From b15376d724a76e15ffcc3de59e0b78d98add1f82 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Aug 21 2013 06:34:51 +0000 Subject: - Allow boinc to connect to @/tmp/.X11-unix/X0 - Allow beam.smp to connect to tcp/5984 - Allow named to manage own log files - Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t - Add virt_transition_userdomain boolean decl - Allow httpd_t to sendto unix_dgram sockets on its children - Allow nova domains to execute ifconfig - bluetooth wants to create fifo_files in /tmp - exim needs to be able to manage mailman data - Allow sysstat to getattr on all file systems - Looks like bluetoothd has moved - Allow collectd to send ping packets - Allow svirt_lxc domains to getpgid - Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_ - Allow frpintd_t to read /dev/urandom - Allow asterisk_t to create sock_file in /var/run - Allow usbmuxd to use netlink_kobject - sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_u - More cleanup of svirt_lxc policy - virtd_lxc_t now talks to dbus - Dontaudit leaked ptmx_t - Allow processes to use inherited fifo files - Allow openvpn_t to connect to squid ports - Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_ch - Allow ssh_t to use /dev/ptmx - Make sure /run/pluto dir is created with correct labeling - Allow syslog to run shell and bin_t commands - Allow ip to relabel tun_sockets - Allow mount to create directories in files under /run - Allow processes to use inherited fifo files - Allow user roles to connect to the journal socket --- diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index 6adc2cb..af6ad9b 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -8473,7 +8473,7 @@ index 6a1e4d1..57cc8d1 100644 + allow $1 domain:process transition; ') 
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..bcaf613 100644 +index cf04cb5..2b917b5 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8610,7 +8610,7 @@ index cf04cb5..bcaf613 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8887,6 +8887,7 @@ index cf04cb5..bcaf613 100644 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + +optional_policy(` ++ rpm_rw_script_inherited_pipes(domain) + rpm_use_fds(domain) + rpm_read_pipes(domain) + rpm_search_log(domain) @@ -20222,7 +20223,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..3448145 100644 +index 5fc0391..2d08ed2 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20235,15 +20236,15 @@ index 5fc0391..3448145 100644 +##
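Review bot: `rpm_rw_script_inherited_pipes(domain)` in the rpm optional_policy block of domain.te gives every domain read and write access to pipes inherited from rpm scriptlets, a wider grant than the read-only `rpm_read_pipes(domain)` beside it. The commit message only says "Allow processes to use inherited fifo files", so the scenario that needs write access from all domains is not recorded; presumably a scriptlet starts a service that keeps the scriptlet's stdout/stderr pipe open, but that is an inference. A one-line comment above the call, e.g. `# scriptlet-spawned services keep writing to the inherited rpm pipe — TODO confirm`, would let a later reader judge whether the rule should stay on the whole domain attribute. The optional_policy block this line sits in continues beyond the hunk.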

+## allow host key based authentication +##

- ## --gen_tunable(allow_ssh_keysign, false) ++## +gen_tunable(ssh_keysign, false) + +## +##

+## Allow ssh logins as sysadm_r:sysadm_t +##

-+##
+ ## +-gen_tunable(allow_ssh_keysign, false) +gen_tunable(ssh_sysadm_login, false) ## @@ -20379,8 +20380,12 @@ index 5fc0391..3448145 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t) +@@ -154,40 +175,46 @@ files_read_var_files(ssh_t) + logging_send_syslog_msg(ssh_t) + logging_read_generic_logs(ssh_t) ++term_use_ptmx(ssh_t) ++ auth_use_nsswitch(ssh_t) -miscfiles_read_localization(ssh_t) @@ -20441,7 +20446,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -195,6 +220,7 @@ optional_policy(` +@@ -195,6 +222,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -20449,7 +20454,7 @@ index 5fc0391..3448145 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +234,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -20457,7 +20462,7 @@ index 5fc0391..3448145 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +250,54 @@ optional_policy(` +@@ -223,33 +252,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -20521,7 +20526,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -257,11 +305,24 @@ optional_policy(` +@@ -257,11 +307,28 @@ optional_policy(` ') optional_policy(` @@ -20543,11 +20548,15 @@ index 5fc0391..3448145 100644 optional_policy(` - kerberos_keytab_template(sshd, sshd_t) ++ lvm_domtrans(sshd_t) ++') ++ ++optional_policy(` + nx_read_home_files(sshd_t) ') optional_policy(` -@@ -269,6 +330,10 @@ optional_policy(` +@@ -269,6 +336,10 @@ optional_policy(` ') optional_policy(` 
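Review bot: `lvm_domtrans(sshd_t)`, added in a new optional_policy block near the end of this hunk, is the one rule among the sshd_t changes that the commit message does not mention, so why sshd must transition into the lvm domain is unrecorded. The lvm.fc hunk in this same commit labels `/sbin/umount\.crypt` as lvm_exec_t alongside the existing `/sbin/mount\.crypt` entry, which suggests encrypted home directories mounted by a PAM module during login, but that is an inference from the two changes. A comment above the call, e.g. `# login may run mount.crypt/umount.crypt (lvm_exec_t) — TODO confirm the trigger`, would tie the two hunks together.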
@@ -20558,7 +20567,7 @@ index 5fc0391..3448145 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +344,69 @@ optional_policy(` +@@ -279,13 +350,69 @@ optional_policy(` ') optional_policy(` @@ -20628,7 +20637,7 @@ index 5fc0391..3448145 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +415,26 @@ optional_policy(` +@@ -294,19 +421,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20656,7 +20665,7 @@ index 5fc0391..3448145 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20669,7 +20678,7 @@ index 5fc0391..3448145 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +465,138 @@ optional_policy(` +@@ -331,3 +471,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -20966,7 +20975,7 @@ index d1f64a0..8f50bb9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..ba9536c 100644 +index 6bf0ecc..307cefc 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ @@ -21919,7 +21928,7 @@ index 6bf0ecc..ba9536c 100644 ') ######################################## -@@ -1284,10 +1654,622 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1654,623 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
@@ -22419,6 +22428,7 @@ index 6bf0ecc..ba9536c 100644 + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") @@ -22545,7 +22555,7 @@ index 6bf0ecc..ba9536c 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..027e384 100644 +index 2696452..0c869cb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -22796,7 +22806,7 @@ index 2696452..027e384 100644 ') ######################################## -@@ -247,48 +321,83 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -22859,6 +22869,12 @@ index 2696452..027e384 100644 +userdom_use_inherited_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") xserver_rw_xdm_tmp_files(xauth_t) 
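Review bot: The `.Xauthority-n` name transition added here to the xserver.if interface is duplicated in the xserver.te hunk that follows, where xauth_t now carries the same six `userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ...)` lines inline (`.Xauthority`, `.Xauthority-l`, `.Xauthority-c`, `.Xauthority-n`, `.xauth`, `.Xauth`), so the list has to be kept in sync by hand. Having xauth_t call the interface instead would keep one source of truth; the interface's name and signature lie outside this hunk, so whether it can be invoked with xauth_t as `$1` is an inference from the body. Failing that, a comment on the xserver.te copy such as `# keep in sync with the .Xauthority filetrans list in xserver.if` is the minimum.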
@@ -22891,7 +22907,7 @@ index 2696452..027e384 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +408,109 @@ optional_policy(` +@@ -299,64 +414,109 @@ optional_policy(` # XDM Local policy # @@ -23011,7 +23027,7 @@ index 2696452..027e384 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +519,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -23043,7 +23059,7 @@ index 2696452..027e384 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +551,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +557,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23096,7 +23112,7 @@ index 2696452..027e384 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +603,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +609,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23125,7 +23141,7 @@ index 2696452..027e384 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +633,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +639,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) 
@@ -23174,7 +23190,7 @@ index 2696452..027e384 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +680,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +686,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23325,7 +23341,7 @@ index 2696452..027e384 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +831,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +837,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23352,7 +23368,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -514,12 +858,56 @@ optional_policy(` +@@ -514,12 +864,56 @@ optional_policy(` ') optional_policy(` @@ -23409,7 +23425,7 @@ index 2696452..027e384 100644 hostname_exec(xdm_t) ') -@@ -537,28 +925,78 @@ optional_policy(` +@@ -537,28 +931,78 @@ optional_policy(` ') optional_policy(` @@ -23497,7 +23513,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -570,6 +1008,14 @@ optional_policy(` +@@ -570,6 +1014,14 @@ optional_policy(` ') optional_policy(` @@ -23512,7 +23528,7 @@ index 2696452..027e384 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1040,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1046,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -23525,7 +23541,7 @@ index 2696452..027e384 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1057,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1063,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23541,7 +23557,7 @@ index 2696452..027e384 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1073,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1079,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) @@ -23552,7 +23568,7 @@ index 2696452..027e384 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1088,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1094,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -23574,7 +23590,7 @@ index 2696452..027e384 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1108,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1114,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23588,7 +23604,7 @@ index 2696452..027e384 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1134,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1140,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23620,7 +23636,7 @@ index 2696452..027e384 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1166,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1172,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23638,7 +23654,7 @@ index 2696452..027e384 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1189,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1195,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -23662,7 +23678,7 @@ index 2696452..027e384 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1208,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1214,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23671,7 +23687,7 @@ index 2696452..027e384 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1252,44 @@ optional_policy(` +@@ -775,16 +1258,44 @@ optional_policy(` ') optional_policy(` 
@@ -23717,7 +23733,7 @@ index 2696452..027e384 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1298,10 @@ optional_policy(` +@@ -793,6 +1304,10 @@ optional_policy(` ') optional_policy(` @@ -23728,7 +23744,7 @@ index 2696452..027e384 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1317,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1323,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23742,7 +23758,7 @@ index 2696452..027e384 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1328,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1334,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23751,7 +23767,7 @@ index 2696452..027e384 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1341,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1347,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -23786,7 +23802,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -902,7 +1406,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1412,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; 
@@ -23795,7 +23811,7 @@ index 2696452..027e384 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1460,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1466,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23827,7 +23843,7 @@ index 2696452..027e384 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1506,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1512,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -28832,7 +28848,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..a0ba260 100644 +index 9e54bf9..323d9ec 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28944,7 +28960,7 @@ index 9e54bf9..a0ba260 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +@@ -210,10 +223,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) 
@@ -28952,6 +28968,11 @@ index 9e54bf9..a0ba260 100644 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; +-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) ++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) + + # _realsetup needs to be able to cat /var/run/pluto.pid, + # run ps on that pid, and delete the file @@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -30664,7 +30685,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..692b00d 100644 +index 39ea221..aae7b7d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -30880,7 +30901,7 @@ index 39ea221..692b00d 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,22 +426,34 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) 
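Review bot: `files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file })` labels every directory ipsec_mgmt_t creates directly under /run as ipsec_var_run_t, while the commit message only calls for /run/pluto. A named transition keeps the existing sock_file behaviour and restricts the directory case to that one name: `files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)` plus `files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, dir, "pluto")`. If ipsec_mgmt_t is known to create other directories there as well, the wider form is fine but deserves a comment saying which ones.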
@@ -30910,12 +30931,15 @@ index 39ea221..692b00d 100644 +ifdef(`hide_broken_symptoms',` + kernel_rw_unix_dgram_sockets(syslogd_t) +') ++ ++corecmd_exec_bin(syslogd_t) ++corecmd_exec_shell(syslogd_t) -corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) -@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +479,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -30943,7 +30967,7 @@ index 39ea221..692b00d 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +511,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -30963,7 +30987,7 @@ index 39ea221..692b00d 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +532,10 @@ init_use_fds(syslogd_t) +@@ -461,11 +535,10 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -30977,7 +31001,7 @@ index 39ea221..692b00d 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +572,36 @@ optional_policy(` +@@ -502,15 +575,40 @@ optional_policy(` ') optional_policy(` @@ -31004,6 +31028,10 @@ index 39ea221..692b00d 100644 ') optional_policy(` ++ psad_search_lib_files(syslogd_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(syslogd_t) + snmp_read_snmp_var_lib_files(syslogd_t) + snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) @@ -31014,7 +31042,7 @@ index 39ea221..692b00d 100644 ') optional_policy(` -@@ -521,3 +612,26 @@ optional_policy(` +@@ -521,3 +619,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') 
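Review bot: `corecmd_exec_bin(syslogd_t)` and `corecmd_exec_shell(syslogd_t)` let the syslog daemon execute any bin_t program and a shell without a domain transition, a large widening for a daemon that also receives network input (see the `corenet_udp_sendrecv_generic_if(syslogd_t)` line a few lines below), and the hunk records no reason for it. The commit message says only "Allow syslog to run shell and bin_t commands"; presumably an output module such as rsyslog's omprog is the consumer, but that is an inference. A comment above the two calls naming the feature, e.g. `# output modules that exec an external program (rsyslog omprog) — TODO confirm`, would let a later reviewer decide whether a dedicated exec type would be tighter than bin_t. The surrounding ifdef/optional_policy structure continues outside the hunk.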
@@ -31042,10 +31070,10 @@ index 39ea221..692b00d 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..7daaff3 100644 +index 879bb1e..5aa4eeb 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc -@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',` +@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',` /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) @@ -31062,6 +31090,7 @@ index 879bb1e..7daaff3 100644 # /sbin # +/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -31081,7 +31110,7 @@ index 879bb1e..7daaff3 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',` +@@ -88,8 +95,71 @@ ifdef(`distro_gentoo',` # # /usr # @@ -31155,7 +31184,7 @@ index 879bb1e..7daaff3 100644 # # /var -@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',` +@@ -97,5 +167,8 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -32571,7 +32600,7 @@ index 4584457..e432df3 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..4e5bf09 100644 +index 6a50270..d941116 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te 
@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) @@ -32656,7 +32685,7 @@ index 6a50270..4e5bf09 100644 +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount") ++files_pid_filetrans(mount_t,mount_var_run_t,{ dir file }) +files_var_filetrans(mount_t,mount_var_run_t,dir) +dev_filetrans(mount_t, mount_var_run_t, dir) + @@ -34956,7 +34985,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..a5086e8 100644 +index b7686d5..7a9577f 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -35183,7 +35212,7 @@ index b7686d5..a5086e8 100644 vmware_append_log(dhcpc_t) ') -@@ -259,12 +306,21 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +306,23 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -35193,6 +35222,8 @@ index b7686d5..a5086e8 100644 +allow ifconfig_t self:netlink_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; ++allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }; ++ allow ifconfig_t self:tcp_socket { create ioctl }; +can_exec(ifconfig_t, ifconfig_exec_t) @@ -35205,7 +35236,7 @@ index b7686d5..a5086e8 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +330,29 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +332,29 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) 
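Review bot: Replacing `files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount")` with `files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })` drops the name restriction, so every directory or file mount_t creates directly in /run now becomes mount_var_run_t rather than only /run/mount. If the intent, per the commit message "Allow mount to create directories in files under /run", is the mount directory plus content inside it, the narrower form is to keep the named dir rule, since entries created inside a mount_var_run_t directory already default to the parent's type and are covered by the `manage_dirs_pattern`/`manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)` lines above. If mount_t genuinely creates other unnamed entries in /run, a comment stating which ones would justify the wider rule.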
@@ -35235,7 +35266,7 @@ index b7686d5..a5086e8 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +365,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +367,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -35263,7 +35294,7 @@ index b7686d5..a5086e8 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +389,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +391,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -35286,7 +35317,7 @@ index b7686d5..a5086e8 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +415,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +417,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -35300,7 +35331,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -339,7 +428,15 @@ optional_policy(` +@@ -339,7 +430,15 @@ optional_policy(` ') optional_policy(` @@ -35317,7 +35348,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -360,3 +457,13 @@ optional_policy(` +@@ -360,3 +459,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -38717,7 +38748,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..2bf0cab 100644 +index 3c5dba7..5dc956a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` 
@@ -39279,7 +39310,7 @@ index 3c5dba7..2bf0cab 100644 ############################## # -@@ -501,41 +632,51 @@ template(`userdom_common_user_template',` +@@ -501,41 +632,52 @@ template(`userdom_common_user_template',` # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -39302,6 +39333,7 @@ index 3c5dba7..2bf0cab 100644 - kernel_read_device_sysctls($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) ++ kernel_stream_connect($1_usertype) - corecmd_exec_bin($1_t) + corenet_udp_bind_generic_node($1_usertype) @@ -39354,7 +39386,7 @@ index 3c5dba7..2bf0cab 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +687,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +688,120 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -39513,7 +39545,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -642,23 +810,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +811,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -39542,7 +39574,7 @@ index 3c5dba7..2bf0cab 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +837,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +838,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -39551,7 +39583,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -680,9 +846,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +847,9 @@ template(`userdom_common_user_template',` ') optional_policy(` 
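Review bot: `kernel_stream_connect($1_usertype)` grants every user domain connectto on kernel_t unix stream sockets in general, not only the journal socket named in the commit message ("Allow user roles to connect to the journal socket"). Presumably the journald stream socket is labeled kernel_t in this policy, which is why the kernel interface is the one used, but that is an inference. A comment above the call, e.g. `# journald's stream socket runs as kernel_t — TODO confirm`, would record it, and if the logging module provides a journal-specific interface that would be the narrower choice. The template body continues outside the hunk.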
@@ -39564,7 +39596,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -693,32 +859,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +860,35 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -39611,7 +39643,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -743,17 +912,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +913,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -39649,7 +39681,7 @@ index 3c5dba7..2bf0cab 100644 userdom_change_password_template($1) -@@ -761,82 +946,99 @@ template(`userdom_login_user_template', ` +@@ -761,82 +947,99 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -39785,7 +39817,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -868,6 +1070,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -39798,7 +39830,7 @@ index 3c5dba7..2bf0cab 100644 ############################## # # Local policy -@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -908,41 +1117,97 @@ template(`userdom_restricted_xwindows_user_template',` # Local policy # @@ -39909,7 +39941,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -39940,7 +39972,7 @@ index 3c5dba7..2bf0cab 100644 ') ####################################### -@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. 
@@ -39978,7 +40010,7 @@ index 3c5dba7..2bf0cab 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1308,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -40049,7 +40081,7 @@ index 3c5dba7..2bf0cab 100644 ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -40060,7 +40092,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -40069,7 +40101,7 @@ index 3c5dba7..2bf0cab 100644 ') ############################## -@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40077,7 +40109,7 @@ index 3c5dba7..2bf0cab 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -40087,7 +40119,7 @@ index 3c5dba7..2bf0cab 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
@@ -40095,7 +40127,7 @@ index 3c5dba7..2bf0cab 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40110,7 +40142,7 @@ index 3c5dba7..2bf0cab 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -40153,7 +40185,7 @@ index 3c5dba7..2bf0cab 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40162,7 +40194,7 @@ index 3c5dba7..2bf0cab 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -40181,7 +40213,7 @@ index 3c5dba7..2bf0cab 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) 
@@ -40190,7 +40222,7 @@ index 3c5dba7..2bf0cab 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40202,7 +40234,7 @@ index 3c5dba7..2bf0cab 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -40245,7 +40277,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40264,7 +40296,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -40316,7 +40348,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -40348,7 +40380,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
@@ -40363,7 +40395,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40375,7 +40407,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40418,7 +40450,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40427,7 +40459,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -40442,7 +40474,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1772,7 +2246,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2247,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -40469,7 +40501,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1782,53 +2274,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2275,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` 
@@ -40552,7 +40584,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2357,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2358,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40578,7 +40610,7 @@ index 3c5dba7..2bf0cab 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2406,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2407,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -40616,7 +40648,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2446,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2447,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -40634,7 +40666,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1941,7 +2494,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2495,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -40661,7 +40693,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1951,17 +2522,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2523,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` @@ -40682,7 +40714,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1969,12 +2538,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2539,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -40733,7 +40765,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2010,8 +2615,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2616,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -40743,7 +40775,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2027,21 +2631,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,21 +2632,15 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -40769,7 +40801,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Do not audit attempts to execute user home files. -@@ -2123,7 +2721,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -40778,7 +40810,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2131,19 +2729,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2730,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -40802,7 +40834,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2151,12 +2747,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2748,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -40818,7 +40850,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2393,11 +2989,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2990,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -40833,7 +40865,7 @@ index 3c5dba7..2bf0cab 100644 files_search_tmp($1) ') -@@ -2417,7 +3013,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3014,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -40842,7 +40874,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2664,6 +3260,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3261,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -40868,7 +40900,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3295,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3296,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -40884,7 +40916,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2707,7 +3323,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3324,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -40893,7 +40925,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2715,14 +3331,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3332,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -40928,7 +40960,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2817,6 +3449,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3450,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -40953,7 +40985,7 @@ index 3c5dba7..2bf0cab 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3485,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3486,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -40996,7 +41028,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2859,14 +3521,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3522,33 @@ interface(`userdom_use_user_ptys',` ## ## # 
@@ -41034,7 +41066,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2885,8 +3566,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3567,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41064,7 +41096,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2958,69 +3658,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3659,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41165,7 +41197,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3028,12 +3727,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3728,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41180,7 +41212,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3097,7 +3796,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3797,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -41189,7 +41221,7 @@ index 3c5dba7..2bf0cab 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3812,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3813,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41223,7 +41255,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3217,7 +3900,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3901,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41250,7 +41282,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3272,7 +3973,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3974,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') 
@@ -41316,7 +41348,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3290,7 +4048,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4049,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41325,7 +41357,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3309,6 +4067,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4068,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41333,7 +41365,7 @@ index 3c5dba7..2bf0cab 100644 kernel_search_proc($1) ') -@@ -3385,6 +4144,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4145,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -41376,7 +41408,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,7 +4200,7 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,7 +4201,7 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -41385,7 +41417,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3413,17 +4208,17 @@ interface(`userdom_sigchld_all_users',` +@@ -3413,17 +4209,17 @@ interface(`userdom_sigchld_all_users',` ## ## # @@ -41406,7 +41438,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3431,11 +4226,1516 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',` ## ## # diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e9e4180..eb18323 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -3240,7 +3240,7 @@ index 550a69e..53e5708 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) 
diff --git a/apache.if b/apache.if -index 83e899c..c5be77c 100644 +index 83e899c..fac6fe5 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3256,7 +3256,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -13,118 +13,100 @@ +@@ -13,118 +13,101 @@ # template(`apache_content_template',` gen_require(` @@ -3411,6 +3411,7 @@ index 83e899c..c5be77c 100644 - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) ++ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto; ') ') @@ -3421,7 +3422,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -133,47 +115,61 @@ template(`apache_content_template',` +@@ -133,47 +116,61 @@ template(`apache_content_template',` ## ## ## @@ -3512,7 +3513,7 @@ index 83e899c..c5be77c 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +180,7 @@ interface(`apache_role',` +@@ -184,7 +181,7 @@ interface(`apache_role',` ######################################## ## @@ -3521,7 +3522,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -204,7 +200,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',` ######################################## ## @@ -3530,7 +3531,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -224,7 +220,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +221,7 @@ interface(`apache_read_user_content',` ######################################## ## @@ -3539,7 +3540,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -241,27 +237,47 @@ interface(`apache_domtrans',` +@@ -241,27 +238,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -3594,7 +3595,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -279,7 +295,7 @@ interface(`apache_signal',` +@@ -279,7 +296,7 @@ interface(`apache_signal',` ######################################## ## 
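Review bot: The added `allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;` has no comment explaining what traffic it covers, while the neighbouring domtrans carries one (`# apache runs the script:`). The rule is one-directional (httpd_t may send to any dgram socket owned by the script domain; nothing reciprocal is granted here), which is low risk, but without a note a later reader cannot tell it from an accidental widening of the script sandbox. Suggest a comment above it stating the actual use, along the lines of `# httpd sends datagrams to sockets the CGI/script domain creates (see changelog)`, with the concrete consumer named if known. The enclosing template block continues outside this hunk.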
@@ -3603,7 +3604,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -297,7 +313,7 @@ interface(`apache_signull',` +@@ -297,7 +314,7 @@ interface(`apache_signull',` ######################################## ## @@ -3612,7 +3613,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -315,8 +331,7 @@ interface(`apache_sigchld',` +@@ -315,8 +332,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -3622,7 +3623,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -334,8 +349,8 @@ interface(`apache_use_fds',` +@@ -334,8 +350,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -3633,7 +3634,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -348,13 +363,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -3650,7 +3651,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -372,8 +387,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -3661,7 +3662,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -391,8 +406,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -3671,7 +3672,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -417,7 +431,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -3681,7 +3682,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -435,7 +450,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -3691,7 +3692,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -453,7 +469,8 @@ interface(`apache_list_cache',` +@@ -453,7 +470,8 @@ interface(`apache_list_cache',` ######################################## ## 
@@ -3701,7 +3702,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -471,7 +488,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',` ######################################## ## @@ -3711,7 +3712,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -489,7 +507,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -3721,7 +3722,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -507,49 +526,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -3784,7 +3785,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -570,8 +591,8 @@ interface(`apache_manage_config',` +@@ -570,8 +592,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -3795,7 +3796,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -608,16 +629,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -3837,7 +3838,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -639,7 +682,8 @@ interface(`apache_read_log',` +@@ -639,7 +683,8 @@ interface(`apache_read_log',` ######################################## ## @@ -3847,7 +3848,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -657,10 +701,29 @@ interface(`apache_append_log',` +@@ -657,10 +702,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3879,7 +3880,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -678,8 +741,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## 
@@ -3890,7 +3891,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -698,47 +761,49 @@ interface(`apache_manage_log',` +@@ -698,47 +762,49 @@ interface(`apache_manage_log',` read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3953,7 +3954,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -752,11 +817,13 @@ interface(`apache_list_modules',` +@@ -752,11 +818,13 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -3968,7 +3969,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -776,46 +843,63 @@ interface(`apache_exec_modules',` +@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` ######################################## ## @@ -4049,7 +4050,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -829,13 +913,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4066,7 +4067,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -844,6 +929,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4074,7 +4075,7 @@ index 83e899c..c5be77c 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +941,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -4181,7 +4182,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -888,10 +1040,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4200,7 +4201,7 @@ index 83e899c..c5be77c 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1060,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## 
@@ -4212,7 +4213,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -941,7 +1099,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user @@ -4221,7 +4222,7 @@ index 83e899c..c5be77c 100644 ## to the specified role. ## ## -@@ -954,6 +1112,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4229,7 +4230,7 @@ index 83e899c..c5be77c 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1125,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4239,7 +4240,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -979,12 +1139,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4255,7 +4256,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1002,7 +1163,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4264,7 +4265,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1015,13 +1176,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4279,7 +4280,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1041,7 +1201,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4288,7 +4289,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1059,8 +1219,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## 
@@ -4298,7 +4299,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1070,13 +1229,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` @@ -4324,7 +4325,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1094,7 +1262,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4334,7 +4335,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1111,10 +1280,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4366,7 +4367,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1127,7 +1315,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4375,7 +4376,7 @@ index 83e899c..c5be77c 100644 ') ######################################## -@@ -1136,6 +1324,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4385,7 +4386,7 @@ index 83e899c..c5be77c 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1356,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4418,7 +4419,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1183,18 +1396,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4447,7 +4448,7 @@ index 83e899c..c5be77c 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1418,10 @@ interface(`apache_admin',` +@@ -1204,10 +1419,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4461,7 +4462,7 @@ index 83e899c..c5be77c 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1432,129 @@ interface(`apache_admin',` +@@ -1218,9 +1433,129 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -7156,6 +7157,19 @@ index 3590e2f..e1494bd 100644 ') optional_policy(` +diff --git a/apt.if b/apt.if +index e2414c4..970736b 100644 +--- a/apt.if ++++ b/apt.if +@@ -152,7 +152,7 @@ interface(`apt_read_cache',` + + files_search_var($1) + allow $1 apt_var_cache_t:dir list_dir_perms; +- dontaudit $1 apt_var_cache_t:dir write_dir_perms; ++ dontaudit $1 apt_var_cache_t:dir rw_dir_perms; + allow $1 apt_var_cache_t:file read_file_perms; + ') + diff --git a/apt.te b/apt.te index e2d8d52..d82403c 100644 --- a/apt.te @@ -7380,7 +7394,7 @@ index 7268a04..6ffd87d 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 5439f1c..0be374d 100644 +index 5439f1c..74c24a3 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; 
@@ -7402,7 +7416,7 @@ index 5439f1c..0be374d 100644 manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) - -+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file }) ++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file }) can_exec(asterisk_t, asterisk_exec_t) kernel_read_kernel_sysctls(asterisk_t) @@ -8357,7 +8371,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..d4fb2a4 100644 +index 076ffee..1672ca4 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; @@ -8390,7 +8404,18 @@ index 076ffee..d4fb2a4 100644 allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept listen }; -@@ -110,7 +114,6 @@ kernel_read_network_state(named_t) +@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) + + can_exec(named_t, named_exec_t) + +-append_files_pattern(named_t, named_log_t, named_log_t) +-create_files_pattern(named_t, named_log_t, named_log_t) +-setattr_files_pattern(named_t, named_log_t, named_log_t) ++manage_files_pattern(named_t, named_log_t, named_log_t) + logging_log_filetrans(named_t, named_log_t, file) + + manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +@@ -110,7 +112,6 @@ kernel_read_network_state(named_t) corecmd_search_bin(named_t) @@ -8398,7 +8423,7 @@ index 076ffee..d4fb2a4 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t) +@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t) dev_read_sysfs(named_t) dev_read_rand(named_t) dev_read_urand(named_t) 
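Review bot: The new `files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })` names `fifo_file`, but the only create-class rule visible in this hunk is `manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)`, and the changelog entry speaks only of sock_file. Unless a fifo_file manage rule exists above the hunk, the fifo_file transition has no matching allow and creation will still be denied. Either drop `fifo_file` from the class list or pair it with `manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)` next to the sock_file rule. The asterisk_t block continues outside this hunk.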
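Review bot: Replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on named_log_t with `manage_files_pattern(named_t, named_log_t, named_log_t)` gives named write, unlink and rename on its own logs, so a compromised named_t can truncate or delete the very records the previous append-only rules preserved. If the motivation is in-process log rotation, keeping the three existing patterns and adding `allow named_t named_log_t:file { rename unlink };` is narrower than full manage; if plain `write` is really required, a comment on the rule stating which named operation needs it would let a later reviewer judge the trade-off. The append-only shape looks deliberate upstream, presumably for this reason -- worth confirming before widening.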
@@ -8406,7 +8431,7 @@ index 076ffee..d4fb2a4 100644 domain_use_interactive_fds(named_t) -@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -8422,7 +8447,7 @@ index 076ffee..d4fb2a4 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +196,7 @@ optional_policy(` +@@ -183,6 +194,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -8430,7 +8455,7 @@ index 076ffee..d4fb2a4 100644 ') optional_policy(` -@@ -209,7 +223,8 @@ optional_policy(` +@@ -209,7 +221,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; @@ -8440,7 +8465,7 @@ index 076ffee..d4fb2a4 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -8452,7 +8477,7 @@ index 076ffee..d4fb2a4 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -8648,10 +8673,10 @@ index bc5c984..63a4b1d 100644 + xserver_read_state_xdm(blueman_t) +') diff --git a/bluetooth.fc b/bluetooth.fc -index 2b9c7f3..63e4860 100644 +index 2b9c7f3..0086b95 100644 --- a/bluetooth.fc +++ b/bluetooth.fc -@@ -5,10 +5,13 @@ +@@ -5,10 +5,14 @@ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) 
@@ -8662,6 +8687,7 @@ index 2b9c7f3..63e4860 100644 /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0) ++/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) @@ -8782,7 +8808,7 @@ index c723a0a..3e8a553 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 6f09d24..9c48d18 100644 +index 6f09d24..b1ec892 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) @@ -8795,7 +8821,17 @@ index 6f09d24..9c48d18 100644 ######################################## # # Local policy -@@ -90,14 +93,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) +@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) + + manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) + manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) +-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file }) ++manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) ++files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file }) + + manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) + manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) +@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) can_exec(bluetooth_t, bluetooth_helper_exec_t) 
@@ -8822,7 +8858,7 @@ index 6f09d24..9c48d18 100644 dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) -@@ -110,7 +123,6 @@ domain_use_interactive_fds(bluetooth_t) +@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) @@ -8830,7 +8866,7 @@ index 6f09d24..9c48d18 100644 fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) -@@ -122,7 +134,6 @@ auth_use_nsswitch(bluetooth_t) +@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t) logging_send_syslog_msg(bluetooth_t) @@ -8838,7 +8874,7 @@ index 6f09d24..9c48d18 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -130,8 +141,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +@@ -130,8 +142,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) @@ -8851,7 +8887,7 @@ index 6f09d24..9c48d18 100644 optional_policy(` cups_dbus_chat(bluetooth_t) -@@ -199,7 +214,6 @@ dev_read_urand(bluetooth_helper_t) +@@ -199,7 +215,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t) @@ -12419,7 +12455,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..b2709d1 100644 +index 6471fa8..dbb3f45 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) 
@@ -12437,16 +12473,17 @@ index 6471fa8..b2709d1 100644 ######################################## # # Local policy -@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal }; +@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow collectd_t self:udp_socket create_socket_perms; ++allow collectd_t self:rawip_socket create_socket_perms; manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) +@@ -46,23 +55,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) files_pid_filetrans(collectd_t, collectd_var_run_t, file) @@ -12479,7 +12516,7 @@ index 6471fa8..b2709d1 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +86,26 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` 
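Review bot: The new `allow collectd_t self:rawip_socket create_socket_perms;` is probably not sufficient on its own for sending ping packets: creating a raw IP socket also passes a CAP_NET_RAW check, which SELinux enforces as `self:capability net_raw`. Unless collectd_t already holds that capability somewhere outside this hunk, the denials will simply move from the rawip_socket class to the capability class; either add `allow collectd_t self:capability net_raw;` beside this rule or confirm it is already granted. The collectd_t local policy continues past this hunk.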
@@ -19055,6 +19092,19 @@ index 2c2e7e1..493ab48 100644 +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; +diff --git a/dcc.fc b/dcc.fc +index 62d3c4e..cef59a7 100644 +--- a/dcc.fc ++++ b/dcc.fc +@@ -10,6 +10,8 @@ + /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) + /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) + ++/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) ++ + /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) + /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) + /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) diff --git a/dcc.if b/dcc.if index a5c21e0..4639421 100644 --- a/dcc.if @@ -19068,7 +19118,7 @@ index a5c21e0..4639421 100644 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te -index 15d908f..147dd14 100644 +index 15d908f..cecb0da 100644 --- a/dcc.te +++ b/dcc.te @@ -45,7 +45,7 @@ type dcc_var_t; @@ -19102,7 +19152,16 @@ index 15d908f..147dd14 100644 ######################################## # -@@ -123,6 +126,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) +@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid }; + + allow dcc_client_t dcc_client_map_t:file rw_file_perms; + ++domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t) ++ + manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) +@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_client_t) 
@@ -19115,7 +19174,7 @@ index 15d908f..147dd14 100644 files_read_etc_runtime_files(dcc_client_t) fs_getattr_all_fs(dcc_client_t) -@@ -131,12 +140,10 @@ auth_use_nsswitch(dcc_client_t) +@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t) logging_send_syslog_msg(dcc_client_t) @@ -19130,7 +19189,7 @@ index 15d908f..147dd14 100644 ') optional_policy(` -@@ -160,15 +167,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) +@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_dbclean_t) @@ -19152,7 +19211,7 @@ index 15d908f..147dd14 100644 ######################################## # -@@ -202,7 +212,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) +@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) kernel_read_system_state(dccd_t) kernel_read_kernel_sysctls(dccd_t) @@ -19160,7 +19219,7 @@ index 15d908f..147dd14 100644 corenet_all_recvfrom_netlabel(dccd_t) corenet_udp_sendrecv_generic_if(dccd_t) corenet_udp_sendrecv_generic_node(dccd_t) -@@ -227,8 +236,6 @@ auth_use_nsswitch(dccd_t) +@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t) logging_send_syslog_msg(dccd_t) @@ -19169,7 +19228,7 @@ index 15d908f..147dd14 100644 userdom_dontaudit_use_unpriv_user_fds(dccd_t) userdom_dontaudit_search_user_home_dirs(dccd_t) -@@ -269,6 +276,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) +@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) kernel_read_system_state(dccifd_t) kernel_read_kernel_sysctls(dccifd_t) @@ -19181,7 +19240,7 @@ index 15d908f..147dd14 100644 dev_read_sysfs(dccifd_t) domain_use_interactive_fds(dccifd_t) -@@ -282,8 +294,6 @@ auth_use_nsswitch(dccifd_t) +@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t) logging_send_syslog_msg(dccifd_t) 
@@ -19190,7 +19249,7 @@ index 15d908f..147dd14 100644 userdom_dontaudit_use_unpriv_user_fds(dccifd_t) userdom_dontaudit_search_user_home_dirs(dccifd_t) -@@ -324,6 +334,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) +@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) kernel_read_system_state(dccm_t) kernel_read_kernel_sysctls(dccm_t) @@ -19202,7 +19261,7 @@ index 15d908f..147dd14 100644 dev_read_sysfs(dccm_t) domain_use_interactive_fds(dccm_t) -@@ -337,8 +352,6 @@ auth_use_nsswitch(dccm_t) +@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t) logging_send_syslog_msg(dccm_t) @@ -22992,7 +23051,7 @@ index 6041113..ef3b449 100644 role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; diff --git a/exim.te b/exim.te -index 19325ce..5957aad 100644 +index 19325ce..b5c157f 100644 --- a/exim.te +++ b/exim.te @@ -49,7 +49,7 @@ type exim_log_t; @@ -23049,7 +23108,18 @@ index 19325ce..5957aad 100644 ') optional_policy(` -@@ -218,6 +216,7 @@ optional_policy(` +@@ -192,8 +190,9 @@ optional_policy(` + ') + + optional_policy(` +- mailman_read_data_files(exim_t) ++ mailman_manage_data_files(exim_t) + mailman_domtrans(exim_t) ++ mailman_read_log(exim_t) + ') + + optional_policy(` +@@ -218,6 +217,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -24146,7 +24216,7 @@ index c12c067..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..fcb022d 100644 +index c81b6e8..34e1f1c 100644 --- a/fprintd.te +++ b/fprintd.te @@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) @@ -24157,8 +24227,11 @@ index c81b6e8..fcb022d 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t) +@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t) + + dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) ++dev_read_urand(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) -files_read_usr_files(fprintd_t) 
@@ -24172,7 +24245,7 @@ index c81b6e8..fcb022d 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +51,13 @@ optional_policy(` +@@ -54,8 +52,13 @@ optional_policy(` ') ') @@ -24901,7 +24974,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..79bc951 100644 +index e0a4f46..95cf77c 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -24935,7 +25008,7 @@ index e0a4f46..79bc951 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -24954,6 +25027,7 @@ index e0a4f46..79bc951 100644 corecmd_exec_shell(glance_domain) dev_read_urand(glance_domain) ++dev_read_sysfs(glance_domain) -files_read_etc_files(glance_domain) -files_read_usr_files(glance_domain) @@ -24966,7 +25040,7 @@ index e0a4f46..79bc951 100644 sysnet_dns_name_resolve(glance_domain) ######################################## -@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) 
@@ -24981,7 +25055,7 @@ index e0a4f46..79bc951 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -29772,7 +29846,7 @@ index ca07a87..6ea129c 100644 + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) diff --git a/iodine.if b/iodine.if -index a0bfbd0..6f5dbdf 100644 +index a0bfbd0..47f7c75 100644 --- a/iodine.if +++ b/iodine.if @@ -2,6 +2,30 @@ @@ -29794,7 +29868,7 @@ index a0bfbd0..6f5dbdf 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 iodined_unit_file_t:file read_file_perms; + allow $1 iodined_unit_file_t:service manage_service_perms; + @@ -35940,7 +36014,7 @@ index 108c0f1..a248501 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index 8eaf51b..3229e0f 100644 +index 8eaf51b..a057913 100644 --- a/mailman.te +++ b/mailman.te @@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) @@ -35985,7 +36059,7 @@ index 8eaf51b..3229e0f 100644 ######################################## # # CGI local policy -@@ -115,8 +112,9 @@ optional_policy(` +@@ -115,20 +112,23 @@ optional_policy(` # Mail local policy # 
@@ -35997,7 +36071,12 @@ index 8eaf51b..3229e0f 100644 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -@@ -127,8 +125,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) + files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) + ++can_exec(mailman_mail_t, mailman_mail_exec_t) ++ + corenet_sendrecv_innd_client_packets(mailman_mail_t) + corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) @@ -36007,7 +36086,7 @@ index 8eaf51b..3229e0f 100644 dev_read_urand(mailman_mail_t) -@@ -142,6 +140,10 @@ optional_policy(` +@@ -142,6 +142,10 @@ optional_policy(` ') optional_policy(` @@ -36018,7 +36097,7 @@ index 8eaf51b..3229e0f 100644 cron_read_pipes(mailman_mail_t) ') -@@ -182,3 +184,9 @@ optional_policy(` +@@ -182,3 +186,9 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) ') @@ -39137,7 +39216,7 @@ index 6194b80..3209b1c 100644 ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..2288b0e 100644 +index 6a306ee..2108bc7 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -39581,7 +39660,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -300,221 +324,183 @@ optional_policy(` +@@ -300,221 +324,184 @@ optional_policy(` ######################################## # @@ -39849,6 +39928,7 @@ index 6a306ee..2288b0e 100644 +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) +term_getattr_ptmx(mozilla_plugin_t) ++term_dontaudit_use_ptmx(mozilla_plugin_t) +userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) +userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -39904,7 +39984,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -523,36 +509,44 @@ optional_policy(` +@@ -523,36 +510,44 @@ optional_policy(` ') optional_policy(` 
@@ -39919,13 +39999,6 @@ index 6a306ee..2288b0e 100644 + dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_read_usr_config(mozilla_plugin_t) -+ gnome_filetrans_home_content(mozilla_plugin_t) -+ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` @@ -39933,6 +40006,13 @@ index 6a306ee..2288b0e 100644 - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") ++ gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ++ gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') @@ -39962,7 +40042,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -560,7 +554,7 @@ optional_policy(` +@@ -560,7 +555,7 @@ optional_policy(` ') optional_policy(` @@ -39971,7 +40051,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -568,108 +562,126 @@ optional_policy(` +@@ -568,108 +563,128 @@ optional_policy(` ') optional_policy(` 
@@ -40000,12 +40080,12 @@ index 6a306ee..2288b0e 100644 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) @@ -40077,6 +40157,8 @@ index 6a306ee..2288b0e 100644 fs_getattr_all_fs(mozilla_plugin_config_t) -fs_search_auto_mountpoints(mozilla_plugin_config_t) -fs_list_inotifyfs(mozilla_plugin_config_t) ++ ++term_dontaudit_use_ptmx(mozilla_plugin_config_t) auth_use_nsswitch(mozilla_plugin_config_t) @@ -46227,10 +46309,10 @@ index 0000000..02dc6dc +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..cf8f660 +index 0000000..28936b4 --- /dev/null +++ b/nova.if -@@ -0,0 +1,55 @@ +@@ -0,0 +1,57 @@ +## openstack-nova + +###################################### @@ -46285,13 +46367,15 @@ index 0000000..cf8f660 + + kernel_read_system_state(nova_$1_t) + ++ logging_send_syslog_msg(nova_$1_t) ++ +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..fc9f771 +index 0000000..d5b54e5 --- /dev/null 
+++ b/nova.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,320 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -46305,6 +46389,7 @@ index 0000000..fc9f771 +# + +attribute nova_domain; ++attribute nova_sudo_domain; + +nova_domain_template(ajax) +nova_domain_template(api) @@ -46318,6 +46403,12 @@ index 0000000..fc9f771 +nova_domain_template(vncproxy) +nova_domain_template(volume) + ++typeattribute nova_api_t nova_sudo_domain; ++typeattribute nova_cert_t nova_sudo_domain; ++typeattribute nova_console_t nova_sudo_domain; ++typeattribute nova_network_t nova_sudo_domain; ++typeattribute nova_volume_t nova_sudo_domain; ++ +type nova_log_t; +logging_log_file(nova_log_t) + @@ -46349,6 +46440,8 @@ index 0000000..fc9f771 +corenet_tcp_connect_amqp_port(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) + ++kernel_read_network_state(nova_domain) ++ +corecmd_exec_bin(nova_domain) +corecmd_exec_shell(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) @@ -46362,6 +46455,7 @@ index 0000000..fc9f771 + +optional_policy(` + sysnet_read_config(nova_domain) ++ sysnet_exec_ifconfig(nova_domain) +') + +###################################### @@ -46369,9 +46463,9 @@ index 0000000..fc9f771 +# nova ajax local policy +# + -+optional_policy(` -+ unconfined_domain(nova_ajax_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_ajax_t) ++#') + +####################################### +# @@ -46400,15 +46494,6 @@ index 0000000..fc9f771 + +miscfiles_read_certs(nova_api_t) + -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_api_t) -+ allow nova_api_t self:capability { setuid sys_resource setgid }; -+ allow nova_api_t self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_api_t) -+ ') -+') -+ +optional_policy(` + iptables_domtrans(nova_api_t) +') 
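Review bot: The new `nova_sudo_domain` attribute is attached to `nova_cert_t` and `nova_console_t` as well as to api, network and volume, but the per-domain blocks removed in the later hunks of this file (through the `@@ -46602,22 +46678,22 @@` hunk, where the consolidated `sudo_exec(nova_sudo_domain)` block lands) only ever gave sudo execution and the `setuid`/`setgid`/`sys_resource` capabilities to api, network and volume. Cert and console therefore gain the ability to run sudo and switch uid inside their own domain with no transition, and `audit_write`, previously only on nova_volume_t, now goes to all five. If cert and console genuinely invoke sudo, a comment above the `typeattribute` lines naming that code path would make the intent reviewable; otherwise drop `typeattribute nova_cert_t nova_sudo_domain;` and `typeattribute nova_console_t nova_sudo_domain;`.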
@@ -46417,9 +46502,9 @@ index 0000000..fc9f771 + ssh_exec_keygen(nova_api_t) +') + -+optional_policy(` -+ unconfined_domain(nova_api_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_api_t) ++#') + +###################################### +# @@ -46478,9 +46563,9 @@ index 0000000..fc9f771 +# nova direct local policy +# + -+optional_policy(` -+ unconfined_domain(nova_direct_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_direct_t) ++#') + +####################################### +# @@ -46520,15 +46605,6 @@ index 0000000..fc9f771 + +logging_send_syslog_msg(nova_network_t) + -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_network_t) -+ allow nova_network_t self:capability { setuid sys_resource setgid }; -+ allow nova_network_t self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_network_t) -+ ') -+') -+ +optional_policy(` + brctl_domtrans(nova_network_t) +') @@ -46539,16 +46615,16 @@ index 0000000..fc9f771 +') + +optional_policy(` -+ iptables_domtrans(nova_network_t) ++ iptables_domtrans(nova_network_t) +') + +optional_policy(` + sysnet_domtrans_ifconfig(nova_network_t) +') + -+optional_policy(` -+ unconfined_domain(nova_network_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_network_t) ++#') + +####################################### +# @@ -46572,18 +46648,18 @@ index 0000000..fc9f771 +allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; +allow nova_scheduler_t self:udp_socket create_socket_perms; + -+optional_policy(` -+ unconfined_domain(nova_scheduler_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_scheduler_t) ++#') + +####################################### +# +# nova vncproxy local policy +# + -+optional_policy(` -+ unconfined_domain(nova_vncproxy_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_vncproxy_t) ++#') + +####################################### +# 
@@ -46602,22 +46678,22 @@ index 0000000..fc9f771 + lvm_domtrans(nova_volume_t) +') + -+ifdef(`hide_broken_symptoms',` -+ require { -+ type sudo_exec_t; -+ } -+ -+ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans }; -+ -+ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write }; -+ allow nova_volume_t self:process { setsched setrlimit }; -+ -+ logging_send_audit_msgs(nova_volume_t) ++#optional_policy(` ++# unconfined_domain(nova_volume_t) ++#') + -+') ++####################################### ++# ++# nova sudo domain local policy ++# + -+optional_policy(` -+ unconfined_domain(nova_volume_t) ++ifdef(`hide_broken_symptoms',` ++ optional_policy(` ++ sudo_exec(nova_sudo_domain) ++ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write }; ++ allow nova_sudo_domain self:process { setsched setrlimit }; ++ logging_send_audit_msgs(nova_sudo_domain) ++ ') +') + diff --git a/nscd.fc b/nscd.fc @@ -51534,7 +51610,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..8a6fbc2 100644 +index 3270ff9..60a7af6 100644 --- a/openvpn.te +++ b/openvpn.te @@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -51551,7 +51627,22 @@ index 3270ff9..8a6fbc2 100644 ##

## Determine whether openvpn can ## read generic user home content files. -@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t) +@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3) + ## + gen_tunable(openvpn_enable_homedirs, false) + ++## ++##

++## Determine whether openvpn can ++## connect to the TCP network. ++##

++## ++gen_tunable(openvpn_can_network_connect, false) ++ + attribute_role openvpn_roles; + + type openvpn_t; +@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -51570,7 +51661,7 @@ index 3270ff9..8a6fbc2 100644 type openvpn_var_log_t; logging_log_file(openvpn_var_log_t) -@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t) +@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # @@ -51579,7 +51670,7 @@ index 3270ff9..8a6fbc2 100644 allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; -@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") @@ -51592,7 +51683,7 @@ index 3270ff9..8a6fbc2 100644 manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t) +@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -51600,8 +51691,11 @@ index 3270ff9..8a6fbc2 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t) +@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) + corenet_sendrecv_http_server_packets(openvpn_t) + corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) ++corenet_tcp_connect_squid_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_sendrecv_http_port(openvpn_t) - 
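Review bot: The `<desc>` of the new `openvpn_can_network_connect` tunable understates what it enables: the `tunable_policy` block in a later hunk of this file calls `corenet_tcp_connect_all_ports(openvpn_t)`, i.e. outbound connections to every TCP port, not merely "the TCP network". Administrators see this text when listing booleans, so it should say so, e.g. `## Determine whether openvpn can` / `## connect to any TCP port.`. Defaulting the tunable to `false` is the right choice.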
@@ -51614,7 +51708,7 @@ index 3270ff9..8a6fbc2 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t) auth_use_pam(openvpn_t) @@ -51642,7 +51736,18 @@ index 3270ff9..8a6fbc2 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -155,3 +180,27 @@ optional_policy(` +@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(openvpn_t) + ') + ++tunable_policy(`openvpn_can_network_connect',` ++ corenet_tcp_connect_all_ports(openvpn_t) ++') ++ + optional_policy(` + daemontools_service_domain(openvpn_t, openvpn_exec_t) + ') +@@ -155,3 +193,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -53116,7 +53221,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..ca01f2f 100644 +index 7bcf327..c850b64 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -53140,7 +53245,7 @@ index 7bcf327..ca01f2f 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,237 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,238 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) @@ -53173,8 +53278,8 @@ index 7bcf327..ca01f2f 100644 +allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; +allow pegasus_openlmi_domain self:udp_socket create_socket_perms; + -+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) -+rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) + +corecmd_exec_bin(pegasus_openlmi_domain) +corecmd_exec_shell(pegasus_openlmi_domain) 
@@ -53309,6 +53414,7 @@ index 7bcf327..ca01f2f 100644 +# pegasus openlmi storage local policy +# + ++allow pegasus_openlmi_storage_t self:capability sys_admin; + +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) @@ -53383,7 +53489,7 @@ index 7bcf327..ca01f2f 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +270,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +271,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -53414,7 +53520,7 @@ index 7bcf327..ca01f2f 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +296,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +297,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -53447,7 +53553,7 @@ index 7bcf327..ca01f2f 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +324,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +325,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -53455,7 +53561,7 @@ index 7bcf327..ca01f2f 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +339,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +340,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) 
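Review bot: `allow pegasus_openlmi_storage_t self:capability sys_admin;` grants the broadest capability in the set (mount, quota, many block-device ioctls and more) with no comment on which storage operation requires it, and it sits unconditionally in the local policy. Please add a one-line comment above it naming the denied operation, e.g. `# needed for <operation from the AVC denial>`, and check whether something narrower covers it — `dac_override` if it is a permission issue, or delegating the work through an existing domtrans interface such as `lvm_domtrans` when the provider shells out to a helper. The pegasus_openlmi_storage_t section continues past this hunk.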
@@ -53487,7 +53593,7 @@ index 7bcf327..ca01f2f 100644 ') optional_policy(` -@@ -151,16 +369,24 @@ optional_policy(` +@@ -151,16 +370,24 @@ optional_policy(` ') optional_policy(` @@ -53516,7 +53622,7 @@ index 7bcf327..ca01f2f 100644 ') optional_policy(` -@@ -168,7 +394,7 @@ optional_policy(` +@@ -168,7 +395,7 @@ optional_policy(` ') optional_policy(` @@ -56882,6 +56988,18 @@ index 316d53a..79b5c4f 100644 -miscfiles_read_localization(polipo_daemon) +userdom_home_manager(polipo_session_t) +diff --git a/portage.if b/portage.if +index 67e8c12..18b89d7 100644 +--- a/portage.if ++++ b/portage.if +@@ -67,6 +67,7 @@ interface(`portage_compile_domain',` + class dbus send_msg; + type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; + type portage_tmpfs_t; ++ type portage_sandbox_t; + ') + + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; diff --git a/portage.te b/portage.te index a95fc4a..b9b5418 100644 --- a/portage.te @@ -60114,7 +60232,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index c0f047a..6f22887 100644 +index c0f047a..e04bdd6 100644 --- a/prelink.te +++ b/prelink.te @@ -1,4 +1,4 @@ @@ -60287,7 +60405,7 @@ index c0f047a..6f22887 100644 kernel_read_system_state(prelink_cron_system_t) -@@ -184,8 +168,11 @@ optional_policy(` +@@ -184,23 +168,36 @@ optional_policy(` dev_list_sysfs(prelink_cron_system_t) dev_read_sysfs(prelink_cron_system_t) @@ -60300,7 +60418,11 @@ index c0f047a..6f22887 100644 auth_use_nsswitch(prelink_cron_system_t) -@@ -196,11 +183,20 @@ optional_policy(` + init_telinit(prelink_cron_system_t) + init_exec(prelink_cron_system_t) ++ init_reload_services(prelink_cron_system_t) + + libs_exec_ld_so(prelink_cron_system_t) logging_search_logs(prelink_cron_system_t) @@ -61006,7 +61128,7 @@ index 0000000..96a0d9f +/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) 
diff --git a/prosody.if b/prosody.if new file mode 100644 -index 0000000..8867237 +index 0000000..f1e1209 --- /dev/null +++ b/prosody.if @@ -0,0 +1,239 @@ @@ -61144,7 +61266,7 @@ index 0000000..8867237 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 prosody_unit_file_t:file read_file_perms; + allow $1 prosody_unit_file_t:service manage_service_perms; + @@ -61331,7 +61453,7 @@ index 0000000..4f6badd + +miscfiles_read_localization(prosody_t) diff --git a/psad.if b/psad.if -index d4dcf78..59ab964 100644 +index d4dcf78..3cce82e 100644 --- a/psad.if +++ b/psad.if @@ -93,9 +93,8 @@ interface(`psad_manage_config',` @@ -61401,7 +61523,7 @@ index d4dcf78..59ab964 100644 ## Read and write psad fifo files. ##
## -@@ -198,6 +236,26 @@ interface(`psad_rw_fifo_file',` +@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',` ####################################### ## @@ -61425,10 +61547,29 @@ index d4dcf78..59ab964 100644 + +####################################### +## ++## Allow search to psad lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_search_lib_files',` ++ gen_require(` ++ type psad_t, psad_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## ## Read and write psad temporary files. ## ## -@@ -235,30 +293,34 @@ interface(`psad_rw_tmp_files',` +@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; @@ -66060,7 +66201,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..7054723 100644 +index 3698b51..8c4ba04 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -66118,7 +66259,7 @@ index 3698b51..7054723 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -66139,6 +66280,8 @@ index 3698b51..7054723 100644 +fs_getattr_all_dirs(rabbitmq_beam_t) +fs_getattr_cgroup(rabbitmq_beam_t) + ++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) ++ +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) 
@@ -66165,7 +66308,7 @@ index 3698b51..7054723 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -66554,7 +66697,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..1e9ad6b 100644 +index 2c1730b..0bf7d02 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -66635,7 +66778,7 @@ index 2c1730b..1e9ad6b 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -66653,10 +66796,11 @@ index 2c1730b..1e9ad6b 100644 -miscfiles_read_localization(mdadm_t) +systemd_exec_systemctl(mdadm_t) ++systemd_start_systemd_services(mdadm_t) userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +122,17 @@ optional_policy(` +@@ -97,9 +123,17 @@ optional_policy(` ') optional_policy(` @@ -72250,7 +72394,7 @@ index ebe91fc..6392cad 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..84f2fd7 100644 +index 0628d50..3031a82 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ 
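Review bot: `systemd_start_systemd_services(mdadm_t)` is added with no comment and no changelog entry, and it is a broader grant than the adjacent `systemd_exec_systemctl(mdadm_t)` — presumably it lets mdadm start systemd-managed units rather than merely run systemctl. A comment naming the unit mdadm actually starts, e.g. `# mdadm udev rules start monitoring units — TODO confirm which unit`, would let a later review scope this grant. The enclosing rule block for mdadm_t continues outside the hunk.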
@@ -72385,10 +72529,28 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -181,6 +186,42 @@ interface(`rpm_rw_pipes',` +@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',` ######################################## ## ++## Read and write an unnamed RPM script pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_rw_script_inherited_pipes',` ++ gen_require(` ++ type rpm_t; ++ ') ++ ++ allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## +## dontaudit read and write an leaked file descriptors +## +## @@ -72428,7 +72590,7 @@ index 0628d50..84f2fd7 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -224,7 +265,7 @@ interface(`rpm_dontaudit_dbus_chat',` +@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',` ######################################## ## ## Send and receive messages from @@ -72437,7 +72599,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -244,7 +285,7 @@ interface(`rpm_script_dbus_chat',` +@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',` ######################################## ## @@ -72446,7 +72608,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -263,7 +304,8 @@ interface(`rpm_search_log',` +@@ -263,7 +322,8 @@ interface(`rpm_search_log',` ##################################### ## @@ -72456,17 +72618,19 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -276,14 +318,30 @@ interface(`rpm_append_log',` +@@ -276,14 +336,30 @@ interface(`rpm_append_log',` type rpm_log_t; ') - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. +## +## 
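Review bot: `rpm_rw_script_inherited_pipes` requires `type rpm_t;` but its only rule references `rpm_script_t`, which is not in the gen_require; the block should read `type rpm_script_t;` so callers in other modules get the type declared. As written, `rpm_t` is required for nothing, and a module calling this interface without `rpm_script_t` otherwise in scope would presumably fail to build. Since the rule grants `rw_inherited_fifo_file_perms`, the summary is better stated as `## Read and write inherited RPM script pipes.`.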
@@ -72481,17 +72645,15 @@ index 0628d50..84f2fd7 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. ## ## ## -@@ -302,7 +360,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` ######################################## ## @@ -72500,7 +72662,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -72511,7 +72673,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -72528,7 +72690,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -72546,7 +72708,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -72562,7 +72724,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -72571,7 +72733,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -420,8 +482,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -72581,7 +72743,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` ######################################## ## 
@@ -72590,7 +72752,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -459,11 +520,12 @@ interface(`rpm_read_db',` +@@ -459,11 +538,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -72604,7 +72766,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -482,8 +544,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -72614,7 +72776,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -503,8 +564,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -72644,7 +72806,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -517,7 +598,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -72653,7 +72815,7 @@ index 0628d50..84f2fd7 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +624,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -72663,7 +72825,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -563,8 +643,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -72673,7 +72835,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -573,94 +652,72 @@ interface(`rpm_manage_pid_files',` +@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` 
@@ -72767,16 +72929,16 @@ index 0628d50..84f2fd7 100644 - allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rpm_t rpm_script_t }) -- ++ typeattribute $1 rpm_transition_domain; ++ allow $1 rpm_script_t:process transition; + - init_labeled_script_domtrans($1, rpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpm_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, rpm_file_t) -+ typeattribute $1 rpm_transition_domain; -+ allow $1 rpm_script_t:process transition; - +- - files_list_var($1) - admin_pattern($1, rpm_cache_t) - @@ -81193,10 +81355,28 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..de313d7 100644 +index 703efa3..e3580b2 100644 --- a/sosreport.te +++ b/sosreport.te -@@ -70,7 +70,6 @@ files_list_all(sosreport_t) +@@ -33,6 +33,8 @@ allow sosreport_t self:process { setsched signull }; + allow sosreport_t self:fifo_file rw_fifo_file_perms; + allow sosreport_t self:tcp_socket { accept listen }; + allow sosreport_t self:unix_stream_socket { accept listen }; ++allow sosreport_t self:rawip_socket create_socket_perms; ++allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +@@ -58,6 +60,8 @@ dev_read_rand(sosreport_t) + dev_read_urand(sosreport_t) + dev_read_raw_memory(sosreport_t) + dev_read_sysfs(sosreport_t) ++dev_getattr_all_chr_files(sosreport_t) ++dev_getattr_all_blk_files(sosreport_t) + + domain_getattr_all_domains(sosreport_t) + domain_read_all_domains_state(sosreport_t) +@@ -70,7 +74,6 @@ files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) 
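Review bot: `allow sosreport_t self:rawip_socket create_socket_perms;` gives the report collector raw IP sockets, a broader network grant than the `netlink_kobject_uevent_socket` rule beside it, and it is not covered by the changelog entry (`sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket`). A comment naming the plugin that needs raw sockets would document the grant; if that tool already has its own domain, a domain transition to it would keep raw-socket use out of sosreport_t itself. The allow block continues outside the hunk.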
@@ -81204,10 +81384,19 @@ index 703efa3..de313d7 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -84,6 +83,10 @@ fs_list_inotifyfs(sosreport_t) +@@ -79,23 +82,31 @@ files_manage_etc_runtime_files(sosreport_t) + files_etc_filetrans_etc_runtime(sosreport_t, file) + + fs_getattr_all_fs(sosreport_t) ++fs_getattr_all_dirs(sosreport_t) + fs_list_inotifyfs(sosreport_t) + storage_dontaudit_read_fixed_disk(sosreport_t) storage_dontaudit_read_removable_device(sosreport_t) ++term_getattr_pty_fs(sosreport_t) ++term_getattr_all_ptys(sosreport_t) ++ +# some config files do not have configfile attribute +# sosreport needs to read various files on system +files_read_non_security_files(sosreport_t) @@ -81215,7 +81404,10 @@ index 703efa3..de313d7 100644 auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) -@@ -93,9 +96,8 @@ libs_domtrans_ldconfig(sosreport_t) ++init_getattr_initctl(sosreport_t) + + libs_domtrans_ldconfig(sosreport_t) + logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) @@ -81226,7 +81418,18 @@ index 703efa3..de313d7 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -111,6 +113,11 @@ optional_policy(` +@@ -103,6 +114,10 @@ optional_policy(` + ') + + optional_policy(` ++ brctl_domtrans(sosreport_t) ++') ++ ++optional_policy(` + cups_stream_connect(sosreport_t) + ') + +@@ -111,6 +126,11 @@ optional_policy(` ') optional_policy(` @@ -84006,10 +84209,10 @@ index 0000000..015c2c9 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..39f1ca1 +index 0000000..2d5942c --- /dev/null +++ b/swift.te -@@ -0,0 +1,53 @@ +@@ -0,0 +1,61 @@ +policy_module(swift, 1.0.0) + +######################################## 
@@ -84035,7 +84238,10 @@ index 0000000..39f1ca1 +# swift local policy +# + ++allow swift_t self:process signal; ++ +allow swift_t self:fifo_file rw_fifo_file_perms; ++allow swift_t self:tcp_socket create_stream_socket_perms; +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + @@ -84051,6 +84257,7 @@ index 0000000..39f1ca1 + +kernel_dgram_send(swift_t) +kernel_read_system_state(swift_t) ++kernel_read_network_state(swift_t) + +corecmd_exec_shell(swift_t) + @@ -84058,11 +84265,15 @@ index 0000000..39f1ca1 + +domain_use_interactive_fds(swift_t) + ++files_dontaudit_search_home(swift_t) ++ +auth_use_nsswitch(swift_t) + +libs_exec_ldconfig(swift_t) + +logging_send_syslog_msg(swift_t) ++ ++userdom_dontaudit_search_user_home_dirs(swift_t) diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 index 0000000..b7db254 @@ -84141,7 +84352,7 @@ index c9824cb..1973f71 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index c8b80b2..f041061 100644 +index c8b80b2..c81d332 100644 --- a/sysstat.te +++ b/sysstat.te @@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co @@ -84163,8 +84374,12 @@ index c8b80b2..f041061 100644 corecmd_exec_bin(sysstat_t) dev_read_sysfs(sysstat_t) -@@ -49,8 +48,10 @@ files_read_etc_runtime_files(sysstat_t) - fs_getattr_xattr_fs(sysstat_t) +@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t) + files_search_var(sysstat_t) + files_read_etc_runtime_files(sysstat_t) + +-fs_getattr_xattr_fs(sysstat_t) ++fs_getattr_all_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) +storage_getattr_fixed_disk_dev(sysstat_t) @@ -84481,7 +84696,7 @@ index c7de0cf..9813503 100644 +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) 
diff --git a/telepathy.if b/telepathy.if -index 42946bc..3d30062 100644 +index 42946bc..741f2f4 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ @@ -84561,7 +84776,7 @@ index 42946bc..3d30062 100644 type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; -@@ -63,91 +62,79 @@ template(`telepathy_role_template',` +@@ -63,91 +62,84 @@ template(`telepathy_role_template',` type telepathy_mission_control_exec_t, telepathy_salut_exec_t; type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; type telepathy_msn_exec_t; @@ -84667,11 +84882,15 @@ index 42946bc..3d30062 100644 ## -## +## - ## Domain allowed access. - ## - ## - # --interface(`telepathy_gabble_dbus_chat',` ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`telepathy_gabble_stream_connect_to', ` + gen_require(` + type telepathy_gabble_t; @@ -84687,15 +84906,16 @@ index 42946bc..3d30062 100644 +## +## +## -+## Domain allowed access. -+## -+## -+# + ## Domain allowed access. + ## + ## + # +-interface(`telepathy_gabble_dbus_chat',` +interface(`telepathy_gabble_dbus_chat', ` gen_require(` type telepathy_gabble_t; class dbus send_msg; -@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',` +@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',` ######################################## ## @@ -84708,7 +84928,7 @@ index 42946bc..3d30062 100644 ## Domain allowed access. ## ## -@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',` +@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',` ') kernel_search_proc($1) @@ -84726,7 +84946,7 @@ index 42946bc..3d30062 100644 ## ## ## -@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',` +@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',` ## ## # 
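Review bot: The documentation block for `telepathy_gabble_stream_connect_to` carries the parameter description twice (`## Domain allowed access.` appears in two consecutive param blocks), which looks like a copy-paste duplication and will render as two identical parameters in the interface docs; drop one so it matches `telepathy_gabble_dbus_chat` below it. The new interface headers also use `', `` with a space before the parameter body where the rest of the file uses `',`; use the file's form for both.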
@@ -84749,7 +84969,7 @@ index 42946bc..3d30062 100644 ## ## ## -@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',` +@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',` ## ## # @@ -87915,7 +88135,7 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 8840be6..285680c 100644 +index 8840be6..d2c7596 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; @@ -87935,7 +88155,15 @@ index 8840be6..285680c 100644 ######################################## # # Local policy -@@ -38,6 +42,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) +@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t) + allow usbmuxd_t self:capability { kill setgid setuid }; + allow usbmuxd_t self:process { signal signull }; + allow usbmuxd_t self:fifo_file rw_fifo_file_perms; ++allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) + manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) auth_use_nsswitch(usbmuxd_t) @@ -89035,10 +89263,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..898ce74 100644 +index c30da4c..b81eaa0 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,87 @@ +@@ -1,52 +1,86 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) 
@@ -89091,7 +89319,6 @@ index c30da4c..898ce74 100644 /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) @@ -89107,14 +89334,14 @@ index c30da4c..898ce74 100644 -/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +- +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) --/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -- -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) @@ -90853,7 +91080,7 @@ index 9dec06c..bdba959 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') diff --git a/virt.te b/virt.te -index 1f22fba..cd628f9 100644 +index 1f22fba..65dbdd3 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ 
@@ -92210,7 +92437,7 @@ index 1f22fba..cd628f9 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1037,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1037,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -92218,48 +92445,53 @@ index 1f22fba..cd628f9 100644 + selinux_mount_fs(virtd_lxc_t) selinux_unmount_fs(virtd_lxc_t) --selinux_get_enforce_mode(virtd_lxc_t) --selinux_get_fs_mount(virtd_lxc_t) --selinux_validate_context(virtd_lxc_t) --selinux_compute_access_vector(virtd_lxc_t) --selinux_compute_create_context(virtd_lxc_t) --selinux_compute_relabel_context(virtd_lxc_t) --selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) ++ ++term_use_generic_ptys(virtd_lxc_t) ++term_use_ptmx(virtd_lxc_t) ++term_relabel_pty_fs(virtd_lxc_t) ++ ++auth_use_nsswitch(virtd_lxc_t) ++ ++logging_send_syslog_msg(virtd_lxc_t) ++ ++seutil_domtrans_setfiles(virtd_lxc_t) ++seutil_read_default_contexts(virtd_lxc_t) ++ + selinux_get_enforce_mode(virtd_lxc_t) + selinux_get_fs_mount(virtd_lxc_t) + selinux_validate_context(virtd_lxc_t) +@@ -965,29 +1062,33 @@ selinux_compute_create_context(virtd_lxc_t) + selinux_compute_relabel_context(virtd_lxc_t) + selinux_compute_user_contexts(virtd_lxc_t) - term_use_generic_ptys(virtd_lxc_t) - term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1051,39 @@ auth_use_nsswitch(virtd_lxc_t) +-term_use_generic_ptys(virtd_lxc_t) +-term_use_ptmx(virtd_lxc_t) +-term_relabel_pty_fs(virtd_lxc_t) ++sysnet_exec_ifconfig(virtd_lxc_t) - logging_send_syslog_msg(virtd_lxc_t) +-auth_use_nsswitch(virtd_lxc_t) ++userdom_read_admin_home_files(virtd_lxc_t) --miscfiles_read_localization(virtd_lxc_t) -- - seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) - seutil_read_default_contexts(virtd_lxc_t) +-logging_send_syslog_msg(virtd_lxc_t) ++optional_policy(` ++ dbus_system_bus_client(virtd_lxc_t) ++ init_dbus_chat(virtd_lxc_t) ++') --sysnet_domtrans_ifconfig(virtd_lxc_t) -+selinux_get_enforce_mode(virtd_lxc_t) -+selinux_get_fs_mount(virtd_lxc_t) -+selinux_validate_context(virtd_lxc_t) -+selinux_compute_access_vector(virtd_lxc_t) -+selinux_compute_create_context(virtd_lxc_t) -+selinux_compute_relabel_context(virtd_lxc_t) 
-+selinux_compute_user_contexts(virtd_lxc_t) -+ -+sysnet_exec_ifconfig(virtd_lxc_t) -+ -+userdom_read_admin_home_files(virtd_lxc_t) -+ +-miscfiles_read_localization(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) +-seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') @@ -92273,11 +92505,11 @@ index 1f22fba..cd628f9 100644 -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; +allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit }; ++allow svirt_lxc_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; allow svirt_lxc_domain self:fifo_file manage_file_perms; allow svirt_lxc_domain self:sem create_sem_perms; allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1091,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; +@@ -995,18 +1096,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; 
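Review bot: The added `init_dbus_chat(virtd_lxc_t)` lets the domain exchange D-Bus messages with init, and `getcap` enters the `svirt_lxc_domain self:process` set alongside the `getpgid` the changelog mentions, with no comment on either. A short `# libvirt-lxc talks to systemd over the system bus — TODO confirm which service` above the new optional_policy block, and a changelog mention of `getcap`, would let the next review see why both were needed. The hunk also moves the `term_*`, `auth_use_nsswitch` and `seutil_*` rules ahead of the `selinux_*` block; that is fine, but it obscures which rules actually changed, so a smaller reorder would make the privilege delta easier to audit.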
@@ -92304,7 +92536,7 @@ index 1f22fba..cd628f9 100644 manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1109,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +@@ -1015,17 +1114,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) @@ -92324,7 +92556,7 @@ index 1f22fba..cd628f9 100644 kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1128,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +@@ -1037,21 +1133,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) files_dontaudit_getattr_all_sockets(svirt_lxc_domain) files_dontaudit_list_all_mountpoints(svirt_lxc_domain) files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) @@ -92351,11 +92583,12 @@ index 1f22fba..cd628f9 100644 auth_dontaudit_read_login_records(svirt_lxc_domain) auth_dontaudit_write_login_records(svirt_lxc_domain) auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1153,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) +@@ -1063,96 +1158,94 @@ init_dontaudit_write_utmp(svirt_lxc_domain) libs_dontaudit_setattr_lib_files(svirt_lxc_domain) -miscfiles_read_localization(svirt_lxc_domain) ++miscfiles_dontaudit_access_check_cert(svirt_lxc_domain) miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) miscfiles_read_fonts(svirt_lxc_domain) +miscfiles_read_hwdata(svirt_lxc_domain) 
@@ -92491,7 +92724,7 @@ index 1f22fba..cd628f9 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1252,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1258,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -92506,7 +92739,7 @@ index 1f22fba..cd628f9 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1270,8 @@ optional_policy(` +@@ -1183,9 +1276,8 @@ optional_policy(` ######################################## # @@ -92517,7 +92750,7 @@ index 1f22fba..cd628f9 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1284,121 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1290,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -92640,7 +92873,6 @@ index 1f22fba..cd628f9 100644 + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') -+ diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -93063,10 +93295,20 @@ index 9329eae..824e86f 100644 - seutil_use_newrole_fds(vpnc_t) -') diff --git a/watchdog.te b/watchdog.te -index 29f79e8..c58abd5 100644 +index 29f79e8..9e403ee 100644 --- a/watchdog.te 
+++ b/watchdog.te -@@ -63,7 +63,6 @@ domain_signull_all_domains(watchdog_t) +@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms; + allow watchdog_t self:tcp_socket { accept listen }; + + allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(watchdog_t, watchdog_log_t, file) ++manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) ++logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file}) + + manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) + files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) +@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) @@ -93074,7 +93316,7 @@ index 29f79e8..c58abd5 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -75,8 +74,6 @@ auth_append_login_records(watchdog_t) +@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 1d7d795..1d44ca8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 70%{?dist} +Release: 71%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
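Review bot: `manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})` omit the spaces after commas that every neighbouring rule uses (`manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)`); write them as `manage_dirs_pattern(watchdog_t, watchdog_log_t, watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t, { dir file })`. The file rule just above still grants only `{ append_file_perms create_file_perms setattr_file_perms }` on `watchdog_log_t`, so the daemon may now fully manage log directories but still cannot rewrite or delete its log files; if that asymmetry is intended, a one-line comment saying so would save the next reader from checking it.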
@@ -538,6 +538,39 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Aug 21 2013 Miroslav Grepl 3.12.1-71 +- Allow boinc to connect to @/tmp/.X11-unix/X0 +- Allow beam.smp to connect to tcp/5984 +- Allow named to manage own log files +- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t +- Add virt_transition_userdomain boolean decl +- Allow httpd_t to sendto unix_dgram sockets on its children +- Allow nova domains to execute ifconfig +- bluetooth wants to create fifo_files in /tmp +- exim needs to be able to manage mailman data +- Allow sysstat to getattr on all file systems +- Looks like bluetoothd has moved +- Allow collectd to send ping packets +- Allow svirt_lxc domains to getpgid +- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff +- Allow frpintd_t to read /dev/urandom +- Allow asterisk_t to create sock_file in /var/run +- Allow usbmuxd to use netlink_kobject +- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket +- More cleanup of svirt_lxc policy +- virtd_lxc_t now talks to dbus +- Dontaudit leaked ptmx_t +- Allow processes to use inherited fifo files +- Allow openvpn_t to connect to squid ports +- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() +- Allow ssh_t to use /dev/ptmx +- Make sure /run/pluto dir is created with correct labeling +- Allow syslog to run shell and bin_t commands +- Allow ip to relabel tun_sockets +- Allow mount to create directories in files under /run +- Allow processes to use inherited fifo files +- Allow user roles to connect to the journal socket + * Thu Aug 8 2013 Miroslav Grepl 3.12.1-70 - selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak