From a3cd830148d653c2f71fe0a4dde13f28ad119ac3 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 12 2012 05:05:34 +0000 Subject: - Allow systemd to read tmp_t link files - Backport ABRT policy from F17 - Allow nagios domains to execute bin_t - Allow pads to read kernel network state - Allow sudo domains to manage kerberos rcache files - Allow polipo to manage polipo_cache dirs - Allow nsswitch domains to read sssd public files - Dontaudit net_admin capability for collectd - Allow thumb_t to create gstreamer dirs - user_tcp_server boolean should be also for sysadm_t - Add labeling for /var/lib/lighttpd - Fix files_lib_filetrans_shared_lib() interface --- diff --git a/policy-F16.patch b/policy-F16.patch index 5e3fd35..5c712f7 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -3823,7 +3823,7 @@ index 7bddc02..2b59ed0 100644 + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if -index 975af1a..634c47a 100644 +index 975af1a..f681195 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` @@ -3865,7 +3865,7 @@ index 975af1a..634c47a 100644 allow $1_sudo_t $3:key search; -@@ -76,88 +62,19 @@ template(`sudo_role_template',` +@@ -76,86 +62,25 @@ template(`sudo_role_template',` # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $3) corecmd_bin_domtrans($1_sudo_t, $3) 
@@ -3948,19 +3948,19 @@ index 975af1a..634c47a 100644 - fs_manage_cifs_files($1_sudo_t) - ') - -- optional_policy(` + optional_policy(` - dbus_system_bus_client($1_sudo_t) -- ') -- -- optional_policy(` ++ mta_role($2, $1_sudo_t) + ') + + optional_policy(` - fprintd_dbus_chat($1_sudo_t) -- ') -- -+ mta_role($2, $1_sudo_t) - ') ++ kerberos_manage_host_rcache($1_sudo_t) ++ kerberos_read_config($1_sudo_t) + ') - ######################################## -@@ -177,3 +94,22 @@ interface(`sudo_sigchld',` + ') +@@ -177,3 +102,22 @@ interface(`sudo_sigchld',` allow $1 sudodomain:process sigchld; ') @@ -5710,7 +5710,7 @@ index 00a19e3..ade1224 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..5bd094e 100644 +index f5afe78..f91a120 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,879 @@ @@ -6780,7 +6780,7 @@ index f5afe78..5bd094e 100644 ## ## ## -@@ -122,17 +1028,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1028,35 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -6793,6 +6793,24 @@ index f5afe78..5bd094e 100644 - domtrans_pattern($1, gconfd_exec_t, gconfd_t) + manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t) ++') ++ ++####################################### ++## ++## manage gstreamer home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_gstreamer_home_dirs',` ++ gen_require(` ++ type gstreamer_home_t; ++ ') ++ ++ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t) ') ######################################## @@ -6802,7 +6820,7 @@ index f5afe78..5bd094e 100644 ## ## ## -@@ -140,51 +1046,303 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1064,303 @@ interface(`gnome_domtrans_gconfd',` ## ## # 
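Review bot: `kerberos_manage_host_rcache($1_sudo_t)` in the new optional_policy block gives every per-role sudo domain manage access to the host Kerberos replay cache, which includes removing and replacing rcache files, and nothing in the hunk says why write/delete rather than read or create is needed. Because the replay cache is the mechanism that rejects replayed tickets, the grant deserves a comment such as `# TODO(review): document why sudo needs manage (not read/create) on the host Kerberos rcache`, and a narrower kerberos interface should be preferred if this tree provides one. The enclosing sudo_role_template starts and ends outside this hunk.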
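Review bot: The description of the new `gnome_manage_gstreamer_home_dirs` interface is copied from the files variant and still reads `manage gstreamer home content files.` although its body is `manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)`. Change the summary to `## Manage gstreamer home content directories.` so the generated interface documentation distinguishes the two interfaces. The gnome.if hunk this lands in continues outside this view.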
@@ -12389,10 +12407,10 @@ index 0000000..5554dc9 + diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..b4001f1 +index 0000000..6d178d3 --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,76 @@ +@@ -0,0 +1,77 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -12468,7 +12486,8 @@ index 0000000..b4001f1 + gnome_dontaudit_search_config(thumb_t) + gnome_read_generic_data_home_files(thumb_t) + gnome_manage_gstreamer_home_files(thumb_t) -+') ++ gnome_manage_gstreamer_home_dirs(thumb_t) ++') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index 11fe4f2..98bfbf3 100644 --- a/policy/modules/apps/tvtime.te @@ -24233,19 +24252,22 @@ index e88b95f..1cd57fd 100644 -#gen_user(xguest_u,, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0) diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc -index 1bd5812..0d7d8d1 100644 +index 1bd5812..196cfc9 100644 --- a/policy/modules/services/abrt.fc 
+++ b/policy/modules/services/abrt.fc -@@ -1,13 +1,13 @@ +@@ -1,13 +1,16 @@ /etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) /etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) -+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) - /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) +-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) -- ++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0) ++/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) ++/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0) + /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) @@ -24253,7 +24275,7 @@ index 1bd5812..0d7d8d1 100644 /var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) /var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -@@ -15,6 +15,19 @@ +@@ -15,6 +18,19 @@ /var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) /var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) @@ -24274,10 +24296,10 @@ index 1bd5812..0d7d8d1 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if -index 0b827c5..b2d6129 100644 +index 0b827c5..ac79ca6 100644 --- a/policy/modules/services/abrt.if 
+++ b/policy/modules/services/abrt.if -@@ -71,6 +71,7 @@ interface(`abrt_read_state',` +@@ -71,12 +71,13 @@ interface(`abrt_read_state',` type abrt_t; ') @@ -24285,21 +24307,27 @@ index 0b827c5..b2d6129 100644 ps_process_pattern($1, abrt_t) ') -@@ -160,8 +161,7 @@ interface(`abrt_run_helper',` + ######################################## + ## +-## Connect to abrt over an unix stream socket. ++## Connect to abrt over a unix stream socket. + ## + ## + ## +@@ -160,8 +161,26 @@ interface(`abrt_run_helper',` ######################################## ## -## Send and receive messages from -## abrt over dbus. +## Read abrt cache - ## - ## - ## -@@ -169,12 +169,52 @@ interface(`abrt_run_helper',` - ## - ## - # --interface(`abrt_cache_manage',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`abrt_read_cache',` + gen_require(` + type abrt_var_cache_t; @@ -24312,13 +24340,14 @@ index 0b827c5..b2d6129 100644 +######################################## +## +## Append abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -169,12 +188,33 @@ interface(`abrt_run_helper',` + ## + ## + # +-interface(`abrt_cache_manage',` +interface(`abrt_append_cache',` + gen_require(` + type abrt_var_cache_t; @@ -24349,7 +24378,7 @@ index 0b827c5..b2d6129 100644 ') #################################### -@@ -253,6 +293,24 @@ interface(`abrt_manage_pid_files',` +@@ -253,6 +293,47 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') 
@@ -24371,10 +24400,49 @@ index 0b827c5..b2d6129 100644 + allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms; +') + ++######################################## ++## ++## Execute abrt server in the abrt domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`abrt_systemctl',` ++ gen_require(` ++ type abrt_t; ++ type abrt_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 abrt_unit_file_t:file read_file_perms; ++ allow $1 abrt_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, abrt_t) ++') ++ ##################################### ## ## All of the rules required to administrate -@@ -286,18 +344,116 @@ interface(`abrt_admin',` +@@ -276,28 +357,135 @@ interface(`abrt_admin',` + type abrt_var_cache_t, abrt_var_log_t; + type abrt_var_run_t, abrt_tmp_t; + type abrt_initrc_exec_t; ++ type abrt_unit_file_t; + ') + +- allow $1 abrt_t:process { ptrace signal_perms }; ++ allow $1 abrt_t:process { signal_perms }; + ps_process_pattern($1, abrt_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 abrt_t:process ptrace; ++ ') ++ + init_labeled_script_domtrans($1, abrt_initrc_exec_t) + domain_system_change_exemption($1) role_transition $2 abrt_initrc_exec_t system_r; allow $2 system_r; @@ -24397,7 +24465,11 @@ index 0b827c5..b2d6129 100644 - files_search_tmp($1) + files_list_tmp($1) admin_pattern($1, abrt_tmp_t) - ') ++ ++ abrt_systemctl($1) ++ admin_pattern($1, abrt_unit_file_t) ++ allow $1 abrt_unit_file_t:service all_service_perms; ++') + +#################################### +## @@ -24495,12 +24567,12 @@ index 0b827c5..b2d6129 100644 + ') + + dontaudit $1 abrt_t:sock_file write; -+') + ') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..77c9f63 100644 +index 30861ec..c872f94 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te -@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) +@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0) # Declarations # 
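Review bot: The new `abrt_systemctl` interface is documented as `Execute abrt server in the abrt domain.` with its parameter described as `Domain allowed to transition`, but its body performs no domain transition: it calls `systemd_exec_systemctl($1)`, grants `read_file_perms` on abrt_unit_file_t and `manage_service_perms` on its service class, and adds `ps_process_pattern($1, abrt_t)`. Rewrite the summary as `## Execute systemctl to manage the abrt service and read its unit file.` and the parameter text as `## Domain allowed access.` so callers are not led to expect a transition into abrt_t. Further down the same hunk, abrt_admin adds `allow $1 abrt_unit_file_t:service all_service_perms;` right after `abrt_systemctl($1)` already granted manage_service_perms; if all_service_perms is a superset the first grant is redundant, and a one-line comment noting that the admin intentionally gets the wider set would help the next reader. The abrt_admin body continues past the end of this hunk.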
@@ -24527,7 +24599,16 @@ index 30861ec..77c9f63 100644 type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -32,9 +50,20 @@ files_type(abrt_var_cache_t) + type abrt_initrc_exec_t; + init_script_file(abrt_initrc_exec_t) + ++type abrt_unit_file_t; ++systemd_unit_file(abrt_unit_file_t) ++ + # etc files + type abrt_etc_t; + files_config_file(abrt_etc_t) +@@ -32,9 +53,20 @@ files_type(abrt_var_cache_t) type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -24549,7 +24630,7 @@ index 30861ec..77c9f63 100644 type abrt_helper_exec_t; application_domain(abrt_helper_t, abrt_helper_exec_t) role system_r types abrt_helper_t; -@@ -43,14 +72,34 @@ ifdef(`enable_mcs',` +@@ -43,22 +75,48 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -24573,6 +24654,12 @@ index 30861ec..77c9f63 100644 +type abrt_retrace_spool_t; +files_spool_file(abrt_retrace_spool_t) + ++# Support abrt-watch log ++ ++type abrt_watch_log_t; ++type abrt_watch_log_exec_t; ++init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t) ++ ######################################## # # abrt local policy @@ -24586,15 +24673,16 @@ index 30861ec..77c9f63 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +108,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; - allow abrt_t self:netlink_route_socket r_netlink_socket_perms; + allow abrt_t self:udp_socket create_socket_perms; + allow abrt_t self:unix_dgram_socket create_socket_perms; +-allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files +list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t) rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -68,7 +126,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) # abrt tmp files manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) 
@@ -24604,7 +24692,7 @@ index 30861ec..77c9f63 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +134,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +142,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -24617,7 +24705,7 @@ index 30861ec..77c9f63 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +156,8 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +164,8 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -24626,7 +24714,7 @@ index 30861ec..77c9f63 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +167,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +175,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) 
@@ -24636,24 +24724,26 @@ index 30861ec..77c9f63 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +176,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +184,9 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) +files_dontaudit_read_all_symlinks(abrt_t) +files_dontaudit_getattr_all_sockets(abrt_t) ++files_list_mnt(abrt_t) fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,15 +188,23 @@ fs_read_nfs_files(abrt_t) +@@ -131,22 +197,26 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) -sysnet_read_config(abrt_t) -+sysnet_dns_name_resolve(abrt_t) - +- logging_read_generic_logs(abrt_t) -logging_send_syslog_msg(abrt_t) ++ ++auth_use_nsswitch(abrt_t) miscfiles_read_generic_certs(abrt_t) -miscfiles_read_localization(abrt_t) @@ -24664,26 +24754,19 @@ index 30861ec..77c9f63 100644 +tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +') -+ -+optional_policy(` + + optional_policy(` +- dbus_system_domain(abrt_t, abrt_exec_t) + apache_list_modules(abrt_t) + apache_read_modules(abrt_t) -+') + ') optional_policy(` - dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +215,11 @@ optional_policy(` +- nis_use_ypbind(abrt_t) ++ dbus_system_domain(abrt_t, abrt_exec_t) ') optional_policy(` -+ nsplugin_read_rw_files(abrt_t) -+ nsplugin_read_home(abrt_t) -+') -+ -+optional_policy(` - policykit_dbus_chat(abrt_t) - policykit_domtrans_auth(abrt_t) - policykit_read_lib(abrt_t) @@ -167,6 +237,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) 
@@ -24758,7 +24841,7 @@ index 30861ec..77c9f63 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +317,128 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +317,146 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -24766,7 +24849,7 @@ index 30861ec..77c9f63 100644 + optional_policy(` + rpm_dontaudit_leaks(abrt_helper_t) + ') - ') ++') + +ifdef(`hide_broken_symptoms',` + gen_require(` @@ -24877,6 +24960,24 @@ index 30861ec..77c9f63 100644 + +####################################### +# ++# abrt_watch_log local policy ++# ++ ++allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms; ++allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms; ++ ++read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) ++ ++domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) ++ ++logging_read_all_logs(abrt_watch_log_t) ++ ++optional_policy(` ++ unconfined_domain(abrt_watch_log_t) + ') ++ ++####################################### ++# +# Local policy for all abrt domain +# + @@ -25364,7 +25465,7 @@ index deca9d3..ac92fce 100644 ') diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..a5571ff 100644 +index 9e39aa5..9067769 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -1,21 +1,30 @@ 
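Review bot: The new `abrt_watch_log` local policy ends with `optional_policy(` unconfined_domain(abrt_watch_log_t) ')`, which makes the freshly declared daemon domain fully unconfined whenever the unconfined module is loaded, so the targeted rules above it (`read_files_pattern` on abrt_etc_t, `logging_read_all_logs`, the domtrans to abrt_dump_oops_t) only take effect on builds without that module. If this is the usual transitional step for a newly confined daemon, say so with a comment such as `# TODO(review): transitional; drop unconfined_domain() once abrt_watch_log_t is fully confined` and track its removal, since otherwise the separate domain adds little over running the helper unconfined. `logging_read_all_logs(abrt_watch_log_t)` also appears broader than watching one log would need, but which file the helper tails is not visible here.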
@@ -25449,7 +25550,7 @@ index 9e39aa5..a5571ff 100644 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -73,20 +87,26 @@ ifdef(`distro_suse', ` +@@ -73,20 +87,27 @@ ifdef(`distro_suse', ` /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -25460,6 +25561,7 @@ index 9e39aa5..a5571ff 100644 +/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) +/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -25478,7 +25580,7 @@ index 9e39aa5..a5571ff 100644 ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -105,7 +125,30 @@ ifdef(`distro_debian', ` +@@ -105,7 +126,30 @@ ifdef(`distro_debian', ` /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -31680,10 +31782,10 @@ index 0000000..ed13d1e + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..7bd44e8 +index 0000000..faad53d --- /dev/null +++ b/policy/modules/services/collectd.te -@@ -0,0 +1,85 @@ +@@ -0,0 +1,86 @@ +policy_module(collectd, 1.0.0) + +######################################## 
@@ -31718,6 +31820,7 @@ index 0000000..7bd44e8 +# + +allow collectd_t self:capability ipc_lock; ++dontaudit collectd_t self:capability net_admin; +allow collectd_t self:process { signal fork }; + +allow collectd_t self:fifo_file rw_fifo_file_perms; @@ -47380,7 +47483,7 @@ index 8581040..3983667 100644 allow $1 nagios_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index bf64a4c..2275f40 100644 +index bf64a4c..add7b8f 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -5,6 +5,8 @@ policy_module(nagios, 1.10.0) @@ -47586,7 +47689,7 @@ index bf64a4c..2275f40 100644 # needed by check_users plugin optional_policy(` init_read_utmp(nagios_system_plugin_t) -@@ -389,3 +408,52 @@ optional_policy(` +@@ -389,3 +408,54 @@ optional_policy(` optional_policy(` unconfined_domain(nagios_unconfined_plugin_t) ') @@ -47630,6 +47733,8 @@ index bf64a4c..2275f40 100644 + +kernel_read_system_state(nagios_plugin_domain) + ++corecmd_exec_bin(nagios_plugin_domain) ++ +dev_read_urand(nagios_plugin_domain) +dev_read_rand(nagios_plugin_domain) + @@ -49743,7 +49848,7 @@ index 8ac407e..8235fb6 100644 admin_pattern($1, pads_config_t) ') diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te -index b246bdd..84afa7a 100644 +index b246bdd..e6a686f 100644 --- a/policy/modules/services/pads.te +++ b/policy/modules/services/pads.te @@ -1,4 +1,4 @@ 
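Review bot: `corecmd_exec_bin(nagios_plugin_domain)` is granted to the whole nagios_plugin_domain attribute, so every plugin type carrying it may execute any bin_t binary in its own domain, not just the plugin that prompted the change; which types carry the attribute is not visible in this hunk. The nearby nagios.te rules annotate per-plugin needs (the `# needed by check_users plugin` comment appears in the preceding hunk's context), so a matching comment naming the plugin that needs bin_t execution, or moving the rule onto that plugin's type, would keep the grant explainable and keep the attribute-wide surface from growing silently. The declaration of nagios_plugin_domain and the rest of its rules lie outside this view.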
@@ -49776,7 +49881,15 @@ index b246bdd..84afa7a 100644 allow pads_t pads_config_t:file manage_file_perms; files_etc_filetrans(pads_t, pads_config_t, file) -@@ -48,6 +48,7 @@ corenet_tcp_connect_prelude_port(pads_t) +@@ -37,6 +37,7 @@ allow pads_t pads_var_run_t:file manage_file_perms; + files_pid_filetrans(pads_t, pads_var_run_t, file) + + kernel_read_sysctl(pads_t) ++kernel_read_network_state(pads_t) + + corecmd_search_bin(pads_t) + +@@ -48,6 +49,7 @@ corenet_tcp_connect_prelude_port(pads_t) dev_read_rand(pads_t) dev_read_urand(pads_t) @@ -51506,10 +51619,10 @@ index 0000000..b11f37a +') diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te new file mode 100644 -index 0000000..7750ace +index 0000000..299b3ed --- /dev/null +++ b/policy/modules/services/polipo.te -@@ -0,0 +1,170 @@ +@@ -0,0 +1,172 @@ +policy_module(polipo, 1.0.0) + +######################################## @@ -51627,6 +51740,8 @@ index 0000000..7750ace +read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t) + +manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t) ++manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t) ++files_var_filetrans(polipo_t, polipo_cache_t, dir) + +append_files_pattern(polipo_t, polipo_log_t, polipo_log_t) + @@ -69208,7 +69323,7 @@ index 73554ec..cd2c7cc 100644 + logging_log_named_filetrans($1, wtmp_t, file, "wtmp") +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index b7a5f00..7edafde 100644 +index b7a5f00..c175fd9 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1) @@ -69289,7 +69404,7 @@ index b7a5f00..7edafde 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -388,10 +409,71 @@ ifdef(`distro_ubuntu',` +@@ -388,10 +409,72 @@ ifdef(`distro_ubuntu',` ') optional_policy(` 
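Review bot: `files_var_filetrans(polipo_t, polipo_cache_t, dir)` is unnamed, so every directory polipo_t creates directly inside a var_t directory is labelled polipo_cache_t, not only the cache directory; the polipo_cache_t file-context entry is not in this hunk, so the intended path cannot be checked here. This tree already uses name-based transitions (`logging_log_named_filetrans($1, wtmp_t, file, "wtmp")` appears in the authlogin.if context on this page), so if files_var_filetrans accepts a name argument in this version, pass the cache directory's basename; otherwise add a comment such as `# TODO(review): narrow this transition to the cache directory name if the interface supports it`. The polipo_t local policy block continues outside this hunk.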
@@ -69357,6 +69472,7 @@ index b7a5f00..7edafde 100644 + +optional_policy(` + sssd_stream_connect(nsswitch_domain) ++ sssd_read_public_files(nsswitch_domain) +') + +optional_policy(` @@ -77302,10 +77418,10 @@ index 0000000..d77929b + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..d0fcf7c +index 0000000..af1e889 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,393 @@ +@@ -0,0 +1,394 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -77537,6 +77653,7 @@ index 0000000..d0fcf7c +files_manage_all_pids(systemd_tmpfiles_t) +files_manage_all_pid_dirs(systemd_tmpfiles_t) +files_manage_all_locks(systemd_tmpfiles_t) ++files_read_generic_tmp_symlinks(systemd_tmpfiles_t) +files_setattr_all_tmp_dirs(systemd_tmpfiles_t) +files_delete_all_non_security_files(systemd_tmpfiles_t) +files_delete_all_pid_sockets(systemd_tmpfiles_t) @@ -78913,7 +79030,7 @@ index db75976..ce61aed 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..48bc324 100644 +index 4b2878a..46e298b 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -80268,7 +80385,18 @@ index 4b2878a..48bc324 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1546,8 @@ template(`userdom_security_admin_template',` +@@ -1165,6 +1501,10 @@ template(`userdom_admin_user_template',` + fs_read_noxattr_fs_files($1_t) + ') + ++ tunable_policy(`user_tcp_server',` ++ corenet_tcp_bind_all_unreserved_ports($1_t) ++ ') ++ + optional_policy(` + postgresql_unconfined($1_t) + ') +@@ -1210,6 +1550,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -80277,7 +80405,7 @@ index 4b2878a..48bc324 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1560,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1564,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -80288,7 +80416,7 @@ index 4b2878a..48bc324 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1573,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1577,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -80317,7 +80445,7 @@ index 4b2878a..48bc324 100644 ') optional_policy(` -@@ -1251,12 +1601,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1605,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -80333,7 +80461,7 @@ index 4b2878a..48bc324 100644 ') optional_policy(` -@@ -1279,49 +1629,98 @@ template(`userdom_security_admin_template',` +@@ -1279,44 +1633,93 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -80396,12 +80524,10 @@ index 4b2878a..48bc324 100644 # -interface(`userdom_setattr_user_ptys',` +interface(`userdom_user_tmpfs_content',` - gen_require(` -- type user_devpts_t; ++ gen_require(` + attribute user_tmpfs_type; - ') - -- allow $1 user_devpts_t:chr_file setattr_chr_file_perms; ++ ') ++ + typeattribute $1 user_tmpfs_type; + + files_tmpfs_file($1) @@ -80438,15 +80564,10 @@ index 4b2878a..48bc324 100644 +## +# +interface(`userdom_setattr_user_ptys',` -+ gen_require(` -+ type user_devpts_t; -+ ') -+ -+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms; - ') - - ######################################## -@@ -1395,6 +1794,7 @@ interface(`userdom_search_user_home_dirs',` + gen_require(` + type user_devpts_t; + ') +@@ -1395,6 +1798,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -80454,7 +80575,7 @@ index 4b2878a..48bc324 100644 files_search_home($1) ') -@@ -1441,6 +1841,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1845,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -80469,7 +80590,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -1456,9 +1864,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1868,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -80481,7 +80602,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -1515,6 +1925,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1929,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -80524,7 +80645,7 @@ index 4b2878a..48bc324 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2035,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2039,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -80533,7 +80654,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -1603,10 +2051,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2055,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -80548,7 +80669,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -1649,6 +2099,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2103,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## 
@@ -80592,7 +80713,7 @@ index 4b2878a..48bc324 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2155,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2159,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -80618,7 +80739,7 @@ index 4b2878a..48bc324 100644 ## Mmap user home files. ## ## -@@ -1698,14 +2204,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1698,14 +2208,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -80656,7 +80777,7 @@ index 4b2878a..48bc324 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2244,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2248,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -80674,7 +80795,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -1779,6 +2310,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2314,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -80735,7 +80856,7 @@ index 4b2878a..48bc324 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2395,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2399,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -80745,7 +80866,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -1827,20 +2411,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2415,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` 
@@ -80770,7 +80891,7 @@ index 4b2878a..48bc324 100644 ######################################## ## -@@ -1941,6 +2519,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2523,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## @@ -80795,7 +80916,7 @@ index 4b2878a..48bc324 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2604,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2608,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -80804,7 +80925,7 @@ index 4b2878a..48bc324 100644 files_search_home($1) ') -@@ -2039,7 +2635,7 @@ interface(`userdom_user_home_content_filetrans',` +@@ -2039,7 +2639,7 @@ interface(`userdom_user_home_content_filetrans',` type user_home_dir_t, user_home_t; ') @@ -80813,7 +80934,7 @@ index 4b2878a..48bc324 100644 allow $1 user_home_dir_t:dir search_dir_perms; files_search_home($1) ') -@@ -2158,11 +2754,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2158,11 +2758,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -80828,7 +80949,7 @@ index 4b2878a..48bc324 100644 files_search_tmp($1) ') -@@ -2182,7 +2778,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2782,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -80837,7 +80958,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -2390,7 +2986,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2990,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -80846,7 +80967,7 @@ index 4b2878a..48bc324 100644 files_search_tmp($1) ') -@@ -2419,6 +3015,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2419,6 +3019,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2) ') 
@@ -80872,7 +80993,7 @@ index 4b2878a..48bc324 100644 ######################################## ## ## Read user tmpfs files. -@@ -2435,13 +3050,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3054,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -80888,7 +81009,7 @@ index 4b2878a..48bc324 100644 ## ## ## -@@ -2462,7 +3078,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,7 +3082,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -80897,7 +81018,7 @@ index 4b2878a..48bc324 100644 ## ## ## -@@ -2470,14 +3086,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2470,14 +3090,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -80932,7 +81053,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -2572,7 +3204,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3208,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -80941,7 +81062,7 @@ index 4b2878a..48bc324 100644 ## ## ## -@@ -2580,48 +3212,97 @@ interface(`userdom_use_user_ttys',` +@@ -2580,48 +3216,97 @@ interface(`userdom_use_user_ttys',` ## ## # @@ -81063,7 +81184,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -2640,8 +3321,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2640,8 +3325,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -81093,7 +81214,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -2713,6 +3413,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2713,6 +3417,24 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
@@ -81118,7 +81239,7 @@ index 4b2878a..48bc324 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2736,24 +3454,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3458,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -81143,7 +81264,7 @@ index 4b2878a..48bc324 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3472,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3476,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -81169,7 +81290,7 @@ index 4b2878a..48bc324 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3533,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3537,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -81178,7 +81299,7 @@ index 4b2878a..48bc324 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3549,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3553,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -81212,7 +81333,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -2972,7 +3637,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3641,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -81221,7 +81342,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -3027,7 +3692,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3696,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -81268,7 +81389,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -3045,7 +3748,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3045,7 +3752,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -81277,7 +81398,7 @@ index 4b2878a..48bc324 100644 ') ######################################## -@@ -3064,6 +3767,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3771,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -81285,7 +81406,7 @@ index 4b2878a..48bc324 100644 kernel_search_proc($1) ') -@@ -3140,6 +3844,42 @@ interface(`userdom_signal_all_users',` +@@ -3140,6 +3848,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -81328,7 +81449,7 @@ index 4b2878a..48bc324 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3160,6 +3900,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3160,6 +3904,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -81353,7 +81474,7 @@ index 4b2878a..48bc324 100644 ## Create keys for all user domains. ## ## -@@ -3194,3 +3952,1238 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3956,1238 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 042c5d3..e0291d1 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 88%{?dist} +Release: 89%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -466,6 +466,20 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Jun 12 2012 Miroslav Grepl 3.10.0-89 +- Allow systemd to read tmp_t link files +- Backport ABRT policy from F17 +- Allow nagios domains to execute bin_t +- Allow pads to read kernel network state +- Allow sudo domains to manage kerberos rcache files +- Allow polipo to manage polipo_cache dirs +- Allow nsswitch domains to read sssd public files +- Dontaudit net_admin capability for collectd +- Allow thumb_t to create gstreamer dirs +- user_tcp_server boolean should be also for sysadm_t +- Add labeling for /var/lib/lighttpd +- Fix files_lib_filetrans_shared_lib() interface + * Fri May 4 2012 Miroslav Grepl 3.10.0-88 - Allow jockey to use its own fifo_file - Allow collectd to read /dev/random