From 5b299ca3408da8c06e6b96bb610b47dfc21858dc Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Jun 19 2014 12:16:25 +0000
Subject: * Thu Jun 19 2014 Lukas Vrabec 3.12.1-74.28

- Added docker policy
- Allow chrome_sandbox to execute config_home_t
- apcupsd will send a wall message to all terminals telling the system is about to go down
- If you use ldap you should be able to read certs
---
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 55ccf84..af264ba 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -3244,7 +3244,7 @@ index 7590165..19aaaed 100644
 + fs_mounton_fusefs(seunshare_domain)
 +')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..ad789c2 100644
+index 644d4d7..6e7dd83 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -1,9 +1,10 @@
@@ -3556,7 +3556,7 @@ index 644d4d7..ad789c2 100644
  /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +458,16 @@ ifdef(`distro_suse', `
+@@ -383,11 +458,15 @@ ifdef(`distro_suse', `
  #
  # /var
  #
@@ -3566,7 +3566,6 @@ index 644d4d7..ad789c2 100644
  /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-+/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)
 +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3574,7 +3573,7 @@ index 644d4d7..ad789c2 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +477,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +476,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -9406,7 +9405,7 @@ index c2c6e05..be423a7 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..48e851f 100644 +index 64ff4d7..9a38351 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -10315,12 +10314,12 @@ index 64ff4d7..48e851f 100644 ## Create, read, write, and delete directories ## on new filesystems that have not yet been labeled. ## -@@ -3455,6 +3949,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3227,6 +3721,25 @@ interface(`files_manage_isid_type_dirs',` ######################################## ## -+## rw any files inherited from another process -+## on new filesystems that have not yet been labeled. ++## Moundon directories on new filesystems ++## that have not yet been labeled. +## +## +## 
@@ -10328,20 +10327,195 @@ index 64ff4d7..48e851f 100644 +## +## +# -+interface(`files_rw_inherited_isid_type_files',` ++interface(`files_mounton_isid',` + gen_require(` + type file_t; + ') + -+ allow $1 file_t:file rw_inherited_file_perms; ++ allow $1 file_t:dir mounton; +') + +######################################## +## - ## Create, read, write, and delete block device nodes + ## Mount a filesystem on a directory on new filesystems + ## that has not yet been labeled. + ## +@@ -3455,8 +3968,8 @@ interface(`files_rw_isid_type_blk_files',` + + ######################################## + ## +-## Create, read, write, and delete block device nodes +-## on new filesystems that have not yet been labeled. ++## Mount a filesystem on a new chr_file ++## that has not yet been labeled. + ## + ## + ## +@@ -3464,17 +3977,17 @@ interface(`files_rw_isid_type_blk_files',` + ## + ## + # +-interface(`files_manage_isid_type_blk_files',` ++interface(`files_mounton_isid_type_chr_file',` + gen_require(` +- type file_t; ++ type unlabeled_t; + ') + +- allow $1 file_t:blk_file manage_blk_file_perms; ++ allow $1 unlabeled_t:chr_file mounton; + ') + + ######################################## + ## +-## Create, read, write, and delete character device nodes ++## rw any files inherited from another process ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4309,38 @@ interface(`files_list_mnt',` + ## +@@ -3483,18 +3996,18 @@ interface(`files_manage_isid_type_blk_files',` + ## + ## + # +-interface(`files_manage_isid_type_chr_files',` ++interface(`files_rw_inherited_isid_type_files',` + gen_require(` + type file_t; + ') + +- allow $1 file_t:chr_file manage_chr_file_perms; ++ allow $1 file_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Get the attributes of the home directories root +-## (/home). ++## Create, read, write, and delete block device nodes ++## on new filesystems that have not yet been labeled. 
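Review bot: The summary of the new inner interface at the end of this hunk has a typo, `++## Moundon directories on new filesystems`, which should read `## Mount on directories on new filesystems`. The interface it describes, `files_mounton_isid`, has its body in the next outer hunk rather than here, so this hunk ends inside its doc block; the summary should also say how the new interface differs from the upstream one that follows it (`Mount a filesystem on a directory on new filesystems that has not yet been labeled`), since from the wording alone they look like the same access.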
+ ## + ## + ## +@@ -3502,39 +4015,37 @@ interface(`files_manage_isid_type_chr_files',` + ## + ## + # +-interface(`files_getattr_home_dir',` ++interface(`files_manage_isid_type_blk_files',` + gen_require(` +- type home_root_t; ++ type file_t; + ') + +- allow $1 home_root_t:dir getattr; +- allow $1 home_root_t:lnk_file getattr; ++ allow $1 file_t:blk_file manage_blk_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the +-## attributes of the home directories root +-## (/home). ++## Create, read, write, and delete character device nodes ++## on new filesystems that have not yet been labeled. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_home_dir',` ++interface(`files_manage_isid_type_chr_files',` + gen_require(` +- type home_root_t; ++ type file_t; + ') + +- dontaudit $1 home_root_t:dir getattr; +- dontaudit $1 home_root_t:lnk_file getattr; ++ allow $1 file_t:chr_file manage_chr_file_perms; + ') + + ######################################## + ## +-## Search home directories root (/home). ++## Execute files on new filesystems ++## that have not yet been labeled. + ## + ## + ## +@@ -3542,7 +4053,66 @@ interface(`files_dontaudit_getattr_home_dir',` + ## + ## + # +-interface(`files_search_home',` ++interface(`files_exec_isid_files',` ++ gen_require(` ++ type file_t; ++ ') ++ ++ can_exec($1, file_t) ++') ++ ++######################################## ++## ++## Get the attributes of the home directories root ++## (/home). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_getattr_home_dir',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ allow $1 home_root_t:dir getattr; ++ allow $1 home_root_t:lnk_file getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to get the ++## attributes of the home directories root ++## (/home). ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`files_dontaudit_getattr_home_dir',` ++ gen_require(` ++ type home_root_t; ++ ') ++ ++ dontaudit $1 home_root_t:dir getattr; ++ dontaudit $1 home_root_t:lnk_file getattr; ++') ++ ++######################################## ++## ++## Search home directories root (/home). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_home',` + gen_require(` + type home_root_t; + ') +@@ -3796,20 +4366,38 @@ interface(`files_list_mnt',` ###################################### ## 
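Review bot: `files_mounton_isid_type_chr_file` requires `type unlabeled_t;` and allows `$1 unlabeled_t:chr_file mounton`, while its name, its summary (`Mount a filesystem on a new chr_file that has not yet been labeled`) and every neighbouring isid interface in this hunk refer to `file_t`; unlabeled_t is a separate type from file_t, so either the require should be `type file_t;` or the name and summary should state that the target is unlabeled_t. The new `files_mounton_isid` body, `allow $1 file_t:dir mounton;`, appears to grant the same access as the upstream interface whose summary follows it (`Mount a filesystem on a directory on new filesystems that has not yet been labeled`); if the two are identical, callers should use the existing one instead of adding a second name for it. `files_exec_isid_files` expands to `can_exec($1, file_t)`, which lets the caller execute any file on a filesystem that has not been labeled yet — that scope belongs in the summary, e.g. `## Execute any file on new filesystems that have not yet been labeled, in the caller domain.` The remainder of the hunk only moves the home_root_t interfaces further down with their bodies unchanged.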
@@ -10385,59 +10559,40 @@ index 64ff4d7..48e851f 100644 ') ######################################## -@@ -4199,52 +4730,219 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,6 +4787,133 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') --######################################## +####################################### - ## --## Allow the specified type to associate --## to a filesystem with the type of the --## temporary directory (/tmp). ++## +## Read manageable system configuration files in /etc - ## --## --## --## Type of the file to associate. --## ++## +## +## +## Domain allowed access. +## - ## - # --interface(`files_associate_tmp',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') - -- allow $1 tmp_t:filesystem associate; ++ + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) - ') - --######################################## ++') ++ +###################################### - ## --## Get the attributes of the tmp directory (/tmp). ++## +## Manage manageable system configuration files in /etc. - ## - ## --## --## Domain allowed access. --## ++## ++## +## +## Domain allowed access. +## - ## - # --interface(`files_getattr_tmp_dirs',` ++## ++# +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; 
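Review bot: The summaries of the two new interfaces, `## Read manageable system configuration files in /etc` and `## Manage manageable system configuration files in /etc.`, do not say which label qualifies, while the body reads only `system_conf_t` under `etc_t`; `## Read system configuration files labeled system_conf_t in /etc` (and the matching wording for the manage variant) tells a caller what it actually gets. `files_read_system_conf_files` also grants `allow $1 etc_t:dir list_dir_perms;`, i.e. listing of etc_t directories as a whole and not just the system_conf_t entries, which the summary could mention. The gen_require of `files_manage_system_conf_files` is the last thing in this hunk; its body continues outside it.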
@@ -10535,28 +10690,13 @@ index 64ff4d7..48e851f 100644 + filetrans_pattern($1, etc_t, system_conf_t, file) +') + -+######################################## -+## -+## Allow the specified type to associate -+## to a filesystem with the type of the -+## temporary directory (/tmp). -+## -+## -+## -+## Type of the file to associate. -+## -+## -+# -+interface(`files_associate_tmp',` -+ gen_require(` -+ type tmp_t; -+ ') -+ -+ allow $1 tmp_t:filesystem associate; -+') -+ -+######################################## -+## + ######################################## + ## + ## Allow the specified type to associate +@@ -4221,6 +4936,26 @@ interface(`files_associate_tmp',` + + ######################################## + ## +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system @@ -10577,16 +10717,10 @@ index 64ff4d7..48e851f 100644 + +######################################## +## -+## Get the attributes of the tmp directory (/tmp). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_getattr_tmp_dirs',` - gen_require(` + ## Get the attributes of the tmp directory (/tmp). + ## + ## +@@ -4234,17 +4969,37 @@ interface(`files_getattr_tmp_dirs',` type tmp_t; ') @@ -10625,7 +10759,7 @@ index 64ff4d7..48e851f 100644 ## ## # -@@ -4271,6 +4969,7 @@ interface(`files_search_tmp',` +@@ -4271,6 +5026,7 @@ interface(`files_search_tmp',` type tmp_t; ') @@ -10633,7 +10767,7 @@ index 64ff4d7..48e851f 100644 allow $1 tmp_t:dir search_dir_perms; ') -@@ -4307,6 +5006,7 @@ interface(`files_list_tmp',` +@@ -4307,6 +5063,7 @@ interface(`files_list_tmp',` type tmp_t; ') @@ -10641,7 +10775,7 @@ index 64ff4d7..48e851f 100644 allow $1 tmp_t:dir list_dir_perms; ') -@@ -4316,7 +5016,7 @@ interface(`files_list_tmp',` +@@ -4316,7 +5073,7 @@ interface(`files_list_tmp',` ## ## ## 
@@ -10650,7 +10784,7 @@ index 64ff4d7..48e851f 100644 ## ## # -@@ -4328,6 +5028,25 @@ interface(`files_dontaudit_list_tmp',` +@@ -4328,6 +5085,25 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -10676,7 +10810,7 @@ index 64ff4d7..48e851f 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4343,6 +5062,7 @@ interface(`files_delete_tmp_dir_entry',` +@@ -4343,6 +5119,7 @@ interface(`files_delete_tmp_dir_entry',` type tmp_t; ') @@ -10684,7 +10818,7 @@ index 64ff4d7..48e851f 100644 allow $1 tmp_t:dir del_entry_dir_perms; ') -@@ -4384,6 +5104,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4384,6 +5161,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## 
@@ -10717,29 +10851,222 @@ index 64ff4d7..48e851f 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4438,6 +5184,42 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4438,7 +5241,7 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## +-## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. -+## -+## -+## + ## + ## + ## +@@ -4446,17 +5249,17 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_relabelfrom_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## List all tmp directories. ++## Relabel a file from the type used in /tmp. + ## + ## + ## +@@ -4464,59 +5267,53 @@ interface(`files_setattr_all_tmp_dirs',` + ## + ## + # +-interface(`files_list_all_tmp',` ++interface(`files_relabelfrom_tmp_files',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ relabelfrom_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Set the attributes of all tmp directories. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_setattr_all_tmp_dirs',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:dir { search_dir_perms setattr }; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Allow caller to read inherited tmp files. + ## + ## + ## +-## Domain not to audit. +## Domain allowed access. 
-+## -+## + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_read_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:file getattr; ++ allow $1 tmpfile:file { append read_inherited_file_perms }; + ') + + ######################################## + ## +-## Allow attempts to get the attributes +-## of all tmp files. ++## Allow caller to append inherited tmp files. + ## + ## + ## +@@ -4524,84 +5321,218 @@ interface(`files_dontaudit_getattr_all_tmp_files',` + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_append_inherited_tmp_files',` + gen_require(` + attribute tmpfile; + ') + +- allow $1 tmpfile:file getattr; ++ allow $1 tmpfile:file append_inherited_file_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## file types. ++## Allow caller to read and write inherited tmp files. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_rw_inherited_tmp_file',` + gen_require(` + attribute tmpfile; +- type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ allow $1 tmpfile:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## List all tmp directories. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_list_all_tmp',` + gen_require(` + attribute tmpfile; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ allow $1 tmpfile:dir list_dir_perms; + ') + + ######################################## + ## +-## Read all tmp files. ++## Relabel to and from all temporary ++## directory types. + ## + ## + ## + ## Domain allowed access. 
+ ## + ## ++## + # +-interface(`files_read_all_tmp_files',` ++interface(`files_relabel_all_tmp_dirs',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + +- read_files_pattern($1, tmpfile, tmpfile) ++ allow $1 var_t:dir search_dir_perms; ++ relabel_dirs_pattern($1, tmpfile, tmpfile) + ') + + ######################################## + ## +-## Create an object in the tmp directories, with a private +-## type using a type transition. ++## Do not audit attempts to get the attributes ++## of all tmp files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## +-## +# -+interface(`files_relabelfrom_tmp_dirs',` ++interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmpfile:file getattr; +') + +######################################## +## -+## Relabel a file from the type used in /tmp. ++## Allow attempts to get the attributes ++## of all tmp files. +## +## +## 
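Review bot: `files_read_inherited_tmp_files` grants `allow $1 tmpfile:file { append read_inherited_file_perms };`, so a domain that asks only to read inherited tmp files also gets append, which its summary (`Allow caller to read inherited tmp files`) does not say and which the separate `files_append_inherited_tmp_files` added right after it already provides; `allow $1 tmpfile:file read_inherited_file_perms;` keeps the two interfaces distinct. The companion `files_rw_inherited_tmp_file` is singular where its two siblings end in `_files`; worth aligning the name before callers depend on it. The rest of the hunk appears to re-add the upstream tmpfile interfaces the inner diff displaced, with their bodies unchanged.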
@@ -10747,60 +11074,58 @@ index 64ff4d7..48e851f 100644 +## +## +# -+interface(`files_relabelfrom_tmp_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ relabelfrom_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file getattr; +') + +######################################## +## - ## Set the attributes of all tmp directories. - ## - ## -@@ -4456,6 +5238,60 @@ interface(`files_setattr_all_tmp_dirs',` - - ######################################## - ## -+## Allow caller to read inherited tmp files. ++## Relabel to and from all temporary ++## file types. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_read_inherited_tmp_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` + attribute tmpfile; ++ type var_t; + ') + -+ allow $1 tmpfile:file { append read_inherited_file_perms }; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) +') + +######################################## +## -+## Allow caller to append inherited tmp files. ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_append_inherited_tmp_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:file append_inherited_file_perms; ++ dontaudit $1 tmpfile:sock_file getattr; +') + +######################################## +## -+## Allow caller to read and write inherited tmp files. ++## Read all tmp files. +## +## +## 
@@ -10808,41 +11133,16 @@ index 64ff4d7..48e851f 100644 +## +## +# -+interface(`files_rw_inherited_tmp_file',` ++interface(`files_read_all_tmp_files',` + gen_require(` + attribute tmpfile; + ') + -+ allow $1 tmpfile:file rw_inherited_file_perms; ++ read_files_pattern($1, tmpfile, tmpfile) +') + +######################################## +## - ## List all tmp directories. - ## - ## -@@ -4501,7 +5337,7 @@ interface(`files_relabel_all_tmp_dirs',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. - ## - ## - # -@@ -4561,7 +5397,7 @@ interface(`files_relabel_all_tmp_files',` - ## - ## - ## --## Domain not to audit. -+## Domain to not audit. - ## - ## - # -@@ -4593,6 +5429,44 @@ interface(`files_read_all_tmp_files',` - - ######################################## - ## +## Do not audit attempts to read or write +## all leaked tmpfiles files. +## @@ -10881,10 +11181,19 @@ index 64ff4d7..48e851f 100644 + +######################################## +## - ## Create an object in the tmp directories, with a private - ## type using a type transition. - ## -@@ -4646,6 +5520,16 @@ interface(`files_purge_tmp',` ++## Create an object in the tmp directories, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## + ## + ## The type of the object to be created. + ## +@@ -4646,6 +5577,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) 
@@ -10901,67 +11210,32 @@ index 64ff4d7..48e851f 100644 ') ######################################## -@@ -5223,26 +6107,26 @@ interface(`files_list_var',` +@@ -5223,6 +6164,24 @@ interface(`files_list_var',` ######################################## ## --## Create, read, write, and delete directories --## in the /var directory. +## Do not audit listing of the var directory (/var). - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`files_manage_var_dirs',` ++## ++## ++# +interface(`files_dontaudit_list_var',` - gen_require(` - type var_t; - ') - -- allow $1 var_t:dir manage_dir_perms; -+ dontaudit $1 var_t:dir list_dir_perms; - ') - - ######################################## - ## --## Read files in the /var directory. -+## Create, read, write, and delete directories -+## in the /var directory. - ## - ## - ## -@@ -5250,7 +6134,25 @@ interface(`files_manage_var_dirs',` - ## - ## - # --interface(`files_read_var_files',` -+interface(`files_manage_var_dirs',` + gen_require(` + type var_t; + ') + -+ allow $1 var_t:dir manage_dir_perms; ++ dontaudit $1 var_t:dir list_dir_perms; +') + +######################################## +## -+## Read files in the /var directory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_var_files',` - gen_require(` - type var_t; - ') -@@ -5578,6 +6480,25 @@ interface(`files_read_var_lib_symlinks',` + ## Create, read, write, and delete directories + ## in the /var directory. + ## +@@ -5578,6 +6537,25 @@ interface(`files_read_var_lib_symlinks',` read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') @@ -10987,7 +11261,7 @@ index 64ff4d7..48e851f 100644 # cjp: the next two interfaces really need to be fixed # in some way. They really neeed their own types. -@@ -5623,7 +6544,7 @@ interface(`files_manage_mounttab',` +@@ -5623,7 +6601,7 @@ interface(`files_manage_mounttab',` ######################################## ## 
@@ -10996,7 +11270,7 @@ index 64ff4d7..48e851f 100644 ## ## ## -@@ -5631,12 +6552,13 @@ interface(`files_manage_mounttab',` +@@ -5631,12 +6609,13 @@ interface(`files_manage_mounttab',` ## ## # @@ -11012,7 +11286,7 @@ index 64ff4d7..48e851f 100644 ') ######################################## -@@ -5654,6 +6576,7 @@ interface(`files_search_locks',` +@@ -5654,6 +6633,7 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -11020,7 +11294,7 @@ index 64ff4d7..48e851f 100644 allow $1 var_lock_t:lnk_file read_lnk_file_perms; search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5680,7 +6603,26 @@ interface(`files_dontaudit_search_locks',` +@@ -5680,7 +6660,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## @@ -11048,7 +11322,7 @@ index 64ff4d7..48e851f 100644 ## ## ## -@@ -5688,13 +6630,12 @@ interface(`files_dontaudit_search_locks',` +@@ -5688,13 +6687,12 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -11065,7 +11339,7 @@ index 64ff4d7..48e851f 100644 ') ######################################## -@@ -5713,7 +6654,7 @@ interface(`files_rw_lock_dirs',` +@@ -5713,7 +6711,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -11074,7 +11348,7 @@ index 64ff4d7..48e851f 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5746,7 +6687,6 @@ interface(`files_create_lock_dirs',` +@@ -5746,7 +6744,6 @@ interface(`files_create_lock_dirs',` ## Domain allowed access. ## ## @@ -11082,7 +11356,7 @@ index 64ff4d7..48e851f 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5761,7 +6701,7 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5761,7 +6758,7 @@ interface(`files_relabel_all_lock_dirs',` ######################################## ## @@ -11091,7 +11365,7 @@ index 64ff4d7..48e851f 100644 ## ## ## -@@ -5769,13 +6709,33 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5769,13 +6766,33 @@ interface(`files_relabel_all_lock_dirs',` ## ## # 
@@ -11126,7 +11400,7 @@ index 64ff4d7..48e851f 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5791,13 +6751,12 @@ interface(`files_getattr_generic_locks',` +@@ -5791,13 +6808,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -11144,7 +11418,7 @@ index 64ff4d7..48e851f 100644 ') ######################################## -@@ -5816,9 +6775,7 @@ interface(`files_manage_generic_locks',` +@@ -5816,9 +6832,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -11155,7 +11429,7 @@ index 64ff4d7..48e851f 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5860,8 +6817,7 @@ interface(`files_read_all_locks',` +@@ -5860,8 +6874,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -11165,7 +11439,7 @@ index 64ff4d7..48e851f 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6839,7 @@ interface(`files_manage_all_locks',` +@@ -5883,8 +6896,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -11175,7 +11449,7 @@ index 64ff4d7..48e851f 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +6876,7 @@ interface(`files_lock_filetrans',` +@@ -5921,8 +6933,7 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -11185,7 +11459,7 @@ index 64ff4d7..48e851f 100644 filetrans_pattern($1, var_lock_t, $2, $3, $4) ') -@@ -5961,7 +6915,7 @@ interface(`files_setattr_pid_dirs',` +@@ -5961,7 +6972,7 @@ interface(`files_setattr_pid_dirs',` type var_run_t; ') @@ -11194,7 +11468,7 @@ index 64ff4d7..48e851f 100644 allow $1 var_run_t:dir setattr; ') -@@ -5981,10 +6935,48 @@ interface(`files_search_pids',` +@@ -5981,10 +6992,48 @@ interface(`files_search_pids',` type var_t, var_run_t; ') 
@@ -11243,7 +11517,7 @@ index 64ff4d7..48e851f 100644 ######################################## ## ## Do not audit attempts to search -@@ -6007,6 +6999,25 @@ interface(`files_dontaudit_search_pids',` +@@ -6007,6 +7056,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -11269,7 +11543,7 @@ index 64ff4d7..48e851f 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -6021,7 +7032,7 @@ interface(`files_list_pids',` +@@ -6021,7 +7089,7 @@ interface(`files_list_pids',` type var_t, var_run_t; ') @@ -11278,7 +11552,7 @@ index 64ff4d7..48e851f 100644 list_dirs_pattern($1, var_t, var_run_t) ') -@@ -6040,7 +7051,7 @@ interface(`files_read_generic_pids',` +@@ -6040,7 +7108,7 @@ interface(`files_read_generic_pids',` type var_t, var_run_t; ') @@ -11287,7 +11561,7 @@ index 64ff4d7..48e851f 100644 list_dirs_pattern($1, var_t, var_run_t) read_files_pattern($1, var_run_t, var_run_t) ') -@@ -6060,7 +7071,7 @@ interface(`files_write_generic_pid_pipes',` +@@ -6060,7 +7128,7 @@ interface(`files_write_generic_pid_pipes',` type var_run_t; ') @@ -11296,7 +11570,7 @@ index 64ff4d7..48e851f 100644 allow $1 var_run_t:fifo_file write; ') -@@ -6122,7 +7133,6 @@ interface(`files_pid_filetrans',` +@@ -6122,7 +7190,6 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -11304,7 +11578,7 @@ index 64ff4d7..48e851f 100644 filetrans_pattern($1, var_run_t, $2, $3, $4) ') -@@ -6151,6 +7161,24 @@ interface(`files_pid_filetrans_lock_dir',` +@@ -6151,6 +7218,24 @@ interface(`files_pid_filetrans_lock_dir',` ######################################## ## @@ -11329,7 +11603,7 @@ index 64ff4d7..48e851f 100644 ## Read and write generic process ID files. ## ## -@@ -6164,7 +7192,7 @@ interface(`files_rw_generic_pids',` +@@ -6164,7 +7249,7 @@ interface(`files_rw_generic_pids',` type var_t, var_run_t; ') 
@@ -11338,332 +11612,196 @@ index 64ff4d7..48e851f 100644 list_dirs_pattern($1, var_t, var_run_t) rw_files_pattern($1, var_run_t, var_run_t) ') -@@ -6231,55 +7259,43 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -6231,6 +7316,116 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## --## Read all process ID files. +## Relable all pid directories - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_read_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabel_all_pid_dirs',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, pidfile) -- read_files_pattern($1, pidfile, pidfile) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + relabel_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Delete all process IDs. ++') ++ ++######################################## ++## +## Delete all pid sockets - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`files_delete_all_pids',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_delete_all_pid_sockets',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:dir rmdir; -- allow $1 var_run_t:lnk_file delete_lnk_file_perms; -- delete_files_pattern($1, pidfile, pidfile) -- delete_fifo_files_pattern($1, pidfile, pidfile) -- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:sock_file delete_sock_file_perms; - ') - - ######################################## - ## --## Delete all process ID directories. 
++') ++ ++######################################## ++## +## Create all pid sockets - ## - ## - ## -@@ -6287,42 +7303,35 @@ interface(`files_delete_all_pids',` - ## - ## - # --interface(`files_delete_all_pid_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_create_all_pid_sockets',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- delete_dirs_pattern($1, pidfile, pidfile) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++') ++ ++######################################## ++## +## Create all pid named pipes - ## - ## - ## --## Domain alloed access. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` ++## ++## ++# +interface(`files_create_all_pid_pipes',` - gen_require(` - attribute pidfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) ++ gen_require(` ++ attribute pidfile; ++ ') ++ + allow $1 pidfile:fifo_file create_fifo_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. ++') ++ ++######################################## ++## +## Delete all pid named pipes - ## - ## - ## -@@ -6330,18 +7339,18 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_delete_all_pid_pipes',` - gen_require(` -- attribute polymember; ++ gen_require(` + attribute pidfile; - ') - -- allow $1 polymember:dir mounton; ++ ') ++ + allow $1 pidfile:fifo_file delete_fifo_file_perms; - ') - - ######################################## - ## --## Search the contents of generic spool --## directories (/var/spool). ++') ++ ++######################################## ++## +## manage all pidfile directories +## in the /var/run directory. - ## - ## - ## -@@ -6349,37 +7358,40 @@ interface(`files_mounton_all_poly_members',` - ## - ## - # --interface(`files_search_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_all_pid_dirs',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- search_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + manage_dirs_pattern($1,pidfile,pidfile) - ') - ++') + - ######################################## - ## --## Do not audit attempts to search generic --## spool directories. -+## Read all process ID files. ++ ++######################################## ++## + ## Read all process ID files. ## ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## -+## - # --interface(`files_dontaudit_search_spool',` -+interface(`files_read_all_pids',` +@@ -6243,12 +7438,86 @@ interface(`files_dontaudit_ioctl_all_pids',` + interface(`files_read_all_pids',` gen_require(` -- type var_spool_t; -+ attribute pidfile; + attribute pidfile; +- type var_t, var_run_t; + type var_t; ') -- dontaudit $1 var_spool_t:dir search_dir_perms; -+ list_dirs_pattern($1, var_t, pidfile) -+ read_files_pattern($1, pidfile, pidfile) +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + list_dirs_pattern($1, var_t, pidfile) + read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## List the contents of generic spool --## (/var/spool) directories. 
++') ++ ++######################################## ++## +## Relable all pid files - ## - ## - ## -@@ -6387,18 +7399,17 @@ interface(`files_dontaudit_search_spool',` - ## - ## - # --interface(`files_list_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabel_all_pid_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) ++ ') ++ + relabel_files_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool directories (/var/spool). ++') ++ ++######################################## ++## +## Execute generic programs in /var/run in the caller domain. - ## - ## - ## -@@ -6406,18 +7417,18 @@ interface(`files_list_spool',` - ## - ## - # --interface(`files_manage_generic_spool_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_exec_generic_pid_files',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ ') ++ + exec_files_pattern($1, var_run_t, var_run_t) - ') - - ######################################## - ## --## Read generic spool files. ++') ++ ++######################################## ++## +## manage all pidfiles +## in the /var/run directory. - ## - ## - ## -@@ -6425,19 +7436,18 @@ interface(`files_manage_generic_spool_dirs',` - ## - ## - # --interface(`files_read_generic_spool',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_all_pids',` - gen_require(` -- type var_t, var_spool_t; -+ attribute pidfile; - ') - -- list_dirs_pattern($1, var_t, var_spool_t) -- read_files_pattern($1, var_spool_t, var_spool_t) -+ manage_files_pattern($1,pidfile,pidfile) - ') - - ######################################## - ## --## Create, read, write, and delete generic --## spool files. 
-+## Mount filesystems on all polyinstantiation -+## member directories. - ## - ## - ## -@@ -6445,45 +7455,312 @@ interface(`files_read_generic_spool',` - ## - ## - # --interface(`files_manage_generic_spool',` -+interface(`files_mounton_all_poly_members',` - gen_require(` -- type var_t, var_spool_t; -+ attribute polymember; - ') - -- allow $1 var_t:dir search_dir_perms; -- manage_files_pattern($1, var_spool_t, var_spool_t) -+ allow $1 polymember:dir mounton; - ') - - ######################################## - ## --## Create objects in the spool directory --## with a private type with a type transition. -+## Delete all process IDs. - ## - ## - ## - ## Domain allowed access. - ## - ## --## --## --## Type to which the created node will be transitioned. --## --## --## --## --## Object class(es) (single or set including {}) for which this --## the transition will occur. --## --## --## --## --## The name of the object being created. --## --## -+## - # --interface(`files_spool_filetrans',` -+interface(`files_delete_all_pids',` - gen_require(` -- type var_t, var_spool_t; ++ gen_require(` + attribute pidfile; -+ type var_t, var_run_t; + ') + -+ files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ allow $1 var_run_t:dir rmdir; -+ allow $1 var_run_t:lnk_file delete_lnk_file_perms; -+ delete_files_pattern($1, pidfile, pidfile) -+ delete_fifo_files_pattern($1, pidfile, pidfile) -+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ manage_files_pattern($1,pidfile,pidfile) +') + +######################################## +## -+## Delete all process ID directories. ++## Mount filesystems on all polyinstantiation ++## member directories. +## +## +## 
@@ -11671,19 +11809,39 @@ index 64ff4d7..48e851f 100644 +## +## +# -+interface(`files_delete_all_pid_dirs',` ++interface(`files_mounton_all_poly_members',` + gen_require(` -+ attribute pidfile; -+ type var_t, var_run_t; ++ attribute polymember; + ') + ++ allow $1 polymember:dir mounton; + ') + + ######################################## +@@ -6268,8 +7537,8 @@ interface(`files_delete_all_pids',` + type var_t, var_run_t; + ') + + files_search_pids($1) -+ allow $1 var_t:dir search_dir_perms; -+ delete_dirs_pattern($1, pidfile, pidfile) -+') -+ -+######################################## -+## + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + allow $1 var_run_t:dir rmdir; + allow $1 var_run_t:lnk_file delete_lnk_file_perms; + delete_files_pattern($1, pidfile, pidfile) +@@ -6293,36 +7562,80 @@ interface(`files_delete_all_pid_dirs',` + type var_t, var_run_t; + ') + ++ files_search_pids($1) + allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; + delete_dirs_pattern($1, pidfile, pidfile) + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content +## Make the specified type a file +## used for spool files. +## 
@@ -11733,36 +11891,47 @@ index 64ff4d7..48e851f 100644 +######################################## +## +## Create all spool sockets -+## -+## -+## + ## + ## + ## +-## Domain alloed access. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_manage_all_pids',` +interface(`files_create_all_spool_sockets',` -+ gen_require(` + gen_require(` +- attribute pidfile; + attribute spoolfile; -+ ') -+ + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) + allow $1 spoolfile:sock_file create_sock_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. +## Delete all spool sockets -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6330,12 +7643,33 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` +interface(`files_delete_all_spool_sockets',` -+ gen_require(` + gen_require(` +- attribute polymember; + attribute spoolfile; -+ ') -+ + ') + +- allow $1 polymember:dir mounton; + allow $1 spoolfile:sock_file delete_sock_file_perms; +') + 
@@ -11785,158 +11954,10 @@ index 64ff4d7..48e851f 100644 + ') + + relabel_dirs_pattern($1, spoolfile, spoolfile) -+') -+ -+######################################## -+## -+## Search the contents of generic spool -+## directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_search_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ search_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to search generic -+## spool directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_search_spool',` -+ gen_require(` -+ type var_spool_t; -+ ') -+ -+ dontaudit $1 var_spool_t:dir search_dir_perms; -+') -+ -+######################################## -+## -+## List the contents of generic spool -+## (/var/spool) directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_list_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_manage_generic_spool_dirs',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Read generic spool files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_read_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ list_dirs_pattern($1, var_t, var_spool_t) -+ read_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create, read, write, and delete generic -+## spool files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`files_manage_generic_spool',` -+ gen_require(` -+ type var_t, var_spool_t; -+ ') -+ -+ allow $1 var_t:dir search_dir_perms; -+ manage_files_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## -+## Create objects in the spool directory -+## with a private type with a type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Type to which the created node will be transitioned. -+## -+## -+## -+## -+## Object class(es) (single or set including {}) for which this -+## the transition will occur. -+## -+## -+## -+## -+## The name of the object being created. -+## -+## -+# -+interface(`files_spool_filetrans',` -+ gen_require(` -+ type var_t, var_spool_t; - ') + ') - allow $1 var_t:dir search_dir_perms; -@@ -6562,3 +7839,509 @@ interface(`files_unconfined',` + ######################################## +@@ -6562,3 +7896,509 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -14147,7 +14168,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..bb7d1a2 100644 +index 649e458..dcb1def 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -14489,7 +14510,7 @@ index 649e458..bb7d1a2 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3182,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3182,319 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; 
@@ -14790,6 +14811,25 @@ index 649e458..bb7d1a2 100644 + kernel_search_vm_sysctl($1) + rw_files_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ++') ++ ++######################################## ++## ++## Allow caller to read kernel messages ++## using the /proc/kmsg interface. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_messages',` ++ gen_require(` ++ type proc_kmsg_t, proc_t; ++ ') ++ ++ allow $1 proc_kmsg_t:dir mounton; ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 6fac350..5a087a7 100644 @@ -16154,7 +16194,7 @@ index 7d45d15..22c9cfe 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 771bce1..5bbf50b 100644 +index 771bce1..e3722ab 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` @@ -16381,7 +16421,33 @@ index 771bce1..5bbf50b 100644 ## ## # -@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1165,6 +1282,25 @@ interface(`term_relabel_unallocated_ttys',` + + ######################################## + ## ++## Mounton unallocated tty device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`term_mounton_unallocated_ttys',` ++ gen_require(` ++ type tty_device_t; ++ ') ++ ++ allow $1 tty_device_t:chr_file mounton; ++') ++ ++######################################## ++## + ## Relabel from all user tty types to + ## the unallocated tty type. + ## +@@ -1259,7 +1395,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') 
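Review bot: The summary of `kernel_mounton_messages` says the caller may read kernel messages through /proc/kmsg, but the only rule in the body is `allow $1 proc_kmsg_t:dir mounton;`, so the documentation and the interface disagree; either the summary should become `## Allow caller to mount on the /proc/kmsg node.` or the rule should match the text. `proc_t` is pulled in by gen_require but never referenced and can be dropped from that list. If proc_kmsg_t only labels the /proc/kmsg file node (as a genfscon entry normally does), the `dir` class will never match and `file` is probably the class the motivating denial reported — worth confirming against the audit record before this ships.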
@@ -16430,7 +16496,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1451,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` @@ -16444,7 +16510,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1474,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -16457,7 +16523,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1557,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -16486,7 +16552,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1596,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -16495,7 +16561,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1704,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -16504,7 +16570,7 @@ index 771bce1..5bbf50b 100644 ## ## # -@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1512,3 +1712,436 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -17062,7 +17128,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..834a511 100644 +index 5da7870..ac03ca2 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,70 @@ policy_module(staff, 2.3.1) 
@@ -17136,7 +17202,7 @@ index 5da7870..834a511 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +81,106 @@ optional_policy(` +@@ -23,11 +81,111 @@ optional_policy(` ') optional_policy(` @@ -17169,6 +17235,11 @@ index 5da7870..834a511 100644 +') + +optional_policy(` ++ docker_stream_connect(staff_t) ++ docker_exec(staff_t) ++') ++ ++optional_policy(` + dmesg_exec(staff_t) +') + @@ -17244,7 +17315,7 @@ index 5da7870..834a511 100644 ') optional_policy(` -@@ -35,15 +188,31 @@ optional_policy(` +@@ -35,15 +193,31 @@ optional_policy(` ') optional_policy(` @@ -17278,7 +17349,7 @@ index 5da7870..834a511 100644 ') optional_policy(` -@@ -52,10 +221,55 @@ optional_policy(` +@@ -52,10 +226,55 @@ optional_policy(` ') optional_policy(` @@ -17334,7 +17405,7 @@ index 5da7870..834a511 100644 xserver_role(staff_r, staff_t) ') -@@ -65,10 +279,6 @@ ifndef(`distro_redhat',` +@@ -65,10 +284,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17345,7 +17416,7 @@ index 5da7870..834a511 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +288,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +293,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -17356,7 +17427,7 @@ index 5da7870..834a511 100644 ') optional_policy(` -@@ -101,10 +307,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +312,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17367,7 +17438,7 @@ index 5da7870..834a511 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +327,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +332,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17378,7 +17449,7 @@ index 5da7870..834a511 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +339,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +344,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
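Review bot: The new `docker_stream_connect(staff_t)` / `docker_exec(staff_t)` block gives the staff role control of the docker daemon unconditionally; a domain that can drive that socket can have the daemon start containers with the daemon's own privileges, so this widens what staff_r can do on the host well beyond the per-application grants around it. It should at least carry a comment saying so, e.g. `# docker socket access is effectively root-equivalent; deliberately granted to staff_r`, and arguably sit behind a tunable so deployments that do not want staff driving docker can turn it off. The surrounding optional_policy list continues outside the hunk.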
@@ -17389,7 +17460,7 @@ index 5da7870..834a511 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +370,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +375,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -18075,10 +18146,10 @@ index 0000000..0e8654b +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..cf6582f +index 0000000..1e950b2 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,613 @@ +@@ -0,0 +1,637 @@ +## Unconfiend user role + +######################################## @@ -18692,6 +18763,30 @@ index 0000000..cf6582f + allow $1 self:tun_socket relabelto; +') + ++######################################## ++## ++## Allow domain to transition to unconfined_t user ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_transition',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ domtrans_pattern($1,$2,unconfined_t) ++ allow unconfined_t $2:file entrypoint; ++ allow $1 unconfined_t:process signal_perms; ++') diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 index 0000000..f312edf @@ -25425,7 +25520,7 @@ index 3efd5b6..f0151a8 100644 +') + diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..f263075 100644 +index 104037e..2e237d6 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) 
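Review bot: In `unconfined_transition` the second parameter is documented as `Domain allowed access.`, identical to the first, but it is used as the entrypoint type (`allow unconfined_t $2:file entrypoint;` and the middle argument of domtrans_pattern), so its param block should read `## Entrypoint executable type for the transition to unconfined_t.` The summary should also state the weight of what is granted, since a caller leaves confinement entirely once it reaches unconfined_t, e.g. `## Transition to the unconfined user domain via the given entrypoint type; the caller loses all confinement on that path.` For consistency with the rest of this file write `domtrans_pattern($1, $2, unconfined_t)` with spaces after the commas.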
@@ -25690,17 +25785,36 @@ index 104037e..f263075 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +447,21 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +447,41 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) --tunable_policy(`authlogin_nsswitch_use_ldap',` -- files_list_var_lib(nsswitch_domain) +systemd_hostnamed_read_config(nsswitch_domain) ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` ++ allow nsswitch_domain self:tcp_socket create_socket_perms; ++') ++ + tunable_policy(`authlogin_nsswitch_use_ldap',` +- files_list_var_lib(nsswitch_domain) ++ corenet_tcp_sendrecv_generic_if(nsswitch_domain) ++ corenet_tcp_sendrecv_generic_node(nsswitch_domain) ++ corenet_tcp_sendrecv_ldap_port(nsswitch_domain) ++ corenet_tcp_connect_ldap_port(nsswitch_domain) ++ corenet_sendrecv_ldap_client_packets(nsswitch_domain) ++') +tunable_policy(`authlogin_nsswitch_use_ldap',` ++ # Support for LDAPS ++ dev_read_rand(nsswitch_domain) ++ # LDAP Configuration using encrypted requires ++ dev_read_urand(nsswitch_domain) ++ sysnet_read_config(nsswitch_domain) ++') ++ ++tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) - sysnet_use_ldap(nsswitch_domain) +- sysnet_use_ldap(nsswitch_domain) ') optional_policy(` @@ -25711,10 +25825,11 @@ index 104037e..f263075 100644 + +optional_policy(` + tunable_policy(`authlogin_nsswitch_use_ldap',` ++ ldap_read_certs(nsswitch_domain) ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +474,7 @@ optional_policy(` +@@ -438,6 +494,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -25722,7 +25837,7 @@ index 104037e..f263075 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +493,8 @@ optional_policy(` +@@ -456,6 +513,8 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) 
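Review bot: The comment `# LDAP Configuration using encrypted requires` in the third tunable_policy block stops mid-sentence (it is copied from sysnet_use_ldap, where it has the same defect); say what is required, e.g. `# TLS-protected LDAP needs /dev/urandom for key material`. The four consecutive tunable_policy blocks on authlogin_nsswitch_use_ldap reproduce the body of sysnet_use_ldap() by hand, presumably because that interface now carries an optional_policy block and, as far as I recall the module grammar, can no longer be called from inside a conditional; a one-line comment above the first block saying so would keep the next maintainer from folding them back into a single sysnet_use_ldap() call. Splitting one condition into four blocks is otherwise unexplained — if it is only for readability, one block holding the same rules would do.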
@@ -25731,7 +25846,7 @@ index 104037e..f263075 100644 ') optional_policy(` -@@ -463,3 +502,133 @@ optional_policy(` +@@ -463,3 +522,133 @@ optional_policy(` samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -31822,7 +31937,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index e8c59a5..d2df072 100644 +index e8c59a5..b22837c 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -32050,10 +32165,14 @@ index e8c59a5..d2df072 100644 bootloader_rw_tmp_files(lvm_t) ') -@@ -333,14 +374,26 @@ optional_policy(` +@@ -333,14 +374,30 @@ optional_policy(` ') optional_policy(` ++ docker_rw_sem(lvm_t) ++') ++ ++optional_policy(` + livecd_rw_semaphores(lvm_t) +') + @@ -35254,7 +35373,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..a76e22c 100644 +index 6944526..1714f5b 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` 
@@ -35511,17 +35630,21 @@ index 6944526..a76e22c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +883,13 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) + + # LDAP Configuration using encrypted requires + dev_read_urand($1) ++ ++ optional_policy(` ++ ldap_read_certs($1) ++ ') ') ######################################## -@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +911,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -35529,7 +35652,7 @@ index 6944526..a76e22c 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +918,114 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +922,114 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') @@ -39442,7 +39565,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..0aa6db0 100644 +index 3c5dba7..a44c781 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40079,7 +40202,7 @@ index 3c5dba7..0aa6db0 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +687,124 @@ template(`userdom_common_user_template',` +@@ -546,93 +687,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -40192,10 +40315,6 @@ index 3c5dba7..0aa6db0 100644 + kde_dbus_chat_backlighthelper($1_usertype) + ') + -+ optional_policy(` -+ memcached_stream_connect($1_usertype) -+ ') -+ + optional_policy(` + modemmanager_dbus_chat($1_usertype) + ') 
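Review bot: Adding an optional_policy block around `ldap_read_certs($1)` changes the contract of `sysnet_use_ldap`: if I remember the module language correctly, optional blocks are not accepted inside conditionals, so any caller that invokes sysnet_use_ldap() from within tunable_policy() (authlogin.te did exactly that before this commit) stops building, which is presumably why that caller was inlined earlier in this patch. The restriction should be stated in the interface's header comment, e.g. `## Contains an optional_policy() block; do not call from inside tunable_policy().`, so future callers are not caught by it. The interface body starts outside the hunk.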
@@ -40242,7 +40361,7 @@ index 3c5dba7..0aa6db0 100644 ') optional_policy(` -@@ -642,23 +814,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -40271,7 +40390,7 @@ index 3c5dba7..0aa6db0 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +841,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -40280,7 +40399,7 @@ index 3c5dba7..0aa6db0 100644 ') optional_policy(` -@@ -680,9 +850,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -40293,7 +40412,7 @@ index 3c5dba7..0aa6db0 100644 ') ') -@@ -693,32 +863,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +859,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -40340,7 +40459,7 @@ index 3c5dba7..0aa6db0 100644 ') ') -@@ -743,17 +916,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -40378,7 +40497,7 @@ index 3c5dba7..0aa6db0 100644 userdom_change_password_template($1) -@@ -761,82 +950,101 @@ template(`userdom_login_user_template', ` +@@ -761,82 +946,101 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -40516,7 +40635,7 @@ index 3c5dba7..0aa6db0 100644 ') ') -@@ -868,6 +1076,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1072,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) 
@@ -40529,7 +40648,7 @@ index 3c5dba7..0aa6db0 100644 ############################## # # Local policy -@@ -907,42 +1121,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1117,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -40618,31 +40737,31 @@ index 3c5dba7..0aa6db0 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') - - optional_policy(` -- consolekit_dbus_chat($1_t) ++ ++ optional_policy(` + cups_dbus_chat($1_usertype) + cups_dbus_chat_config($1_usertype) - ') ++ ') optional_policy(` -- cups_dbus_chat($1_t) +- consolekit_dbus_chat($1_t) + devicekit_dbus_chat($1_usertype) + devicekit_dbus_chat_disk($1_usertype) + devicekit_dbus_chat_power($1_usertype) ') optional_policy(` -- gnome_role_template($1, $1_r, $1_t) +- cups_dbus_chat($1_t) + fprintd_dbus_chat($1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- gnome_role_template($1, $1_r, $1_t) + realmd_dbus_chat($1_t) ') optional_policy(` -@@ -951,12 +1222,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1218,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -40673,7 +40792,7 @@ index 3c5dba7..0aa6db0 100644 ') ####################################### -@@ -990,27 +1278,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1274,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -40711,7 +40830,7 @@ index 3c5dba7..0aa6db0 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,55 +1315,94 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1311,60 @@ template(`userdom_unpriv_user_template', ` ') ') 
@@ -40737,46 +40856,20 @@ index 3c5dba7..0aa6db0 100644 + + tunable_policy(`selinuxuser_tcp_server',` + corenet_tcp_bind_all_unreserved_ports($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cdrecord_role($1_r, $1_t) - ') - -- # Run pppd in pppd_t by default for user - optional_policy(` -- ppp_run_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cron_role($1_r, $1_t) - ') - - optional_policy(` -- setroubleshoot_stream_connect($1_t) ++ ') ++ ++ optional_policy(` + games_rw_data($1_usertype) - ') --') - --####################################### --## --## The template for creating an administrative user. --## --## --##

--## This template creates a user domain, types, and --## rules for the user's tty, pty, home directories, --## tmp, and tmpfs files. --##

--##

--## The privileges given to administrative users are: --##

    --##
  • Raw disk access
  • --##
  • Set all sysctls
  • --##
  • All kernel ring buffer controls
  • --##
  • Create, read, write, and delete all files but shadow
  • --##
  • Manage source and binary format SELinux policy
  • --##
  • Run insmod
  • --##
++ ') ++ + optional_policy(` + gpg_role($1_r, $1_usertype) + ') @@ -40798,49 +40891,28 @@ index 3c5dba7..0aa6db0 100644 + + optional_policy(` + wine_role_template($1, $1_r, $1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) -+ ') -+ -+ # Run pppd in pppd_t by default for user -+ optional_policy(` -+ ppp_run_cond($1_t, $1_r) -+ ') -+ -+ optional_policy(` + ') + + # Run pppd in pppd_t by default for user +@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', ` + ') + + optional_policy(` +- setroubleshoot_stream_connect($1_t) + vdagent_getattr_log($1_t) + vdagent_getattr_exec_files($1_t) + vdagent_stream_connect($1_t) -+ ') -+') -+ -+####################################### -+## -+## The template for creating an administrative user. -+## -+## -+##

-+## This template creates a user domain, types, and -+## rules for the user's tty, pty, home directories, -+## tmp, and tmpfs files. -+##

-+##

-+## The privileges given to administrative users are: -+##

    -+##
  • Raw disk access
  • -+##
  • Set all sysctls
  • -+##
  • All kernel ring buffer controls
  • -+##
  • Create, read, write, and delete all files but shadow
  • -+##
  • Manage source and binary format SELinux policy
  • -+##
  • Run insmod
  • -+##
- ##

- ##
- ## -@@ -1082,7 +1415,7 @@ template(`userdom_unpriv_user_template', ` + ') + ') + +@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -40849,7 +40921,7 @@ index 3c5dba7..0aa6db0 100644 ') ############################## -@@ -1109,6 +1442,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40857,7 +40929,7 @@ index 3c5dba7..0aa6db0 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1451,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -40867,7 +40939,7 @@ index 3c5dba7..0aa6db0 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1468,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -40875,7 +40947,7 @@ index 3c5dba7..0aa6db0 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1486,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40890,7 +40962,7 @@ index 3c5dba7..0aa6db0 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1504,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1500,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -40933,7 +41005,7 @@ index 3c5dba7..0aa6db0 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1545,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40942,7 +41014,7 @@ index 3c5dba7..0aa6db0 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1554,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40961,7 +41033,7 @@ index 3c5dba7..0aa6db0 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1610,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40970,7 +41042,7 @@ index 3c5dba7..0aa6db0 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1624,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40982,7 +41054,7 @@ index 3c5dba7..0aa6db0 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1638,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) 
@@ -41025,7 +41097,7 @@ index 3c5dba7..0aa6db0 100644 ') optional_policy(` -@@ -1360,14 +1723,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -41044,7 +41116,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -1408,6 +1774,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -41096,7 +41168,7 @@ index 3c5dba7..0aa6db0 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1923,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -41128,7 +41200,7 @@ index 3c5dba7..0aa6db0 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1989,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -41143,7 +41215,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -1573,9 +2012,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -41155,7 +41227,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -1632,6 +2073,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') 
@@ -41198,7 +41270,7 @@ index 3c5dba7..0aa6db0 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2188,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -41207,7 +41279,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -1744,10 +2223,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -41222,7 +41294,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -1772,7 +2253,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2249,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -41249,7 +41321,7 @@ index 3c5dba7..0aa6db0 100644 ## ## ## -@@ -1782,49 +2281,67 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,49 +2277,67 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -41329,7 +41401,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -1848,6 +2365,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2361,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -41355,7 +41427,7 @@ index 3c5dba7..0aa6db0 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2414,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2410,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; 
@@ -41393,7 +41465,7 @@ index 3c5dba7..0aa6db0 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2454,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2450,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` 
@@ -41411,148 +41483,89 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -1941,7 +2502,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2498,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## -## Delete all user home content files. +## Delete files in a user home subdirectory. - ## - ## - ## -@@ -1949,19 +2510,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` - ## - ## - # --interface(`userdom_delete_all_user_home_content_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_delete_user_home_content_files',` - gen_require(` -- attribute user_home_content_type; -- type user_home_dir_t; ++ gen_require(` + type user_home_t; - ') - -- userdom_search_user_home_content($1) -- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) ++ ') ++ + allow $1 user_home_t:file delete_file_perms; - ') - - ######################################## - ## --## Delete files in a user home subdirectory. ++') ++ ++######################################## ++## +## Delete all files in a user home subdirectory. 
## ## ## -@@ -1969,35 +2528,35 @@ interface(`userdom_delete_all_user_home_content_files',` - ## - ## +@@ -1951,17 +2526,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # --interface(`userdom_delete_user_home_content_files',` -+interface(`userdom_delete_all_user_home_content_files',` + interface(`userdom_delete_all_user_home_content_files',` gen_require(` -- type user_home_t; +- attribute user_home_content_type; +- type user_home_dir_t; + attribute user_home_type; ') -- allow $1 user_home_t:file delete_file_perms; +- userdom_search_user_home_content($1) +- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type) + allow $1 user_home_type:file delete_file_perms; ') ######################################## ## --## Do not audit attempts to write user home files. +-## Delete files in a user home subdirectory. +## Delete sock files in a user home subdirectory. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -1969,12 +2542,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # --interface(`userdom_dontaudit_relabel_user_home_content_files',` +-interface(`userdom_delete_user_home_content_files',` +interface(`userdom_delete_user_home_content_sock_files',` gen_require(` type user_home_t; ') -- dontaudit $1 user_home_t:file relabel_file_perms; +- allow $1 user_home_t:file delete_file_perms; + allow $1 user_home_t:sock_file delete_file_perms; - ') - - ######################################## - ## --## Read user home subdirectory symbolic links. -+## Delete all sock files in a user home subdirectory. 
- ## - ## - ## -@@ -2005,45 +2564,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` - ## - ## - # --interface(`userdom_read_user_home_content_symlinks',` -+interface(`userdom_delete_all_user_home_content_sock_files',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_type; - ') - -- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) -+ allow $1 user_home_type:sock_file delete_file_perms; - ') - - ######################################## - ## --## Execute user home files. -+## Delete all files in a user home subdirectory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`userdom_exec_user_home_content_files',` -+interface(`userdom_delete_all_user_home_content',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_type; - ') - -- files_search_home($1) -- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ allow $1 user_home_type:dir_file_class_set delete_file_perms; +') - -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1) ++ +######################################## +## -+## Do not audit attempts to write user home files. ++## Delete all sock files in a user home subdirectory. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`userdom_dontaudit_relabel_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content_sock_files',` + gen_require(` -+ type user_home_t; - ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -+ dontaudit $1 user_home_t:file relabel_file_perms; ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:sock_file delete_file_perms; +') + +######################################## +## -+## Read user home subdirectory symbolic links. ++## Delete all files in a user home subdirectory. +## +## +## 
@@ -41560,42 +41573,51 @@ index 3c5dba7..0aa6db0 100644 +## +## +# -+interface(`userdom_read_user_home_content_symlinks',` ++interface(`userdom_delete_all_user_home_content',` + gen_require(` -+ type user_home_dir_t, user_home_t; - ') ++ attribute user_home_type; ++ ') + ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; + ') + + ######################################## +@@ -2010,8 +2619,7 @@ interface(`userdom_read_user_home_content_symlinks',` + type user_home_dir_t, user_home_t; + ') + +- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) + allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ') ######################################## - ## -+## Execute user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_exec_user_home_content_files',` -+ gen_require(` +@@ -2027,20 +2635,14 @@ interface(`userdom_read_user_home_content_symlinks',` + # + interface(`userdom_exec_user_home_content_files',` + gen_require(` +- type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; -+ ') -+ -+ files_search_home($1) + ') + + files_search_home($1) +- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; -+ ') -+ -+######################################## -+## - ## Do not audit attempts to execute user home files. - ## - ## -@@ -2123,7 +2729,7 @@ interface(`userdom_manage_user_home_content_symlinks',` + ') +-') + + ######################################## + ## +@@ -2123,7 +2725,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## 
@@ -41604,7 +41626,7 @@ index 3c5dba7..0aa6db0 100644 ## ## ## -@@ -2131,19 +2737,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2733,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -41628,7 +41650,7 @@ index 3c5dba7..0aa6db0 100644 ## ## ## -@@ -2151,12 +2755,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2751,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -41644,7 +41666,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -2393,11 +2997,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2993,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -41659,7 +41681,7 @@ index 3c5dba7..0aa6db0 100644 files_search_tmp($1) ') -@@ -2417,7 +3021,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3017,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -41668,7 +41690,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -2664,6 +3268,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3264,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -41694,7 +41716,7 @@ index 3c5dba7..0aa6db0 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3303,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3299,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -41710,7 +41732,7 @@ index 3c5dba7..0aa6db0 100644 ## ## ## -@@ -2707,7 +3331,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3327,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## 
@@ -41719,7 +41741,7 @@ index 3c5dba7..0aa6db0 100644 ## ## ## -@@ -2715,14 +3339,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3335,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -41754,7 +41776,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -2817,6 +3457,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3453,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -41779,7 +41801,7 @@ index 3c5dba7..0aa6db0 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3493,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3489,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -41822,7 +41844,7 @@ index 3c5dba7..0aa6db0 100644 ## ## ## -@@ -2859,14 +3529,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3525,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41860,7 +41882,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -2885,8 +3574,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3570,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41890,7 +41912,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -2958,69 +3666,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3662,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41991,7 +42013,7 @@ index 3c5dba7..0aa6db0 100644 ## ## ## -@@ -3028,12 +3735,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3731,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # 
@@ -42006,7 +42028,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -3097,7 +3804,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3800,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -42015,7 +42037,7 @@ index 3c5dba7..0aa6db0 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3820,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3816,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -42049,7 +42071,7 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -3217,7 +3908,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3904,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -42076,67 +42098,18 @@ index 3c5dba7..0aa6db0 100644 ') ######################################## -@@ -3272,12 +3981,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3977,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Do not audit attempts to use user ttys. ++') ++ ++######################################## ++## +## Do not audit attempts to write users +## temporary files. - ## - ## - ## -@@ -3285,36 +3995,112 @@ interface(`userdom_write_user_tmp_files',` - ## - ## - # --interface(`userdom_dontaudit_use_user_ttys',` -+interface(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` -- type user_tty_device_t; -+ type user_tmp_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tmp_t:file write; - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Do not audit attempts to delete users -+## temporary files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_dontaudit_delete_user_tmp_files',` - gen_require(` -- attribute userdomain; -+ type user_tmp_t; - ') - -- read_files_pattern($1, userdomain, userdomain) -- kernel_search_proc($1) -+ dontaudit $1 user_tmp_t:file delete_file_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Do not audit attempts to read/write users -+## temporary fifo files. +## +## +## 
@@ -42144,36 +42117,37 @@ index 3c5dba7..0aa6db0 100644 +## +## +# -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` + type user_tmp_t; + ') + -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file write; +') + +######################################## +## -+## Allow domain to read/write inherited users -+## fifo files. ++## Do not audit attempts to delete users ++## temporary files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_rw_inherited_user_pipes',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file delete_file_perms; +') + +######################################## +## -+## Do not audit attempts to use user ttys. ++## Do not audit attempts to read/write users ++## temporary fifo files. +## +## +## @@ -42181,17 +42155,18 @@ index 3c5dba7..0aa6db0 100644 +## +## +# -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` -+ type user_tty_device_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Read the process state of all user domains. ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## 
@@ -42199,47 +42174,108 @@ index 3c5dba7..0aa6db0 100644 +## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; + ') + -+ read_files_pattern($1, userdomain, userdomain) ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -3290,7 +4071,7 @@ interface(`userdom_dontaudit_use_user_ttys',` + type user_tty_device_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## +@@ -3309,6 +4090,7 @@ interface(`userdom_read_all_users_state',` + ') + + read_files_pattern($1, userdomain, userdomain) + read_lnk_files_pattern($1,userdomain,userdomain) -+ kernel_search_proc($1) -+') -+ -+######################################## -+## -+## Get the attributes of all user domains. - ## - ## - ## -@@ -3385,6 +4171,42 @@ interface(`userdom_signal_all_users',` + kernel_search_proc($1) + ') + +@@ -3385,27 +4167,27 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') +-######################################## +####################################### -+## + ## +-## Send a SIGCHLD signal to all user domains. +## Send signull to all user domains. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`userdom_sigchld_all_users',` +- gen_require(` +- attribute userdomain; +- ') +interface(`userdom_signull_all_users',` + gen_require(` + attribute userdomain; + ') -+ + +- allow $1 userdomain:process sigchld; + allow $1 userdomain:process signull; + ') + + ######################################## + ## +-## Create keys for all user domains. ++## Send kill signals to all user domains. 
+ ## + ## + ## +@@ -3413,17 +4195,17 @@ interface(`userdom_sigchld_all_users',` + ## + ## + # +-interface(`userdom_create_all_users_keys',` ++interface(`userdom_kill_all_users',` + gen_require(` + attribute userdomain; + ') + +- allow $1 userdomain:key create; ++ allow $1 userdomain:process sigkill; + ') + + ######################################## + ## +-## Send a dbus message to all user domains. ++## Send a SIGCHLD signal to all user domains. + ## + ## + ## +@@ -3431,11 +4213,1552 @@ interface(`userdom_create_all_users_keys',` + ## + ## + # +-interface(`userdom_dbus_send_all_users',` ++interface(`userdom_sigchld_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process sigchld; +') + +######################################## +## -+## Send kill signals to all user domains. ++## Read keys for all user domains. +## +## +## @@ -42247,22 +42283,17 @@ index 3c5dba7..0aa6db0 100644 +## +## +# -+interface(`userdom_kill_all_users',` ++interface(`userdom_read_all_users_keys',` + gen_require(` + attribute userdomain; + ') + -+ allow $1 userdomain:process sigkill; ++ allow $1 userdomain:key read; +') + - ######################################## - ## - ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4227,24 @@ interface(`userdom_sigchld_all_users',` - - ######################################## - ## -+## Read keys for all user domains. ++######################################## ++## ++## Create keys for all user domains. +## +## +## 
@@ -42270,20 +42301,28 @@ index 3c5dba7..0aa6db0 100644 +## +## +# -+interface(`userdom_read_all_users_keys',` ++interface(`userdom_create_all_users_keys',` + gen_require(` + attribute userdomain; + ') + -+ allow $1 userdomain:key read; ++ allow $1 userdomain:key create; +') + +######################################## +## - ## Create keys for all user domains. - ## - ## -@@ -3438,4 +4278,1491 @@ interface(`userdom_dbus_send_all_users',` ++## Send a dbus message to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_dbus_send_all_users',` + gen_require(` + attribute userdomain; + class dbus send_msg; ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index daa3ee0..95f8e9b 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -7021,7 +7021,7 @@ index f3c0aba..b6afc90 100644 + allow $1 apcupsd_unit_file_t:service all_service_perms; ') diff --git a/apcupsd.te b/apcupsd.te -index b236327..3128e78 100644 +index b236327..a26255d 100644 --- a/apcupsd.te +++ b/apcupsd.te @@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) @@ -7061,7 +7061,7 @@ index b236327..3128e78 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +75,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +75,24 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) @@ -7069,8 +7069,8 @@ index b236327..3128e78 100644 files_manage_etc_runtime_files(apcupsd_t) files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin") - term_use_unallocated_ttys(apcupsd_t) -+term_use_usb_ttys(apcupsd_t) +-term_use_unallocated_ttys(apcupsd_t) ++term_use_all_terms(apcupsd_t) -logging_send_syslog_msg(apcupsd_t) +#apcupsd runs shutdown, probably need a shutdown domain 
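Review bot: `term_use_all_terms(apcupsd_t)` widens the daemon from the unallocated ttys it had before to read/write on every tty and pty on the system, which is what a wall(1) broadcast needs but also lets a compromised apcupsd_t (network-reachable over the SNMP ports bound a few lines above) read from, and to the extent the rw term permission set carries ioctl, interfere with, every interactive user session. If the terminal module offers a write-only or broadcast-oriented interface, prefer it; otherwise pin the reason so the grant is not widened further later: `# wall(1) at shutdown: apcupsd must write to every user terminal`. The dropped `term_use_usb_ttys` is presumably subsumed only if usbtty_device_t is a ttynode; worth confirming before merging. The apcupsd_t rule block continues outside this hunk.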
@@ -7091,7 +7091,7 @@ index b236327..3128e78 100644 optional_policy(` hostname_exec(apcupsd_t) -@@ -112,7 +119,6 @@ optional_policy(` +@@ -112,7 +118,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -11032,10 +11032,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..307b083 +index 0000000..66d3c1f --- /dev/null +++ b/chrome.te -@@ -0,0 +1,242 @@ +@@ -0,0 +1,243 @@ +policy_module(chrome,1.0.0) + +######################################## @@ -11164,6 +11164,7 @@ index 0000000..307b083 +userdom_manage_home_certs(chrome_sandbox_t) + +optional_policy(` ++ gnome_exec_config_home_files(chrome_sandbox_t) + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_read_home_config(chrome_sandbox_t) + gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") @@ -20615,7 +20616,7 @@ index c697edb..31d45bf 100644 + allow $1 dhcpd_unit_file_t:service all_service_perms; ') diff --git a/dhcp.te b/dhcp.te -index c93c3db..cdb4d60 100644 +index c93c3db..e97c711 100644 --- a/dhcp.te +++ b/dhcp.te @@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t) @@ -20644,7 +20645,7 @@ index c93c3db..cdb4d60 100644 files_read_etc_runtime_files(dhcpd_t) files_search_var_lib(dhcpd_t) -@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t) +@@ -102,22 +103,41 @@ auth_use_nsswitch(dhcpd_t) logging_send_syslog_msg(dhcpd_t) 
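Review bot: `gnome_exec_config_home_files(chrome_sandbox_t)` lets the sandbox domain execute config_home_t, which going by the type name is the user's ~/.config tree and therefore writable by the user's own domain; executing user-writable content from the sandboxed domain is the kind of path a sandbox escape benefits from, and the hunk gives no hint which helper needs it. Prefer labelling the specific binary with its own type (plus a filetrans) and executing that, or at minimum record the reason next to the call: `# chrome launches helpers stored under ~/.config (config_home_t); keep this scoped to chrome_sandbox_t only`. The interface is presumably defined in gnome.if elsewhere in this patch and is not visible here. The enclosing `optional_policy(` block opens in the hunk but closes outside it.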
@@ -20653,14 +20654,29 @@ index c93c3db..cdb4d60 100644 sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) -@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',` - sysnet_use_ldap(dhcpd_t) - ') + userdom_dontaudit_search_user_home_dirs(dhcpd_t) -+ifdef(`distro_gentoo',` -+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; + tunable_policy(`dhcpd_use_ldap',` +- sysnet_use_ldap(dhcpd_t) ++ allow dhcpd_t self:tcp_socket create_socket_perms; ++') ++ ++tunable_policy(`dhcpd_use_ldap',` ++ corenet_tcp_sendrecv_generic_if(dhcpd_t) ++ corenet_tcp_sendrecv_generic_node(dhcpd_t) ++ corenet_tcp_sendrecv_ldap_port(dhcpd_t) ++ corenet_tcp_connect_ldap_port(dhcpd_t) ++ corenet_sendrecv_ldap_client_packets(dhcpd_t) +') + ++tunable_policy(`dhcpd_use_ldap',` ++ ldap_read_certs(dhcpd_t) ++') ++ ++ifdef(`distro_gentoo',` ++ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; + ') + optional_policy(` + # used for dynamic DNS bind_read_dnssec_keys(dhcpd_t) 
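Review bot: The new `tunable_policy(`dhcpd_use_ldap',` ldap_read_certs(dhcpd_t) ')` block calls an interface of the ldap module without an `optional_policy()` wrapper, so the policy will fail to build whenever the ldap module is absent; the other two blocks only use self and corenet rules and are fine, and splitting the tunable three ways only makes sense if the third one is wrapped, e.g. `optional_policy(` tunable_policy(`dhcpd_use_ldap',` ldap_read_certs(dhcpd_t) ') ')`. Also, replacing `sysnet_use_ldap(dhcpd_t)` with an explicit corenet list drops whatever else that interface granted (presumably the random-device and etc reads an LDAPS client needs), so confirm dhcpd still comes up with LDAP enabled rather than only reading certs. dhcp.te continues outside this hunk.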
@@ -22138,6 +22154,678 @@ index ef36d73..fddd51f 100644 sysnet_dns_name_resolve(dnssec_triggerd_t) sysnet_manage_config(dnssec_triggerd_t) sysnet_etc_filetrans_config(dnssec_triggerd_t) +diff --git a/docker.fc b/docker.fc +new file mode 100644 +index 0000000..1c4ac02 +--- /dev/null ++++ b/docker.fc +@@ -0,0 +1,17 @@ ++/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) ++ ++/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) ++ ++/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0) ++ ++/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) ++/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) ++ ++/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0) ++ ++/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) ++ ++/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) +diff --git a/docker.if b/docker.if +new file mode 100644 +index 0000000..683dfdc +--- /dev/null ++++ b/docker.if +@@ -0,0 +1,363 @@ ++ ++## The open-source application container engine. ++ ++######################################## ++## ++## Execute docker in the docker domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`docker_domtrans',` ++ gen_require(` ++ type docker_t, docker_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, docker_exec_t, docker_t) ++') ++ ++######################################## ++## ++## Execute docker in the caller domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`docker_exec',` ++ gen_require(` ++ type docker_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, docker_exec_t) ++') ++ ++######################################## ++## ++## Search docker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_search_lib',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ allow $1 docker_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Execute docker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_exec_lib',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ allow $1 docker_var_lib_t:dir search_dir_perms; ++ can_exec($1, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Read docker lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_read_lib_files',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Read docker share files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_read_share_files',` ++ gen_require(` ++ type docker_share_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, docker_share_t, docker_share_t) ++') ++ ++######################################## ++## ++## Manage docker lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_manage_lib_files',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++ manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Manage docker lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`docker_manage_lib_dirs',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t) ++') ++ ++######################################## ++## ++## Create objects in a docker var lib directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`docker_lib_filetrans',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, docker_var_lib_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Read docker PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_read_pid_files',` ++ gen_require(` ++ type docker_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, docker_var_run_t, docker_var_run_t) ++') ++ ++######################################## ++## ++## Execute docker server in the docker domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`docker_systemctl',` ++ gen_require(` ++ type docker_t; ++ type docker_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 docker_unit_file_t:file read_file_perms; ++ allow $1 docker_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, docker_t) ++') ++ ++######################################## ++## ++## Read and write docker shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_rw_sem',` ++ gen_require(` ++ type docker_t; ++ ') ++ ++ allow $1 docker_t:sem rw_sem_perms; ++') ++ ++####################################### ++## ++## Read and write the docker pty type. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`docker_use_ptys',` ++ gen_require(` ++ type docker_devpts_t; ++ ') ++ ++ allow $1 docker_devpts_t:chr_file rw_term_perms; ++') ++ ++####################################### ++## ++## Allow domain to create docker content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_filetrans_named_content',` ++ ++ gen_require(` ++ type docker_var_lib_t; ++ type docker_share_t; ++ type docker_log_t; ++ type docker_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") ++ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock") ++ logging_log_filetrans($1, docker_log_t, dir, "lxc") ++ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init") ++') ++ ++######################################## ++## ++## Connect to docker over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_stream_connect',` ++ gen_require(` ++ type docker_t, docker_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an docker environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`docker_admin',` ++ gen_require(` ++ type docker_t; ++ type docker_var_lib_t, docker_var_run_t; ++ type docker_unit_file_t; ++ type docker_lock_t; ++ type docker_log_t; ++ ') ++ ++ allow $1 docker_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, docker_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, docker_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, docker_var_run_t) ++ ++ files_search_locks($1) ++ admin_pattern($1, docker_lock_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, docker_log_t) ++ ++ docker_systemctl($1) ++ admin_pattern($1, docker_unit_file_t) ++ allow $1 docker_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/docker.te b/docker.te +new file mode 100644 +index 0000000..73e71c1 +--- /dev/null ++++ b/docker.te +@@ -0,0 +1,274 @@ ++policy_module(docker, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

++## Determine whether docker can ++## connect to all TCP ports. ++##

++##
++gen_tunable(docker_connect_any, false) ++ ++## ++##

++## Allow docker to transition to unconfined containers. ++##

++##
++gen_tunable(docker_transition_unconfined, false) ++ ++type docker_t; ++type docker_exec_t; ++init_daemon_domain(docker_t, docker_exec_t) ++domain_subj_id_change_exemption(docker_t) ++domain_role_change_exemption(docker_t) ++ ++type docker_var_lib_t; ++files_type(docker_var_lib_t) ++ ++type docker_lock_t; ++files_lock_file(docker_lock_t) ++ ++type docker_log_t; ++logging_log_file(docker_log_t) ++ ++type docker_tmp_t; ++files_tmp_file(docker_tmp_t) ++ ++type docker_tmpfs_t; ++files_tmpfs_file(docker_tmpfs_t) ++ ++type docker_var_run_t; ++files_pid_file(docker_var_run_t) ++ ++type docker_unit_file_t; ++systemd_unit_file(docker_unit_file_t) ++ ++type docker_devpts_t; ++term_pty(docker_devpts_t) ++ ++type docker_share_t; ++files_type(docker_share_t) ++ ++######################################## ++# ++# docker local policy ++# ++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service }; ++allow docker_t self:process { getattr signal_perms }; ++allow docker_t self:fifo_file rw_fifo_file_perms; ++allow docker_t self:unix_stream_socket create_stream_socket_perms; ++allow docker_t self:tcp_socket create_stream_socket_perms; ++allow docker_t self:udp_socket create_socket_perms; ++allow docker_t self:capability2 block_suspend; ++ ++manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t) ++manage_files_pattern(docker_t, docker_lock_t, docker_lock_t) ++files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc") ++ ++manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) ++manage_files_pattern(docker_t, docker_log_t, docker_log_t) ++manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) ++logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) ++files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file }) ++ 
++manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(docker_t, docker_share_t, docker_share_t) ++manage_files_pattern(docker_t, docker_share_t, docker_share_t) ++manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t) ++can_exec(docker_t, docker_share_t) ++docker_filetrans_named_content(docker_t) ++ ++manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) ++allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto }; ++files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) ++files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) ++ ++allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++term_create_pty(docker_t, docker_devpts_t) ++ ++kernel_read_system_state(docker_t) ++kernel_read_network_state(docker_t) ++kernel_read_all_sysctls(docker_t) ++kernel_rw_net_sysctls(docker_t) ++ ++domain_use_interactive_fds(docker_t) ++ ++corecmd_exec_bin(docker_t) ++corecmd_exec_shell(docker_t) ++ ++corenet_tcp_bind_generic_node(docker_t) 
++corenet_tcp_sendrecv_generic_if(docker_t) ++corenet_tcp_sendrecv_generic_node(docker_t) ++corenet_tcp_sendrecv_generic_port(docker_t) ++corenet_tcp_bind_all_ports(docker_t) ++corenet_tcp_connect_http_port(docker_t) ++corenet_tcp_connect_commplex_main_port(docker_t) ++corenet_udp_sendrecv_generic_if(docker_t) ++corenet_udp_sendrecv_generic_node(docker_t) ++corenet_udp_sendrecv_all_ports(docker_t) ++corenet_udp_bind_generic_node(docker_t) ++corenet_udp_bind_all_ports(docker_t) ++ ++files_read_etc_files(docker_t) ++ ++fs_read_cgroup_files(docker_t) ++fs_read_tmpfs_symlinks(docker_t) ++fs_getattr_all_fs(docker_t) ++ ++storage_raw_rw_fixed_disk(docker_t) ++ ++auth_use_nsswitch(docker_t) ++ ++init_read_state(docker_t) ++init_status(docker_t) ++ ++logging_send_audit_msgs(docker_t) ++logging_send_syslog_msg(docker_t) ++ ++miscfiles_read_localization(docker_t) ++ ++mount_domtrans(docker_t) ++ ++seutil_read_default_contexts(docker_t) ++ ++sysnet_dns_name_resolve(docker_t) ++sysnet_exec_ifconfig(docker_t) ++ ++optional_policy(` ++ fstools_domtrans(docker_t) ++') ++ ++optional_policy(` ++ iptables_domtrans(docker_t) ++') ++ ++# ++# lxc rules ++# ++ ++allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace }; ++ ++allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms }; ++ ++allow docker_t self:netlink_route_socket rw_netlink_socket_perms;; ++allow docker_t self:netlink_audit_socket create_netlink_socket_perms; ++allow docker_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++ ++allow docker_t docker_var_lib_t:dir mounton; ++allow docker_t docker_var_lib_t:chr_file mounton; ++can_exec(docker_t, docker_var_lib_t) ++ ++kernel_setsched(docker_t) ++kernel_get_sysvipc_info(docker_t) ++kernel_request_load_module(docker_t) ++kernel_mounton_messages(docker_t) ++ ++dev_getattr_all_blk_files(docker_t) 
++dev_getattr_sysfs_fs(docker_t) ++dev_read_urand(docker_t) ++dev_read_lvm_control(docker_t) ++dev_read_sysfs(docker_t) ++dev_rw_loop_control(docker_t) ++dev_rw_lvm_control(docker_t) ++ ++files_getattr_isid_type_dirs(docker_t) ++files_manage_isid_type_dirs(docker_t) ++files_manage_isid_type_files(docker_t) ++files_manage_isid_type_symlinks(docker_t) ++files_manage_isid_type_chr_files(docker_t) ++files_manage_isid_type_blk_files(docker_t) ++files_exec_isid_files(docker_t) ++files_mounton_isid(docker_t) ++files_mounton_non_security(docker_t) ++files_mounton_isid_type_chr_file(docker_t) ++ ++fs_mount_all_fs(docker_t) ++fs_unmount_all_fs(docker_t) ++fs_remount_all_fs(docker_t) ++files_mounton_isid(docker_t) ++fs_manage_cgroup_dirs(docker_t) ++fs_manage_cgroup_files(docker_t) ++fs_relabelfrom_xattr_fs(docker_t) ++fs_relabelfrom_tmpfs(docker_t) ++ ++term_use_generic_ptys(docker_t) ++term_use_ptmx(docker_t) ++term_getattr_pty_fs(docker_t) ++term_relabel_pty_fs(docker_t) ++term_mounton_unallocated_ttys(docker_t) ++ ++modutils_domtrans_insmod(docker_t) ++ ++systemd_status_all_unit_files(docker_t) ++systemd_start_systemd_services(docker_t) ++ ++userdom_stream_connect(docker_t) ++userdom_search_user_home_content(docker_t) ++ ++optional_policy(` ++ dbus_system_bus_client(docker_t) ++ init_dbus_chat(docker_t) ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(docker_t) ++ ') ++') ++ ++optional_policy(` ++ udev_read_db(docker_t) ++') ++ ++optional_policy(` ++ virt_read_config(docker_t) ++ virt_exec(docker_t) ++ virt_stream_connect(docker_t) ++ virt_stream_connect_sandbox(docker_t) ++ virt_exec_sandbox_files(docker_t) ++ virt_manage_sandbox_files(docker_t) ++ virt_relabel_sandbox_filesystem(docker_t) ++ # for lxc ++ virt_transition_svirt_sandbox(docker_t, system_r) ++ virt_mounton_sandbox_file(docker_t) ++') ++ ++tunable_policy(`docker_connect_any',` ++ corenet_tcp_connect_all_ports(docker_t) ++ corenet_sendrecv_all_packets(docker_t) ++ corenet_tcp_sendrecv_all_ports(docker_t) 
++') ++ ++optional_policy(` ++ tunable_policy(`docker_transition_unconfined',` ++ unconfined_transition(docker_t, docker_share_t) ++ unconfined_transition(docker_t, docker_var_lib_t) ++ ') ++') ++ ++optional_policy(` ++ unconfined_domain(docker_t) ++') ++ diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 --- a/dovecot.fc @@ -26362,7 +27050,7 @@ index e39de43..4c8113b 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..fdf1f36 100644 +index d03fd43..e7a9729 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,157 @@ @@ -27447,7 +28135,7 @@ index d03fd43..fdf1f36 100644 ##
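Review bot: The closing `optional_policy(\` unconfined_domain(docker_t) ')` in docker.te makes docker_t unconfined whenever the unconfined module is loaded, which it typically is, so all the fine-grained rules above it and both new booleans (`docker_connect_any`, `docker_transition_unconfined`) have no effect in that configuration; if this is a deliberate bootstrap state, say so beside it, e.g. `# docker_t is fully unconfined while the policy matures; the rules above only take effect once this block is removed`, otherwise drop the block. Two smaller defects in the "lxc rules" section: `allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;` carries a stray second semicolon, and `files_mounton_isid(docker_t)` is listed twice. Even without the unconfined fallback the domain holds sys_admin, sys_ptrace, dac_override, `storage_raw_rw_fixed_disk`, `modutils_domtrans_insmod` and mount/remount/relabel over all filesystems, so `docker_stream_connect` hands root-equivalent power to any caller and its summary in docker.if should say so. Also in docker.if, `docker_systemctl` is documented as "Execute docker server in the docker domain" but grants systemctl control of docker.service; the copied summary should be fixed.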
## ## -@@ -704,12 +799,851 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +799,869 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -27904,6 +28592,24 @@ index d03fd43..fdf1f36 100644 + can_exec($1, gstreamer_home_t) +') + ++###################################### ++## ++## Allow to execute config home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_exec_config_home_files',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ can_exec($1, config_home_t) ++') ++ +####################################### +## +## file name transition gstreamer home content files. @@ -91240,7 +91946,7 @@ index c30da4c..459fbcf 100644 + +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..73549fd 100644 +index 9dec06c..abf93cf 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -92255,7 +92961,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',` +@@ -860,74 +658,170 @@ interface(`virt_read_lib_files',` ## ## # 
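Review bot: The new `gnome_exec_config_home_files` interface grants `can_exec($1, config_home_t)`, i.e. execution of user home content under ~/.config that the user can write, but its summary "Allow to execute config home content files" hides that the caller will run user-controlled code in its own domain. I would make that explicit, e.g. `## Execute files labelled config_home_t (user-writable ~/.config content) in the caller's domain; callers should gate this behind a tunable since it lets the user run arbitrary code in that domain.` The interface is otherwise consistent with the neighbouring `gnome_exec_gstreamer_home_files`, which likewise does no home-dir search of its own.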
@@ -92442,97 +93148,99 @@ index 9dec06c..73549fd 100644 + ') ') - ######################################## +-######################################## ++####################################### ## -## Append virt log files. -+## Do not audit attempts to write virt daemon unnamed pipes. ++## Execute Sandbox Files ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -935,19 +829,17 @@ interface(`virt_read_log',` ## ## # -interface(`virt_append_log',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_exec_sandbox_files',` gen_require(` - type virt_log_t; -+ type virtd_t; ++ type svirt_sandbox_file_t; ') - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ can_exec($1, svirt_sandbox_file_t) ') - ######################################## +-######################################## ++####################################### ## -## Create, read, write, and delete -## virt log files. -+## Send a sigkill to virtual machines ++## Relabel Sandbox File systems ## ## ## -@@ -955,20 +848,17 @@ interface(`virt_append_log',` +@@ -955,20 +847,17 @@ interface(`virt_append_log',` ## ## # -interface(`virt_manage_log',` -+interface(`virt_kill_svirt',` ++interface(`virt_relabel_sandbox_filesystem',` gen_require(` - type virt_log_t; -+ attribute virt_domain; ++ type svirt_sandbox_file_t; ') - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virt_domain:process sigkill; ++ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto }; ') - ######################################## +-######################################## ++####################################### ## -## Search virt image directories. -+## Send a sigkill to virtd daemon. 
++## Mounton Sandbox Files ## ## ## -@@ -976,18 +866,17 @@ interface(`virt_manage_log',` +@@ -976,55 +865,72 @@ interface(`virt_manage_log',` ## ## # -interface(`virt_search_images',` -+interface(`virt_kill',` ++interface(`virt_mounton_sandbox_file',` gen_require(` - attribute virt_image_type; -+ type virtd_t; ++ type svirt_sandbox_file_t; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ allow $1 virtd_t:process sigkill; ++ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton; ') ######################################## ## -## Read virt image files. -+## Send a signal to virtual machines ++## Do not audit attempts to write virt daemon unnamed pipes. ## ## ## -@@ -995,73 +884,75 @@ interface(`virt_search_images',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`virt_read_images',` -+interface(`virt_signal_svirt',` ++interface(`virt_dontaudit_write_pipes',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ attribute virt_domain; ++ type virtd_t; ') - virt_search_lib($1) @@ -92541,7 +93249,8 @@ index 9dec06c..73549fd 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virt_domain:process signal; ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; +') - tunable_policy(`virt_use_nfs',` @@ -92550,7 +93259,7 @@ index 9dec06c..73549fd 100644 - fs_read_nfs_symlinks($1) +######################################## +## -+## Manage virt home files. ++## Send a sigkill to virtual machines +## +## +## 
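Review bot: `virt_exec_sandbox_files` gives the caller `can_exec` on svirt_sandbox_file_t, which, judging by its name and by the filetrans rules later in virt.te, is content the sandboxed containers themselves write, and docker.te in this same commit calls it from docker_t, so the daemon ends up executing container-writable files; the summary "Execute Sandbox Files" should spell that out, e.g. `## Execute files labelled svirt_sandbox_file_t (container-writable content) in the caller's domain; the caller must treat them as untrusted.` Likewise `virt_relabel_sandbox_filesystem` grants filesystem-class relabelfrom/relabelto, which is the context= mount case rather than per-file relabelling, so "Relabel Sandbox File systems" would be clearer as `## Relabel (context=) mounts of svirt_sandbox_file_t filesystems.` The hunk also shuffles several pre-existing interfaces (dontaudit_write_pipes, kill_svirt, kill), which is harmless but makes the diff hard to audit.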
@@ -92558,82 +93267,133 @@ index 9dec06c..73549fd 100644 +## +## +# -+interface(`virt_manage_home_files',` ++interface(`virt_kill_svirt',` + gen_require(` -+ type virt_home_t; ++ attribute virt_domain; ') - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) -- ') -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) ++ allow $1 virt_domain:process sigkill; ++') ++ ++######################################## ++## ++## Send a sigkill to virtd daemon. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_kill',` ++ gen_require(` ++ type virtd_t; + ') ++ ++ allow $1 virtd_t:process sigkill; ') ######################################## ## -## Read and write all virt image -## character files. -+## allow domain to read -+## virt tmpfs files ++## Send a signal to virtual machines ## ## ## --## Domain allowed access. -+## Domain allowed access +@@ -1032,20 +938,17 @@ interface(`virt_read_images',` ## ## # -interface(`virt_rw_all_image_chr_files',` -+interface(`virt_read_tmpfs_files',` ++interface(`virt_signal_svirt',` gen_require(` - attribute virt_image_type; -+ attribute virt_tmpfs_type; ++ attribute virt_domain; ') - virt_search_lib($1) - allow $1 virt_image_type:dir list_dir_perms; - rw_chr_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virt_tmpfs_type:file read_file_perms; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Create, read, write, and delete -## svirt cache files. -+## allow domain to manage -+## virt tmpfs files ++## Manage virt home files. ## ## ## --## Domain allowed access. 
-+## Domain allowed access +@@ -1053,15 +956,57 @@ interface(`virt_rw_all_image_chr_files',` ## ## # -interface(`virt_manage_svirt_cache',` - refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') - virt_manage_virt_cache($1) -+interface(`virt_manage_tmpfs_files',` ++interface(`virt_manage_home_files',` + gen_require(` -+ attribute virt_tmpfs_type; ++ type virt_home_t; + ') + -+ allow $1 virt_tmpfs_type:file manage_file_perms; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) ') ######################################## ## -## Create, read, write, and delete -## virt cache content. ++## allow domain to read ++## virt tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`virt_read_tmpfs_files',` ++ gen_require(` ++ attribute virt_tmpfs_type; ++ ') ++ ++ allow $1 virt_tmpfs_type:file read_file_perms; ++') ++ ++######################################## ++## ++## allow domain to manage ++## virt tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`virt_manage_tmpfs_files',` ++ gen_require(` ++ attribute virt_tmpfs_type; ++ ') ++ ++ allow $1 virt_tmpfs_type:file manage_file_perms; ++') ++ ++######################################## ++## +## Create .virt directory in the user home directory +## with an correct label. ## ## ## -@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',` +@@ -1069,21 +1014,28 @@ interface(`virt_manage_svirt_cache',` ## ## # @@ -92670,7 +93430,7 @@ index 9dec06c..73549fd 100644 ##
## ## -@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',` +@@ -1091,36 +1043,148 @@ interface(`virt_manage_virt_cache',` ## ## # @@ -92737,13 +93497,15 @@ index 9dec06c..73549fd 100644 +template(`virt_sandbox_domain',` + gen_require(` + attribute svirt_sandbox_domain; -+ ') + ') + + typeattribute $1 svirt_sandbox_domain; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## All of the rules required to +-## administrate an virt environment. +## Execute a qemu_exec_t in the callers domain +## +## @@ -92823,21 +93585,19 @@ index 9dec06c..73549fd 100644 +interface(`virt_rw_svirt_dev',` + gen_require(` + type svirt_image_t; - ') ++ ') + + allow $1 svirt_image_t:chr_file rw_file_perms; - ') - - ######################################## - ## --## All of the rules required to --## administrate an virt environment. ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an virt environment ## ## ## -@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1200,59 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -92876,16 +93636,20 @@ index 9dec06c..73549fd 100644 - fs_search_tmpfs($1) - admin_pattern($1, virt_tmpfs_type) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -- ++ admin_pattern($1, virt_file_type) ++ admin_pattern($1, svirt_file_type) + - files_search_etc($1) - admin_pattern($1, { virt_etc_t virt_etc_rw_t }) - - logging_search_logs($1) - admin_pattern($1, virt_log_t) -+ allow $1 virt_domain:process signal_perms; ++ virt_systemctl($1) ++ allow $1 virtd_unit_file_t:service all_service_perms; - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) 
@@ -92895,22 +93659,39 @@ index 9dec06c..73549fd 100644 - - files_search_var_lib($1) - admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t }) -+ admin_pattern($1, virt_file_type) -+ admin_pattern($1, svirt_file_type) ++ virt_stream_connect_sandbox($1) ++ virt_stream_connect_svirt($1) ++ virt_stream_connect($1) ++') - files_search_locks($1) - admin_pattern($1, virt_lock_t) -+ virt_systemctl($1) -+ allow $1 virtd_unit_file_t:service all_service_perms; ++####################################### ++## ++## Manage Sandbox Files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_manage_sandbox_files',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') - dev_list_all_dev_nodes($1) - allow $1 virt_ptynode:chr_file rw_term_perms; -+ virt_stream_connect_sandbox($1) -+ virt_stream_connect_svirt($1) -+ virt_stream_connect($1) ++ manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ') ++ diff --git a/virt.te b/virt.te -index 1f22fba..9c0c607 100644 +index 1f22fba..8644981 100644 --- a/virt.te +++ b/virt.te @@ -1,147 +1,166 @@ @@ -93732,7 +94513,7 @@ index 1f22fba..9c0c607 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +510,12 @@ optional_policy(` +@@ -658,19 +510,15 @@ optional_policy(` ') optional_policy(` 
@@ -93743,17 +94524,20 @@ index 1f22fba..9c0c607 100644 hal_dbus_chat(virtd_t) ') - optional_policy(` - networkmanager_dbus_chat(virtd_t) - ') -- - optional_policy(` -- policykit_dbus_chat(virtd_t) +- networkmanager_dbus_chat(virtd_t) - ') ++optional_policy(` ++ docker_exec_lib(virtd_lxc_t) ++') + + optional_policy(` +- policykit_dbus_chat(virtd_t) ++ networkmanager_dbus_chat(virtd_t) + ') ') - optional_policy(` -@@ -684,14 +528,20 @@ optional_policy(` +@@ -684,14 +532,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) @@ -93776,7 +94560,7 @@ index 1f22fba..9c0c607 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +554,13 @@ optional_policy(` +@@ -704,11 +558,13 @@ optional_policy(` ') optional_policy(` @@ -93790,7 +94574,7 @@ index 1f22fba..9c0c607 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +571,18 @@ optional_policy(` +@@ -719,10 +575,18 @@ optional_policy(` ') optional_policy(` @@ -93809,7 +94593,7 @@ index 1f22fba..9c0c607 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +597,264 @@ optional_policy(` +@@ -737,44 +601,264 @@ optional_policy(` udev_read_db(virtd_t) ') @@ -93907,7 +94691,7 @@ index 1f22fba..9c0c607 100644 -can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_log_t, virt_log_t) - ++ +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +corecmd_exec_bin(virt_domain) @@ -93965,7 +94749,7 @@ index 1f22fba..9c0c607 100644 +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; +') -+ + +optional_policy(` + alsa_read_rw_config(virt_domain) +') 
@@ -94096,7 +94880,7 @@ index 1f22fba..9c0c607 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +865,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +869,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -94123,7 +94907,7 @@ index 1f22fba..9c0c607 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +885,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +889,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -94155,7 +94939,7 @@ index 1f22fba..9c0c607 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +918,20 @@ optional_policy(` +@@ -847,14 +922,20 @@ optional_policy(` ') optional_policy(` @@ -94177,7 +94961,7 @@ index 1f22fba..9c0c607 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +956,65 @@ optional_policy(` +@@ -879,49 +960,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -94261,7 +95045,7 @@ index 1f22fba..9c0c607 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1026,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1030,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -94281,7 +95065,7 @@ index 1f22fba..9c0c607 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1047,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1051,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -94305,7 +95089,7 @@ index 1f22fba..9c0c607 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1072,254 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1076,263 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -94433,11 +95217,6 @@ index 1f22fba..9c0c607 100644 +userdom_use_inherited_user_terminals(svirt_sandbox_domain) +userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) +userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ apache_read_sys_content(svirt_sandbox_domain) -+') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; 
@@ -94522,21 +95301,35 @@ index 1f22fba..9c0c607 100644 - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) -+') -+ -+optional_policy(` -+ ssh_use_ptys(svirt_sandbox_domain) ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ udev_read_pid_files(svirt_sandbox_domain) ++ docker_manage_lib_files(svirt_lxc_net_t) ++ docker_manage_lib_dirs(svirt_lxc_net_t) ++ docker_read_share_files(svirt_sandbox_domain) ++ docker_exec_lib(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++ docker_use_ptys(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ ssh_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ udev_read_pid_files(svirt_sandbox_domain) ++') ++ ++optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) ') @@ -94649,7 +95442,8 @@ index 1f22fba..9c0c607 100644 +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) +dev_read_urand(svirt_qemu_net_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +corenet_tcp_bind_generic_node(svirt_qemu_net_t) +corenet_udp_bind_generic_node(svirt_qemu_net_t) +corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t) @@ -94659,8 +95453,7 @@ index 1f22fba..9c0c607 100644 +corenet_tcp_connect_all_ports(svirt_qemu_net_t) + +files_read_kernel_modules(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +fs_noxattr_type(svirt_sandbox_file_t) +fs_mount_cgroup(svirt_qemu_net_t) +fs_manage_cgroup_dirs(svirt_qemu_net_t) 
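Review bot: `docker_manage_lib_files(svirt_lxc_net_t)` and `docker_manage_lib_dirs(svirt_lxc_net_t)` give the networked container domain create, write and delete rights over docker's lib tree, while `docker_exec_lib(svirt_sandbox_domain)` lets every sandbox domain execute content from that same tree, and nothing in the hunk limits this with a tunable or a container-specific type. Taken together a container can presumably modify files that the host daemon and other sandboxes later execute, which is a notable widening of the container-to-host boundary and deserves a why-comment, e.g. `# svirt_lxc_net_t manages state under docker's lib dir and all sandbox domains may exec that tree -- review whether a narrower type is possible`. A smaller style point: `docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file)` is missing the space after the first comma that the surrounding calls use. The apache, mta, ssh and udev blocks in this hunk are a reorder of existing rules, not new grants; the two later hunks on this line only move a blank line and an unchanged context line.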
@@ -94690,7 +95483,7 @@ index 1f22fba..9c0c607 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1332,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1345,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -94705,7 +95498,7 @@ index 1f22fba..9c0c607 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1350,8 @@ optional_policy(` +@@ -1183,9 +1363,8 @@ optional_policy(` ######################################## # @@ -94716,7 +95509,7 @@ index 1f22fba..9c0c607 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1364,124 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1377,124 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 8379f37..bf2b84e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.27%{?dist} +Release: 74.28%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -542,6 +542,12 @@ SELinux Reference policy mls base module. %endif %changelog +* Thu Jun 19 2014 Lukas Vrabec 3.12.1-74.28 +- Added docker policy +- Allow chrome_sandbox to execute config_home_t +- apcupsd will send a wall message to all terminals telling the system is about to go down +- If you use ldap you should be able to read certs + * Wed May 14 2014 Miroslav Grepl 3.12.1-74.27 - Add missing dyntransition for sandbox_x_domain