.0)
 +policy_module(git, 1.0.3)
 +
@@ -39325,10 +39079,9 @@ index 7382f85..2ef543c 100644
 +##	</p>
 +## </desc>
 +gen_tunable(git_system_use_nfs, false)
- 
- ########################################
- #
--# Declarations
++
++########################################
++#
 +# Git daemon global private declarations.
 +#
 +
@@ -39342,7 +39095,7 @@ index 7382f85..2ef543c 100644
 +role git_shell_r;
 +
 +########################################
- #
++#
 +# Git daemon system private declarations.
 +#
 +
@@ -39412,8 +39165,7 @@ index 7382f85..2ef543c 100644
 +optional_policy(`
 +	automount_dontaudit_getattr_tmp_dirs(git_domains)
 +')
- 
--apache_content_template(git)
++
 +optional_policy(`
 +	nis_use_ypbind(git_domains)
 +')
@@ -39473,21 +39225,15 @@ index 7382f85..2ef543c 100644
 +	corenet_sendrecv_generic_server_packets(git_session_t)
 +')
 +
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_list_nfs(git_session_t)
-+	fs_read_nfs_files(git_session_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_list_cifs(git_session_t)
-+	fs_read_cifs_files(git_session_t)
-+')
-+
-+########################################
-+#
++userdom_home_reader(git_session_t)
+ 
+ ########################################
+ #
+-# Declarations
 +# cgi git Declarations
-+#
-+
+ #
+ 
+-apache_content_template(git)
 +optional_policy(`
 +	apache_content_template(git)
 +	git_read_all_content_files(httpd_git_script_t)
@@ -40695,6 +40441,28 @@ index c234b32..6c0a73d 100644
 +optional_policy(`
 +	sysnet_dns_name_resolve(hddtemp_t)
 +')
+diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
+index 5fc89c4..738c3e2 100644
+--- a/policy/modules/services/i18n_input.te
++++ b/policy/modules/services/i18n_input.te
+@@ -74,16 +74,7 @@ sysnet_read_config(i18n_input_t)
+ 
+ userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
+ userdom_read_user_home_content_files(i18n_input_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_read_nfs_files(i18n_input_t)
+-	fs_read_nfs_symlinks(i18n_input_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_read_cifs_files(i18n_input_t)
+-	fs_read_cifs_symlinks(i18n_input_t)
+-')
++userdom_home_reader(i18n_input_t)
+ 
+ optional_policy(`
+ 	canna_stream_connect(i18n_input_t)
 diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
 index ecab47a..6ba84cf 100644
 --- a/policy/modules/services/icecast.if
@@ -43062,7 +42830,7 @@ index a4f32f5..32824fb 100644
  		type lpr_t, lpr_exec_t;
  	')
 diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
-index 93c14ca..f28acd2 100644
+index 93c14ca..27d96e1 100644
 --- a/policy/modules/services/lpd.te
 +++ b/policy/modules/services/lpd.te
 @@ -6,9 +6,9 @@ policy_module(lpd, 1.12.0)
@@ -43150,21 +42918,25 @@ index 93c14ca..f28acd2 100644
  	# Send SIGHUP to lpd.
  	allow lpr_t lpd_t:process signal;
  
-@@ -308,12 +309,14 @@ tunable_policy(`use_lpd_server',`
+@@ -307,17 +308,7 @@ tunable_policy(`use_lpd_server',`
+ 	read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
  ')
  
- tunable_policy(`use_nfs_home_dirs',`
-+	files_list_home(lpr_t)
- 	fs_list_auto_mountpoints(lpr_t)
- 	fs_read_nfs_files(lpr_t)
- 	fs_read_nfs_symlinks(lpr_t)
- ')
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_list_auto_mountpoints(lpr_t)
+-	fs_read_nfs_files(lpr_t)
+-	fs_read_nfs_symlinks(lpr_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_list_auto_mountpoints(lpr_t)
+-	fs_read_cifs_files(lpr_t)
+-	fs_read_cifs_symlinks(lpr_t)
+-')
++userdom_home_reader(lpr_t)
  
- tunable_policy(`use_samba_home_dirs',`
-+	files_list_home(lpr_t)
- 	fs_list_auto_mountpoints(lpr_t)
- 	fs_read_cifs_files(lpr_t)
- 	fs_read_cifs_symlinks(lpr_t)
+ optional_policy(`
+ 	cups_read_config(lpr_t)
 diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
 index 14ad189..2b8efd8 100644
 --- a/policy/modules/services/mailman.fc
@@ -44529,10 +44301,10 @@ index 0000000..1d76fb8
 +')
 diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
 new file mode 100644
-index 0000000..b1107b5
+index 0000000..4389219
 --- /dev/null
 +++ b/policy/modules/services/mock.te
-@@ -0,0 +1,250 @@
+@@ -0,0 +1,251 @@
 +policy_module(mock,1.0.0)
 +
 +## <desc>
@@ -44662,6 +44434,7 @@ index 0000000..b1107b5
 +files_search_home(mock_t)
 +
 +tunable_policy(`mock_enable_homedirs',`
++	userdom_manage_user_home_content_dirs(mock_t)
 +	userdom_manage_user_home_content_files(mock_t)
 +')
 +
@@ -44919,7 +44692,7 @@ index d72276f..cb8c563 100644
  	mpd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
-index 7f68872..e4ac35e 100644
+index 7f68872..36ff69d 100644
 --- a/policy/modules/services/mpd.te
 +++ b/policy/modules/services/mpd.te
 @@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -44932,27 +44705,18 @@ index 7f68872..e4ac35e 100644
  
  manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
  manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-@@ -103,6 +106,19 @@ logging_send_syslog_msg(mpd_t)
+@@ -103,6 +106,10 @@ logging_send_syslog_msg(mpd_t)
  
  miscfiles_read_localization(mpd_t)
  
 +userdom_read_home_audio_files(mpd_t)
 +userdom_read_user_tmpfs_files(mpd_t)
-+
-+tunable_policy(`use_samba_home_dirs',`
-+    fs_read_cifs_files(mpd_t)
-+    fs_read_cifs_symlinks(mpd_t)
-+')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+    fs_read_nfs_files(mpd_t)
-+    fs_read_nfs_symlinks(mpd_t)
-+')
++userdom_home_reader(mpd_t)
 +
  optional_policy(`
  	alsa_read_rw_config(mpd_t)
  ')
-@@ -122,5 +138,14 @@ optional_policy(`
+@@ -122,5 +129,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45011,7 +44775,7 @@ index 256166a..2320c87 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..e5519fd 100644
+index 343cee3..867dfac 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -45097,7 +44861,7 @@ index 343cee3..e5519fd 100644
  ########################################
  ## <summary>
  ##	Make the specified type by a system MTA.
-@@ -306,7 +337,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,10 +337,11 @@ interface(`mta_mailserver_sender',`
  interface(`mta_mailserver_delivery',`
  	gen_require(`
  		attribute mailserver_delivery;
@@ -45105,7 +44869,12 @@ index 343cee3..e5519fd 100644
  	')
  
  	typeattribute $1 mailserver_delivery;
-@@ -330,12 +360,6 @@ interface(`mta_mailserver_user_agent',`
++
++	userdom_home_manager($1)
+ ')
+ 
+ #######################################
+@@ -330,12 +362,6 @@ interface(`mta_mailserver_user_agent',`
  	')
  
  	typeattribute $1 mta_user_agent;
@@ -45118,7 +44887,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -350,9 +374,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +376,8 @@ interface(`mta_mailserver_user_agent',`
  #
  interface(`mta_send_mail',`
  	gen_require(`
@@ -45129,7 +44898,7 @@ index 343cee3..e5519fd 100644
  	')
  
  	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -391,12 +414,17 @@ interface(`mta_send_mail',`
+@@ -391,12 +416,17 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -45149,7 +44918,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -409,7 +437,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +439,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -45157,7 +44926,7 @@ index 343cee3..e5519fd 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +447,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +449,24 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -45182,7 +44951,7 @@ index 343cee3..e5519fd 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -438,6 +483,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +485,26 @@ interface(`mta_sendmail_exec',`
  
  ########################################
  ## <summary>
@@ -45209,7 +44978,7 @@ index 343cee3..e5519fd 100644
  ##	Read mail server configuration.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +539,8 @@ interface(`mta_write_config',`
+@@ -474,7 +541,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -45219,7 +44988,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -494,6 +560,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +562,7 @@ interface(`mta_read_aliases',`
  
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file read_file_perms;
@@ -45227,7 +44996,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -532,7 +599,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +601,7 @@ interface(`mta_etc_filetrans_aliases',`
  		type etc_aliases_t;
  	')
  
@@ -45236,7 +45005,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -552,7 +619,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +621,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -45245,7 +45014,7 @@ index 343cee3..e5519fd 100644
  ')
  
  #######################################
-@@ -646,8 +713,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +715,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -45256,7 +45025,7 @@ index 343cee3..e5519fd 100644
  ')
  
  #######################################
-@@ -677,7 +744,26 @@ interface(`mta_spool_filetrans',`
+@@ -677,7 +746,26 @@ interface(`mta_spool_filetrans',`
  	')
  
  	files_search_spool($1)
@@ -45284,7 +45053,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -697,8 +783,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +785,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -45295,7 +45064,7 @@ index 343cee3..e5519fd 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +924,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +926,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -45304,7 +45073,7 @@ index 343cee3..e5519fd 100644
  ')
  
  ########################################
-@@ -864,6 +950,36 @@ interface(`mta_manage_queue',`
+@@ -864,6 +952,36 @@ interface(`mta_manage_queue',`
  
  #######################################
  ## <summary>
@@ -45341,7 +45110,7 @@ index 343cee3..e5519fd 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -899,3 +1015,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +1017,114 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -45457,7 +45226,7 @@ index 343cee3..e5519fd 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..65fd01f 100644
+index 64268e4..7f55b85 100644
 --- a/policy/modules/services/mta.te
 +++ b/policy/modules/services/mta.te
 @@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -45646,7 +45415,7 @@ index 64268e4..65fd01f 100644
  ########################################
  #
  # Mailserver delivery local policy
-@@ -220,7 +228,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,28 +228,21 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -45656,7 +45425,21 @@ index 64268e4..65fd01f 100644
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
  
-@@ -242,6 +251,10 @@ optional_policy(`
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(mailserver_delivery)
+-	fs_manage_cifs_files(mailserver_delivery)
+-	fs_manage_cifs_symlinks(mailserver_delivery)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(mailserver_delivery)
+-	fs_manage_nfs_files(mailserver_delivery)
+-	fs_manage_nfs_symlinks(mailserver_delivery)
+-')
+-
+ optional_policy(`
+ 	dovecot_manage_spool(mailserver_delivery)
+ 	dovecot_domtrans_deliver(mailserver_delivery)
  ')
  
  optional_policy(`
@@ -45667,7 +45450,7 @@ index 64268e4..65fd01f 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,16 +262,25 @@ optional_policy(`
+@@ -249,16 +250,25 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -45695,7 +45478,7 @@ index 64268e4..65fd01f 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,6 +299,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,6 +287,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
  # files in an appropriate place for mta_user_agent
  userdom_read_user_tmp_files(mta_user_agent)
  
@@ -45704,7 +45487,7 @@ index 64268e4..65fd01f 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(user_mail_t)
  	fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +316,47 @@ optional_policy(`
+@@ -292,3 +304,47 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -46214,7 +45997,7 @@ index e9c0982..ac7e846 100644
 +	mysql_stream_connect($1)
  ')
 diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
-index 0a0d63c..d19d2d2 100644
+index 0a0d63c..8fcabd8 100644
 --- a/policy/modules/services/mysql.te
 +++ b/policy/modules/services/mysql.te
 @@ -6,9 +6,9 @@ policy_module(mysql, 1.12.0)
@@ -46282,7 +46065,13 @@ index 0a0d63c..d19d2d2 100644
  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
  
  read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
-@@ -175,21 +179,27 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -170,26 +174,33 @@ kernel_read_system_state(mysqld_safe_t)
+ kernel_read_kernel_sysctls(mysqld_safe_t)
+ 
+ corecmd_exec_bin(mysqld_safe_t)
++corecmd_exec_shell(mysqld_safe_t)
+ 
+ dev_list_sysfs(mysqld_safe_t)
  
  domain_read_all_domains_state(mysqld_safe_t)
  
@@ -46723,7 +46512,7 @@ index 74da57f..b94bb3b 100644
  /usr/sbin/nessusd	--	gen_context(system_u:object_r:nessusd_exec_t,s0)
  
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
-index 386543b..47e1b41 100644
+index 386543b..8e8f911 100644
 --- a/policy/modules/services/networkmanager.fc
 +++ b/policy/modules/services/networkmanager.fc
 @@ -1,6 +1,15 @@
@@ -46743,7 +46532,7 @@ index 386543b..47e1b41 100644
  
  /usr/libexec/nm-dispatcher.action --	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
  
-@@ -16,7 +25,8 @@
+@@ -16,11 +25,13 @@
  /var/lib/wicd(/.*)?			gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
  /var/lib/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
  
@@ -46753,6 +46542,11 @@ index 386543b..47e1b41 100644
  /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
  
