From af863d82512523d5f75fa092a0f9c9b48fc5df0f Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Jan 05 2018 14:16:17 +0000
Subject: * Fri Jan 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-309

- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
- Allow certmonger domain to create temp files BZ(1530795)
- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
- Allow fsdaemon_t to read nvme devices BZ(1530018)
- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)
- Update munin plugin policy BZ(1528471)
- Allow sendmail_t domain to be system dbusd client BZ(1478735)
- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
- Allow thumb_t to mmap non security files BZ(1517393)
- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
- Fix broken sysnet_filetrans_named_content() interface
- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
- Add interface files_map_non_security_files()

---

diff --git a/container-selinux.tgz b/container-selinux.tgz
index 3b80c6c..9a77d66 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index a08c614..2127ca6 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -12724,7 +12724,7 @@ index b876c48ad..2e591a538 100644
 +
 +/sysroot/ostree/deploy/.*-atomic/deploy(/.*)?           gen_context(system_u:object_r:root_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76ad..74a6d0a54 100644
+index f962f76ad..b36aea185 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -13112,7 +13112,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Read all files.
  ## </summary>
  ## <param name="domain">
-@@ -683,88 +960,83 @@ interface(`files_read_non_security_files',`
+@@ -683,129 +960,261 @@ interface(`files_read_non_security_files',`
  		attribute non_security_file_type;
  	')
  
@@ -13125,7 +13125,7 @@ index f962f76ad..74a6d0a54 100644
  ## <summary>
 -##	Read all directories on the filesystem, except
 -##	the listed exceptions.
-+##	Read/Write all inherited non-security files.
++##	Map all non-security files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13141,21 +13141,21 @@ index f962f76ad..74a6d0a54 100644
 +## <rolecap/>
  #
 -interface(`files_read_all_dirs_except',`
-+interface(`files_rw_inherited_non_security_files',`
++interface(`files_map_non_security_files',`
  	gen_require(`
 -		attribute file_type;
 +		attribute non_security_file_type;
  	')
  
 -	allow $1 { file_type $2 }:dir list_dir_perms;
-+	allow $1 non_security_file_type:file { read write };
++    allow $1 non_security_file_type:file map;
  ')
  
  ########################################
  ## <summary>
 -##	Read all files on the filesystem, except
 -##	the listed exceptions.
-+##	Manage all non-security files.
++##	Read/Write all inherited non-security files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13171,22 +13171,21 @@ index f962f76ad..74a6d0a54 100644
 +## <rolecap/>
  #
 -interface(`files_read_all_files_except',`
-+interface(`files_manage_non_security_files',`
++interface(`files_rw_inherited_non_security_files',`
  	gen_require(`
 -		attribute file_type;
 +		attribute non_security_file_type;
  	')
  
 -	read_files_pattern($1, { file_type $2 }, { file_type $2 })
-+	manage_files_pattern($1, non_security_file_type, non_security_file_type)
-+	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
++	allow $1 non_security_file_type:file { read write };
  ')
  
  ########################################
  ## <summary>
 -##	Read all symbolic links on the filesystem, except
 -##	the listed exceptions.
-+##	Relabel all non-security files.
++##	Manage all non-security files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -13202,13 +13201,37 @@ index f962f76ad..74a6d0a54 100644
 +## <rolecap/>
  #
 -interface(`files_read_all_symlinks_except',`
-+interface(`files_relabel_non_security_files',`
++interface(`files_manage_non_security_files',`
  	gen_require(`
 -		attribute file_type;
 +		attribute non_security_file_type;
  	')
  
 -	read_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
++	manage_files_pattern($1, non_security_file_type, non_security_file_type)
++	manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of all symbolic links.
++##	Relabel all non-security files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_getattr_all_symlinks',`
++interface(`files_relabel_non_security_files',`
+ 	gen_require(`
+-		attribute file_type;
++		attribute non_security_file_type;
+ 	')
+ 
+-	getattr_lnk_files_pattern($1, file_type, file_type)
 +	relabel_files_pattern($1, non_security_file_type, non_security_file_type)
 +	allow $1 { non_security_file_type }:dir list_dir_perms;
 +	relabel_dirs_pattern($1, { non_security_file_type }, { non_security_file_type })
@@ -13225,47 +13248,45 @@ index f962f76ad..74a6d0a54 100644
  
  ########################################
  ## <summary>
--##	Get the attributes of all symbolic links.
+-##	Do not audit attempts to get the attributes
+-##	of all symbolic links.
 +##	Search all base file dirs.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -772,40 +1044,158 @@ interface(`files_read_all_symlinks_except',`
+-##	Domain to not audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
--interface(`files_getattr_all_symlinks',`
+-interface(`files_dontaudit_getattr_all_symlinks',`
 +interface(`files_search_base_file_types',`
  	gen_require(`
 -		attribute file_type;
 +		attribute base_file_type;
  	')
  
--	getattr_lnk_files_pattern($1, file_type, file_type)
+-	dontaudit $1 file_type:lnk_file getattr;
 +	allow $1 base_file_type:dir search_dir_perms;
  ')
  
  ########################################
  ## <summary>
--##	Do not audit attempts to get the attributes
--##	of all symbolic links.
+-##	Do not audit attempts to read all symbolic links.
 +##	Relabel all base file types.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
 -##	Domain to not audit.
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_dontaudit_getattr_all_symlinks',`
++##	</summary>
++## </param>
++#
 +interface(`files_relabel_base_file_types',`
- 	gen_require(`
--		attribute file_type;
++	gen_require(`
 +		attribute base_file_type;
- 	')
- 
--	dontaudit $1 file_type:lnk_file getattr;
++	')
++
 +	allow $1 base_file_type:dir list_dir_perms;
 +	relabel_dirs_pattern($1, base_file_type , base_file_type )
 +	relabel_files_pattern($1, base_file_type , base_file_type )
@@ -13274,17 +13295,15 @@ index f962f76ad..74a6d0a54 100644
 +	relabel_sock_files_pattern($1, base_file_type , base_file_type )
 +	relabel_blk_files_pattern($1, base_file_type , base_file_type )
 +	relabel_chr_files_pattern($1, base_file_type , base_file_type )
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read all symbolic links.
++')
++
++########################################
++## <summary>
 +##	Read all directories on the filesystem, except
 +##	the listed exceptions.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
@@ -13400,7 +13419,7 @@ index f962f76ad..74a6d0a54 100644
  ##	</summary>
  ## </param>
  #
-@@ -953,6 +1343,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+@@ -953,6 +1362,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
  
  ########################################
  ## <summary>
@@ -13426,7 +13445,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Get the attributes of all named sockets.
  ## </summary>
  ## <param name="domain">
-@@ -991,6 +1400,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1419,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
  
  ########################################
  ## <summary>
@@ -13471,7 +13490,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Do not audit attempts to get the attributes
  ##	of non security named sockets.
  ## </summary>
-@@ -1073,13 +1520,12 @@ interface(`files_relabel_all_files',`
+@@ -1073,13 +1539,12 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -13488,7 +13507,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -1140,6 +1586,8 @@ interface(`files_manage_all_files',`
+@@ -1140,6 +1605,8 @@ interface(`files_manage_all_files',`
  	# satisfy the assertions:
  	seutil_create_bin_policy($1)
  	files_manage_kernel_modules($1)
@@ -13497,7 +13516,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -1182,24 +1630,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1649,6 @@ interface(`files_list_all',`
  
  ########################################
  ## <summary>
@@ -13522,7 +13541,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Do not audit attempts to search the
  ##	contents of any directories on extended
  ##	attribute filesystems.
-@@ -1444,8 +1874,8 @@ interface(`files_relabel_non_auth_files',`
+@@ -1444,8 +1893,8 @@ interface(`files_relabel_non_auth_files',`
  	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
  	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
  
@@ -13533,7 +13552,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  #############################################
-@@ -1601,6 +2031,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2050,24 @@ interface(`files_setattr_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -13558,7 +13577,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Do not audit attempts to set the attributes on all mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1691,6 +2139,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,6 +2158,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -13583,7 +13602,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1703,104 +2169,233 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1703,81 +2188,210 @@ interface(`files_dontaudit_write_all_mountpoints',`
  	gen_require(`
  		attribute mountpoint;
  	')
@@ -13681,32 +13700,17 @@ index f962f76ad..74a6d0a54 100644
 -##	The type of the object to be created.
 -##	</summary>
 -## </param>
--## <param name="object">
--##	<summary>
--##	The object class of the object being created.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
--##	<summary>
--##	The name of the object being created.
--##	</summary>
--## </param>
- #
--interface(`files_root_filetrans',`
++#
 +interface(`files_rmdir_all_dirs',`
- 	gen_require(`
--		type root_t;
++	gen_require(`
 +		attribute file_type;
- 	')
- 
--	filetrans_pattern($1, root_t, $2, $3, $4)
++	')
++
 +	allow $1 file_type:dir rmdir;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to read files in
--##	the root directory.
++')
++
++########################################
++## <summary>
 +##	Write all file type directories.
 +## </summary>
 +## <param name="domain">
@@ -13831,33 +13835,10 @@ index f962f76ad..74a6d0a54 100644
 +##	The type of the object to be created.
 +##	</summary>
 +## </param>
-+## <param name="object">
-+##	<summary>
-+##	The object class of the object being created.
-+##	</summary>
-+## </param>
-+## <param name="name" optional="true">
-+##	<summary>
-+##	The name of the object being created.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_root_filetrans',`
-+	gen_require(`
-+		type root_t;
-+	')
-+
-+	filetrans_pattern($1, root_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read files in
-+##	the root directory.
- ## </summary>
- ## <param name="domain">
+ ## <param name="object">
  ##	<summary>
-@@ -1892,25 +2487,25 @@ interface(`files_delete_root_dir_entry',`
+ ##	The object class of the object being created.
+@@ -1892,25 +2506,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -13889,7 +13870,7 @@ index f962f76ad..74a6d0a54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1923,7 +2518,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2537,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -13898,7 +13879,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -1946,6 +2541,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2560,42 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -13941,7 +13922,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2181,6 +2812,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2831,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -13966,7 +13947,7 @@ index f962f76ad..74a6d0a54 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2557,6 +3206,24 @@ interface(`files_read_default_pipes',`
+@@ -2557,6 +3225,24 @@ interface(`files_read_default_pipes',`
  
  ########################################
  ## <summary>
@@ -13991,7 +13972,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Search the contents of /etc directories.
  ## </summary>
  ## <param name="domain">
-@@ -2645,6 +3312,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3331,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -14016,7 +13997,7 @@ index f962f76ad..74a6d0a54 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2716,6 +3401,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3420,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -14024,7 +14005,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -2724,7 +3410,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3429,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -14033,7 +14014,7 @@ index f962f76ad..74a6d0a54 100644
  ##	</summary>
  ## </param>
  #
-@@ -2780,6 +3466,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3485,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -14059,7 +14040,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2798,6 +3503,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3522,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -14084,7 +14065,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2963,26 +3686,8 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3705,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -14106,14 +14087,10 @@ index f962f76ad..74a6d0a54 100644
 -
 -########################################
 -## <summary>
--##	Read files in /etc that are dynamically
--##	created on boot, such as mtab.
-+##	Read files in /etc that are dynamically
-+##	created on boot, such as mtab.
+ ##	Read files in /etc that are dynamically
+ ##	created on boot, such as mtab.
  ## </summary>
- ## <desc>
- ##	<p>
-@@ -3021,9 +3726,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3745,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -14124,7 +14101,7 @@ index f962f76ad..74a6d0a54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3031,18 +3734,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3753,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -14146,7 +14123,7 @@ index f962f76ad..74a6d0a54 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3060,6 +3762,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3781,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -14173,7 +14150,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3077,6 +3799,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3818,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -14181,7 +14158,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3098,6 +3821,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3840,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -14189,7 +14166,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3142,10 +3866,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3885,48 @@ interface(`files_etc_filetrans_etc_runtime',`
  #
  interface(`files_getattr_isid_type_dirs',`
  	gen_require(`
@@ -14240,7 +14217,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3161,10 +3923,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3942,10 @@ interface(`files_getattr_isid_type_dirs',`
  #
  interface(`files_dontaudit_search_isid_type_dirs',`
  	gen_require(`
@@ -14253,7 +14230,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3180,10 +3942,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3961,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
  #
  interface(`files_list_isid_type_dirs',`
  	gen_require(`
@@ -14266,7 +14243,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3199,10 +3961,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3980,10 @@ interface(`files_list_isid_type_dirs',`
  #
  interface(`files_rw_isid_type_dirs',`
  	gen_require(`
@@ -14279,7 +14256,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3218,10 +3980,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3999,66 @@ interface(`files_rw_isid_type_dirs',`
  #
  interface(`files_delete_isid_type_dirs',`
  	gen_require(`
@@ -14348,7 +14325,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3237,10 +4055,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +4074,10 @@ interface(`files_delete_isid_type_dirs',`
  #
  interface(`files_manage_isid_type_dirs',`
  	gen_require(`
@@ -14361,7 +14338,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3256,10 +4074,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4093,29 @@ interface(`files_manage_isid_type_dirs',`
  #
  interface(`files_mounton_isid_type_dirs',`
  	gen_require(`
@@ -14393,7 +14370,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3275,10 +4112,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4131,10 @@ interface(`files_mounton_isid_type_dirs',`
  #
  interface(`files_read_isid_type_files',`
  	gen_require(`
@@ -14406,7 +14383,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3294,10 +4131,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4150,10 @@ interface(`files_read_isid_type_files',`
  #
  interface(`files_delete_isid_type_files',`
  	gen_require(`
@@ -14419,7 +14396,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3313,10 +4150,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4169,10 @@ interface(`files_delete_isid_type_files',`
  #
  interface(`files_delete_isid_type_symlinks',`
  	gen_require(`
@@ -14432,7 +14409,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3332,10 +4169,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4188,10 @@ interface(`files_delete_isid_type_symlinks',`
  #
  interface(`files_delete_isid_type_fifo_files',`
  	gen_require(`
@@ -14445,7 +14422,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3351,10 +4188,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4207,10 @@ interface(`files_delete_isid_type_fifo_files',`
  #
  interface(`files_delete_isid_type_sock_files',`
  	gen_require(`
@@ -14458,7 +14435,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3370,10 +4207,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4226,10 @@ interface(`files_delete_isid_type_sock_files',`
  #
  interface(`files_delete_isid_type_blk_files',`
  	gen_require(`
@@ -14471,7 +14448,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3389,10 +4226,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4245,10 @@ interface(`files_delete_isid_type_blk_files',`
  #
  interface(`files_dontaudit_write_isid_chr_files',`
  	gen_require(`
@@ -14484,7 +14461,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3408,10 +4245,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4264,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
  #
  interface(`files_delete_isid_type_chr_files',`
  	gen_require(`
@@ -14497,7 +14474,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3427,10 +4264,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4283,10 @@ interface(`files_delete_isid_type_chr_files',`
  #
  interface(`files_manage_isid_type_files',`
  	gen_require(`
@@ -14510,7 +14487,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3446,10 +4283,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4302,10 @@ interface(`files_manage_isid_type_files',`
  #
  interface(`files_manage_isid_type_symlinks',`
  	gen_require(`
@@ -14523,7 +14500,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3465,10 +4302,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4321,29 @@ interface(`files_manage_isid_type_symlinks',`
  #
  interface(`files_rw_isid_type_blk_files',`
  	gen_require(`
@@ -14555,7 +14532,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3484,10 +4340,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4359,10 @@ interface(`files_rw_isid_type_blk_files',`
  #
  interface(`files_manage_isid_type_blk_files',`
  	gen_require(`
@@ -14568,7 +14545,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3503,10 +4359,29 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4378,29 @@ interface(`files_manage_isid_type_blk_files',`
  #
  interface(`files_manage_isid_type_chr_files',`
  	gen_require(`
@@ -14600,7 +14577,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3552,6 +4427,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4446,27 @@ interface(`files_dontaudit_getattr_home_dir',`
  
  ########################################
  ## <summary>
@@ -14628,7 +14605,7 @@ index f962f76ad..74a6d0a54 100644
  ##	Search home directories root (/home).
  ## </summary>
  ## <param name="domain">
-@@ -3814,20 +4710,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4729,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -14672,7 +14649,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -3921,6 +4835,45 @@ interface(`files_read_mnt_symlinks',`
+@@ -3921,6 +4854,45 @@ interface(`files_read_mnt_symlinks',`
  	read_lnk_files_pattern($1, mnt_t, mnt_t)
  ')
  
@@ -14718,7 +14695,7 @@ index f962f76ad..74a6d0a54 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -4012,6 +4965,7 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4984,7 @@ interface(`files_read_kernel_modules',`
  	allow $1 modules_object_t:dir list_dir_perms;
  	read_files_pattern($1, modules_object_t, modules_object_t)
  	read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -14726,7 +14703,7 @@ index f962f76ad..74a6d0a54 100644
  ')
  
