From 731a6f2945cb79ebe537461f737cde325d134bff Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Jul 29 2016 09:42:29 +0000 Subject: * Fri Jul 29 2016 Lukas Vrabec 3.13.1-191.9 - Dontaudit mock_build_t can list all ptys. - Allow ftpd_t to mamange userhome data without any boolean. - Add logrotate permissions for creating netlink selinux sockets. - Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. - Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654) - Allow systemd gpt generator to run fstools BZ(1353585) - Allow gnome-keyring also manage user_tmp_t sockets. - Allow systemd to mounton /etc filesystem. BZ(1341753) --- diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 16f1156..c75579b 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 3a23692..3dc3cde 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -1286,10 +1286,21 @@ index 216b3d1..064ec83 100644 + ') dnl end enable_mcs diff --git a/policy/mls b/policy/mls -index f11e5e2..2d2ab83 100644 +index f11e5e2..b723977 100644 --- a/policy/mls 
+++ b/policy/mls -@@ -156,15 +156,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } +@@ -70,7 +70,9 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } + + # new file labels must be dominated by the relabeling subjects clearance + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto +- ( h1 dom h2 ); ++ (( h1 dom h2 ) or ++ (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or ++ ( t1 == mlsfilewrite )); + + # the file "read" ops (note the check is dominance of the low level) + mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } +@@ -156,15 +158,12 @@ mlsconstrain filesystem { mount remount unmount relabelfrom quotamod } # these access vectors have no MLS restrictions # filesystem { transition associate } @@ -1306,7 +1317,7 @@ index f11e5e2..2d2ab83 100644 ( h1 dom h2 ); # the socket "read+write" ops -@@ -180,7 +177,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s +@@ -180,7 +179,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s # the socket "read" ops (note the check is dominance of the low level) @@ -1315,7 +1326,7 @@ index f11e5e2..2d2ab83 100644 (( l1 dom l2 ) or (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); -@@ -191,11 +188,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock +@@ -191,11 +190,12 @@ mlsconstrain { netlink_route_socket netlink_firewall_socket netlink_tcpdiag_sock ( t1 == mlsnetread )); # the socket "write" ops @@ -1330,7 +1341,7 @@ index f11e5e2..2d2ab83 100644 # used by netlabel to restrict normal domains to same level connections mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom -@@ -252,6 +250,11 @@ mlsconstrain msg receive +@@ -252,6 +252,11 @@ mlsconstrain msg receive (( t1 == mlsipcreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsipcread )); 
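Review bot: The third disjunct added to the relabelto constraint in policy/mls, `( t1 == mlsfilewrite )`, lets every domain that already carries the `mlsfilewrite` write-override attribute relabel a file to any level, which is wider than the package-manager case the commit message describes; the new `(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 ))` branch already covers that case, so consider dropping the `mlsfilewrite` branch or scoping it to a dedicated attribute. That new branch checks only `h1 dom l2`, so a ranged target whose high level exceeds the subject's clearance still passes; if that is intended it should be stated. The comment above the rule, `# new file labels must be dominated by the relabeling subjects clearance`, is now stale and could read `# new file labels must be dominated by the relabeling subjects clearance, unless the subject carries mlsfilerelabeltoclr (new low level within clearance) or mlsfilewrite`. The hunk references `mlsfilerelabeltoclr` without declaring it; the attribute declaration and the interface that assigns it presumably live elsewhere in this patch, and the policy will not build without them.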
@@ -1342,7 +1353,7 @@ index f11e5e2..2d2ab83 100644 # the ipc "write" ops (implicit single level) mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write } (( l1 eq l2 ) or -@@ -361,9 +364,6 @@ mlsconstrain { peer packet } { recv } +@@ -361,9 +366,6 @@ mlsconstrain { peer packet } { recv } (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsnetread )); @@ -2898,7 +2909,7 @@ index 99e3903..fa68362 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 1d732f1..47af4c3 100644 +index 1d732f1..c2962a5 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -26,6 +26,7 @@ type chfn_exec_t; @@ -3127,7 +3138,7 @@ index 1d732f1..47af4c3 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -352,6 +383,19 @@ userdom_read_user_tmp_files(passwd_t) +@@ -352,6 +383,20 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -3136,6 +3147,7 @@ index 1d732f1..47af4c3 100644 + +# needed by gnome-keyring +userdom_manage_user_tmp_files(passwd_t) ++userdom_manage_user_tmp_sockets(passwd_t) +userdom_manage_user_tmp_dirs(passwd_t) + +optional_policy(` @@ -3147,7 +3159,7 @@ index 1d732f1..47af4c3 100644 optional_policy(` nscd_run(passwd_t, passwd_roles) -@@ -401,9 +445,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -401,9 +446,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3160,7 +3172,7 @@ index 1d732f1..47af4c3 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -416,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -416,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) 
@@ -3168,7 +3180,7 @@ index 1d732f1..47af4c3 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,12 +470,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -426,12 +471,9 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3181,7 +3193,7 @@ index 1d732f1..47af4c3 100644 userdom_use_unpriv_users_fds(sysadm_passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir -@@ -446,7 +487,8 @@ optional_policy(` +@@ -446,7 +488,8 @@ optional_policy(` # Useradd local policy # @@ -3191,7 +3203,7 @@ index 1d732f1..47af4c3 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -461,6 +503,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -461,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; @@ -3202,7 +3214,7 @@ index 1d732f1..47af4c3 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -468,29 +514,28 @@ corecmd_exec_shell(useradd_t) +@@ -468,29 +515,28 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3242,7 +3254,7 @@ index 1d732f1..47af4c3 100644 auth_run_chk_passwd(useradd_t, useradd_roles) auth_rw_lastlog(useradd_t) -@@ -498,6 +543,7 @@ auth_rw_faillog(useradd_t) +@@ -498,6 +544,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. 
@@ -3250,7 +3262,7 @@ index 1d732f1..47af4c3 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -508,33 +554,32 @@ init_rw_utmp(useradd_t) +@@ -508,33 +555,32 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3295,7 +3307,7 @@ index 1d732f1..47af4c3 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -545,14 +590,27 @@ optional_policy(` +@@ -545,14 +591,27 @@ optional_policy(` ') optional_policy(` @@ -3323,7 +3335,7 @@ index 1d732f1..47af4c3 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -562,3 +620,12 @@ optional_policy(` +@@ -562,3 +621,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -11017,7 +11029,7 @@ index b876c48..03f9342 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index f962f76..890900c 100644 +index f962f76..50b1f05 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ @@ -12262,7 +12274,32 @@ index f962f76..890900c 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2645,6 +3276,24 @@ interface(`files_rw_etc_dirs',` +@@ -2557,6 +3188,24 @@ interface(`files_read_default_pipes',` + + ######################################## + ## ++## Mounton directories on filesystem /etc. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_etc',` ++ gen_require(` ++ type etc_t; ++ ') ++ ++ allow $1 etc_t:dir mounton; ++') ++ ++######################################## ++## + ## Search the contents of /etc directories. + ## + ## +@@ -2645,6 +3294,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') 
@@ -12287,7 +12324,7 @@ index f962f76..890900c 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2716,6 +3365,7 @@ interface(`files_read_etc_files',` +@@ -2716,6 +3383,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -12295,7 +12332,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -2724,7 +3374,7 @@ interface(`files_read_etc_files',` +@@ -2724,7 +3392,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -12304,7 +12341,7 @@ index f962f76..890900c 100644 ## ## # -@@ -2780,6 +3430,25 @@ interface(`files_manage_etc_files',` +@@ -2780,6 +3448,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -12330,7 +12367,7 @@ index f962f76..890900c 100644 ## Delete system configuration files in /etc. ## ## -@@ -2798,6 +3467,24 @@ interface(`files_delete_etc_files',` +@@ -2798,6 +3485,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -12355,7 +12392,7 @@ index f962f76..890900c 100644 ## Execute generic files in /etc. ## ## -@@ -2963,24 +3650,6 @@ interface(`files_delete_boot_flag',` +@@ -2963,26 +3668,8 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -12377,10 +12414,14 @@ index f962f76..890900c 100644 - -######################################## -## - ## Read files in /etc that are dynamically - ## created on boot, such as mtab. +-## Read files in /etc that are dynamically +-## created on boot, such as mtab. ++## Read files in /etc that are dynamically ++## created on boot, such as mtab. ## -@@ -3021,9 +3690,7 @@ interface(`files_read_etc_runtime_files',` + ## + ##
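Review bot: The new `files_mounton_etc` interface allows `mounton` on every directory labeled etc_t, not only /etc itself, so a caller can overlay any configuration directory with another filesystem; the summary `Mounton directories on filesystem /etc.` should make that scope explicit, e.g. `Mount a filesystem on top of any directory labeled etc_t (all of /etc); intended for init/systemd only, see BZ(1341753).` The commit message ties the permission to systemd, but the caller is not in this hunk, so the interface documentation is the only place that scope is recorded.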

+@@ -3021,9 +3708,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -12391,7 +12432,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -3031,18 +3698,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3031,18 +3716,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -12413,7 +12454,7 @@ index f962f76..890900c 100644 ##
## ## -@@ -3060,6 +3726,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3060,6 +3744,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -12440,7 +12481,7 @@ index f962f76..890900c 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3077,6 +3763,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3077,6 +3781,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -12448,7 +12489,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3098,6 +3785,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3098,6 +3803,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -12456,7 +12497,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3142,10 +3830,48 @@ interface(`files_etc_filetrans_etc_runtime',` +@@ -3142,10 +3848,48 @@ interface(`files_etc_filetrans_etc_runtime',` # interface(`files_getattr_isid_type_dirs',` gen_require(` @@ -12507,7 +12548,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3161,10 +3887,10 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3161,10 +3905,10 @@ interface(`files_getattr_isid_type_dirs',` # interface(`files_dontaudit_search_isid_type_dirs',` gen_require(` @@ -12520,7 +12561,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3180,10 +3906,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` +@@ -3180,10 +3924,10 @@ interface(`files_dontaudit_search_isid_type_dirs',` # interface(`files_list_isid_type_dirs',` gen_require(` 
@@ -12533,7 +12574,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3199,10 +3925,10 @@ interface(`files_list_isid_type_dirs',` +@@ -3199,10 +3943,10 @@ interface(`files_list_isid_type_dirs',` # interface(`files_rw_isid_type_dirs',` gen_require(` @@ -12546,7 +12587,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3218,10 +3944,66 @@ interface(`files_rw_isid_type_dirs',` +@@ -3218,10 +3962,66 @@ interface(`files_rw_isid_type_dirs',` # interface(`files_delete_isid_type_dirs',` gen_require(` @@ -12615,7 +12656,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3237,10 +4019,10 @@ interface(`files_delete_isid_type_dirs',` +@@ -3237,10 +4037,10 @@ interface(`files_delete_isid_type_dirs',` # interface(`files_manage_isid_type_dirs',` gen_require(` @@ -12628,7 +12669,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3256,10 +4038,29 @@ interface(`files_manage_isid_type_dirs',` +@@ -3256,10 +4056,29 @@ interface(`files_manage_isid_type_dirs',` # interface(`files_mounton_isid_type_dirs',` gen_require(` @@ -12660,7 +12701,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3275,10 +4076,10 @@ interface(`files_mounton_isid_type_dirs',` +@@ -3275,10 +4094,10 @@ interface(`files_mounton_isid_type_dirs',` # interface(`files_read_isid_type_files',` gen_require(` @@ -12673,7 +12714,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3294,10 +4095,10 @@ interface(`files_read_isid_type_files',` +@@ -3294,10 +4113,10 @@ interface(`files_read_isid_type_files',` # interface(`files_delete_isid_type_files',` gen_require(` 
@@ -12686,7 +12727,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3313,10 +4114,10 @@ interface(`files_delete_isid_type_files',` +@@ -3313,10 +4132,10 @@ interface(`files_delete_isid_type_files',` # interface(`files_delete_isid_type_symlinks',` gen_require(` @@ -12699,7 +12740,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3332,10 +4133,10 @@ interface(`files_delete_isid_type_symlinks',` +@@ -3332,10 +4151,10 @@ interface(`files_delete_isid_type_symlinks',` # interface(`files_delete_isid_type_fifo_files',` gen_require(` @@ -12712,7 +12753,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3351,10 +4152,10 @@ interface(`files_delete_isid_type_fifo_files',` +@@ -3351,10 +4170,10 @@ interface(`files_delete_isid_type_fifo_files',` # interface(`files_delete_isid_type_sock_files',` gen_require(` @@ -12725,7 +12766,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3370,10 +4171,10 @@ interface(`files_delete_isid_type_sock_files',` +@@ -3370,10 +4189,10 @@ interface(`files_delete_isid_type_sock_files',` # interface(`files_delete_isid_type_blk_files',` gen_require(` @@ -12738,7 +12779,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3389,10 +4190,10 @@ interface(`files_delete_isid_type_blk_files',` +@@ -3389,10 +4208,10 @@ interface(`files_delete_isid_type_blk_files',` # interface(`files_dontaudit_write_isid_chr_files',` gen_require(` @@ -12751,7 +12792,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3408,10 +4209,10 @@ interface(`files_dontaudit_write_isid_chr_files',` +@@ -3408,10 +4227,10 @@ interface(`files_dontaudit_write_isid_chr_files',` # interface(`files_delete_isid_type_chr_files',` gen_require(` 
@@ -12764,7 +12805,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3427,10 +4228,10 @@ interface(`files_delete_isid_type_chr_files',` +@@ -3427,10 +4246,10 @@ interface(`files_delete_isid_type_chr_files',` # interface(`files_manage_isid_type_files',` gen_require(` @@ -12777,7 +12818,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3446,10 +4247,10 @@ interface(`files_manage_isid_type_files',` +@@ -3446,10 +4265,10 @@ interface(`files_manage_isid_type_files',` # interface(`files_manage_isid_type_symlinks',` gen_require(` @@ -12790,7 +12831,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3465,10 +4266,29 @@ interface(`files_manage_isid_type_symlinks',` +@@ -3465,10 +4284,29 @@ interface(`files_manage_isid_type_symlinks',` # interface(`files_rw_isid_type_blk_files',` gen_require(` @@ -12822,7 +12863,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3484,10 +4304,10 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3484,10 +4322,10 @@ interface(`files_rw_isid_type_blk_files',` # interface(`files_manage_isid_type_blk_files',` gen_require(` @@ -12835,7 +12876,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3503,10 +4323,10 @@ interface(`files_manage_isid_type_blk_files',` +@@ -3503,10 +4341,10 @@ interface(`files_manage_isid_type_blk_files',` # interface(`files_manage_isid_type_chr_files',` gen_require(` @@ -12848,7 +12889,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -3552,6 +4372,27 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3552,6 +4390,27 @@ interface(`files_dontaudit_getattr_home_dir',` ######################################## ## 
@@ -12876,7 +12917,7 @@ index f962f76..890900c 100644 ## Search home directories root (/home). ## ## -@@ -3814,20 +4655,38 @@ interface(`files_list_mnt',` +@@ -3814,20 +4673,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -12920,7 +12961,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -4012,6 +4871,12 @@ interface(`files_read_kernel_modules',` +@@ -4012,6 +4889,12 @@ interface(`files_read_kernel_modules',` allow $1 modules_object_t:dir list_dir_perms; read_files_pattern($1, modules_object_t, modules_object_t) read_lnk_files_pattern($1, modules_object_t, modules_object_t) @@ -12933,7 +12974,7 @@ index f962f76..890900c 100644 ') ######################################## -@@ -4217,192 +5082,218 @@ interface(`files_read_world_readable_sockets',` +@@ -4217,174 +5100,218 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -13168,36 +13209,26 @@ index f962f76..890900c 100644 +## File name transition for system db files in /var/lib. ## ## --## --## Domain allowed access. --## +## +## Domain allowed access. +## - ## - # --interface(`files_delete_tmp_dir_entry',` -- gen_require(` -- type tmp_t; -- ') ++## ++# +interface(`files_filetrans_system_db_named_files',` + gen_require(` + type var_lib_t, system_db_t; + ') - -- allow $1 tmp_t:dir del_entry_dir_perms; ++ + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") - ') - - ######################################## - ## --## Read files in the tmp directory (/tmp). ++') ++ ++######################################## ++## +## Allow the specified type to associate +## to a filesystem with the type of the +## temporary directory (/tmp). - ## --## ++## +## ## -## Domain allowed access. 
@@ -13205,19 +13236,19 @@ index f962f76..890900c 100644 ## ## # --interface(`files_read_generic_tmp_files',` +-interface(`files_delete_tmp_dir_entry',` +interface(`files_associate_tmp',` gen_require(` type tmp_t; ') -- read_files_pattern($1, tmp_t, tmp_t) +- allow $1 tmp_t:dir del_entry_dir_perms; + allow $1 tmp_t:filesystem associate; ') ######################################## ## --## Manage temporary directories in /tmp. +-## Read files in the tmp directory (/tmp). +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system @@ -13230,42 +13261,42 @@ index f962f76..890900c 100644 ## ## # --interface(`files_manage_generic_tmp_dirs',` +-interface(`files_read_generic_tmp_files',` +interface(`files_associate_rootfs',` gen_require(` - type tmp_t; + type root_t; ') -- manage_dirs_pattern($1, tmp_t, tmp_t) +- read_files_pattern($1, tmp_t, tmp_t) + allow $1 root_t:filesystem associate; ') ######################################## ## --## Manage temporary files and directories in /tmp. +-## Manage temporary directories in /tmp. +## Get the attributes of the tmp directory (/tmp). ## ## ## -@@ -4410,53 +5301,56 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4392,53 +5319,56 @@ interface(`files_read_generic_tmp_files',` ## ## # --interface(`files_manage_generic_tmp_files',` +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- manage_files_pattern($1, tmp_t, tmp_t) +- manage_dirs_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir getattr; ') ######################################## ## --## Read symbolic links in the tmp directory (/tmp). +-## Manage temporary files and directories in /tmp. +## Do not audit attempts to check the +## access on tmp files ## 
@@ -13276,20 +13307,20 @@ index f962f76..890900c 100644 ## ## # --interface(`files_read_generic_tmp_symlinks',` +-interface(`files_manage_generic_tmp_files',` +interface(`files_dontaudit_access_check_tmp',` gen_require(` - type tmp_t; + type etc_t; ') -- read_lnk_files_pattern($1, tmp_t, tmp_t) +- manage_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; ') ######################################## ## --## Read and write generic named sockets in the tmp directory (/tmp). +-## Read symbolic links in the tmp directory (/tmp). +## Do not audit attempts to get the +## attributes of the tmp directory (/tmp). ## @@ -13300,35 +13331,34 @@ index f962f76..890900c 100644 ##
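Review bot: In `files_dontaudit_access_check_tmp` the `gen_require` block declares `type etc_t;` while the rule that follows is `dontaudit $1 tmp_t:dir_file_class_set audit_access;`, so the require does not match the type the interface uses; it should read `type tmp_t;`. These lines are outer-context here (the commit only reshuffles the neighbouring interface headers), so the mismatch predates it, but it is still on the new side. It presumably goes unnoticed because tmp_t is declared by the same module, yet a caller that relies on the require to pull in the right type gets the wrong one.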
## # --interface(`files_rw_generic_tmp_sockets',` +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_getattr_tmp_dirs',` gen_require(` type tmp_t; ') -- rw_sock_files_pattern($1, tmp_t, tmp_t) +- read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir getattr; ') ######################################## ## --## Set the attributes of all tmp directories. +-## Read and write generic named sockets in the tmp directory (/tmp). +## Search the tmp directory (/tmp). ## ## ## -@@ -4464,77 +5358,93 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4446,35 +5376,37 @@ interface(`files_read_generic_tmp_symlinks',` ## ## # --interface(`files_setattr_all_tmp_dirs',` +-interface(`files_rw_generic_tmp_sockets',` +interface(`files_search_tmp',` gen_require(` -- attribute tmpfile; -+ type tmp_t; + type tmp_t; ') -- allow $1 tmpfile:dir { search_dir_perms setattr }; +- rw_sock_files_pattern($1, tmp_t, tmp_t) + fs_search_tmpfs($1) + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir search_dir_perms; @@ -13336,7 +13366,7 @@ index f962f76..890900c 100644 ######################################## ## --## List all tmp directories. +-## Set the attributes of all tmp directories. +## Do not audit attempts to search the tmp directory (/tmp). ## ## 
@@ -13346,83 +13376,93 @@ index f962f76..890900c 100644 ## ## # --interface(`files_list_all_tmp',` +-interface(`files_setattr_all_tmp_dirs',` +interface(`files_dontaudit_search_tmp',` gen_require(` - attribute tmpfile; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; +- allow $1 tmpfile:dir { search_dir_perms setattr }; + dontaudit $1 tmp_t:dir search_dir_perms; ') ######################################## ## --## Relabel to and from all temporary --## directory types. +-## List all tmp directories. +## Read the tmp directory (/tmp). ## ## ## - ## Domain allowed access. +@@ -4482,59 +5414,55 @@ interface(`files_setattr_all_tmp_dirs',` ## ## --## # --interface(`files_relabel_all_tmp_dirs',` +-interface(`files_list_all_tmp',` +interface(`files_list_tmp',` gen_require(` - attribute tmpfile; -- type var_t; + type tmp_t; ') -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) +- allow $1 tmpfile:dir list_dir_perms; + read_lnk_files_pattern($1, tmp_t, tmp_t) + allow $1 tmp_t:dir list_dir_perms; ') ######################################## ## --## Do not audit attempts to get the attributes --## of all tmp files. +-## Relabel to and from all temporary +-## directory types. +## Do not audit listing of the tmp directory (/tmp). ## ## ## --## Domain not to audit. +-## Domain allowed access. +## Domain to not audit. ## ## +-## # --interface(`files_dontaudit_getattr_all_tmp_files',` +-interface(`files_relabel_all_tmp_dirs',` +interface(`files_dontaudit_list_tmp',` gen_require(` - attribute tmpfile; +- type var_t; + type tmp_t; ') -- dontaudit $1 tmpfile:file getattr; +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) + dontaudit $1 tmp_t:dir list_dir_perms; -+') -+ + ') + +-######################################## +####################################### -+## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. +## Allow read and write to the tmp directory (/tmp). 
-+## -+## + ## + ## +-## +-## Domain not to audit. +-## +## +## Domain not to audit. +## -+## -+# + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` +- gen_require(` +- attribute tmpfile; +- ') +interface(`files_rw_generic_tmp_dir',` + gen_require(` + type tmp_t; + ') -+ + +- dontaudit $1 tmpfile:file getattr; + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; ') @@ -13435,7 +13475,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4542,110 +5452,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` +@@ -4542,110 +5470,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` ## ## # @@ -13574,7 +13614,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4653,22 +5551,17 @@ interface(`files_tmp_filetrans',` +@@ -4653,22 +5569,17 @@ interface(`files_tmp_filetrans',` ## ## # @@ -13601,7 +13641,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4676,17 +5569,17 @@ interface(`files_purge_tmp',` +@@ -4676,17 +5587,17 @@ interface(`files_purge_tmp',` ## ## # @@ -13623,7 +13663,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4694,18 +5587,17 @@ interface(`files_setattr_usr_dirs',` +@@ -4694,18 +5605,17 @@ interface(`files_setattr_usr_dirs',` ## ## # @@ -13646,7 +13686,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4713,35 +5605,35 @@ interface(`files_search_usr',` +@@ -4713,35 +5623,35 @@ interface(`files_search_usr',` ## ## # @@ -13691,7 +13731,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4749,36 +5641,35 @@ interface(`files_dontaudit_write_usr_dirs',` +@@ -4749,36 +5659,35 @@ interface(`files_dontaudit_write_usr_dirs',` ## ## # @@ -13737,7 +13777,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4786,17 +5677,17 @@ interface(`files_dontaudit_rw_usr_dirs',` +@@ -4786,17 +5695,17 @@ interface(`files_dontaudit_rw_usr_dirs',` ## ## # @@ -13759,7 +13799,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4804,73 +5695,59 @@ interface(`files_delete_usr_dirs',` +@@ -4804,73 +5713,59 @@ interface(`files_delete_usr_dirs',` ## ## # 
@@ -13852,7 +13892,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4878,55 +5755,58 @@ interface(`files_read_usr_files',` +@@ -4878,55 +5773,58 @@ interface(`files_read_usr_files',` ## ## # @@ -13927,7 +13967,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -4934,67 +5814,70 @@ interface(`files_manage_usr_files',` +@@ -4934,67 +5832,70 @@ interface(`files_manage_usr_files',` ## ## # @@ -14016,7 +14056,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5003,35 +5886,50 @@ interface(`files_read_usr_symlinks',` +@@ -5003,35 +5904,50 @@ interface(`files_read_usr_symlinks',` ## ## # @@ -14076,7 +14116,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5039,20 +5937,17 @@ interface(`files_dontaudit_search_src',` +@@ -5039,20 +5955,17 @@ interface(`files_dontaudit_search_src',` ## ## # @@ -14101,7 +14141,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5060,20 +5955,18 @@ interface(`files_getattr_usr_src_files',` +@@ -5060,20 +5973,18 @@ interface(`files_getattr_usr_src_files',` ## ## # @@ -14126,7 +14166,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5081,38 +5974,35 @@ interface(`files_read_usr_src_files',` +@@ -5081,38 +5992,35 @@ interface(`files_read_usr_src_files',` ## ## # @@ -14174,7 +14214,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5120,37 +6010,36 @@ interface(`files_create_kernel_symbol_table',` +@@ -5120,37 +6028,36 @@ interface(`files_create_kernel_symbol_table',` ## ## # @@ -14222,7 +14262,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5158,35 +6047,35 @@ interface(`files_delete_kernel_symbol_table',` +@@ -5158,35 +6065,35 @@ interface(`files_delete_kernel_symbol_table',` ## ## # @@ -14267,7 +14307,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5194,36 +6083,55 @@ interface(`files_dontaudit_write_var_dirs',` +@@ -5194,36 +6101,55 @@ interface(`files_dontaudit_write_var_dirs',` ## ## # 
@@ -14333,7 +14373,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5231,36 +6139,37 @@ interface(`files_dontaudit_search_var',` +@@ -5231,36 +6157,37 @@ interface(`files_dontaudit_search_var',` ## ## # @@ -14381,7 +14421,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5268,17 +6177,17 @@ interface(`files_manage_var_dirs',` +@@ -5268,17 +6195,17 @@ interface(`files_manage_var_dirs',` ## ## # @@ -14403,7 +14443,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5286,17 +6195,17 @@ interface(`files_read_var_files',` +@@ -5286,17 +6213,17 @@ interface(`files_read_var_files',` ## ## # @@ -14425,7 +14465,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5304,73 +6213,86 @@ interface(`files_append_var_files',` +@@ -5304,73 +6231,86 @@ interface(`files_append_var_files',` ## ## # @@ -14532,7 +14572,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5378,50 +6300,41 @@ interface(`files_read_var_symlinks',` +@@ -5378,50 +6318,41 @@ interface(`files_read_var_symlinks',` ## ## # @@ -14597,7 +14637,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5429,69 +6342,56 @@ interface(`files_var_filetrans',` +@@ -5429,69 +6360,56 @@ interface(`files_var_filetrans',` ## ## # @@ -14682,7 +14722,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5499,17 +6399,18 @@ interface(`files_dontaudit_search_var_lib',` +@@ -5499,17 +6417,18 @@ interface(`files_dontaudit_search_var_lib',` ## ## # @@ -14706,7 +14746,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5517,70 +6418,54 @@ interface(`files_list_var_lib',` +@@ -5517,70 +6436,54 @@ interface(`files_list_var_lib',` ## ## # @@ -14790,7 +14830,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5588,41 +6473,36 @@ interface(`files_read_var_lib_files',` +@@ -5588,41 +6491,36 @@ interface(`files_read_var_lib_files',` ## ## # @@ -14842,7 +14882,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5630,36 +6510,36 @@ interface(`files_manage_urandom_seed',` +@@ -5630,36 +6528,36 @@ interface(`files_manage_urandom_seed',` ## ## # 
@@ -14889,7 +14929,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5667,38 +6547,35 @@ interface(`files_setattr_lock_dirs',` +@@ -5667,38 +6565,35 @@ interface(`files_setattr_lock_dirs',` ## ## # @@ -14937,7 +14977,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5706,19 +6583,17 @@ interface(`files_dontaudit_search_locks',` +@@ -5706,19 +6601,17 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -14961,7 +15001,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5726,60 +6601,54 @@ interface(`files_list_locks',` +@@ -5726,60 +6619,54 @@ interface(`files_list_locks',` ## ## # @@ -15037,7 +15077,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5787,20 +6656,18 @@ interface(`files_relabel_all_lock_dirs',` +@@ -5787,20 +6674,18 @@ interface(`files_relabel_all_lock_dirs',` ## ## # @@ -15063,7 +15103,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5808,63 +6675,68 @@ interface(`files_getattr_generic_locks',` +@@ -5808,63 +6693,68 @@ interface(`files_getattr_generic_locks',` ## ## # @@ -15155,7 +15195,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5872,101 +6744,87 @@ interface(`files_delete_all_locks',` +@@ -5872,101 +6762,87 @@ interface(`files_delete_all_locks',` ## ## # @@ -15292,7 +15332,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5974,19 +6832,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` +@@ -5974,19 +6850,17 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## ## # @@ -15316,7 +15356,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -5994,39 +6850,52 @@ interface(`files_setattr_pid_dirs',` +@@ -5994,39 +6868,52 @@ interface(`files_setattr_pid_dirs',` ## ## # @@ -15382,7 +15422,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -6034,18 +6903,18 @@ interface(`files_dontaudit_search_pids',` +@@ -6034,18 +6921,18 @@ interface(`files_dontaudit_search_pids',` ## ## # @@ -15406,7 +15446,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -6053,19 +6922,18 @@ interface(`files_list_pids',` +@@ -6053,19 +6940,1283 @@ interface(`files_list_pids',` ## ## # 
@@ -15421,45 +15461,35 @@ index f962f76..890900c 100644 - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) + read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - - ######################################## - ## --## Write named generic process ID pipes ++') ++ ++######################################## ++## +## manage generic symbolic links +## in the /var/lib directory. - ## - ## - ## -@@ -6073,23 +6941,652 @@ interface(`files_read_generic_pids',` - ## - ## - # --interface(`files_write_generic_pid_pipes',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_manage_var_lib_symlinks',` - gen_require(` -- type var_run_t; ++ gen_require(` + type var_lib_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- allow $1 var_run_t:fifo_file write; ++ ') ++ + manage_lnk_files_pattern($1,var_lib_t,var_lib_t) - ') - ++') ++ +# cjp: the next two interfaces really need to be fixed +# in some way. They really neeed their own types. + - ######################################## - ## --## Create an object in the process ID directory, with a private type. ++######################################## ++## +## Create, read, write, and delete the +## pseudorandom number generator seed. - ## --## --##

--## Create an object in the process ID directory (e.g., /var/run) --## with a private type. Typically this is used for creating ++##

+## +## +## Domain allowed access. @@ -16090,14 +16120,14 @@ index f962f76..890900c 100644 +##

+## Create an object in the process ID directory (e.g., /var/run) +## with a private type. Typically this is used for creating - ## private PID files in /var/run with the private type instead - ## of the general PID file type. To accomplish this goal, - ## either the program must be SELinux-aware, or use this interface. -@@ -6098,18 +7595,781 @@ interface(`files_write_generic_pid_pipes',` - ## Related interfaces: - ##

- ##
    --##
  • files_pid_file()
  • ++## private PID files in /var/run with the private type instead ++## of the general PID file type. To accomplish this goal, ++## either the program must be SELinux-aware, or use this interface. ++##

    ++##

    ++## Related interfaces: ++##

    ++##
      +##
    • files_pid_file()
    • +##
    +##

    @@ -16554,11 +16584,9 @@ index f962f76..890900c 100644 +##

    +##
      +##
    • files_spool_filetrans()
    • - ##
    - ##

    - ## Example usage with a domain that can create and --## write its PID file with a private PID file type in the --## /var/run directory: ++##

++##

++## Example usage with a domain that can create and +## write its spool file in the system spool file +## directories (/var/spool): +##

@@ -16567,7 +16595,7 @@ index f962f76..890900c 100644 +## files_spool_file(myfile_spool_t) +## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms }; +## files_spool_filetrans(mydomain_t, myfile_spool_t, file) - ##

++##

+## +## +## @@ -16698,30 +16726,36 @@ index f962f76..890900c 100644 + ') + + list_dirs_pattern($1, var_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Write named generic process ID pipes +## Create, read, write, and delete generic +## spool directories (/var/spool). -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6073,43 +8224,170 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` +interface(`files_manage_generic_spool_dirs',` -+ gen_require(` + gen_require(` +- type var_run_t; + type var_t, var_spool_t; -+ ') -+ + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + allow $1 var_t:dir search_dir_perms; + manage_dirs_pattern($1, var_spool_t, var_spool_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. +## Read generic spool files. +## +## @@ -16871,9 +16905,27 @@ index f962f76..890900c 100644 +######################################## +## +## Create a core files in / -+## -+## + ## + ## ##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +-##

+-##

+-## Related interfaces: +-##

+-##
    +-##
  • files_pid_file()
  • +-##
+-##

+-## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +-##

+-##

-## type mypidfile_t; -## files_pid_file(mypidfile_t) -## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; @@ -16882,7 +16934,7 @@ index f962f76..890900c 100644 ##

##
## -@@ -6117,80 +8377,157 @@ interface(`files_write_generic_pid_pipes',` +@@ -6117,80 +8395,157 @@ interface(`files_write_generic_pid_pipes',` ## Domain allowed access. ##
## @@ -17069,7 +17121,7 @@ index f962f76..890900c 100644 ##
## ## -@@ -6198,19 +8535,17 @@ interface(`files_rw_generic_pids',` +@@ -6198,19 +8553,17 @@ interface(`files_rw_generic_pids',` ## ## # @@ -17093,7 +17145,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -6218,18 +8553,17 @@ interface(`files_dontaudit_getattr_all_pids',` +@@ -6218,18 +8571,17 @@ interface(`files_dontaudit_getattr_all_pids',` ## ## # @@ -17116,7 +17168,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -6237,129 +8571,118 @@ interface(`files_dontaudit_write_all_pids',` +@@ -6237,129 +8589,118 @@ interface(`files_dontaudit_write_all_pids',` ## ## # @@ -17285,7 +17337,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -6367,18 +8690,19 @@ interface(`files_mounton_all_poly_members',` +@@ -6367,18 +8708,19 @@ interface(`files_mounton_all_poly_members',` ## ## # @@ -17310,7 +17362,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -6386,132 +8710,227 @@ interface(`files_search_spool',` +@@ -6386,132 +8728,227 @@ interface(`files_search_spool',` ## ## # @@ -17584,7 +17636,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -6519,53 +8938,17 @@ interface(`files_spool_filetrans',` +@@ -6519,53 +8956,17 @@ interface(`files_spool_filetrans',` ## ## # @@ -17642,7 +17694,7 @@ index f962f76..890900c 100644 ## ## ## -@@ -6573,10 +8956,10 @@ interface(`files_polyinstantiate_all',` +@@ -6573,10 +8974,10 @@ interface(`files_polyinstantiate_all',` ## ## # 
@@ -22638,6 +22690,49 @@ index 2da98c2..31bed0a 100644 attribute mcsreadall; attribute mcs_constrained_type; +attribute mcsnetwrite; +diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if +index d178478..42bf05b 100644 +--- a/policy/modules/kernel/mls.if ++++ b/policy/modules/kernel/mls.if +@@ -100,6 +100,26 @@ interface(`mls_file_write_to_clearance',` + ######################################## + ## + ## Make specified domain MLS trusted ++## for relabelto to files up to its clearance. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`mls_file_relabel_to_clearance',` ++ gen_require(` ++ attribute mlsfilerelabeltoclr; ++ ') ++ ++ typeattribute $1 mlsfilerelabeltoclr; ++') ++ ++######################################## ++## ++## Make specified domain MLS trusted + ## for writing to files at all levels. (Deprecated) + ## + ## +diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te +index 8c7bd90..66ee5b9 100644 +--- a/policy/modules/kernel/mls.te ++++ b/policy/modules/kernel/mls.te +@@ -12,6 +12,7 @@ attribute mlsfilewritetoclr; + attribute mlsfilewriteinrange; + attribute mlsfileupgrade; + attribute mlsfiledowngrade; ++attribute mlsfilerelabeltoclr; + + attribute mlsnetread; + attribute mlsnetreadtoclr; diff --git a/policy/modules/kernel/selinux.fc b/policy/modules/kernel/selinux.fc index 7be4ddf..4d4c577 100644 --- a/policy/modules/kernel/selinux.fc @@ -36748,7 +36843,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..ca7fe18 100644 +index 17eda24..ef7952e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
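Review bot: The new `mls_file_relabel_to_clearance` interface hands out an MLS override attribute (`mlsfilerelabeltoclr`), yet nothing in the visible diff calls it, so the attribute gains no member in this chunk; if the consumer is a package-manager domain in the contrib patch, as the changelog suggests, a pointer to it in the interface description would make later audits of MLS exceptions easier. The description should also state what is being relaxed: a member can presumably relabel a file to a level above its own current sensitivity, up to its clearance, which is a label write-up rather than a read, so it belongs with the other `*_to_clearance` exceptions and should be granted sparingly. Suggested summary wording: `Make specified domain MLS trusted for relabelto to files up to its clearance (lets the domain raise a file's level above its current level; grant only to trusted relabelers such as package managers).` The `mls.te` hunk that declares the attribute is consistent with the existing `mlsfile*` attribute list.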
@@ -37043,7 +37138,7 @@ index 17eda24..ca7fe18 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +323,263 @@ ifdef(`distro_gentoo',` +@@ -186,29 +323,264 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37163,6 +37258,7 @@ index 17eda24..ca7fe18 100644 + +files_search_all(init_t) +files_mounton_all_mountpoints(init_t) ++files_mounton_etc(init_t) +files_unmount_all_file_type_fs(init_t) +files_manage_all_pid_dirs(init_t) +files_manage_etc_dirs(init_t) @@ -37316,7 +37412,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -216,7 +587,30 @@ optional_policy(` +@@ -216,7 +588,30 @@ optional_policy(` ') optional_policy(` @@ -37348,7 +37444,7 @@ index 17eda24..ca7fe18 100644 ') ######################################## -@@ -225,9 +619,9 @@ optional_policy(` +@@ -225,9 +620,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -37360,7 +37456,7 @@ index 17eda24..ca7fe18 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +652,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +653,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37377,7 +37473,7 @@ index 17eda24..ca7fe18 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +677,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +678,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
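Review bot: `files_mounton_etc(init_t)` is added without any trace of why, and the BZ number that justifies it lives only in the spec changelog; since mounting over etc_t lets init shadow any configuration directory, a short why-comment keeps the rationale next to the rule: `files_mounton_etc(init_t) # BZ(1341753): systemd mounts on /etc`. The interface's definition is not in this chunk, so whether it covers etc_t directories only or files as well cannot be checked here. init_t already has `files_mounton_all_mountpoints(init_t)` one line up, so if /etc is a declared mountpoint in this policy the new line may be redundant, which is worth confirming before it lands. The init_t rule block continues outside this hunk.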
@@ -37420,7 +37516,7 @@ index 17eda24..ca7fe18 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +714,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +715,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37432,7 +37528,7 @@ index 17eda24..ca7fe18 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +726,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +727,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37443,7 +37539,7 @@ index 17eda24..ca7fe18 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +737,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +738,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -37453,7 +37549,7 @@ index 17eda24..ca7fe18 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +746,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +747,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37461,7 +37557,7 @@ index 17eda24..ca7fe18 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +753,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +754,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -37469,7 +37565,7 @@ index 17eda24..ca7fe18 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +761,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +762,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37487,7 +37583,7 @@ index 17eda24..ca7fe18 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +779,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +780,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37501,7 +37597,7 @@ index 17eda24..ca7fe18 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +794,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +795,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -37515,7 +37611,7 @@ index 17eda24..ca7fe18 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +807,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +808,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37526,7 +37622,7 @@ index 17eda24..ca7fe18 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +820,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +821,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) 
@@ -37534,7 +37630,7 @@ index 17eda24..ca7fe18 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +839,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +840,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37558,7 +37654,7 @@ index 17eda24..ca7fe18 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +872,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +873,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37566,7 +37662,7 @@ index 17eda24..ca7fe18 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +906,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +907,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37577,7 +37673,7 @@ index 17eda24..ca7fe18 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +930,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +931,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -37586,7 +37682,7 @@ index 17eda24..ca7fe18 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +945,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +946,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37594,7 +37690,7 @@ index 17eda24..ca7fe18 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +966,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +967,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) 
@@ -37602,7 +37698,7 @@ index 17eda24..ca7fe18 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +976,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +977,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37647,7 +37743,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -559,14 +1021,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1022,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37679,7 +37775,7 @@ index 17eda24..ca7fe18 100644 ') ') -@@ -577,6 +1056,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1057,39 @@ ifdef(`distro_suse',` ') ') @@ -37719,7 +37815,7 @@ index 17eda24..ca7fe18 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1101,8 @@ optional_policy(` +@@ -589,6 +1102,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37728,7 +37824,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -610,6 +1124,7 @@ optional_policy(` +@@ -610,6 +1125,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37736,7 +37832,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -626,6 +1141,17 @@ optional_policy(` +@@ -626,6 +1142,17 @@ optional_policy(` ') optional_policy(` @@ -37754,7 +37850,7 @@ index 17eda24..ca7fe18 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1168,13 @@ optional_policy(` +@@ -642,9 +1169,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37768,7 +37864,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -657,15 +1187,11 @@ optional_policy(` +@@ -657,15 +1188,11 @@ optional_policy(` ') optional_policy(` @@ -37786,7 +37882,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -686,6 +1212,15 @@ optional_policy(` +@@ -686,6 +1213,15 @@ optional_policy(` ') optional_policy(` 
@@ -37802,7 +37898,7 @@ index 17eda24..ca7fe18 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1261,7 @@ optional_policy(` +@@ -726,6 +1262,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37810,7 +37906,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -743,7 +1279,13 @@ optional_policy(` +@@ -743,7 +1280,13 @@ optional_policy(` ') optional_policy(` @@ -37825,7 +37921,7 @@ index 17eda24..ca7fe18 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1308,10 @@ optional_policy(` +@@ -766,6 +1309,10 @@ optional_policy(` ') optional_policy(` @@ -37836,7 +37932,7 @@ index 17eda24..ca7fe18 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1321,20 @@ optional_policy(` +@@ -775,10 +1322,20 @@ optional_policy(` ') optional_policy(` @@ -37857,7 +37953,7 @@ index 17eda24..ca7fe18 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1343,10 @@ optional_policy(` +@@ -787,6 +1344,10 @@ optional_policy(` ') optional_policy(` @@ -37868,7 +37964,7 @@ index 17eda24..ca7fe18 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1368,6 @@ optional_policy(` +@@ -808,8 +1369,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -37877,7 +37973,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -818,6 +1376,10 @@ optional_policy(` +@@ -818,6 +1377,10 @@ optional_policy(` ') optional_policy(` @@ -37888,7 +37984,7 @@ index 17eda24..ca7fe18 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1389,12 @@ optional_policy(` +@@ -827,10 +1390,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -37901,7 +37997,7 @@ index 17eda24..ca7fe18 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1421,60 @@ optional_policy(` +@@ -857,21 +1422,60 @@ optional_policy(` ') optional_policy(` 
@@ -37963,7 +38059,7 @@ index 17eda24..ca7fe18 100644 ') optional_policy(` -@@ -887,6 +1490,10 @@ optional_policy(` +@@ -887,6 +1491,10 @@ optional_policy(` ') optional_policy(` @@ -37974,7 +38070,7 @@ index 17eda24..ca7fe18 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1504,218 @@ optional_policy(` +@@ -897,3 +1505,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -39164,7 +39260,7 @@ index 0000000..c814795 +fs_manage_kdbus_dirs(systemd_logind_t) +fs_manage_kdbus_files(systemd_logind_t) diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc -index 73bb3c0..4fef124 100644 +index 73bb3c0..0dd3f58 100644 --- a/policy/modules/system/libraries.fc +++ b/policy/modules/system/libraries.fc @@ -1,3 +1,4 @@ @@ -39331,7 +39427,7 @@ index 73bb3c0..4fef124 100644 /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -299,17 +311,155 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te +@@ -299,17 +311,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te # /var/cache/ldconfig(/.*)? gen_context(system_u:object_r:ldconfig_cache_t,s0) @@ -39453,6 +39549,7 @@ index 73bb3c0..4fef124 100644 +/usr/lib/httpd/modules/libphp5\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +') +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/var/lib/VBoxGuestAdditions.*/lib/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -48294,10 +48391,10 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..1d1f80b +index 0000000..0a20dcb --- /dev/null 
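Review bot: The new `/var/lib/VBoxGuestAdditions.*/lib/.*\.so` entry is looser than the `/opt/VBoxGuestAdditions.*/lib/VBox.*\.so` entry right above it: the trailing `.*\.so` labels any shared object under that tree as textrel_shlib_t, and the unanchored `.*` after `VBoxGuestAdditions` also matches sibling directory names that merely start with that prefix. textrel_shlib_t is the label that permits text relocations (execmod), and /var/lib is a writable tree, so keep the pattern as narrow as the report requires, e.g. `/var/lib/VBoxGuestAdditions[^/]*/lib/VBox.*\.so`. file_contexts patterns are anchored at both ends, so versioned names such as `libfoo.so.1` would not match a pattern ending in `\.so`; if the BZ involves such names the entry needs a suffix like the `\.so.*` used by the `/usr/lib/nmm/liba52` line in this same hunk.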
+++ b/policy/modules/system/systemd.te -@@ -0,0 +1,950 @@ +@@ -0,0 +1,952 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -49154,6 +49251,8 @@ index 0000000..1d1f80b +dev_write_kmsg(systemd_gpt_generator_t) +dev_read_nvme(systemd_gpt_generator_t) + ++fstools_exec(systemd_gpt_generator_t) ++ +storage_raw_read_fixed_disk(systemd_gpt_generator_t) +storage_raw_read_removable_device(systemd_gpt_generator_t) + diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index e4152ae..c2f7d64 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -29669,7 +29669,7 @@ index 4498143..84a4858 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index 36838c2..0a8b621 100644 +index 36838c2..21cc5ed 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1) @@ -29834,11 +29834,16 @@ index 36838c2..0a8b621 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -259,32 +228,50 @@ sysnet_use_ldap(ftpd_t) +@@ -259,32 +228,55 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) +userdom_filetrans_home_content(ftpd_t) ++userdom_manage_user_home_content_dirs(ftpd_t) ++userdom_manage_user_home_content_files(ftpd_t) ++userdom_manage_user_tmp_dirs(ftpd_t) ++userdom_manage_user_tmp_files(ftpd_t) ++ -tunable_policy(`allow_ftpd_anon_write',` +tunable_policy(`ftpd_anon_write',` @@ -29892,7 +29897,7 @@ index 36838c2..0a8b621 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -304,44 +291,24 @@ tunable_policy(`ftpd_connect_db',` +@@ -304,44 +296,24 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) 
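Review bot: `fstools_exec(systemd_gpt_generator_t)` runs the filesystem tool inside the generator's own domain, so whatever binary is executed inherits the generator's raw-disk access (`storage_raw_read_fixed_disk`, `storage_raw_read_removable_device` just below) instead of its own confinement; if the intent is to run an fstools binary as a separate step, the fstools module's domain-transition interface (`fstools_domtrans`) would keep it in the fstools domain. Which binary is executed is not stated, so a why-comment with the bug reference, `# BZ(1353585): gpt generator executes fstools`, would let the next reviewer judge exec versus domtrans. The systemd_gpt_generator_t rule block starts and ends outside this hunk.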
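Review bot: The four `userdom_manage_user_*` rules are added unconditionally, so every ftpd_t instance, including an anonymous-only server, can now create, write and delete content in every user's home directory and in user_tmp_t, while the rest of this file keeps comparable access behind `tunable_policy` blocks (`ftpd_anon_write`, `ftpd_use_passive_mode`, `ftpd_connect_db` in this very hunk) that an administrator can switch off. Wrapping the four lines in a `tunable_policy(...)` block keyed on the policy's existing home-directory boolean, if it is still declared in this file, or on a new `gen_tunable`, keeps the admin in control of that exposure. `userdom_manage_user_tmp_files(ftpd_t)` in particular lets an FTP upload overwrite per-user temporary files of unrelated sessions, which is wider than the "userhome data" the changelog describes. The tunable_policy blocks this hunk touches continue outside it.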
@@ -29942,7 +29947,7 @@ index 36838c2..0a8b621 100644 corecmd_exec_shell(ftpd_t) files_read_usr_files(ftpd_t) -@@ -363,9 +330,8 @@ optional_policy(` +@@ -363,9 +335,8 @@ optional_policy(` optional_policy(` selinux_validate_context(ftpd_t) @@ -29953,7 +29958,7 @@ index 36838c2..0a8b621 100644 kerberos_use(ftpd_t) ') -@@ -416,86 +382,39 @@ optional_policy(` +@@ -416,86 +387,39 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -45848,7 +45853,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..6f475e4 100644 +index be0ab84..9059174 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) @@ -45885,7 +45890,7 @@ index be0ab84..6f475e4 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +38,30 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +38,31 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -45919,10 +45924,11 @@ index be0ab84..6f475e4 100644 allow logrotate_t self:unix_dgram_socket sendto; -allow logrotate_t self:unix_stream_socket { accept connectto listen }; +allow logrotate_t self:unix_stream_socket connectto; ++allow logrotate_t self:netlink_selinux_socket create_socket_perms; allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,36 +70,52 @@ allow logrotate_t self:msg { send receive }; +@@ -48,36 +71,52 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) 
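Review bot: `allow logrotate_t self:netlink_selinux_socket create_socket_perms;` carries no explanation of which code path in logrotate opens a SELinux netlink socket; presumably it is libselinux's policy-change notification socket, triggered by the label handling logrotate does on rotated logs, but that is a guess from the class name alone. A why-comment such as `# libselinux opens a netlink_selinux_socket for policy change notifications (confirm against the AVC)` would stop the next reviewer from re-deriving it. The rule is inserted between the unix_stream_socket and shm rules, which does keep the socket classes together in this self-permission run, so placement is fine. Blank lines appear to have been dropped in this rendering, so the hunk may extend slightly past the visible text.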
@@ -45980,7 +45986,7 @@ index be0ab84..6f475e4 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +133,55 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +134,55 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) @@ -46042,7 +46048,7 @@ index be0ab84..6f475e4 100644 ') optional_policy(` -@@ -135,16 +196,17 @@ optional_policy(` +@@ -135,16 +197,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -46062,7 +46068,7 @@ index be0ab84..6f475e4 100644 ') optional_policy(` -@@ -170,6 +232,11 @@ optional_policy(` +@@ -170,6 +233,11 @@ optional_policy(` ') optional_policy(` @@ -46074,7 +46080,7 @@ index be0ab84..6f475e4 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +245,7 @@ optional_policy(` +@@ -178,7 +246,7 @@ optional_policy(` ') optional_policy(` @@ -46083,7 +46089,7 @@ index be0ab84..6f475e4 100644 ') optional_policy(` -@@ -198,17 +265,18 @@ optional_policy(` +@@ -198,17 +266,18 @@ optional_policy(` ') optional_policy(` @@ -46105,7 +46111,7 @@ index be0ab84..6f475e4 100644 ') optional_policy(` -@@ -216,6 +284,14 @@ optional_policy(` +@@ -216,6 +285,14 @@ optional_policy(` ') optional_policy(` @@ -46120,7 +46126,7 @@ index be0ab84..6f475e4 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +304,50 @@ optional_policy(` +@@ -228,26 +305,50 @@ optional_policy(` ') optional_policy(` @@ -49816,10 +49822,10 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..942a31e +index 0000000..d854e6c --- /dev/null +++ b/mock.te -@@ -0,0 +1,286 @@ +@@ -0,0 +1,287 @@ +policy_module(mock,1.0.0) + +## 
@@ -50102,6 +50108,7 @@ index 0000000..942a31e + +term_use_all_inherited_terms(mock_build_t) +userdom_use_inherited_user_ptys(mock_build_t) ++term_dontaudit_manage_pty_dirs(mock_build_t) + +tunable_policy(`mock_enable_homedirs',` + userdom_read_user_home_content_files(mock_build_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 464f016..27988ac 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.8%{?dist} +Release: 191.9%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -645,6 +645,16 @@ exit 0 %endif %changelog +* Fri Jul 29 2016 Lukas Vrabec 3.13.1-191.9 +- Dontaudit mock_build_t can list all ptys. +- Allow ftpd_t to mamange userhome data without any boolean. +- Add logrotate permissions for creating netlink selinux sockets. +- Add new MLS attribute to allow relabeling objects higher than system low. This exception is needed for package managers when processing sensitive data. +- Label all VBox libraries stored in /var/lib/VBoxGuestAdditions/lib/ as textrel_shlib_t BZ(1356654) +- Allow systemd gpt generator to run fstools BZ(1353585) +- Allow gnome-keyring also manage user_tmp_t sockets. +- Allow systemd to mounton /etc filesystem. BZ(1341753) + * Wed Jul 27 2016 Lukas Vrabec 3.13.1-191.8 - Fix typo bug in ssh policy
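Review bot: The changelog entry says mock_build_t should merely be quiet about listing ptys, but `term_dontaudit_manage_pty_dirs(mock_build_t)` presumably silences create, write, setattr and unlink denials on the devpts directory too, which hides genuine misbehavior of a build chroot on the terminal tree; if terminal.if provides a list-only dontaudit (`term_dontaudit_list_ptys`), that matches the stated intent, otherwise a narrower interface is preferable to a manage-wide one. The line is also placed after `userdom_use_inherited_user_ptys`; moving it next to `term_use_all_inherited_terms` keeps the term_ calls grouped as elsewhere in this file. The mock_build_t rule block continues outside this hunk.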