  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/nm-dns-dnsmasq\.conf	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+ /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
 index 2324d9e..8666a3c 100644
 --- a/policy/modules/services/networkmanager.if
@@ -48529,7 +48323,7 @@ index bb4fae5..044486c 100644
 +	admin_pattern($1, oidentd_config_t)
 +')
 diff --git a/policy/modules/services/oident.te b/policy/modules/services/oident.te
-index 8845174..98f541f 100644
+index 8845174..58148ed 100644
 --- a/policy/modules/services/oident.te
 +++ b/policy/modules/services/oident.te
 @@ -26,10 +26,10 @@ files_config_file(oidentd_config_t)
@@ -48547,6 +48341,25 @@ index 8845174..98f541f 100644
  allow oidentd_t self:unix_dgram_socket { create connect };
  
  allow oidentd_t oidentd_config_t:file read_file_perms;
+@@ -59,17 +59,8 @@ miscfiles_read_localization(oidentd_t)
+ sysnet_read_config(oidentd_t)
+ 
+ oident_read_user_content(oidentd_t)
++userdom_home_reader(oidentd_t)
+ 
+ optional_policy(`
+ 	nis_use_ypbind(oidentd_t)
+ ')
+-
+-tunable_policy(`use_samba_home_dirs', `
+-	fs_list_cifs(oidentd_t)
+- 	fs_read_cifs_files(oidentd_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs', `
+-	fs_list_nfs(oidentd_t)
+- 	fs_read_nfs_files(oidentd_t)
+-')
 diff --git a/policy/modules/services/openct.if b/policy/modules/services/openct.if
 index 9d0a67b..9197ef0 100644
 --- a/policy/modules/services/openct.if
@@ -48575,6 +48388,36 @@ index 9d0a67b..9197ef0 100644
  ## </param>
  #
  interface(`openct_domtrans',`
+diff --git a/policy/modules/services/openct.te b/policy/modules/services/openct.te
+index 7f8fdc2..047d985 100644
+--- a/policy/modules/services/openct.te
++++ b/policy/modules/services/openct.te
+@@ -23,12 +23,13 @@ allow openct_t self:process signal_perms;
+ manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+-files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+ 
+ kernel_read_kernel_sysctls(openct_t)
+ kernel_list_proc(openct_t)
+ kernel_read_proc_symlinks(openct_t)
+ 
++can_exec(openct_t, openct_exec_t)
++
+ dev_read_sysfs(openct_t)
+ # openct asks for this
+ dev_rw_usbfs(openct_t)
+@@ -50,7 +51,9 @@ miscfiles_read_localization(openct_t)
+ userdom_dontaudit_use_unpriv_user_fds(openct_t)
+ userdom_dontaudit_search_user_home_dirs(openct_t)
+ 
+-openct_exec(openct_t)
++optional_policy(`
++	pcscd_stream_connect(openct_t)
++')
+ 
+ optional_policy(`
+ 	seutil_sigchld_newrole(openct_t)
 diff --git a/policy/modules/services/openvpn.if b/policy/modules/services/openvpn.if
 index d883214..d6afa87 100644
 --- a/policy/modules/services/openvpn.if
@@ -50054,10 +49897,39 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
-index 1e7169d..9cdbfa8 100644
+index 1e7169d..a16f7d7 100644
 --- a/policy/modules/services/policykit.te
 +++ b/policy/modules/services/policykit.te
-@@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+@@ -5,47 +5,69 @@ policy_module(policykit, 1.1.0)
+ # Declarations
+ #
+ 
+-type policykit_t alias polkit_t;
+-type policykit_exec_t alias polkit_exec_t;
++attribute policykit_domain;
++
++type policykit_t, policykit_domain;
++type policykit_exec_t;
+ init_daemon_domain(policykit_t, policykit_exec_t)
+ 
+-type policykit_auth_t alias polkit_auth_t;
+-type policykit_auth_exec_t alias polkit_auth_exec_t;
++type policykit_auth_t, policykit_domain;
++type policykit_auth_exec_t;
+ init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
+ 
+-type policykit_grant_t alias polkit_grant_t;
+-type policykit_grant_exec_t alias polkit_grant_exec_t;
++type policykit_grant_t, policykit_domain;
++type policykit_grant_exec_t;
+ init_system_domain(policykit_grant_t, policykit_grant_exec_t)
+ 
+-type policykit_resolve_t alias polkit_resolve_t;
+-type policykit_resolve_exec_t alias polkit_resolve_exec_t;
++type policykit_resolve_t, policykit_domain;
++type policykit_resolve_exec_t;
+ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t)
+ 
  type policykit_reload_t alias polkit_reload_t;
  files_type(policykit_reload_t)
  
@@ -50067,7 +49939,27 @@ index 1e7169d..9cdbfa8 100644
  type policykit_var_lib_t alias polkit_var_lib_t;
  files_type(policykit_var_lib_t)
  
-@@ -35,11 +38,11 @@ files_pid_file(policykit_var_run_t)
+ type policykit_var_run_t alias polkit_var_run_t;
+ files_pid_file(policykit_var_run_t)
+ 
++#######################################
++#
++# policykit_domain local policy
++#
++
++allow policykit_domain self:process getattr;
++allow policykit_domain self:fifo_file rw_fifo_file_perms;
++
++dev_read_sysfs(policykit_domain)
++
++#auth_use_nsswitch(policykit_domain)
++
++logging_send_syslog_msg(policykit_domain)
++
++miscfiles_read_localization(policykit_domain)
++
+ ########################################
+ #
  # policykit local policy
  #
  
@@ -50075,15 +49967,22 @@ index 1e7169d..9cdbfa8 100644
 -allow policykit_t self:process getattr;
 -allow policykit_t self:fifo_file rw_file_perms;
 +allow policykit_t self:capability { dac_override dac_read_search setgid setuid };
-+allow policykit_t self:process { getsched getattr signal };
-+allow policykit_t self:fifo_file rw_fifo_file_perms;
++allow policykit_t self:process { getsched signal };
  allow policykit_t self:unix_dgram_socket create_socket_perms;
 -allow policykit_t self:unix_stream_socket create_stream_socket_perms;
 +allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
  policykit_domtrans_auth(policykit_t)
  
-@@ -56,10 +59,16 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+ can_exec(policykit_t, policykit_exec_t)
+ corecmd_exec_bin(policykit_t)
+ 
++dev_read_sysfs(policykit_t)
++
+ rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
+ 
+ policykit_domtrans_resolve(policykit_t)
+@@ -56,56 +78,101 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -50100,19 +49999,18 @@ index 1e7169d..9cdbfa8 100644
  
  auth_use_nsswitch(policykit_t)
  
-@@ -67,45 +76,92 @@ logging_send_syslog_msg(policykit_t)
- 
- miscfiles_read_localization(policykit_t)
- 
+-logging_send_syslog_msg(policykit_t)
 +userdom_getattr_all_users(policykit_t)
- userdom_read_all_users_state(policykit_t)
++userdom_read_all_users_state(policykit_t)
 +userdom_dontaudit_search_admin_dir(policykit_t)
 +
 +optional_policy(`
 +	dbus_system_domain(policykit_t, policykit_exec_t)
-+
+ 
+-miscfiles_read_localization(policykit_t)
 +	init_dbus_chat(policykit_t)
-+
+ 
+-userdom_read_all_users_state(policykit_t)
 +	optional_policy(`
 +		consolekit_dbus_chat(policykit_t)
 +	')
@@ -50141,8 +50039,7 @@ index 1e7169d..9cdbfa8 100644
 -allow policykit_auth_t self:fifo_file rw_file_perms;
 +allow policykit_auth_t self:capability { ipc_lock setgid setuid };
 +dontaudit policykit_auth_t self:capability sys_tty_config;
-+allow policykit_auth_t self:process { getattr getsched signal };
-+allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
++allow policykit_auth_t self:process { getsched signal };
 +
  allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
  allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -50175,17 +50072,17 @@ index 1e7169d..9cdbfa8 100644
  files_read_etc_files(policykit_auth_t)
  files_read_usr_files(policykit_auth_t)
 +files_search_home(policykit_auth_t)
-+
-+fs_getattr_all_fs(polkit_auth_t)
-+fs_search_tmpfs(polkit_auth_t)
  
- auth_use_nsswitch(policykit_auth_t)
+-auth_use_nsswitch(policykit_auth_t)
++fs_getattr_all_fs(policykit_auth_t)
++fs_search_tmpfs(policykit_auth_t)
+ 
+-logging_send_syslog_msg(policykit_auth_t)
 +auth_rw_var_auth(policykit_auth_t)
++auth_use_nsswitch(policykit_auth_t)
 +auth_domtrans_chk_passwd(policykit_auth_t)
  
- logging_send_syslog_msg(policykit_auth_t)
- 
- miscfiles_read_localization(policykit_auth_t)
+-miscfiles_read_localization(policykit_auth_t)
 +miscfiles_read_fonts(policykit_auth_t)
 +miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
  
@@ -50199,7 +50096,7 @@ index 1e7169d..9cdbfa8 100644
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,6 +174,14 @@ optional_policy(`
+@@ -118,14 +185,21 @@ optional_policy(`
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -50214,17 +50111,27 @@ index 1e7169d..9cdbfa8 100644
  ########################################
  #
  # polkit_grant local policy
-@@ -125,7 +189,8 @@ optional_policy(`
+ #
  
  allow policykit_grant_t self:capability setuid;
- allow policykit_grant_t self:process getattr;
+-allow policykit_grant_t self:process getattr;
 -allow policykit_grant_t self:fifo_file rw_file_perms;
-+allow policykit_grant_t self:fifo_file rw_fifo_file_perms;
 +
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -155,9 +220,12 @@ miscfiles_read_localization(policykit_grant_t)
+@@ -145,19 +219,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+ files_read_etc_files(policykit_grant_t)
+ files_read_usr_files(policykit_grant_t)
+ 
+-auth_use_nsswitch(policykit_grant_t)
+ auth_domtrans_chk_passwd(policykit_grant_t)
+-
+-logging_send_syslog_msg(policykit_grant_t)
+-
+-miscfiles_read_localization(policykit_grant_t)
++auth_use_nsswitch(policykit_grant_t)
+ 
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -50238,20 +50145,34 @@ index 1e7169d..9cdbfa8 100644
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,9 +235,10 @@ optional_policy(`
+@@ -167,9 +240,8 @@ optional_policy(`
  # polkit_resolve local policy
  #
  
 -allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
-+allow policykit_resolve_t self:capability { setuid sys_nice };
- allow policykit_resolve_t self:process getattr;
+-allow policykit_resolve_t self:process getattr;
 -allow policykit_resolve_t self:fifo_file rw_file_perms;
-+allow policykit_resolve_t self:fifo_file rw_fifo_file_perms;
++allow policykit_resolve_t self:capability { setuid sys_nice };
 +
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -207,4 +276,3 @@ optional_policy(`
+@@ -185,13 +257,9 @@ corecmd_search_bin(policykit_resolve_t)
+ files_read_etc_files(policykit_resolve_t)
+ files_read_usr_files(policykit_resolve_t)
+ 
+-mcs_ptrace_all(policykit_resolve_t)
+-
+ auth_use_nsswitch(policykit_resolve_t)
+ 
+-logging_send_syslog_msg(policykit_resolve_t)
+-
+-miscfiles_read_localization(policykit_resolve_t)
++mcs_ptrace_all(policykit_resolve_t)
+ 
+ userdom_read_all_users_state(policykit_resolve_t)
+ 
+@@ -207,4 +275,3 @@ optional_policy(`
  	kernel_search_proc(policykit_resolve_t)
  	hal_read_state(policykit_resolve_t)
  ')
@@ -50475,10 +50396,10 @@ index 0000000..7dc2c0c
 +')
 diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
 new file mode 100644
-index 0000000..89ab1b6
+index 0000000..d958b53
 --- /dev/null
 +++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,149 @@
 +policy_module(polipo, 1.0.0)
 +
 +########################################
@@ -50627,17 +50548,7 @@ index 0000000..89ab1b6
 +	logging_send_syslog_msg(polipo_session_t)
 +')
 +
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_files(polipo_session_t)
-+',`
-+	fs_dontaudit_manage_nfs_files(polipo_session_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_files(polipo_session_t)
-+',`
-+	fs_dontaudit_manage_cifs_files(polipo_session_t)
-+')
++userdom_home_manager(polipo_session_t)
 diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
 index 333a1fe..e599723 100644
 --- a/policy/modules/services/portmap.te
@@ -50804,7 +50715,7 @@ index a3e85c9..c0e0959 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..e50a72c 100644
+index 46bee12..2216f6a 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -51049,7 +50960,7 @@ index 46bee12..e50a72c 100644
  ')
  
  ########################################
-@@ -621,3 +701,136 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +701,154 @@ interface(`postfix_domtrans_user_mail_handler',`
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -51169,6 +51080,24 @@ index 46bee12..e50a72c 100644
 +
 +########################################
 +## <summary>
++##	Execute postfix exec in the users domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`postfix_exec',`
++	gen_require(`
++		type postfix_exec_t;
++	')
++
++	can_exec($1, postfix_exec_t)
++')
++
++########################################
++## <summary>
 +##	Transition to postfix named content
 +## </summary>
 +## <param name="domain">
@@ -51187,7 +51116,7 @@ index 46bee12..e50a72c 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..3a59bac 100644
+index a32c4b3..94e68b2 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
@@ -51294,7 +51223,15 @@ index a32c4b3..3a59bac 100644
  
  manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
  manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
+ 
+ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ 
+ kernel_read_all_sysctls(postfix_master_t)
+@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
  corenet_udp_sendrecv_generic_node(postfix_master_t)
  corenet_tcp_sendrecv_all_ports(postfix_master_t)
  corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -51304,7 +51241,7 @@ index a32c4b3..3a59bac 100644
  corenet_tcp_bind_generic_node(postfix_master_t)
  corenet_tcp_bind_amavisd_send_port(postfix_master_t)
  corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
+@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t)
  domain_use_interactive_fds(postfix_master_t)
  
  files_read_usr_files(postfix_master_t)
@@ -51315,7 +51252,7 @@ index a32c4b3..3a59bac 100644
  
  term_dontaudit_search_ptys(postfix_master_t)
  
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search;
  allow postfix_bounce_t self:tcp_socket create_socket_perms;
  
  allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -51334,7 +51271,7 @@ index a32c4b3..3a59bac 100644
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
+@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
  
  rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
  write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
@@ -51352,7 +51289,7 @@ index a32c4b3..3a59bac 100644
  allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
  
  corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,8 +294,8 @@ optional_policy(`
+@@ -264,8 +295,8 @@ optional_policy(`
  # Postfix local local policy
  #
  
@@ -51362,7 +51299,7 @@ index a32c4b3..3a59bac 100644
  
  # connect to master process
  stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
-@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +304,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
  # for .forward - maybe we need a new type for it?
  rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
  
@@ -51371,7 +51308,7 @@ index a32c4b3..3a59bac 100644
  allow postfix_local_t postfix_spool_t:file rw_file_perms;
  
  corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +319,15 @@ mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
  mta_read_config(postfix_local_t)
@@ -51390,7 +51327,7 @@ index a32c4b3..3a59bac 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -297,6 +334,10 @@ optional_policy(`
+@@ -297,6 +335,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51401,7 +51338,7 @@ index a32c4b3..3a59bac 100644
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
-@@ -304,9 +345,22 @@ optional_policy(`
+@@ -304,9 +346,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51424,7 +51361,7 @@ index a32c4b3..3a59bac 100644
  ########################################
  #
  # Postfix map local policy
-@@ -372,6 +426,7 @@ optional_policy(`
+@@ -372,6 +427,7 @@ optional_policy(`
  # Postfix pickup local policy
  #
  