  ########################################
-@@ -4217,48 +5171,235 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,174 +5190,292 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -14798,18 +14775,26 @@ index f962f76ad..74a6d0a54 100644
 -##	Do not audit attempts to get the
 -##	attributes of the tmp directory (/tmp).
 +##  File name transition for system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_tmp_dirs',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_filetrans_system_conf_named_files',`
 +    gen_require(`
 +        type etc_t, system_conf_t, usr_t;
 +    ')
-+
+ 
+-	dontaudit $1 tmp_t:dir getattr;
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old")
 +	filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables")
@@ -14830,28 +14815,40 @@ index f962f76ad..74a6d0a54 100644
 +	filetrans_pattern($1, etc_t, system_conf_t, dir, "yum.repos.d")
 +	filetrans_pattern($1, etc_t, system_conf_t, dir, "remotes.d")
 +	filetrans_pattern($1, usr_t, system_conf_t, dir, "repo")
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_search_tmp',`
+-	gen_require(`
+-		type tmp_t;
+-	')
 +interface(`files_relabelto_system_conf_files',`
 +    gen_require(`
 +        type usr_t;
 +    ')
-+
+ 
+-	allow $1 tmp_t:dir search_dir_perms;
 +    relabelto_files_pattern($1, system_conf_t, system_conf_t)
-+')
-+
+ ')
+ 
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to search the tmp directory (/tmp).
 +##  Relabel manageable system configuration files in /etc.
 +## </summary>
 +## <param name="domain">
@@ -14926,8 +14923,8 @@ index f962f76ad..74a6d0a54 100644
 +#####################################
 +## <summary>
 +##  File name transition for system db files in /var/lib.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
 +##  <summary>
 +##  Domain allowed access.
 +##  </summary>
@@ -14949,121 +14946,206 @@ index f962f76ad..74a6d0a54 100644
 +##	temporary directory (/tmp).
 +## </summary>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain to not audit.
 +##	Type of the file to associate.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_tmp',`
 +interface(`files_associate_tmp',`
-+	gen_require(`
-+		type tmp_t;
-+	')
-+
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmp_t:dir search_dir_perms;
 +	allow $1 tmp_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read the tmp directory (/tmp).
 +##	Allow the specified type to associate
 +##	to a filesystem with the type of the
 +##	/ file system
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type of the file to associate.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_tmp',`
 +interface(`files_associate_rootfs',`
-+	gen_require(`
+ 	gen_require(`
+-		type tmp_t;
 +		type root_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 tmp_t:dir list_dir_perms;
 +	allow $1 root_t:filesystem associate;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit listing of the tmp directory (/tmp).
 +##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4266,6 +5407,45 @@ interface(`files_getattr_tmp_dirs',`
+-##	Domain not to audit.
++##	Domain allowed access.
  ##	</summary>
  ## </param>
  #
+-interface(`files_dontaudit_list_tmp',`
 +interface(`files_getattr_tmp_dirs',`
-+	gen_require(`
-+		type tmp_t;
-+	')
-+
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	dontaudit $1 tmp_t:dir list_dir_perms;
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
 +	allow $1 tmp_t:dir getattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Remove entries from the tmp directory.
 +##	Do not audit attempts to check the 
 +##	access on tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
 +interface(`files_dontaudit_access_check_tmp',`
-+	gen_require(`
+ 	gen_require(`
+-		type tmp_t;
 +		type etc_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 tmp_t:dir del_entry_dir_perms;
 +	dontaudit $1 tmp_t:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in the tmp directory (/tmp).
 +##	Do not audit attempts to get the
 +##	attributes of the tmp directory (/tmp).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
- interface(`files_dontaudit_getattr_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_files',`
++interface(`files_dontaudit_getattr_tmp_dirs',`
  	gen_require(`
  		type tmp_t;
-@@ -4289,6 +5469,8 @@ interface(`files_search_tmp',`
+ 	')
+ 
+-	read_files_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage temporary directories in /tmp.
++##	Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4392,35 +5483,37 @@ interface(`files_read_generic_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_dirs',`
++interface(`files_search_tmp',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
+-	manage_dirs_pattern($1, tmp_t, tmp_t)
 +    fs_search_tmpfs($1)
 +	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir search_dir_perms;
++	allow $1 tmp_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Manage temporary files and directories in /tmp.
++##	Do not audit attempts to search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_tmp_files',`
++interface(`files_dontaudit_search_tmp',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	manage_files_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4325,6 +5507,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-##	Read symbolic links in the tmp directory (/tmp).
++##	Read the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4428,35 +5521,55 @@ interface(`files_manage_generic_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_tmp_symlinks',`
++interface(`files_list_tmp',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
-+	read_lnk_files_pattern($1, tmp_t, tmp_t)
- 	allow $1 tmp_t:dir list_dir_perms;
+ 	read_lnk_files_pattern($1, tmp_t, tmp_t)
++	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4334,7 +5517,7 @@ interface(`files_list_tmp',`
+ ########################################
+ ## <summary>
+-##	Read and write generic named sockets in the tmp directory (/tmp).
++##	Do not audit listing of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain not to audit.
+-##	Domain allowed access.
 +##	Domain to not audit.
  ##	</summary>
  ## </param>
  #
-@@ -4346,6 +5529,25 @@ interface(`files_dontaudit_list_tmp',`
- 	dontaudit $1 tmp_t:dir list_dir_perms;
- ')
+-interface(`files_rw_generic_tmp_sockets',`
++interface(`files_dontaudit_list_tmp',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
  
+-	rw_sock_files_pattern($1, tmp_t, tmp_t)
++	dontaudit $1 tmp_t:dir list_dir_perms;
++')
++
 +#######################################
 +## <summary>
 +##  Allow read and write to the tmp directory (/tmp).
@@ -15081,25 +15163,85 @@ index f962f76ad..74a6d0a54 100644
 +
 +    files_search_tmp($1)
 +    allow $1 tmp_t:dir rw_dir_perms;
-+')
-+
+ ')
+ 
  ########################################
  ## <summary>
- ##	Remove entries from the tmp directory.
-@@ -4361,6 +5563,7 @@ interface(`files_delete_tmp_dir_entry',`
- 		type tmp_t;
+-##	Set the attributes of all tmp directories.
++##	Remove entries from the tmp directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4464,17 +5577,18 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_delete_tmp_dir_entry',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
  	')
  
+-	allow $1 tmpfile:dir { search_dir_perms setattr };
 +	files_search_tmp($1)
- 	allow $1 tmp_t:dir del_entry_dir_perms;
++	allow $1 tmp_t:dir del_entry_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List all tmp directories.
++##	Read files in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4482,59 +5596,61 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_read_generic_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
++	read_files_pattern($1, tmp_t, tmp_t)
  ')
  
-@@ -4402,6 +5605,32 @@ interface(`files_manage_generic_tmp_dirs',`
+ ########################################
+ ## <summary>
+-##	Relabel to and from all temporary
+-##	directory types.
++##	Manage temporary directories in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_manage_generic_tmp_dirs',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_dirs_pattern($1, tmpfile, tmpfile)
++	manage_dirs_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp files.
 +##	Allow shared library text relocations in tmp files.
-+## </summary>
+ ## </summary>
 +## <desc>
 +##	<p>
 +##	Allow shared library text relocations in tmp files.
@@ -15108,91 +15250,1902 @@ index f962f76ad..74a6d0a54 100644
 +##	This is added to support java policy.
 +##	</p>
 +## </desc>
-+## <param name="domain">
-+##	<summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
 +interface(`files_execmod_tmp',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 tmpfile:file getattr;
 +	allow $1 tmpfile:file execmod;
-+')
-+
-+########################################
-+## <summary>
- ##	Manage temporary files and directories in /tmp.
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow attempts to get the attributes
+-##	of all tmp files.
++##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4456,6 +5685,42 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##	<summary>
+@@ -4542,58 +5658,53 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_manage_generic_tmp_files',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	allow $1 tmpfile:file getattr;
++	manage_files_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
-+##	Relabel a dir from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_relabelfrom_tmp_dirs',`
-+	gen_require(`
+-##	Relabel to and from all temporary
+-##	file types.
++##	Read symbolic links in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_read_generic_tmp_symlinks',`
+ 	gen_require(`
+-		attribute tmpfile;
+-		type var_t;
 +		type tmp_t;
-+	')
-+
-+	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel a file from the type used in /tmp.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	relabel_files_pattern($1, tmpfile, tmpfile)
++	read_lnk_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of all tmp sock_file.
++##	Read and write generic named sockets in the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain not to audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_relabelfrom_tmp_files',`
-+	gen_require(`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_rw_generic_tmp_sockets',`
+ 	gen_require(`
+-		attribute tmpfile;
 +		type tmp_t;
-+	')
-+
-+	relabelfrom_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Set the attributes of all tmp directories.
+ 	')
+ 
+-	dontaudit $1 tmpfile:sock_file getattr;
++	rw_sock_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all tmp files.
++##	Relabel a dir from the type used in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4474,6 +5739,60 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##	<summary>
+@@ -4601,51 +5712,35 @@ interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_tmp_files',`
++interface(`files_relabelfrom_tmp_dirs',`
+ 	gen_require(`
+-		attribute tmpfile;
++		type tmp_t;
+ 	')
+ 
+-	read_files_pattern($1, tmpfile, tmpfile)
++	relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
  
