From 7f471e58b56a2849fd8e701a4d168a2f072d3e17 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 16 2012 11:46:39 +0000 Subject: - Fix pulseaudio port definition - Add labeling for condor_starter - Allow chfn_t to creat user_tmp_files - Allow chfn_t to execute bin_t - Allow prelink_cron_system_t to getpw calls - Allow sudo domains to manage kerberos rcache files - Allow user_mail_domains to work with courie - Port definitions necessary for running jboss apps within openshift - Add support for openstack-nova-metadata-api - Add support for nova-console* - Add support for openstack-nova-xvpvncproxy - Fixes to make privsep+SELinux working if we try to use chage to change passwd - Fix auth_role() interface - Allow numad to read sysfs - Allow matahari-rpcd to execute shell - Add label for ~/.spicec - xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed wit - Devicekit_disk wants to read the logind sessions file when writing a cd - Add fixes for condor to make condor jobs working correctly - Change label of /var/log/rpmpkgs to cron_log_t - Access requires to allow systemd-tmpfiles --create to work. - Fix obex to be a user application started by the session bus. - Add additional filename trans rules for kerberos - Fix /var/run/heartbeat labeling - Allow apps that are managing rcache to file trans correctly - Allow openvpn to authenticate against ldap server - Containers need to listen to network starting and stopping events --- diff --git a/policy-F16.patch b/policy-F16.patch index 726c4a7..8e5aff8 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -60434,7 +60434,7 @@ index 93ec175..0e42018 100644 ') ') diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..5d940f8 100644 +index af55369..437026a 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) 
@@ -60517,13 +60517,15 @@ index af55369..5d940f8 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +170,29 @@ optional_policy(` +@@ -148,17 +170,31 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) - init_exec(prelink_cron_system_t) + fs_search_cgroup_dirs(prelink_cron_system_t) + ++ auth_use_nsswitch(prelink_cron_system_t) ++ + init_telinit(prelink_cron_system_t) libs_exec_ld_so(prelink_cron_system_t) @@ -60930,7 +60932,7 @@ index b4ac57e..ef944a4 100644 logging_send_syslog_msg(readahead_t) logging_set_audit_parameters(readahead_t) diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc -index b206bf6..0bc863c 100644 +index b206bf6..3d5caa1 100644 --- a/policy/modules/admin/rpm.fc +++ b/policy/modules/admin/rpm.fc @@ -6,7 +6,9 @@ @@ -60943,7 +60945,7 @@ index b206bf6..0bc863c 100644 /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -@@ -19,14 +21,21 @@ +@@ -19,23 +21,31 @@ /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` @@ -60965,8 +60967,10 @@ index b206bf6..0bc863c 100644 /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -@@ -36,6 +45,8 @@ ifdef(`distro_redhat', ` - /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) + /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) + /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) + +-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) 
@@ -62017,7 +62021,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 975af1a..748db5b 100644 +index 975af1a..0ae7660 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -62061,7 +62065,7 @@ index 975af1a..748db5b 100644 allow $1_sudo_t $3:key search; -@@ -76,88 +63,19 @@ template(`sudo_role_template',` +@@ -76,86 +63,25 @@ template(`sudo_role_template',` # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) @@ -62144,19 +62148,19 @@ index 975af1a..748db5b 100644 - fs_manage_cifs_files($1_sudo_t) - ') - -- optional_policy(` + optional_policy(` - dbus_system_bus_client($1_sudo_t) -- ') -- -- optional_policy(` ++ mta_role($2, $1_sudo_t) + ') + + optional_policy(` - fprintd_dbus_chat($1_sudo_t) -- ') -- -+ mta_role($2, $1_sudo_t) - ') ++ kerberos_manage_host_rcache($1_sudo_t) ++ kerberos_read_config($1_sudo_t) + ') - ######################################## -@@ -177,3 +95,22 @@ interface(`sudo_sigchld',` + ') +@@ -177,3 +103,22 @@ interface(`sudo_sigchld',` allow $1 sudodomain:process sigchld; ') @@ -62662,7 +62666,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..8b16b42 100644 +index 441cf22..b599f68 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -71,6 +71,7 @@ allow chfn_t self:unix_stream_socket connectto; @@ -62673,7 +62677,7 @@ index 441cf22..8b16b42 100644 selinux_get_fs_mount(chfn_t) selinux_validate_context(chfn_t) -@@ -79,25 +80,25 @@ selinux_compute_create_context(chfn_t) +@@ -79,25 +80,26 @@ selinux_compute_create_context(chfn_t) selinux_compute_relabel_context(chfn_t) selinux_compute_user_contexts(chfn_t) 
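Review bot: `kerberos_manage_host_rcache($1_sudo_t)` in the `@@ -62144,19 +62148,19 @@` hunk hands every sudo role domain full manage rights (the interface, as rewritten later in this patch, uses manage_files_pattern on krb5_host_rcache_t plus named filetrans for host_0, HTTP_*, nfs_0 and ldap_* caches), which is more than a PAM stack verifying a login plausibly needs for its own host replay cache. If only the host cache is required, a narrower interface, or at least a comment recording the AVC that motivated full manage, would stop this reading as "sudo may unlink the web/LDAP/NFS replay caches"; e.g. `# pam_krb5 in sudo writes the host rcache; full manage needed for <PLACEHOLDER: denial> — confirm`. The `sudo_role_template` this sits in opens before the hunk.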
@@ -62698,6 +62702,7 @@ index 441cf22..8b16b42 100644 # allow checking if a shell is executable corecmd_check_exec_shell(chfn_t) ++corecmd_exec_bin(chfn_t) domain_use_interactive_fds(chfn_t) @@ -62705,7 +62710,7 @@ index 441cf22..8b16b42 100644 files_read_etc_runtime_files(chfn_t) files_dontaudit_search_var(chfn_t) files_dontaudit_search_home(chfn_t) -@@ -105,6 +106,7 @@ files_dontaudit_search_home(chfn_t) +@@ -105,6 +107,7 @@ files_dontaudit_search_home(chfn_t) # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(chfn_t) @@ -62713,7 +62718,15 @@ index 441cf22..8b16b42 100644 miscfiles_read_localization(chfn_t) -@@ -118,6 +120,10 @@ userdom_use_unpriv_users_fds(chfn_t) +@@ -113,11 +116,18 @@ logging_send_syslog_msg(chfn_t) + # uses unix_chkpwd for checking passwords + seutil_dontaudit_search_config(chfn_t) + ++userdom_manage_user_tmp_files(chfn_t) ++userdom_tmp_filetrans_user_tmp(chfn_t, { file }) ++ + userdom_use_unpriv_users_fds(chfn_t) + # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(chfn_t) @@ -62724,7 +62737,7 @@ index 441cf22..8b16b42 100644 ######################################## # # Crack local policy -@@ -194,8 +200,8 @@ selinux_compute_create_context(groupadd_t) +@@ -194,8 +204,8 @@ selinux_compute_create_context(groupadd_t) selinux_compute_relabel_context(groupadd_t) selinux_compute_user_contexts(groupadd_t) @@ -62735,7 +62748,7 @@ index 441cf22..8b16b42 100644 init_use_fds(groupadd_t) init_read_utmp(groupadd_t) -@@ -203,8 +209,8 @@ init_dontaudit_write_utmp(groupadd_t) +@@ -203,8 +213,8 @@ init_dontaudit_write_utmp(groupadd_t) domain_use_interactive_fds(groupadd_t) 
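Review bot: `corecmd_exec_bin(chfn_t)` in the `@@ -62698,6 +62702,7 @@` hunk lets the setuid chfn/chsh/chage domain execute every bin_t program in its own domain, which is far wider than the `corecmd_check_exec_shell(chfn_t)` it is placed next to, and the description only says the privsep path of chage needs it. If one specific helper is required, a dedicated exec type with a domain transition keeps the grant narrow; failing that, the rule should carry its reason, e.g. `# chage privsep helper execs from bin_t (see commit) — TODO narrow to a dedicated exec type`. The same question applies to `userdom_manage_user_tmp_files(chfn_t)` in the `@@ -62713,7 +62718,15 @@` hunk, which grants create/rename/unlink on all user_tmp_t files rather than only on the file chfn_t creates through the new filetrans; confirm full manage is what the denial showed.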
@@ -62745,7 +62758,7 @@ index 441cf22..8b16b42 100644 files_read_etc_runtime_files(groupadd_t) files_read_usr_symlinks(groupadd_t) -@@ -219,9 +225,10 @@ miscfiles_read_localization(groupadd_t) +@@ -219,9 +229,10 @@ miscfiles_read_localization(groupadd_t) auth_domtrans_chk_passwd(groupadd_t) auth_rw_lastlog(groupadd_t) auth_use_nsswitch(groupadd_t) @@ -62757,7 +62770,7 @@ index 441cf22..8b16b42 100644 auth_relabel_shadow(groupadd_t) auth_etc_filetrans_shadow(groupadd_t) -@@ -269,6 +276,7 @@ allow passwd_t self:shm create_shm_perms; +@@ -269,6 +280,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; allow passwd_t self:msg { send receive }; @@ -62765,7 +62778,7 @@ index 441cf22..8b16b42 100644 allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) -@@ -277,6 +285,7 @@ kernel_read_kernel_sysctls(passwd_t) +@@ -277,6 +289,7 @@ kernel_read_kernel_sysctls(passwd_t) # for SSP dev_read_urand(passwd_t) @@ -62773,7 +62786,7 @@ index 441cf22..8b16b42 100644 fs_getattr_xattr_fs(passwd_t) fs_search_auto_mountpoints(passwd_t) -@@ -291,26 +300,30 @@ selinux_compute_create_context(passwd_t) +@@ -291,26 +304,30 @@ selinux_compute_create_context(passwd_t) selinux_compute_relabel_context(passwd_t) selinux_compute_user_contexts(passwd_t) @@ -62809,7 +62822,7 @@ index 441cf22..8b16b42 100644 # /usr/bin/passwd asks for w access to utmp, but it will operate # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(passwd_t) -@@ -323,7 +336,7 @@ miscfiles_read_localization(passwd_t) +@@ -323,7 +340,7 @@ miscfiles_read_localization(passwd_t) seutil_dontaudit_search_config(passwd_t) 
@@ -62818,7 +62831,7 @@ index 441cf22..8b16b42 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -332,6 +345,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -332,6 +349,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -62826,7 +62839,7 @@ index 441cf22..8b16b42 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -381,9 +395,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -381,9 +399,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -62839,7 +62852,7 @@ index 441cf22..8b16b42 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -396,7 +411,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -396,7 +415,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -62847,7 +62860,7 @@ index 441cf22..8b16b42 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -426,7 +440,8 @@ optional_policy(` +@@ -426,7 +444,8 @@ optional_policy(` # Useradd local policy # @@ -62857,7 +62870,7 @@ index 441cf22..8b16b42 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -448,10 +463,13 @@ corecmd_exec_shell(useradd_t) +@@ -448,10 +467,13 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) 
@@ -62872,7 +62885,7 @@ index 441cf22..8b16b42 100644 files_search_var_lib(useradd_t) files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) -@@ -460,17 +478,15 @@ fs_search_auto_mountpoints(useradd_t) +@@ -460,17 +482,15 @@ fs_search_auto_mountpoints(useradd_t) fs_getattr_xattr_fs(useradd_t) mls_file_upgrade(useradd_t) @@ -62897,7 +62910,7 @@ index 441cf22..8b16b42 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -478,6 +494,7 @@ auth_rw_faillog(useradd_t) +@@ -478,6 +498,7 @@ auth_rw_faillog(useradd_t) auth_use_nsswitch(useradd_t) # these may be unnecessary due to the above # domtrans_chk_passwd() call. @@ -62905,7 +62918,7 @@ index 441cf22..8b16b42 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -495,24 +512,19 @@ seutil_read_file_contexts(useradd_t) +@@ -495,24 +516,19 @@ seutil_read_file_contexts(useradd_t) seutil_read_default_contexts(useradd_t) seutil_domtrans_semanage(useradd_t) seutil_domtrans_setfiles(useradd_t) @@ -66581,10 +66594,10 @@ index dff0f12..ecab36d 100644 init_dbus_chat_script(mono_t) diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc -index 93ac529..4c0895e 100644 +index 93ac529..ff22091 100644 --- a/policy/modules/apps/mozilla.fc +++ b/policy/modules/apps/mozilla.fc -@@ -1,8 +1,14 @@ +@@ -1,8 +1,15 @@ HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) 
@@ -66596,10 +66609,11 @@ index 93ac529..4c0895e 100644 +HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) # # /bin -@@ -14,16 +20,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +@@ -14,16 +21,28 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) /usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0) @@ -66638,7 +66652,7 @@ index 93ac529..4c0895e 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index fbb5c5a..637eb37 100644 +index fbb5c5a..ca297bf 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -66679,7 +66693,7 @@ index fbb5c5a..637eb37 100644 ') ######################################## -@@ -197,12 +209,34 @@ interface(`mozilla_domtrans',` +@@ -197,12 +209,35 @@ interface(`mozilla_domtrans',` # interface(`mozilla_domtrans_plugin',` gen_require(` @@ -66697,6 +66711,7 @@ index fbb5c5a..637eb37 100644 + allow $1 mozilla_plugin_t:fd use; + + allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; ++ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms }; + allow mozilla_plugin_t $1:shm { rw_shm_perms destroy }; + allow mozilla_plugin_t $1:sem create_sem_perms; + 
@@ -66715,7 +66730,7 @@ index fbb5c5a..637eb37 100644 ') ######################################## -@@ -228,6 +262,35 @@ interface(`mozilla_run_plugin',` +@@ -228,6 +263,35 @@ interface(`mozilla_run_plugin',` mozilla_domtrans_plugin($1) role $2 types mozilla_plugin_t; @@ -66751,7 +66766,7 @@ index fbb5c5a..637eb37 100644 ') ######################################## -@@ -269,9 +332,27 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -269,9 +333,27 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -66780,7 +66795,7 @@ index fbb5c5a..637eb37 100644 ## ## ## -@@ -279,28 +360,79 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -279,28 +361,80 @@ interface(`mozilla_rw_tcp_sockets',` ## ## # @@ -66865,6 +66880,7 @@ index fbb5c5a..637eb37 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") ') + diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te @@ -70989,10 +71005,10 @@ index 0000000..9127cec +') diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..28f7212 +index 0000000..4b4adba --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,101 @@ +@@ -0,0 +1,102 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -71004,6 +71020,7 @@ index 0000000..28f7212 +type thumb_exec_t; +application_domain(thumb_t, thumb_exec_t) +ubac_constrained(thumb_t) ++userdom_home_manager(thumb_t) + +type thumb_tmp_t; +files_tmp_file(thumb_tmp_t) @@ -73729,7 +73746,7 @@ index 8e0f9cd..da3b374 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..60d4823 100644 +index 99b71cb..048159a 100644 --- a/policy/modules/kernel/corenetwork.te.in 
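Review bot: `userdom_home_manager(thumb_t)` in the thumb.te hunk widens what a thumbnailer — a domain whose job is to parse arbitrary user-supplied files — may do with home content, and the line carries no explanation. What the attribute confers is not visible in this patch; if it exists only so the `use_nfs_home_dirs`/`use_samba_home_dirs` tunables reach the thumbnail directories, a comment such as `# home_manager so the NFS/CIFS home-dir tunables cover thumbnail caches — confirm scope` would record that and make a later least-privilege pass easier. The module body continues past the hunk.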
+++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -73877,7 +73894,7 @@ index 99b71cb..60d4823 100644 network_port(ipmi, udp,623,s0, udp,664,s0) network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) -@@ -129,20 +178,30 @@ network_port(iscsi, tcp,3260,s0) +@@ -129,20 +178,31 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -73885,9 +73902,10 @@ index 99b71cb..60d4823 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) ++network_port(jacorb, tcp,3528,s0, tcp,3529,s0) +network_port(jboss_debug, tcp,8787,s0) +network_port(jboss_messaging, tcp,5445,s0, tcp,5455,s0) -+network_port(jboss_management, tcp,4712,s0, tcp,4447,s0, udp,4712,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 18001, s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,4447,s0, tcp,7600,s0, tcp,9123,s0, udp,9123,s0, tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) @@ -73911,7 +73929,7 @@ index 99b71cb..60d4823 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -152,21 +211,33 @@ network_port(mysqlmanagerd, tcp,2273,s0) +@@ -152,61 +212,81 @@ network_port(mysqlmanagerd, tcp,2273,s0) network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) 
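Review bot: The new `jboss_management` definition in the `@@ -73877,7 +73894,7 @@` hunk mixes two spellings of the tuple syntax on one line (`tcp,4712,s0` alongside `tcp, 9990, s0, tcp, 9999, s0, tcp, 18001, s0`), unlike every other network_port() entry in the hunk. Writing the tail as `tcp,9990,s0, tcp,9999,s0, tcp,18001,s0` keeps the file consistent and greppable. Since a single port type is the unit of access, a domain granted jboss_management now reaches all nine port/protocol pairs; a one-line comment naming which component listens on which port would help anyone auditing that grant later.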
@@ -73946,7 +73964,9 @@ index 99b71cb..60d4823 100644 network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) -@@ -175,38 +246,46 @@ network_port(pulseaudio, tcp,4713,s0) + network_port(ptal, tcp,5703,s0) +-network_port(pulseaudio, tcp,4713,s0) ++network_port(pulseaudio, tcp,4713,s0, udp,4713,s0) network_port(puppet, tcp, 8140, s0) network_port(pxe, udp,4011,s0) network_port(pyzor, udp,24441,s0) @@ -73999,7 +74019,7 @@ index 99b71cb..60d4823 100644 network_port(traceroute, udp,64000-64010,s0) network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) -@@ -215,9 +294,12 @@ network_port(uucpd, tcp,540,s0) +@@ -215,9 +295,12 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -74013,7 +74033,7 @@ index 99b71cb..60d4823 100644 network_port(xdmcp, udp,177,s0, tcp,177,s0) network_port(xen, tcp,8002,s0) network_port(xfs, tcp,7100,s0) -@@ -229,6 +311,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +312,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -74021,7 +74041,7 @@ index 99b71cb..60d4823 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +321,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +322,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) 
@@ -74034,7 +74054,7 @@ index 99b71cb..60d4823 100644 ######################################## # -@@ -282,9 +371,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +372,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -93400,10 +93420,10 @@ index 74505cc..dbd4f7f 100644 +') diff --git a/policy/modules/services/condor.fc b/policy/modules/services/condor.fc new file mode 100644 -index 0000000..f838fdf +index 0000000..b3a5b51 --- /dev/null +++ b/policy/modules/services/condor.fc -@@ -0,0 +1,20 @@ +@@ -0,0 +1,21 @@ +/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0) + +/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) @@ -93411,6 +93431,7 @@ index 0000000..f838fdf +/usr/sbin/condor_negotiator -- gen_context(system_u:object_r:condor_negotiator_exec_t,s0) +/usr/sbin/condor_schedd -- gen_context(system_u:object_r:condor_schedd_exec_t,s0) +/usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) ++/usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) +/usr/sbin/condor_procd -- gen_context(system_u:object_r:condor_procd_exec_t,s0) + +/var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) @@ -93426,10 +93447,10 @@ index 0000000..f838fdf +/var/run/condor(/.*)? gen_context(system_u:object_r:condor_var_run_t,s0) diff --git a/policy/modules/services/condor.if b/policy/modules/services/condor.if new file mode 100644 -index 0000000..2c150a6 +index 0000000..168f664 --- /dev/null +++ b/policy/modules/services/condor.if -@@ -0,0 +1,309 @@ +@@ -0,0 +1,327 @@ + +## policy for condor + 
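Review bot: `/usr/sbin/condor_starter` in the condor.fc hunk is labeled with the existing `condor_startd_exec_t` instead of its own exec type, so policy can no longer distinguish the two binaries: the `can_exec(condor_startd_t, condor_startd_exec_t)` and `domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)` rules added in the condor.te hunks (next page line) now apply to both programs. If the starter is intended to run inside the startd domain, say so on the .fc line, e.g. `# condor_starter is launched by startd and shares its domain/exec type deliberately`; otherwise a separate `condor_starter_exec_t` is the finer-grained choice and keeps the schedd transition limited to startd.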
@@ -93699,6 +93720,24 @@ index 0000000..2c150a6 + allow $1 condor_startd_t:tcp_socket rw_socket_perms; +') + ++###################################### ++## ++## Read and write condor_schedd server TCP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`condor_rw_tcp_sockets_schedd',` ++ gen_require(` ++ type condor_schedd_t; ++ ') ++ ++ allow $1 condor_schedd_t:tcp_socket rw_socket_perms; ++') ++ +######################################## +## +## All of the rules required to administrate @@ -93741,10 +93780,10 @@ index 0000000..2c150a6 +') diff --git a/policy/modules/services/condor.te b/policy/modules/services/condor.te new file mode 100644 -index 0000000..e1f7dcb +index 0000000..4eb7bd9 --- /dev/null +++ b/policy/modules/services/condor.te -@@ -0,0 +1,226 @@ +@@ -0,0 +1,231 @@ +policy_module(condor, 1.0.0) + +######################################## @@ -93916,6 +93955,7 @@ index 0000000..e1f7dcb +# + +domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) ++domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) + +# dac_override because of /var/log/condor +allow condor_schedd_t self:capability { setuid chown setgid dac_override }; @@ -93953,8 +93993,12 @@ index 0000000..e1f7dcb +manage_files_pattern(condor_startd_t, condor_startd_tmpfs_t, condor_startd_tmpfs_t) +fs_tmpfs_filetrans(condor_startd_t, condor_startd_tmpfs_t, { dir file }) + ++can_exec(condor_startd_t, condor_startd_exec_t) ++ +kernel_read_kernel_sysctls(condor_startd_t) + ++domain_read_all_domains_state(condor_startd_t) ++ +auth_use_nsswitch(condor_startd_t) + +init_domtrans_script(condor_startd_t) @@ -94214,7 +94258,7 @@ index e67a003..cc813f3 100644 unconfined_stream_connect(consolekit_t) ') diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc -index 3a6d7eb..61eba8f 100644 +index 3a6d7eb..176271c 100644 --- a/policy/modules/services/corosync.fc +++ b/policy/modules/services/corosync.fc @@ -1,12 +1,23 @@ 
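Review bot: `domain_read_all_domains_state(condor_startd_t)` in the `@@ -93953,8 +93993,12 @@` hunk gives the startd read access to the /proc state of every domain on the host, a broad grant sitting next to the much more targeted `kernel_read_kernel_sysctls(condor_startd_t)`, and nothing in the hunk says which process information the startd needs. If an AVC drove it, recording it lets a later reviewer restrict the rule to the job domains, e.g. `# startd inspects /proc/<pid> of running jobs — denial: <PLACEHOLDER: avc>`. The condor_startd_t policy continues past the hunk.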
@@ -94239,7 +94283,7 @@ index 3a6d7eb..61eba8f 100644 /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) -+/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) ++/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if index 5220c9d..11e5dc4 100644 @@ -95052,7 +95096,7 @@ index 13d2f63..861fad7 100644 ') diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 2eefc08..a1af527 100644 +index 2eefc08..f57c986 100644 --- a/policy/modules/services/cron.fc +++ b/policy/modules/services/cron.fc @@ -2,6 +2,10 @@ @@ -95066,7 +95110,12 @@ index 2eefc08..a1af527 100644 /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) -@@ -14,14 +18,15 @@ +@@ -11,17 +15,20 @@ + /usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0) + /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) + ++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) ++ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) 
@@ -95084,7 +95133,7 @@ index 2eefc08..a1af527 100644 #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) /var/spool/cron/[^/]* -- <> -@@ -45,3 +50,5 @@ ifdef(`distro_suse', ` +@@ -45,3 +52,5 @@ ifdef(`distro_suse', ` /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) @@ -98391,7 +98440,7 @@ index f706b99..9b9f4ad 100644 + #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log") ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..51d1512 100644 +index f231f17..f6803f2 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -8,14 +8,17 @@ policy_module(devicekit, 1.1.0) @@ -98493,7 +98542,18 @@ index f231f17..51d1512 100644 optional_policy(` dbus_system_bus_client(devicekit_disk_t) -@@ -178,55 +196,85 @@ optional_policy(` +@@ -170,6 +188,10 @@ optional_policy(` + ') + + optional_policy(` ++ systemd_read_logind_sessions_files(devicekit_disk_t) ++') ++ ++optional_policy(` + udev_domtrans(devicekit_disk_t) + udev_read_db(devicekit_disk_t) + ') +@@ -178,55 +200,85 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -98584,7 +98644,7 @@ index f231f17..51d1512 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -235,7 +283,12 @@ optional_policy(` +@@ -235,7 +287,12 @@ optional_policy(` ') optional_policy(` @@ -98597,7 +98657,7 @@ index f231f17..51d1512 100644 ') optional_policy(` -@@ -261,14 +314,21 @@ optional_policy(` +@@ -261,14 +318,21 @@ optional_policy(` ') optional_policy(` 
@@ -98620,7 +98680,7 @@ index f231f17..51d1512 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -276,9 +336,30 @@ optional_policy(` +@@ -276,9 +340,30 @@ optional_policy(` ') optional_policy(` @@ -102371,7 +102431,7 @@ index 9d3201b..6e75e3d 100644 + allow $1 ftpd_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te -index 8a74a83..14b822a 100644 +index 8a74a83..9be06fe 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false) @@ -102560,7 +102620,7 @@ index 8a74a83..14b822a 100644 ') tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` -@@ -309,6 +353,10 @@ optional_policy(` +@@ -309,10 +353,34 @@ optional_policy(` ') optional_policy(` @@ -102571,10 +102631,12 @@ index 8a74a83..14b822a 100644 selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) -@@ -316,6 +364,25 @@ optional_policy(` - ') - - optional_policy(` +- kerberos_manage_host_rcache(ftpd_t) ++ # this part of auth_use_pam ++ #kerberos_manage_host_rcache(ftpd_t) ++') ++ ++optional_policy(` + tunable_policy(`ftpd_connect_db',` + mysql_stream_connect(ftpd_t) + ') @@ -102591,13 +102653,10 @@ index 8a74a83..14b822a 100644 + mysql_tcp_connect(ftpd_t) + postgresql_tcp_connect(ftpd_t) + ') -+') -+ -+optional_policy(` - inetd_tcp_service_domain(ftpd_t, ftpd_exec_t) + ') - optional_policy(` -@@ -347,16 +414,17 @@ optional_policy(` + optional_policy(` +@@ -347,16 +415,17 @@ optional_policy(` # Allow ftpdctl to talk to ftpd over a socket connection stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -102617,7 +102676,7 @@ index 8a74a83..14b822a 100644 ######################################## # -@@ -365,18 +433,33 @@ userdom_use_user_terminals(ftpdctl_t) +@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t) files_read_etc_files(sftpd_t) 
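Review bot: The `@@ -102560,7 +102620,7 @@` hunk replaces `kerberos_manage_host_rcache(ftpd_t)` with a commented-out copy under the note `# this part of auth_use_pam`; commented-out policy tends to be resurrected or rot, and the note is ungrammatical and not verifiable from this hunk. Either remove the line and keep a single reason, `# host rcache access comes from auth_use_pam(ftpd_t); do not duplicate here`, or, if `auth_use_pam` is not actually called for ftpd_t elsewhere in the file, keep the rule. The optional_policy block containing these lines opens before the hunk.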
@@ -102654,7 +102713,7 @@ index 8a74a83..14b822a 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -394,19 +477,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` +@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) @@ -105812,7 +105871,7 @@ index 0000000..af510ea + +# No local policy. This module just contains type definitions diff --git a/policy/modules/services/kerberos.fc b/policy/modules/services/kerberos.fc -index 3525d24..033de90 100644 +index 3525d24..36582cd 100644 --- a/policy/modules/services/kerberos.fc +++ b/policy/modules/services/kerberos.fc @@ -8,7 +8,7 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) @@ -105824,7 +105883,7 @@ index 3525d24..033de90 100644 /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) -@@ -30,4 +30,8 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +@@ -30,4 +30,12 @@ HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) 
@@ -105832,9 +105891,13 @@ index 3525d24..033de90 100644 + /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..91ef376 100644 +index 604f67b..276cf5f 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -105881,7 +105944,18 @@ index 604f67b..91ef376 100644 ') optional_policy(` -@@ -218,6 +218,25 @@ interface(`kerberos_rw_keytab',` +@@ -111,10 +111,6 @@ interface(`kerberos_use',` + pcscd_stream_connect($1) + ') + ') +- +- optional_policy(` +- sssd_read_public_files($1) +- ') + ') + + ######################################## +@@ -218,6 +214,25 @@ interface(`kerberos_rw_keytab',` ######################################## ## @@ -105907,7 +105981,7 @@ index 604f67b..91ef376 100644 ## Create a derived type for kerberos keytab ## ## -@@ -235,7 +254,7 @@ template(`kerberos_keytab_template',` +@@ -235,7 +250,7 @@ template(`kerberos_keytab_template',` type $1_keytab_t; files_type($1_keytab_t) @@ -105916,7 +105990,7 @@ index 604f67b..91ef376 100644 kerberos_read_keytab($2) kerberos_use($2) -@@ -289,35 +308,14 @@ interface(`kerberos_manage_host_rcache',` +@@ -289,31 +304,18 @@ interface(`kerberos_manage_host_rcache',` seutil_read_file_contexts($1) 
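Review bot: The `@@ -105881,7 +105944,18 @@` hunk drops the `sssd_read_public_files($1)` optional block from `kerberos_use`, a removal that none of the items in the commit description mentions. Any caller of kerberos_use that still depends on reading sssd's public files would now be denied, so either the description or the interface header should flag the behaviour change, e.g. `## sssd public-file access is no longer granted here; callers use sssd_read_public_files directly`. The interface body begins before the hunk.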
@@ -105925,10 +105999,10 @@ index 604f67b..91ef376 100644 + manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t) files_search_tmp($1) ') - ') - - ######################################## - ## +-') +- +-######################################## +-## -## Connect to krb524 service -## -## @@ -105940,21 +106014,24 @@ index 604f67b..91ef376 100644 -interface(`kerberos_connect_524',` - tunable_policy(`allow_kerberos',` - allow $1 self:udp_socket create_socket_perms; -- + - corenet_all_recvfrom_unlabeled($1) - corenet_udp_sendrecv_generic_if($1) - corenet_udp_sendrecv_generic_node($1) - corenet_udp_sendrecv_kerberos_master_port($1) - corenet_sendrecv_kerberos_master_client_packets($1) - ') --') -- --######################################## --## - ## All of the rules required to administrate - ## an kerberos environment - ## -@@ -338,18 +336,22 @@ interface(`kerberos_admin',` ++ kerberos_tmp_filetrans_host_rcache($1, "host_0") ++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23") ++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48") ++ kerberos_tmp_filetrans_host_rcache($1, "nfs_0") ++ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0") ++ kerberos_tmp_filetrans_host_rcache($1, "ldap_487") ++ kerberos_tmp_filetrans_host_rcache($1, "ldap_55") + ') + + ######################################## +@@ -338,18 +340,22 @@ interface(`kerberos_admin',` type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t; type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t; type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; @@ -105982,7 +106059,7 @@ index 604f67b..91ef376 100644 ps_process_pattern($1, kpropd_t) init_labeled_script_domtrans($1, kerberos_initrc_exec_t) -@@ -378,3 +380,109 @@ interface(`kerberos_admin',` +@@ -378,3 +384,113 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') 
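Review bot: kerberos_manage_host_rcache now issues seven name-based kerberos_tmp_filetrans_host_rcache calls, but name transitions fire only on an exact basename match, so a caller whose rcache name differs (non-default UID, another principal) still creates a plain tmp_t file while getting the full manage_files_pattern on krb5_host_rcache_t. A short comment above the calls would document that limitation: `# name transitions only cover the default <principal>_<uid> rcache names; others stay tmp_t`. The definition of kerberos_tmp_filetrans_host_rcache is outside the hunk, so whether it also grants the manage permissions cannot be checked here.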
@@ -106090,7 +106167,11 @@ index 604f67b..91ef376 100644 + + kerberos_tmp_filetrans_host_rcache($1, "host_0") + kerberos_tmp_filetrans_host_rcache($1, "HTTP_23") ++ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48") ++ kerberos_tmp_filetrans_host_rcache($1, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0") ++ kerberos_tmp_filetrans_host_rcache($1, "ldap_487") ++ kerberos_tmp_filetrans_host_rcache($1, "ldap_55") +') diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te index 8edc29b..92dde2c 100644 @@ -108678,10 +108759,10 @@ index 0000000..1ec1c97 +') diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te new file mode 100644 -index 0000000..3a1b451 +index 0000000..d1ba3e7 --- /dev/null +++ b/policy/modules/services/matahari.te -@@ -0,0 +1,106 @@ +@@ -0,0 +1,108 @@ +policy_module(matahari,1.0.0) + +######################################## @@ -108710,6 +108791,7 @@ index 0000000..3a1b451 +# +# matahari_hostd local policy +# ++ +dev_read_sysfs(matahari_hostd_t) +dev_rw_mtrr(matahari_hostd_t) + @@ -108738,6 +108820,7 @@ index 0000000..3a1b451 +# + +corecmd_exec_bin(matahari_rpcd_t) ++corecmd_exec_shell(matahari_rpcd_t) + +auth_read_passwd(matahari_rpcd_t) + @@ -110566,7 +110649,7 @@ index 343cee3..555300e 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..12e5313 100644 +index 64268e4..da35763 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,19 @@ files_type(etc_aliases_t) 
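Review bot: `corecmd_exec_shell(matahari_rpcd_t)` runs the shell inside matahari_rpcd_t itself, without a domain transition, so whatever script the RPC daemon launches inherits the daemon's entire policy, and the hunk gives no hint of why a shell is needed. A why-comment naming the caller, e.g. `# matahari-rpcd invokes shell helpers (TODO: name the script)`, would make the grant auditable the next time the domain is tightened. The enclosing matahari_rpcd_t policy block starts and ends outside this hunk.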
@@ -110777,11 +110860,11 @@ index 64268e4..12e5313 100644 read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t) -- --read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) +userdom_search_admin_dir(mailserver_delivery) +read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t) +-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) +- -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(mailserver_delivery) - fs_manage_cifs_files(mailserver_delivery) @@ -110855,7 +110938,7 @@ index 64268e4..12e5313 100644 # Read user temporary files. # postfix seems to need write access if the file handle is opened read/write userdom_rw_user_tmp_files(user_mail_t) -@@ -292,3 +315,117 @@ optional_policy(` +@@ -292,3 +315,123 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -110935,6 +111018,12 @@ index 64268e4..12e5313 100644 +miscfiles_read_localization(user_mail_domain) + +optional_policy(` ++ courier_manage_spool_dirs(user_mail_domain) ++ courier_manage_spool_files(user_mail_domain) ++ courier_rw_spool_pipes(user_mail_domain) ++') ++ ++optional_policy(` + exim_domtrans(user_mail_domain) + exim_manage_log(user_mail_domain) + exim_manage_spool_files(user_mail_domain) @@ -113071,43 +113160,48 @@ index 4876cae..9f3b09b 100644 diff --git a/policy/modules/services/nova.fc b/policy/modules/services/nova.fc new file mode 100644 -index 0000000..03d78ae +index 0000000..d4e64d8 --- /dev/null 
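Review bot: The new optional block gives every user_mail_domain `courier_manage_spool_dirs` and `courier_manage_spool_files`, which permits creating, renaming and deleting any object in the courier spool, not just the caller's own delivery; a client usually needs create plus read/write. It is worth confirming from the audit log that the manage permissions are actually exercised, and narrowing to a read/write interface if courier.if provides one. Either way a why-comment, `# user mail clients hand messages to courier through its spool`, would explain why a user domain writes a service spool at all.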
+++ b/policy/modules/services/nova.fc -@@ -0,0 +1,40 @@ -+ +@@ -0,0 +1,45 @@ + +/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0) -+#/usr/bin/nova-compute -- gen_context(system_u:object_r:nova_compute_exec_t,s0) ++/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0) +/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0) +/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0) +/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0) ++/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0) +/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0) +/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0) +/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0) +/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0) +/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0) ++/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0) + -+/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0) ++/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0) +/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0) +/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0) -+#/lib/systemd/system/openstack-nova-compute.service ++/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0) +/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0) ++/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0) 
+/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0) +/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0) +/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0) +/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0) ++/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0) +/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0) + -+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0) +/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0) +/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0) -+#/lib/systemd/system/openstack-nova-compute.service ++/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0) +/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0) ++/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0) +/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0) +/usr/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0) +/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0) +/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0) 
++/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0) +/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0) + +/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0) @@ -113156,10 +113250,10 @@ index 0000000..0d11800 +') diff --git a/policy/modules/services/nova.te b/policy/modules/services/nova.te new file mode 100644 -index 0000000..9dd1d72 +index 0000000..b0d25bb --- /dev/null +++ b/policy/modules/services/nova.te -@@ -0,0 +1,315 @@ +@@ -0,0 +1,328 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -113178,6 +113272,7 @@ index 0000000..9dd1d72 +nova_domain_template(api) +nova_domain_template(cert) +nova_domain_template(compute) ++nova_domain_template(console) +nova_domain_template(direct) +nova_domain_template(network) +nova_domain_template(objectstore) @@ -113252,6 +113347,8 @@ index 0000000..9dd1d72 + +allow nova_api_t self:process setfscreate; + ++allow nova_api_t self:key write; ++ +allow nova_api_t self:netlink_route_socket r_netlink_socket_perms; + +allow nova_api_t self:udp_socket create_socket_perms; @@ -113264,6 +113361,8 @@ index 0000000..9dd1d72 +corenet_tcp_connect_all_ports(nova_api_t) +corenet_tcp_bind_all_unreserved_ports(nova_api_t) + ++auth_read_passwd(nova_api_t) ++ +logging_send_syslog_msg(nova_api_t) + +miscfiles_read_certs(nova_api_t) @@ -113326,6 +113425,14 @@ index 0000000..9dd1d72 + virt_stream_connect(nova_compute_t) +') + ++###################################### ++# ++# nova console local policy ++# ++ ++allow nova_console_t self:udp_socket create_socket_perms; ++ ++auth_use_nsswitch(nova_console_t) + +####################################### +# @@ -114179,10 +114286,10 @@ index 0000000..77a3112 +') diff --git a/policy/modules/services/numad.te b/policy/modules/services/numad.te new file mode 100644 -index 0000000..e3ac955 +index 0000000..e18b767 --- /dev/null 
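Review bot: `/usr//bin/nova-api-metadata` has a doubled slash, and file-context patterns are regexes matched against canonical paths, so this entry can never match and the metadata API binary will not be labeled nova_api_exec_t; it should read `/usr/bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)`. Separately, the new `/usr/bin/nova-console.*` pattern also captures any other binary with that prefix (nova-consoleauth, if installed); if that is intended, a short comment saying so would help, otherwise anchor it with `/usr/bin/nova-console(auth)? --`. Both points apply to the nova.fc hunk @@ -113071.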
+++ b/policy/modules/services/numad.te -@@ -0,0 +1,43 @@ +@@ -0,0 +1,45 @@ +policy_module(numad, 1.0.0) + +######################################## @@ -114221,6 +114328,8 @@ index 0000000..e3ac955 + +kernel_read_system_state(numad_t) + ++dev_read_sysfs(numad_t) ++ +domain_use_interactive_fds(numad_t) + +files_read_etc_files(numad_t) @@ -114386,14 +114495,13 @@ index b4c5f86..0f1549d 100644 cron_system_entry(oav_update_t, oav_update_exec_t) diff --git a/policy/modules/services/obex.fc b/policy/modules/services/obex.fc new file mode 100644 -index 0000000..eebfda8 +index 0000000..7b31529 --- /dev/null +++ b/policy/modules/services/obex.fc -@@ -0,0 +1,4 @@ +@@ -0,0 +1,3 @@ + + +/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0) -+ diff --git a/policy/modules/services/obex.if b/policy/modules/services/obex.if new file mode 100644 index 0000000..d3b9544 @@ -114479,10 +114587,10 @@ index 0000000..d3b9544 +') diff --git a/policy/modules/services/obex.te b/policy/modules/services/obex.te new file mode 100644 -index 0000000..5285bef +index 0000000..3689d8a --- /dev/null +++ b/policy/modules/services/obex.te -@@ -0,0 +1,28 @@ +@@ -0,0 +1,30 @@ +policy_module(obex,1.0.0) + +######################################## @@ -114492,8 +114600,8 @@ index 0000000..5285bef + +type obex_t; +type obex_exec_t; -+dbus_system_domain(obex_t, obex_exec_t) -+init_daemon_domain(obex_t, obex_exec_t) ++application_domain(obex_t, obex_exec_t) ++ubac_constrained(obex_t) + +######################################## +# @@ -114511,6 +114619,8 @@ index 0000000..5285bef + +miscfiles_read_localization(obex_t) + ++userdom_search_user_home_content(obex_t) ++ diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc index bdf8c89..0132b08 100644 --- a/policy/modules/services/oddjob.fc @@ -115070,7 +115180,7 @@ index d883214..d6afa87 100644 init_labeled_script_domtrans($1, openvpn_initrc_exec_t) domain_system_change_exemption($1) 
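Review bot: obex.te switches the type declaration to `application_domain(obex_t, obex_exec_t)` plus `ubac_constrained(obex_t)`, but nothing in the hunk shows how a user domain or the session bus enters obex_t (no domtrans or role assignment), and obex.if is unchanged in this diff. If the transition is provided elsewhere, a comment at the declaration such as `# entered from user domains via obex.if; started by the session bus` would document it; if not, the domain is presumably unreachable. The rest of the obex_t policy is outside this hunk.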
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index 8b550f4..3075607 100644 +index 8b550f4..cae4941 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -6,9 +6,9 @@ policy_module(openvpn, 1.10.0) @@ -115145,7 +115255,7 @@ index 8b550f4..3075607 100644 corenet_tcp_connect_http_cache_port(openvpn_t) corenet_rw_tun_tap_dev(openvpn_t) corenet_sendrecv_openvpn_server_packets(openvpn_t) -@@ -100,8 +108,12 @@ dev_read_urand(openvpn_t) +@@ -100,33 +108,40 @@ dev_read_urand(openvpn_t) files_read_etc_files(openvpn_t) files_read_etc_runtime_files(openvpn_t) @@ -115158,7 +115268,11 @@ index 8b550f4..3075607 100644 logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -@@ -112,21 +124,23 @@ sysnet_exec_ifconfig(openvpn_t) + miscfiles_read_all_certs(openvpn_t) + + sysnet_dns_name_resolve(openvpn_t) ++sysnet_use_ldap(openvpn_t) + sysnet_exec_ifconfig(openvpn_t) sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) @@ -115190,7 +115304,7 @@ index 8b550f4..3075607 100644 optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) -@@ -138,3 +152,7 @@ optional_policy(` +@@ -138,3 +153,7 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') @@ -124264,7 +124378,7 @@ index 63e78c6..fdd8228 100644 type rlogind_home_t; ') diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te -index 779fa44..91c8ee8 100644 +index 779fa44..1570864 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) @@ -124304,7 +124418,7 @@ index 779fa44..91c8ee8 100644 files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -88,29 +88,24 @@ seutil_read_config(rlogind_t) +@@ -88,27 +88,23 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) 
@@ -124329,21 +124443,20 @@ index 779fa44..91c8ee8 100644 - fs_list_cifs(rlogind_t) - fs_read_cifs_files(rlogind_t) - fs_read_cifs_symlinks(rlogind_t) --') -- - optional_policy(` - kerberos_keytab_template(rlogind, rlogind_t) - kerberos_manage_host_rcache(rlogind_t) ++optional_policy(` ++ kerberos_keytab_template(rlogind, rlogind_t) ++ #part of auth_use_pam ++ #kerberos_manage_host_rcache(rlogind_t) ') optional_policy(` +- kerberos_keytab_template(rlogind, rlogind_t) +- kerberos_manage_host_rcache(rlogind_t) + remotelogin_domtrans(rlogind_t) + remotelogin_signal(rlogind_t) -+') -+ -+optional_policy(` - tcpd_wrapped_domain(rlogind_t, rlogind_exec_t) ') + + optional_policy(` diff --git a/policy/modules/services/roundup.if b/policy/modules/services/roundup.if index 30c4b75..e07c2ff 100644 --- a/policy/modules/services/roundup.if @@ -124362,7 +124475,7 @@ index 30c4b75..e07c2ff 100644 init_labeled_script_domtrans($1, roundup_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc -index 5c70c0c..5a75e95 100644 +index 5c70c0c..ce7da4f 100644 --- a/policy/modules/services/rpc.fc +++ b/policy/modules/services/rpc.fc @@ -6,6 +6,12 @@ @@ -124393,12 +124506,11 @@ index 5c70c0c..5a75e95 100644 # # /var -@@ -29,3 +37,5 @@ +@@ -29,3 +37,4 @@ /var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0) /var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0) + -+/var/tmp/nfs_0 -- gen_context(system_u:object_r:gssd_tmp_t,s0) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if index cda37bb..b3469d6 100644 --- a/policy/modules/services/rpc.if @@ -124552,7 +124664,7 @@ index cda37bb..b3469d6 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..d9b4001 100644 +index b1468ed..f30c62e 100644 --- a/policy/modules/services/rpc.te 
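Review bot: The rlogin.te hunk keeps `#kerberos_manage_host_rcache(rlogind_t)` as commented-out code, and the same pattern recurs in rshd.te (hunk @@ -124928), sasl.te (hunk @@ -126434, where the commented line is added fresh) and ssh.if (hunk @@ -128831), but only rlogin.te carries the `#part of auth_use_pam` rationale. Dead calls tend to get uncommented back in; better to remove them and keep one rationale comment per site, e.g. `# rcache access is granted by auth_use_pam`. Whether each of these domains actually calls auth_use_pam cannot be confirmed from the hunks.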
+++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -124767,17 +124879,18 @@ index b1468ed..d9b4001 100644 ') optional_policy(` -@@ -229,6 +270,10 @@ optional_policy(` - ') +@@ -226,6 +267,11 @@ optional_policy(` optional_policy(` -+ mount_signal(gssd_t) + kerberos_keytab_template(gssd, gssd_t) ++ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0") +') + +optional_policy(` - pcscd_read_pub_files(gssd_t) ++ mount_signal(gssd_t) ') + optional_policy(` diff --git a/policy/modules/services/rpcbind.fc b/policy/modules/services/rpcbind.fc index f5c47d6..482b584 100644 --- a/policy/modules/services/rpcbind.fc @@ -124897,7 +125010,7 @@ index d6d76e1..9cb5e25 100644 + nis_use_ypbind(rpcbind_t) +') diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te -index 0b405d1..e91eb53 100644 +index 0b405d1..d55394c 100644 --- a/policy/modules/services/rshd.te +++ b/policy/modules/services/rshd.te @@ -39,6 +39,8 @@ corenet_sendrecv_rsh_server_packets(rshd_t) @@ -124909,7 +125022,7 @@ index 0b405d1..e91eb53 100644 selinux_get_fs_mount(rshd_t) selinux_validate_context(rshd_t) selinux_compute_access_vector(rshd_t) -@@ -66,16 +68,9 @@ seutil_read_config(rshd_t) +@@ -66,20 +68,13 @@ seutil_read_config(rshd_t) seutil_read_default_contexts(rshd_t) userdom_search_user_home_content(rshd_t) @@ -124928,6 +125041,11 @@ index 0b405d1..e91eb53 100644 optional_policy(` kerberos_keytab_template(rshd, rshd_t) +- kerberos_manage_host_rcache(rshd_t) ++ #kerberos_manage_host_rcache(rshd_t) + ') + + optional_policy(` diff --git a/policy/modules/services/rsync.if b/policy/modules/services/rsync.if index 3386f29..b28cae5 100644 --- a/policy/modules/services/rsync.if @@ -126385,7 +126503,7 @@ index f1aea88..3e6a93f 100644 admin_pattern($1, saslauthd_var_run_t) ') diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te -index cfc60dd..71d76cf 100644 +index cfc60dd..8908145 100644 --- a/policy/modules/services/sasl.te 
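Review bot: gssd's `/var/tmp/nfs_0` changes from gssd_tmp_t (removed in rpc.fc, hunk @@ -124393) to krb5_host_rcache_t (kerberos.fc), but the rpc.te hunk only adds `kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")`; unless that interface (defined outside this view) also grants file permissions, gssd_t loses the write access it previously had through its tmp type. If it does not, `kerberos_manage_host_rcache(gssd_t)` belongs next to the filetrans call. A comment on the relabel, `# nfs_0 is the kerberos replay cache, labeled krb5_host_rcache_t`, would tie the two files together.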
+++ b/policy/modules/services/sasl.te @@ -19,9 +19,6 @@ init_daemon_domain(saslauthd_t, saslauthd_exec_t) @@ -126434,7 +126552,7 @@ index cfc60dd..71d76cf 100644 optional_policy(` kerberos_keytab_template(saslauthd, saslauthd_t) -+ kerberos_manage_host_rcache(saslauthd_t) ++ #kerberos_manage_host_rcache(saslauthd_t) ') optional_policy(` @@ -128643,7 +128761,7 @@ index 078bcd7..21ff471 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..60103b5 100644 +index 22adaca..7f010a4 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -128807,7 +128925,7 @@ index 22adaca..60103b5 100644 files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -243,21 +276,13 @@ template(`ssh_server_template', ` +@@ -243,31 +276,31 @@ template(`ssh_server_template', ` miscfiles_read_localization($1_t) @@ -128831,7 +128949,11 @@ index 22adaca..60103b5 100644 optional_policy(` kerberos_use($1_t) -@@ -268,6 +293,14 @@ template(`ssh_server_template', ` +- kerberos_manage_host_rcache($1_t) ++ #kerberos_manage_host_rcache($1_t) + ') + + optional_policy(` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') @@ -129203,7 +129325,7 @@ index 22adaca..60103b5 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..5ad9960 100644 +index 2dad3c8..6dbec51 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0) 
@@ -129435,7 +129557,7 @@ index 2dad3c8..5ad9960 100644 ################################# # # sshd local policy -@@ -232,33 +244,45 @@ optional_policy(` +@@ -232,33 +244,46 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -129487,10 +129609,11 @@ index 2dad3c8..5ad9960 100644 +optional_policy(` + condor_rw_lib_files(sshd_t) + condor_rw_tcp_sockets_startd(sshd_t) ++ condor_rw_tcp_sockets_schedd(sshd_t) ') optional_policy(` -@@ -266,11 +290,24 @@ optional_policy(` +@@ -266,11 +291,24 @@ optional_policy(` ') optional_policy(` @@ -129516,7 +129639,7 @@ index 2dad3c8..5ad9960 100644 ') optional_policy(` -@@ -284,6 +321,15 @@ optional_policy(` +@@ -284,6 +322,15 @@ optional_policy(` ') optional_policy(` @@ -129532,7 +129655,7 @@ index 2dad3c8..5ad9960 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +338,26 @@ optional_policy(` +@@ -292,26 +339,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -129578,7 +129701,7 @@ index 2dad3c8..5ad9960 100644 ') dnl endif TODO ######################################## -@@ -322,19 +368,26 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,19 +369,26 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -129606,7 +129729,7 @@ index 2dad3c8..5ad9960 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -351,9 +404,11 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -351,9 +405,11 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -129620,7 +129743,7 @@ index 2dad3c8..5ad9960 100644 ') optional_policy(` -@@ -363,3 +418,76 @@ optional_policy(` +@@ -363,3 +419,76 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') 
@@ -132353,7 +132476,7 @@ index 7c5d8d8..85b7d8b 100644 + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..0900b33 100644 +index 3eca020..58ea3c0 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0) @@ -132935,7 +133058,7 @@ index 3eca020..0900b33 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,25 +652,427 @@ files_search_all(virt_domain) +@@ -440,25 +652,428 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -133216,7 +133339,6 @@ index 3eca020..0900b33 100644 +allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + -+ +manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -133244,6 +133366,7 @@ index 3eca020..0900b33 100644 +files_read_config_files(svirt_lxc_domain) +files_read_usr_files(svirt_lxc_domain) +files_read_usr_symlinks(svirt_lxc_domain) ++files_search_locks(svirt_lxc_domain) + +fs_getattr_all_fs(svirt_lxc_domain) +fs_list_inotifyfs(svirt_lxc_domain) 
@@ -133276,7 +133399,7 @@ index 3eca020..0900b33 100644 + +virt_lxc_domain_template(svirt_lxc_net) + -+allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service sys_nice }; ++allow svirt_lxc_net_t self:capability { net_raw net_admin net_bind_service sys_nice chown dac_read_search dac_override fowner }; +allow svirt_lxc_net_t self:udp_socket create_socket_perms; +allow svirt_lxc_net_t self:tcp_socket create_stream_socket_perms; +allow svirt_lxc_net_t self:netlink_route_socket create_netlink_socket_perms; @@ -133284,6 +133407,7 @@ index 3eca020..0900b33 100644 +allow svirt_lxc_net_t self:socket create_socket_perms; +allow svirt_lxc_net_t self:rawip_socket create_socket_perms; +allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; ++allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; + +corenet_tcp_bind_generic_node(svirt_lxc_net_t) +corenet_udp_bind_generic_node(svirt_lxc_net_t) @@ -135096,7 +135220,7 @@ index 130ced9..56cb1f8 100644 + files_search_tmp($1) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..479bf53 100644 +index 143c893..b657135 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` 
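Review bot: svirt_lxc_net_t gains `chown dac_read_search dac_override fowner` in one go; dac_override in particular lets the container's root bypass DAC checks on every file its type rules already reach, so the effective boundary for the default container domain now rests on labeling alone. It is worth confirming from the denial whether dac_read_search (or chown/fowner only) would suffice, and recording the reason, e.g. `# containers chown/chmod their own rootfs (svirt_lxc_file_t) during setup`. The netlink_kobject_uevent_socket grant in the next hunk is less sensitive but would benefit from the same one-line justification.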
@@ -135422,13 +135546,14 @@ index 143c893..479bf53 100644 ') optional_policy(` -@@ -304,20 +400,37 @@ optional_policy(` +@@ -304,20 +400,38 @@ optional_policy(` # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; +allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; ++dontaudit xserver_t self:capability sys_admin; + +allow xdm_t self:process { setexec setpgid getattr getcap setcap getsched getsession setsched setrlimit signal_perms setkeycreate }; allow xdm_t self:fifo_file rw_fifo_file_perms; @@ -135464,7 +135589,7 @@ index 143c893..479bf53 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +438,63 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +439,63 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -135534,7 +135659,7 @@ index 143c893..479bf53 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +503,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +504,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
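Review bot: `dontaudit xserver_t self:capability sys_admin;` is added in the XDM local policy section, yet the commit message describes xdm running lspci and requesting sys_admin, which points at xdm_t, not xserver_t; as written it silences the X server and leaves the xdm_t noise in place. If xdm_t is the intended subject the line should be `dontaudit xdm_t self:capability sys_admin;`, with a comment such as `# lspci run from xdm probes sys_admin but works without it`; if xserver_t really is meant, it belongs next to the existing `dontaudit xserver_t self:capability chown;` in the xserver_t section. The xdm_t block continues beyond the hunk.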
@@ -135562,7 +135687,7 @@ index 143c893..479bf53 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +534,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +535,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -135615,7 +135740,7 @@ index 143c893..479bf53 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +586,25 @@ files_list_mnt(xdm_t) +@@ -435,9 +587,25 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -135641,7 +135766,7 @@ index 143c893..479bf53 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +613,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +614,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -135683,7 +135808,7 @@ index 143c893..479bf53 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,24 +653,43 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,24 +654,43 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -135733,7 +135858,7 @@ index 143c893..479bf53 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +703,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +704,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -135755,7 +135880,7 @@ index 143c893..479bf53 100644 ') optional_policy(` -@@ -519,12 +725,63 @@ optional_policy(` +@@ -519,12 +726,63 @@ optional_policy(` ') optional_policy(` 
@@ -135819,7 +135944,7 @@ index 143c893..479bf53 100644 hostname_exec(xdm_t) ') -@@ -542,28 +799,69 @@ optional_policy(` +@@ -542,28 +800,69 @@ optional_policy(` ') optional_policy(` @@ -135898,7 +136023,7 @@ index 143c893..479bf53 100644 ') optional_policy(` -@@ -575,6 +873,14 @@ optional_policy(` +@@ -575,6 +874,14 @@ optional_policy(` ') optional_policy(` @@ -135913,7 +136038,7 @@ index 143c893..479bf53 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +905,8 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +906,8 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -135923,7 +136048,7 @@ index 143c893..479bf53 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +920,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +921,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -135939,7 +136064,7 @@ index 143c893..479bf53 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +947,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +948,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -135961,7 +136086,7 @@ index 143c893..479bf53 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +967,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +968,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -135969,7 +136094,7 @@ index 143c893..479bf53 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,21 +994,28 @@ dev_rw_apm_bios(xserver_t) +@@ -672,21 +995,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -136000,7 +136125,7 @@ index 143c893..479bf53 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1026,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1027,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -136014,7 +136139,7 @@ index 143c893..479bf53 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1045,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1046,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -136023,7 +136148,7 @@ index 143c893..479bf53 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1052,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1053,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -136038,7 +136163,7 @@ index 143c893..479bf53 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1111,40 @@ optional_policy(` +@@ -778,16 +1112,40 @@ optional_policy(` ') optional_policy(` 
@@ -136080,7 +136205,7 @@ index 143c893..479bf53 100644 unconfined_domtrans(xserver_t) ') -@@ -796,6 +1153,10 @@ optional_policy(` +@@ -796,6 +1154,10 @@ optional_policy(` ') optional_policy(` @@ -136091,7 +136216,7 @@ index 143c893..479bf53 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1172,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1173,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -136105,7 +136230,7 @@ index 143c893..479bf53 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1183,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1184,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -136114,7 +136239,7 @@ index 143c893..479bf53 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,26 +1196,21 @@ init_use_fds(xserver_t) +@@ -835,26 +1197,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -136149,7 +136274,7 @@ index 143c893..479bf53 100644 ') optional_policy(` -@@ -862,6 +1218,10 @@ optional_policy(` +@@ -862,6 +1219,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -136160,7 +136285,7 @@ index 143c893..479bf53 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1265,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1266,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -136169,7 +136294,7 @@ index 143c893..479bf53 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1319,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1320,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -136201,7 +136326,7 @@ index 143c893..479bf53 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1365,43 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1366,43 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -137438,10 +137563,29 @@ index 28ad538..82def3d 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..3fcce09 100644 +index 73554ec..a0bd29b 100644 --- a/policy/modules/system/authlogin.if 
+++ b/policy/modules/system/authlogin.if -@@ -57,6 +57,8 @@ interface(`auth_use_pam',` +@@ -23,11 +23,17 @@ interface(`auth_role',` + role $1 types chkpwd_t; + + # Transition from the user domain to this domain. +- domtrans_pattern($2, chkpwd_exec_t, chkpwd_t) ++ auth_domtrans_chkpwd($2) + + ps_process_pattern($2, chkpwd_t) + + dontaudit $2 shadow_t:file read_file_perms; ++ ++ logging_send_syslog_msg($2) ++ logging_send_audit_msgs($2) ++ ++ usermanage_read_crack_db($2) ++ + ') + + ######################################## +@@ -57,6 +63,8 @@ interface(`auth_use_pam',` auth_exec_pam($1) auth_use_nsswitch($1) @@ -137450,7 +137594,7 @@ index 73554ec..3fcce09 100644 logging_send_audit_msgs($1) logging_send_syslog_msg($1) -@@ -78,8 +80,19 @@ interface(`auth_use_pam',` +@@ -78,8 +86,19 @@ interface(`auth_use_pam',` ') optional_policy(` @@ -137470,7 +137614,7 @@ index 73554ec..3fcce09 100644 ') ######################################## -@@ -95,9 +108,13 @@ interface(`auth_use_pam',` +@@ -95,9 +114,13 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -137484,7 +137628,7 @@ index 73554ec..3fcce09 100644 domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -105,14 +122,17 @@ interface(`auth_login_pgm_domain',` +@@ -105,14 +128,17 @@ interface(`auth_login_pgm_domain',` # Needed for pam_selinux_permit to cleanup properly domain_read_all_domains_state($1) @@ -137502,7 +137646,7 @@ index 73554ec..3fcce09 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -120,16 +140,29 @@ interface(`auth_login_pgm_domain',` +@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',` manage_sock_files_pattern($1, auth_cache_t, auth_cache_t) files_var_filetrans($1, auth_cache_t, dir) 
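Review bot: `usermanage_read_crack_db($2)` is added to auth_role with no optional_policy wrapper, although every other cross-module call in the authlogin.if hunks of this patch (ssh_agent_exec, ssh_read_user_home_files) is wrapped; a build without the usermanage module then fails on an unknown interface, so it should read `optional_policy(`` / `usermanage_read_crack_db($2)` / `')`. The two new logging lines also mean auth_role now grants audit and syslog message sending to every caller, and the userdomain.if hunks in this same patch move the auth_role call into userdom_login_user_template, so every login user domain gains the right to emit audit records (audit_write plus nlmsg_relay, if this is the reference-policy interface of that name); that is a deliberate widening and deserves a one-line why-comment such as `# pam modules in the user domain audit password checks`. Replacing the inline domtrans_pattern with auth_domtrans_chkpwd assumes that interface exists in this tree, which the hunk does not show.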
@@ -137533,7 +137677,7 @@ index 73554ec..3fcce09 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -145,6 +178,8 @@ interface(`auth_login_pgm_domain',` +@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -137542,7 +137686,7 @@ index 73554ec..3fcce09 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -155,13 +190,87 @@ interface(`auth_login_pgm_domain',` +@@ -155,9 +196,83 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) @@ -137587,11 +137731,11 @@ index 73554ec..3fcce09 100644 + optional_policy(` + ssh_agent_exec($1) + ssh_read_user_home_files($1) - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Read authlogin state files. +## +## @@ -137622,17 +137766,13 @@ index 73554ec..3fcce09 100644 +interface(`authlogin_rw_pipes',` + gen_require(` + attribute polydomain; -+ ') + ') + + allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms; -+') -+ -+######################################## -+## - ## Use the login program as an entry point program. - ## - ## -@@ -368,13 +477,15 @@ interface(`auth_domtrans_chk_passwd',` + ') + + ######################################## +@@ -368,13 +483,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -137649,7 +137789,7 @@ index 73554ec..3fcce09 100644 ') ######################################## -@@ -421,6 +532,25 @@ interface(`auth_run_chk_passwd',` +@@ -421,6 +538,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -137675,7 +137815,7 @@ index 73554ec..3fcce09 100644 ') ######################################## -@@ -440,7 +570,6 @@ interface(`auth_domtrans_upd_passwd',` +@@ -440,7 +576,6 @@ interface(`auth_domtrans_upd_passwd',` domtrans_pattern($1, updpwd_exec_t, updpwd_t) auth_dontaudit_read_shadow($1) 
@@ -137683,7 +137823,7 @@ index 73554ec..3fcce09 100644 ') ######################################## -@@ -637,6 +766,10 @@ interface(`auth_manage_shadow',` +@@ -637,6 +772,10 @@ interface(`auth_manage_shadow',` allow $1 shadow_t:file manage_file_perms; typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords; @@ -137694,7 +137834,7 @@ index 73554ec..3fcce09 100644 ') ####################################### -@@ -736,7 +869,50 @@ interface(`auth_rw_faillog',` +@@ -736,7 +875,50 @@ interface(`auth_rw_faillog',` ') logging_search_logs($1) @@ -137746,7 +137886,7 @@ index 73554ec..3fcce09 100644 ') ####################################### -@@ -932,9 +1108,30 @@ interface(`auth_manage_var_auth',` +@@ -932,9 +1114,30 @@ interface(`auth_manage_var_auth',` ') files_search_var($1) @@ -137780,7 +137920,7 @@ index 73554ec..3fcce09 100644 ') ######################################## -@@ -1013,6 +1210,10 @@ interface(`auth_manage_pam_pid',` +@@ -1013,6 +1216,10 @@ interface(`auth_manage_pam_pid',` files_search_pids($1) allow $1 pam_var_run_t:dir manage_dir_perms; allow $1 pam_var_run_t:file manage_file_perms; @@ -137791,7 +137931,7 @@ index 73554ec..3fcce09 100644 ') ######################################## -@@ -1130,6 +1331,7 @@ interface(`auth_manage_pam_console_data',` +@@ -1130,6 +1337,7 @@ interface(`auth_manage_pam_console_data',` files_search_pids($1) manage_files_pattern($1, pam_var_console_t, pam_var_console_t) manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t) @@ -137799,7 +137939,7 @@ index 73554ec..3fcce09 100644 ') ####################################### -@@ -1387,6 +1589,25 @@ interface(`auth_setattr_login_records',` +@@ -1387,6 +1595,25 @@ interface(`auth_setattr_login_records',` ######################################## ## 
@@ -137825,7 +137965,7 @@ index 73554ec..3fcce09 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1537,37 +1758,49 @@ interface(`auth_manage_login_records',` +@@ -1537,37 +1764,49 @@ interface(`auth_manage_login_records',` logging_rw_generic_log_dirs($1) allow $1 wtmp_t:file manage_file_perms; @@ -137885,7 +138025,7 @@ index 73554ec..3fcce09 100644 ##

## ## -@@ -1575,87 +1808,206 @@ interface(`auth_relabel_login_records',` +@@ -1575,87 +1814,206 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ##
## @@ -138143,7 +138283,7 @@ index 73554ec..3fcce09 100644 + userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~") ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..a22fe6d 100644 +index b7a5f00..b2a6592 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,22 +5,42 @@ policy_module(authlogin, 2.2.1) @@ -138252,7 +138392,7 @@ index b7a5f00..a22fe6d 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',` +@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -138323,6 +138463,7 @@ index b7a5f00..a22fe6d 100644 + +optional_policy(` + sssd_stream_connect(nsswitch_domain) ++ sssd_read_public_files(nsswitch_domain) +') + +optional_policy(` @@ -148969,7 +149110,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..917240b 100644 +index 4b2878a..e3e0e4f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -149620,15 +149761,15 @@ index 4b2878a..917240b 100644 - alsa_relabel_home_files($1_t) + # Allow graphical boot to check battery lifespan + apm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` -+ canna_stream_connect($1_usertype) ') optional_policy(` - # Allow graphical boot to check battery lifespan - apm_stream_connect($1_t) ++ canna_stream_connect($1_usertype) ++ ') ++ ++ optional_policy(` + chrome_role($1_r, $1_usertype) ') 
@@ -149646,57 +149787,57 @@ index 4b2878a..917240b 100644 + optional_policy(` + avahi_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ policykit_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') ++ ++ optional_policy(` ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ policykit_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ bluetooth_dbus_chat($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ kde_dbus_chat_backlighthelper($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) - ') -+ -+ optional_policy(` -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') -+ -+ optional_policy(` -+ hal_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ kde_dbus_chat_backlighthelper($1_usertype) -+ ') -+ -+ optional_policy(` -+ modemmanager_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` + networkmanager_dbus_chat($1_usertype) + networkmanager_read_lib_files($1_usertype) -+ ') + ') + + optional_policy(` + vpn_dbus_chat($1_usertype) 
@@ -149826,12 +149967,14 @@ index 4b2878a..917240b 100644 + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) -+ -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -149839,9 +149982,7 @@ index 4b2878a..917240b 100644 + tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -149849,12 +149990,18 @@ index 4b2878a..917240b 100644 userdom_change_password_template($1) -@@ -730,78 +911,89 @@ template(`userdom_login_user_template', ` - allow $1_t self:capability { setgid chown fowner }; +@@ -727,81 +908,98 @@ template(`userdom_login_user_template', ` + # User domain Local policy + # + +- allow $1_t self:capability { setgid chown fowner }; ++ allow $1_t self:capability { setgid setuid chown fowner }; ++ allow $1_t self:process setcurrent; ++ domain_dyntrans_type($1_t) dontaudit $1_t self:capability { sys_nice fsetid }; - allow $1_t self:process ~{ setcurrent setexec setrlimit execmem execstack execheap }; -+ allow $1_t self:process ~{ ptrace setcurrent setrlimit execmem execstack execheap }; ++ allow $1_t self:process ~{ ptrace setrlimit execmem execstack execheap }; dontaudit $1_t self:process setrlimit; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
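Review bot: The new `allow $1_t self:process setcurrent;` is redundant with the rewritten process line two lines below it, because removing setcurrent from the `~{ ptrace setrlimit execmem execstack execheap }` negation already grants it; keep one form, preferably the explicit allow with setcurrent restored to the negated set, so the grant is visible in one place. The larger point is that cap_setuid, setcurrent and domain_dyntrans_type are now given to every domain built from userdom_login_user_template, not only the domain that needs them for the chage-with-privsep case the commit message cites, and nothing in the hunk records why. If my reading of the commit message is right, a comment such as `# sshd privsep: the root child setcon()s into this domain and still needs setuid to drop to the user` would stop the next cleanup from reverting it. userdom_login_user_template starts and ends outside the hunk.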
@@ -149867,6 +150014,7 @@ index 4b2878a..917240b 100644 - dev_read_sysfs($1_t) - dev_read_urand($1_t) + dev_read_sysfs($1_usertype) ++ dev_read_rand($1_usertype) + dev_read_urand($1_usertype) - domain_use_interactive_fds($1_t) @@ -149897,8 +150045,11 @@ index 4b2878a..917240b 100644 + fs_list_inotifyfs($1_usertype) + fs_rw_anon_inodefs_files($1_usertype) - auth_dontaudit_write_login_records($1_t) ++ auth_role($1_r, $1_t) + auth_rw_cache($1_t) ++ auth_search_pam_console_data($1_t) ++ auth_dontaudit_read_login_records($1_t) + auth_dontaudit_write_login_records($1_t) application_exec_all($1_t) - @@ -149929,14 +150080,14 @@ index 4b2878a..917240b 100644 + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) - -- seutil_read_config($1_t) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) + cups_stream_connect_ptal($1_usertype) + ') -+ + +- seutil_read_config($1_t) + optional_policy(` + kerberos_use($1_usertype) + kerberos_filetrans_home_content($1_usertype) @@ -149973,7 +150124,7 @@ index 4b2878a..917240b 100644 ') ') -@@ -833,6 +1025,12 @@ template(`userdom_restricted_user_template',` +@@ -833,6 +1031,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -149986,14 +150137,13 @@ index 4b2878a..917240b 100644 ############################## # # Local policy -@@ -874,45 +1072,118 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -873,46 +1077,115 @@ template(`userdom_restricted_xwindows_user_template',` + # Local policy # - auth_role($1_r, $1_t) +- auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) -+ auth_search_pam_console_data($1_usertype) -+ auth_dontaudit_read_login_records($1_usertype) - +- - dev_read_sound($1_t) - dev_write_sound($1_t) + dev_read_sound($1_usertype) 
@@ -150116,7 +150266,7 @@ index 4b2878a..917240b 100644 ') ') -@@ -947,7 +1218,7 @@ template(`userdom_unpriv_user_template', ` +@@ -947,7 +1220,7 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -150125,7 +150275,7 @@ index 4b2878a..917240b 100644 userdom_common_user_template($1) ############################## -@@ -956,12 +1227,15 @@ template(`userdom_unpriv_user_template', ` +@@ -956,12 +1229,15 @@ template(`userdom_unpriv_user_template', ` # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -150143,7 +150293,7 @@ index 4b2878a..917240b 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1252,60 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1254,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -150174,11 +150324,9 @@ index 4b2878a..917240b 100644 + + optional_policy(` + cdrecord_role($1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + cron_role($1_r, $1_t) + ') + @@ -150201,9 +150349,11 @@ index 4b2878a..917240b 100644 + optional_policy(` + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + wine_role_template($1, $1_r, $1_t) + ') + @@ -150213,7 +150363,7 @@ index 4b2878a..917240b 100644 ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1314,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1316,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -150224,7 +150374,7 @@ index 4b2878a..917240b 100644 ') ') -@@ -1039,7 +1352,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1354,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -150233,7 +150383,7 @@ index 4b2878a..917240b 100644 ') ############################## -@@ -1066,6 +1379,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1381,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -150241,7 +150391,7 @@ index 4b2878a..917240b 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1388,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1390,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -150251,7 +150401,7 @@ index 4b2878a..917240b 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1405,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1407,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -150259,7 +150409,7 @@ index 4b2878a..917240b 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1423,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1425,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -150273,7 +150423,7 @@ index 4b2878a..917240b 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1440,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1442,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -150316,7 +150466,7 @@ index 4b2878a..917240b 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1481,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1483,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -150325,7 +150475,7 @@ index 4b2878a..917240b 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1542,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1544,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -150334,7 +150484,7 @@ index 4b2878a..917240b 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1556,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1558,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -150345,7 +150495,7 @@ index 4b2878a..917240b 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1569,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1571,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -150374,7 +150524,7 @@ index 4b2878a..917240b 100644 ') optional_policy(` -@@ -1251,12 +1597,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1599,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -150390,7 +150540,7 @@ index 4b2878a..917240b 100644 ') optional_policy(` -@@ -1279,11 +1625,60 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1627,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -150399,59 +150549,126 @@ index 4b2878a..917240b 100644 allow $1 user_home_t:filesystem associate; files_type($1) -+ ubac_constrained($1) +- files_poly_member($1) + ubac_constrained($1) + - files_poly_member($1) ++ files_poly_member($1) + typeattribute $1 user_home_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow domain to attach to TUN devices created by administrative users. +## Make the specified type usable in a +## generic temporary directory. -+## + ## +-## +## -+## + ## +-## Domain allowed access. +## Type to be used as a file in the +## generic temporary directory. -+## -+## -+# + ## + ## + # +-interface(`userdom_attach_admin_tun_iface',` +interface(`userdom_user_tmp_content',` -+ gen_require(` + gen_require(` +- attribute admindomain; + attribute user_tmp_type; -+ ') -+ + ') + +- allow $1 admindomain:tun_socket relabelfrom; +- allow $1 self:tun_socket relabelto; + typeattribute $1 user_tmp_type; + + files_tmp_file($1) + ubac_constrained($1) + ') + + ######################################## + ## +-## Set the attributes of a user pty. ++## Make the specified type usable in a ++## generic tmpfs_t directory. + ## +-## ++## + ## +-## Domain allowed access. ++## Type to be used as a file in the ++## generic temporary directory. + ## + ## + # +-interface(`userdom_setattr_user_ptys',` ++interface(`userdom_user_tmpfs_content',` + gen_require(` +- type user_devpts_t; ++ attribute user_tmpfs_type; + ') + +- allow $1 user_devpts_t:chr_file setattr_chr_file_perms; ++ typeattribute $1 user_tmpfs_type; ++ ++ files_tmpfs_file($1) ++ ubac_constrained($1) + ') + + ######################################## + ## +-## Create a user pty. ++## Allow domain to attach to TUN devices created by administrative users. 
+ ## + ## + ## +@@ -1334,7 +1694,44 @@ interface(`userdom_setattr_user_ptys',` + ## + ## + # +-interface(`userdom_create_user_pty',` ++interface(`userdom_attach_admin_tun_iface',` ++ gen_require(` ++ attribute admindomain; ++ ') ++ ++ allow $1 admindomain:tun_socket relabelfrom; ++ allow $1 self:tun_socket relabelto; +') + +######################################## +## -+## Make the specified type usable in a -+## generic tmpfs_t directory. ++## Set the attributes of a user pty. +## -+## ++## +## -+## Type to be used as a file in the -+## generic temporary directory. ++## Domain allowed access. +## +## +# -+interface(`userdom_user_tmpfs_content',` ++interface(`userdom_setattr_user_ptys',` + gen_require(` -+ attribute user_tmpfs_type; ++ type user_devpts_t; + ') + -+ typeattribute $1 user_tmpfs_type; ++ allow $1 user_devpts_t:chr_file setattr_chr_file_perms; ++') + -+ files_tmpfs_file($1) - ubac_constrained($1) - ') - -@@ -1395,11 +1790,31 @@ interface(`userdom_search_user_home_dirs',` ++######################################## ++## ++## Create a user pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_create_user_pty',` + gen_require(` + type user_devpts_t; + ') +@@ -1395,11 +1792,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -150483,7 +150700,7 @@ index 4b2878a..917240b 100644 ## Do not audit attempts to search user home directories. ##
## -@@ -1441,6 +1856,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1858,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -150498,7 +150715,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -1456,9 +1879,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1881,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -150510,7 +150727,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -1515,6 +1940,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1942,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -150553,7 +150770,7 @@ index 4b2878a..917240b 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2050,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2052,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -150562,7 +150779,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -1603,10 +2066,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2068,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -150577,7 +150794,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -1649,6 +2114,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2116,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## 
@@ -150621,7 +150838,7 @@ index 4b2878a..917240b 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2170,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2172,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -150647,7 +150864,7 @@ index 4b2878a..917240b 100644 ## Mmap user home files. ## ## -@@ -1698,14 +2219,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1698,14 +2221,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -150685,7 +150902,7 @@ index 4b2878a..917240b 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2259,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2261,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -150703,7 +150920,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -1779,6 +2325,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2327,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -150764,7 +150981,7 @@ index 4b2878a..917240b 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2410,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2412,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -150774,7 +150991,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -1827,21 +2426,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2428,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -150788,19 +151005,18 @@ index 4b2878a..917240b 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -1941,6 +2534,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2536,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -150825,7 +151041,7 @@ index 4b2878a..917240b 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2619,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2621,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -150834,7 +151050,7 @@ index 4b2878a..917240b 100644 files_search_home($1) ') -@@ -2039,7 +2650,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2652,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') @@ -150843,7 +151059,7 @@ index 4b2878a..917240b 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2158,11 +2769,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2158,11 +2771,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -150858,7 +151074,7 @@ index 4b2878a..917240b 100644 files_search_tmp($1) ') -@@ -2182,7 +2793,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2795,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -150867,7 +151083,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -2390,7 +3001,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +3003,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -150876,7 +151092,7 @@ index 4b2878a..917240b 100644 files_search_tmp($1) ') -@@ -2419,6 +3030,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +3032,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') @@ -150902,7 +151118,7 @@ index 4b2878a..917240b 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3065,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3067,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -150918,7 +151134,7 @@ index 4b2878a..917240b 100644 ## ## ## -@@ -2462,7 +3093,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3095,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -150927,7 +151143,7 @@ index 4b2878a..917240b 100644 ## ## ## -@@ -2470,14 +3101,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3103,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -150962,7 +151178,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -2572,7 +3219,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3221,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
@@ -150971,113 +151187,89 @@ index 4b2878a..917240b 100644 ## ## ## -@@ -2580,75 +3227,143 @@ interface(`userdom_use_user_ttys',` +@@ -2580,7 +3229,25 @@ interface(`userdom_use_user_ttys',` ## ## # -interface(`userdom_use_user_ptys',` +interface(`userdom_use_inherited_user_ttys',` - gen_require(` -- type user_devpts_t; ++ gen_require(` + type user_tty_device_t; - ') - -- allow $1 user_devpts_t:chr_file rw_term_perms; ++ ') ++ + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; - ') ++') ++ ++######################################## ++## ++## Read and write a user domain pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_user_ptys',` + gen_require(` + type user_devpts_t; + ') +@@ -2590,22 +3257,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## -## Read and write a user TTYs and PTYs. -+## Read and write a user domain pty. ++## Read and write a inherited user domain pty. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_use_inherited_user_ptys',` ++ gen_require(` ++ type user_devpts_t; ++ ') ++ ++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms; ++') ++ ++######################################## ++## ++## Read and write a inherited user TTYs and PTYs. ## --## --##

+ ## + ##

-## Allow the specified domain to read and write user --## TTYs and PTYs. This will allow the domain to --## interact with the user via the terminal. Typically --## all interactive applications will require this --## access. --##

++## Allow the specified domain to read and write inherited user + ## TTYs and PTYs. This will allow the domain to + ## interact with the user via the terminal. Typically + ## all interactive applications will require this + ## access. + ##

-##

-## However, this also allows the applications to spy -## on user sessions or inject information into the -## user session. Thus, this access should likely -## not be allowed for non-interactive domains. -##

--##
+ ## ## ## - ## Domain allowed access. - ## +@@ -2614,14 +3293,33 @@ interface(`userdom_use_user_ptys',` ## --## + ## # -interface(`userdom_use_user_terminals',` -+interface(`userdom_use_user_ptys',` ++interface(`userdom_use_inherited_user_terminals',` gen_require(` -- type user_tty_device_t, user_devpts_t; -+ type user_devpts_t; + type user_tty_device_t, user_devpts_t; ') - allow $1 user_tty_device_t:chr_file rw_term_perms; - allow $1 user_devpts_t:chr_file rw_term_perms; +- allow $1 user_devpts_t:chr_file rw_term_perms; - term_list_ptys($1) - ') - - ######################################## - ## --## Do not audit attempts to read and write --## a user domain tty and pty. -+## Read and write a inherited user domain pty. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. - ## - ## - # --interface(`userdom_dontaudit_use_user_terminals',` -+interface(`userdom_use_inherited_user_ptys',` - gen_require(` -- type user_tty_device_t, user_devpts_t; -+ type user_devpts_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; -- dontaudit $1 user_devpts_t:chr_file rw_term_perms; -+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms; - ') - - ######################################## - ## --## Execute a shell in all user domains. This --## is an explicit transition, requiring the --## caller to use setexeccon(). -+## Read and write a inherited user TTYs and PTYs. -+## -+## -+##

-+## Allow the specified domain to read and write inherited user -+## TTYs and PTYs. This will allow the domain to -+## interact with the user via the terminal. Typically -+## all interactive applications will require this -+## access. -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_use_inherited_user_terminals',` -+ gen_require(` -+ type user_tty_device_t, user_devpts_t; -+ ') -+ + allow $1 user_tty_device_t:chr_file rw_inherited_term_perms; + allow $1 user_devpts_t:chr_file rw_inherited_term_perms; +') @@ -151100,24 +151292,15 @@ index 4b2878a..917240b 100644 + + allow $1 user_tty_device_t:chr_file rw_term_perms; + allow $1 user_devpts_t:chr_file rw_term_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read and write -+## a user domain tty and pty. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`userdom_dontaudit_use_user_terminals',` -+ gen_require(` -+ type user_tty_device_t, user_devpts_t; -+ ') -+ + ') + + ######################################## +@@ -2640,8 +3338,27 @@ interface(`userdom_dontaudit_use_user_terminals',` + type user_tty_device_t, user_devpts_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_term_perms; +- dontaudit $1 user_devpts_t:chr_file rw_term_perms; + dontaudit $1 user_tty_device_t:chr_file rw_inherited_term_perms; + dontaudit $1 user_devpts_t:chr_file rw_inherited_term_perms; +') @@ -151139,17 +151322,10 @@ index 4b2878a..917240b 100644 + ') + + allow $1 { user_tty_device_t user_devpts_t }:chr_file getattr_chr_file_perms; -+') -+ -+######################################## -+## -+## Execute a shell in all user domains. This -+## is an explicit transition, requiring the -+## caller to use setexeccon(). - ## - ## - ## -@@ -2713,69 +3428,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` + ') + + ######################################## +@@ -2713,69 +3430,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
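Review bot: The refpolicy caveat that read/write access to user TTYs and PTYs lets a domain spy on or inject into the user's session (the inner `-## However, this also allows the applications to spy …` through `-## not be allowed for non-interactive domains.` lines) is dropped here and, as far as the collapsed nesting can be read, is not carried into the description of either `userdom_use_inherited_user_terminals` or the interface whose body is `allow $1 user_tty_device_t:chr_file rw_term_perms;`. The warning matters most for the latter: if `rw_inherited_term_perms` is `rw_term_perms` minus `open`, as its name suggests (the macro definition is not on this page), then only the `rw_term_perms` interface lets a caller attach to any user terminal rather than merely use a descriptor it was handed. I would restore that paragraph verbatim under the `## access.` line of the `rw_term_perms` interface and add one line to the inherited variant, e.g. `## Does not allow opening a user terminal; only descriptors inherited from the caller can be used.` The interface bodies in this hunk are split across several nested inner hunks, so parts of each definition lie outside the visible lines.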
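Review bot: `userdom_dontaudit_use_user_terminals` now silences only `rw_inherited_term_perms` on `user_tty_device_t` and `user_devpts_t` (the two `- dontaudit … rw_term_perms;` lines go away), so a caller that tries to `open` a user terminal will start producing AVC denials where it was quiet before, assuming `rw_inherited_term_perms` excludes `open` as its name suggests — the macro itself is not on this page. That is a defensible narrowing, since open attempts on a user's terminal by a non-interactive domain are exactly what an auditor wants to see, but the interface description still reads `Do not audit attempts to read and write a user domain tty and pty.` and gives no hint of it. I would change that line to `## Do not audit attempts to read and write an inherited user domain tty and pty; open attempts remain audited.` so policy authors relying on the old blanket dontaudit are not surprised. The description lines sit above the inner `@@ -2640,8 +3338,27 @@` hunk and are outside this hunk.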
@@ -151250,7 +151426,7 @@ index 4b2878a..917240b 100644 ## ## ## -@@ -2783,12 +3497,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2783,12 +3499,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -151265,7 +151441,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -2852,7 +3566,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3568,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -151274,7 +151450,7 @@ index 4b2878a..917240b 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3582,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3584,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -151308,7 +151484,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -2972,7 +3670,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3672,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -151317,7 +151493,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -3027,7 +3725,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3727,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -151364,7 +151540,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -3045,7 +3781,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3783,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -151373,7 +151549,7 @@ index 4b2878a..917240b 100644 ') ######################################## -@@ -3064,6 +3800,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3802,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) 
@@ -151381,7 +151557,7 @@ index 4b2878a..917240b 100644 kernel_search_proc($1) ') -@@ -3140,6 +3877,42 @@ interface(`userdom_signal_all_users',` +@@ -3140,6 +3879,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -151424,7 +151600,7 @@ index 4b2878a..917240b 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3160,6 +3933,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3935,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -151449,7 +151625,7 @@ index 4b2878a..917240b 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3985,1292 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3987,1292 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 87d5518..18117b0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 124%{?dist} +Release: 125%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -491,6 +491,35 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed May 16 2012 Miroslav Grepl 3.10.0-125 +- Fix pulseaudio port definition +- Add labeling for condor_starter +- Allow chfn_t to creat user_tmp_files +- Allow chfn_t to execute bin_t +- Allow prelink_cron_system_t to getpw calls +- Allow sudo domains to manage kerberos rcache files +- Allow user_mail_domains to work with courie +- Port definitions necessary for running jboss apps within openshift +- Add support for openstack-nova-metadata-api +- Add support for nova-console* +- Add support for openstack-nova-xvpvncproxy +- Fixes to make privsep+SELinux working if we try to use chage to change passwd +- Fix auth_role() interface +- Allow numad to read sysfs +- Allow matahari-rpcd to execute shell +- Add label for ~/.spicec +- xdm is executing lspci as root which is requesting a sys_admin priv but seems to succeed without it +- Devicekit_disk wants to read the logind sessions file when writing a cd +- Add fixes for condor to make condor jobs working correctly +- Change label of /var/log/rpmpkgs to cron_log_t +- Access requires to allow systemd-tmpfiles --create to work. +- Fix obex to be a user application started by the session bus. +- Add additional filename trans rules for kerberos +- Fix /var/run/heartbeat labeling +- Allow apps that are managing rcache to file trans correctly +- Allow openvpn to authenticate against ldap server +- Containers need to listen to network starting and stopping events + * Wed May 9 2012 Miroslav Grepl 3.10.0-124 - Make systemd unit files less specific