From a8066ad4b18b0d25515d9f25e28f2ec22cc3485d Mon Sep 17 00:00:00 2001 From: Miroslav Date: Aug 29 2011 11:51:53 +0000 Subject: - Allow Postfix to deliver to Dovecot LMTP socket - Ignore bogus sys_module for lldpad - Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock - systemd_logind_t sets the attributes on usb devices - Allow hddtemp_t to read etc_t files - Add permissivedomains module - Move all permissive domains calls to permissivedomain.te - Allow pegasis to send kill signals to other UIDs --- diff --git a/modules-targeted.conf b/modules-targeted.conf index beed176..a65d10b 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -716,6 +716,14 @@ hddtemp = module # passenger = module + Layer: admin + +# Module: permissivedomains +# +# Contains all permissivedomains shipped by distribution +# +permissivedomains = module + # Layer: services # Module: policykit # diff --git a/policy-F16.patch b/policy-F16.patch index 207bd6d..d704566 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -336,10 +336,27 @@ index e3e0701..3fd0282 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te -index 46d467c..3305e15 100644 +index 46d467c..53c116c 100644 --- a/policy/modules/admin/amanda.te 
+++ b/policy/modules/admin/amanda.te -@@ -200,12 +200,14 @@ files_search_pids(amanda_recover_t) +@@ -58,7 +58,7 @@ optional_policy(` + # + + allow amanda_t self:capability { chown dac_override setuid kill }; +-allow amanda_t self:process { setpgid signal }; ++allow amanda_t self:process { getsched setsched setpgid signal }; + allow amanda_t self:fifo_file rw_fifo_file_perms; + allow amanda_t self:unix_stream_socket create_stream_socket_perms; + allow amanda_t self:unix_dgram_socket create_socket_perms; +@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms; + + manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t) + manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t) ++manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t) + filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) + + allow amanda_t amanda_dumpdates_t:file rw_file_perms; +@@ -200,12 +201,14 @@ files_search_pids(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) @@ -472,7 +489,7 @@ index 63eb96b..17a9f6d 100644 ## ## Execute bootloader interactively and do diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te -index d3da8f2..559bc9b 100644 +index d3da8f2..9152065 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -23,7 +23,7 @@ role system_r types bootloader_t; 
@@ -506,29 +523,30 @@ index d3da8f2..559bc9b 100644 userdom_dontaudit_search_user_home_dirs(bootloader_t) ifdef(`distro_debian',` -@@ -162,12 +162,18 @@ ifdef(`distro_redhat',` +@@ -162,8 +162,10 @@ ifdef(`distro_redhat',` files_manage_isid_type_blk_files(bootloader_t) files_manage_isid_type_chr_files(bootloader_t) - # for mke2fs - mount_domtrans(bootloader_t) -- - optional_policy(` -- unconfined_domain(bootloader_t) ++ optional_policy(` + # for mke2fs + mount_domtrans(bootloader_t) - ') -+ -+ #optional_policy(` -+ # unconfined_domain(bootloader_t) -+ #') ++ ') + + optional_policy(` + unconfined_domain(bootloader_t) +@@ -171,6 +173,10 @@ ifdef(`distro_redhat',` + ') + + optional_policy(` ++ devicekit_dontaudit_read_pid_files(bootloader_t) +') + +optional_policy(` -+ devicekit_dontaudit_read_pid_files(bootloader_t) + fstools_exec(bootloader_t) ') - optional_policy(` @@ -197,10 +203,7 @@ optional_policy(` modutils_exec_insmod(bootloader_t) modutils_exec_depmod(bootloader_t) @@ -966,7 +984,7 @@ index 9dd6880..4b7fa27 100644 optional_policy(` diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te -index 4f7bd3c..6c420a4 100644 +index 4f7bd3c..a29af21 100644 --- a/policy/modules/admin/kudzu.te +++ b/policy/modules/admin/kudzu.te @@ -111,15 +111,10 @@ logging_send_syslog_msg(kudzu_t) @@ -999,12 +1017,11 @@ index 4f7bd3c..6c420a4 100644 ') optional_policy(` -@@ -141,5 +140,5 @@ optional_policy(` +@@ -141,5 +140,4 @@ optional_policy(` optional_policy(` unconfined_domtrans(kudzu_t) - unconfined_domain(kudzu_t) -+ #unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 7090dae..6eac7b9 100644 
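Review bot: The regenerated bootloader.te hunk now carries `unconfined_domain(bootloader_t)` as a plain context line inside the distro_redhat block. The previous revision of the patch deleted that call and left only a commented-out copy, so bootloader_t appears to become unconfined again whenever the unconfined module is present. The prelink.te hunk further down (`@@ -109,6 +120,15 @@`) has the same effect for `unconfined_domain(prelink_t)`, because the shortened hunk stops before that block and no longer removes it. Neither restore is mentioned in the commit message, while the kudzu.te, tmpreaper.te and usermanage.te hunks drop their calls outright. If the restore is intended, state it in the message; otherwise keep deleting the whole `optional_policy` block around each call, as the previous revision did.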
@@ -1579,6 +1596,243 @@ index 3470036..66412e6 100644 +optional_policy(` + puppet_manage_lib(passenger_t) +') +diff --git a/policy/modules/admin/permissivedomains.fc b/policy/modules/admin/permissivedomains.fc +new file mode 100644 +index 0000000..6e6a8fc +--- /dev/null ++++ b/policy/modules/admin/permissivedomains.fc +@@ -0,0 +1 @@ ++# No file contexts +diff --git a/policy/modules/admin/permissivedomains.if b/policy/modules/admin/permissivedomains.if +new file mode 100644 +index 0000000..bd83148 +--- /dev/null ++++ b/policy/modules/admin/permissivedomains.if +@@ -0,0 +1 @@ ++## No Interfaces +diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te +new file mode 100644 +index 0000000..3b8c1e9 +--- /dev/null ++++ b/policy/modules/admin/permissivedomains.te +@@ -0,0 +1,217 @@ ++policy_module(permissivedomains,16) ++ ++optional_policy(` ++ gen_require(` ++ type systemd_logger_t; ++ ') ++ ++ permissive systemd_logger_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type systemd_logind_t; ++ ') ++ ++ permissive systemd_logind_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type fcoemon_t; ++ ') ++ ++ permissive fcoemon_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type httpd_passwd_t; ++ ') ++ ++ permissive httpd_passwd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type puppetca_t; ++ ') ++ ++ permissive puppetca_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type spamd_update_t; ++ ') ++ ++ permissive spamd_update_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type rhev_agentd_t; ++ ') ++ ++ permissive rhev_agentd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type abrt_handle_event_t; ++ ') ++ ++ permissive abrt_handle_event_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type cfengine_serverd_t; ++ ') ++ ++ permissive cfengine_serverd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type cfengine_execd_t; ++ ') ++ ++ permissive cfengine_execd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ 
type cfengine_monitord_t; ++ ') ++ ++ permissive cfengine_monitord_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type rhsmcertd_t; ++ ') ++ ++ permissive rhsmcertd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type fail2ban_client_t; ++ ') ++ ++ permissive fail2ban_client_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type ctdbd_t; ++ ') ++ ++ permissive ctdbd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type mscan_t; ++ ') ++ ++ permissive mscan_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type lldpad_t; ++ ') ++ ++ permissive lldpad_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type sblim_gatherd_t; ++ ') ++ ++ permissive sblim_gatherd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type sblim_gatherd_t; ++ ') ++ ++ permissive sblim_gatherd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type callweaver_t; ++ ') ++ ++ permissive callweaver_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type sanlock_t; ++ ') ++ ++ permissive sanlock_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type uuidd_t; ++ ') ++ ++ permissive uuidd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type wdmd_t; ++ ') ++ ++ permissive wdmd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type dspam_t; ++ ') ++ ++ permissive dspam_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type virt_lxc_t; ++ ') ++ ++ permissive virt_lxc_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type virtd_t; ++ ') ++ ++ permissive virtd_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type pyicqt_t; ++ ') ++ ++ permissive pyicqt_t; ++') ++ ++optional_policy(` ++ gen_require(` ++ type telepathy_logger_t; ++ ') ++ ++ permissive telepathy_logger_t; ++') diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..b665b08 100644 --- a/policy/modules/admin/portage.fc @@ -1664,7 +1918,7 @@ index 93ec175..0e42018 100644 ') ') 
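Review bot: The new permissivedomains.te lists `sblim_gatherd_t` in two consecutive identical `optional_policy` blocks; the second is either redundant or stands in for a different type that was meant to be listed, so it should be deleted or corrected. The module also does not cover every declaration this commit deletes: `permissive kdebacklighthelper_t;` (kde.te), `permissive abrt_dump_oops_t;` and `permissive abrt_retrace_coredump_t;` (abrt.te) are removed with no matching block here. Those domains therefore appear to switch to enforcing, which the "Move all permissive domains calls" line of the commit message does not say. If that is deliberate, note it in the message; if not, add one block per type in the same form, e.g. `permissive abrt_dump_oops_t;` under a `gen_require` for that type. A header comment such as `# Domains listed here are not enforced; remove an entry once its AVC denials are resolved` would also help anyone auditing which domains are still unenforced.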
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..77b9b29 100644 +index af55369..e83b341 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1722,31 +1976,22 @@ index af55369..77b9b29 100644 optional_policy(` amanda_manage_lib(prelink_t) -@@ -109,13 +120,22 @@ optional_policy(` +@@ -109,6 +120,15 @@ optional_policy(` ') optional_policy(` -- rpm_manage_tmp_files(prelink_t) + gnome_dontaudit_read_config(prelink_t) + gnome_dontaudit_read_inherited_gconf_config_files(prelink_t) - ') - - optional_policy(` -- unconfined_domain(prelink_t) ++') ++ ++optional_policy(` + nsplugin_manage_rw_files(prelink_t) +') + +optional_policy(` -+ rpm_manage_tmp_files(prelink_t) + rpm_manage_tmp_files(prelink_t) ') -+#optional_policy(` -+# unconfined_domain(prelink_t) -+#') -+ - ######################################## - # - # Prelink Cron system Policy @@ -129,6 +149,7 @@ optional_policy(` read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) @@ -3016,7 +3261,7 @@ index d5aaf0e..6b16aef 100644 optional_policy(` mta_send_mail(sxid_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te -index 6a5004b..de58aeb 100644 +index 6a5004b..90cf622 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0) @@ -3076,7 +3321,7 @@ index 6a5004b..de58aeb 100644 apache_delete_cache_files(tmpreaper_t) apache_setattr_cache_dirs(tmpreaper_t) ') -@@ -66,9 +78,17 @@ optional_policy(` +@@ -66,9 +78,13 @@ optional_policy(` ') optional_policy(` @@ -3092,10 +3337,6 @@ index 6a5004b..de58aeb 100644 - unconfined_domain(tmpreaper_t) + rpm_manage_cache(tmpreaper_t) ') -+ -+#optional_policy(` -+# unconfined_domain(tmpreaper_t) -+#') diff --git a/policy/modules/admin/tripwire.te b/policy/modules/admin/tripwire.te index 2ae8b62..a8e786b 100644 
--- a/policy/modules/admin/tripwire.te @@ -3346,7 +3587,7 @@ index 81fb26f..66cf96c 100644 ## ## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index 441cf22..233bbc6 100644 +index 441cf22..3d2f418 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t) @@ -3479,15 +3720,15 @@ index 441cf22..233bbc6 100644 auth_domtrans_chk_passwd(useradd_t) auth_rw_lastlog(useradd_t) -@@ -498,20 +503,16 @@ seutil_domtrans_setfiles(useradd_t) +@@ -498,21 +503,11 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories -userdom_manage_user_home_dirs(useradd_t) --userdom_home_filetrans_user_home_dir(useradd_t) + userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) - userdom_home_filetrans_user_home_dir(useradd_t) +-userdom_home_filetrans_user_home_dir(useradd_t) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) +userdom_manage_home_role(system_r, useradd_t) @@ -3498,14 +3739,10 @@ index 441cf22..233bbc6 100644 - unconfined_domain(useradd_t) - ') -') -+#ifdef(`distro_redhat',` -+# optional_policy(` -+# unconfined_domain(useradd_t) -+# ') -+#') - +- optional_policy(` apache_manage_all_user_content(useradd_t) + ') diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te index ebf4b26..453a827 100644 --- a/policy/modules/admin/vpn.te @@ -6538,10 +6775,10 @@ index 0000000..cf65577 +') diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te new file mode 100644 -index 0000000..bb02f40 +index 0000000..6d0c9e3 --- /dev/null +++ b/policy/modules/apps/kde.te -@@ -0,0 +1,45 @@ +@@ -0,0 +1,43 @@ +policy_module(kde,1.0.0) + +######################################## 
@@ -6553,8 +6790,6 @@ index 0000000..bb02f40 +type kdebacklighthelper_exec_t; +dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t) + -+permissive kdebacklighthelper_t; -+ +######################################## +# +# backlighthelper local policy @@ -10008,19 +10243,10 @@ index 3cfb128..609921d 100644 + ') +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..e6e956f 100644 +index 2533ea0..7c8de51 100644 --- a/policy/modules/apps/telepathy.te +++ b/policy/modules/apps/telepathy.te -@@ -32,6 +32,8 @@ userdom_user_home_content(telepathy_gabble_cache_home_t) - telepathy_domain_template(idle) - telepathy_domain_template(logger) - -+permissive telepathy_logger_t; -+ - type telepathy_logger_cache_home_t; - userdom_user_home_content(telepathy_logger_cache_home_t) - -@@ -67,6 +69,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble +@@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) @@ -10035,7 +10261,7 @@ index 2533ea0..e6e956f 100644 corenet_all_recvfrom_netlabel(telepathy_gabble_t) corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -@@ -112,6 +122,10 @@ optional_policy(` +@@ -112,6 +120,10 @@ optional_policy(` dbus_system_bus_client(telepathy_gabble_t) ') 
@@ -10046,7 +10272,7 @@ index 2533ea0..e6e956f 100644 ####################################### # # Telepathy Idle local policy. -@@ -148,9 +162,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -148,9 +160,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` allow telepathy_logger_t self:unix_stream_socket create_socket_perms; manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) @@ -10058,7 +10284,7 @@ index 2533ea0..e6e956f 100644 files_read_etc_files(telepathy_logger_t) files_read_usr_files(telepathy_logger_t) -@@ -168,6 +184,11 @@ tunable_policy(`use_samba_home_dirs',` +@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_logger_t) ') @@ -10070,7 +10296,7 @@ index 2533ea0..e6e956f 100644 ####################################### # # Telepathy Mission-Control local policy. -@@ -176,6 +197,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',` manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) @@ -10078,7 +10304,7 @@ index 2533ea0..e6e956f 100644 dev_read_rand(telepathy_mission_control_t) -@@ -194,6 +216,16 @@ tunable_policy(`use_samba_home_dirs',` +@@ -194,6 +214,16 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_mission_control_t) ') 
@@ -10095,7 +10321,7 @@ index 2533ea0..e6e956f 100644 ####################################### # # Telepathy Butterfly and Haze local policy. -@@ -205,8 +237,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,8 +235,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -10107,7 +10333,7 @@ index 2533ea0..e6e956f 100644 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -246,6 +281,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +279,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` @@ -10118,7 +10344,7 @@ index 2533ea0..e6e956f 100644 dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -365,10 +404,9 @@ dev_read_urand(telepathy_domain) +@@ -365,10 +402,9 @@ dev_read_urand(telepathy_domain) kernel_read_system_state(telepathy_domain) @@ -10130,7 +10356,7 @@ index 2533ea0..e6e956f 100644 miscfiles_read_localization(telepathy_domain) optional_policy(` -@@ -376,5 +414,23 @@ optional_policy(` +@@ -376,5 +412,23 @@ optional_policy(` ') optional_policy(` @@ -12049,7 +12275,7 @@ index 4f3b542..5a41e58 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..d898d5a 100644 +index 99b71cb..2039d50 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,14 @@ attribute netif_type; 
@@ -12182,7 +12408,7 @@ index 99b71cb..d898d5a 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) -+network_port(jboss_management, tcp,4712,s0, udp,4712,s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) @@ -18530,7 +18756,7 @@ index 2be17d2..afb3532 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..9db59b0 100644 +index e14b961..7ef880f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -18665,14 +18891,14 @@ index e14b961..9db59b0 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') @@ -18705,7 +18931,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -225,17 +278,29 @@ optional_policy(` +@@ -225,21 +278,37 @@ optional_policy(` ') optional_policy(` @@ -18735,7 +18961,15 @@ index e14b961..9db59b0 100644 oav_run_update(sysadm_t, sysadm_r) ') -@@ -253,19 +318,19 @@ optional_policy(` + optional_policy(` ++ openvpn_run(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` + pcmcia_run_cardctl(sysadm_t, sysadm_r) + ') + +@@ -253,19 +322,19 @@ optional_policy(` ') optional_policy(` 
@@ -18759,7 +18993,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -274,10 +339,7 @@ optional_policy(` +@@ -274,10 +343,7 @@ optional_policy(` optional_policy(` rpm_run(sysadm_t, sysadm_r) @@ -18771,7 +19005,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -302,12 +364,18 @@ optional_policy(` +@@ -302,12 +368,18 @@ optional_policy(` ') optional_policy(` @@ -18791,7 +19025,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -332,7 +400,7 @@ optional_policy(` +@@ -332,7 +404,7 @@ optional_policy(` ') optional_policy(` @@ -18800,7 +19034,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -343,19 +411,15 @@ optional_policy(` +@@ -343,19 +415,15 @@ optional_policy(` ') optional_policy(` @@ -18822,7 +19056,7 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -367,45 +431,45 @@ optional_policy(` +@@ -367,45 +435,45 @@ optional_policy(` ') optional_policy(` @@ -18879,7 +19113,7 @@ index e14b961..9db59b0 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -439,6 +503,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +507,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -18887,36 +19121,36 @@ index e14b961..9db59b0 100644 ') optional_policy(` -@@ -446,11 +511,62 @@ ifndef(`distro_redhat',` +@@ -446,11 +515,62 @@ ifndef(`distro_redhat',` ') optional_policy(` - irc_role(sysadm_r, sysadm_t) + java_role(sysadm_r, sysadm_t) -+ ') -+ -+ optional_policy(` -+ lockdev_role(sysadm_r, sysadm_t) ') optional_policy(` - java_role(sysadm_r, sysadm_t) -+ mozilla_role(sysadm_r, sysadm_t) ++ lockdev_role(sysadm_r, sysadm_t) + ') + + optional_policy(` -+ mplayer_role(sysadm_r, sysadm_t) ++ mozilla_role(sysadm_r, sysadm_t) + ') + + optional_policy(` ++ mplayer_role(sysadm_r, sysadm_t) + ') +-') + ++ optional_policy(` + pyzor_role(sysadm_r, sysadm_t) + ') + + optional_policy(` + razor_role(sysadm_r, sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + rssh_role(sysadm_r, sysadm_t) + ') 
@@ -20745,7 +20979,7 @@ index 0b827c5..e03a970 100644 + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..e96a565 100644 +index 30861ec..ee2d7f1 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) @@ -20775,7 +21009,7 @@ index 30861ec..e96a565 100644 type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -32,9 +50,24 @@ files_type(abrt_var_cache_t) +@@ -32,9 +50,20 @@ files_type(abrt_var_cache_t) type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -20783,8 +21017,6 @@ index 30861ec..e96a565 100644 +type abrt_dump_oops_exec_t; +init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t) + -+permissive abrt_dump_oops_t; -+ +# type for abrt-handle-event to handle +# ABRT event scripts +type abrt_handle_event_t, abrt_domain; @@ -20792,8 +21024,6 @@ index 30861ec..e96a565 100644 +application_domain(abrt_handle_event_t, abrt_handle_event_exec_t) +role system_r types abrt_handle_event_t; + -+permissive abrt_handle_event_t; -+ # type needed to allow all domains # to handle /var/cache/abrt -type abrt_helper_t; @@ -20801,7 +21031,7 @@ index 30861ec..e96a565 100644 type abrt_helper_exec_t; application_domain(abrt_helper_t, abrt_helper_exec_t) role system_r types abrt_helper_t; -@@ -43,14 +76,37 @@ ifdef(`enable_mcs',` +@@ -43,14 +72,34 @@ ifdef(`enable_mcs',` init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) ') @@ -20819,9 +21049,6 @@ index 30861ec..e96a565 100644 +application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t) +role system_r types abrt_retrace_coredump_t; + -+permissive abrt_retrace_worker_exec_t; -+permissive abrt_retrace_coredump_t; -+ +type abrt_retrace_cache_t; +files_type(abrt_retrace_cache_t) + 
@@ -20841,7 +21068,7 @@ index 30861ec..e96a565 100644 allow abrt_t self:fifo_file rw_fifo_file_perms; allow abrt_t self:tcp_socket create_stream_socket_perms; -@@ -59,6 +115,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; +@@ -59,6 +108,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms; allow abrt_t self:netlink_route_socket r_netlink_socket_perms; # abrt etc files @@ -20849,7 +21076,7 @@ index 30861ec..e96a565 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +126,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -69,6 +119,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -20857,7 +21084,7 @@ index 30861ec..e96a565 100644 # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +140,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -20869,7 +21096,7 @@ index 30861ec..e96a565 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +161,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -20877,7 +21104,7 @@ index 30861ec..e96a565 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +171,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) 
@@ -20887,7 +21114,7 @@ index 30861ec..e96a565 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +180,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) @@ -20896,7 +21123,7 @@ index 30861ec..e96a565 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,15 +192,23 @@ fs_read_nfs_files(abrt_t) +@@ -131,15 +185,23 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -20923,7 +21150,7 @@ index 30861ec..e96a565 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +219,11 @@ optional_policy(` +@@ -150,6 +212,11 @@ optional_policy(` ') optional_policy(` @@ -20935,7 +21162,7 @@ index 30861ec..e96a565 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +241,7 @@ optional_policy(` +@@ -167,6 +234,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -20943,7 +21170,7 @@ index 30861ec..e96a565 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +253,35 @@ optional_policy(` +@@ -178,12 +246,35 @@ optional_policy(` ') optional_policy(` @@ -20980,7 +21207,7 @@ index 30861ec..e96a565 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +298,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +291,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) 
@@ -21009,7 +21236,7 @@ index 30861ec..e96a565 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +321,126 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +314,126 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -21027,7 +21254,7 @@ index 30861ec..e96a565 100644 + allow abrt_t self:capability sys_resource; + allow abrt_t domain:file write; + allow abrt_t domain:process setrlimit; - ') ++') + +####################################### +# @@ -21095,7 +21322,7 @@ index 30861ec..e96a565 100644 + +optional_policy(` + mock_domtrans(abrt_retrace_worker_t) -+') + ') + +######################################## +# @@ -22333,7 +22560,7 @@ index 6480167..13d57b7 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..9b19325 100644 +index 3136c6a..ee04348 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) @@ -22645,7 +22872,7 @@ index 3136c6a..9b19325 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +337,25 @@ files_type(httpd_var_lib_t) +@@ -254,14 +337,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) 
@@ -22666,12 +22893,10 @@ index 3136c6a..9b19325 100644 +application_domain(httpd_passwd_t, httpd_passwd_exec_t) +role system_r types httpd_passwd_t; + -+permissive httpd_passwd_t; -+ ######################################## # # Apache server local policy -@@ -281,11 +375,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +373,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -22685,7 +22910,7 @@ index 3136c6a..9b19325 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +425,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +423,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -22696,7 +22921,7 @@ index 3136c6a..9b19325 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -355,6 +452,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +450,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -22706,7 +22931,7 @@ index 3136c6a..9b19325 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +465,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +463,15 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) 
@@ -22723,7 +22948,7 @@ index 3136c6a..9b19325 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +482,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +480,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -22739,7 +22964,7 @@ index 3136c6a..9b19325 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +495,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +493,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -22747,7 +22972,7 @@ index 3136c6a..9b19325 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,9 +507,20 @@ files_read_etc_files(httpd_t) +@@ -402,9 +505,20 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -22768,7 +22993,7 @@ index 3136c6a..9b19325 100644 logging_send_syslog_msg(httpd_t) miscfiles_read_localization(httpd_t) -@@ -416,34 +532,74 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +530,74 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -22845,7 +23070,7 @@ index 3136c6a..9b19325 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +612,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +610,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -22856,7 +23081,7 @@ index 3136c6a..9b19325 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,15 +626,27 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,15 +624,27 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') 
@@ -22886,7 +23111,7 @@ index 3136c6a..9b19325 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +656,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +654,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -22903,7 +23128,7 @@ index 3136c6a..9b19325 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +680,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +678,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -22924,7 +23149,7 @@ index 3136c6a..9b19325 100644 ') optional_policy(` -@@ -513,7 +704,13 @@ optional_policy(` +@@ -513,7 +702,13 @@ optional_policy(` ') optional_policy(` @@ -22939,7 +23164,7 @@ index 3136c6a..9b19325 100644 ') optional_policy(` -@@ -528,7 +725,19 @@ optional_policy(` +@@ -528,7 +723,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -22960,7 +23185,7 @@ index 3136c6a..9b19325 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +746,13 @@ optional_policy(` +@@ -537,8 +744,13 @@ optional_policy(` ') optional_policy(` @@ -22975,7 +23200,7 @@ index 3136c6a..9b19325 100644 ') ') -@@ -556,7 +770,13 @@ optional_policy(` +@@ -556,7 +768,13 @@ optional_policy(` ') optional_policy(` @@ -22989,7 +23214,7 @@ index 3136c6a..9b19325 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +787,7 @@ optional_policy(` +@@ -567,6 +785,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -22997,7 +23222,7 @@ index 3136c6a..9b19325 100644 ') optional_policy(` -@@ -577,6 +798,20 @@ optional_policy(` +@@ -577,6 +796,20 @@ optional_policy(` ') optional_policy(` 
@@ -23018,7 +23243,7 @@ index 3136c6a..9b19325 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +826,11 @@ optional_policy(` +@@ -591,6 +824,11 @@ optional_policy(` ') optional_policy(` @@ -23030,7 +23255,7 @@ index 3136c6a..9b19325 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +843,12 @@ optional_policy(` +@@ -603,6 +841,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -23043,7 +23268,7 @@ index 3136c6a..9b19325 100644 ######################################## # # Apache helper local policy -@@ -616,7 +862,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +860,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) @@ -23056,7 +23281,7 @@ index 3136c6a..9b19325 100644 ######################################## # -@@ -654,28 +904,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +902,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -23100,7 +23325,7 @@ index 3136c6a..9b19325 100644 ') ######################################## -@@ -685,6 +937,8 @@ optional_policy(` +@@ -685,6 +935,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -23109,7 +23334,7 @@ index 3136c6a..9b19325 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +953,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +951,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -23135,7 +23360,7 @@ index 3136c6a..9b19325 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +999,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +997,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -23168,7 +23393,7 @@ index 3136c6a..9b19325 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1046,25 @@ optional_policy(` +@@ -769,6 +1044,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -23194,7 +23419,7 @@ index 3136c6a..9b19325 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1085,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1083,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -23212,7 +23437,7 @@ index 3136c6a..9b19325 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1104,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1102,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -23269,7 +23494,7 @@ index 3136c6a..9b19325 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1155,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1153,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` 
@@ -23300,7 +23525,7 @@ index 3136c6a..9b19325 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1190,20 @@ optional_policy(` +@@ -842,10 +1188,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -23321,7 +23546,7 @@ index 3136c6a..9b19325 100644 ') ######################################## -@@ -891,11 +1249,48 @@ optional_policy(` +@@ -891,11 +1247,48 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -23446,7 +23671,7 @@ index 1ea99b2..9427dd5 100644 + stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..4ae8a51 100644 +index 1c8c27e..21b91de 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0) @@ -23552,19 +23777,17 @@ index 1c8c27e..4ae8a51 100644 ') optional_policy(` -@@ -218,9 +232,9 @@ optional_policy(` - udev_read_state(apmd_t) #necessary? +@@ -219,10 +233,6 @@ optional_policy(` ') --optional_policy(` + optional_policy(` - unconfined_domain(apmd_t) -') -+#optional_policy(` -+# unconfined_domain(apmd_t) -+#') - - optional_policy(` +- +-optional_policy(` vbetool_domtrans(apmd_t) + ') + diff --git a/policy/modules/services/arpwatch.if b/policy/modules/services/arpwatch.if index c804110..bdefbe1 100644 --- a/policy/modules/services/arpwatch.if @@ -25272,10 +25495,10 @@ index 0000000..564acbd +') diff --git a/policy/modules/services/callweaver.te b/policy/modules/services/callweaver.te new file mode 100644 -index 0000000..a7c96a5 +index 0000000..4cfc9f8 --- /dev/null 
+++ b/policy/modules/services/callweaver.te -@@ -0,0 +1,79 @@ +@@ -0,0 +1,77 @@ +policy_module(callweaver,1.0.0) + +######################################## @@ -25287,8 +25510,6 @@ index 0000000..a7c96a5 +type callweaver_exec_t; +init_daemon_domain(callweaver_t, callweaver_exec_t) + -+permissive callweaver_t; -+ +type callweaver_initrc_exec_t; +init_script_file(callweaver_initrc_exec_t) + @@ -25674,10 +25895,10 @@ index 0000000..12fe9ce + diff --git a/policy/modules/services/cfengine.te b/policy/modules/services/cfengine.te new file mode 100644 -index 0000000..db2ac2d +index 0000000..1ba0484 --- /dev/null +++ b/policy/modules/services/cfengine.te -@@ -0,0 +1,133 @@ +@@ -0,0 +1,127 @@ +policy_module(cfengine, 1.0.0) + +######################################## @@ -25689,8 +25910,6 @@ index 0000000..db2ac2d +type cfengine_serverd_exec_t; +init_daemon_domain(cfengine_serverd_t, cfengine_serverd_exec_t) + -+permissive cfengine_serverd_t; -+ +type cfengine_initrc_exec_t; +init_script_file(cfengine_initrc_exec_t) + @@ -25701,14 +25920,10 @@ index 0000000..db2ac2d +type cfengine_execd_exec_t; +init_daemon_domain(cfengine_execd_t, cfengine_execd_exec_t) + -+permissive cfengine_execd_t; -+ +type cfengine_monitord_t; +type cfengine_monitord_exec_t; +init_daemon_domain(cfengine_monitord_t, cfengine_monitord_exec_t) + -+permissive cfengine_monitord_t; -+ +######################################## +# +# cfengine-server local policy @@ -25894,14 +26109,14 @@ index dad226c..7617c53 100644 miscfiles_read_localization(cgred_t) diff --git a/policy/modules/services/chronyd.fc b/policy/modules/services/chronyd.fc -index fd8cd0b..46678a2 100644 +index fd8cd0b..3d61138 100644 --- a/policy/modules/services/chronyd.fc +++ b/policy/modules/services/chronyd.fc 
@@ -2,8 +2,12 @@ /etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0) -+/lib/systemd/system/chonyd\.service -- gen_context(system_u:object_r:chronyd_unit_t,s0) ++/lib/systemd/system/chronyd.* -- gen_context(system_u:object_r:chronyd_unit_t,s0) + /usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0) @@ -25911,7 +26126,7 @@ index fd8cd0b..46678a2 100644 +/var/run/chronyd(/.*) gen_context(system_u:object_r:chronyd_var_run_t,s0) +/var/run/chronyd\.sock gen_context(system_u:object_r:chronyd_var_run_t,s0) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if -index 9a0da94..f599a70 100644 +index 9a0da94..6a9d3d8 100644 --- a/policy/modules/services/chronyd.if +++ b/policy/modules/services/chronyd.if @@ -19,6 +19,24 @@ interface(`chronyd_domtrans',` @@ -25939,7 +26154,7 @@ index 9a0da94..f599a70 100644 #################################### ## ## Execute chronyd -@@ -56,6 +74,103 @@ interface(`chronyd_read_log',` +@@ -56,6 +74,122 @@ interface(`chronyd_read_log',` read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t) ') @@ -26040,10 +26255,29 @@ index 9a0da94..f599a70 100644 + stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t) +') + ++######################################## ++## ++## Send to chronyd over a unix domain ++## datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`chronyd_dgram_send',` ++ gen_require(` ++ type chronyd_t; ++ ') ++ ++ allow $1 chronyd_t:unix_dgram_socket sendto; ++') ++ #################################### ## ## All of the rules required to administrate -@@ -75,9 +190,9 @@ interface(`chronyd_read_log',` +@@ -75,9 +209,9 @@ interface(`chronyd_read_log',` # interface(`chronyd_admin',` gen_require(` 
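Review bot: The corrected entry `/lib/systemd/system/chronyd.*` fixes the `chonyd` typo but also replaces the `\.service` suffix with `.*`, so every regular file in that directory whose name starts with `chronyd` is labelled chronyd_unit_t. If only chronyd's own unit files are meant, a tighter pattern such as `/lib/systemd/system/chronyd.*\.service` keeps the label off unrelated files. Separately, the context line `/var/run/chronyd(/.*)` shown in the next hunk has no trailing `?`, so it matches entries below the directory but not the directory itself; `/var/run/chronyd(/.*)?` is presumably what was intended.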
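Review bot: The new `chronyd_dgram_send` interface grants only `allow $1 chronyd_t:unix_dgram_socket sendto;`, which is not enough on its own if the datagram socket is bound to a path, because the caller then also needs search on the directory and write on the `sock_file`. The chronyd.fc section on this page labels `/var/run/chronyd\.sock` as chronyd_var_run_t, so the interface could use the support macro instead: `dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)`, with `chronyd_var_run_t` added to the `gen_require`. gpsd_t happens to work because it also calls `chronyd_stream_connect`, but a domain that calls this interface alone would presumably hit sock_file denials.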
@@ -26056,7 +26290,7 @@ index 9a0da94..f599a70 100644 ') allow $1 chronyd_t:process { ptrace signal_perms }; -@@ -88,18 +203,19 @@ interface(`chronyd_admin',` +@@ -88,18 +222,19 @@ interface(`chronyd_admin',` role_transition $2 chronyd_initrc_exec_t system_r; allow $2 system_r; @@ -27119,10 +27353,10 @@ index 0000000..ed13d1e + diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te new file mode 100644 -index 0000000..2dfd363 +index 0000000..207f706 --- /dev/null +++ b/policy/modules/services/collectd.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,57 @@ +policy_module(collectd, 1.0.0) + +######################################## @@ -27134,8 +27368,6 @@ index 0000000..2dfd363 +type collectd_exec_t; +init_daemon_domain(collectd_t, collectd_exec_t) + -+permissive collectd_t; -+ +type collectd_initrc_exec_t; +init_script_file(collectd_initrc_exec_t) + @@ -27178,7 +27410,6 @@ index 0000000..2dfd363 + +optional_policy(` + apache_content_template(collectd) -+ permissive httpd_collectd_script_t; + + miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t) +') @@ -28950,10 +29181,10 @@ index 0000000..1c3a90b + diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te new file mode 100644 -index 0000000..758f972 +index 0000000..e6042d9 --- /dev/null +++ b/policy/modules/services/ctdbd.te -@@ -0,0 +1,115 @@ +@@ -0,0 +1,113 @@ +policy_module(ctdbd, 1.0.0) + +######################################## @@ -28965,8 +29196,6 @@ index 0000000..758f972 +type ctdbd_exec_t; +init_daemon_domain(ctdbd_t, ctdbd_exec_t) + -+permissive ctdbd_t; -+ +type ctdbd_initrc_exec_t; +init_script_file(ctdbd_initrc_exec_t) + @@ -30591,7 +30820,7 @@ index f706b99..13d3a35 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..4506fa3 100644 +index f231f17..5a06fc7 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te 
@@ -26,6 +26,9 @@ files_pid_file(devicekit_var_run_t) @@ -30658,11 +30887,11 @@ index f231f17..4506fa3 100644 virt_manage_images(devicekit_disk_t) ') -+#optional_policy(` -+# unconfined_domain(devicekit_t) -+# unconfined_domain(devicekit_power_t) -+# unconfined_domain(devicekit_disk_t) -+#') ++optional_policy(` ++ unconfined_domain(devicekit_t) ++ unconfined_domain(devicekit_power_t) ++ unconfined_domain(devicekit_disk_t) ++') + ######################################## # @@ -32681,10 +32910,10 @@ index 0000000..d7a7118 +') diff --git a/policy/modules/services/dspam.te b/policy/modules/services/dspam.te new file mode 100644 -index 0000000..66e9629 +index 0000000..d409571 --- /dev/null +++ b/policy/modules/services/dspam.te -@@ -0,0 +1,97 @@ +@@ -0,0 +1,95 @@ + +policy_module(dspam, 1.0.0) + @@ -32697,8 +32926,6 @@ index 0000000..66e9629 +type dspam_exec_t; +init_daemon_domain(dspam_t, dspam_exec_t) + -+permissive dspam_t; -+ +type dspam_initrc_exec_t; +init_script_file(dspam_initrc_exec_t) + @@ -33099,10 +33326,10 @@ index f590a1f..338e5bf 100644 + admin_pattern($1, fail2ban_tmp_t) ') diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te -index 2a69e5e..7b33bda 100644 +index 2a69e5e..35a2c0b 100644 --- a/policy/modules/services/fail2ban.te +++ b/policy/modules/services/fail2ban.te -@@ -23,12 +23,22 @@ files_type(fail2ban_var_lib_t) +@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t) type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) @@ -33113,9 +33340,6 @@ index 2a69e5e..7b33bda 100644 +type fail2ban_client_exec_t; +init_daemon_domain(fail2ban_client_t, fail2ban_client_exec_t) + -+# new in F16 -+permissive fail2ban_client_t; -+ ######################################## # -# fail2ban local policy 
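Review bot: The devicekit.te hunk turns the commented-out block back into a live `optional_policy` that calls `unconfined_domain()` for devicekit_t, devicekit_power_t and devicekit_disk_t, so all three daemons lose confinement wherever the unconfined module is installed. None of the items in the commit description covers this, and the apm.te hunk in the same commit goes the other way by removing `unconfined_domain(apmd_t)` outright, so the change may be accidental. If it is intended, say so in the commit description and put a why-comment above the block, for example `# TODO: devicekit domains are unconfined only as a stop-gap; confine them`; otherwise keep the three calls commented out. The rgmanager.te section appears to have a similar effect, since dropping the patch hunk that commented out `unconfined_domain(rgmanager_t)` would leave the upstream call active; that is worth confirming.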
@@ -33127,7 +33351,7 @@ index 2a69e5e..7b33bda 100644 allow fail2ban_t self:process signal; allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms }; -@@ -36,7 +46,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; +@@ -36,7 +43,7 @@ allow fail2ban_t self:unix_dgram_socket create_socket_perms; allow fail2ban_t self:tcp_socket create_stream_socket_perms; # log files @@ -33136,7 +33360,7 @@ index 2a69e5e..7b33bda 100644 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) -@@ -50,6 +60,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +@@ -50,6 +57,11 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file }) @@ -33148,7 +33372,7 @@ index 2a69e5e..7b33bda 100644 kernel_read_system_state(fail2ban_t) corecmd_exec_bin(fail2ban_t) -@@ -66,6 +81,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) +@@ -66,6 +78,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t) dev_read_urand(fail2ban_t) domain_use_interactive_fds(fail2ban_t) @@ -33156,7 +33380,7 @@ index 2a69e5e..7b33bda 100644 files_read_etc_files(fail2ban_t) files_read_etc_runtime_files(fail2ban_t) -@@ -94,5 +110,34 @@ optional_policy(` +@@ -94,5 +107,34 @@ optional_policy(` ') optional_policy(` @@ -33301,10 +33525,10 @@ index 0000000..d827274 + diff --git a/policy/modules/services/fcoemon.te b/policy/modules/services/fcoemon.te new file mode 100644 -index 0000000..eb4be44 +index 0000000..1f39a80 --- /dev/null +++ b/policy/modules/services/fcoemon.te -@@ -0,0 +1,48 @@ +@@ -0,0 +1,46 @@ +policy_module(fcoemon, 1.0.0) + +######################################## 
@@ -33316,8 +33540,6 @@ index 0000000..eb4be44 +type fcoemon_exec_t; +init_daemon_domain(fcoemon_t, fcoemon_exec_t) + -+permissive fcoemon_t; -+ +type fcoemon_var_run_t; +files_pid_file(fcoemon_var_run_t) + @@ -34731,15 +34953,14 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..983ab3e 100644 +index 4fde46b..ab59945 100644 --- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -9,24 +9,32 @@ type gnomeclock_t; +@@ -9,24 +9,31 @@ type gnomeclock_t; type gnomeclock_exec_t; dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +systemd_systemctl_domain(gnomeclock) -+permissive gnomeclock_systemctl_t; + ######################################## # @@ -34770,7 +34991,7 @@ index 4fde46b..983ab3e 100644 miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,12 +43,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,12 +42,52 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -34885,7 +35106,7 @@ index a627b34..c4cfc6d 100644 optional_policy(` seutil_sigchld_newrole(gpm_t) diff --git a/policy/modules/services/gpsd.te b/policy/modules/services/gpsd.te -index 03742d8..6ba7c74 100644 +index 03742d8..d9232fe 100644 --- a/policy/modules/services/gpsd.te +++ b/policy/modules/services/gpsd.te @@ -24,8 +24,8 @@ files_pid_file(gpsd_var_run_t) 
@@ -34899,7 +35120,14 @@ index 03742d8..6ba7c74 100644 allow gpsd_t self:shm create_shm_perms; allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto }; allow gpsd_t self:tcp_socket create_stream_socket_perms; -@@ -43,9 +43,13 @@ corenet_all_recvfrom_netlabel(gpsd_t) +@@ -38,14 +38,21 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) + manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t) + files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file }) + ++kernel_list_proc(gpsd_t) ++ + corenet_all_recvfrom_unlabeled(gpsd_t) + corenet_all_recvfrom_netlabel(gpsd_t) corenet_tcp_sendrecv_generic_if(gpsd_t) corenet_tcp_sendrecv_generic_node(gpsd_t) corenet_tcp_sendrecv_all_ports(gpsd_t) @@ -34908,18 +35136,20 @@ index 03742d8..6ba7c74 100644 corenet_tcp_bind_gpsd_port(gpsd_t) +dev_read_sysfs(gpsd_t) ++dev_rw_realtime_clock(gpsd_t) + +domain_dontaudit_read_all_domains_state(gpsd_t) + term_use_unallocated_ttys(gpsd_t) term_setattr_unallocated_ttys(gpsd_t) -@@ -56,6 +60,11 @@ logging_send_syslog_msg(gpsd_t) +@@ -56,6 +63,12 @@ logging_send_syslog_msg(gpsd_t) miscfiles_read_localization(gpsd_t) optional_policy(` + chronyd_rw_shm(gpsd_t) + chronyd_stream_connect(gpsd_t) ++ chronyd_dgram_send(gpsd_t) +') + +optional_policy(` @@ -35377,10 +35607,15 @@ index 87b4531..db2d189 100644 + files_list_etc($1) ') diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te -index c234b32..32f1b6d 100644 +index c234b32..6c0a73d 100644 --- a/policy/modules/services/hddtemp.te +++ b/policy/modules/services/hddtemp.te -@@ -42,8 +42,12 @@ files_search_etc(hddtemp_t) +@@ -38,12 +38,16 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t) + corenet_sendrecv_hddtemp_server_packets(hddtemp_t) + corenet_tcp_sendrecv_hddtemp_port(hddtemp_t) + +-files_search_etc(hddtemp_t) ++files_read_etc_files(hddtemp_t) files_read_usr_files(hddtemp_t) storage_raw_read_fixed_disk(hddtemp_t) 
@@ -35954,10 +36189,10 @@ index 9878499..81fcd0f 100644 - admin_pattern($1, jabberd_var_run_t) ') diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te -index da2127e..6538d66 100644 +index da2127e..a666df2 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te -@@ -5,90 +5,152 @@ policy_module(jabber, 1.8.0) +@@ -5,90 +5,150 @@ policy_module(jabber, 1.8.0) # Declarations # @@ -35969,8 +36204,6 @@ index da2127e..6538d66 100644 +jabber_domain_template(jabberd) +jabber_domain_template(jabberd_router) +jabber_domain_template(pyicqt) -+ -+permissive pyicqt_t; type jabberd_initrc_exec_t; init_script_file(jabberd_initrc_exec_t) @@ -36043,15 +36276,15 @@ index da2127e..6538d66 100644 +corenet_tcp_connect_jabber_router_port(jabberd_router_t) +corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) +corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) ++ ++fs_getattr_all_fs(jabberd_router_t) -dev_read_sysfs(jabberd_t) -# For SSL -dev_read_rand(jabberd_t) -+fs_getattr_all_fs(jabberd_router_t) ++miscfiles_read_generic_certs(jabberd_router_t) -domain_use_interactive_fds(jabberd_t) -+miscfiles_read_generic_certs(jabberd_router_t) -+ +optional_policy(` + kerberos_use(jabberd_router_t) +') @@ -36091,8 +36324,8 @@ index da2127e..6538d66 100644 optional_policy(` - seutil_sigchld_newrole(jabberd_t) + udev_read_db(jabberd_t) -+') -+ + ') + +###################################### +# +# Local policy for pyicq-t @@ -36125,15 +36358,15 @@ index da2127e..6538d66 100644 +libs_use_shared_libs(pyicqt_t) + +# needed for pyicq-t-mysql -+optional_policy(` -+ corenet_tcp_connect_mysqld_port(pyicqt_t) - ') - optional_policy(` - udev_read_db(jabberd_t) -+ sysnet_use_ldap(pyicqt_t) ++ corenet_tcp_connect_mysqld_port(pyicqt_t) ') + ++optional_policy(` ++ sysnet_use_ldap(pyicqt_t) ++') ++ +####################################### +# +# Local policy for jabberd domains @@ -36944,10 +37177,10 @@ index 0000000..5783d58 + 
diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te new file mode 100644 -index 0000000..02359ec +index 0000000..4aac893 --- /dev/null +++ b/policy/modules/services/l2tpd.te -@@ -0,0 +1,58 @@ +@@ -0,0 +1,56 @@ +policy_module(l2tpd, 1.0.0) + +######################################## @@ -36959,8 +37192,6 @@ index 0000000..02359ec +type l2tpd_exec_t; +init_daemon_domain(l2tpd_t, l2tpd_exec_t) + -+permissive l2tpd_t; -+ +type l2tpd_initrc_exec_t; +init_script_file(l2tpd_initrc_exec_t) + @@ -37472,10 +37703,10 @@ index 0000000..9d1bac3 + diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te new file mode 100644 -index 0000000..b5ba929 +index 0000000..b7f4268 --- /dev/null +++ b/policy/modules/services/lldpad.te -@@ -0,0 +1,70 @@ +@@ -0,0 +1,72 @@ +policy_module(lldpad, 1.0.0) + +######################################## @@ -37487,8 +37718,6 @@ index 0000000..b5ba929 +type lldpad_exec_t; +init_daemon_domain(lldpad_t, lldpad_exec_t) + -+permissive lldpad_t; -+ +type lldpad_initrc_exec_t; +init_script_file(lldpad_initrc_exec_t) + @@ -37507,6 +37736,10 @@ index 0000000..b5ba929 +# + +allow lldpad_t self:capability { net_admin net_raw }; ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit lldpad_t self:capability sys_module; ++') + +allow lldpad_t self:shm create_shm_perms; +allow lldpad_t self:fifo_file rw_fifo_file_perms; @@ -37899,10 +38132,10 @@ index 0000000..39c12cb +') diff --git a/policy/modules/services/mailscanner.te b/policy/modules/services/mailscanner.te new file mode 100644 -index 0000000..b1cf109 +index 0000000..5b84980 --- /dev/null +++ b/policy/modules/services/mailscanner.te -@@ -0,0 +1,90 @@ +@@ -0,0 +1,87 @@ +policy_module(mailscanner, 1.0.0) + +######################################## 
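Review bot: The added `dontaudit lldpad_t self:capability sys_module;` silences every AVC record for a module-load capability request from lldpad_t, and its only justification is `# caused by some bogus kernel code`. The comment should name the kernel path or bug report that triggers the request, so the rule can be removed once that is fixed and so a responder knows these denials stay hidden unless dontaudit rules are disabled (`semodule -DB`). Something like `# <bug reference>: <kernel call path> requests a module load; remove when fixed` would do. The rule is at least limited to builds with `hide_broken_symptoms`.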
@@ -37926,9 +38159,6 @@ index 0000000..b1cf109 +type mscan_var_run_t; +files_pid_file(mscan_var_run_t) + -+# New in F16 -+permissive mscan_t; -+ +######################################## +# +# Local policy @@ -39629,7 +39859,7 @@ index 343cee3..f8c4fb6 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..cdcf4c7 100644 +index 64268e4..8d3091f 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,14 +20,16 @@ files_type(etc_aliases_t) @@ -39751,7 +39981,7 @@ index 64268e4..cdcf4c7 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +165,6 @@ optional_policy(` +@@ -158,22 +165,13 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -39770,7 +40000,14 @@ index 64268e4..cdcf4c7 100644 ') optional_policy(` -@@ -189,6 +184,10 @@ optional_policy(` + qmail_domtrans_inject(system_mail_t) ++ qmail_manage_spool_dirs(system_mail_t) ++ qmail_manage_spool_files(system_mail_t) ++ qmail_rw_spool_pipes(system_mail_t) + ') + + optional_policy(` +@@ -189,6 +187,10 @@ optional_policy(` ') optional_policy(` @@ -39781,7 +40018,7 @@ index 64268e4..cdcf4c7 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,15 +198,16 @@ optional_policy(` +@@ -199,15 +201,16 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -39802,7 +40039,7 @@ index 64268e4..cdcf4c7 100644 ######################################## # # Mailserver delivery local policy -@@ -220,7 +220,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +223,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) 
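Review bot: The three calls added next to `qmail_domtrans_inject(system_mail_t)` in mta.te (`qmail_manage_spool_dirs`, `qmail_manage_spool_files` and `qmail_rw_spool_pipes`) give system_mail_t create, write and delete access to everything labelled qmail_spool_t, and the commit description does not mention the change. Since the same block already transitions into the qmail inject domain, it is worth checking whether system_mail_t itself needs more than read/write on the queue pipes. If an AVC trace motivated the wider grant, a comment above the calls such as `# <bug reference>: system_mail_t writes the qmail queue directly` would record why.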
@@ -39812,7 +40049,7 @@ index 64268e4..cdcf4c7 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -242,6 +243,10 @@ optional_policy(` +@@ -242,6 +246,10 @@ optional_policy(` ') optional_policy(` @@ -39823,7 +40060,7 @@ index 64268e4..cdcf4c7 100644 # so MTA can access /var/lib/mailman/mail/wrapper files_search_var_lib(mailserver_delivery) -@@ -249,16 +254,25 @@ optional_policy(` +@@ -249,16 +257,25 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -39851,7 +40088,7 @@ index 64268e4..cdcf4c7 100644 # Create dead.letter in user home directories. userdom_manage_user_home_content_files(user_mail_t) userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file) -@@ -292,3 +306,44 @@ optional_policy(` +@@ -292,3 +309,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -42426,7 +42663,7 @@ index ceafba6..9eb6967 100644 + udev_read_db(pcscd_t) +') diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te -index 3185114..6f2f1d4 100644 +index 3185114..4abd429 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te @@ -16,7 +16,7 @@ type pegasus_tmp_t; @@ -42443,7 +42680,7 @@ index 3185114..6f2f1d4 100644 # -allow pegasus_t self:capability { chown sys_nice setuid setgid dac_override net_bind_service }; -+allow pegasus_t self:capability { chown ipc_lock sys_nice setuid setgid dac_override net_bind_service }; ++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_bind_service }; dontaudit pegasus_t self:capability sys_tty_config; allow pegasus_t self:process signal; allow pegasus_t self:fifo_file rw_fifo_file_perms; @@ -42823,10 +43060,10 @@ index 0000000..548d0a2 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..0ac1a0c +index 0000000..aaf3fa8 --- /dev/null 
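Review bot: Adding `kill` to `allow pegasus_t self:capability { ... }` lets the daemon bypass the kernel's UID check when signalling, yet the only process rule visible in this hunk is `allow pegasus_t self:process signal;`, so from here the reachable targets appear limited to other pegasus_t processes. A why-comment above the rule would record that scope, e.g. `# kill: signal pegasus_t processes running under other UIDs`, so the capability is not later paired with a broad cross-domain signal rule without review. The rest of the pegasus_t rules lie outside the hunk.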
+++ b/policy/modules/services/piranha.te -@@ -0,0 +1,299 @@ +@@ -0,0 +1,295 @@ +policy_module(piranha, 1.0.0) + +######################################## @@ -43086,10 +43323,6 @@ index 0000000..0ac1a0c + udev_read_db(piranha_pulse_t) +') + -+#optional_policy(` -+# unconfined_domain(piranha_pulse_t) -+#') -+ +#################################### +# +# piranha domains common policy @@ -44280,7 +44513,7 @@ index 46bee12..c22af86 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..511cb5f 100644 +index a32c4b3..4f41f4e 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -44623,10 +44856,14 @@ index a32c4b3..511cb5f 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -565,6 +641,10 @@ optional_policy(` +@@ -565,6 +641,14 @@ optional_policy(` ') optional_policy(` ++ dovecot_stream_connect(postfix_smtp_t) ++') ++ ++optional_policy(` + dspam_stream_connect(postfix_smtp_t) +') + @@ -44634,7 +44871,7 @@ index a32c4b3..511cb5f 100644 milter_stream_connect_all(postfix_smtp_t) ') -@@ -588,10 +668,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -44651,7 +44888,7 @@ index a32c4b3..511cb5f 100644 ') optional_policy(` -@@ -611,8 +697,8 @@ optional_policy(` +@@ -611,8 +701,8 @@ optional_policy(` # Postfix virtual local policy # @@ -44661,7 +44898,7 @@ index a32c4b3..511cb5f 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +716,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +720,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) 
@@ -45787,17 +46024,13 @@ index 2855a44..2898ff9 100644 + files_search_var_lib($1) +') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..313f77d 100644 +index 64c5f95..7041ad9 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te -@@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0) - # Declarations +@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) # -+# New in Fedora16 -+permissive puppetca_t; -+ -+## + ## +##

+## Allow Puppet client to manage all file +## types. @@ -45805,7 +46038,7 @@ index 64c5f95..313f77d 100644 +## +gen_tunable(puppet_manage_all_files, false) + - ## ++## ##

-## Allow Puppet client to manage all file -## types. @@ -45817,7 +46050,7 @@ index 64c5f95..313f77d 100644 type puppet_t; type puppet_exec_t; -@@ -35,6 +45,11 @@ files_type(puppet_var_lib_t) +@@ -35,6 +42,11 @@ files_type(puppet_var_lib_t) type puppet_var_run_t; files_pid_file(puppet_var_run_t) @@ -45829,7 +46062,7 @@ index 64c5f95..313f77d 100644 type puppetmaster_t; type puppetmaster_exec_t; init_daemon_domain(puppetmaster_t, puppetmaster_exec_t) -@@ -63,7 +78,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +@@ -63,7 +75,7 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) files_search_var_lib(puppet_t) @@ -45838,7 +46071,7 @@ index 64c5f95..313f77d 100644 manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t) files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir }) -@@ -132,7 +147,7 @@ sysnet_dns_name_resolve(puppet_t) +@@ -132,7 +144,7 @@ sysnet_dns_name_resolve(puppet_t) sysnet_run_ifconfig(puppet_t, system_r) tunable_policy(`puppet_manage_all_files',` @@ -45847,7 +46080,7 @@ index 64c5f95..313f77d 100644 ') optional_policy(` -@@ -162,7 +177,60 @@ optional_policy(` +@@ -162,7 +174,60 @@ optional_policy(` ######################################## # @@ -45909,7 +46142,7 @@ index 64c5f95..313f77d 100644 # allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config }; -@@ -171,29 +239,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; +@@ -171,29 +236,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms; allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms; allow puppetmaster_t self:socket create; allow puppetmaster_t self:tcp_socket create_stream_socket_perms; 
@@ -45948,7 +46181,7 @@ index 64c5f95..313f77d 100644 corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) -@@ -206,21 +280,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) +@@ -206,21 +277,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t) corenet_tcp_bind_puppet_port(puppetmaster_t) corenet_sendrecv_puppet_server_packets(puppetmaster_t) @@ -45998,7 +46231,7 @@ index 64c5f95..313f77d 100644 optional_policy(` hostname_exec(puppetmaster_t) ') -@@ -231,3 +330,9 @@ optional_policy(` +@@ -231,3 +327,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -46234,8 +46467,20 @@ index cd683f9..a272112 100644 kernel_read_kernel_sysctls(pyzord_t) kernel_read_system_state(pyzord_t) +diff --git a/policy/modules/services/qmail.fc b/policy/modules/services/qmail.fc +index 0055e54..f988f51 100644 +--- a/policy/modules/services/qmail.fc ++++ b/policy/modules/services/qmail.fc +@@ -17,6 +17,7 @@ + /var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) + + /var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) ++/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) + + /var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) + diff --git a/policy/modules/services/qmail.if b/policy/modules/services/qmail.if -index a55bf44..77a25f5 100644 +index a55bf44..27007ed 100644 --- a/policy/modules/services/qmail.if +++ b/policy/modules/services/qmail.if @@ -62,14 +62,13 @@ interface(`qmail_domtrans_inject',` @@ -46270,6 +46515,66 @@ index a55bf44..77a25f5 100644 ') ') +@@ -149,3 +147,59 @@ interface(`qmail_smtpd_service_domain',` + + domtrans_pattern(qmail_smtpd_t, $2, $1) + ') ++ ++######################################## ++##

++## Create, read, write, and delete qmail ++## spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qmail_manage_spool_dirs',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete qmail ++## spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qmail_manage_spool_files',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ manage_files_pattern($1, qmail_spool_t, qmail_spool_t) ++') ++ ++######################################## ++## ++## Read and write to qmail spool pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`qmail_rw_spool_pipes',` ++ gen_require(` ++ type qmail_spool_t; ++ ') ++ ++ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms; ++') diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te index 355b2a2..88e6f40 100644 --- a/policy/modules/services/qmail.te @@ -47282,7 +47587,7 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..d95e136 100644 +index 00fa514..e605105 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) @@ -47413,19 +47718,6 @@ index 00fa514..d95e136 100644 mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -193,9 +220,9 @@ optional_policy(` - virt_stream_connect(rgmanager_t) - ') - --optional_policy(` -- unconfined_domain(rgmanager_t) --') -+#optional_policy(` -+# unconfined_domain(rgmanager_t) -+#') - - optional_policy(` - xen_domtrans_xm(rgmanager_t) diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc index c2ba53b..853eeb5 100644 --- a/policy/modules/services/rhcs.fc 
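Review bot: In the new `qmail_rw_spool_pipes` interface in qmail.if the parameter description reads `Domain to not audit.`, but the body is an allow rule, `allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;`, not a dontaudit. It should match the other two interfaces added in this hunk: `## Domain allowed access.`. Anyone auditing callers from the generated interface documentation would otherwise read this as a rule that only silences denials, when it grants read and write on the spool FIFOs.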
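Review bot: Dropping the rgmanager.te hunk at `@@ -193,9 +220,9 @@` from policy-F16.patch puts `unconfined_domain(rgmanager_t)` back into effect, because the upstream `optional_policy` block is no longer commented out, and the commit message does not mention it. The same happens for virtd_t in virt.te, fsadm_t in fstools.te and clvmd_t in lvm.te, and xserver.te goes from `#unconfined_domain(xserver_t)` to `unconfined_domain(xserver_t)`. Where the unconfined module is installed, these calls presumably make the per-domain allow rules elsewhere in this patch moot, so the change deserves its own line in the commit description. If it is meant as a stop-gap, I would mark each call, e.g. `# FIXME: temporary, drop once the rgmanager_t policy is complete`.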
@@ -47965,10 +48257,10 @@ index 0000000..bf11e25 +') diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te new file mode 100644 -index 0000000..bc97a21 +index 0000000..23ba402 --- /dev/null +++ b/policy/modules/services/rhev.te -@@ -0,0 +1,84 @@ +@@ -0,0 +1,82 @@ +policy_module(rhev,1.0) + +######################################## @@ -47987,8 +48279,6 @@ index 0000000..bc97a21 +type rhev_agentd_tmp_t; +files_tmp_file(rhev_agentd_tmp_t) + -+permissive rhev_agentd_t; -+ +######################################## +# +# rhev_agentd_t local policy @@ -48408,10 +48698,10 @@ index 0000000..811c52e + diff --git a/policy/modules/services/rhsmcertd.te b/policy/modules/services/rhsmcertd.te new file mode 100644 -index 0000000..9f9c62f +index 0000000..4d1d0c7 --- /dev/null +++ b/policy/modules/services/rhsmcertd.te -@@ -0,0 +1,63 @@ +@@ -0,0 +1,61 @@ +policy_module(rhsmcertd, 1.0.0) + +######################################## @@ -48423,8 +48713,6 @@ index 0000000..9f9c62f +type rhsmcertd_exec_t; +init_daemon_domain(rhsmcertd_t, rhsmcertd_exec_t) + -+permissive rhsmcertd_t; -+ +type rhsmcertd_initrc_exec_t; +init_script_file(rhsmcertd_initrc_exec_t) + @@ -50364,10 +50652,10 @@ index 0000000..486d53d +') diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te new file mode 100644 -index 0000000..dae577a +index 0000000..46930eb --- /dev/null +++ b/policy/modules/services/sanlock.te -@@ -0,0 +1,65 @@ +@@ -0,0 +1,63 @@ +policy_module(sanlock,1.0.0) + +######################################## @@ -50379,8 +50667,6 @@ index 0000000..dae577a +type sanlock_exec_t; +init_daemon_domain(sanlock_t, sanlock_exec_t) + -+permissive sanlock_t; -+ +type sanlock_var_run_t; +files_pid_file(sanlock_var_run_t) + @@ -50605,10 +50891,10 @@ index 0000000..8aef188 + diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te new file mode 100644 -index 0000000..74080f1 +index 0000000..785c2f3 --- /dev/null 
+++ b/policy/modules/services/sblim.te -@@ -0,0 +1,106 @@ +@@ -0,0 +1,102 @@ +policy_module(sblim, 1.0.0) + +######################################## @@ -50622,14 +50908,10 @@ index 0000000..74080f1 +type sblim_gatherd_exec_t; +init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t) + -+permissive sblim_gatherd_t; -+ +type sblim_reposd_t, sblim_domain; +type sblim_reposd_exec_t; +init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t) + -+permissive sblim_gatherd_t; -+ +type sblim_var_run_t; +files_pid_file(sblim_var_run_t) + @@ -51622,10 +51904,10 @@ index c954f31..c7cadcb 100644 + admin_pattern($1, spamd_var_run_t) ') diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te -index ec1eb1e..4d649e1 100644 +index ec1eb1e..659d854 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te -@@ -6,56 +6,103 @@ policy_module(spamassassin, 2.4.0) +@@ -6,56 +6,101 @@ policy_module(spamassassin, 2.4.0) # ## @@ -51744,8 +52026,6 @@ index ec1eb1e..4d649e1 100644 +application_domain(spamd_update_t, spamd_update_exec_t) +cron_system_entry(spamd_update_t, spamd_update_exec_t) +role system_r types spamd_update_t; -+ -+permissive spamd_update_t; type spamd_t; type spamd_exec_t; @@ -51766,7 +52046,7 @@ index ec1eb1e..4d649e1 100644 type spamd_tmp_t; files_tmp_file(spamd_tmp_t) -@@ -108,6 +155,7 @@ kernel_read_kernel_sysctls(spamassassin_t) +@@ -108,6 +153,7 @@ kernel_read_kernel_sysctls(spamassassin_t) dev_read_urand(spamassassin_t) fs_search_auto_mountpoints(spamassassin_t) @@ -51774,7 +52054,7 @@ index ec1eb1e..4d649e1 100644 # this should probably be removed corecmd_list_bin(spamassassin_t) -@@ -148,6 +196,9 @@ tunable_policy(`spamassassin_can_network',` +@@ -148,6 +194,9 @@ tunable_policy(`spamassassin_can_network',` corenet_udp_sendrecv_all_ports(spamassassin_t) corenet_tcp_connect_all_ports(spamassassin_t) corenet_sendrecv_all_client_packets(spamassassin_t) 
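Review bot: Both declarations removed from sblim.te read `permissive sblim_gatherd_t;`, and the second one sat directly under the `sblim_reposd_t` type declaration, so it looks like a copy-paste slip that left sblim_reposd_t never permissive. Since this commit relocates the permissive declarations, this is the moment to decide which was meant: if the replacement module is to cover both daemons it needs `permissive sblim_reposd_t;` next to `permissive sblim_gatherd_t;`, and the repeated declaration should not be carried over. The replacement module is not visible in this part of the diff, so I cannot tell which way it went.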
@@ -51784,7 +52064,7 @@ index ec1eb1e..4d649e1 100644 sysnet_read_config(spamassassin_t) ') -@@ -184,6 +235,8 @@ optional_policy(` +@@ -184,6 +233,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -51793,7 +52073,7 @@ index ec1eb1e..4d649e1 100644 ') ######################################## -@@ -206,15 +259,32 @@ allow spamc_t self:unix_stream_socket connectto; +@@ -206,15 +257,32 @@ allow spamc_t self:unix_stream_socket connectto; allow spamc_t self:tcp_socket create_stream_socket_perms; allow spamc_t self:udp_socket create_socket_perms; @@ -51826,7 +52106,7 @@ index ec1eb1e..4d649e1 100644 corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -226,6 +296,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) +@@ -226,6 +294,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t) corenet_udp_sendrecv_all_ports(spamc_t) corenet_tcp_connect_all_ports(spamc_t) corenet_sendrecv_all_client_packets(spamc_t) @@ -51834,7 +52114,7 @@ index ec1eb1e..4d649e1 100644 fs_search_auto_mountpoints(spamc_t) -@@ -244,9 +315,14 @@ files_read_usr_files(spamc_t) +@@ -244,9 +313,14 @@ files_read_usr_files(spamc_t) files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) @@ -51849,7 +52129,7 @@ index ec1eb1e..4d649e1 100644 miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -254,27 +330,46 @@ seutil_read_config(spamc_t) +@@ -254,27 +328,46 @@ seutil_read_config(spamc_t) sysnet_read_config(spamc_t) @@ -51902,7 +52182,7 @@ index ec1eb1e..4d649e1 100644 ') ######################################## -@@ -286,7 +381,7 @@ optional_policy(` +@@ -286,7 +379,7 @@ optional_policy(` # setuids to the user running spamc. Comment this if you are not # using this ability. 
@@ -51911,7 +52191,7 @@ index ec1eb1e..4d649e1 100644 dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -302,10 +397,17 @@ allow spamd_t self:unix_dgram_socket sendto; +@@ -302,10 +395,17 @@ allow spamd_t self:unix_dgram_socket sendto; allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -51930,7 +52210,7 @@ index ec1eb1e..4d649e1 100644 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -314,11 +416,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) +@@ -314,11 +414,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -51948,7 +52228,7 @@ index ec1eb1e..4d649e1 100644 kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -367,22 +473,27 @@ files_read_var_lib_files(spamd_t) +@@ -367,22 +471,27 @@ files_read_var_lib_files(spamd_t) init_dontaudit_rw_utmp(spamd_t) @@ -51980,7 +52260,7 @@ index ec1eb1e..4d649e1 100644 fs_manage_cifs_files(spamd_t) ') -@@ -399,7 +510,9 @@ optional_policy(` +@@ -399,7 +508,9 @@ optional_policy(` ') optional_policy(` @@ -51990,7 +52270,7 @@ index ec1eb1e..4d649e1 100644 dcc_stream_connect_dccifd(spamd_t) ') -@@ -408,25 +521,17 @@ optional_policy(` +@@ -408,25 +519,17 @@ optional_policy(` ') optional_policy(` @@ -52018,7 +52298,7 @@ index ec1eb1e..4d649e1 100644 postgresql_stream_connect(spamd_t) ') -@@ -437,6 +542,10 @@ optional_policy(` +@@ -437,6 +540,10 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) @@ -52029,7 +52309,7 @@ index ec1eb1e..4d649e1 100644 ') optional_policy(` -@@ -451,3 +560,43 @@ optional_policy(` +@@ -451,3 +558,43 @@ optional_policy(` optional_policy(` udev_read_db(spamd_t) ') 
@@ -54057,10 +54337,10 @@ index 0000000..5a2fd4c +') diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te new file mode 100644 -index 0000000..7826086 +index 0000000..ac053f3 --- /dev/null +++ b/policy/modules/services/uuidd.te -@@ -0,0 +1,48 @@ +@@ -0,0 +1,46 @@ +policy_module(uuidd, 1.0.0) + +######################################## @@ -54072,8 +54352,6 @@ index 0000000..7826086 +type uuidd_exec_t; +init_daemon_domain(uuidd_t, uuidd_exec_t) + -+permissive uuidd_t; -+ +type uuidd_initrc_exec_t; +init_script_file(uuidd_initrc_exec_t) + @@ -54981,7 +55259,7 @@ index 7c5d8d8..d83a9a2 100644 + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; ') diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..e18ede2 100644 +index 3eca020..9c42952 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0) @@ -55118,7 +55396,7 @@ index 3eca020..e18ede2 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -99,20 +123,33 @@ ifdef(`enable_mls',` +@@ -99,20 +123,29 @@ ifdef(`enable_mls',` ######################################## # @@ -55132,10 +55410,6 @@ index 3eca020..e18ede2 100644 +type virt_lxc_var_run_t; +files_pid_file(virt_lxc_var_run_t) + -+permissive virt_lxc_t; -+ -+permissive virtd_t; -+ +######################################## +# # svirt local policy @@ -55156,7 +55430,7 @@ index 3eca020..e18ede2 100644 fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file) list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) -@@ -130,9 +167,13 @@ corenet_tcp_connect_all_ports(svirt_t) +@@ -130,9 +163,13 @@ corenet_tcp_connect_all_ports(svirt_t) dev_list_sysfs(svirt_t) 
@@ -55170,7 +55444,7 @@ index 3eca020..e18ede2 100644 tunable_policy(`virt_use_comm',` term_use_unallocated_ttys(svirt_t) -@@ -147,11 +188,15 @@ tunable_policy(`virt_use_fusefs',` +@@ -147,11 +184,15 @@ tunable_policy(`virt_use_fusefs',` tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -55186,7 +55460,7 @@ index 3eca020..e18ede2 100644 ') tunable_policy(`virt_use_sysfs',` -@@ -160,11 +205,22 @@ tunable_policy(`virt_use_sysfs',` +@@ -160,11 +201,22 @@ tunable_policy(`virt_use_sysfs',` tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) @@ -55209,7 +55483,7 @@ index 3eca020..e18ede2 100644 xen_rw_image_files(svirt_t) ') -@@ -174,21 +230,35 @@ optional_policy(` +@@ -174,21 +226,35 @@ optional_policy(` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; @@ -55250,7 +55524,7 @@ index 3eca020..e18ede2 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -200,8 +270,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) +@@ -200,8 +266,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) @@ -55268,7 +55542,7 @@ index 3eca020..e18ede2 100644 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -217,9 +294,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -217,9 +290,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) 
@@ -55284,7 +55558,7 @@ index 3eca020..e18ede2 100644 kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) -@@ -239,22 +322,31 @@ corenet_tcp_connect_soundd_port(virtd_t) +@@ -239,22 +318,31 @@ corenet_tcp_connect_soundd_port(virtd_t) corenet_rw_tun_tap_dev(virtd_t) dev_rw_sysfs(virtd_t) @@ -55317,7 +55591,7 @@ index 3eca020..e18ede2 100644 fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -262,6 +354,18 @@ fs_rw_anon_inodefs_files(virtd_t) +@@ -262,6 +350,18 @@ fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) @@ -55336,14 +55610,14 @@ index 3eca020..e18ede2 100644 mcs_process_set_categories(virtd_t) -@@ -285,16 +389,29 @@ modutils_read_module_config(virtd_t) +@@ -285,16 +385,29 @@ modutils_read_module_config(virtd_t) modutils_manage_module_config(virtd_t) logging_send_syslog_msg(virtd_t) +logging_send_audit_msgs(virtd_t) - -+selinux_validate_context(virtd_t) + ++selinux_validate_context(virtd_t) + +seutil_read_config(virtd_t) seutil_read_default_contexts(virtd_t) +seutil_read_file_contexts(virtd_t) @@ -55366,7 +55640,7 @@ index 3eca020..e18ede2 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -313,6 +430,10 @@ optional_policy(` +@@ -313,6 +426,10 @@ optional_policy(` ') optional_policy(` @@ -55377,7 +55651,7 @@ index 3eca020..e18ede2 100644 dbus_system_bus_client(virtd_t) optional_policy(` -@@ -329,11 +450,17 @@ optional_policy(` +@@ -329,11 +446,17 @@ optional_policy(` ') optional_policy(` @@ -55395,7 +55669,7 @@ index 3eca020..e18ede2 100644 ') optional_policy(` -@@ -365,6 +492,12 @@ optional_policy(` +@@ -365,6 +488,12 @@ optional_policy(` qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) 
@@ -55408,19 +55682,7 @@ index 3eca020..e18ede2 100644 ') optional_policy(` -@@ -385,29 +518,45 @@ optional_policy(` - udev_read_db(virtd_t) - ') - --optional_policy(` -- unconfined_domain(virtd_t) --') -+#optional_policy(` -+# unconfined_domain(virtd_t) -+#') - - ######################################## - # +@@ -394,20 +523,36 @@ optional_policy(` # virtual domains common policy # @@ -55459,7 +55721,7 @@ index 3eca020..e18ede2 100644 corecmd_exec_bin(virt_domain) corecmd_exec_shell(virt_domain) -@@ -418,10 +567,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) +@@ -418,10 +563,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain) corenet_tcp_sendrecv_all_ports(virt_domain) corenet_tcp_bind_generic_node(virt_domain) corenet_tcp_bind_vnc_port(virt_domain) @@ -55472,7 +55734,7 @@ index 3eca020..e18ede2 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +579,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +575,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -55485,7 +55747,7 @@ index 3eca020..e18ede2 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,14 +592,20 @@ files_search_all(virt_domain) +@@ -440,14 +588,20 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -55493,12 +55755,12 @@ index 3eca020..e18ede2 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) 
@@ -55509,7 +55771,7 @@ index 3eca020..e18ede2 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +615,176 @@ optional_policy(` +@@ -457,8 +611,176 @@ optional_policy(` ') optional_policy(` @@ -55893,10 +56155,10 @@ index 0000000..a554011 +') diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te new file mode 100644 -index 0000000..b9d6149 +index 0000000..307c99e --- /dev/null +++ b/policy/modules/services/wdmd.te -@@ -0,0 +1,53 @@ +@@ -0,0 +1,51 @@ +policy_module(wdmd,1.0.0) + +######################################## @@ -55908,8 +56170,6 @@ index 0000000..b9d6149 +type wdmd_exec_t; +init_daemon_domain(wdmd_t, wdmd_exec_t) + -+permissive wdmd_t; -+ +type wdmd_var_run_t; +files_pid_file(wdmd_var_run_t) + @@ -57291,7 +57551,7 @@ index 130ced9..b6fb17a 100644 + userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig") +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 143c893..798589f 100644 +index 143c893..00b270e 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -57459,7 +57719,7 @@ index 143c893..798589f 100644 # type for /var/lib/xkb type xkb_var_lib_t; files_type(xkb_var_lib_t) -@@ -196,15 +247,11 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; +@@ -196,15 +247,9 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t }; init_system_domain(xserver_t, xserver_exec_t) ubac_constrained(xserver_t) 
@@ -57468,8 +57728,7 @@ index 143c893..798589f 100644 -typealias xserver_tmp_t alias { auditadm_xserver_tmp_t secadm_xserver_tmp_t xdm_xserver_tmp_t }; -files_tmp_file(xserver_tmp_t) -ubac_constrained(xserver_tmp_t) -+permissive xserver_t; - +- type xserver_tmpfs_t; -typealias xserver_tmpfs_t alias { user_xserver_tmpfs_t staff_xserver_tmpfs_t sysadm_xserver_tmpfs_t }; -typealias xserver_tmpfs_t alias { auditadm_xserver_tmpfs_t secadm_xserver_tmpfs_t xdm_xserver_tmpfs_t }; @@ -57478,7 +57737,7 @@ index 143c893..798589f 100644 files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -234,10 +281,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) +@@ -234,10 +279,17 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file) allow xdm_t iceauth_home_t:file read_file_perms; @@ -57497,7 +57756,7 @@ index 143c893..798589f 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -247,52 +301,113 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,52 +299,113 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') @@ -57617,7 +57876,7 @@ index 143c893..798589f 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -304,20 +419,36 @@ optional_policy(` +@@ -304,20 +417,36 @@ optional_policy(` # XDM Local policy # @@ -57658,7 +57917,7 @@ index 143c893..798589f 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,43 +456,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -325,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) 
@@ -57727,7 +57986,7 @@ index 143c893..798589f 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -370,18 +520,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -370,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -57755,7 +58014,7 @@ index 143c893..798589f 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -393,38 +551,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -393,38 +549,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -57809,7 +58068,7 @@ index 143c893..798589f 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -435,9 +604,23 @@ files_list_mnt(xdm_t) +@@ -435,9 +602,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -57833,7 +58092,7 @@ index 143c893..798589f 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -446,28 +629,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -446,28 +627,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -57873,7 +58132,7 @@ index 143c893..798589f 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -476,9 +668,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -476,9 +666,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -57904,7 +58163,7 @@ index 143c893..798589f 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -494,6 +707,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -494,6 +705,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -57919,7 +58178,7 @@ index 143c893..798589f 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -507,11 +728,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -507,11 +726,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -57941,7 +58200,7 @@ index 143c893..798589f 100644 ') optional_policy(` -@@ -519,12 +750,62 @@ optional_policy(` +@@ -519,12 +748,62 @@ optional_policy(` ') optional_policy(` @@ -58004,7 +58263,7 @@ index 143c893..798589f 100644 hostname_exec(xdm_t) ') -@@ -542,28 +823,69 @@ optional_policy(` +@@ -542,28 +821,69 @@ optional_policy(` ') optional_policy(` @@ -58083,7 +58342,7 @@ index 143c893..798589f 100644 ') optional_policy(` -@@ -575,6 +897,14 @@ optional_policy(` +@@ -575,6 +895,14 @@ optional_policy(` ') optional_policy(` @@ -58098,7 +58357,7 @@ index 143c893..798589f 100644 xfs_stream_connect(xdm_t) ') -@@ -599,7 +929,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -599,7 +927,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -58107,7 +58366,7 @@ index 143c893..798589f 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -613,8 +943,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -613,8 +941,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; 
@@ -58123,7 +58382,7 @@ index 143c893..798589f 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -633,12 +970,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -633,12 +968,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -58145,7 +58404,7 @@ index 143c893..798589f 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -646,6 +990,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -646,6 +988,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -58153,7 +58412,7 @@ index 143c893..798589f 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -672,7 +1017,6 @@ dev_rw_apm_bios(xserver_t) +@@ -672,7 +1015,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -58161,7 +58420,7 @@ index 143c893..798589f 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -682,11 +1026,17 @@ dev_wx_raw_memory(xserver_t) +@@ -682,11 +1024,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -58179,7 +58438,7 @@ index 143c893..798589f 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -697,8 +1047,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -697,8 +1045,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) 
@@ -58193,7 +58452,7 @@ index 143c893..798589f 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -711,8 +1066,6 @@ init_getpgid(xserver_t) +@@ -711,8 +1064,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -58202,7 +58461,7 @@ index 143c893..798589f 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -720,11 +1073,12 @@ logging_send_audit_msgs(xserver_t) +@@ -720,11 +1071,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -58217,7 +58476,7 @@ index 143c893..798589f 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -778,16 +1132,40 @@ optional_policy(` +@@ -778,16 +1130,40 @@ optional_policy(` ') optional_policy(` @@ -58255,11 +58514,11 @@ index 143c893..798589f 100644 optional_policy(` - unconfined_domain_noaudit(xserver_t) -+ #unconfined_domain(xserver_t) ++ unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') -@@ -796,6 +1174,10 @@ optional_policy(` +@@ -796,6 +1172,10 @@ optional_policy(` ') optional_policy(` @@ -58270,7 +58529,7 @@ index 143c893..798589f 100644 xfs_stream_connect(xserver_t) ') -@@ -811,10 +1193,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -811,10 +1191,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -58284,7 +58543,7 @@ index 143c893..798589f 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -822,7 +1204,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -822,7 +1202,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. 
@@ -58293,7 +58552,7 @@ index 143c893..798589f 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -835,6 +1217,9 @@ init_use_fds(xserver_t) +@@ -835,6 +1215,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -58303,7 +58562,7 @@ index 143c893..798589f 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -842,6 +1227,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -842,6 +1225,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -58315,7 +58574,7 @@ index 143c893..798589f 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -850,11 +1240,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -850,11 +1238,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -58332,7 +58591,7 @@ index 143c893..798589f 100644 ') optional_policy(` -@@ -862,6 +1255,10 @@ optional_policy(` +@@ -862,6 +1253,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -58343,7 +58602,7 @@ index 143c893..798589f 100644 ######################################## # # Rules common to all X window domains -@@ -905,7 +1302,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -905,7 +1300,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -58352,7 +58611,7 @@ index 143c893..798589f 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -959,11 +1356,31 @@ allow x_domain self:x_resource { read write }; +@@ -959,11 +1354,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -58384,7 +58643,7 @@ index 143c893..798589f 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -985,18 +1402,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -985,18 +1400,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -58582,7 +58841,7 @@ index 21ae664..3e448dd 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te -index 9fb4747..a59cfc2 100644 +index 9fb4747..afe5e5f 100644 --- a/policy/modules/services/zarafa.te +++ b/policy/modules/services/zarafa.te @@ -18,6 +18,10 @@ files_config_file(zarafa_etc_t) @@ -58596,15 +58855,15 @@ index 9fb4747..a59cfc2 100644 zarafa_domain_template(monitor) zarafa_domain_template(server) -@@ -32,6 +36,8 @@ zarafa_domain_template(spooler) - type zarafa_var_lib_t; - files_tmp_file(zarafa_var_lib_t) +@@ -41,6 +45,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t + manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) + files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) -+permissive zarafa_indexer_t; ++dev_read_rand(zarafa_deliver_t) + ######################################## # - # zarafa-deliver local policy + # zarafa_gateway local policy 
@@ -57,6 +63,20 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) corenet_tcp_bind_pop_port(zarafa_gateway_t) @@ -59576,7 +59835,7 @@ index a97a096..ab1e16a 100644 /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index c28da1c..bf8ea27 100644 +index c28da1c..38390f5 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -44,6 +44,8 @@ can_exec(fsadm_t, fsadm_exec_t) @@ -59620,26 +59879,15 @@ index c28da1c..bf8ea27 100644 init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) -@@ -147,13 +156,13 @@ miscfiles_read_localization(fsadm_t) +@@ -147,7 +156,7 @@ miscfiles_read_localization(fsadm_t) seutil_read_config(fsadm_t) -userdom_use_user_terminals(fsadm_t) +term_use_all_inherited_terms(fsadm_t) --ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_domain(fsadm_t) -- ') --') -+#ifdef(`distro_redhat',` -+# optional_policy(` -+# unconfined_domain(fsadm_t) -+# ') -+#') - - optional_policy(` - amanda_rw_dumpdates_files(fsadm_t) + ifdef(`distro_redhat',` + optional_policy(` @@ -166,6 +175,11 @@ optional_policy(` ') @@ -62615,7 +62863,7 @@ index 808ba93..ed84884 100644 ######################################## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index e5836d3..b32b945 100644 +index e5836d3..c76046b 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; 
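Review bot: The fstools.te hunk no longer comments out `unconfined_domain(fsadm_t)` in the distro_redhat block, so a policy built from this patch leaves fsadm_t unconfined again wherever the unconfined module is installed. Neither the commit description nor the new %changelog entry says so. The same un-commenting appears further down for clvmd_t and lvm_t (lvm.te), depmod_t and insmod_t (modutils.te), mdadm_t (raid.te), udev_t (udev.te) and setfiles_mac_t (selinuxutil.te), while the libraries.te hunk instead deletes the ldconfig_t call outright. If this is intended, presumably alongside the new permissivedomains module whose contents are not visible here, record it with a changelog line such as `- Re-enable unconfined_domain() for fsadm_t, clvmd_t, lvm_t, depmod_t, insmod_t, mdadm_t, udev_t, setfiles_mac_t`. If it is not intended, keep the calls disabled so these storage, module-loading and relabeling domains stay confined.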
@@ -62669,17 +62917,13 @@ index e5836d3..b32b945 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +153,7 @@ optional_policy(` +@@ -141,6 +153,3 @@ optional_policy(` rpm_manage_script_tmp_files(ldconfig_t) ') -optional_policy(` - unconfined_domain(ldconfig_t) -') -+#optional_policy(` -+# unconfined_domain(ldconfig_t) -+#') -+ diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index a0b379d..2a55eab 100644 --- a/policy/modules/system/locallogin.te @@ -63372,7 +63616,7 @@ index 58bc27f..51e9872 100644 + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index a0a0ebf..4513ab9 100644 +index a0a0ebf..e55e967 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -63405,26 +63649,18 @@ index a0a0ebf..4513ab9 100644 manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) -@@ -134,10 +141,15 @@ userdom_dontaudit_search_user_home_dirs(clvmd_t) - lvm_domtrans(clvmd_t) - lvm_read_config(clvmd_t) +@@ -141,6 +148,11 @@ ifdef(`distro_redhat',` + ') --ifdef(`distro_redhat',` -- optional_policy(` -- unconfined_domain(clvmd_t) -- ') -+#ifdef(`distro_redhat',` -+# optional_policy(` -+# unconfined_domain(clvmd_t) -+# ') -+#') -+ -+optional_policy(` + optional_policy(` + aisexec_stream_connect(clvmd_t) + corosync_stream_connect(clvmd_t) ++') ++ ++optional_policy(` + ccs_stream_connect(clvmd_t) ') - optional_policy(` @@ -167,9 +179,10 @@ optional_policy(` # net_admin for multipath allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin }; 
@@ -63530,7 +63766,7 @@ index a0a0ebf..4513ab9 100644 miscfiles_read_localization(lvm_t) seutil_read_config(lvm_t) -@@ -299,15 +324,23 @@ seutil_read_file_contexts(lvm_t) +@@ -299,7 +324,10 @@ seutil_read_file_contexts(lvm_t) seutil_search_default_contexts(lvm_t) seutil_sigchld_newrole(lvm_t) @@ -63541,22 +63777,18 @@ index a0a0ebf..4513ab9 100644 ifdef(`distro_redhat',` # this is from the initrd: - files_rw_isid_type_dirs(lvm_t) +@@ -311,6 +339,11 @@ ifdef(`distro_redhat',` + ') -- optional_policy(` -- unconfined_domain(lvm_t) -- ') -+ #optional_policy(` -+ # unconfined_domain(lvm_t) -+ #') + optional_policy(` ++ aisexec_stream_connect(lvm_t) ++ corosync_stream_connect(lvm_t) +') + +optional_policy(` -+ aisexec_stream_connect(lvm_t) -+ corosync_stream_connect(lvm_t) + bootloader_rw_tmp_files(lvm_t) ') - optional_policy(` @@ -331,14 +364,26 @@ optional_policy(` ') @@ -63705,7 +63937,7 @@ index 9c0faab..dd6530e 100644 ## loading modules. ##
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index a0eef20..8b724a5 100644 +index a0eef20..d5408ff 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,11 +18,12 @@ type insmod_t; @@ -63761,21 +63993,15 @@ index a0eef20..8b724a5 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -94,21 +102,22 @@ optional_policy(` - rpm_manage_script_tmp_files(depmod_t) +@@ -95,7 +103,6 @@ optional_policy(` ') --optional_policy(` + optional_policy(` - # Read System.map from home directories. -- unconfined_domain(depmod_t) --') -+#optional_policy(` -+# # Read System.map from home directories. -+# unconfined_domain(depmod_t) -+#') + unconfined_domain(depmod_t) + ') - ######################################## - # +@@ -104,11 +111,12 @@ optional_policy(` # insmod local policy # @@ -63789,7 +64015,7 @@ index a0eef20..8b724a5 100644 # Read module config and dependency information list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t) -@@ -118,6 +127,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) +@@ -118,6 +126,9 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t) can_exec(insmod_t, insmod_exec_t) @@ -63799,7 +64025,7 @@ index a0eef20..8b724a5 100644 kernel_load_module(insmod_t) kernel_request_load_module(insmod_t) kernel_read_system_state(insmod_t) -@@ -126,6 +138,7 @@ kernel_write_proc_files(insmod_t) +@@ -126,6 +137,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -63807,7 +64033,7 @@ index a0eef20..8b724a5 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -143,6 +156,7 @@ dev_rw_agp(insmod_t) +@@ -143,6 +155,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) 
@@ -63815,7 +64041,7 @@ index a0eef20..8b724a5 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -161,11 +175,18 @@ files_write_kernel_modules(insmod_t) +@@ -161,11 +174,18 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -63834,7 +64060,7 @@ index a0eef20..8b724a5 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -174,8 +195,7 @@ miscfiles_read_localization(insmod_t) +@@ -174,8 +194,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -63844,7 +64070,7 @@ index a0eef20..8b724a5 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -187,28 +207,27 @@ optional_policy(` +@@ -187,28 +206,27 @@ optional_policy(` ') optional_policy(` @@ -63879,13 +64105,7 @@ index a0eef20..8b724a5 100644 ') optional_policy(` -@@ -231,11 +250,15 @@ optional_policy(` - ') - - optional_policy(` -- unconfined_domain(insmod_t) -+ #unconfined_domain(insmod_t) - unconfined_dontaudit_rw_pipes(insmod_t) +@@ -236,6 +254,10 @@ optional_policy(` ') optional_policy(` @@ -63896,7 +64116,7 @@ index a0eef20..8b724a5 100644 # cjp: why is this needed: dev_rw_xserver_misc(insmod_t) -@@ -296,7 +319,7 @@ logging_send_syslog_msg(update_modules_t) +@@ -296,7 +318,7 @@ logging_send_syslog_msg(update_modules_t) miscfiles_read_localization(update_modules_t) @@ -64651,7 +64871,7 @@ index b1a85b5..db0d815 100644 ##
## diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index a19ecea..4e2ef36 100644 +index a19ecea..dbcca4d 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -10,11 +10,9 @@ type mdadm_exec_t; @@ -64713,16 +64933,6 @@ index a19ecea..4e2ef36 100644 term_dontaudit_list_ptys(mdadm_t) -@@ -95,6 +97,6 @@ optional_policy(` - udev_read_db(mdadm_t) - ') - --optional_policy(` -- unconfined_domain(mdadm_t) --') -+#optional_policy(` -+# unconfined_domain(mdadm_t) -+#') diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc index 2cc4bda..167c358 100644 --- a/policy/modules/system/selinuxutil.fc @@ -65190,7 +65400,7 @@ index 170e2c7..b85fc73 100644 + ') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..3e78f42 100644 +index 7ed9819..4e8cb38 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -65500,11 +65710,11 @@ index 7ed9819..3e78f42 100644 - -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) -- --locallogin_use_fds(semanage_t) +# Admins are creating pp files in random locations +files_read_non_security_files(semanage_t) +-locallogin_use_fds(semanage_t) +- -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) 
@@ -65594,25 +65804,25 @@ index 7ed9819..3e78f42 100644 -selinux_compute_create_context(setfiles_t) -selinux_compute_relabel_context(setfiles_t) -selinux_compute_user_contexts(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -term_use_all_ttys(setfiles_t) -term_use_all_ptys(setfiles_t) -term_use_unallocated_ttys(setfiles_t) -- --# this is to satisfy the assertion: --auth_relabelto_shadow(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - --init_use_fds(setfiles_t) --init_use_script_fds(setfiles_t) --init_use_script_ptys(setfiles_t) --init_exec_script_files(setfiles_t) +# Bug in semanage +seutil_domtrans_setfiles(setsebool_t) +seutil_manage_file_contexts(setsebool_t) +seutil_manage_default_contexts(setsebool_t) +seutil_manage_config(setsebool_t) +-# this is to satisfy the assertion: +-auth_relabelto_shadow(setfiles_t) +- +-init_use_fds(setfiles_t) +-init_use_script_fds(setfiles_t) +-init_use_script_ptys(setfiles_t) +-init_exec_script_files(setfiles_t) +- -logging_send_syslog_msg(setfiles_t) +######################################## +# @@ -65679,12 +65889,10 @@ index 7ed9819..3e78f42 100644 ') ') --optional_policy(` + optional_policy(` - hotplug_use_fds(setfiles_t) --') -+#optional_policy(` -+# unconfined_domain(setfiles_mac_t) -+#') ++ unconfined_domain(setfiles_mac_t) + ') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 1447687..cdc0223 100644 --- a/policy/modules/system/setrans.te @@ -66634,10 +66842,10 @@ index 0000000..fc27830 + diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f4df137 +index 0000000..d1bcd34 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,350 @@ +@@ -0,0 +1,346 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -66649,15 +66857,10 @@ index 0000000..f4df137 +attribute systemd_domain; +attribute systemctl_domain; + -+# New in f16 -+permissive systemd_logger_t; -+ +type systemd_logger_t; +type systemd_logger_exec_t; +init_systemd_domain(systemd_logger_t, systemd_logger_exec_t) + -+permissive systemd_logind_t; -+ +type systemd_logind_t; +type systemd_logind_exec_t; +init_systemd_domain(systemd_logind_t, systemd_logind_exec_t) @@ -66725,9 +66928,10 @@ index 0000000..f4df137 +dev_getattr_all_chr_files(systemd_logind_t) +dev_getattr_all_blk_files(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) ++dev_setattr_kvm_dev(systemd_logind_t) +dev_setattr_sound_dev(systemd_logind_t) ++dev_setattr_generic_usb_dev(systemd_logind_t) +dev_setattr_video_dev(systemd_logind_t) -+dev_setattr_kvm_dev(systemd_logind_t) + +# /etc/udev/udev.conf should probably have a private type if only for confined administration +# /etc/nsswitch.conf @@ -67210,15 +67414,10 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..91fae52 100644 +index d88f7c3..2627fa4 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te -@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t) - domain_interactive_fd(udev_t) - init_daemon_domain(udev_t, udev_exec_t) - -+permissive udev_t; -+ +@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) @@ -67234,7 +67433,7 @@ index d88f7c3..91fae52 100644 ifdef(`enable_mcs',` kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh) -@@ -38,6 +38,12 @@ ifdef(`enable_mcs',` +@@ -38,6 +36,12 @@ ifdef(`enable_mcs',` allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace }; dontaudit udev_t self:capability sys_tty_config; 
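Review bot: Removing `permissive systemd_logger_t;` and `permissive systemd_logind_t;` from systemd.te makes both domains enforcing unless the new permissivedomains module declares them, and that module's contents are not in the visible hunks, so the move cannot be confirmed from here. The same applies to `permissive udev_t;` dropped in the udev.te hunk and `permissive zarafa_indexer_t;` dropped in the zarafa.te hunk. The types stay declared in their own modules, so permissivedomains.te would need a `gen_require` for each type before its `permissive` statement. Please check that every removed statement has a counterpart there, so these domains are not switched to enforcing by omission. It would also help to keep the `# New in f16` comment next to the moved entries so it stays clear why each domain is permissive and when it can be tightened.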
@@ -67247,7 +67446,7 @@ index d88f7c3..91fae52 100644 allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; -@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto; +@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto; allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; allow udev_t self:rawip_socket create_socket_perms; @@ -67255,7 +67454,7 @@ index d88f7c3..91fae52 100644 allow udev_t udev_exec_t:file write; can_exec(udev_t, udev_exec_t) -@@ -62,17 +69,16 @@ can_exec(udev_t, udev_helper_exec_t) +@@ -62,17 +67,16 @@ can_exec(udev_t, udev_helper_exec_t) # read udev config allow udev_t udev_etc_t:file read_file_perms; @@ -67278,7 +67477,7 @@ index d88f7c3..91fae52 100644 kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -87,6 +93,7 @@ kernel_rw_unix_dgram_sockets(udev_t) +@@ -87,6 +91,7 @@ kernel_rw_unix_dgram_sockets(udev_t) kernel_dgram_send(udev_t) kernel_signal(udev_t) kernel_search_debugfs(udev_t) @@ -67286,7 +67485,7 @@ index d88f7c3..91fae52 100644 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182 kernel_rw_net_sysctls(udev_t) -@@ -97,6 +104,7 @@ corecmd_exec_all_executables(udev_t) +@@ -97,6 +102,7 @@ corecmd_exec_all_executables(udev_t) dev_rw_sysfs(udev_t) dev_manage_all_dev_nodes(udev_t) @@ -67294,7 +67493,7 @@ index d88f7c3..91fae52 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +113,29 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,21 +111,29 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) 
@@ -67325,7 +67524,7 @@ index d88f7c3..91fae52 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +159,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -67333,7 +67532,7 @@ index d88f7c3..91fae52 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -169,6 +186,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -67342,7 +67541,7 @@ index d88f7c3..91fae52 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,15 +205,16 @@ ifdef(`distro_redhat',` +@@ -186,8 +203,9 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -67353,17 +67552,7 @@ index d88f7c3..91fae52 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) - -- optional_policy(` -- unconfined_domain(udev_t) -- ') -+ #optional_policy(` -+ # unconfined_domain(udev_t) -+ #') - ') - - optional_policy(` -@@ -216,11 +236,16 @@ optional_policy(` +@@ -216,11 +234,16 @@ optional_policy(` ') optional_policy(` @@ -67381,7 +67570,7 @@ index d88f7c3..91fae52 100644 ') optional_policy(` -@@ -230,10 +255,20 @@ optional_policy(` +@@ -230,10 +253,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -67402,7 +67591,7 @@ index d88f7c3..91fae52 100644 ') optional_policy(` -@@ -259,6 +294,10 @@ optional_policy(` +@@ -259,6 +292,10 @@ optional_policy(` ') optional_policy(` @@ -67413,7 +67602,7 @@ index d88f7c3..91fae52 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +312,11 @@ optional_policy(` +@@ -273,6 +310,11 @@ optional_policy(` ') optional_policy(` @@ -68200,7 +68389,7 @@ index db75976..cca4cd1 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) 
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 4b2878a..07569a4 100644 +index 4b2878a..022f6e7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -69342,7 +69531,7 @@ index 4b2878a..07569a4 100644 files_read_kernel_symbol_table($1_t) ifndef(`enable_mls',` -@@ -978,23 +1238,71 @@ template(`userdom_unpriv_user_template', ` +@@ -978,23 +1238,72 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -69420,10 +69609,11 @@ index 4b2878a..07569a4 100644 - netutils_run_ping_cond($1_t, $1_r) - netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) ++ postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1003,7 +1311,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1003,7 +1312,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -69434,7 +69624,7 @@ index 4b2878a..07569a4 100644 ') ') -@@ -1039,7 +1349,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1039,7 +1350,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -69443,7 +69633,7 @@ index 4b2878a..07569a4 100644 ') ############################## -@@ -1066,6 +1376,7 @@ template(`userdom_admin_user_template',` +@@ -1066,6 +1377,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -69451,7 +69641,7 @@ index 4b2878a..07569a4 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1074,6 +1385,9 @@ template(`userdom_admin_user_template',` +@@ -1074,6 +1386,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -69461,7 +69651,7 @@ index 4b2878a..07569a4 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1088,6 +1402,7 @@ template(`userdom_admin_user_template',` +@@ -1088,6 +1403,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -69469,7 +69659,7 @@ index 4b2878a..07569a4 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1105,10 +1420,13 @@ template(`userdom_admin_user_template',` +@@ -1105,10 +1421,13 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -69483,7 +69673,7 @@ index 4b2878a..07569a4 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1119,29 +1437,38 @@ template(`userdom_admin_user_template',` +@@ -1119,29 +1438,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -69526,7 +69716,7 @@ index 4b2878a..07569a4 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1151,6 +1478,8 @@ template(`userdom_admin_user_template',` +@@ -1151,6 +1479,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -69535,7 +69725,7 @@ index 4b2878a..07569a4 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1210,6 +1539,8 @@ template(`userdom_security_admin_template',` +@@ -1210,6 +1540,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -69544,7 +69734,7 @@ index 4b2878a..07569a4 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1222,8 +1553,9 @@ template(`userdom_security_admin_template',` +@@ -1222,8 +1554,9 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -69555,7 +69745,7 @@ index 4b2878a..07569a4 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1234,13 +1566,24 @@ template(`userdom_security_admin_template',` +@@ -1234,13 +1567,24 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -69584,7 +69774,7 @@ index 4b2878a..07569a4 100644 ') optional_policy(` -@@ -1251,12 +1594,12 @@ template(`userdom_security_admin_template',` +@@ -1251,12 +1595,12 @@ template(`userdom_security_admin_template',` dmesg_exec($1) ') @@ -69600,7 +69790,7 @@ index 4b2878a..07569a4 100644 ') optional_policy(` -@@ -1279,54 +1622,66 @@ template(`userdom_security_admin_template',` +@@ -1279,54 +1623,66 @@ template(`userdom_security_admin_template',` interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -69682,7 +69872,7 @@ index 4b2878a..07569a4 100644 ## ## ## -@@ -1334,7 +1689,44 @@ interface(`userdom_setattr_user_ptys',` +@@ -1334,7 +1690,44 @@ interface(`userdom_setattr_user_ptys',` ## ## # @@ -69728,7 +69918,7 @@ index 4b2878a..07569a4 100644 gen_require(` type user_devpts_t; ') -@@ -1395,6 +1787,7 @@ interface(`userdom_search_user_home_dirs',` +@@ -1395,6 +1788,7 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -69736,7 +69926,7 @@ index 4b2878a..07569a4 100644 files_search_home($1) ') -@@ -1441,6 +1834,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1441,6 +1835,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -69751,7 +69941,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1456,9 +1857,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1456,9 +1858,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -69763,7 +69953,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1515,6 +1918,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1515,6 +1919,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -69806,7 +69996,7 @@ index 4b2878a..07569a4 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1589,6 +2028,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1589,6 +2029,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -69815,7 +70005,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1603,10 +2044,12 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1603,10 +2045,12 @@ interface(`userdom_dontaudit_search_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -69830,7 +70020,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1649,6 +2092,43 @@ interface(`userdom_delete_user_home_content_dirs',` +@@ -1649,6 +2093,43 @@ interface(`userdom_delete_user_home_content_dirs',` ######################################## ## @@ -69874,7 +70064,7 @@ index 4b2878a..07569a4 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1668,6 +2148,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1668,6 +2149,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## 
@@ -69900,7 +70090,7 @@ index 4b2878a..07569a4 100644 ## Mmap user home files. ## ## -@@ -1700,12 +2199,32 @@ interface(`userdom_read_user_home_content_files',` +@@ -1700,12 +2200,32 @@ interface(`userdom_read_user_home_content_files',` type user_home_dir_t, user_home_t; ') @@ -69933,7 +70123,7 @@ index 4b2878a..07569a4 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1716,11 +2235,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1716,11 +2236,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -69951,7 +70141,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1779,6 +2301,60 @@ interface(`userdom_delete_user_home_content_files',` +@@ -1779,6 +2302,60 @@ interface(`userdom_delete_user_home_content_files',` ######################################## ## @@ -70012,7 +70202,7 @@ index 4b2878a..07569a4 100644 ## Do not audit attempts to write user home files. ## ## -@@ -1810,8 +2386,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1810,8 +2387,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -70022,7 +70212,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -1827,20 +2402,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -1827,20 +2403,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -70047,7 +70237,7 @@ index 4b2878a..07569a4 100644 ######################################## ## -@@ -1941,6 +2510,24 @@ interface(`userdom_delete_user_home_content_symlinks',` +@@ -1941,6 +2511,24 @@ interface(`userdom_delete_user_home_content_symlinks',` ######################################## ## 
@@ -70072,7 +70262,7 @@ index 4b2878a..07569a4 100644 ## Create, read, write, and delete named pipes ## in a user home subdirectory. ## -@@ -2008,7 +2595,7 @@ interface(`userdom_user_home_dir_filetrans',` +@@ -2008,7 +2596,7 @@ interface(`userdom_user_home_dir_filetrans',` type user_home_dir_t; ') @@ -70081,7 +70271,7 @@ index 4b2878a..07569a4 100644 files_search_home($1) ') -@@ -2182,7 +2769,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2182,7 +2770,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -70090,7 +70280,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -2390,7 +2977,7 @@ interface(`userdom_user_tmp_filetrans',` +@@ -2390,7 +2978,7 @@ interface(`userdom_user_tmp_filetrans',` type user_tmp_t; ') @@ -70099,7 +70289,7 @@ index 4b2878a..07569a4 100644 files_search_tmp($1) ') -@@ -2435,13 +3022,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2435,13 +3023,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -70115,7 +70305,7 @@ index 4b2878a..07569a4 100644 ## ## ## -@@ -2462,26 +3050,6 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2462,26 +3051,6 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -70142,7 +70332,7 @@ index 4b2878a..07569a4 100644 ## Get the attributes of a user domain tty. ## ## -@@ -2572,7 +3140,7 @@ interface(`userdom_use_user_ttys',` +@@ -2572,7 +3141,7 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -70151,7 +70341,7 @@ index 4b2878a..07569a4 100644 ## ## ## -@@ -2580,70 +3148,138 @@ interface(`userdom_use_user_ttys',` +@@ -2580,70 +3149,138 @@ interface(`userdom_use_user_ttys',` ## ## # 
@@ -70320,7 +70510,7 @@ index 4b2878a..07569a4 100644 ######################################## ## ## Execute a shell in all user domains. This -@@ -2736,24 +3372,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2736,24 +3373,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -70345,7 +70535,7 @@ index 4b2878a..07569a4 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -2772,25 +3390,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -2772,25 +3391,6 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -70371,7 +70561,7 @@ index 4b2878a..07569a4 100644 ######################################## ## ## Manage unpriviledged user SysV shared -@@ -2852,7 +3451,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2852,7 +3452,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -70380,7 +70570,7 @@ index 4b2878a..07569a4 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -2868,29 +3467,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -2868,29 +3468,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -70414,7 +70604,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -2972,7 +3555,7 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -2972,7 +3556,7 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -70423,7 +70613,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -3027,7 +3610,45 @@ interface(`userdom_write_user_tmp_files',` +@@ -3027,7 +3611,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -70470,7 +70660,7 @@ index 4b2878a..07569a4 100644 ') ######################################## -@@ -3064,6 +3685,7 @@ interface(`userdom_read_all_users_state',` +@@ -3064,6 +3686,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -70478,7 +70668,7 @@ index 4b2878a..07569a4 100644 kernel_search_proc($1) ') -@@ -3142,6 +3764,24 @@ interface(`userdom_signal_all_users',` +@@ -3142,6 +3765,24 @@ interface(`userdom_signal_all_users',` ######################################## ## @@ -70503,7 +70693,7 @@ index 4b2878a..07569a4 100644 ## Send a SIGCHLD signal to all user domains. ## ## -@@ -3194,3 +3834,1076 @@ interface(`userdom_dbus_send_all_users',` +@@ -3194,3 +3835,1076 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index cca2336..23c0704 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 21%{?dist} +Release: 22%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,16 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Aug 29 2011 Miroslav Grepl 3.10.0-22 +- Allow Postfix to deliver to Dovecot LMTP socket +- Ignore bogus sys_module for lldpad +- Allow chrony and gpsd to send dgrams, gpsd needs to write to the real time clock +- systemd_logind_t sets the attributes on usb devices +- Allow hddtemp_t to read etc_t files +- Add permissivedomains module +- Move all permissive domains calls to permissivedomain.te +- Allow pegasis to send kill signals to other UIDs + * Wed Aug 24 2011 Miroslav Grepl 3.10.0-21 - Allow insmod_t to use fds leaked from devicekit - dontaudit getattr between insmod_t and init_t unix_stream_sockets