  ########################################
  ## <summary>
-+##	Allow caller to read inherited tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_read_inherited_tmp_files',`
+-##	Create an object in the tmp directories, with a private
+-##	type using a type transition.
++##	Relabel a file from the type used in /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
+-##	<summary>
+-##	The type of the object to be created.
+-##	</summary>
+-## </param>
+-## <param name="object">
+-##	<summary>
+-##	The object class of the object being created.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_tmp_filetrans',`
++interface(`files_relabelfrom_tmp_files',`
+ 	gen_require(`
+ 		type tmp_t;
+ 	')
+ 
+-	filetrans_pattern($1, tmp_t, $2, $3, $4)
++	relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete the contents of /tmp.
++##	Set the attributes of all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4653,22 +5748,17 @@ interface(`files_tmp_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_purge_tmp',`
++interface(`files_setattr_all_tmp_dirs',`
+ 	gen_require(`
+ 		attribute tmpfile;
+ 	')
+ 
+-	allow $1 tmpfile:dir list_dir_perms;
+-	delete_dirs_pattern($1, tmpfile, tmpfile)
+-	delete_files_pattern($1, tmpfile, tmpfile)
+-	delete_lnk_files_pattern($1, tmpfile, tmpfile)
+-	delete_fifo_files_pattern($1, tmpfile, tmpfile)
+-	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /usr directory.
++##	Allow caller to read inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4676,17 +5766,17 @@ interface(`files_purge_tmp',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_usr_dirs',`
++interface(`files_read_inherited_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir setattr;
++	allow $1 tmpfile:file { append open read_inherited_file_perms };
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the content of /usr.
++##	Allow caller to append inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4694,18 +5784,17 @@ interface(`files_setattr_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_usr',`
++interface(`files_append_inherited_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir search_dir_perms;
++	allow $1 tmpfile:file append_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic
+-##	directories in /usr.
++##	Allow caller to read and write inherited tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4713,54 +5802,58 @@ interface(`files_search_usr',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_usr',`
++interface(`files_rw_inherited_tmp_file',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
++	allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit write of /usr dirs
++##	List all tmp directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_dirs',`
++interface(`files_list_all_tmp',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 usr_t:dir write;
++	allow $1 tmpfile:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Add and remove entries from /usr directories.
++##	Relabel to and from all temporary
++##	directory types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_rw_usr_dirs',`
++interface(`files_relabel_all_tmp_dirs',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
+ 	')
+ 
+-	allow $1 usr_t:dir rw_dir_perms;
++	allow $1 var_t:dir search_dir_perms;
++	relabel_dirs_pattern($1, tmpfile, tmpfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to add and remove
+-##	entries from /usr directories.
++##	Do not audit attempts to get the attributes
++##	of all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4768,17 +5861,18 @@ interface(`files_rw_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_usr_dirs',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 usr_t:dir rw_dir_perms;
++	dontaudit $1 tmpfile:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic directories in /usr in the caller domain.
++##	Allow attempts to get the attributes
++##	of all tmp files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4786,111 +5880,96 @@ interface(`files_dontaudit_rw_usr_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_usr_dirs',`
++interface(`files_getattr_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	delete_dirs_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic files in /usr in the caller domain.
++##	Relabel to and from all temporary
++##	file types.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_delete_usr_files',`
++interface(`files_relabel_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
++		type var_t;
+ 	')
+ 
+-	delete_files_pattern($1, usr_t, usr_t)
++	allow $1 var_t:dir search_dir_perms;
++	relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of files in /usr.
++##	Do not audit attempts to get the attributes
++##	of all tmp sock_file.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	getattr_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:sock_file getattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic files in /usr.
++##	Read all tmp files.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read generic
+-##	files in /usr. These files are various program
+-##	files that do not have more specific SELinux types.
+-##	Some examples of these files are:
+-##	</p>
+-##	<ul>
+-##		<li>/usr/include/*</li>
+-##		<li>/usr/share/doc/*</li>
+-##		<li>/usr/share/info/*</li>
+-##	</ul>
+-##	<p>
+-##	Generally, it is safe for many domains to have
+-##	this access.
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_read_usr_files',`
++interface(`files_read_all_tmp_files',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
+-	read_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	read_files_pattern($1, tmpfile, tmpfile)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute generic programs in /usr in the caller domain.
++##	Do not audit attempts to read or write
++##	all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_files',`
++interface(`files_dontaudit_tmp_file_leaks',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	allow $1 usr_t:dir list_dir_perms;
+-	exec_files_pattern($1, usr_t, usr_t)
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	dontaudit $1 tmpfile:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	dontaudit write of /usr files
++##	Do allow attempts to read or write
++##	all leaked tmpfiles files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4898,35 +5977,51 @@ interface(`files_exec_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_usr_files',`
++interface(`files_rw_tmp_file_leaks',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	dontaudit $1 usr_t:file write;
++	allow $1 tmpfile:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete files in the /usr directory.
++##	Create an object in the tmp directories, with a private
++##	type using a type transition.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_manage_usr_files',`
++interface(`files_tmp_filetrans',`
+ 	gen_require(`
+-		type usr_t;
++		type tmp_t;
+ 	')
+ 
+-	manage_files_pattern($1, usr_t, usr_t)
++	filetrans_pattern($1, tmp_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel a file to the type used in /usr.
++##	Delete the contents of /tmp.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4934,17 +6029,32 @@ interface(`files_manage_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabelto_usr_files',`
++interface(`files_purge_tmp',`
+ 	gen_require(`
+-		type usr_t;
++		attribute tmpfile;
+ 	')
+ 
+-	relabelto_files_pattern($1, usr_t, usr_t)
++	allow $1 tmpfile:dir list_dir_perms;
++	delete_dirs_pattern($1, tmpfile, tmpfile)
++	delete_files_pattern($1, tmpfile, tmpfile)
++	delete_lnk_files_pattern($1, tmpfile, tmpfile)
++	delete_fifo_files_pattern($1, tmpfile, tmpfile)
++	delete_sock_files_pattern($1, tmpfile, tmpfile)
++	delete_chr_files_pattern($1, tmpfile, tmpfile)
++	delete_blk_files_pattern($1, tmpfile, tmpfile)
++	files_list_isid_type_dirs($1)
++	files_delete_isid_type_dirs($1)
++	files_delete_isid_type_files($1)
++	files_delete_isid_type_symlinks($1)
++	files_delete_isid_type_fifo_files($1)
++	files_delete_isid_type_sock_files($1)
++	files_delete_isid_type_blk_files($1)
++	files_delete_isid_type_chr_files($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel a file from the type used in /usr.
++##	Set the attributes of the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4952,17 +6062,17 @@ interface(`files_relabelto_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_relabelfrom_usr_files',`
++interface(`files_setattr_usr_dirs',`
+ 	gen_require(`
+ 		type usr_t;
+ 	')
+ 
+-	relabelfrom_files_pattern($1, usr_t, usr_t)
++	allow $1 usr_t:dir setattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in /usr.
++##	Search the content of /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4970,50 +6080,36 @@ interface(`files_relabelfrom_usr_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_usr_symlinks',`
++interface(`files_search_usr',`
+ 	gen_require(`
+ 		type usr_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, usr_t, usr_t)
++	allow $1 usr_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /usr directory
++##	List the contents of generic
++##	directories in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_usr_filetrans',`
++interface(`files_list_usr',`
+ 	gen_require(`
+ 		type usr_t;
+ 	')
+ 
+-	filetrans_pattern($1, usr_t, $2, $3, $4)
++	allow $1 usr_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search /usr/src.
++##	Do not audit write of /usr dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5021,17 +6117,17 @@ interface(`files_usr_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_src',`
++interface(`files_dontaudit_write_usr_dirs',`
+ 	gen_require(`
+-		type src_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 src_t:dir search_dir_perms;
++	dontaudit $1 usr_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of files in /usr/src.
++##	Add and remove entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5039,41 +6135,36 @@ interface(`files_dontaudit_search_src',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_usr_src_files',`
++interface(`files_rw_usr_dirs',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+-	getattr_files_pattern($1, src_t, src_t)
+-
+-	# /usr/src/linux symlink:
+-	read_lnk_files_pattern($1, usr_t, src_t)
++	allow $1 usr_t:dir rw_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in /usr/src.
++##	Do not audit attempts to add and remove
++##	entries from /usr directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_usr_src_files',`
++interface(`files_dontaudit_rw_usr_dirs',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 usr_t:dir search_dir_perms;
+-	read_files_pattern($1, { usr_t src_t }, src_t)
+-	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
+-	allow $1 src_t:dir list_dir_perms;
++	dontaudit $1 usr_t:dir rw_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Execute programs in /usr/src in the caller domain.
++##	Delete generic directories in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5081,19 +6172,17 @@ interface(`files_read_usr_src_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_exec_usr_src_files',`
++interface(`files_delete_usr_dirs',`
+ 	gen_require(`
+-		type usr_t, src_t;
++		type usr_t;
+ 	')
+ 
+-	list_dirs_pattern($1, usr_t, src_t)
+-	exec_files_pattern($1, src_t, src_t)
+-	read_lnk_files_pattern($1, src_t, src_t)
++	delete_dirs_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Install a system.map into the /boot directory.
++##	Delete generic files in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5101,18 +6190,17 @@ interface(`files_exec_usr_src_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_kernel_symbol_table',`
++interface(`files_delete_usr_files',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
+-	allow $1 system_map_t:file { create_file_perms rw_file_perms };
++	delete_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read system.map in the /boot directory.
++##	Map files in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5120,18 +6208,17 @@ interface(`files_create_kernel_symbol_table',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_kernel_symbol_table',`
++interface(`files_mmap_usr_files',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir list_dir_perms;
+-	read_files_pattern($1, boot_t, system_map_t)
++	allow $1 usr_t:file map;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete a system.map in the /boot directory.
++##	Get the attributes of files in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5139,54 +6226,55 @@ interface(`files_read_kernel_symbol_table',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_kernel_symbol_table',`
++interface(`files_getattr_usr_files',`
+ 	gen_require(`
+-		type boot_t, system_map_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 boot_t:dir list_dir_perms;
+-	delete_files_pattern($1, boot_t, system_map_t)
++	getattr_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of /var.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
+-interface(`files_search_var',`
+-	gen_require(`
+-		type var_t;
+-	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-')
+-
+-########################################
+-## <summary>
+-##	Do not audit attempts to write to /var.
++##	Read generic files in /usr.
+ ## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read generic
++##	files in /usr. These files are various program
++##	files that do not have more specific SELinux types.
++##	Some examples of these files are:
++##	</p>
++##	<ul>
++##		<li>/usr/include/*</li>
++##		<li>/usr/share/doc/*</li>
++##		<li>/usr/share/info/*</li>
++##	</ul>
++##	<p>
++##	Generally, it is safe for many domains to have
++##	this access.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+-interface(`files_dontaudit_write_var_dirs',`
++interface(`files_read_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:dir write;
++	allow $1 usr_t:dir list_dir_perms;
++	read_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow attempts to write to /var.dirs
++##	Execute generic programs in /usr in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5194,18 +6282,19 @@ interface(`files_dontaudit_write_var_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_var_dirs',`
++interface(`files_exec_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir write;
++	allow $1 usr_t:dir list_dir_perms;
++	exec_files_pattern($1, usr_t, usr_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the contents of /var.
++##	dontaudit write of /usr files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5213,17 +6302,17 @@ interface(`files_write_var_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_var',`
++interface(`files_dontaudit_write_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	dontaudit $1 var_t:dir search_dir_perms;
++	dontaudit $1 usr_t:file write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of /var.
++##	Create, read, write, and delete files in the /usr directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5231,18 +6320,17 @@ interface(`files_dontaudit_search_var',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_var',`
++interface(`files_manage_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir list_dir_perms;
++	manage_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete directories
+-##	in the /var directory.
++##	Relabel a file to the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5250,17 +6338,17 @@ interface(`files_list_var',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_dirs',`
++interface(`files_relabelto_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	allow $1 var_t:dir manage_dir_perms;
++	relabelto_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read files in the /var directory.
++##	Relabel a file from the type used in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5268,17 +6356,17 @@ interface(`files_manage_var_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_files',`
++interface(`files_relabelfrom_usr_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	read_files_pattern($1, var_t, var_t)
++	relabelfrom_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Append files in the /var directory.
++##	Read symbolic links in /usr.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5286,36 +6374,50 @@ interface(`files_read_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_append_var_files',`
++interface(`files_read_usr_symlinks',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	append_files_pattern($1, var_t, var_t)
++	read_lnk_files_pattern($1, usr_t, usr_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write files in the /var directory.
++##	Create objects in the /usr directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
+ #
+-interface(`files_rw_var_files',`
++interface(`files_usr_filetrans',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t;
+ 	')
+ 
+-	rw_files_pattern($1, var_t, var_t)
++	filetrans_pattern($1, usr_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and write
+-##	files in the /var directory.
++##	Do not audit attempts to search /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5323,17 +6425,17 @@ interface(`files_rw_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_rw_var_files',`
++interface(`files_dontaudit_search_src',`
+ 	gen_require(`
+-		type var_t;
++		type src_t;
+ 	')
+ 
+-	dontaudit $1 var_t:file rw_file_perms;
++	dontaudit $1 src_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete files in the /var directory.
++##	Get the attributes of files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5341,17 +6443,20 @@ interface(`files_dontaudit_rw_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_files',`
++interface(`files_getattr_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	manage_files_pattern($1, var_t, var_t)
++	getattr_files_pattern($1, src_t, src_t)
++
++	# /usr/src/linux symlink:
++	read_lnk_files_pattern($1, usr_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links in the /var directory.
++##	Read files in /usr/src.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5359,18 +6464,20 @@ interface(`files_manage_var_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_symlinks',`
++interface(`files_read_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, var_t, var_t)
++	allow $1 usr_t:dir search_dir_perms;
++	read_files_pattern($1, { usr_t src_t }, src_t)
++	read_lnk_files_pattern($1, { usr_t src_t }, src_t)
++	allow $1 src_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete symbolic
+-##	links in the /var directory.
++##	Execute programs in /usr/src in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5378,50 +6485,75 @@ interface(`files_read_var_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_var_symlinks',`
++interface(`files_exec_usr_src_files',`
+ 	gen_require(`
+-		type var_t;
++		type usr_t, src_t;
+ 	')
+ 
+-	manage_lnk_files_pattern($1, var_t, var_t)
++	list_dirs_pattern($1, usr_t, src_t)
++	exec_files_pattern($1, src_t, src_t)
++	read_lnk_files_pattern($1, src_t, src_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var directory
++##	Install a system.map into the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
++#
++interface(`files_create_kernel_symbol_table',`
++	gen_require(`
++		type boot_t, system_map_t;
++	')
++
++	allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms };
++	allow $1 system_map_t:file { create_file_perms rw_file_perms };
++')
++
++########################################
++## <summary>
++##	Dontaudit getattr attempts on the system.map file
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The object class.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++	gen_require(`
++		type system_map_t;
++	')
++
++	dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++## <summary>
++##	Read system.map in the /boot directory.
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	The name of the object being created.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_var_filetrans',`
++interface(`files_read_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	filetrans_pattern($1, var_t, $2, $3, $4)
++	allow $1 boot_t:dir list_dir_perms;
++	read_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of the /var/lib directory.
++##	Delete a system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5429,69 +6561,54 @@ interface(`files_var_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_var_lib_dirs',`
++interface(`files_delete_kernel_symbol_table',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type boot_t, system_map_t;
+ 	')
+ 
+-	getattr_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 boot_t:dir list_dir_perms;
++	delete_files_pattern($1, boot_t, system_map_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the /var/lib directory.
++##	Search the contents of /var.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Search the /var/lib directory.  This is
+-##	necessary to access files or directories under
+-##	/var/lib that have a private type.  For example, a
+-##	domain accessing a private library file in the
+-##	/var/lib directory:
+-##	</p>
+-##	<p>
+-##	allow mydomain_t mylibfile_t:file read_file_perms;
+-##	files_search_var_lib(mydomain_t)
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_search_var_lib',`
++interface(`files_search_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 var_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	contents of /var/lib.
++##	Do not audit attempts to write to /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_dontaudit_search_var_lib',`
++interface(`files_dontaudit_write_var_dirs',`
+ 	gen_require(`
+-		type var_lib_t;
++		type var_t;
+ 	')
+ 
+-	dontaudit $1 var_lib_t:dir search_dir_perms;
++	dontaudit $1 var_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the /var/lib directory.
++##	Allow attempts to write to /var.dirs
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5499,88 +6616,73 @@ interface(`files_dontaudit_search_var_lib',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_var_lib',`
++interface(`files_write_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_lib_t)
++	allow $1 var_t:dir write;
+ ')
+ 
+-###########################################
++########################################
+ ## <summary>
+-##	Read-write /var/lib directories
++##	Do not audit attempts to search
++##	the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_var_lib_dirs',`
++interface(`files_dontaudit_search_var',`
+ 	gen_require(`
+-		type var_lib_t;
++		type var_t;
+ 	')
+ 
+-	rw_dirs_pattern($1, var_lib_t, var_lib_t)
++	dontaudit $1 var_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the /var/lib directory
++##	List the contents of /var.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file_type">
+-##	<summary>
+-##	The type of the object to be created
+-##	</summary>
+-## </param>
+-## <param name="object_class">
+-##	<summary>
+-##	The object class.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
+ #
+-interface(`files_var_lib_filetrans',`
++interface(`files_list_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_lib_t, $2, $3, $4)
++	allow $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic files in /var/lib.
++##	Do not audit listing of the var directory (/var).
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_files',`
++interface(`files_dontaudit_list_var',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lib_t:dir list_dir_perms;
+-	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	dontaudit $1 var_t:dir list_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic symbolic links in /var/lib
++##	Create, read, write, and delete directories
++##	in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5588,21 +6690,17 @@ interface(`files_read_var_lib_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_var_lib_symlinks',`
++interface(`files_manage_var_dirs',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
++	allow $1 var_t:dir manage_dir_perms;
+ ')
+ 
+-# cjp: the next two interfaces really need to be fixed
+-# in some way.  They really neeed their own types.
+-
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete the
+-##	pseudorandom number generator seed.
++##	Read files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5610,19 +6708,17 @@ interface(`files_read_var_lib_symlinks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_urandom_seed',`
++interface(`files_read_var_files',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	read_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow domain to manage mount tables
+-##	necessary for rpcd, nfsd, etc.
++##	Append files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5630,18 +6726,17 @@ interface(`files_manage_urandom_seed',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_mounttab',`
++interface(`files_append_var_files',`
+ 	gen_require(`
+-		type var_t, var_lib_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_lib_t, var_lib_t)
++	append_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the generic lock directories.
++##	Read and write files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5649,56 +6744,54 @@ interface(`files_manage_mounttab',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_lock_dirs',`
++interface(`files_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	setattr_dirs_pattern($1, var_t, var_lock_t)
++	rw_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the locks directory (/var/lock).
++##	Do not audit attempts to read and write
++##	files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_locks',`
++interface(`files_dontaudit_rw_var_files',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_lock_t)
++	dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search the
+-##	locks directory (/var/lock).
++##	Create, read, write, and delete files in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_locks',`
++interface(`files_manage_var_files',`
+ 	gen_require(`
+-		type var_lock_t;
++		type var_t;
+ 	')
+ 
+-	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_lock_t:dir search_dir_perms;
++	manage_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List generic lock directories.
++##	Read symbolic links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5706,19 +6799,18 @@ interface(`files_dontaudit_search_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_locks',`
++interface(`files_read_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_lock_t)
++	read_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Add and remove entries in the /var/lock
+-##	directories.
++##	Create, read, write, and delete symbolic
++##	links in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5726,60 +6818,68 @@ interface(`files_list_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_lock_dirs',`
++interface(`files_manage_var_symlinks',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	rw_dirs_pattern($1, var_t, var_lock_t)
++	manage_lnk_files_pattern($1, var_t, var_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create lock directories
++##	Create objects in the /var directory
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="file_type">
++##	<summary>
++##	The type of the object to be created
++##	</summary>
++## </param>
++## <param name="object_class">
++##	<summary>
++##	The object class.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_create_lock_dirs',`
++interface(`files_var_filetrans',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	create_dirs_pattern($1, var_lock_t, var_lock_t)
++	filetrans_pattern($1, var_t, $2, $3, $4)
+ ')
+ 
++
+ ########################################
+ ## <summary>
+-##	Relabel to and from all lock directory types.
++## Relabel dirs in the /var directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_relabel_all_lock_dirs',`
++interface(`files_relabel_var_dirs',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t;
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	relabel_dirs_pattern($1, lockfile, lockfile)
++    allow $1 var_t:dir relabel_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of generic lock files.
++##	Get the attributes of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5787,84 +6887,87 @@ interface(`files_relabel_all_lock_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_getattr_generic_locks',`
++interface(`files_getattr_var_lib_dirs',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_lock_t:dir list_dir_perms;
+-	getattr_files_pattern($1, var_lock_t, var_lock_t)
++	getattr_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete generic lock files.
++##	Search the /var/lib directory.
+ ## </summary>
++## <desc>
++##	<p>
++##	Search the /var/lib directory.  This is
++##	necessary to access files or directories under
++##	/var/lib that have a private type.  For example, a
++##	domain accessing a private library file in the
++##	/var/lib directory:
++##	</p>
++##	<p>
++##	allow mydomain_t mylibfile_t:file read_file_perms;
++##	files_search_var_lib(mydomain_t)
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_delete_generic_locks',`
++interface(`files_search_var_lib',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, var_lock_t, var_lock_t)