@@ -51432,7 +51369,7 @@ index a32c4b3..3a59bac 100644
  allow postfix_pickup_t self:tcp_socket create_socket_perms;
  
  stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
-@@ -379,19 +434,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,19 +435,26 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -51460,7 +51397,7 @@ index a32c4b3..3a59bac 100644
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -51469,7 +51406,7 @@ index a32c4b3..3a59bac 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +484,7 @@ optional_policy(`
+@@ -420,6 +485,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -51477,7 +51414,7 @@ index a32c4b3..3a59bac 100644
  ')
  
  optional_policy(`
-@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -51495,7 +51432,7 @@ index a32c4b3..3a59bac 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -51506,7 +51443,7 @@ index a32c4b3..3a59bac 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -507,6 +578,8 @@ optional_policy(`
+@@ -507,6 +579,8 @@ optional_policy(`
  # Postfix qmgr local policy
  #
  
@@ -51515,7 +51452,7 @@ index a32c4b3..3a59bac 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +593,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -51528,7 +51465,7 @@ index a32c4b3..3a59bac 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +617,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -51539,7 +51476,16 @@ index a32c4b3..3a59bac 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +644,14 @@ optional_policy(`
+@@ -558,6 +638,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+ 
+ allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+ 
++rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++
+ files_search_all_mountpoints(postfix_smtp_t)
+ 
+ optional_policy(`
+@@ -565,6 +647,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51554,7 +51500,7 @@ index a32c4b3..3a59bac 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -588,10 +675,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +678,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -51571,7 +51517,7 @@ index a32c4b3..3a59bac 100644
  ')
  
  optional_policy(`
-@@ -599,6 +692,10 @@ optional_policy(`
+@@ -599,6 +695,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51582,7 +51528,7 @@ index a32c4b3..3a59bac 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,8 +708,8 @@ optional_policy(`
+@@ -611,8 +711,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -51592,7 +51538,7 @@ index a32c4b3..3a59bac 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +727,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +730,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -52492,7 +52438,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..6451f82 100644
+index 29b9295..4c188f9 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -52546,7 +52492,26 @@ index 29b9295..6451f82 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -125,6 +138,11 @@ optional_policy(`
+@@ -97,17 +110,7 @@ ifdef(`hide_broken_symptoms',`
+ 	mta_dontaudit_rw_queue(procmail_t)
+ ')
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(procmail_t)
+-	fs_manage_nfs_files(procmail_t)
+-	fs_manage_nfs_symlinks(procmail_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(procmail_t)
+-	fs_manage_cifs_files(procmail_t)
+-	fs_manage_cifs_symlinks(procmail_t)
+-')
++userdom_home_manager(procmail_t)
+ 
+ optional_policy(`
+ 	clamav_domtrans_clamscan(procmail_t)
+@@ -125,6 +128,11 @@ optional_policy(`
  	postfix_read_spool_files(procmail_t)
  	postfix_read_local_state(procmail_t)
  	postfix_read_master_state(procmail_t)
@@ -54321,10 +54286,10 @@ index f04a595..d6a6e1a 100644
 +	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
 +')
 diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
-index 852840b..cc1775e 100644
+index 852840b..9405f78 100644
 --- a/policy/modules/services/razor.te
 +++ b/policy/modules/services/razor.te
-@@ -5,118 +5,135 @@ policy_module(razor, 2.2.0)
+@@ -5,118 +5,125 @@ policy_module(razor, 2.2.0)
  # Declarations
  #
  
@@ -54440,34 +54405,22 @@ index 852840b..cc1775e 100644
 +	files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
 +
 +	auth_use_nsswitch(razor_t)
-+
-+	logging_send_syslog_msg(razor_t)
-+
-+	userdom_search_user_home_dirs(razor_t)
-+	userdom_use_inherited_user_terminals(razor_t)
-+
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_manage_nfs_dirs(razor_t)
-+		fs_manage_nfs_files(razor_t)
-+		fs_manage_nfs_symlinks(razor_t)
-+	')
  
 -type razor_etc_t;
 -files_config_file(razor_etc_t)
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_manage_cifs_dirs(razor_t)
-+		fs_manage_cifs_files(razor_t)
-+		fs_manage_cifs_symlinks(razor_t)
-+	')
++	logging_send_syslog_msg(razor_t)
  
 -type razor_home_t;
 -typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
 -typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
 -userdom_user_home_content(razor_home_t)
--
++	userdom_search_user_home_dirs(razor_t)
++	userdom_use_inherited_user_terminals(razor_t)
+ 
 -type razor_log_t;
 -logging_log_file(razor_log_t)
--
++	userdom_home_manager(razor_t)
+ 
 -type razor_tmp_t;
 -typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
 -typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
@@ -54573,7 +54526,7 @@ index 852840b..cc1775e 100644
 +	')
  ')
 diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index 0a76027..adc198d 100644
+index 0a76027..a475797 100644
 --- a/policy/modules/services/remotelogin.te
 +++ b/policy/modules/services/remotelogin.te
 @@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
@@ -54615,7 +54568,7 @@ index 0a76027..adc198d 100644
  
  miscfiles_read_localization(remote_login_t)
  
-@@ -87,9 +82,11 @@ userdom_search_user_home_content(remote_login_t)
+@@ -87,34 +82,28 @@ userdom_search_user_home_content(remote_login_t)
  # since very weak authentication is used.
  userdom_signal_unpriv_users(remote_login_t)
  userdom_spec_domtrans_unpriv_users(remote_login_t)
@@ -54627,9 +54580,19 @@ index 0a76027..adc198d 100644
 +userdom_manage_user_tmp_files(remote_login_t)
 +userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
  
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_read_nfs_files(remote_login_t)
-@@ -106,15 +103,15 @@ optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_read_nfs_files(remote_login_t)
+-	fs_read_nfs_symlinks(remote_login_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_read_cifs_files(remote_login_t)
+-	fs_read_cifs_symlinks(remote_login_t)
+-')
++userdom_home_reader(remote_login_t)
+ 
+ optional_policy(`
+ 	alsa_domtrans(remote_login_t)
  ')
  
  optional_policy(`
@@ -56503,7 +56466,7 @@ index 63e78c6..fdd8228 100644
  		type rlogind_home_t;
  	')
 diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..4bcaacc 100644
+index 779fa44..91c8ee8 100644
 --- a/policy/modules/services/rlogin.te
 +++ b/policy/modules/services/rlogin.te
 @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -56543,7 +56506,7 @@ index 779fa44..4bcaacc 100644
  
  files_read_etc_files(rlogind_t)
  files_read_etc_runtime_files(rlogind_t)
-@@ -88,9 +88,10 @@ seutil_read_config(rlogind_t)
+@@ -88,29 +88,24 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
@@ -56554,10 +56517,25 @@ index 779fa44..4bcaacc 100644
 +userdom_manage_user_tmp_files(rlogind_t)
 +userdom_tmp_filetrans_user_tmp(rlogind_t, file)
 +userdom_use_user_terminals(rlogind_t)
++userdom_home_reader(rlogind_t)
  
  rlogin_read_home_content(rlogind_t)
  
-@@ -112,5 +113,10 @@ optional_policy(`
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_list_nfs(rlogind_t)
+-	fs_read_nfs_files(rlogind_t)
+-	fs_read_nfs_symlinks(rlogind_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_list_cifs(rlogind_t)
+-	fs_read_cifs_files(rlogind_t)
+-	fs_read_cifs_symlinks(rlogind_t)
+-')
+-
+ optional_policy(`
+ 	kerberos_keytab_template(rlogind, rlogind_t)
+ 	kerberos_manage_host_rcache(rlogind_t)
  ')
  
  optional_policy(`
@@ -57049,17 +57027,28 @@ index d6d76e1..9cb5e25 100644
 +	nis_use_ypbind(rpcbind_t)
 +')
 diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
-index 0b405d1..49a4283 100644
+index 0b405d1..cdf9184 100644
 --- a/policy/modules/services/rshd.te
 +++ b/policy/modules/services/rshd.te
-@@ -66,6 +66,7 @@ seutil_read_config(rshd_t)
+@@ -66,16 +66,9 @@ seutil_read_config(rshd_t)
  seutil_read_default_contexts(rshd_t)
  
  userdom_search_user_home_content(rshd_t)
 +userdom_manage_tmp_role(system_r, rshd_t)
  
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_read_nfs_files(rshd_t)
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_read_nfs_files(rshd_t)
+-	fs_read_nfs_symlinks(rshd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_read_cifs_files(rshd_t)
+-	fs_read_cifs_symlinks(rshd_t)
+-')
++userdom_home_reader(rshd_t)
+ 
+ optional_policy(`
+ 	kerberos_keytab_template(rshd, rshd_t)
 diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if
 index 3386f29..b28cae5 100644
 --- a/policy/modules/services/rsync.if
@@ -59541,7 +59530,7 @@ index c954f31..85e8212 100644
 +	admin_pattern($1, spamd_var_run_t)
  ')
 diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
-index ec1eb1e..a370364 100644
+index ec1eb1e..fdb471a 100644
 --- a/policy/modules/services/spamassassin.te
 +++ b/policy/modules/services/spamassassin.te
 @@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0)
@@ -59683,7 +59672,14 @@ index ec1eb1e..a370364 100644
  
  type spamd_tmp_t;
  files_tmp_file(spamd_tmp_t)
-@@ -108,6 +153,7 @@ kernel_read_kernel_sysctls(spamassassin_t)
+@@ -102,12 +147,14 @@ manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
+ userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, { dir file lnk_file sock_file fifo_file })
++userdom_home_manager(spamassassin_t)
+ 
+ kernel_read_kernel_sysctls(spamassassin_t)
+ 
  dev_read_urand(spamassassin_t)
  
  fs_search_auto_mountpoints(spamassassin_t)
@@ -59691,7 +59687,7 @@ index ec1eb1e..a370364 100644
  
  # this should probably be removed
  corecmd_list_bin(spamassassin_t)
-@@ -148,6 +194,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -148,6 +195,9 @@ tunable_policy(`spamassassin_can_network',`
  	corenet_udp_sendrecv_all_ports(spamassassin_t)
  	corenet_tcp_connect_all_ports(spamassassin_t)
  	corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -59701,7 +59697,26 @@ index ec1eb1e..a370364 100644
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -184,6 +233,8 @@ optional_policy(`
+@@ -158,18 +208,6 @@ tunable_policy(`spamd_enable_home_dirs',`
+ 	userdom_manage_user_home_content_symlinks(spamd_t)
+ ')
+ 
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(spamassassin_t)
+-	fs_manage_nfs_files(spamassassin_t)
+-	fs_manage_nfs_symlinks(spamassassin_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(spamassassin_t)
+-	fs_manage_cifs_files(spamassassin_t)
+-	fs_manage_cifs_symlinks(spamassassin_t)
+-')
+-
+ optional_policy(`
+ 	# Write pid file and socket in ~/.evolution/cache/tmp
+ 	evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
+@@ -184,6 +222,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -59710,7 +59725,7 @@ index ec1eb1e..a370364 100644
  ')
  
  ########################################
-@@ -206,15 +257,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -206,15 +246,32 @@ allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
  
@@ -59743,7 +59758,7 @@ index ec1eb1e..a370364 100644
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -226,6 +294,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -226,6 +283,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
  corenet_udp_sendrecv_all_ports(spamc_t)
  corenet_tcp_connect_all_ports(spamc_t)
  corenet_sendrecv_all_client_packets(spamc_t)
@@ -59751,7 +59766,7 @@ index ec1eb1e..a370364 100644
  
  fs_search_auto_mountpoints(spamc_t)
  
-@@ -244,9 +313,14 @@ files_read_usr_files(spamc_t)
+@@ -244,9 +302,14 @@ files_read_usr_files(spamc_t)
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -59766,22 +59781,11 @@ index ec1eb1e..a370364 100644
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -254,27 +328,46 @@ seutil_read_config(spamc_t)
+@@ -254,27 +317,35 @@ seutil_read_config(spamc_t)
  
  sysnet_read_config(spamc_t)
  
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_dirs(spamc_t)
-+	fs_manage_nfs_files(spamc_t)
-+	fs_manage_nfs_symlinks(spamc_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_dirs(spamc_t)
-+	fs_manage_cifs_files(spamc_t)
-+	fs_manage_cifs_symlinks(spamc_t)
-+')
-+
++userdom_home_manager(spamc_t)
 +
  optional_policy(`
 -	# Allow connection to spamd socket above
@@ -59819,7 +59823,7 @@ index ec1eb1e..a370364 100644
  ')
  
  ########################################
-@@ -286,7 +379,7 @@ optional_policy(`
+@@ -286,7 +357,7 @@ optional_policy(`
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -59828,7 +59832,7 @@ index ec1eb1e..a370364 100644
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -302,10 +373,17 @@ allow spamd_t self:unix_dgram_socket sendto;
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -59847,7 +59851,7 @@ index ec1eb1e..a370364 100644
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -314,11 +392,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -59865,7 +59869,7 @@ index ec1eb1e..a370364 100644
  
  kernel_read_all_sysctls(spamd_t)
  kernel_read_system_state(spamd_t)
-@@ -367,22 +471,27 @@ files_read_var_lib_files(spamd_t)
+@@ -367,23 +449,23 @@ files_read_var_lib_files(spamd_t)
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -59881,23 +59885,23 @@ index ec1eb1e..a370364 100644
 -
  userdom_use_unpriv_users_fds(spamd_t)
  userdom_search_user_home_dirs(spamd_t)
++userdom_home_manager(spamd_t)
  
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_files(spamd_t)
 +optional_policy(`
-+	exim_manage_spool_dirs(spamd_t)
-+	exim_manage_spool_files(spamd_t)
-+')
-+
- tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_dirs(spamd_t)
- 	fs_manage_nfs_files(spamd_t)
++	clamav_stream_connect(spamd_t)
  ')
  
- tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_dirs(spamd_t)
- 	fs_manage_cifs_files(spamd_t)
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_files(spamd_t)
++optional_policy(`
++	exim_manage_spool_dirs(spamd_t)
++	exim_manage_spool_files(spamd_t)
  ')
  
-@@ -399,7 +508,9 @@ optional_policy(`
+ optional_policy(`
+@@ -399,7 +481,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59907,7 +59911,7 @@ index ec1eb1e..a370364 100644
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -408,25 +519,17 @@ optional_policy(`
+@@ -408,25 +492,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59935,7 +59939,7 @@ index ec1eb1e..a370364 100644
  	postgresql_stream_connect(spamd_t)
  ')
  