++	search_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	lock files.
++##	Do not audit attempts to search the
++##	contents of /var/lib.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="5"/>
+ #
+-interface(`files_manage_generic_locks',`
++interface(`files_dontaudit_search_var_lib',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	manage_dirs_pattern($1, var_lock_t, var_lock_t)
+-	manage_files_pattern($1, var_lock_t, var_lock_t)
++	dontaudit $1 var_lib_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all lock files.
++##	List the contents of the /var/lib directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_locks',`
++interface(`files_list_var_lib',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	delete_files_pattern($1, lockfile, lockfile)
++	list_dirs_pattern($1, var_t, var_lib_t)
+ ')
+ 
+-########################################
++###########################################
+ ## <summary>
+-##	Read all lock files.
++##	Read-write /var/lib directories
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5872,22 +6975,17 @@ interface(`files_delete_all_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_all_locks',`
++interface(`files_rw_var_lib_dirs',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	allow $1 lockfile:dir list_dir_perms;
+-	read_files_pattern($1, lockfile, lockfile)
+-	read_lnk_files_pattern($1, lockfile, lockfile)
++	rw_dirs_pattern($1, var_lib_t, var_lib_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	manage all lock files.
++##	Create directories in /var/lib
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5895,37 +6993,32 @@ interface(`files_read_all_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_locks',`
++interface(`files_create_var_lib_dirs',`
+ 	gen_require(`
+-		attribute lockfile;
+-		type var_t, var_lock_t;
++		type var_lib_t;
+ 	')
+ 
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	allow $1 { var_t var_lock_t }:dir search_dir_perms;
+-	manage_dirs_pattern($1, lockfile, lockfile)
+-	manage_files_pattern($1, lockfile, lockfile)
+-	manage_lnk_files_pattern($1, lockfile, lockfile)
++	allow $1 var_lib_t:dir { create rw_dir_perms };
+ ')
+ 
++
+ ########################################
+ ## <summary>
+-##	Create an object in the locks directory, with a private
+-##	type using a type transition.
++##	Create objects in the /var/lib directory
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
++## <param name="file_type">
+ ##	<summary>
+-##	The type of the object to be created.
++##	The type of the object to be created
+ ##	</summary>
+ ## </param>
+-## <param name="object">
++## <param name="object_class">
+ ##	<summary>
+-##	The object class of the object being created.
++##	The object class.
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -5934,20 +7027,1283 @@ interface(`files_manage_all_locks',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_lock_filetrans',`
++interface(`files_var_lib_filetrans',`
+ 	gen_require(`
+-		type var_t, var_lock_t;
++		type var_t, var_lib_t;
+ 	')
+ 
+ 	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++	filetrans_pattern($1, var_lib_t, $2, $3, $4)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of the /var/run directory.
++##	Read generic files in /var/lib.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_var_lib_files',`
 +	gen_require(`
-+		attribute tmpfile;
++		type var_t, var_lib_t;
 +	')
 +
-+	allow $1 tmpfile:file { append open read_inherited_file_perms };
++	allow $1 var_lib_t:dir list_dir_perms;
++	read_files_pattern($1, { var_t var_lib_t }, var_lib_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to append inherited tmp files.
++##	Read generic symbolic links in /var/lib
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15200,17 +17153,18 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_read_var_lib_symlinks',`
 +	gen_require(`
-+		attribute tmpfile;
++		type var_t, var_lib_t;
 +	')
 +
-+	allow $1 tmpfile:file append_inherited_file_perms;
++	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to read and write inherited tmp files.
++##	manage generic symbolic links
++##	in the /var/lib directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15218,127 +17172,96 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_manage_var_lib_symlinks',`
 +	gen_require(`
-+		attribute tmpfile;
++		type var_lib_t;
 +	')
 +
-+	allow $1 tmpfile:file rw_inherited_file_perms;
++	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
 +')
 +
++# cjp: the next two interfaces really need to be fixed
++# in some way.  They really neeed their own types.
++
 +########################################
 +## <summary>
- ##	List all tmp directories.
- ## </summary>
- ## <param name="domain">
-@@ -4519,7 +5838,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -4579,7 +5898,7 @@ interface(`files_relabel_all_tmp_files',`
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain not to audit.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -4611,20 +5930,58 @@ interface(`files_read_all_tmp_files',`
- 
- ########################################
- ## <summary>
--##	Create an object in the tmp directories, with a private
--##	type using a type transition.
-+##	Do not audit attempts to read or write
-+##	all leaked tmpfiles files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--## <param name="private type">
--##	<summary>
--##	The type of the object to be created.
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
--## <param name="object">
++##	Create, read, write, and delete the
++##	pseudorandom number generator seed.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
-+interface(`files_dontaudit_tmp_file_leaks',`
++interface(`files_manage_urandom_seed',`
 +	gen_require(`
-+		attribute tmpfile;
++		type var_t, var_lib_t;
 +	')
 +
-+	dontaudit $1 tmpfile:file rw_inherited_file_perms;
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
 +')
 +
++
 +########################################
 +## <summary>
-+##	Do allow attempts to read or write
-+##	all leaked tmpfiles files.
++## Relabel to dirs in the /var/lib directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_rw_tmp_file_leaks',`
++interface(`files_relabelto_var_lib_dirs',`
 +	gen_require(`
-+		attribute tmpfile;
++		type var_lib_t;
 +	')
-+
-+	allow $1 tmpfile:file rw_inherited_file_perms;
++    allow $1 var_lib_t:dir relabelto;
 +')
 +
++
 +########################################
 +## <summary>
-+##	Create an object in the tmp directories, with a private
-+##	type using a type transition.
++## Relabel dirs in the /var/lib directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="private type">
++#
++interface(`files_relabel_var_lib_dirs',`
++	gen_require(`
++		type var_lib_t;
++	')
++    allow $1 var_lib_t:dir relabel_dir_perms;
++')
++
++########################################
++## <summary>
++##	Allow domain to manage mount tables
++##	necessary for rpcd, nfsd, etc.
++## </summary>
++## <param name="domain">
 +##	<summary>
-+##	The type of the object to be created.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="object">
- ##	<summary>
- ##	The object class of the object being created.
- ##	</summary>
-@@ -4664,6 +6021,16 @@ interface(`files_purge_tmp',`
- 	delete_lnk_files_pattern($1, tmpfile, tmpfile)
- 	delete_fifo_files_pattern($1, tmpfile, tmpfile)
- 	delete_sock_files_pattern($1, tmpfile, tmpfile)
-+	delete_chr_files_pattern($1, tmpfile, tmpfile)
-+	delete_blk_files_pattern($1, tmpfile, tmpfile)
-+	files_list_isid_type_dirs($1)
-+	files_delete_isid_type_dirs($1)
-+	files_delete_isid_type_files($1)
-+	files_delete_isid_type_symlinks($1)
-+	files_delete_isid_type_fifo_files($1)
-+	files_delete_isid_type_sock_files($1)
-+	files_delete_isid_type_blk_files($1)
-+	files_delete_isid_type_chr_files($1)
- ')
- 
- ########################################
-@@ -4814,6 +6181,24 @@ interface(`files_delete_usr_files',`
- 
- ########################################
- ## <summary>
-+##	Map files in /usr in the caller domain.
++#
++interface(`files_manage_mounttab',`
++	gen_require(`
++		type var_t, var_lib_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_lib_t, var_lib_t)
++')
++
++########################################
++## <summary>
++##	List generic lock directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15346,49 +17269,39 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_mmap_usr_files',`
++interface(`files_list_locks',`
 +	gen_require(`
-+		type usr_t;
++		type var_t, var_lock_t;
 +	')
 +
-+	allow $1 usr_t:file map;
++	files_search_locks($1)
++	list_dirs_pattern($1, var_t, var_lock_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Get the attributes of files in /usr.
- ## </summary>
- ## <param name="domain">
-@@ -5112,6 +6497,24 @@ interface(`files_create_kernel_symbol_table',`
- 
- ########################################
- ## <summary>
-+##	Dontaudit getattr attempts on the system.map file
++##	Search the locks directory (/var/lock).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaduit_getattr_kernel_symbol_table',`
++interface(`files_search_locks',`
 +	gen_require(`
-+		type system_map_t;
++		type var_t, var_lock_t;
 +	')
 +
-+	dontaudit $1 system_map_t:file getattr;
++	files_search_pids($1)
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_lock_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Read system.map in the /boot directory.
- ## </summary>
- ## <param name="domain">
-@@ -5241,6 +6644,24 @@ interface(`files_list_var',`
- 
- ########################################
- ## <summary>
-+##	Do not audit listing of the var directory (/var).
++##	Do not audit attempts to search the
++##	locks directory (/var/lock).
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15396,36 +17309,37 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_dontaudit_list_var',`
++interface(`files_dontaudit_search_locks',`
 +	gen_require(`
-+		type var_t;
++		type var_lock_t;
 +	')
 +
-+	dontaudit $1 var_t:dir list_dir_perms;
++	dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_lock_t:dir search_dir_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Create, read, write, and delete directories
- ##	in the /var directory.
- ## </summary>
-@@ -5328,7 +6749,7 @@ interface(`files_dontaudit_rw_var_files',`
- 		type var_t;
- 	')
- 
--	dontaudit $1 var_t:file rw_file_perms;
-+	dontaudit $1 var_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
-@@ -5419,6 +6840,24 @@ interface(`files_var_filetrans',`
- 	filetrans_pattern($1, var_t, $2, $3, $4)
- ')
- 
++##	Do not audit attempts to read/write inherited
++##	locks (/var/lock).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_rw_inherited_locks',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++')
 +
 +########################################
 +## <summary>
-+## Relabel dirs in the /var directory.
++##	Set the attributes of the /var/lock directory.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15433,21 +17347,18 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabel_var_dirs',`
++interface(`files_setattr_lock_dirs',`
 +	gen_require(`
-+		type var_t;
++		type var_lock_t;
 +	')
-+    allow $1 var_t:dir relabel_dir_perms;
++
++	allow $1 var_lock_t:dir setattr;
 +')
 +
- ########################################
- ## <summary>
- ##	Get the attributes of the /var/lib directory.
-@@ -5527,6 +6966,25 @@ interface(`files_rw_var_lib_dirs',`
- 
- ########################################
- ## <summary>
-+##	Create directories in /var/lib
++########################################
++## <summary>
++##	Add and remove entries in the /var/lock
++##	directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15455,28 +17366,38 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_create_var_lib_dirs',`
++interface(`files_rw_lock_dirs',`
 +	gen_require(`
-+		type var_lib_t;
++		type var_t, var_lock_t;
 +	')
 +
-+	allow $1 var_lib_t:dir { create rw_dir_perms };
++	files_search_locks($1)
++	rw_dirs_pattern($1, var_t, var_lock_t)
 +')
 +
-+
 +########################################
 +## <summary>
- ##	Create objects in the /var/lib directory
- ## </summary>
- ## <param name="domain">
-@@ -5596,6 +7054,25 @@ interface(`files_read_var_lib_symlinks',`
- 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
- 
++## 	Create lock directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`files_create_lock_dirs',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	create_dirs_pattern($1, var_lock_t, var_lock_t)
++')
++
 +########################################
 +## <summary>
-+##	manage generic symbolic links
-+##	in the /var/lib directory.
++##	Relabel to and from all lock directory types.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15484,25 +17405,41 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_manage_var_lib_symlinks',`
++interface(`files_relabel_all_lock_dirs',`
 +	gen_require(`
-+		type var_lib_t;
++		attribute lockfile;
++		type var_t, var_lock_t;
 +	')
 +
-+	manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_dirs_pattern($1, lockfile, lockfile)
 +')
 +
- # cjp: the next two interfaces really need to be fixed
- # in some way.  They really neeed their own types.
- 
-@@ -5619,6 +7096,42 @@ interface(`files_manage_urandom_seed',`
- 	manage_files_pattern($1, var_lib_t, var_lib_t)
- ')
- 
++########################################
++## <summary>
++##	Relabel to and from all lock file types.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_relabel_all_lock_files',`
++	gen_require(`
++		attribute lockfile;
++		type var_t, var_lock_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	relabel_files_pattern($1, lockfile, lockfile)
++')
 +
 +########################################
 +## <summary>
-+## Relabel to dirs in the /var/lib directory.
++##	Get the attributes of generic lock files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15510,17 +17447,39 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabelto_var_lib_dirs',`
++interface(`files_getattr_generic_locks',`
 +	gen_require(`
-+		type var_lib_t;
++		type var_t, var_lock_t;
 +	')
-+    allow $1 var_lib_t:dir relabelto;
++
++	files_search_locks($1)
++	allow $1 var_lock_t:dir list_dir_perms;
++	getattr_files_pattern($1, var_lock_t, var_lock_t)
 +')
 +
++########################################
++## <summary>
++##	Delete generic lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_generic_locks',`
++       gen_require(`
++		type var_t, var_lock_t;
++       ')
++
++       files_search_locks($1)
++       delete_files_pattern($1, var_lock_t, var_lock_t)
++')
 +
 +########################################
 +## <summary>
-+## Relabel dirs in the /var/lib directory.
++##	Create, read, write, and delete generic
++##	lock files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15528,139 +17487,62 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_relabel_var_lib_dirs',`
++interface(`files_manage_generic_locks',`
 +	gen_require(`
-+		type var_lib_t;
++		type var_t, var_lock_t;
 +	')
-+    allow $1 var_lib_t:dir relabel_dir_perms;
-+')
 +
- ########################################
- ## <summary>
- ##	Allow domain to manage mount tables
-@@ -5641,7 +7154,7 @@ interface(`files_manage_mounttab',`
- 
- ########################################
- ## <summary>
--##	Set the attributes of the generic lock directories.
-+##	List generic lock directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5649,12 +7162,13 @@ interface(`files_manage_mounttab',`
- ##	</summary>
- ## </param>
- #
--interface(`files_setattr_lock_dirs',`
-+interface(`files_list_locks',`
- 	gen_require(`
- 		type var_t, var_lock_t;
- 	')
- 
--	setattr_dirs_pattern($1, var_t, var_lock_t)
 +	files_search_locks($1)
-+	list_dirs_pattern($1, var_t, var_lock_t)
- ')
- 
- ########################################
-@@ -5672,6 +7186,7 @@ interface(`files_search_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
-+	files_search_pids($1)
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_lock_t)
- ')
-@@ -5698,7 +7213,26 @@ interface(`files_dontaudit_search_locks',`
- 
- ########################################
- ## <summary>
--##	List generic lock directories.
-+##	Do not audit attempts to read/write inherited
-+##	locks (/var/lock).
++	manage_files_pattern($1, var_lock_t, var_lock_t)
++')
++
++########################################
++## <summary>
++##	Delete all lock files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`files_dontaudit_rw_inherited_locks',`
++interface(`files_delete_all_locks',`
 +	gen_require(`
-+		type var_lock_t;
++		attribute lockfile;
++		type var_t, var_lock_t;
 +	')
 +
-+	dontaudit $1 var_lock_t:file rw_inherited_file_perms;
++	allow $1 var_t:dir search_dir_perms;
++	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	delete_files_pattern($1, lockfile, lockfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Set the attributes of the /var/lock directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5706,13 +7240,12 @@ interface(`files_dontaudit_search_locks',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_locks',`
-+interface(`files_setattr_lock_dirs',`
- 	gen_require(`
--		type var_t, var_lock_t;
-+		type var_lock_t;
- 	')
- 
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_lock_t)
-+	allow $1 var_lock_t:dir setattr;
- ')
- 
- ########################################
-@@ -5731,7 +7264,7 @@ interface(`files_rw_lock_dirs',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	files_search_locks($1)
- 	rw_dirs_pattern($1, var_t, var_lock_t)
- ')
- 
-@@ -5764,7 +7297,6 @@ interface(`files_create_lock_dirs',`
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
- interface(`files_relabel_all_lock_dirs',`
- 	gen_require(`
-@@ -5779,7 +7311,7 @@ interface(`files_relabel_all_lock_dirs',`
- 
- ########################################
- ## <summary>
--##	Get the attributes of generic lock files.
-+##	Relabel to and from all lock file types.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5787,13 +7319,33 @@ interface(`files_relabel_all_lock_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_getattr_generic_locks',`
-+interface(`files_relabel_all_lock_files',`
- 	gen_require(`
++##	Read all lock files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_all_locks',`
++	gen_require(`
 +		attribute lockfile;
- 		type var_t, var_lock_t;
- 	')
- 
- 	allow $1 var_t:dir search_dir_perms;
- 	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
-+	relabel_files_pattern($1, lockfile, lockfile)
++		type var_t, var_lock_t;
++	')
++
++	files_search_locks($1)
++	allow $1 lockfile:dir list_dir_perms;
++	read_files_pattern($1, lockfile, lockfile)
++	read_lnk_files_pattern($1, lockfile, lockfile)
 +')
 +
 +########################################
 +## <summary>
-+##	Get the attributes of generic lock files.
++##	manage all lock files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -15668,92 +17550,113 @@ index f962f76ad..74a6d0a54 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_getattr_generic_locks',`
++interface(`files_manage_all_locks',`
 +	gen_require(`
++		attribute lockfile;
 +		type var_t, var_lock_t;
 +	')
 +
 +	files_search_locks($1)
- 	allow $1 var_lock_t:dir list_dir_perms;
- 	getattr_files_pattern($1, var_lock_t, var_lock_t)
- ')
-@@ -5809,13 +7361,12 @@ interface(`files_getattr_generic_locks',`
- ## </param>
- #
- interface(`files_delete_generic_locks',`
--	gen_require(`
-+       gen_require(`
- 		type var_t, var_lock_t;
--	')
-+       ')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	delete_files_pattern($1, var_lock_t, var_lock_t)
-+       files_search_locks($1)
-+       delete_files_pattern($1, var_lock_t, var_lock_t)
- ')
- 
- ########################################
-@@ -5834,9 +7385,7 @@ interface(`files_manage_generic_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	manage_dirs_pattern($1, var_lock_t, var_lock_t)
-+	files_search_locks($1)
- 	manage_files_pattern($1, var_lock_t, var_lock_t)
- ')
- 
-@@ -5878,8 +7427,7 @@ interface(`files_read_all_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_locks($1)
- 	allow $1 lockfile:dir list_dir_perms;
- 	read_files_pattern($1, lockfile, lockfile)
- 	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7449,7 @@ interface(`files_manage_all_locks',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
--	allow $1 { var_t var_lock_t }:dir search_dir_perms;
-+	files_search_locks($1)
- 	manage_dirs_pattern($1, lockfile, lockfile)
- 	manage_files_pattern($1, lockfile, lockfile)
- 	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7486,7 @@ interface(`files_lock_filetrans',`
- 		type var_t, var_lock_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
++	manage_dirs_pattern($1, lockfile, lockfile)
++	manage_files_pattern($1, lockfile, lockfile)
++	manage_lnk_files_pattern($1, lockfile, lockfile)
++')
++
++########################################
++## <summary>
++##	Create an object in the locks directory, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_lock_filetrans',`
++	gen_require(`
++		type var_t, var_lock_t;
++	')
++
 +	files_search_locks($1)
- 	filetrans_pattern($1, var_lock_t, $2, $3, $4)
- ')
- 
-@@ -5979,7 +7525,7 @@ interface(`files_setattr_pid_dirs',`
- 		type var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	filetrans_pattern($1, var_lock_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes
++##	of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir getattr;
++')
++
++########################################
++## <summary>
++##	Set the attributes of the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_setattr_pid_dirs',`
++	gen_require(`
++		type var_run_t;
++	')
++
 +	files_search_pids($1)
- 	allow $1 var_run_t:dir setattr;
- ')
- 
-@@ -5999,10 +7545,48 @@ interface(`files_search_pids',`
- 		type var_t, var_run_t;
- 	')
- 
++	allow $1 var_run_t:dir setattr;
++')
++
++########################################
++## <summary>
++##	Search the contents of runtime process
++##	ID directories (/var/run).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
 +	allow $1 var_t:lnk_file read_lnk_file_perms;
- 	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	search_dirs_pattern($1, var_t, var_run_t)
- ')
- 
++	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++	search_dirs_pattern($1, var_t, var_run_t)
++')
++
 +######################################
 +## <summary>
 +## Add and remove entries from pid directories.
@@ -15791,59 +17694,60 @@ index f962f76ad..74a6d0a54 100644
 +        allow $1 var_run_t:dir create_dir_perms;
 +')
 +
- ########################################
- ## <summary>
- ##	Do not audit attempts to search
-@@ -6025,42 +7609,79 @@ interface(`files_dontaudit_search_pids',`
- 
- ########################################
- ## <summary>
--##	List the contents of the runtime process
--##	ID directories (/var/run).
++########################################
++## <summary>
++##	Do not audit attempts to search
++##	the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_pids',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 var_run_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to search
 +##	the all /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`files_list_pids',`
++##	</summary>
++## </param>
++#
 +interface(`files_dontaudit_search_all_pids',`
- 	gen_require(`
--		type var_t, var_run_t;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
++	')
++
 +	dontaudit $1 pidfile:dir search_dir_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Read generic process ID files.
++')
++
++########################################
++## <summary>
 +##	Allow search the all /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
--interface(`files_read_generic_pids',`
++##	</summary>
++## </param>
++#
 +interface(`files_search_all_pids',`
- 	gen_require(`
--		type var_t, var_run_t;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, var_run_t)
--	read_files_pattern($1, var_run_t, var_run_t)
++	')
++
 +	allow $1 pidfile:dir search_dir_perms;
 +')
 +
@@ -15885,30 +17789,113 @@ index f962f76ad..74a6d0a54 100644
 +	files_search_pids($1)
 +	list_dirs_pattern($1, var_t, var_run_t)
 +	read_files_pattern($1, var_run_t, var_run_t)
- ')
- 
- ########################################
-@@ -6078,7 +7699,7 @@ interface(`files_write_generic_pid_pipes',`
- 		type var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++')
++
++########################################
++## <summary>
++##	Write named generic process ID pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_write_generic_pid_pipes',`
++	gen_require(`
++		type var_run_t;
++	')
++
 +	files_search_pids($1)
- 	allow $1 var_run_t:fifo_file write;
- ')
- 
-@@ -6140,7 +7761,6 @@ interface(`files_pid_filetrans',`
- 	')
- 
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	filetrans_pattern($1, var_run_t, $2, $3, $4)
- ')
- 
-@@ -6169,6 +7789,24 @@ interface(`files_pid_filetrans_lock_dir',`
- 
- ########################################
- ## <summary>
++	allow $1 var_run_t:fifo_file write;
++')
++
++########################################
++## <summary>
++##	Create an object in the process ID directory, with a private type.
++## </summary>
++## <desc>
++##	<p>
++##	Create an object in the process ID directory (e.g., /var/run)
++##	with a private type.  Typically this is used for creating
++##	private PID files in /var/run with the private type instead
++##	of the general PID file type. To accomplish this goal,
++##	either the program must be SELinux-aware, or use this interface.
++##	</p>
++##	<p>
++##	Related interfaces:
++##	</p>
++##	<ul>
++##		<li>files_pid_file()</li>
++##	</ul>
++##	<p>
++##	Example usage with a domain that can create and
++##	write its PID file with a private PID file type in the
++##	/var/run directory:
++##	</p>
++##	<p>
++##	type mypidfile_t;
++##	files_pid_file(mypidfile_t)
++##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
++##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++## <infoflow type="write" weight="10"/>
++#
++interface(`files_pid_filetrans',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_run_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++## 	Create a generic lock directory within the run directories
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_pid_filetrans_lock_dir',`
++	gen_require(`
++		type var_lock_t;
++	')
++
++	files_pid_filetrans($1, var_lock_t, dir, $2)
++')
++
++########################################
++## <summary>
 +##	rw generic pid files inherited from another process
 +## </summary>
 +## <param name="domain">
@@ -15927,319 +17914,300 @@ index f962f76ad..74a6d0a54 100644
 +
 +########################################
 +## <summary>
- ##	Read and write generic process ID files.
- ## </summary>
- ## <param name="domain">
-@@ -6182,7 +7820,7 @@ interface(`files_rw_generic_pids',`
- 		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
++##	Read and write generic process ID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_rw_generic_pids',`
++	gen_require(`
++		type var_t, var_run_t;
++	')
++
 +	files_search_pids($1)
- 	list_dirs_pattern($1, var_t, var_run_t)
- 	rw_files_pattern($1, var_run_t, var_run_t)
- ')
-@@ -6249,55 +7887,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
- 
- ########################################
- ## <summary>
--##	Read all process ID files.
++	list_dirs_pattern($1, var_t, var_run_t)
++	rw_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes of
++##	daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file getattr;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write to daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_all_pids',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file write;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to ioctl daemon runtime data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_ioctl_all_pids',`
++	gen_require(`
++		attribute pidfile;
++		type var_run_t;
++	')
++
++	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
++	dontaudit $1 pidfile:file ioctl;
++')
++
++########################################
++## <summary>
 +##	Relable all pid directories
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_read_all_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_relabel_all_pid_dirs',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	list_dirs_pattern($1, var_t, pidfile)
--	read_files_pattern($1, pidfile, pidfile)
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	relabel_dirs_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Delete all process IDs.
++')
++
++########################################
++## <summary>
 +##	Delete all pid sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <rolecap/>
- #
--interface(`files_delete_all_pids',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_pid_sockets',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	allow $1 var_run_t:dir rmdir;
--	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
--	delete_files_pattern($1, pidfile, pidfile)
--	delete_fifo_files_pattern($1, pidfile, pidfile)
--	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	allow $1 pidfile:sock_file delete_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Delete all process ID directories.
++')
++
++########################################
++## <summary>
 +##	Create all pid sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6305,42 +7931,35 @@ interface(`files_delete_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_delete_all_pid_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_create_all_pid_sockets',`
- 	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
--	delete_dirs_pattern($1, pidfile, pidfile)
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	allow $1 pidfile:sock_file create_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
++')
++
++########################################
++## <summary>
 +##	Create all pid named pipes
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain alloed access.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_all_pids',`
++##	</summary>
++## </param>
++#
 +interface(`files_create_all_pid_pipes',`
- 	gen_require(`
- 		attribute pidfile;
- 	')
- 
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
++	gen_require(`
++		attribute pidfile;
++	')
++
 +	allow $1 pidfile:fifo_file create_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
++')
++
++########################################
++## <summary>
 +##	Delete all pid named pipes
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6348,18 +7967,18 @@ interface(`files_manage_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_pid_pipes',`
- 	gen_require(`
--		attribute polymember;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	allow $1 polymember:dir mounton;
++	')
++
 +	allow $1 pidfile:fifo_file delete_fifo_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Search the contents of generic spool
--##	directories (/var/spool).
++')
++
++########################################
++## <summary>
 +##	manage all pidfile directories
 +##	in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6367,37 +7986,40 @@ interface(`files_mounton_all_poly_members',`
- ##	</summary>
- ## </param>
- #
--interface(`files_search_spool',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_manage_all_pid_dirs',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	search_dirs_pattern($1, var_t, var_spool_t)
++	')
++
 +	manage_dirs_pattern($1,pidfile,pidfile)
- ')
- 
++')
 +
- ########################################
- ## <summary>
--##	Do not audit attempts to search generic
--##	spool directories.
++
++########################################
++## <summary>
 +##	Read all process ID files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain to not audit.
++## </summary>
++## <param name="domain">
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_dontaudit_search_spool',`
++#
 +interface(`files_read_all_pids',`
- 	gen_require(`
--		type var_spool_t;
++	gen_require(`
 +		attribute pidfile;
 +		type var_t;
- 	')
- 
--	dontaudit $1 var_spool_t:dir search_dir_perms;
-+	list_dirs_pattern($1, var_t, pidfile)
-+	read_files_pattern($1, pidfile, pidfile)
-+	read_lnk_files_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	List the contents of generic spool
--##	(/var/spool) directories.
++	')
++
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
++	read_lnk_files_pattern($1, pidfile, pidfile)
++')
++
++########################################
++## <summary>
 +##	Relable all pid files
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6405,18 +8027,17 @@ interface(`files_dontaudit_search_spool',`
- ##	</summary>
- ## </param>
- #
--interface(`files_list_spool',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_relabel_all_pid_files',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	list_dirs_pattern($1, var_t, var_spool_t)
++	')
++
 +	relabel_files_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete generic
--##	spool directories (/var/spool).
++')
++
++########################################
++## <summary>
 +##	Execute generic programs in /var/run in the caller domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6424,18 +8045,18 @@ interface(`files_list_spool',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_spool_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_exec_generic_pid_files',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		type var_run_t;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	manage_dirs_pattern($1, var_spool_t, var_spool_t)
++	')
++
 +	exec_files_pattern($1, var_run_t, var_run_t)
- ')
- 
- ########################################
- ## <summary>
--##	Read generic spool files.
++')
++
++########################################
++## <summary>
 +##	Write all sockets
 +##	in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6443,19 +8064,18 @@ interface(`files_manage_generic_spool_dirs',`
- ##	</summary>
- ## </param>
- #
--interface(`files_read_generic_spool',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_write_all_pid_sockets',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	list_dirs_pattern($1, var_t, var_spool_t)
--	read_files_pattern($1, var_spool_t, var_spool_t)
++	')
++
 +	allow $1 pidfile:sock_file write_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Create, read, write, and delete generic
--##	spool files.
++')
++
++########################################
++## <summary>
 +##	manage all pidfiles 
 +##	in the /var/run directory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6463,55 +8083,62 @@ interface(`files_read_generic_spool',`
- ##	</summary>
- ## </param>
- #
--interface(`files_manage_generic_spool',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_manage_all_pids',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
- 	')
- 
--	allow $1 var_t:dir search_dir_perms;
--	manage_files_pattern($1, var_spool_t, var_spool_t)
++	')
++
 +	manage_files_pattern($1,pidfile,pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Create objects in the spool directory
--##	with a private type with a type transition.
++')
++
++########################################
++## <summary>
 +##	Mount filesystems on all polyinstantiation
 +##	member directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
--## <param name="file">
--##	<summary>
--##	Type to which the created node will be transitioned.
--##	</summary>
--## </param>
--## <param name="class">
--##	<summary>
--##	Object class(es) (single or set including {}) for which this
--##	the transition will occur.
--##	</summary>
--## </param>
--## <param name="name" optional="true">
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +#
 +interface(`files_mounton_all_poly_members',`
 +	gen_require(`
@@ -16254,100 +18222,53 @@ index f962f76ad..74a6d0a54 100644
 +##	Delete all process IDs.
 +## </summary>
 +## <param name="domain">
- ##	<summary>
--##	The name of the object being created.
++##	<summary>
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_spool_filetrans',`
++#
 +interface(`files_delete_all_pids',`
- 	gen_require(`
--		type var_t, var_spool_t;
++	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
- 
++	')
++
 +	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	filetrans_pattern($1, var_spool_t, $2, $3, $4)
++	allow $1 var_t:dir search_dir_perms;
 +	allow $1 var_run_t:dir rmdir;
 +	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
 +	delete_files_pattern($1, pidfile, pidfile)
 +	delete_fifo_files_pattern($1, pidfile, pidfile)
 +	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
- 
- ########################################
- ## <summary>
--##	Allow access to manage all polyinstantiated
--##	directories on the system.
++')
++
++########################################
++## <summary>
 +##	Delete all process ID directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6519,64 +8146,963 @@ interface(`files_spool_filetrans',`
- ##	</summary>
- ## </param>
- #
--interface(`files_polyinstantiate_all',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_pid_dirs',`
- 	gen_require(`
--		attribute polydir, polymember, polyparent;
--		type poly_t;
++	gen_require(`
 +		attribute pidfile;
 +		type var_t, var_run_t;
- 	')
- 
--	# Need to give access to /selinux/member
--	selinux_compute_member($1)
--
--	# Need sys_admin capability for mounting
--	allow $1 self:capability { chown fsetid sys_admin fowner };
--
--	# Need to give access to the directories to be polyinstantiated
--	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
--	# Need to give access to the polyinstantiated subdirectories
--	allow $1 polymember:dir search_dir_perms;
--
--	# Need to give access to parent directories where original
--	# is remounted for polyinstantiation aware programs (like gdm)
--	allow $1 polyparent:dir { getattr mounton };
--
--	# Need to give permission to create directories where applicable
--	allow $1 self:process setfscreate;
--	allow $1 polymember: dir { create setattr relabelto };
--	allow $1 polydir: dir { write add_name open };
--	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
--
--	# Default type for mountpoints
--	allow $1 poly_t:dir { create mounton };
--	fs_unmount_xattr_fs($1)
--
--	fs_mount_tmpfs($1)
--	fs_unmount_tmpfs($1)
--
--	ifdef(`distro_redhat',`
--		# namespace.init
--		files_search_tmp($1)
--		files_search_home($1)
--		corecmd_exec_bin($1)
--		seutil_domtrans_setfiles($1)
--	')
++	')
++
 +	files_search_pids($1)
 +	allow $1 var_t:dir search_dir_perms;
 +	delete_dirs_pattern($1, pidfile, pidfile)
- ')
- 
- ########################################
- ## <summary>
--##	Unconfined access to files.
++')
++
++########################################
++## <summary>
 +##	Make the specified type a file
 +##	used for spool files.
- ## </summary>
--## <param name="domain">
++## </summary>
 +## <desc>
 +##	<p>
 +##	Make the specified type usable for spool files.
@@ -16375,22 +18296,18 @@ index f962f76ad..74a6d0a54 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
- ##	<summary>
--##	Domain allowed access.
++##	<summary>
 +##	Type of the file to be used as a
 +##	spool file.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <infoflow type="none"/>
- #
--interface(`files_unconfined',`
++#
 +interface(`files_spool_file',`
- 	gen_require(`
--		attribute files_unconfined_type;
++	gen_require(`
 +		attribute spoolfile;
- 	')
- 
--	typeattribute $1 files_unconfined_type;
++	')
++
 +	files_type($1)
 +	typeattribute $1 spoolfile;
 +')
@@ -16475,109 +18392,138 @@ index f962f76ad..74a6d0a54 100644
 +## <summary>
 +##	Do not audit attempts to search generic
 +##	spool directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5955,18 +8311,18 @@ interface(`files_lock_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_pid_dirs',`
 +interface(`files_dontaudit_search_spool',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_run_t;
 +		type var_spool_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir getattr;
 +	dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of the /var/run directory.
 +##	List the contents of generic spool
 +##	(/var/spool) directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5974,19 +8330,18 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_setattr_pid_dirs',`
 +interface(`files_list_spool',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_run_t;
 +		type var_t, var_spool_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir setattr;
 +	list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of runtime process
+-##	ID directories (/var/run).
 +##	Create, read, write, and delete generic
 +##	spool directories (/var/spool).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -5994,39 +8349,38 @@ interface(`files_setattr_pid_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_pids',`
 +interface(`files_manage_generic_spool_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_t, var_spool_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	search_dirs_pattern($1, var_t, var_run_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the /var/run directory.
 +##	Read generic spool files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_pids',`
 +interface(`files_read_generic_spool',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_run_t;
 +		type var_t, var_spool_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 var_run_t:dir search_dir_perms;
 +	list_dirs_pattern($1, var_t, var_spool_t)
 +	read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the runtime process
+-##	ID directories (/var/run).
 +##	Create, read, write, and delete generic
 +##	spool files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6034,38 +8388,55 @@ interface(`files_dontaudit_search_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_pids',`
 +interface(`files_manage_generic_spool',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_t, var_spool_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic process ID files.
 +##	Create objects in the spool directory
 +##	with a private type with a type transition.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
 +## <param name="file">
 +##	<summary>
 +##	Type to which the created node will be transitioned.
@@ -16594,33 +18540,43 @@ index f962f76ad..74a6d0a54 100644
 +##	The name of the object being created.
 +##	</summary>
 +## </param>
-+#
+ #
+-interface(`files_read_generic_pids',`
 +interface(`files_spool_filetrans',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		type var_t, var_spool_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	read_files_pattern($1, var_run_t, var_run_t)
 +	allow $1 var_t:dir search_dir_perms;
 +	filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write named generic process ID pipes
 +##	Allow access to manage all polyinstantiated
 +##	directories on the system.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6073,43 +8444,75 @@ interface(`files_read_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_write_generic_pid_pipes',`
 +interface(`files_polyinstantiate_all',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_run_t;
 +		attribute polydir, polymember, polyparent;
 +		type poly_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:fifo_file write;
 +	# Need to give access to /selinux/member
 +	selinux_compute_member($1)
 +
@@ -16657,10 +18613,11 @@ index f962f76ad..74a6d0a54 100644
 +		corecmd_exec_bin($1)
 +		seutil_domtrans_setfiles($1)
 +	')
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create an object in the process ID directory, with a private type.
 +##	Unconfined access to files.
 +## </summary>
 +## <param name="domain">
@@ -16680,17 +18637,40 @@ index f962f76ad..74a6d0a54 100644
 +########################################
 +## <summary>
 +##	Create a core files in /
-+## </summary>
-+## <desc>
-+##	<p>
+ ## </summary>
+ ## <desc>
+ ##	<p>
+-##	Create an object in the process ID directory (e.g., /var/run)
+-##	with a private type.  Typically this is used for creating
+-##	private PID files in /var/run with the private type instead
+-##	of the general PID file type. To accomplish this goal,
+-##	either the program must be SELinux-aware, or use this interface.
+-##	</p>
+-##	<p>
+-##	Related interfaces:
+-##	</p>
+-##	<ul>
+-##		<li>files_pid_file()</li>
+-##	</ul>
+-##	<p>
+-##	Example usage with a domain that can create and
+-##	write its PID file with a private PID file type in the
+-##	/var/run directory:
+-##	</p>
+-##	<p>
+-##	type mypidfile_t;
+-##	files_pid_file(mypidfile_t)
+-##	allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
+-##	files_pid_filetrans(mydomain_t, mypidfile_t, file)
 +##	Create a core file in /,
-+##	</p>
-+## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</p>
+ ## </desc>
+ ## <param name="domain">
+@@ -6117,14 +8520,82 @@ interface(`files_write_generic_pid_pipes',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="private type">
 +## <rolecap/>
 +#
 +interface(`files_manage_root_files',`
@@ -16731,12 +18711,14 @@ index f962f76ad..74a6d0a54 100644
 +##	type transition.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The type of the object to be created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="object">
-+##	<summary>
+ ##	</summary>
+ ## </param>
+ ## <param name="object">
+ ##	<summary>
+-##	The object class of the object being created.
 +##	The class of the object being created.
 +##	</summary>
 +## </param>
@@ -16767,14 +18749,16 @@ index f962f76ad..74a6d0a54 100644
 +## <param name="object">
 +##	<summary>
 +##	The class of the object being created.
-+##	</summary>
-+## </param>
-+## <param name="name" optional="true">
-+##	<summary>
-+##	The name of the object being created.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ ## <param name="name" optional="true">
+@@ -6132,65 +8603,92 @@ interface(`files_write_generic_pid_pipes',`
+ ##	The name of the object being created.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="write" weight="10"/>
+ #
+-interface(`files_pid_filetrans',`
 +interface(`files_filetrans_lib',`
 +       gen_require(`
 +               type lib_t, lib_t;
@@ -16814,292 +18798,399 @@ index f962f76ad..74a6d0a54 100644
 +## </param>
 +#
 +interface(`files_dontaudit_getattr_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	filetrans_pattern($1, var_run_t, $2, $3, $4)
 +	allow $1 tmpfsfile:file getattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-## 	Create a generic lock directory within the run directories
 +##	Allow delete all tmpfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+-## 	<summary>
+-##	Domain allowed access
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_pid_filetrans_lock_dir',`
 +interface(`files_delete_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_lock_t;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	files_pid_filetrans($1, var_lock_t, dir, $2)
 +	allow $1 tmpfsfile:file delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic process ID files.
 +##	Allow read write all tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_rw_generic_pids',`
 +interface(`files_rw_tmpfs_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_run_t;
 +		attribute tmpfsfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, var_run_t)
+-	rw_files_pattern($1, var_run_t, var_run_t)
 +	allow $1 tmpfsfile:file { read write };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes of
+-##	daemon runtime data files.
 +##	Do not audit attempts to read security files 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6198,19 +8696,17 @@ interface(`files_rw_generic_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_getattr_all_pids',`
 +interface(`files_dontaudit_read_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
 +		attribute security_file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file getattr;
 +	dontaudit $1 security_file_type:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write to daemon runtime data files.
 +##	Do not audit attempts to search security files 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6218,18 +8714,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_write_all_pids',`
 +interface(`files_dontaudit_search_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute security_file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file write;
 +	dontaudit $1 security_file_type:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to ioctl daemon runtime data files.
 +##	Do not audit attempts to read security dirs 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6237,41 +8732,43 @@ interface(`files_dontaudit_write_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_ioctl_all_pids',`
 +interface(`files_dontaudit_list_security_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_run_t;
 +		attribute security_file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;
+-	dontaudit $1 pidfile:file ioctl;
 +	dontaudit $1 security_file_type:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read all process ID files.
 +##	rw any files inherited from another process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
 +## <param name="object_type">
 +##  <summary>
 +##  Object type.
 +##  </summary>
 +## </param>
-+#
+ #
+-interface(`files_read_all_pids',`
 +interface(`files_rw_all_inherited_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
 +	allow $1 { file_type $2 }:file rw_inherited_file_perms;
 +	allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms;
 +	allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms;
 +	allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
 +##	Allow any file point to be the entrypoint of this domain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6280,67 +8777,56 @@ interface(`files_read_all_pids',`
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
 +interface(`files_entrypoint_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute file_type;
 +		type unlabeled_t;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
 +	allow $1 {file_type -unlabeled_t} :file entrypoint;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
 +##	Do not audit attempts to rw inherited file perms
 +##	of non security files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
 +interface(`files_dontaudit_all_non_security_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
+-		type var_t, var_run_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	delete_dirs_pattern($1, pidfile, pidfile)
 +	dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
 +##	Do not audit attempts to read or write
 +##	all leaked files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
 +interface(`files_dontaudit_leaks',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute pidfile;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
 +	dontaudit $1 file_type:file rw_inherited_file_perms;
 +	dontaudit $1 file_type:lnk_file { read };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
 +##	Allow domain to create_file_ass all types
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6348,37 +8834,37 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
 +interface(`files_create_as_is_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polymember;
 +		attribute file_type;
 +		class kernel_service create_files_as;
-+	')
-+
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
 +	allow $1 file_type:kernel_service create_files_as;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of generic spool
+-##	directories (/var/spool).
 +##	Do not audit attempts to check the 
 +##	access on all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
 +interface(`files_dontaudit_all_access_check',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_spool_t)
 +	dontaudit $1 file_type:dir_file_class_set audit_access;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search generic
+-##	spool directories.
 +##	Do not audit attempts to write to all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6386,132 +8872,227 @@ interface(`files_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_dontaudit_search_spool',`
 +interface(`files_dontaudit_write_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 var_spool_t:dir search_dir_perms;
 +	dontaudit $1 file_type:dir_file_class_set write;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic spool
+-##	(/var/spool) directories.
 +##	Allow domain to delete to all files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
 +interface(`files_delete_all_non_security_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
 +	allow $1 non_security_file_type:dir del_entry_dir_perms;
 +	allow $1 non_security_file_type:file_class_set delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool directories (/var/spool).
 +##	Allow domain to delete to all dirs
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
 +interface(`files_delete_all_non_security_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute non_security_file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 +	allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms };
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic spool files.
 +##	Transition named content in the var_run_t directory
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##      Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_filetrans_named_content',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +        type etc_t;
 +		type mnt_t;
 +		type usr_t;
@@ -17108,8 +19199,10 @@ index f962f76ad..74a6d0a54 100644
 +		type var_run_t;
 +        type var_lock_t;
 +		type tmp_t;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
 +	files_pid_filetrans($1, mnt_t, dir, "media")
 +	files_root_filetrans($1, etc_runtime_t, file, ".readahead")
 +	files_root_filetrans($1, etc_runtime_t, file, ".autorelabel")
@@ -17149,13 +19242,16 @@ index f962f76ad..74a6d0a54 100644
 +	files_var_filetrans($1, tmp_t, dir, "tmp")
 +	files_var_filetrans($1, var_run_t, dir, "run")
 +	files_var_filetrans($1, etc_runtime_t, file, ".updated")
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
 +##	Make the specified type a
 +##	base file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <desc>
 +##	<p>
 +##	Identify file type as base file type.  Tools will use this attribute,
@@ -17163,35 +19259,46 @@ index f962f76ad..74a6d0a54 100644
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a base files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
 +## <infoflow type="none"/>
-+#
+ #
+-interface(`files_manage_generic_spool',`
 +interface(`files_base_file',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute base_file_type;
-+	')
+ 	')
+-
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_spool_t, var_spool_t)
 +	files_type($1)
 +	typeattribute $1 base_file_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create objects in the spool directory
+-##	with a private type with a type transition.
 +##	Make the specified type a
 +##	base read only file.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <desc>
 +##	<p>
 +##	Make the specified type readable for all domains.
 +##	</p>
 +## </desc>
 +## <param name="file_type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a base read only files.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="file">
 +## <infoflow type="none"/>
 +#
 +interface(`files_ro_base_file',`
@@ -17207,10 +19314,12 @@ index f962f76ad..74a6d0a54 100644
 +##	Read all ro base files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Type to which the created node will be transitioned.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="class">
 +## <rolecap/>
 +#
 +interface(`files_read_all_base_ro_files',`
@@ -17228,10 +19337,13 @@ index f962f76ad..74a6d0a54 100644
 +##	Execute all base ro files.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="name" optional="true">
 +## <rolecap/>
 +#
 +interface(`files_exec_all_base_ro_files',`
@@ -17248,52 +19360,102 @@ index f962f76ad..74a6d0a54 100644
 +##	any file.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	The name of the object being created.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_spool_filetrans',`
 +interface(`files_config_all_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute file_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
 +	allow $1 file_type:service all_service_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
 +##	Get the status of etc_t files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6519,53 +9100,17 @@ interface(`files_spool_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
 +interface(`files_status_etc',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
 +		type etc_t;
-+	')
-+
+ 	')
+ 
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
+-
+-	# Need to give access to parent directories where original
+-	# is remounted for polyinstantiation aware programs (like gdm)
+-	allow $1 polyparent:dir { getattr mounton };
+-
+-	# Need to give permission to create directories where applicable
+-	allow $1 self:process setfscreate;
+-	allow $1 polymember: dir { create setattr relabelto };
+-	allow $1 polydir: dir { write add_name open };
+-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+-	# Default type for mountpoints
+-	allow $1 poly_t:dir { create mounton };
+-	fs_unmount_xattr_fs($1)
+-
+-	fs_mount_tmpfs($1)
+-	fs_unmount_tmpfs($1)
+-
+-	ifdef(`distro_redhat',`
+-		# namespace.init
+-		files_search_tmp($1)
+-		files_search_home($1)
+-		corecmd_exec_bin($1)
+-		seutil_domtrans_setfiles($1)
+-	')
 +	allow $1 etc_t:service status;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unconfined access to files.
 +##	Dontaudit Mount a modules_object_t
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6573,10 +9118,10 @@ interface(`files_polyinstantiate_all',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_unconfined',`
 +interface(`files_dontaudit_mounton_modules_object',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute files_unconfined_type;
 +		type modules_object_t;
-+	')
-+
+ 	')
+ 
+-	typeattribute $1 files_unconfined_type;
 +	allow $1 modules_object_t:dir mounton;
  ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
@@ -32854,7 +35016,7 @@ index 6bf0ecc2d..a6b6087eb 100644
 +')
 +
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b403774f..676215ff3 100644
+index 8b403774f..1d0aeba01 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,28 +26,66 @@ gen_require(`
@@ -33317,7 +35479,7 @@ index 8b403774f..676215ff3 100644
 +files_pid_filetrans(xdm_t, xdm_var_run_t, { dir file fifo_file sock_file })
  
 -allow xdm_t xserver_t:process signal;
-+allow xdm_t xserver_t:process { signal signull };
++allow xdm_t xserver_t:process { getattr signal signull };
  allow xdm_t xserver_t:unix_stream_socket connectto;
 +allow xdm_t xserver_t:unix_dgram_socket sendto;
  
@@ -34237,7 +36399,7 @@ index 8b403774f..676215ff3 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -992,18 +1589,148 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1589,150 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -34303,6 +36465,8 @@ index 8b403774f..676215ff3 100644
 +
 +allow xserver_t x_userdomain:shm rw_shm_perms;
 +
++allow x_userdomain xserver_t:unix_dgram_socket sendto;
++
 +allow x_userdomain user_fonts_t:dir list_dir_perms;
 +allow x_userdomain user_fonts_t:file read_file_perms;
 +allow x_userdomain user_fonts_t:lnk_file read_lnk_file_perms;
@@ -38767,7 +40931,7 @@ index 79a45f62e..0244681f0 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 17eda2480..5bff55bd3 100644
+index 17eda2480..c60c4d8e0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -39406,7 +41570,7 @@ index 17eda2480..5bff55bd3 100644
  ')
  
  optional_policy(`
-@@ -216,7 +655,35 @@ optional_policy(`
+@@ -216,7 +655,36 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39440,10 +41604,11 @@ index 17eda2480..5bff55bd3 100644
 +	domain_named_filetrans(init_t)
 +	unconfined_server_domtrans(init_t)
 +    unconfined_server_noatsecure(init_t)
++    unconfined_server_create_tcp_sockets(init_t)
  ')
  
  ########################################
-@@ -225,9 +692,9 @@ optional_policy(`
+@@ -225,9 +693,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -39455,7 +41620,7 @@ index 17eda2480..5bff55bd3 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -258,12 +725,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +726,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -39472,7 +41637,7 @@ index 17eda2480..5bff55bd3 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -279,23 +750,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +751,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -39515,7 +41680,7 @@ index 17eda2480..5bff55bd3 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -303,9 +787,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +788,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -39527,7 +41692,7 @@ index 17eda2480..5bff55bd3 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -313,8 +799,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +800,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -39538,7 +41703,7 @@ index 17eda2480..5bff55bd3 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -322,8 +810,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +811,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -39548,7 +41713,7 @@ index 17eda2480..5bff55bd3 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -332,7 +819,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +820,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -39556,7 +41721,7 @@ index 17eda2480..5bff55bd3 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -340,6 +826,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +827,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -39564,7 +41729,7 @@ index 17eda2480..5bff55bd3 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -347,14 +834,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +835,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -39582,7 +41747,7 @@ index 17eda2480..5bff55bd3 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -364,8 +852,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +853,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -39596,7 +41761,7 @@ index 17eda2480..5bff55bd3 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -375,10 +867,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +868,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -39610,7 +41775,7 @@ index 17eda2480..5bff55bd3 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -387,8 +880,10 @@ mls_process_read_up(initrc_t)
+@@ -387,8 +881,10 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -39621,7 +41786,7 @@ index 17eda2480..5bff55bd3 100644
  
  storage_getattr_fixed_disk_dev(initrc_t)
  storage_setattr_fixed_disk_dev(initrc_t)
-@@ -398,6 +893,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +894,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -39629,7 +41794,7 @@ index 17eda2480..5bff55bd3 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -416,20 +912,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +913,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -39653,7 +41818,7 @@ index 17eda2480..5bff55bd3 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -451,7 +945,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +946,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -39661,7 +41826,7 @@ index 17eda2480..5bff55bd3 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -486,6 +979,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +980,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -39672,7 +41837,7 @@ index 17eda2480..5bff55bd3 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -506,7 +1003,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +1004,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -39681,7 +41846,7 @@ index 17eda2480..5bff55bd3 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -521,6 +1018,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +1019,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -39689,7 +41854,7 @@ index 17eda2480..5bff55bd3 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -541,6 +1039,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +1040,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -39697,7 +41862,7 @@ index 17eda2480..5bff55bd3 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -550,8 +1049,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +1050,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -39742,7 +41907,7 @@ index 17eda2480..5bff55bd3 100644
  	')
  
  	optional_policy(`
-@@ -559,14 +1094,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +1095,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -39774,7 +41939,7 @@ index 17eda2480..5bff55bd3 100644
  	')
  ')
  
-@@ -577,6 +1129,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +1130,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -39814,7 +41979,7 @@ index 17eda2480..5bff55bd3 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -589,6 +1174,8 @@ optional_policy(`
+@@ -589,6 +1175,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -39823,7 +41988,7 @@ index 17eda2480..5bff55bd3 100644
  ')
  
  optional_policy(`
-@@ -610,6 +1197,7 @@ optional_policy(`
+@@ -610,6 +1198,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -39831,7 +41996,7 @@ index 17eda2480..5bff55bd3 100644
  ')
  
  optional_policy(`
-@@ -626,6 +1214,17 @@ optional_policy(`
+@@ -626,6 +1215,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39849,7 +42014,7 @@ index 17eda2480..5bff55bd3 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -642,9 +1241,13 @@ optional_policy(`
+@@ -642,9 +1242,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -39863,7 +42028,7 @@ index 17eda2480..5bff55bd3 100644
  	')
  
  	optional_policy(`
-@@ -657,15 +1260,11 @@ optional_policy(`
+@@ -657,15 +1261,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39881,7 +42046,7 @@ index 17eda2480..5bff55bd3 100644
  ')
  
  optional_policy(`
-@@ -686,6 +1285,15 @@ optional_policy(`
+@@ -686,6 +1286,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39897,7 +42062,7 @@ index 17eda2480..5bff55bd3 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -726,6 +1334,7 @@ optional_policy(`
+@@ -726,6 +1335,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -39905,7 +42070,7 @@ index 17eda2480..5bff55bd3 100644
  ')
  
  optional_policy(`
-@@ -743,7 +1352,13 @@ optional_policy(`
+@@ -743,7 +1353,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39920,7 +42085,7 @@ index 17eda2480..5bff55bd3 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -766,6 +1381,10 @@ optional_policy(`
+@@ -766,6 +1382,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39931,7 +42096,7 @@ index 17eda2480..5bff55bd3 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -775,10 +1394,20 @@ optional_policy(`
+@@ -775,10 +1395,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39952,7 +42117,7 @@ index 17eda2480..5bff55bd3 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -787,6 +1416,10 @@ optional_policy(`
+@@ -787,6 +1417,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39963,7 +42128,7 @@ index 17eda2480..5bff55bd3 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -808,8 +1441,6 @@ optional_policy(`
+@@ -808,8 +1442,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -39972,7 +42137,7 @@ index 17eda2480..5bff55bd3 100644
  ')
  
  optional_policy(`
-@@ -818,6 +1449,10 @@ optional_policy(`
+@@ -818,6 +1450,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39983,7 +42148,7 @@ index 17eda2480..5bff55bd3 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -827,10 +1462,12 @@ optional_policy(`
+@@ -827,10 +1463,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -39996,7 +42161,7 @@ index 17eda2480..5bff55bd3 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -857,21 +1494,63 @@ optional_policy(`
+@@ -857,21 +1495,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40061,7 +42226,7 @@ index 17eda2480..5bff55bd3 100644
  ')
  
  optional_policy(`
-@@ -887,6 +1566,10 @@ optional_policy(`
+@@ -887,6 +1567,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40072,7 +42237,7 @@ index 17eda2480..5bff55bd3 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -897,3 +1580,218 @@ optional_policy(`
+@@ -897,3 +1581,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -48083,7 +50248,7 @@ index 40edc18ab..be7317733 100644
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 +
 diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692c0..853ddefe4 100644
+index 2cea692c0..9c68d9b24 100644
 --- a/policy/modules/system/sysnetwork.if
 +++ b/policy/modules/system/sysnetwork.if
 @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -48510,7 +50675,7 @@ index 2cea692c0..853ddefe4 100644
  	corenet_tcp_sendrecv_generic_if($1)
  	corenet_udp_sendrecv_generic_if($1)
  	corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1057,162 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1057,168 @@ interface(`sysnet_use_portmap',`
  
  	sysnet_read_config($1)
  ')
@@ -48574,6 +50739,7 @@ index 2cea692c0..853ddefe4 100644
 +interface(`sysnet_filetrans_named_content',`
 +	gen_require(`
 +		type net_conf_t;
++		type systemd_resolved_var_run_t;
 +	')
 +
 +	files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
@@ -48598,6 +50764,11 @@ index 2cea692c0..853ddefe4 100644
 +	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
 +	    networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
 +    ')
++
++    optional_policy(`
++        sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf")
++        sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
++    ')
 +')
 +
 +########################################
@@ -52763,7 +54934,7 @@ index 0abaf8432..8b34dbc09 100644
 -/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
 diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index 5ca20a97d..43bb011b3 100644
+index 5ca20a97d..7ffd0e0e3 100644
 --- a/policy/modules/system/unconfined.if
 +++ b/policy/modules/system/unconfined.if
 @@ -12,53 +12,57 @@
@@ -52875,7 +55046,7 @@ index 5ca20a97d..43bb011b3 100644
  ')
  
  ########################################
-@@ -175,258 +185,12 @@ interface(`unconfined_alias_domain',`
+@@ -175,204 +185,12 @@ interface(`unconfined_alias_domain',`
  ## </param>
  #
  interface(`unconfined_execmem_alias_program',`
@@ -53072,36 +55243,44 @@ index 5ca20a97d..43bb011b3 100644
 -	')
 -
 -	allow $1 unconfined_t:process signull;
--')
--
--########################################
--## <summary>
++	refpolicywarn(`$0() has been deprecated.')
+ ')
+ 
+ ########################################
+ ## <summary>
 -##	Send generic signals to the unconfined domain.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Connect to unconfined_server with a unix socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -380,17 +198,19 @@ interface(`unconfined_signull',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`unconfined_signal',`
--	gen_require(`
++interface(`unconfined_server_stream_connect',`
+ 	gen_require(`
 -		type unconfined_t;
--	')
--
++		type unconfined_service_t;
+ 	')
+ 
 -	allow $1 unconfined_t:process signal;
--')
--
--########################################
--## <summary>
++	files_search_pids($1)
++	files_write_generic_pid_pipes($1)
++	allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
+ ')
+ 
+ ########################################
+ ## <summary>
 -##	Read unconfined domain unnamed pipes.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Connect to unconfined_server with a unix socket.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -398,120 +218,17 @@ interface(`unconfined_signal',`
+ ##	</summary>
+ ## </param>
+ #
 -interface(`unconfined_read_pipes',`
 -	gen_require(`
 -		type unconfined_t;
@@ -53126,20 +55305,18 @@ index 5ca20a97d..43bb011b3 100644
 -	')
 -
 -	dontaudit $1 unconfined_t:fifo_file read;
-+	refpolicywarn(`$0() has been deprecated.')
- ')
- 
- ########################################
- ## <summary>
+-')
+-
+-########################################
+-## <summary>
 -##	Read and write unconfined domain unnamed pipes.
-+##	Connect to unconfined_server with a unix socket.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -434,84 +198,19 @@ interface(`unconfined_dontaudit_read_pipes',`
- ##	</summary>
- ## </param>
- #
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-#
 -interface(`unconfined_rw_pipes',`
 -	gen_require(`
 -		type unconfined_t;
@@ -53208,79 +55385,77 @@ index 5ca20a97d..43bb011b3 100644
 -## </param>
 -#
 -interface(`unconfined_dontaudit_rw_tcp_sockets',`
-+interface(`unconfined_server_stream_connect',`
++interface(`unconfined_server_domtrans',`
  	gen_require(`
 -		type unconfined_t;
 +		type unconfined_service_t;
  	')
  