-@@ -437,6 +540,10 @@ optional_policy(`
+@@ -437,6 +513,10 @@ optional_policy(`
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -59946,7 +59950,7 @@ index ec1eb1e..a370364 100644
  ')
  
  optional_policy(`
-@@ -451,3 +558,51 @@ optional_policy(`
+@@ -451,3 +531,51 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -60137,7 +60141,7 @@ index 078bcd7..2d60774 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..5439f7e 100644
+index 22adaca..d6a4b77 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -60289,7 +60293,7 @@ index 22adaca..5439f7e 100644
  
  	files_read_etc_files($1_t)
  	files_read_etc_runtime_files($1_t)
-@@ -243,13 +271,17 @@ template(`ssh_server_template', `
+@@ -243,21 +271,13 @@ template(`ssh_server_template', `
  
  	miscfiles_read_localization($1_t)
  
@@ -60301,15 +60305,19 @@ index 22adaca..5439f7e 100644
  	# Allow checking users mail at login
  	mta_getattr_spool($1_t)
  
-+	tunable_policy(`use_fusefs_home_dirs',`
-+		fs_manage_fusefs_dirs($1_t)
-+		fs_manage_fusefs_files($1_t)
-+	')
-+
- 	tunable_policy(`use_nfs_home_dirs',`
- 		fs_read_nfs_files($1_t)
- 		fs_read_nfs_symlinks($1_t)
-@@ -268,6 +300,14 @@ template(`ssh_server_template', `
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_read_nfs_files($1_t)
+-		fs_read_nfs_symlinks($1_t)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_read_cifs_files($1_t)
+-	')
++	userdom_home_manager($1_t)
+ 
+ 	optional_policy(`
+ 		kerberos_use($1_t)
+@@ -268,6 +288,14 @@ template(`ssh_server_template', `
  		files_read_var_lib_symlinks($1_t)
  		nx_spec_domtrans_server($1_t)
  	')
@@ -60324,7 +60332,7 @@ index 22adaca..5439f7e 100644
  ')
  
  ########################################
-@@ -290,11 +330,11 @@ template(`ssh_server_template', `
+@@ -290,11 +318,11 @@ template(`ssh_server_template', `
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -60337,7 +60345,7 @@ index 22adaca..5439f7e 100644
  		type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
  		type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
  		type ssh_agent_tmp_t;
-@@ -327,17 +367,20 @@ template(`ssh_role_template',`
+@@ -327,17 +355,20 @@ template(`ssh_role_template',`
  
  	# allow ps to show ssh
  	ps_process_pattern($3, ssh_t)
@@ -60359,7 +60367,7 @@ index 22adaca..5439f7e 100644
  
  	##############################
  	#
-@@ -359,7 +402,7 @@ template(`ssh_role_template',`
+@@ -359,7 +390,7 @@ template(`ssh_role_template',`
  	stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
  
  	# Allow the user shell to signal the ssh program.
@@ -60368,7 +60376,7 @@ index 22adaca..5439f7e 100644
  
  	# allow ps to show ssh
  	ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +424,6 @@ template(`ssh_role_template',`
+@@ -381,7 +412,6 @@ template(`ssh_role_template',`
  
  	files_read_etc_files($1_ssh_agent_t)
  	files_read_etc_runtime_files($1_ssh_agent_t)
@@ -60376,7 +60384,7 @@ index 22adaca..5439f7e 100644
  
  	libs_read_lib_files($1_ssh_agent_t)
  
-@@ -393,14 +435,13 @@ template(`ssh_role_template',`
+@@ -393,28 +423,15 @@ template(`ssh_role_template',`
  	seutil_dontaudit_read_config($1_ssh_agent_t)
  
  	# Write to the user domain tty.
@@ -60389,18 +60397,32 @@ index 22adaca..5439f7e 100644
 -	allow $3 $1_ssh_agent_t:fd use;
 -	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
 -	allow $3 $1_ssh_agent_t:process sigchld;
-+
+-
+-	tunable_policy(`use_nfs_home_dirs',`
+-		fs_manage_nfs_files($1_ssh_agent_t)
+ 
+-		# transition back to normal privs upon exec
+-		fs_nfs_domtrans($1_ssh_agent_t, $3)
+-	')
 +	ssh_exec_keygen($3)
  
- 	tunable_policy(`use_nfs_home_dirs',`
- 		fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +518,27 @@ interface(`ssh_read_pipes',`
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_manage_cifs_files($1_ssh_agent_t)
+-
+-		# transition back to normal privs upon exec
+-		fs_cifs_domtrans($1_ssh_agent_t, $3)
+-	')
++	userdom_home_manager($1_ssh_agent_t)
+ 
+ 	optional_policy(`
+ 		nis_use_ypbind($1_ssh_agent_t)
+@@ -477,8 +494,27 @@ interface(`ssh_read_pipes',`
  		type sshd_t;
  	')
  
 -	allow $1 sshd_t:fifo_file { getattr read };
 +	allow $1 sshd_t:fifo_file read_fifo_file_perms;
-+')
+ ')
 +
 +######################################
 +## <summary>
@@ -60418,12 +60440,12 @@ index 22adaca..5439f7e 100644
 +    ')
 +
 +    allow $1 sshd_t:unix_dgram_socket rw_stream_socket_perms;
- ')
++')
 +
  ########################################
  ## <summary>
  ##	Read and write a ssh server unnamed pipe.
-@@ -494,7 +554,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +530,7 @@ interface(`ssh_rw_pipes',`
  		type sshd_t;
  	')
  
@@ -60432,7 +60454,7 @@ index 22adaca..5439f7e 100644
  ')
  
  ########################################
-@@ -586,6 +646,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +622,24 @@ interface(`ssh_domtrans',`
  
  ########################################
  ## <summary>
@@ -60457,7 +60479,7 @@ index 22adaca..5439f7e 100644
  ##	Execute the ssh client in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -618,7 +696,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +672,7 @@ interface(`ssh_setattr_key_files',`
  		type sshd_key_t;
  	')
  
@@ -60466,7 +60488,7 @@ index 22adaca..5439f7e 100644
  	files_search_pids($1)
  ')
  
-@@ -643,6 +721,24 @@ interface(`ssh_agent_exec',`
+@@ -643,6 +697,42 @@ interface(`ssh_agent_exec',`
  
  ########################################
  ## <summary>
@@ -60488,10 +60510,28 @@ index 22adaca..5439f7e 100644
 +
 +########################################
 +## <summary>
++##	Dontaudit search ssh home directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ssh_dontaudit_search_user_home_dir',`
++	gen_require(`
++		type ssh_home_t;
++	')
++
++	dontaudit $1 ssh_home_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
  ##	Read ssh home directory content
  ## </summary>
  ## <param name="domain">
-@@ -682,6 +778,50 @@ interface(`ssh_domtrans_keygen',`
+@@ -682,6 +772,50 @@ interface(`ssh_domtrans_keygen',`
  
  ########################################
  ## <summary>
@@ -60542,7 +60582,7 @@ index 22adaca..5439f7e 100644
  ##	Read ssh server keys
  ## </summary>
  ## <param name="domain">
-@@ -695,7 +835,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +829,7 @@ interface(`ssh_dontaudit_read_server_keys',`
  		type sshd_key_t;
  	')
  
@@ -60551,7 +60591,7 @@ index 22adaca..5439f7e 100644
  ')
  
  ######################################
-@@ -735,3 +875,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +869,81 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -60634,7 +60674,7 @@ index 22adaca..5439f7e 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..02e70c9 100644
+index 2dad3c8..e93db05 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -60790,7 +60830,7 @@ index 2dad3c8..02e70c9 100644
  dev_read_urand(ssh_t)
  
  fs_getattr_all_fs(ssh_t)
-@@ -162,21 +186,28 @@ logging_read_generic_logs(ssh_t)
+@@ -162,31 +186,29 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -60810,22 +60850,31 @@ index 2dad3c8..02e70c9 100644
 +userdom_write_user_tmp_files(ssh_t)
 +userdom_read_user_home_content_symlinks(ssh_t)
 +userdom_read_home_certs(ssh_t)
++userdom_home_manager(ssh_t)
  
  tunable_policy(`allow_ssh_keysign',`
 -	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
 -	allow ssh_keysign_t ssh_t:fd use;
 -	allow ssh_keysign_t ssh_t:process sigchld;
 -	allow ssh_keysign_t ssh_t:fifo_file rw_file_perms;
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(ssh_t)
+-	fs_manage_nfs_files(ssh_t)
 +	domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-+')
-+
+ ')
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(ssh_t)
+-	fs_manage_cifs_files(ssh_t)
 +tunable_policy(`use_fusefs_home_dirs',`
 +	fs_manage_fusefs_dirs(ssh_t)
 +	fs_manage_fusefs_files(ssh_t)
  ')
  
- tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +227,15 @@ tunable_policy(`user_tcp_server',`
+ # for port forwarding
+@@ -196,10 +218,15 @@ tunable_policy(`user_tcp_server',`
  ')
  
  optional_policy(`
@@ -60841,7 +60890,7 @@ index 2dad3c8..02e70c9 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,19 +245,14 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,19 +236,14 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
@@ -60863,7 +60912,7 @@ index 2dad3c8..02e70c9 100644
  #################################
  #
  # sshd local policy
-@@ -232,33 +263,44 @@ optional_policy(`
+@@ -232,33 +254,44 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -60917,7 +60966,7 @@ index 2dad3c8..02e70c9 100644
  ')
  
  optional_policy(`
-@@ -266,11 +308,24 @@ optional_policy(`
+@@ -266,11 +299,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60943,7 +60992,7 @@ index 2dad3c8..02e70c9 100644
  ')
  
  optional_policy(`
-@@ -284,6 +339,15 @@ optional_policy(`
+@@ -284,6 +330,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60959,7 +61008,7 @@ index 2dad3c8..02e70c9 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +356,26 @@ optional_policy(`
+@@ -292,26 +347,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -61005,7 +61054,7 @@ index 2dad3c8..02e70c9 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +386,26 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +377,26 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -61033,7 +61082,7 @@ index 2dad3c8..02e70c9 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -351,15 +422,91 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -351,15 +413,84 @@ auth_use_nsswitch(ssh_keygen_t)
  logging_send_syslog_msg(ssh_keygen_t)
  
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -61116,14 +61165,7 @@ index 2dad3c8..02e70c9 100644
 +    fs_read_cifs_symlinks(chroot_user_t)
 +')
 +
-+tunable_policy(`use_nfs_home_dirs',`
-+    fs_read_nfs_files(chroot_user_t)
-+    fs_read_nfs_symlinks(chroot_user_t)
-+')
-+
-+tunable_policy(`use_fusefs_home_dirs',`
-+    fs_read_fusefs_files(chroot_user_t)
-+')
++userdom_home_manager(chroot_user_t)
 +
 +optional_policy(`
 +    ssh_rw_dgram_sockets(chroot_user_t)
@@ -61205,7 +61247,7 @@ index 941380a..4afc698 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..5c32a99 100644
+index 8ffa257..eb8979d 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
 @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -61292,7 +61334,7 @@ index 8ffa257..5c32a99 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -87,4 +106,28 @@ optional_policy(`
+@@ -87,4 +106,18 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
@@ -61301,23 +61343,13 @@ index 8ffa257..5c32a99 100644
 +
 +optional_policy(`
 +	dirsrv_stream_connect(sssd_t)
-+')
+ ')
 +
 +optional_policy(`
 +	ldap_stream_connect(sssd_t)
- ')
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_read_nfs_files(sssd_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_read_cifs_files(sssd_t)
 +')
 +
-+tunable_policy(`use_fusefs_home_dirs',`
-+	fs_read_fusefs_files(sssd_t)
-+')
++userdom_home_reader(sssd_t)
 +
 +
 +
@@ -63409,7 +63441,7 @@ index 7c5d8d8..3fd8f12 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..3619ec3 100644
+index 3eca020..30c47b0 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,84 @@ policy_module(virt, 1.4.0)
@@ -63853,16 +63885,22 @@ index 3eca020..3619ec3 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,16 +485,23 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	dmidecode_domtrans(virtd_t)
+@@ -326,6 +482,14 @@ optional_policy(`
+ 	optional_policy(`
+ 		hal_dbus_chat(virtd_t)
+ 	')
++
++	optional_policy(`
++		networkmanager_dbus_chat(virtd_t)
++	')
 +')
 +
 +optional_policy(`
- 	dnsmasq_domtrans(virtd_t)
- 	dnsmasq_signal(virtd_t)
++	dmidecode_domtrans(virtd_t)
+ ')
+ 
+ optional_policy(`
+@@ -334,11 +498,14 @@ optional_policy(`
  	dnsmasq_kill(virtd_t)
  	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
@@ -63877,7 +63915,7 @@ index 3eca020..3619ec3 100644
  
  	# Manages /etc/sysconfig/system-config-firewall
  	iptables_manage_config(virtd_t)
-@@ -360,11 +523,11 @@ optional_policy(`
+@@ -360,11 +527,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63894,7 +63932,7 @@ index 3eca020..3619ec3 100644
  ')
  
  optional_policy(`
-@@ -394,20 +557,36 @@ optional_policy(`
+@@ -394,20 +561,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -63934,7 +63972,7 @@ index 3eca020..3619ec3 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -418,10 +597,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -418,10 +601,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -63947,7 +63985,7 @@ index 3eca020..3619ec3 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +609,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +613,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -63960,7 +63998,7 @@ index 3eca020..3619ec3 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +622,362 @@ files_search_all(virt_domain)
+@@ -440,25 +626,358 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -64187,10 +64225,6 @@ index 3eca020..3619ec3 100644
 +
 +sysnet_domtrans_ifconfig(virtd_lxc_t)
 +
-+optional_policy(`
-+	execmem_exec(virtd_lxc_t)
-+')
-+
 +#optional_policy(`
 +#	unconfined_shell_domtrans(virtd_lxc_t)
 +#	unconfined_signal(virtd_t)
@@ -65945,7 +65979,7 @@ index 130ced9..b6fb17a 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..743ea2b 100644
+index 143c893..ab908aa 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -66131,7 +66165,7 @@ index 143c893..743ea2b 100644
  files_tmpfs_file(xserver_tmpfs_t)
  ubac_constrained(xserver_tmpfs_t)
  
-@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
+@@ -234,17 +279,30 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
  
  allow xdm_t iceauth_home_t:file read_file_perms;
  
@@ -66142,18 +66176,16 @@ index 143c893..743ea2b 100644
 -userdom_use_user_terminals(iceauth_t)
 +userdom_use_inherited_user_terminals(iceauth_t)
  userdom_read_user_tmp_files(iceauth_t)
+-
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_files(iceauth_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_files(iceauth_t)
 +userdom_read_all_users_state(iceauth_t)
++userdom_home_manager(iceauth_t)
 +
-+tunable_policy(`use_fusefs_home_dirs',`
-+	fs_manage_fusefs_files(iceauth_t)
-+')
- 
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_manage_nfs_files(iceauth_t)
-@@ -247,52 +299,113 @@ tunable_policy(`use_samba_home_dirs',`
- 	fs_manage_cifs_files(iceauth_t)
- ')
- 
 +ifdef(`hide_broken_symptoms',`
 +	dev_dontaudit_read_urand(iceauth_t)
 +	dev_dontaudit_rw_dri(iceauth_t)
@@ -66169,10 +66201,10 @@ index 143c893..743ea2b 100644
 +	optional_policy(`
 +		mozilla_dontaudit_rw_user_home_files(iceauth_t)
 +	')
-+')
-+
+ ')
+ 
  ########################################
- #
+@@ -252,45 +310,82 @@ tunable_policy(`use_samba_home_dirs',`
  # Xauth local policy
  #
  
@@ -66236,6 +66268,8 @@ index 143c893..743ea2b 100644
  
  xserver_rw_xdm_tmp_files(xauth_t)
  
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_files(xauth_t)
 +ifdef(`hide_broken_symptoms',`
 +	fs_dontaudit_rw_anon_inodefs_files(xauth_t)
 +	fs_dontaudit_list_inotifyfs(xauth_t)
@@ -66243,21 +66277,16 @@ index 143c893..743ea2b 100644
 +	userdom_manage_user_tmp_files(xauth_t)
 +	dev_dontaudit_rw_generic_dev_nodes(xauth_t)
 +	miscfiles_read_fonts(xauth_t)
-+')
-+
+ ')
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_files(xauth_t)
 +tunable_policy(`use_fusefs_home_dirs',`
 +	fs_manage_fusefs_files(xauth_t)
 +')
 +
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_manage_nfs_files(xauth_t)
-+	fs_read_nfs_symlinks(xauth_t)
- ')
- 
- tunable_policy(`use_samba_home_dirs',`
- 	fs_manage_cifs_files(xauth_t)
- ')
- 
++userdom_home_manager(xauth_t)
++
 +ifdef(`hide_broken_symptoms',`
 +	term_dontaudit_use_unallocated_ttys(xauth_t)
 +	dev_dontaudit_rw_dri(xauth_t)
@@ -66265,12 +66294,10 @@ index 143c893..743ea2b 100644
 +
 +optional_policy(`
 +	nx_var_lib_filetrans(xauth_t, xauth_home_t, file)
-+')
-+
+ ')
+ 
  optional_policy(`
- 	ssh_sigchld(xauth_t)
- 	ssh_read_pipes(xauth_t)
-@@ -305,19 +418,40 @@ optional_policy(`
+@@ -305,19 +400,40 @@ optional_policy(`
  #
  
  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
@@ -66314,7 +66341,7 @@ index 143c893..743ea2b 100644
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -325,43 +459,63 @@ can_exec(xdm_t, xdm_exec_t)
+@@ -325,43 +441,63 @@ can_exec(xdm_t, xdm_exec_t)
  allow xdm_t xdm_lock_t:file manage_file_perms;
  files_lock_filetrans(xdm_t, xdm_lock_t, file)
  
@@ -66384,7 +66411,7 @@ index 143c893..743ea2b 100644
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -370,18 +524,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -370,18 +506,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -66412,7 +66439,7 @@ index 143c893..743ea2b 100644
  
  corenet_all_recvfrom_unlabeled(xdm_t)
  corenet_all_recvfrom_netlabel(xdm_t)
-@@ -393,38 +555,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -393,38 +537,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -66466,7 +66493,7 @@ index 143c893..743ea2b 100644
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -435,9 +608,24 @@ files_list_mnt(xdm_t)
+@@ -435,9 +590,25 @@ files_list_mnt(xdm_t)
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -66476,6 +66503,7 @@ index 143c893..743ea2b 100644
 +files_dontaudit_getattr_all_dirs(xdm_t)
 +files_dontaudit_getattr_all_symlinks(xdm_t)
 +files_dontaudit_getattr_all_tmp_sockets(xdm_t)
++files_dontaudit_all_access_check(xdm_t)
  
  fs_getattr_all_fs(xdm_t)
  fs_search_auto_mountpoints(xdm_t)
@@ -66491,7 +66519,7 @@ index 143c893..743ea2b 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +634,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +617,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -66531,7 +66559,7 @@ index 143c893..743ea2b 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -476,9 +673,30 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +656,48 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -66540,6 +66568,7 @@ index 143c893..743ea2b 100644
 +userdom_manage_user_tmp_files(xdm_t)
 +userdom_manage_user_tmp_sockets(xdm_t)
 +userdom_manage_tmpfs_role(system_r, xdm_t)
++userdom_home_manager(xdm_t)
 +
 +application_signal(xdm_t)
  
@@ -66561,8 +66590,16 @@ index 143c893..743ea2b 100644
 +')
  
  tunable_policy(`use_nfs_home_dirs',`
- 	fs_manage_nfs_dirs(xdm_t)
-@@ -494,6 +712,14 @@ tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_nfs_dirs(xdm_t)
+-	fs_manage_nfs_files(xdm_t)
+-	fs_manage_nfs_symlinks(xdm_t)
+ 	fs_exec_nfs_files(xdm_t)
+ ')
+ 
+ tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(xdm_t)
+-	fs_manage_cifs_files(xdm_t)
+-	fs_manage_cifs_symlinks(xdm_t)
  	fs_exec_cifs_files(xdm_t)
  ')
  
@@ -66577,7 +66614,7 @@ index 143c893..743ea2b 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -507,11 +733,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +711,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -66599,7 +66636,7 @@ index 143c893..743ea2b 100644
  ')
  
  optional_policy(`
-@@ -519,12 +755,63 @@ optional_policy(`
+@@ -519,12 +733,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66663,7 +66700,7 @@ index 143c893..743ea2b 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,28 +829,69 @@ optional_policy(`
+@@ -542,28 +807,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66742,7 +66779,7 @@ index 143c893..743ea2b 100644
  ')
  
  optional_policy(`
-@@ -575,6 +903,14 @@ optional_policy(`
+@@ -575,6 +881,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66757,7 +66794,7 @@ index 143c893..743ea2b 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,6 +936,7 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -600,6 +914,7 @@ allow xserver_t input_xevent_t:x_event send;
  # NVIDIA Needs execstack
  
  allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
@@ -66765,7 +66802,7 @@ index 143c893..743ea2b 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -613,8 +950,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +928,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -66781,7 +66818,7 @@ index 143c893..743ea2b 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +977,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +955,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -66803,7 +66840,7 @@ index 143c893..743ea2b 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +997,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +975,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -66811,7 +66848,7 @@ index 143c893..743ea2b 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,21 +1024,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +1002,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -66842,7 +66879,7 @@ index 143c893..743ea2b 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1056,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -66856,7 +66893,7 @@ index 143c893..743ea2b 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1075,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1053,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -66865,7 +66902,7 @@ index 143c893..743ea2b 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1082,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1060,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -66880,7 +66917,7 @@ index 143c893..743ea2b 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1141,40 @@ optional_policy(`
+@@ -778,16 +1119,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66922,7 +66959,7 @@ index 143c893..743ea2b 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1183,10 @@ optional_policy(`
+@@ -796,6 +1161,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66933,7 +66970,7 @@ index 143c893..743ea2b 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1202,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1180,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -66947,7 +66984,7 @@ index 143c893..743ea2b 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1213,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1191,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -66956,29 +66993,25 @@ index 143c893..743ea2b 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,6 +1226,9 @@ init_use_fds(xserver_t)
+@@ -835,26 +1204,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
 +userdom_read_all_users_state(xserver_t)
-+
-+xserver_use_user_fonts(xserver_t)
++userdom_home_manager(xserver_t)
  
- tunable_policy(`use_nfs_home_dirs',`
- 	fs_manage_nfs_dirs(xserver_t)
-@@ -842,6 +1236,11 @@ tunable_policy(`use_nfs_home_dirs',`
- 	fs_manage_nfs_symlinks(xserver_t)
- ')
- 
-+tunable_policy(`use_fusefs_home_dirs',`
-+	fs_manage_fusefs_dirs(xserver_t)
-+	fs_manage_fusefs_files(xserver_t)
-+')
-+
- tunable_policy(`use_samba_home_dirs',`
- 	fs_manage_cifs_dirs(xserver_t)
- 	fs_manage_cifs_files(xserver_t)
-@@ -850,11 +1249,14 @@ tunable_policy(`use_samba_home_dirs',`
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_manage_nfs_dirs(xserver_t)
+-	fs_manage_nfs_files(xserver_t)
+-	fs_manage_nfs_symlinks(xserver_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_manage_cifs_dirs(xserver_t)
+-	fs_manage_cifs_files(xserver_t)
+-	fs_manage_cifs_symlinks(xserver_t)
+-')
++xserver_use_user_fonts(xserver_t)
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -66995,7 +67028,7 @@ index 143c893..743ea2b 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1264,10 @@ optional_policy(`
+@@ -862,6 +1226,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -67006,7 +67039,7 @@ index 143c893..743ea2b 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1311,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1273,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -67015,7 +67048,7 @@ index 143c893..743ea2b 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1365,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1327,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -67047,7 +67080,7 @@ index 143c893..743ea2b 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1411,32 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1373,31 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -67089,7 +67122,6 @@ index 143c893..743ea2b 100644
 +
 +optional_policy(`
 +	unconfined_rw_shm(xserver_t)
-+	unconfined_execmem_rw_shm(xserver_t)
 +
 +	# xserver signals unconfined user on startx
 +	unconfined_signal(xserver_t)
@@ -67517,22 +67549,23 @@ index c6fdab7..41198a4 100644
  	cron_sigchld(application_domain_type)
  ')
 diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..02a592a 100644
+index 28ad538..bb64dec 100644
 --- a/policy/modules/system/authlogin.fc
 +++ b/policy/modules/system/authlogin.fc
-@@ -5,7 +5,11 @@
+@@ -5,7 +5,12 @@
  /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 +/etc/passwd\.adjunct.*	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 +/etc/passwd-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd\.OLD		--	gen_context(system_u:object_r:passwd_file_t,s0)
 +/etc/ptmptmp		--	gen_context(system_u:object_r:passwd_file_t,s0)
 +/etc/group-?		--	gen_context(system_u:object_r:passwd_file_t,s0)
  
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
-@@ -30,6 +34,7 @@ ifdef(`distro_gentoo', `
+@@ -30,6 +35,7 @@ ifdef(`distro_gentoo', `
  
  /var/lib/abl(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/lib/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
@@ -67540,14 +67573,14 @@ index 28ad538..02a592a 100644
  
  /var/log/btmp.*		--	gen_context(system_u:object_r:faillog_t,s0)
  /var/log/dmesg		--	gen_context(system_u:object_r:var_log_t,s0)
-@@ -45,5 +50,4 @@ ifdef(`distro_gentoo', `
+@@ -45,5 +51,4 @@ ifdef(`distro_gentoo', `
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..6355d14 100644
+index 73554ec..131195d 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -67964,7 +67997,7 @@ index 73554ec..6355d14 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -1575,87 +1795,149 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1795,150 @@ interface(`auth_relabel_login_records',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -68019,6 +68052,7 @@ index 73554ec..6355d14 100644
 +	files_etc_filetrans($1, passwd_file_t, file, "group-")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd")
 +	files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++	files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
 +	files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
 +	files_etc_filetrans($1, shadow_t, file, "shadow")
 +	files_etc_filetrans($1, shadow_t, file, "shadow-")
@@ -68751,7 +68785,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..5a963ef 100644
+index 94fd8dd..2409206 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -69064,7 +69098,7 @@ index 94fd8dd..5a963ef 100644
 +        type init_t;
 +    ')
 +
-+    dontaudit $1 init_t:unix_stream_socket { read write };
++    dontaudit $1 init_t:unix_stream_socket { getattr read write };
  ')
  
  ########################################
@@ -69681,7 +69715,7 @@ index 94fd8dd..5a963ef 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..75f6d6b 100644
+index 29a9565..5ee6a57 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -69875,7 +69909,7 @@ index 29a9565..75f6d6b 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +251,139 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +251,144 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -69885,6 +69919,11 @@ index 29a9565..75f6d6b 100644
 +	modutils_domtrans_insmod(init_t)
 +')
 +
++optional_policy(`
++	postfix_exec(init_t)
++	mta_read_aliases(init_t)
++')
++
 +tunable_policy(`init_systemd',`
 +	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
 +	allow init_t self:process { setsockcreate setfscreate setrlimit };
@@ -69987,16 +70026,16 @@ index 29a9565..75f6d6b 100644
 +auth_use_nsswitch(init_t)
 +auth_rw_login_records(init_t)
 +
-+optional_policy(`
-+	lvm_rw_pipes(init_t)
-+')
-+
  optional_policy(`
 -	auth_rw_login_records(init_t)
-+	consolekit_manage_log(init_t)
++	lvm_rw_pipes(init_t)
  ')
  
  optional_policy(`
++	consolekit_manage_log(init_t)
++')
++
++optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -70017,7 +70056,7 @@ index 29a9565..75f6d6b 100644
  ')
  
  optional_policy(`
-@@ -203,6 +391,17 @@ optional_policy(`
+@@ -203,6 +396,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70035,7 +70074,7 @@ index 29a9565..75f6d6b 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +411,8 @@ optional_policy(`
+@@ -212,7 +416,8 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -70045,7 +70084,7 @@ index 29a9565..75f6d6b 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +441,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +446,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -70061,7 +70100,7 @@ index 29a9565..75f6d6b 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +461,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +466,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -70098,7 +70137,7 @@ index 29a9565..75f6d6b 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +494,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +499,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -70106,7 +70145,7 @@ index 29a9565..75f6d6b 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +505,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +510,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -70117,7 +70156,7 @@ index 29a9565..75f6d6b 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +516,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +521,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -70133,7 +70172,7 @@ index 29a9565..75f6d6b 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +534,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +539,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -70141,7 +70180,7 @@ index 29a9565..75f6d6b 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +542,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +547,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -70153,7 +70192,7 @@ index 29a9565..75f6d6b 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +561,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +566,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -70167,7 +70206,7 @@ index 29a9565..75f6d6b 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,8 +576,12 @@ fs_mount_all_fs(initrc_t)
+@@ -351,8 +581,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -70180,7 +70219,7 @@ index 29a9565..75f6d6b 100644
  mcs_ptrace_all(initrc_t)
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
-@@ -363,6 +592,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +597,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -70188,7 +70227,7 @@ index 29a9565..75f6d6b 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +604,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +609,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -70196,7 +70235,7 @@ index 29a9565..75f6d6b 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +625,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +630,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -70218,7 +70257,7 @@ index 29a9565..75f6d6b 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +688,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +693,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -70229,7 +70268,7 @@ index 29a9565..75f6d6b 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +712,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +717,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -70238,7 +70277,7 @@ index 29a9565..75f6d6b 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +727,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +732,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -70246,7 +70285,7 @@ index 29a9565..75f6d6b 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +757,34 @@ ifdef(`distro_redhat',`
+@@ -522,8 +762,34 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -70281,7 +70320,7 @@ index 29a9565..75f6d6b 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +792,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +797,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -70304,7 +70343,7 @@ index 29a9565..75f6d6b 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +822,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +827,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -70344,7 +70383,7 @@ index 29a9565..75f6d6b 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +867,8 @@ optional_policy(`
+@@ -561,6 +872,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -70353,7 +70392,7 @@ index 29a9565..75f6d6b 100644
  ')
  
  optional_policy(`
-@@ -577,6 +885,7 @@ optional_policy(`
+@@ -577,6 +890,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -70361,7 +70400,7 @@ index 29a9565..75f6d6b 100644
  ')
  
  optional_policy(`
-@@ -589,6 +898,17 @@ optional_policy(`
+@@ -589,6 +903,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70379,7 +70418,7 @@ index 29a9565..75f6d6b 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +925,13 @@ optional_policy(`
+@@ -605,9 +930,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -70393,7 +70432,7 @@ index 29a9565..75f6d6b 100644
  	')
  
  	optional_policy(`
-@@ -632,6 +956,10 @@ optional_policy(`
+@@ -632,6 +961,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70404,7 +70443,7 @@ index 29a9565..75f6d6b 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -649,6 +977,11 @@ optional_policy(`
+@@ -649,6 +982,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70416,7 +70455,7 @@ index 29a9565..75f6d6b 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1022,7 @@ optional_policy(`
+@@ -689,6 +1027,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -70424,7 +70463,7 @@ index 29a9565..75f6d6b 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1040,13 @@ optional_policy(`
+@@ -706,7 +1045,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70438,7 +70477,7 @@ index 29a9565..75f6d6b 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1069,10 @@ optional_policy(`
+@@ -729,6 +1074,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70449,7 +70488,7 @@ index 29a9565..75f6d6b 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1082,20 @@ optional_policy(`
+@@ -738,10 +1087,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70470,7 +70509,7 @@ index 29a9565..75f6d6b 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1104,10 @@ optional_policy(`
+@@ -750,6 +1109,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70481,7 +70520,7 @@ index 29a9565..75f6d6b 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1129,6 @@ optional_policy(`
+@@ -771,8 +1134,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -70490,7 +70529,7 @@ index 29a9565..75f6d6b 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1146,12 @@ optional_policy(`
+@@ -790,10 +1151,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -70503,7 +70542,7 @@ index 29a9565..75f6d6b 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1163,6 @@ optional_policy(`
+@@ -805,7 +1168,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70511,7 +70550,7 @@ index 29a9565..75f6d6b 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1172,26 @@ optional_policy(`
+@@ -815,11 +1177,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70539,7 +70578,7 @@ index 29a9565..75f6d6b 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1201,25 @@ optional_policy(`
+@@ -829,6 +1206,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -70548,13 +70587,6 @@ index 29a9565..75f6d6b 100644
 +	rpm_transition_script(initrc_t)
 +	
 +	optional_policy(`
-+		gen_require(`
-+			type unconfined_execmem_t, execmem_exec_t;		
-+		')
-+		init_system_domain(unconfined_execmem_t, execmem_exec_t)
-+	')
-+
-+	optional_policy(`
 +		rtkit_scheduled(initrc_t)
 +	')
 +')
@@ -70565,7 +70597,7 @@ index 29a9565..75f6d6b 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1235,10 @@ optional_policy(`
+@@ -844,6 +1233,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -70576,7 +70608,7 @@ index 29a9565..75f6d6b 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1249,160 @@ optional_policy(`
+@@ -854,3 +1247,160 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -71175,10 +71207,20 @@ index ddbd8be..65b5762 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..4986f1b 100644
+index 560dc48..ffb8797 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
-@@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
+@@ -28,7 +28,9 @@ ifdef(`distro_redhat',`
+ # /etc
+ #
+ /etc/ld\.so\.cache			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
++/etc/ld\.so\.cache~			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
+ /etc/ld\.so\.preload			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
++/etc/ld\.so\.preload~			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
+ 
+ /etc/ppp/plugins/rp-pppoe\.so 		--	gen_context(system_u:object_r:lib_t,s0)
+ 
+@@ -37,17 +39,12 @@ ifdef(`distro_redhat',`
  #
  /lib					-d	gen_context(system_u:object_r:lib_t,s0)
  /lib/.*						gen_context(system_u:object_r:lib_t,s0)
@@ -71196,7 +71238,7 @@ index 560dc48..4986f1b 100644
  ')
  
  ifdef(`distro_gentoo',`
-@@ -62,7 +57,6 @@ ifdef(`distro_gentoo',`
+@@ -62,7 +59,6 @@ ifdef(`distro_gentoo',`
  #
  /opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
@@ -71204,7 +71246,7 @@ index 560dc48..4986f1b 100644
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
-@@ -119,64 +113,62 @@ ifdef(`distro_redhat',`
+@@ -119,64 +115,62 @@ ifdef(`distro_redhat',`
  /usr/(.*/)?java/.+\.jsa			--	gen_context(system_u:object_r:lib_t,s0)
  
  /usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
@@ -71303,7 +71345,7 @@ index 560dc48..4986f1b 100644
  ')
  
  ifdef(`distro_gentoo',`
-@@ -195,7 +187,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -195,7 +189,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/allegro/(.*/)?alleg-vga\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -71311,7 +71353,7 @@ index 560dc48..4986f1b 100644
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +194,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +196,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/VBoxVMM\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -71456,7 +71498,7 @@ index 560dc48..4986f1b 100644
  
  /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +295,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -303,8 +297,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -71466,7 +71508,7 @@ index 560dc48..4986f1b 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +303,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +305,154 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -71628,7 +71670,7 @@ index 560dc48..4986f1b 100644
 +/opt/google/picasa/.*\.yti	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/talkplugin/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..eb621fd 100644
+index 808ba93..4ff705d 100644
 --- a/policy/modules/system/libraries.if
 +++ b/policy/modules/system/libraries.if
 @@ -207,6 +207,23 @@ interface(`libs_search_lib',`
@@ -71711,7 +71753,7 @@ index 808ba93..eb621fd 100644
  ')
  
  ########################################
-@@ -534,3 +533,22 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +533,24 @@ interface(`lib_filetrans_shared_lib',`
  interface(`files_lib_filetrans_shared_lib',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -71732,7 +71774,9 @@ index 808ba93..eb621fd 100644
 +	')
 +
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
++	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
 +	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload")
++	files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
 +')
 diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
 index e5836d3..eae9427 100644
@@ -71881,7 +71925,7 @@ index 0e3c2a9..40adf5a 100644
 +')
 +
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..37a5bb4 100644
+index a0b379d..2291a13 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -17,6 +17,9 @@ type local_login_tmp_t;
@@ -71935,20 +71979,27 @@ index a0b379d..37a5bb4 100644
  
  miscfiles_read_localization(local_login_t)
  
-@@ -156,6 +164,12 @@ tunable_policy(`use_samba_home_dirs',`
- 	fs_read_cifs_symlinks(local_login_t)
+@@ -146,14 +154,12 @@ tunable_policy(`console_login',`
+ 	term_relabel_console(local_login_t)
  ')
  
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_read_nfs_files(local_login_t)
+-	fs_read_nfs_symlinks(local_login_t)
+-')
++userdom_home_reader(local_login_t)
+ 
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_read_cifs_files(local_login_t)
+-	fs_read_cifs_symlinks(local_login_t)
 +tunable_policy(`allow_console_login',`
 +     term_use_console(local_login_t)
 +     term_relabel_console(local_login_t)
 +     term_setattr_console(local_login_t)
-+')
-+
- optional_policy(`
- 	alsa_domtrans(local_login_t)
  ')
-@@ -177,14 +191,6 @@ optional_policy(`
+ 
+ optional_policy(`
+@@ -177,14 +183,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -71963,7 +72014,7 @@ index a0b379d..37a5bb4 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -215,6 +221,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +213,7 @@ allow sulogin_t self:sem create_sem_perms;
  allow sulogin_t self:msgq create_msgq_perms;
  allow sulogin_t self:msg { send receive };
  
@@ -71971,7 +72022,7 @@ index a0b379d..37a5bb4 100644
  kernel_read_system_state(sulogin_t)
  
  fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +230,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +222,17 @@ fs_rw_tmpfs_chr_files(sulogin_t)
  files_read_etc_files(sulogin_t)
  # because file systems are not mounted:
  files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -71989,7 +72040,7 @@ index a0b379d..37a5bb4 100644
  seutil_read_config(sulogin_t)
  seutil_read_default_contexts(sulogin_t)
  
-@@ -238,14 +249,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +241,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
@@ -72016,7 +72067,7 @@ index a0b379d..37a5bb4 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +277,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -73080,7 +73131,7 @@ index 9c0faab..91360ac 100644
 +	files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
 +')
 diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index a0eef20..2273e1a 100644
+index a0eef20..6b39756 100644
 --- a/policy/modules/system/modutils.te
 +++ b/policy/modules/system/modutils.te
 @@ -1,9 +1,5 @@
@@ -73133,7 +73184,7 @@ index a0eef20..2273e1a 100644
  
  fs_getattr_xattr_fs(depmod_t)
  
-@@ -70,10 +73,11 @@ init_use_fds(depmod_t)
+@@ -70,10 +73,12 @@ init_use_fds(depmod_t)
  init_use_script_fds(depmod_t)
  init_use_script_ptys(depmod_t)
  
@@ -73143,19 +73194,26 @@ index a0eef20..2273e1a 100644
  files_list_home(depmod_t)
  userdom_read_user_home_content_files(depmod_t)
 +userdom_manage_user_tmp_files(depmod_t)
++userdom_home_reader(depmod_t)
  
  ifdef(`distro_ubuntu',`
  	optional_policy(`
-@@ -90,12 +94,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -81,12 +86,8 @@ ifdef(`distro_ubuntu',`
+ 	')
  ')
  
- optional_policy(`
-+	bootloader_rw_tmp_files(insmod_t)
-+')
-+
+-tunable_policy(`use_nfs_home_dirs',`
+-	fs_read_nfs_files(depmod_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+-	fs_read_cifs_files(depmod_t)
 +optional_policy(`
- 	rpm_rw_pipes(depmod_t)
- 	rpm_manage_script_tmp_files(depmod_t)
++	bootloader_rw_tmp_files(insmod_t)
+ ')
+ 
+ optional_policy(`
+@@ -95,7 +96,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73163,7 +73221,7 @@ index a0eef20..2273e1a 100644
  	unconfined_domain(depmod_t)
  ')
  
-@@ -104,11 +111,12 @@ optional_policy(`
+@@ -104,11 +104,12 @@ optional_policy(`
  # insmod local policy
  #
  
@@ -73177,7 +73235,7 @@ index a0eef20..2273e1a 100644
  
  # Read module config and dependency information
  list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -118,6 +119,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
  
  can_exec(insmod_t, insmod_exec_t)
  
@@ -73187,7 +73245,7 @@ index a0eef20..2273e1a 100644
  kernel_load_module(insmod_t)
  kernel_request_load_module(insmod_t)
  kernel_read_system_state(insmod_t)
-@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t)
+@@ -126,6 +130,7 @@ kernel_write_proc_files(insmod_t)
  kernel_mount_debugfs(insmod_t)
  kernel_mount_kvmfs(insmod_t)
  kernel_read_debugfs(insmod_t)
@@ -73195,7 +73253,7 @@ index a0eef20..2273e1a 100644
  # Rules for /proc/sys/kernel/tainted
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
-@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t)
+@@ -143,6 +148,7 @@ dev_rw_agp(insmod_t)
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -73203,7 +73261,7 @@ index a0eef20..2273e1a 100644
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t)
+@@ -161,11 +167,18 @@ files_write_kernel_modules(insmod_t)
  
  fs_getattr_xattr_fs(insmod_t)
  fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -73222,7 +73280,7 @@ index a0eef20..2273e1a 100644
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -174,41 +194,38 @@ miscfiles_read_localization(insmod_t)
+@@ -174,41 +187,38 @@ miscfiles_read_localization(insmod_t)
  
  seutil_read_file_contexts(insmod_t)
  
@@ -73273,7 +73331,7 @@ index a0eef20..2273e1a 100644
  ')
  
  optional_policy(`
-@@ -236,6 +253,10 @@ optional_policy(`
+@@ -236,6 +246,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -73284,7 +73342,7 @@ index a0eef20..2273e1a 100644
  	# cjp: why is this needed:
  	dev_rw_xserver_misc(insmod_t)
  
-@@ -296,7 +317,7 @@ logging_send_syslog_msg(update_modules_t)
+@@ -296,7 +310,7 @@ logging_send_syslog_msg(update_modules_t)
  
  miscfiles_read_localization(update_modules_t)
  