 -	dontaudit $1 unconfined_t:tcp_socket { read write };
-+	files_search_pids($1)
-+	files_write_generic_pid_pipes($1)
-+	allow $1 unconfined_service_t:unix_stream_socket { getattr connectto };
++	corecmd_bin_domtrans($1, unconfined_service_t)
  ')
  
  ########################################
  ## <summary>
 -##	Create keys for the unconfined domain.
-+##	Connect to unconfined_server with a unix socket.
++##	Allow caller domain to dbus chat unconfined_server.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -519,17 +218,17 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
+@@ -519,17 +236,19 @@ interface(`unconfined_dontaudit_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
 -interface(`unconfined_create_keys',`
-+interface(`unconfined_server_domtrans',`
++interface(`unconfined_server_dbus_chat',`
  	gen_require(`
 -		type unconfined_t;
 +		type unconfined_service_t;
++        class dbus send_msg;
  	')
  
 -	allow $1 unconfined_t:key create;
-+	corecmd_bin_domtrans($1, unconfined_service_t)
++        allow $1 unconfined_service_t:dbus send_msg;
++        allow unconfined_service_t $1:dbus send_msg;
  ')
  
  ########################################
  ## <summary>
 -##	Send messages to the unconfined domain over dbus.
-+##	Allow caller domain to dbus chat unconfined_server.
++##	Send signull to unconfined_service_t.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -537,19 +236,19 @@ interface(`unconfined_create_keys',`
+@@ -537,19 +256,17 @@ interface(`unconfined_create_keys',`
  ##	</summary>
  ## </param>
  #
 -interface(`unconfined_dbus_send',`
-+interface(`unconfined_server_dbus_chat',`
++interface(`unconfined_server_signull',`
  	gen_require(`
 -		type unconfined_t;
 -		class dbus send_msg;
 +		type unconfined_service_t;
-+        class dbus send_msg;
  	')
  
 -	allow $1 unconfined_t:dbus send_msg;
-+        allow $1 unconfined_service_t:dbus send_msg;
-+        allow unconfined_service_t $1:dbus send_msg;
++	allow $1 unconfined_service_t:process signull;
  ')
  
  ########################################
  ## <summary>
 -##	Send and receive messages from
 -##	unconfined_t over dbus.
-+##	Send signull to unconfined_service_t.
++##	Allow noatsecure.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -557,20 +256,17 @@ interface(`unconfined_dbus_send',`
+@@ -557,20 +274,17 @@ interface(`unconfined_dbus_send',`
  ##	</summary>
  ## </param>
  #
 -interface(`unconfined_dbus_chat',`
-+interface(`unconfined_server_signull',`
++interface(`unconfined_server_noatsecure',`
  	gen_require(`
 -		type unconfined_t;
 -		class dbus send_msg;
@@ -53289,23 +55464,23 @@ index 5ca20a97d..43bb011b3 100644
  
 -	allow $1 unconfined_t:dbus send_msg;
 -	allow unconfined_t $1:dbus send_msg;
-+	allow $1 unconfined_service_t:process signull;
++    allow $1 unconfined_service_t:process { noatsecure };
  ')
  
  ########################################
  ## <summary>
 -##	Connect to the the unconfined DBUS
 -##	for service (acquire_svc).
-+##	Allow noatsecure.
++##	Create unconfined_service_t TCP sockets.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -578,11 +274,10 @@ interface(`unconfined_dbus_chat',`
+@@ -578,11 +292,10 @@ interface(`unconfined_dbus_chat',`
  ##	</summary>
  ## </param>
  #
 -interface(`unconfined_dbus_connect',`
-+interface(`unconfined_server_noatsecure',`
++interface(`unconfined_server_create_tcp_sockets',`
  	gen_require(`
 -		type unconfined_t;
 -		class dbus acquire_svc;
@@ -53313,7 +55488,7 @@ index 5ca20a97d..43bb011b3 100644
  	')
  
 -	allow $1 unconfined_t:dbus acquire_svc;
-+    allow $1 unconfined_service_t:process { noatsecure };
++	allow $1 unconfined_service_t:tcp_socket create_stream_socket_perms;
  ')
 diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
 index 5fe902db3..52a051d8a 100644
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index aa773fb..ce3ef55 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -2331,7 +2331,7 @@ index 7f4dfbca3..e5c9f45b8 100644
  /usr/sbin/amrecover	--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
  
 diff --git a/amanda.te b/amanda.te
-index 519051c7d..96bbc0825 100644
+index 519051c7d..48d816150 100644
 --- a/amanda.te
 +++ b/amanda.te
 @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2425,7 +2425,12 @@ index 519051c7d..96bbc0825 100644
  
  files_read_etc_runtime_files(amanda_t)
  files_list_all(amanda_t)
-@@ -130,6 +145,7 @@ fs_list_all(amanda_t)
+@@ -126,10 +141,12 @@ files_getattr_all_sockets(amanda_t)
+ 
+ fs_getattr_xattr_fs(amanda_t)
+ fs_list_all(amanda_t)
++fs_getattr_tmpfs(amanda_t)
+ 
  storage_raw_read_fixed_disk(amanda_t)
  storage_read_tape(amanda_t)
  storage_write_tape(amanda_t)
@@ -2433,7 +2438,7 @@ index 519051c7d..96bbc0825 100644
  
  auth_use_nsswitch(amanda_t)
  auth_read_shadow(amanda_t)
-@@ -141,7 +157,7 @@ logging_send_syslog_msg(amanda_t)
+@@ -141,7 +158,7 @@ logging_send_syslog_msg(amanda_t)
  # Recover local policy
  #
  
@@ -2442,7 +2447,7 @@ index 519051c7d..96bbc0825 100644
  allow amanda_recover_t self:process { sigkill sigstop signal };
  allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
  allow amanda_recover_t self:unix_stream_socket create_socket_perms;
-@@ -170,7 +186,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +187,6 @@ kernel_read_system_state(amanda_recover_t)
  corecmd_exec_shell(amanda_recover_t)
  corecmd_exec_bin(amanda_recover_t)
  
@@ -2450,7 +2455,7 @@ index 519051c7d..96bbc0825 100644
  corenet_all_recvfrom_netlabel(amanda_recover_t)
  corenet_tcp_sendrecv_generic_if(amanda_recover_t)
  corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +210,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +211,16 @@ files_search_tmp(amanda_recover_t)
  
  auth_use_nsswitch(amanda_recover_t)
  
@@ -5635,7 +5640,7 @@ index f6eb4851f..3628a384f 100644
 +    allow $1 httpd_t:process { noatsecure };
  ')
 diff --git a/apache.te b/apache.te
-index 6649962b6..1df48fb13 100644
+index 6649962b6..c45ca1fb1 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -7895,39 +7900,47 @@ index 6649962b6..1df48fb13 100644
  kernel_read_system_state(httpd_passwd_t)
  
  corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1682,110 @@ dev_read_urand(httpd_passwd_t)
+@@ -1384,36 +1684,109 @@ domain_use_interactive_fds(httpd_passwd_t)
  
- domain_use_interactive_fds(httpd_passwd_t)
- 
-+
  auth_use_nsswitch(httpd_passwd_t)
  
 -miscfiles_read_generic_certs(httpd_passwd_t)
 -miscfiles_read_localization(httpd_passwd_t)
-+miscfiles_read_certs(httpd_passwd_t)
++init_dontaudit_read_state(httpd_passwd_t)
  
 -########################################
 -#
 -# GPG local policy
 -#
++miscfiles_read_certs(httpd_passwd_t)
+ 
+-allow httpd_gpg_t self:process setrlimit;
 +systemd_manage_passwd_run(httpd_passwd_t)
 +systemd_manage_passwd_run(httpd_t)
 +#systemd_passwd_agent_dev_template(httpd)
  
--allow httpd_gpg_t self:process setrlimit;
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
 +domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
 +dontaudit httpd_passwd_t httpd_config_t:file read;
-+
+ 
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
 +search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
 +corecmd_shell_entry_type(httpd_script_type)
-+
+ 
+-files_read_usr_files(httpd_gpg_t)
 +allow httpd_script_type self:fifo_file rw_file_perms;
 +allow httpd_script_type self:unix_stream_socket connectto;
-+
+ 
+-miscfiles_read_localization(httpd_gpg_t)
 +allow httpd_script_type httpd_t:fifo_file write;
 +# apache should set close-on-exec
 +apache_dontaudit_leaks(httpd_script_type)
-+
+ 
+-tunable_policy(`httpd_gpg_anon_write',`
+-	miscfiles_manage_public_files(httpd_gpg_t)
 +append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
 +logging_search_logs(httpd_script_type)
 +
@@ -7955,29 +7968,20 @@ index 6649962b6..1df48fb13 100644
 +allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
 +allow httpd_t httpd_script_type:process { signal sigkill sigstop signull };
 +allow httpd_t httpd_script_exec_type:dir list_dir_perms;
- 
--allow httpd_gpg_t httpd_t:fd use;
--allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
--allow httpd_gpg_t httpd_t:process sigchld;
++
 +allow httpd_script_type self:process { setsched signal_perms };
 +allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
 +allow httpd_script_type self:unix_dgram_socket create_socket_perms;
 +allow httpd_script_type httpd_t:unix_stream_socket rw_stream_socket_perms;
- 
--dev_read_rand(httpd_gpg_t)
--dev_read_urand(httpd_gpg_t)
++
 +allow httpd_script_type httpd_t:fd use;
 +allow httpd_script_type httpd_t:process sigchld;
- 
--files_read_usr_files(httpd_gpg_t)
++
 +dontaudit httpd_script_type httpd_t:tcp_socket { read write };
 +dontaudit httpd_script_type httpd_t:unix_stream_socket { read write };
- 
--miscfiles_read_localization(httpd_gpg_t)
++
 +fs_getattr_xattr_fs(httpd_script_type)
- 
--tunable_policy(`httpd_gpg_anon_write',`
--	miscfiles_manage_public_files(httpd_gpg_t)
++
 +files_read_etc_runtime_files(httpd_script_type)
 +
 +libs_read_lib_files(httpd_script_type)
@@ -12617,10 +12621,10 @@ index 008f8ef26..144c0740a 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/certmonger.te b/certmonger.te
-index 550b287ce..73104ec93 100644
+index 550b287ce..36c9f99b1 100644
 --- a/certmonger.te
 +++ b/certmonger.te
-@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
+@@ -18,18 +18,29 @@ files_type(certmonger_var_lib_t)
  type certmonger_var_run_t;
  files_pid_file(certmonger_var_run_t)
  
@@ -12630,6 +12634,9 @@ index 550b287ce..73104ec93 100644
 +type certmonger_unit_file_t;
 +systemd_unit_file(certmonger_unit_file_t)
 +
++type certmonger_tmp_t;
++files_tmp_file(certmonger_tmp_t)
++
  ########################################
  #
  # Local policy
@@ -12651,15 +12658,21 @@ index 550b287ce..73104ec93 100644
  
  manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
  manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
-@@ -41,6 +49,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
+@@ -39,8 +50,13 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
  
++manage_dirs_pattern(certmonger_t, certmonger_tmp_t, certmonger_tmp_t)
++manage_files_pattern(certmonger_t, certmonger_tmp_t, certmonger_tmp_t)
++files_tmp_filetrans(certmonger_t, certmonger_tmp_t, { file dir })
++
  kernel_read_kernel_sysctls(certmonger_t)
  kernel_read_system_state(certmonger_t)
 +kernel_read_network_state(certmonger_t)
  
  corenet_all_recvfrom_unlabeled(certmonger_t)
  corenet_all_recvfrom_netlabel(certmonger_t)
-@@ -49,17 +58,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
+@@ -49,17 +65,26 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
  
  corenet_sendrecv_certmaster_client_packets(certmonger_t)
  corenet_tcp_connect_certmaster_port(certmonger_t)
@@ -12687,7 +12700,7 @@ index 550b287ce..73104ec93 100644
  
  fs_search_cgroup_dirs(certmonger_t)
  
-@@ -68,18 +86,24 @@ auth_rw_cache(certmonger_t)
+@@ -68,18 +93,24 @@ auth_rw_cache(certmonger_t)
  
  init_getattr_all_script_files(certmonger_t)
  
@@ -12716,7 +12729,7 @@ index 550b287ce..73104ec93 100644
  ')
  
  optional_policy(`
-@@ -92,11 +116,74 @@ optional_policy(`
+@@ -92,11 +123,74 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -32849,7 +32862,7 @@ index 1e29af196..6c64f55c3 100644
 +		userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
 +')
 diff --git a/git.te b/git.te
-index dc49c715e..e25890c3d 100644
+index dc49c715e..43f79d6de 100644
 --- a/git.te
 +++ b/git.te
 @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -32934,7 +32947,7 @@ index dc49c715e..e25890c3d 100644
  ')
  
  tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',`
-@@ -215,48 +218,53 @@ tunable_policy(`git_system_use_nfs',`
+@@ -215,48 +218,54 @@ tunable_policy(`git_system_use_nfs',`
  # CGI policy
  #
  
@@ -32951,6 +32964,7 @@ index dc49c715e..e25890c3d 100644
 +read_files_pattern(git_script_t, { git_sys_content_t git_user_content_t }, { git_sys_content_t git_user_content_t })
 +files_search_var_lib(git_script_t)
 +allow git_script_t git_sys_content_t:file map;
++allow git_script_t git_user_content_t:file map;
  
 -auth_use_nsswitch(httpd_git_script_t)
 +auth_use_nsswitch(git_script_t)
@@ -33010,7 +33024,7 @@ index dc49c715e..e25890c3d 100644
  ')
  
  ########################################
-@@ -266,12 +274,9 @@ tunable_policy(`git_cgi_use_nfs',`
+@@ -266,12 +275,9 @@ tunable_policy(`git_cgi_use_nfs',`
  
  allow git_daemon self:fifo_file rw_fifo_file_perms;
  
@@ -51743,10 +51757,10 @@ index 000000000..394bc4658
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 000000000..f5b98e6de
+index 000000000..4807174c8
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,311 @@
+@@ -0,0 +1,312 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -51804,6 +51818,7 @@ index 000000000..f5b98e6de
 +	files_search_var_lib($1)
 +    list_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
 +	read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
++	read_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
 +')
 +
 +########################################
@@ -57636,7 +57651,7 @@ index b744fe35e..cb0e2af61 100644
 +	admin_pattern($1, munin_content_t)
  ')
 diff --git a/munin.te b/munin.te
-index b70870816..e2a5280c3 100644
+index b70870816..19e70e27c 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@@ -57697,16 +57712,18 @@ index b70870816..e2a5280c3 100644
  dontaudit munin_t self:capability sys_tty_config;
  allow munin_t self:process { getsched setsched signal_perms };
  allow munin_t self:unix_stream_socket { accept connectto listen };
-@@ -118,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -117,8 +116,9 @@ files_tmp_filetrans(munin_t, munin_tmp_t, { file dir sock_file })
+ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
  manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
++allow munin_t munin_var_lib_t:file map;
  
 -read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
 +rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
  
  manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
  manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -134,7 +133,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -134,7 +134,6 @@ kernel_read_all_sysctls(munin_t)
  corecmd_exec_bin(munin_t)
  corecmd_exec_shell(munin_t)
  
@@ -57714,7 +57731,7 @@ index b70870816..e2a5280c3 100644
  corenet_all_recvfrom_netlabel(munin_t)
  corenet_tcp_sendrecv_generic_if(munin_t)
  corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -157,7 +155,6 @@ domain_use_interactive_fds(munin_t)
+@@ -157,7 +156,6 @@ domain_use_interactive_fds(munin_t)
  domain_read_all_domains_state(munin_t)
  
  files_read_etc_runtime_files(munin_t)
@@ -57722,7 +57739,7 @@ index b70870816..e2a5280c3 100644
  files_list_spool(munin_t)
  
  fs_getattr_all_fs(munin_t)
-@@ -169,7 +166,6 @@ logging_send_syslog_msg(munin_t)
+@@ -169,7 +167,6 @@ logging_send_syslog_msg(munin_t)
  logging_read_all_logs(munin_t)
  
  miscfiles_read_fonts(munin_t)
@@ -57730,7 +57747,7 @@ index b70870816..e2a5280c3 100644
  miscfiles_setattr_fonts_cache_dirs(munin_t)
  
  sysnet_exec_ifconfig(munin_t)
-@@ -177,13 +173,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -177,13 +174,6 @@ sysnet_exec_ifconfig(munin_t)
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_user_home_dirs(munin_t)
  
@@ -57744,7 +57761,7 @@ index b70870816..e2a5280c3 100644
  
  optional_policy(`
  	cron_system_entry(munin_t, munin_exec_t)
-@@ -217,7 +206,6 @@ optional_policy(`
+@@ -217,7 +207,6 @@ optional_policy(`
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -57752,10 +57769,12 @@ index b70870816..e2a5280c3 100644
  ')
  
  optional_policy(`
-@@ -246,21 +234,25 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +235,27 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
++auth_use_nsswitch(disk_munin_plugin_t)
++
 +kernel_read_fs_sysctls(disk_munin_plugin_t)
 +
  corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
@@ -57782,7 +57801,7 @@ index b70870816..e2a5280c3 100644
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -272,34 +264,50 @@ optional_policy(`
+@@ -272,34 +267,53 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -57804,7 +57823,10 @@ index b70870816..e2a5280c3 100644
  
  rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
++auth_use_nsswitch(mail_munin_plugin_t)
++
 +kernel_read_net_sysctls(mail_munin_plugin_t)
++kernel_read_network_state(mail_munin_plugin_t)
 +
  dev_read_urand(mail_munin_plugin_t)
  