@@ -74574,7 +74632,7 @@ index 170e2c7..b85fc73 100644
 +	')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..3ee9ea8 100644
+index 7ed9819..ac8b214 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -74837,7 +74895,7 @@ index 7ed9819..3ee9ea8 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,61 +470,22 @@ optional_policy(`
+@@ -420,67 +470,29 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -74845,13 +74903,9 @@ index 7ed9819..3ee9ea8 100644
 -allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 -allow semanage_t self:unix_dgram_socket create_socket_perms;
 -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-+seutil_semanage_policy(semanage_t)
-+allow semanage_t self:fifo_file rw_fifo_file_perms;
- 
+-
 -allow semanage_t policy_config_t:file rw_file_perms;
-+manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
-+manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
- 
+-
 -allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 -allow semanage_t semanage_tmp_t:file manage_file_perms;
 -files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
@@ -74864,12 +74918,16 @@ index 7ed9819..3ee9ea8 100644
 -dev_read_urand(semanage_t)
 -
 -domain_use_interactive_fds(semanage_t)
--
++seutil_semanage_policy(semanage_t)
++allow semanage_t self:fifo_file rw_fifo_file_perms;
+ 
 -files_read_etc_files(semanage_t)
 -files_read_etc_runtime_files(semanage_t)
 -files_read_usr_files(semanage_t)
 -files_list_pids(semanage_t)
--
++manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
++manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
+ 
 -mls_file_write_all_levels(semanage_t)
 -mls_file_read_all_levels(semanage_t)
 -
@@ -74884,15 +74942,15 @@ index 7ed9819..3ee9ea8 100644
 -
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
-+# Admins are creating pp files in random locations
-+files_read_non_security_files(semanage_t)
- 
+-
 -locallogin_use_fds(semanage_t)
 -
 -logging_send_syslog_msg(semanage_t)
 -
 -miscfiles_read_localization(semanage_t)
--
++# Admins are creating pp files in random locations
++files_read_non_security_files(semanage_t)
+ 
 -seutil_libselinux_linked(semanage_t)
  seutil_manage_file_contexts(semanage_t)
  seutil_manage_config(semanage_t)
@@ -74907,22 +74965,14 @@ index 7ed9819..3ee9ea8 100644
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -482,6 +493,14 @@ seutil_manage_default_contexts(semanage_t)
+ # Handle pp files created in homedir and /tmp
  userdom_read_user_home_content_files(semanage_t)
  userdom_read_user_tmp_files(semanage_t)
++userdom_home_reader(semanage_t)
  
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_read_nfs_files(semanage_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_read_cifs_files(semanage_t)
-+')
-+
  ifdef(`distro_debian',`
  	files_read_var_lib_files(semanage_t)
- 	files_read_var_lib_symlinks(semanage_t)
-@@ -493,112 +512,60 @@ ifdef(`distro_ubuntu',`
+@@ -493,112 +505,60 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -74981,20 +75031,20 @@ index 7ed9819..3ee9ea8 100644
 -selinux_compute_create_context(setfiles_t)
 -selinux_compute_relabel_context(setfiles_t)
 -selinux_compute_user_contexts(setfiles_t)
-+init_dontaudit_use_fds(setsebool_t)
- 
+-
 -term_use_all_ttys(setfiles_t)
 -term_use_all_ptys(setfiles_t)
 -term_use_unallocated_ttys(setfiles_t)
++init_dontaudit_use_fds(setsebool_t)
+ 
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
  
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
--
 -init_use_fds(setfiles_t)
 -init_use_script_fds(setfiles_t)
 -init_use_script_ptys(setfiles_t)
@@ -77813,10 +77863,10 @@ index eae5001..71e46b2 100644
 -')
 +attribute unconfined_services;
 diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
-index db75976..494ec08 100644
+index db75976..ce61aed 100644
 --- a/policy/modules/system/userdomain.fc
 +++ b/policy/modules/system/userdomain.fc
-@@ -1,4 +1,19 @@
+@@ -1,4 +1,20 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
@@ -77832,13 +77882,14 @@ index db75976..494ec08 100644
 +HOME_DIR/Audio(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 +HOME_DIR/Music(/.*)?    gen_context(system_u:object_r:audio_home_t,s0)
 +HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/.kde/share/apps/networkmanagement/certificates(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs/.*	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..31047e8 100644
+index 4b2878a..0b3811d 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -78838,7 +78889,7 @@ index 4b2878a..31047e8 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1059,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1059,114 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -78938,10 +78989,6 @@ index 4b2878a..31047e8 100644
  
  	optional_policy(`
 -		java_role($1_r, $1_t)
-+		openoffice_role_template($1, $1_r, $1_usertype)
-+	')
-+
-+	optional_policy(`
 +		policykit_role($1_r, $1_usertype)
 +	')
 +
@@ -78968,7 +79015,7 @@ index 4b2878a..31047e8 100644
  	')
  ')
  
-@@ -947,7 +1205,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1201,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -78977,7 +79024,7 @@ index 4b2878a..31047e8 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,12 +1214,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1210,15 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -78995,7 +79042,7 @@ index 4b2878a..31047e8 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -978,23 +1239,64 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1235,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -79049,27 +79096,23 @@ index 4b2878a..31047e8 100644
 +	')
 +
 +	optional_policy(`
-+		mono_role_template($1, $1_r, $1_t)
- 	')
- 
- 	optional_policy(`
--		netutils_run_ping_cond($1_t, $1_r)
--		netutils_run_traceroute_cond($1_t, $1_r)
 +		mount_run_fusermount($1_t, $1_r)
 +		mount_read_pid_files($1_t)
 +	')
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_run_ping_cond($1_t, $1_r)
+-		netutils_run_traceroute_cond($1_t, $1_r)
 +		postfix_run_postdrop($1_t, $1_r)
 +		postfix_search_spool($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1003,7 +1305,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1297,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -79080,7 +79123,7 @@ index 4b2878a..31047e8 100644
  	')
  ')
  
-@@ -1039,7 +1343,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1335,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -79089,7 +79132,7 @@ index 4b2878a..31047e8 100644
  	')
  
  	##############################
-@@ -1065,7 +1369,11 @@ template(`userdom_admin_user_template',`
+@@ -1065,7 +1361,11 @@ template(`userdom_admin_user_template',`
  	# $1_t local policy
  	#
  
@@ -79102,7 +79145,7 @@ index 4b2878a..31047e8 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1382,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1374,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -79112,7 +79155,7 @@ index 4b2878a..31047e8 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1399,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1391,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -79120,7 +79163,7 @@ index 4b2878a..31047e8 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1417,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1409,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -79134,7 +79177,7 @@ index 4b2878a..31047e8 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,29 +1434,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1426,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -79177,7 +79220,7 @@ index 4b2878a..31047e8 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1475,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1467,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -79186,7 +79229,7 @@ index 4b2878a..31047e8 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1536,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1528,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -79195,7 +79238,7 @@ index 4b2878a..31047e8 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,8 +1550,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1542,9 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -79206,7 +79249,7 @@ index 4b2878a..31047e8 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1234,13 +1563,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1555,24 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -79235,7 +79278,7 @@ index 4b2878a..31047e8 100644
  	')
  
  	optional_policy(`
-@@ -1251,12 +1591,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1583,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -79251,7 +79294,7 @@ index 4b2878a..31047e8 100644
  	')
  
  	optional_policy(`
-@@ -1279,54 +1619,66 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1611,60 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -79260,133 +79303,59 @@ index 4b2878a..31047e8 100644
  
  	allow $1 user_home_t:filesystem associate;
  	files_type($1)
--	files_poly_member($1)
- 	ubac_constrained($1)
-+
-+	files_poly_member($1)
-+	typeattribute $1  user_home_type;
- ')
- 
- ########################################
- ## <summary>
--##	Allow domain to attach to TUN devices created by administrative users.
-+##	Make the specified type usable in a
-+##	generic temporary directory.
- ## </summary>
--## <param name="domain">
-+## <param name="type">
- ##	<summary>
--##	Domain allowed access.
-+##	Type to be used as a file in the
-+##	generic temporary directory.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_attach_admin_tun_iface',`
-+interface(`userdom_user_tmp_content',`
- 	gen_require(`
--		attribute admindomain;
-+		attribute user_tmp_type;
- 	')
- 
--	allow $1 admindomain:tun_socket relabelfrom;
--	allow $1 self:tun_socket relabelto;
-+	typeattribute $1 user_tmp_type;
-+
-+	files_tmp_file($1)
 +	ubac_constrained($1)
- ')
- 
- ########################################
- ## <summary>
--##	Set the attributes of a user pty.
-+##	Make the specified type usable in a
-+##	generic tmpfs_t directory.
- ## </summary>
--## <param name="domain">
-+## <param name="type">
- ##	<summary>
--##	Domain allowed access.
-+##	Type to be used as a file in the
-+##	generic temporary directory.
- ##	</summary>
- ## </param>
- #
--interface(`userdom_setattr_user_ptys',`
-+interface(`userdom_user_tmpfs_content',`
- 	gen_require(`
--		type user_devpts_t;
-+		attribute user_tmpfs_type;
- 	')
- 
--	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
-+	typeattribute $1 user_tmpfs_type;
 +
-+	files_tmpfs_file($1)
-+	ubac_constrained($1)
- ')
- 
- ########################################
- ## <summary>
--##	Create a user pty.
-+##	Allow domain to attach to TUN devices created by administrative users.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1334,12 +1686,49 @@ interface(`userdom_setattr_user_ptys',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_create_user_pty',`
-+interface(`userdom_attach_admin_tun_iface',`
- 	gen_require(`
--		type user_devpts_t;
-+		attribute admindomain;
- 	')
- 
--	term_create_pty($1, user_devpts_t)
-+	allow $1 admindomain:tun_socket relabelfrom;
-+	allow $1 self:tun_socket relabelto;
+ 	files_poly_member($1)
++	typeattribute $1  user_home_type;
 +')
 +
 +########################################
 +## <summary>
-+##	Set the attributes of a user pty.
++##	Make the specified type usable in a
++##	generic temporary directory.
 +## </summary>
-+## <param name="domain">
++## <param name="type">
 +##	<summary>
-+##	Domain allowed access.
++##	Type to be used as a file in the
++##	generic temporary directory.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_setattr_user_ptys',`
++interface(`userdom_user_tmp_content',`
 +	gen_require(`
-+		type user_devpts_t;
++		attribute user_tmp_type;
 +	')
 +
-+	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++	typeattribute $1 user_tmp_type;
++
++	files_tmp_file($1)
++	ubac_constrained($1)
 +')
 +
 +########################################
 +## <summary>
-+##	Create a user pty.
++##	Make the specified type usable in a
++##	generic tmpfs_t directory.
 +## </summary>
-+## <param name="domain">
++## <param name="type">
 +##	<summary>
-+##	Domain allowed access.
++##	Type to be used as a file in the
++##	generic temporary directory.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_create_user_pty',`
++interface(`userdom_user_tmpfs_content',`
 +	gen_require(`
-+		type user_devpts_t;
++		attribute user_tmpfs_type;
 +	')
 +
-+	term_create_pty($1, user_devpts_t)
++	typeattribute $1 user_tmpfs_type;
++
++	files_tmpfs_file($1)
+ 	ubac_constrained($1)
  ')
  
- ########################################
-@@ -1395,6 +1784,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1776,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -79394,11 +79363,15 @@ index 4b2878a..31047e8 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1831,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,11 +1823,19 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
-+
+-')
+ 
+-########################################
+-## <summary>
+-##	Do not audit attempts to list user home subdirectories.
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_list_nfs($1)
 +	')
@@ -79406,10 +79379,15 @@ index 4b2878a..31047e8 100644
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_list_cifs($1)
 +	')
- ')
- 
- ########################################
-@@ -1456,9 +1854,11 @@ interface(`userdom_list_user_home_dirs',`
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to list user home subdirectories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1456,9 +1846,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -79421,7 +79399,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -1515,6 +1915,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1907,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -79464,7 +79442,7 @@ index 4b2878a..31047e8 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +2025,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2017,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -79473,7 +79451,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -1603,10 +2041,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2033,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -79488,7 +79466,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -1649,6 +2089,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2081,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -79532,7 +79510,7 @@ index 4b2878a..31047e8 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1668,6 +2145,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2137,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -79558,7 +79536,7 @@ index 4b2878a..31047e8 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1700,12 +2196,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2188,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -79591,7 +79569,7 @@ index 4b2878a..31047e8 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2232,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2224,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -79609,7 +79587,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -1779,6 +2298,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2290,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -79670,7 +79648,7 @@ index 4b2878a..31047e8 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2383,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2375,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -79680,7 +79658,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -1827,20 +2399,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2391,15 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -79694,18 +79672,19 @@ index 4b2878a..31047e8 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
--	')
--
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
--')
  
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
+-	')
+-')
+-
  ########################################
  ## <summary>
-@@ -1941,6 +2507,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ ##	Do not audit attempts to execute user home files.
+@@ -1941,6 +2499,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -79730,7 +79709,7 @@ index 4b2878a..31047e8 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2008,7 +2592,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2584,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -79739,7 +79718,7 @@ index 4b2878a..31047e8 100644
  	files_search_home($1)
  ')
  
-@@ -2039,7 +2623,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2615,7 @@ interface(`userdom_user_home_content_filetrans',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -79748,7 +79727,7 @@ index 4b2878a..31047e8 100644
  	allow $1 user_home_dir_t:dir search_dir_perms;
  	files_search_home($1)
  ')
-@@ -2182,7 +2766,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2758,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -79757,7 +79736,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -2390,7 +2974,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2966,7 @@ interface(`userdom_user_tmp_filetrans',`
  		type user_tmp_t;
  	')
  
@@ -79766,7 +79745,7 @@ index 4b2878a..31047e8 100644
  	files_search_tmp($1)
  ')
  
-@@ -2419,6 +3003,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +2995,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2)
  ')
  
@@ -79792,7 +79771,7 @@ index 4b2878a..31047e8 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2435,13 +3038,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3030,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -79808,7 +79787,7 @@ index 4b2878a..31047e8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,7 +3066,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3058,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -79817,7 +79796,7 @@ index 4b2878a..31047e8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2470,14 +3074,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3066,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -79852,71 +79831,36 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -2572,7 +3192,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +3184,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
--##	Read and write a user domain pty.
 +##	Read and write a inherited user domain tty.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2580,48 +3200,97 @@ interface(`userdom_use_user_ttys',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_use_user_ptys',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`userdom_use_inherited_user_ttys',`
- 	gen_require(`
--		type user_devpts_t;
++	gen_require(`
 +		type user_tty_device_t;
- 	')
- 
--	allow $1 user_devpts_t:chr_file rw_term_perms;
++	')
++
 +	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read and write a user TTYs and PTYs.
-+##	Read and write a user domain pty.
- ## </summary>
--## <desc>
--##	<p>
--##	Allow the specified domain to read and write user
--##	TTYs and PTYs. This will allow the domain to
--##	interact with the user via the terminal. Typically
--##	all interactive applications will require this
--##	access.
--##	</p>
--##	<p>
--##	However, this also allows the applications to spy
--##	on user sessions or inject information into the
--##	user session.  Thus, this access should likely
--##	not be allowed for non-interactive domains.
--##	</p>
--## </desc>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <infoflow type="both" weight="10"/>
- #
--interface(`userdom_use_user_terminals',`
-+interface(`userdom_use_user_ptys',`
- 	gen_require(`
--		type user_tty_device_t, user_devpts_t;
-+		type user_devpts_t;
- 	')
- 
--	allow $1 user_tty_device_t:chr_file rw_term_perms;
- 	allow $1 user_devpts_t:chr_file rw_term_perms;
--	term_list_ptys($1)
 +')
 +
 +########################################
 +## <summary>
+ ##	Read and write a user domain pty.
+ ## </summary>
+ ## <param name="domain">
+@@ -2590,22 +3220,34 @@ interface(`userdom_use_user_ptys',`
+ 
+ ########################################
+ ## <summary>
+-##	Read and write a user TTYs and PTYs.
 +##	Read and write a inherited user domain pty.
 +## </summary>
 +## <param name="domain">
@@ -79936,28 +79880,38 @@ index 4b2878a..31047e8 100644
 +########################################
 +## <summary>
 +##	Read and write a inherited user TTYs and PTYs.
-+## </summary>
-+## <desc>
-+##	<p>
+ ## </summary>
+ ## <desc>
+ ##	<p>
+-##	Allow the specified domain to read and write user
 +##	Allow the specified domain to read and write inherited user
-+##	TTYs and PTYs. This will allow the domain to
-+##	interact with the user via the terminal. Typically
-+##	all interactive applications will require this
-+##	access.
-+##	</p>
-+## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <infoflow type="both" weight="10"/>
-+#
+ ##	TTYs and PTYs. This will allow the domain to
+ ##	interact with the user via the terminal. Typically
+ ##	all interactive applications will require this
+ ##	access.
+ ##	</p>
+-##	<p>
+-##	However, this also allows the applications to spy
+-##	on user sessions or inject information into the
+-##	user session.  Thus, this access should likely
+-##	not be allowed for non-interactive domains.
+-##	</p>
+ ## </desc>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2614,14 +3256,33 @@ interface(`userdom_use_user_ptys',`
+ ## </param>
+ ## <infoflow type="both" weight="10"/>
+ #
+-interface(`userdom_use_user_terminals',`
 +interface(`userdom_use_inherited_user_terminals',`
-+	gen_require(`
-+		type user_tty_device_t, user_devpts_t;
-+	')
-+
+ 	gen_require(`
+ 		type user_tty_device_t, user_devpts_t;
+ 	')
+ 
+-	allow $1 user_tty_device_t:chr_file rw_term_perms;
+-	allow $1 user_devpts_t:chr_file rw_term_perms;
+-	term_list_ptys($1)
 +	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
 +	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
 +')
@@ -79983,7 +79937,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -2640,8 +3309,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,36 +3301,32 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -79991,105 +79945,193 @@ index 4b2878a..31047e8 100644
 -	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
 +	dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms;
 +	dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
+ ')
+ 
 +
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
+-##	Execute a shell in all user domains.  This
+-##	is an explicit transition, requiring the
+-##	caller to use setexeccon().
 +##	Get attributes of user domain tty and pty.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed to transition.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_spec_domtrans_all_users',`
 +interface(`userdom_getattr_user_terminals',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute userdomain;
 +		type user_tty_device_t, user_devpts_t;
-+	')
-+
+ 	')
+ 
+-	corecmd_shell_spec_domtrans($1, userdomain)
+-	allow userdomain $1:fd use;
+-	allow userdomain $1:fifo_file rw_file_perms;
+-	allow userdomain $1:process sigchld;
 +	allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms;
  ')
  
  ########################################
-@@ -2713,6 +3401,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
- 	allow unpriv_userdomain $1:process sigchld;
+ ## <summary>
+-##	Execute an Xserver session in all unprivileged user domains.  This
++##	Execute a shell in all user domains.  This
+ ##	is an explicit transition, requiring the
+ ##	caller to use setexeccon().
+ ## </summary>
+@@ -2679,12 +3336,12 @@ interface(`userdom_spec_domtrans_all_users',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_xsession_spec_domtrans_all_users',`
++interface(`userdom_spec_domtrans_all_users',`
+ 	gen_require(`
+ 		attribute userdomain;
+ 	')
+ 
+-	xserver_xsession_spec_domtrans($1, userdomain)
++	corecmd_shell_spec_domtrans($1, userdomain)
+ 	allow userdomain $1:fd use;
+ 	allow userdomain $1:fifo_file rw_file_perms;
+ 	allow userdomain $1:process sigchld;
+@@ -2692,7 +3349,7 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+ 
+ ########################################
+ ## <summary>
+-##	Execute a shell in all unprivileged user domains.  This
++##	Execute an Xserver session in all unprivileged user domains.  This
+ ##	is an explicit transition, requiring the
+ ##	caller to use setexeccon().
+ ## </summary>
+@@ -2702,20 +3359,20 @@ interface(`userdom_xsession_spec_domtrans_all_users',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_spec_domtrans_unpriv_users',`
++interface(`userdom_xsession_spec_domtrans_all_users',`
+ 	gen_require(`
+-		attribute unpriv_userdomain;
++		attribute userdomain;
+ 	')
+ 
+-	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
+-	allow unpriv_userdomain $1:fd use;
+-	allow unpriv_userdomain $1:fifo_file rw_file_perms;
+-	allow unpriv_userdomain $1:process sigchld;
++	xserver_xsession_spec_domtrans($1, userdomain)
++	allow userdomain $1:fd use;
++	allow userdomain $1:fifo_file rw_file_perms;
++	allow userdomain $1:process sigchld;
  ')
  
-+#####################################
-+## <summary>
-+##  Allow domain dyntrans to unpriv userdomain.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`userdom_dyntransition_unpriv_users',`
-+    gen_require(`
-+        attribute unpriv_userdomain;
-+    ')
-+
-+    allow $1 unpriv_userdomain:process dyntransition;
-+')
-+
  ########################################
  ## <summary>
- ##	Execute an Xserver session in all unprivileged user domains.  This
-@@ -2736,24 +3442,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+-##	Execute an Xserver session in all unprivileged user domains.  This
++##	Execute a shell in all unprivileged user domains.  This
+ ##	is an explicit transition, requiring the
+ ##	caller to use setexeccon().
+ ## </summary>
+@@ -2725,57 +3382,61 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_xsession_spec_domtrans_unpriv_users',`
++interface(`userdom_spec_domtrans_unpriv_users',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
+ 	')
+ 
+-	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
++	corecmd_shell_spec_domtrans($1, unpriv_userdomain)
+ 	allow unpriv_userdomain $1:fd use;
+ 	allow unpriv_userdomain $1:fifo_file rw_file_perms;
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
 -#######################################
--## <summary>
++#####################################
+ ## <summary>
 -##	Read and write unpriviledged user SysV sempaphores.
--## </summary>
--## <param name="domain">
++##  Allow domain dyntrans to unpriv userdomain.
+ ## </summary>
+ ## <param name="domain">
 -##	<summary>
 -##	Domain allowed access.
 -##	</summary>
--## </param>
--#
++##  <summary>
++##  Domain allowed access.
++##  </summary>
+ ## </param>
+ #
 -interface(`userdom_rw_unpriv_user_semaphores',`
 -	gen_require(`
 -		attribute unpriv_userdomain;
 -	')
--
++interface(`userdom_dyntransition_unpriv_users',`
++    gen_require(`
++        attribute unpriv_userdomain;
++    ')
+ 
 -	allow $1 unpriv_userdomain:sem rw_sem_perms;
--')
--
++    allow $1 unpriv_userdomain:process dyntransition;
+ ')
+ 
  ########################################
  ## <summary>
- ##	Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3460,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
- 	allow $1 unpriv_userdomain:sem create_sem_perms;
+-##	Manage unpriviledged user SysV sempaphores.
++##	Execute an Xserver session in all unprivileged user domains.  This
++##	is an explicit transition, requiring the
++##	caller to use setexeccon().
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain allowed to transition.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_manage_unpriv_user_semaphores',`
++interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
+ 	')
+ 
+-	allow $1 unpriv_userdomain:sem create_sem_perms;
++	xserver_xsession_spec_domtrans($1, unpriv_userdomain)
++	allow unpriv_userdomain $1:fd use;
++	allow unpriv_userdomain $1:fifo_file rw_file_perms;
++	allow unpriv_userdomain $1:process sigchld;
  ')
  
 -#######################################
--## <summary>
++########################################
+ ## <summary>
 -##	Read and write unpriviledged user SysV shared
 -##	memory segments.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Manage unpriviledged user SysV sempaphores.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2783,12 +3444,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`userdom_rw_unpriv_user_shared_mem',`
--	gen_require(`
--		attribute unpriv_userdomain;
--	')
--
++interface(`userdom_manage_unpriv_user_semaphores',`
+ 	gen_require(`
+ 		attribute unpriv_userdomain;
+ 	')
+ 
 -	allow $1 unpriv_userdomain:shm rw_shm_perms;
--')
--
++	allow $1 unpriv_userdomain:sem create_sem_perms;
+ ')
+ 
  ########################################
- ## <summary>
- ##	Manage unpriviledged user SysV shared
-@@ -2852,7 +3521,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3513,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -80098,7 +80140,7 @@ index 4b2878a..31047e8 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2868,29 +3537,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3529,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -80132,7 +80174,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -2972,7 +3625,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3617,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -80141,7 +80183,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -3027,7 +3680,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3672,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -80188,7 +80230,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -3045,7 +3736,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3728,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -80197,7 +80239,7 @@ index 4b2878a..31047e8 100644
  ')
  
  ########################################
-@@ -3064,6 +3755,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3747,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -80205,7 +80247,7 @@ index 4b2878a..31047e8 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3142,6 +3834,24 @@ interface(`userdom_signal_all_users',`
+@@ -3142,6 +3826,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -80230,7 +80272,7 @@ index 4b2878a..31047e8 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3160,6 +3870,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3862,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -80255,7 +80297,7 @@ index 4b2878a..31047e8 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3194,3 +3922,1146 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3914,1186 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -81397,13 +81439,53 @@ index 4b2878a..31047e8 100644
 +	userdom_user_home_dir_filetrans($1, audio_home_t, dir, "Music")
 +	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".cert")
 +	userdom_user_home_dir_filetrans($1, home_cert_t, dir, ".pki")
++	userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
++	gnome_config_filetrans($1, home_cert_t, dir, "certificates")
 +
 +	#optional_policy(`
 +	#	gnome_admin_home_gconf_filetrans($1, home_bin_t, dir, "bin")
 +	#')
 +')
++
++########################################
++## <summary>
++##	Make the specified type able to read content in user home dirs
++## </summary>
++## <param name="type">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_home_reader',`
++	gen_require(`
++		attribute userdom_home_reader_type;
++	')
++
++	typeattribute $1 userdom_home_reader_type;
++')
++
++
++########################################
++## <summary>
++##	Make the specified type able to manage content in user home dirs
++## </summary>
++## <param name="type">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_home_manager',`
++	gen_require(`
++		attribute userdom_home_manager_type;
++	')
++
++	typeattribute $1 userdom_home_manager_type;
++')
++
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..d6c3860 100644
+index 9b4a930..ced52ff 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -81436,10 +81518,13 @@ index 9b4a930..d6c3860 100644
  ## Allow w to display everyone
  ## </p>
  ## </desc>
-@@ -59,6 +73,19 @@ attribute unpriv_userdomain;
+@@ -59,6 +73,22 @@ attribute unpriv_userdomain;
  attribute untrusted_content_type;
  attribute untrusted_content_tmp_type;
  
++attribute userdom_home_reader_type;
++attribute userdom_home_manager_type;
++
 +# unprivileged user domains
 +attribute user_home_type;
 +attribute user_tmp_type;
@@ -81456,7 +81541,7 @@ index 9b4a930..d6c3860 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +98,77 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +101,110 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -81536,6 +81621,39 @@ index 9b4a930..d6c3860 100644
 +optional_policy(`
 +	xserver_filetrans_home_content(userdomain)
 +')
++
++
++tunable_policy(`use_nfs_home_dirs',`
++    fs_read_nfs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++    fs_read_cifs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++    fs_read_fusefs_files(userdom_home_reader_type)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++    fs_list_auto_mountpoints(userdom_home_manager_type)
++    fs_manage_nfs_dirs(userdom_home_manager_type)
++    fs_manage_nfs_files(userdom_home_manager_type)
++    fs_manage_nfs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++    fs_manage_cifs_dirs(userdom_home_manager_type)
++    fs_manage_cifs_files(userdom_home_manager_type)
++    fs_manage_cifs_symlinks(userdom_home_manager_type)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++    fs_manage_fusefs_dirs(userdom_home_manager_type)
++    fs_manage_fusefs_files(userdom_home_manager_type)
++    fs_manage_fusefs_symlinks(userdom_home_manager_type)
++')
++
 diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
 index a865da7..a5ed06e 100644
 --- a/policy/modules/system/xen.fc
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 726dd6c..9b66cd0 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 57%{?dist}
+Release: 58%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,24 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Nov 16 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-58
+- Add ssh_dontaudit_search_home_dir
+- Changes to allow namespace_init_t to work
+- Add interface to allow exec of mongod, add port definition for mongod port, 27017
+- Label .kde/share/apps/networkmanagement/certificates/ as home_cert_t
+- Allow spamd and clamd to steam connect to each other
+- Add policy label for passwd.OLD
+- More fixes for postfix and postfix maildro
+- Add ftp support for mozilla plugins
+- Useradd now needs to manage policy since it calls libsemanage
+- Fix devicekit_manage_log_files() interface
+- Allow colord to execute ifconfig
+- Allow accountsd to read /sys
+- Allow mysqld-safe to execute shell
+- Allow openct to stream connect to pcscd
+- Add label for /var/run/nm-dns-dnsmasq\.conf
+- Allow networkmanager to chat with virtd_t
+
 * Fri Nov 11 2011 Dan Walsh <dwalsh@redhat.com> 3.10.0-57
 - Pulseaudio changes
 - Merge patches