@@ -57838,7 +57860,16 @@ index b70870816..e2a5280c3 100644
  ')
  
  optional_policy(`
-@@ -339,7 +347,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -311,6 +325,8 @@ optional_policy(`
+ # Selinux local policy
+ #
+ 
++auth_use_nsswitch(selinux_munin_plugin_t)
++
+ selinux_get_enforce_mode(selinux_munin_plugin_t)
+ 
+ ###################################
+@@ -339,7 +355,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
@@ -57847,7 +57878,7 @@ index b70870816..e2a5280c3 100644
  ')
  
  optional_policy(`
-@@ -348,6 +356,10 @@ optional_policy(`
+@@ -348,6 +364,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57858,7 +57889,7 @@ index b70870816..e2a5280c3 100644
  	lpd_exec_lpr(services_munin_plugin_t)
  ')
  
-@@ -361,7 +373,11 @@ optional_policy(`
+@@ -361,7 +381,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -57871,7 +57902,7 @@ index b70870816..e2a5280c3 100644
  ')
  
  optional_policy(`
-@@ -393,6 +409,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +417,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -57879,7 +57910,7 @@ index b70870816..e2a5280c3 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +438,33 @@ optional_policy(`
+@@ -421,3 +446,33 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -57908,7 +57939,7 @@ index b70870816..e2a5280c3 100644
 +
 +files_search_var_lib(munin_script_t)
 +
-+auth_read_passwd(munin_script_t)
++auth_use_nsswitch(munin_script_t)
 +
 +optional_policy(`
 +	apache_search_sys_content(munin_t)
@@ -94607,7 +94638,7 @@ index ebe91fc70..6ba4338cb 100644
 +/sbin/cpio			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  ')
 diff --git a/rpm.if b/rpm.if
-index ef3b22507..79518530e 100644
+index ef3b22507..b7bd65539 100644
 --- a/rpm.if
 +++ b/rpm.if
 @@ -1,8 +1,8 @@
@@ -94886,7 +94917,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -302,7 +398,32 @@ interface(`rpm_manage_log',`
+@@ -302,7 +398,33 @@ interface(`rpm_manage_log',`
  
  ########################################
  ## <summary>
@@ -94912,6 +94943,7 @@ index ef3b22507..79518530e 100644
 +	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
 +	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
 +	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
++	files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpmrebuilddb")
 +')
 +
 +########################################
@@ -94920,7 +94952,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -320,8 +441,8 @@ interface(`rpm_use_script_fds',`
+@@ -320,8 +442,8 @@ interface(`rpm_use_script_fds',`
  
  ########################################
  ## <summary>
@@ -94931,7 +94963,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -335,12 +456,15 @@ interface(`rpm_manage_script_tmp_files',`
+@@ -335,12 +457,15 @@ interface(`rpm_manage_script_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -94948,7 +94980,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -353,14 +477,13 @@ interface(`rpm_append_tmp_files',`
+@@ -353,14 +478,13 @@ interface(`rpm_append_tmp_files',`
  		type rpm_tmp_t;
  	')
  
@@ -94966,7 +94998,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -374,12 +497,34 @@ interface(`rpm_manage_tmp_files',`
+@@ -374,12 +498,34 @@ interface(`rpm_manage_tmp_files',`
  	')
  
  	files_search_tmp($1)
@@ -95002,7 +95034,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -399,7 +544,7 @@ interface(`rpm_read_script_tmp_files',`
+@@ -399,7 +545,7 @@ interface(`rpm_read_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -95011,7 +95043,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -420,8 +565,7 @@ interface(`rpm_read_cache',`
+@@ -420,8 +566,7 @@ interface(`rpm_read_cache',`
  
  ########################################
  ## <summary>
@@ -95021,7 +95053,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -442,7 +586,7 @@ interface(`rpm_manage_cache',`
+@@ -442,7 +587,7 @@ interface(`rpm_manage_cache',`
  
  ########################################
  ## <summary>
@@ -95030,7 +95062,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -459,11 +603,13 @@ interface(`rpm_read_db',`
+@@ -459,11 +604,13 @@ interface(`rpm_read_db',`
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -95045,7 +95077,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -482,8 +628,7 @@ interface(`rpm_delete_db',`
+@@ -482,8 +629,7 @@ interface(`rpm_delete_db',`
  
  ########################################
  ## <summary>
@@ -95055,7 +95087,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -499,12 +644,33 @@ interface(`rpm_manage_db',`
+@@ -499,12 +645,33 @@ interface(`rpm_manage_db',`
  	files_search_var_lib($1)
  	manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -95090,7 +95122,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -517,9 +683,10 @@ interface(`rpm_dontaudit_manage_db',`
+@@ -517,9 +684,10 @@ interface(`rpm_dontaudit_manage_db',`
  		type rpm_var_lib_t;
  	')
  
@@ -95102,7 +95134,7 @@ index ef3b22507..79518530e 100644
  ')
  
  #####################################
-@@ -543,8 +710,7 @@ interface(`rpm_read_pid_files',`
+@@ -543,8 +711,7 @@ interface(`rpm_read_pid_files',`
  
  #####################################
  ## <summary>
@@ -95112,7 +95144,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -563,8 +729,7 @@ interface(`rpm_manage_pid_files',`
+@@ -563,8 +730,7 @@ interface(`rpm_manage_pid_files',`
  
  ######################################
  ## <summary>
@@ -95122,7 +95154,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -573,43 +738,54 @@ interface(`rpm_manage_pid_files',`
+@@ -573,43 +739,54 @@ interface(`rpm_manage_pid_files',`
  ## </param>
  #
  interface(`rpm_pid_filetrans',`
@@ -95194,7 +95226,7 @@ index ef3b22507..79518530e 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -617,22 +793,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
+@@ -617,22 +794,57 @@ interface(`rpm_pid_filetrans_rpm_pid',`
  ##	</summary>
  ## </param>
  ## <param name="role">
@@ -95263,7 +95295,7 @@ index ef3b22507..79518530e 100644
  
  	init_labeled_script_domtrans($1, rpm_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -641,9 +852,6 @@ interface(`rpm_admin',`
+@@ -641,9 +853,6 @@ interface(`rpm_admin',`
  
  	admin_pattern($1, rpm_file_t)
  
@@ -97896,7 +97928,7 @@ index 50d07fb2e..a15cd5b6b 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 2b7c441e7..0f95635dd 100644
+index 2b7c441e7..1bfd11b61 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -98194,7 +98226,7 @@ index 2b7c441e7..0f95635dd 100644
  ')
  
  optional_policy(`
-@@ -249,46 +261,59 @@ optional_policy(`
+@@ -249,47 +261,61 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98265,9 +98297,11 @@ index 2b7c441e7..0f95635dd 100644
 +manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
 +manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
++allow smbd_t samba_share_t:file { map };
  allow smbd_t samba_share_t:filesystem { getattr quotaget };
  
-@@ -297,66 +322,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+ manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -297,66 +323,74 @@ manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -98366,7 +98400,7 @@ index 2b7c441e7..0f95635dd 100644
  
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
-@@ -366,44 +399,53 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +400,53 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
@@ -98432,7 +98466,7 @@ index 2b7c441e7..0f95635dd 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -419,20 +461,16 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +462,16 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -98459,7 +98493,7 @@ index 2b7c441e7..0f95635dd 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -441,6 +479,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +480,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -98467,7 +98501,7 @@ index 2b7c441e7..0f95635dd 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -448,15 +487,10 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,15 +488,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -98487,7 +98521,7 @@ index 2b7c441e7..0f95635dd 100644
  ')
  
  optional_policy(`
-@@ -466,6 +500,7 @@ optional_policy(`
+@@ -466,6 +501,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -98495,7 +98529,7 @@ index 2b7c441e7..0f95635dd 100644
  ')
  
  optional_policy(`
-@@ -474,11 +509,31 @@ optional_policy(`
+@@ -474,11 +510,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98527,7 +98561,7 @@ index 2b7c441e7..0f95635dd 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -488,6 +543,10 @@ optional_policy(`
+@@ -488,6 +544,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -98538,7 +98572,7 @@ index 2b7c441e7..0f95635dd 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -499,12 +558,53 @@ optional_policy(`
+@@ -499,12 +559,53 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -98593,7 +98627,7 @@ index 2b7c441e7..0f95635dd 100644
  allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow nmbd_t self:fd use;
  allow nmbd_t self:fifo_file rw_fifo_file_perms;
-@@ -512,9 +612,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +613,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -98608,7 +98642,7 @@ index 2b7c441e7..0f95635dd 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -526,20 +628,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +629,17 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -98634,7 +98668,7 @@ index 2b7c441e7..0f95635dd 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -547,53 +646,44 @@ kernel_read_kernel_sysctls(nmbd_t)
+@@ -547,53 +647,44 @@ kernel_read_kernel_sysctls(nmbd_t)
  kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
@@ -98703,7 +98737,7 @@ index 2b7c441e7..0f95635dd 100644
  ')
  
  optional_policy(`
-@@ -606,18 +696,29 @@ optional_policy(`
+@@ -606,18 +697,29 @@ optional_policy(`
  
  ########################################
  #
@@ -98739,7 +98773,7 @@ index 2b7c441e7..0f95635dd 100644
  
  samba_read_config(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -627,39 +728,38 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,39 +729,38 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -98791,7 +98825,7 @@ index 2b7c441e7..0f95635dd 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -668,26 +768,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +769,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -98827,7 +98861,7 @@ index 2b7c441e7..0f95635dd 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -699,58 +795,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +796,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -98920,7 +98954,7 @@ index 2b7c441e7..0f95635dd 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -759,17 +874,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +875,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -98944,7 +98978,7 @@ index 2b7c441e7..0f95635dd 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -777,36 +888,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +889,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -98987,7 +99021,7 @@ index 2b7c441e7..0f95635dd 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -818,10 +918,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +919,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -99001,7 +99035,7 @@ index 2b7c441e7..0f95635dd 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -840,17 +941,20 @@ optional_policy(`
+@@ -840,17 +942,20 @@ optional_policy(`
  # Winbind local policy
  #
  
@@ -99028,7 +99062,7 @@ index 2b7c441e7..0f95635dd 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -860,9 +964,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +965,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -99039,7 +99073,7 @@ index 2b7c441e7..0f95635dd 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -870,41 +972,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
+@@ -870,41 +973,46 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
  manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
  files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
@@ -99098,7 +99132,7 @@ index 2b7c441e7..0f95635dd 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -912,38 +1019,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,38 +1020,52 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -99157,7 +99191,7 @@ index 2b7c441e7..0f95635dd 100644
  ')
  
  optional_policy(`
-@@ -959,31 +1080,36 @@ optional_policy(`
+@@ -959,31 +1081,36 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -99201,7 +99235,7 @@ index 2b7c441e7..0f95635dd 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -997,25 +1123,38 @@ optional_policy(`
+@@ -997,25 +1124,38 @@ optional_policy(`
  
  ########################################
  #
@@ -102451,7 +102485,7 @@ index 35ad2a733..afdc7da29 100644
 +	admin_pattern($1, mail_spool_t)
  ')
 diff --git a/sendmail.te b/sendmail.te
-index 12700b413..debacc88b 100644
+index 12700b413..e28f69e3e 100644
 --- a/sendmail.te
 +++ b/sendmail.te
 @@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -102594,7 +102628,18 @@ index 12700b413..debacc88b 100644
  ')
  
  optional_policy(`
-@@ -164,6 +171,10 @@ optional_policy(`
+@@ -143,6 +150,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    dbus_system_bus_client(sendmail_t)
++')
++
++optional_policy(`
+ 	dovecot_write_inherited_tmp_files(sendmail_t)
+ ')
+ 
+@@ -164,6 +175,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -102605,7 +102650,7 @@ index 12700b413..debacc88b 100644
  	milter_stream_connect_all(sendmail_t)
  ')
  
-@@ -172,6 +183,11 @@ optional_policy(`
+@@ -172,6 +187,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -102617,7 +102662,7 @@ index 12700b413..debacc88b 100644
  	postfix_domtrans_postdrop(sendmail_t)
  	postfix_domtrans_master(sendmail_t)
  	postfix_domtrans_postqueue(sendmail_t)
-@@ -193,6 +209,10 @@ optional_policy(`
+@@ -193,6 +213,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -102628,7 +102673,7 @@ index 12700b413..debacc88b 100644
  	udev_read_db(sendmail_t)
  ')
  
-@@ -206,8 +226,6 @@ optional_policy(`
+@@ -206,8 +230,6 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -104096,7 +104141,7 @@ index e0644b5cf..ea347ccd5 100644
  	domain_system_change_exemption($1)
  	role_transition $2 fsdaemon_initrc_exec_t system_r;
 diff --git a/smartmon.te b/smartmon.te
-index 9cf6582d2..d0be162c8 100644
+index 9cf6582d2..97d1e6d7c 100644
 --- a/smartmon.te
 +++ b/smartmon.te
 @@ -38,7 +38,7 @@ ifdef(`enable_mls',`
@@ -104108,7 +104153,7 @@ index 9cf6582d2..d0be162c8 100644
  dontaudit fsdaemon_t self:capability sys_tty_config;
  allow fsdaemon_t self:process { getcap setcap signal_perms };
  allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
-@@ -58,23 +58,31 @@ kernel_read_network_state(fsdaemon_t)
+@@ -58,23 +58,32 @@ kernel_read_network_state(fsdaemon_t)
  kernel_read_software_raid_state(fsdaemon_t)
  kernel_read_system_state(fsdaemon_t)
  
@@ -104123,6 +104168,7 @@ index 9cf6582d2..d0be162c8 100644
 +
  dev_read_sysfs(fsdaemon_t)
  dev_read_urand(fsdaemon_t)
++dev_read_nvme(fsdaemon_t)
  
  domain_use_interactive_fds(fsdaemon_t)
  
@@ -104142,7 +104188,7 @@ index 9cf6582d2..d0be162c8 100644
  storage_raw_read_fixed_disk(fsdaemon_t)
  storage_raw_write_fixed_disk(fsdaemon_t)
  storage_raw_read_removable_device(fsdaemon_t)
-@@ -83,7 +91,9 @@ storage_write_scsi_generic(fsdaemon_t)
+@@ -83,7 +92,9 @@ storage_write_scsi_generic(fsdaemon_t)
  
  term_dontaudit_search_ptys(fsdaemon_t)
  
@@ -104153,7 +104199,7 @@ index 9cf6582d2..d0be162c8 100644
  
  init_read_utmp(fsdaemon_t)
  
-@@ -92,12 +102,13 @@ libs_exec_lib_files(fsdaemon_t)
+@@ -92,12 +103,14 @@ libs_exec_lib_files(fsdaemon_t)
  
  logging_send_syslog_msg(fsdaemon_t)
  
@@ -104164,11 +104210,12 @@ index 9cf6582d2..d0be162c8 100644
  
  userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
  userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
++userdom_dontaudit_manage_admin_dir(fsdaemon_t)
 +userdom_use_user_terminals(fsdaemon_t)
  
  tunable_policy(`smartmon_3ware',`
  	allow fsdaemon_t self:process setfscreate;
-@@ -116,9 +127,9 @@ optional_policy(`
+@@ -116,9 +129,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -112077,10 +112124,10 @@ index 000000000..d371f62f6
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 000000000..6c04973ea
+index 000000000..a82cab79b
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,176 @@
+@@ -0,0 +1,177 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -112169,6 +112216,7 @@ index 000000000..6c04973ea
 +domain_dontaudit_read_all_domains_state(thumb_t)
 +
 +files_read_non_security_files(thumb_t)
++files_map_non_security_files(thumb_t)
 +
 +fs_getattr_all_fs(thumb_t)
 +fs_read_dos_files(thumb_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f49a3e..68e0e8d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 308%{?dist}
+Release: 309%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -717,6 +717,27 @@ exit 0
 %endif
 
 %changelog
+* Fri Jan 05 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-309
+- auth_use_nsswitch() interface cannot be used for attributes fixing munin policy
+- Allow git_script_t to mmap git_user_content_t files BZ(1530937)
+- Allow certmonger domain to create temp files BZ(1530795)
+- Improve interface mock_read_lib_files() to include also symlinks. BZ(1530563)
+- Allow fsdaemon_t to read nvme devices BZ(1530018)
+- Dontaudit fsdaemon_t to write to admin homedir. BZ(153030)
+- Update munin plugin policy BZ(1528471)
+- Allow sendmail_t domain to be system dbusd client BZ(1478735)
+- Allow amanda_t domain to getattr on tmpfs filesystem BZ(1527645)
+- Allow named file transition to create rpmrebuilddb dir with proper SELinux context BZ(1461313)
+- Dontaudit httpd_passwd_t domain to read state of systemd BZ(1522672)
+- Allow thumb_t to mmap non security files BZ(1517393)
+- Allow smbd_t to mmap files with label samba_share_t BZ(1530453)
+- Fix broken sysnet_filetrans_named_content() interface
+- Allow init_t to create tcp sockets for unconfined services BZ(1366968)
+- Allow xdm_t to getattr on xserver_t process files BZ(1506116)
+- Allow domains which can create resolv.conf file also create it in systemd_resolved_var_run_t dir BZ(1530297)
+- Allow X userdomains to send dgram msgs to xserver_t BZ(1515967)
+- Add interface files_map_non_security_files()
+
 * Thu Jan 04 2018 Lukas Vrabec <lvrabec@redhat.com> - 3.13.1-308
 - Make working SELinux sandbox with Wayland. BZ(1474082)
 - Allow postgrey_t domain to mmap postgrey_spool_t files BZ(1529169)