From dffef2f53cb644fb125207838520ec259c4c3fea Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 26 2011 09:07:52 +0000 Subject: - Add Dominicks patch for dccp_socket - dnsmasq needs to read nm-dns-dnsmasq.conf in /var/run/ - Colord inherits open file descriptors from the users...' - cgred needs auth_use_nsswitch() - apcupsd lock file was missing file context specificatio... - Make cron work - Allow clamav to manage amavis spool files - Use httpd_can_sendmail boolean also for httpd_suexec_t - Add fenced_can_ssh boolean - Add dev_dontaudit_read_generic_files() for hplip - Allow xauthority to create shared memory - Make postfix user domains application_domains - Allow xend to sys_admin privs - Allow mount to read usr files - Allow logrotate to connect to init script using unix stream socket - Allow nsplugin_t to getattr on gpmctl --- diff --git a/policy-F15.patch b/policy-F15.patch index b1073c0..12492a9 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1551,7 +1551,7 @@ index 47c4723..64c8889 100644 +') + diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te -index b4ac57e..785c319 100644 +index b4ac57e..ef944a4 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; @@ -1570,7 +1570,7 @@ index b4ac57e..785c319 100644 dontaudit readahead_t self:capability { net_admin sys_tty_config }; allow readahead_t self:process { setsched signal_perms }; -@@ -31,13 +32,17 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) +@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) files_search_var_lib(readahead_t) manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) 
@@ -1586,10 +1586,11 @@ index b4ac57e..785c319 100644 dev_read_sysfs(readahead_t) +dev_read_kmsg(readahead_t) ++dev_write_kmsg(readahead_t) dev_getattr_generic_chr_files(readahead_t) dev_getattr_generic_blk_files(readahead_t) dev_getattr_all_chr_files(readahead_t) -@@ -53,10 +58,18 @@ domain_read_all_domains_state(readahead_t) +@@ -53,10 +59,18 @@ domain_read_all_domains_state(readahead_t) files_list_non_security(readahead_t) files_read_non_security_files(readahead_t) @@ -1608,7 +1609,7 @@ index b4ac57e..785c319 100644 fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -66,12 +79,14 @@ fs_read_cgroup_files(readahead_t) +@@ -66,12 +80,14 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) @@ -1623,7 +1624,7 @@ index b4ac57e..785c319 100644 storage_raw_read_fixed_disk(readahead_t) -@@ -82,6 +97,8 @@ auth_dontaudit_read_shadow(readahead_t) +@@ -82,6 +98,8 @@ auth_dontaudit_read_shadow(readahead_t) init_use_fds(readahead_t) init_use_script_ptys(readahead_t) init_getattr_initctl(readahead_t) @@ -10070,7 +10071,7 @@ index 9e5c83e..953e0e8 100644 +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in -index 5a07a43..99c7564 100644 +index 5a07a43..096bc60 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -32,6 +32,33 @@ interface(`corenet_port',` 
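Review bot: The new `++dev_write_kmsg(readahead_t)` line in the readahead.te hunk grants readahead_t write access to the kernel log device, yet readahead is not mentioned in the commit message and the rule carries no comment saying why. Writing to /dev/kmsg lets a domain place text into the kernel ring buffer that dmesg and log collectors treat as kernel output, so the grant deserves a one-line justification next to it, e.g. `# readahead reports its status through /dev/kmsg -- confirm against the readahead source`. If readahead only needs to read the log, the `dev_read_kmsg(readahead_t)` rule already in the patch covers it and the write rule can be dropped.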
@@ -10141,7 +10142,816 @@ index 5a07a43..99c7564 100644 ## Define type to be a network client packet type ## ## -@@ -2168,9 +2222,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` +@@ -561,6 +615,24 @@ interface(`corenet_raw_sendrecv_all_if',` + + ######################################## + ## ++## Send and receive DCCP network traffic on generic nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_generic_node',` ++ gen_require(` ++ type node_t; ++ ') ++ ++ allow $1 node_t:node { dccp_send dccp_recv sendto recvfrom }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on generic nodes. + ## + ## +@@ -735,6 +807,24 @@ interface(`corenet_raw_sendrecv_generic_node',` + + ######################################## + ## ++## Bind DCCP sockets to generic nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_generic_node',` ++ gen_require(` ++ type node_t; ++ ') ++ ++ allow $1 node_t:dccp_socket node_bind; ++') ++ ++######################################## ++## + ## Bind TCP sockets to generic nodes. + ## + ## +@@ -874,6 +964,24 @@ interface(`corenet_inout_generic_node',` + + ######################################## + ## ++## Send and receive DCCP network traffic on all nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_all_nodes',` ++ gen_require(` ++ attribute node_type; ++ ') ++ ++ allow $1 node_type:node { dccp_send dccp_recv sendto recvfrom }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on all nodes. + ## + ## +@@ -1048,6 +1156,24 @@ interface(`corenet_raw_sendrecv_all_nodes',` + + ######################################## + ## ++## Bind DCCP sockets to all nodes. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`corenet_dccp_bind_all_nodes',` ++ gen_require(` ++ attribute node_type; ++ ') ++ ++ allow $1 node_type:dccp_socket node_bind; ++') ++ ++######################################## ++## + ## Bind TCP sockets to all nodes. + ## + ## +@@ -1103,6 +1229,24 @@ interface(`corenet_raw_bind_all_nodes',` + + ######################################## + ## ++## Send and receive DCCP network traffic on generic ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_generic_port',` ++ gen_require(` ++ type port_t; ++ ') ++ ++ allow $1 port_t:dccp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on generic ports. + ## + ## +@@ -1121,6 +1265,26 @@ interface(`corenet_tcp_sendrecv_generic_port',` + + ######################################## + ## ++## Do not audit attempts to send and ++## receive DCCP network traffic on ++## generic ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_sendrecv_generic_port',` ++ gen_require(` ++ type port_t; ++ ') ++ ++ dontaudit $1 port_t:dccp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## + ## Do not audit send and receive TCP network traffic on generic ports. + ## + ## +@@ -1190,6 +1354,26 @@ interface(`corenet_udp_sendrecv_generic_port',` + + ######################################## + ## ++## Bind DCCP sockets to generic ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_generic_port',` ++ gen_require(` ++ type port_t; ++ attribute port_type; ++ ') ++ ++ allow $1 port_t:dccp_socket name_bind; ++ dontaudit $1 { port_type -port_t }:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Bind TCP sockets to generic ports. 
+ ## + ## +@@ -1210,6 +1394,25 @@ interface(`corenet_tcp_bind_generic_port',` + + ######################################## + ## ++## Do not audit attempts to bind DCCP ++## sockets to generic ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_bind_generic_port',` ++ gen_require(` ++ type port_t; ++ ') ++ ++ dontaudit $1 port_t:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Do not audit bind TCP sockets to generic ports. + ## + ## +@@ -1248,6 +1451,24 @@ interface(`corenet_udp_bind_generic_port',` + + ######################################## + ## ++## Connect DCCP sockets to generic ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_generic_port',` ++ gen_require(` ++ type port_t; ++ ') ++ ++ allow $1 port_t:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to generic ports. + ## + ## +@@ -1266,6 +1487,24 @@ interface(`corenet_tcp_connect_generic_port',` + + ######################################## + ## ++## Send and receive DCCP network traffic on all ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_all_ports',` ++ gen_require(` ++ attribute port_type; ++ ') ++ ++ allow $1 port_type:dccp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on all ports. + ## + ## +@@ -1385,6 +1624,25 @@ interface(`corenet_udp_sendrecv_all_ports',` + + ######################################## + ## ++## Bind DCCP sockets to all ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_ports',` ++ gen_require(` ++ attribute port_type; ++ ') ++ ++ allow $1 port_type:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## + ## Bind TCP sockets to all ports. 
+ ## + ## +@@ -1404,6 +1662,24 @@ interface(`corenet_tcp_bind_all_ports',` + + ######################################## + ## ++## Do not audit attepts to bind DCCP sockets to any ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_bind_all_ports',` ++ gen_require(` ++ attribute port_type; ++ ') ++ ++ dontaudit $1 port_type:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Do not audit attepts to bind TCP sockets to any ports. + ## + ## +@@ -1459,6 +1735,24 @@ interface(`corenet_dontaudit_udp_bind_all_ports',` + + ######################################## + ## ++## Connect DCCP sockets to all ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_all_ports',` ++ gen_require(` ++ attribute port_type; ++ ') ++ ++ allow $1 port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to all ports. + ## + ## +@@ -1505,7 +1799,7 @@ interface(`corenet_tcp_connect_all_ports',` + + ######################################## + ## +-## Do not audit attempts to connect TCP sockets ++## Do not audit attempts to connect DCCP sockets + ## to all ports. + ## + ## +@@ -1514,35 +1808,72 @@ interface(`corenet_tcp_connect_all_ports',` + ## + ## + # +-interface(`corenet_dontaudit_tcp_connect_all_ports',` ++interface(`corenet_dontaudit_dccp_connect_all_ports',` + gen_require(` + attribute port_type; + ') + +- dontaudit $1 port_type:tcp_socket name_connect; ++ dontaudit $1 port_type:dccp_socket name_connect; + ') + + ######################################## + ## +-## Send and receive TCP network traffic on generic reserved ports. ++## Do not audit attempts to connect TCP sockets ++## to all ports. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`corenet_tcp_sendrecv_reserved_port',` ++interface(`corenet_dontaudit_tcp_connect_all_ports',` + gen_require(` +- type reserved_port_t; ++ attribute port_type; + ') + +- allow $1 reserved_port_t:tcp_socket { send_msg recv_msg }; ++ dontaudit $1 port_type:tcp_socket name_connect; + ') + + ######################################## + ## +-## Send UDP network traffic on generic reserved ports. ++## Send and receive DCCP network traffic on generic reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_reserved_port',` ++ gen_require(` ++ type reserved_port_t; ++ ') ++ ++ allow $1 reserved_port_t:dccp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## ++## Send and receive TCP network traffic on generic reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_tcp_sendrecv_reserved_port',` ++ gen_require(` ++ type reserved_port_t; ++ ') ++ ++ allow $1 reserved_port_t:tcp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## ++## Send UDP network traffic on generic reserved ports. + ## + ## + ## +@@ -1593,6 +1924,25 @@ interface(`corenet_udp_sendrecv_reserved_port',` + + ######################################## + ## ++## Bind DCCP sockets to generic reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_reserved_port',` ++ gen_require(` ++ type reserved_port_t; ++ ') ++ ++ allow $1 reserved_port_t:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## + ## Bind TCP sockets to generic reserved ports. + ## + ## +@@ -1631,6 +1981,24 @@ interface(`corenet_udp_bind_reserved_port',` + + ######################################## + ## ++## Connect DCCP sockets to generic reserved ports. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`corenet_dccp_connect_reserved_port',` ++ gen_require(` ++ type reserved_port_t; ++ ') ++ ++ allow $1 reserved_port_t:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to generic reserved ports. + ## + ## +@@ -1649,6 +2017,24 @@ interface(`corenet_tcp_connect_reserved_port',` + + ######################################## + ## ++## Send and receive DCCP network traffic on all reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_sendrecv_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:dccp_socket { send_msg recv_msg }; ++') ++ ++######################################## ++## + ## Send and receive TCP network traffic on all reserved ports. + ## + ## +@@ -1718,6 +2104,25 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',` + + ######################################## + ## ++## Bind DCCP sockets to all reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## + ## Bind TCP sockets to all reserved ports. + ## + ## +@@ -1737,6 +2142,24 @@ interface(`corenet_tcp_bind_all_reserved_ports',` + + ######################################## + ## ++## Do not audit attempts to bind DCCP sockets to all reserved ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_bind_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ dontaudit $1 reserved_port_type:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Do not audit attempts to bind TCP sockets to all reserved ports. 
+ ## + ## +@@ -1792,6 +2215,24 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',` + + ######################################## + ## ++## Bind DCCP sockets to all ports > 1024. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_unreserved_ports',` ++ gen_require(` ++ attribute port_type, reserved_port_type; ++ ') ++ ++ allow $1 { port_type -reserved_port_type }:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Bind TCP sockets to all ports > 1024. + ## + ## +@@ -1828,6 +2269,24 @@ interface(`corenet_udp_bind_all_unreserved_ports',` + + ######################################## + ## ++## Connect DCCP sockets to reserved ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ allow $1 reserved_port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to reserved ports. + ## + ## +@@ -1846,6 +2305,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',` + + ######################################## + ## ++## Connect DCCP sockets to all ports > 1024. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_all_unreserved_ports',` ++ gen_require(` ++ attribute port_type, reserved_port_type; ++ ') ++ ++ allow $1 { port_type -reserved_port_type }:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to all ports > 1024. + ## + ## +@@ -1864,6 +2341,25 @@ interface(`corenet_tcp_connect_all_unreserved_ports',` + + ######################################## + ## ++## Do not audit attempts to connect DCCP sockets ++## all reserved ports. ++## ++## ++## ++## Domain to not audit. 
++## ++## ++# ++interface(`corenet_dontaudit_dccp_connect_all_reserved_ports',` ++ gen_require(` ++ attribute reserved_port_type; ++ ') ++ ++ dontaudit $1 reserved_port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Do not audit attempts to connect TCP sockets + ## all reserved ports. + ## +@@ -1883,6 +2379,24 @@ interface(`corenet_dontaudit_tcp_connect_all_reserved_ports',` + + ######################################## + ## ++## Connect DCCP sockets to rpc ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_connect_all_rpc_ports',` ++ gen_require(` ++ attribute rpc_port_type; ++ ') ++ ++ allow $1 rpc_port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Connect TCP sockets to rpc ports. + ## + ## +@@ -1901,6 +2415,25 @@ interface(`corenet_tcp_connect_all_rpc_ports',` + + ######################################## + ## ++## Do not audit attempts to connect DCCP sockets ++## all rpc ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_connect_all_rpc_ports',` ++ gen_require(` ++ attribute rpc_port_type; ++ ') ++ ++ dontaudit $1 rpc_port_type:dccp_socket name_connect; ++') ++ ++######################################## ++## + ## Do not audit attempts to connect TCP sockets + ## all rpc ports. + ## +@@ -1995,6 +2528,25 @@ interface(`corenet_rw_ppp_dev',` + + ######################################## + ## ++## Bind DCCP sockets to all RPC ports. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_bind_all_rpc_ports',` ++ gen_require(` ++ attribute rpc_port_type; ++ ') ++ ++ allow $1 rpc_port_type:dccp_socket name_bind; ++ allow $1 self:capability net_bind_service; ++') ++ ++######################################## ++## + ## Bind TCP sockets to all RPC ports. 
+ ## + ## +@@ -2014,6 +2566,24 @@ interface(`corenet_tcp_bind_all_rpc_ports',` + + ######################################## + ## ++## Do not audit attempts to bind DCCP sockets to all RPC ports. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_bind_all_rpc_ports',` ++ gen_require(` ++ attribute rpc_port_type; ++ ') ++ ++ dontaudit $1 rpc_port_type:dccp_socket name_bind; ++') ++ ++######################################## ++## + ## Do not audit attempts to bind TCP sockets to all RPC ports. + ## + ## +@@ -2140,6 +2710,25 @@ interface(`corenet_tcp_recv_netlabel',` + + ######################################## + ## ++## Receive DCCP packets from a NetLabel connection. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_recvfrom_netlabel',` ++ gen_require(` ++ type netlabel_peer_t; ++ ') ++ ++ allow $1 netlabel_peer_t:peer recv; ++ allow $1 netlabel_peer_t:dccp_socket recvfrom; ++') ++ ++######################################## ++## + ## Receive TCP packets from a NetLabel connection. + ## + ## +@@ -2159,6 +2748,31 @@ interface(`corenet_tcp_recvfrom_netlabel',` + + ######################################## + ## ++## Receive DCCP packets from an unlabled connection. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`corenet_dccp_recvfrom_unlabeled',` ++ gen_require(` ++ attribute corenet_unlabeled_type; ++ ') ++ ++ kernel_dccp_recvfrom_unlabeled($1) ++ kernel_recvfrom_unlabeled_peer($1) ++ ++ typeattribute $1 corenet_unlabeled_type; ++ # XXX - at some point the oubound/send access check will be removed ++ # but for right now we need to keep this in place so as not to break ++ # older systems ++ kernel_sendrecv_unlabeled_association($1) ++') ++ ++######################################## ++## + ## Receive TCP packets from an unlabled connection. + ## + ## +@@ -2168,9 +2782,14 @@ interface(`corenet_tcp_recvfrom_netlabel',` ## # interface(`corenet_tcp_recvfrom_unlabeled',` 
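Review bot: Four of the new bind interfaces, `corenet_dccp_bind_all_ports`, `corenet_dccp_bind_reserved_port`, `corenet_dccp_bind_all_reserved_ports` and `corenet_dccp_bind_all_rpc_ports`, also emit `allow $1 self:capability net_bind_service;`, which presumably mirrors the TCP counterparts but means every caller acquires the capability even when it would never bind a privileged port; a comment such as `# net_bind_service is needed to bind ports < 1024; use corenet_dccp_bind_all_unreserved_ports if that is not required` above each of those allow lines would make the cost explicit. Two summary lines copy typos from the TCP templates, `attepts` in `corenet_dontaudit_dccp_bind_all_ports` and `unlabled` in `corenet_dccp_recvfrom_unlabeled`; fix them in the new text rather than propagating them. The relocation of `corenet_dontaudit_tcp_connect_all_ports` and `corenet_tcp_sendrecv_reserved_port` below their new DCCP siblings is a pure reorder and changes none of their rules.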
@@ -10156,10 +10966,79 @@ index 5a07a43..99c7564 100644 # XXX - at some point the oubound/send access check will be removed # but for right now we need to keep this in place so as not to break # older systems -@@ -2522,6 +2581,30 @@ interface(`corenet_all_recvfrom_netlabel',` +@@ -2195,6 +2814,26 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',` + + ######################################## + ## ++## Do not audit attempts to receive DCCP packets from a NetLabel ++## connection. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_recvfrom_netlabel',` ++ gen_require(` ++ type netlabel_peer_t; ++ ') ++ ++ dontaudit $1 netlabel_peer_t:peer recv; ++ dontaudit $1 netlabel_peer_t:dccp_socket recvfrom; ++') ++ ++######################################## ++## + ## Do not audit attempts to receive TCP packets from a NetLabel + ## connection. + ## +@@ -2215,6 +2854,27 @@ interface(`corenet_dontaudit_tcp_recvfrom_netlabel',` ######################################## ## ++## Do not audit attempts to receive DCCP packets from an unlabeled ++## connection. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`corenet_dontaudit_dccp_recvfrom_unlabeled',` ++ kernel_dontaudit_dccp_recvfrom_unlabeled($1) ++ kernel_dontaudit_recvfrom_unlabeled_peer($1) ++ ++ # XXX - at some point the oubound/send access check will be removed ++ # but for right now we need to keep this in place so as not to break ++ # older systems ++ kernel_dontaudit_sendrecv_unlabeled_association($1) ++') ++ ++######################################## ++## + ## Do not audit attempts to receive TCP packets from an unlabeled + ## connection. 
+ ## +@@ -2479,6 +3139,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',` + ## + # + interface(`corenet_all_recvfrom_unlabeled',` ++ kernel_dccp_recvfrom_unlabeled($1) + kernel_tcp_recvfrom_unlabeled($1) + kernel_udp_recvfrom_unlabeled($1) + kernel_raw_recvfrom_unlabeled($1) +@@ -2517,7 +3178,31 @@ interface(`corenet_all_recvfrom_netlabel',` + ') + + allow $1 netlabel_peer_t:peer recv; +- allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; ++ allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; ++') ++ ++######################################## ++## +## Enable unlabeled net packets +## +## 
@@ -10180,15 +11059,64 @@ index 5a07a43..99c7564 100644 + ') + + kernel_sendrecv_unlabeled_association(corenet_unlabeled_type) + ') + + ######################################## +@@ -2531,6 +3216,7 @@ interface(`corenet_all_recvfrom_netlabel',` + ## + # + interface(`corenet_dontaudit_all_recvfrom_unlabeled',` ++ kernel_dontaudit_dccp_recvfrom_unlabeled($1) + kernel_dontaudit_tcp_recvfrom_unlabeled($1) + kernel_dontaudit_udp_recvfrom_unlabeled($1) + kernel_dontaudit_raw_recvfrom_unlabeled($1) +@@ -2559,7 +3245,35 @@ interface(`corenet_dontaudit_all_recvfrom_netlabel',` + ') + + dontaudit $1 netlabel_peer_t:peer recv; +- dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom; ++ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket dccp_socket } recvfrom; +') + +######################################## +## - ## Do not audit attempts to receive packets from an unlabeled connection. - ## - ## ++## Rules for receiving labeled DCCP packets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Peer domain. ++## ++## ++# ++interface(`corenet_dccp_recvfrom_labeled',` ++ allow { $1 $2 } self:association sendto; ++ allow $1 $2:{ association dccp_socket } recvfrom; ++ allow $2 $1:{ association dccp_socket } recvfrom; ++ ++ allow $1 $2:peer recv; ++ allow $2 $1:peer recv; ++ ++ # allow receiving packets from MLS-only peers using NetLabel ++ corenet_dccp_recvfrom_netlabel($1) ++ corenet_dccp_recvfrom_netlabel($2) + ') + + ######################################## +@@ -2673,6 +3387,7 @@ interface(`corenet_raw_recvfrom_labeled',` + ## + # + interface(`corenet_all_recvfrom_labeled',` ++ corenet_dccp_recvfrom_labeled($1, $2) + corenet_tcp_recvfrom_labeled($1, $2) + corenet_udp_recvfrom_labeled($1, $2) + corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..fc98c87 100644 +index 0757523..48d40c2 100644 
--- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -10387,7 +11315,7 @@ index 0757523..fc98c87 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -205,16 +250,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -205,20 +250,22 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) 
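Review bot: `corenet_dccp_recvfrom_labeled` in the nested `@@ -2559,7 +3245,35 @@` hunk writes rules for both of its arguments (`allow $2 $1:{ association dccp_socket } recvfrom;` and `allow $2 $1:peer recv;`), so the parameter text "Domain allowed access." / "Peer domain." understates that the access is symmetric. Suggest the summary read `## Rules for receiving labeled DCCP packets; both domains are granted the association, socket and peer access.` so a caller does not assume only `$1` is affected. The `corenet_all_recvfrom_labeled` addition at the end of the hunk inherits that symmetry for DCCP exactly as the existing TCP/UDP/raw calls already do.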
@@ -10408,13 +11336,24 @@ index 0757523..fc98c87 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -@@ -276,5 +322,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn + network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) ++network_port(zented, tcp,1229,s0, udp,1229,s0) + network_port(zope, tcp,8021,s0) + + # Defaults for reserved ports. Earlier portcon entries take precedence; +@@ -272,9 +319,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; + allow corenet_unconfined_type node_type:node *; + allow corenet_unconfined_type netif_type:netif *; + allow corenet_unconfined_type packet_type:packet *; ++allow corenet_unconfined_type port_type:dccp_socket { send_msg recv_msg name_connect }; + allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect }; allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. -allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind; -+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; - allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; +-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; ++allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind; ++allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 6cf8784..5a6e602 100644 --- a/policy/modules/kernel/devices.fc @@ -10454,7 +11393,7 @@ index 6cf8784..5a6e602 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) 
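Review bot: The corenetwork.te.in hunk introduces a new port type with `++network_port(zented, tcp,1229,s0, udp,1229,s0)`, which is listed nowhere in the commit message and carries no comment naming the service it labels. Port declarations are load-bearing, since any domain later given the generated `zented_port_t` interfaces inherits this mapping, so record the consumer next to it, e.g. `# zented: <service name>, requested in <bug id>` with the real values filled in. The `corenet_unconfined_type` changes in the same hunk (a new `dccp_socket { send_msg recv_msg name_connect }` rule and `dccp_socket` added to the `name_bind`/`node_bind` sets) are consistent with the DCCP interfaces added to corenetwork.if.in.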
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..74456ed 100644 +index e9313fb..8ce76cc 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -10518,7 +11457,32 @@ index e9313fb..74456ed 100644 ## Add entries to directories in /dev. ## ## -@@ -444,6 +481,24 @@ interface(`dev_getattr_generic_blk_files',` +@@ -352,6 +389,24 @@ interface(`dev_read_generic_files',` + read_files_pattern($1, device_t, device_t) + ') + ++####################################### ++## ++## Read generic files in /dev. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_read_generic_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ dontaudit $1 device_t:file { read getattr }; ++') ++ + ######################################## + ## + ## Read and write generic files in /dev. +@@ -444,6 +499,24 @@ interface(`dev_getattr_generic_blk_files',` ######################################## ## @@ -10543,7 +11507,7 @@ index e9313fb..74456ed 100644 ## Dontaudit getattr on generic block devices. ## ## -@@ -715,7 +770,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` +@@ -715,7 +788,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ######################################## ## @@ -10552,7 +11516,7 @@ index e9313fb..74456ed 100644 ## ## ## -@@ -723,17 +778,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` +@@ -723,17 +796,17 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ## ## # @@ -10573,7 +11537,7 @@ index e9313fb..74456ed 100644 ## ## ## -@@ -741,17 +796,17 @@ interface(`dev_read_generic_symlinks',` +@@ -741,17 +814,17 @@ interface(`dev_read_generic_symlinks',` ## ## # @@ -10594,7 +11558,7 @@ index e9313fb..74456ed 100644 ## ## ## -@@ -759,12 +814,12 @@ interface(`dev_create_generic_symlinks',` +@@ -759,12 +832,12 @@ interface(`dev_create_generic_symlinks',` ## ## # 
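Review bot: The summary of the new `dev_dontaudit_read_generic_files` interface in the devices.if hunk reads `## Read generic files in /dev.`, which is the summary of `dev_read_generic_files` directly above it, but the body is `dontaudit $1 device_t:file { read getattr };`, so the generated interface documentation would describe it as an allow rule. Change it to `## Do not audit attempts to read generic files in /dev.` to agree with the parameter text `Domain to not audit.`. The separator line above the new block also appears to be one `#` shorter than the 40-character rule used by the neighbouring interfaces; cosmetic, but it shows up in the rendered docs.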
@@ -10609,7 +11573,7 @@ index e9313fb..74456ed 100644 ') ######################################## -@@ -1006,6 +1061,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` +@@ -1006,6 +1079,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` interface(`dev_getattr_all_chr_files',` gen_require(` attribute device_node; @@ -10617,7 +11581,7 @@ index e9313fb..74456ed 100644 ') getattr_chr_files_pattern($1, device_t, device_node) -@@ -1178,6 +1234,42 @@ interface(`dev_create_all_chr_files',` +@@ -1178,6 +1252,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -10660,7 +11624,7 @@ index e9313fb..74456ed 100644 ## Delete all block device files. ## ## -@@ -3192,24 +3284,6 @@ interface(`dev_rw_printer',` +@@ -3192,24 +3302,6 @@ interface(`dev_rw_printer',` ######################################## ## @@ -10685,7 +11649,7 @@ index e9313fb..74456ed 100644 ## Get the attributes of the QEMU ## microcode and id interfaces. ## -@@ -3793,6 +3867,24 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3793,6 +3885,24 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -10710,7 +11674,7 @@ index e9313fb..74456ed 100644 ## Search the sysfs directories. ## ## -@@ -3884,25 +3976,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3884,25 +3994,6 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ######################################## ## @@ -10736,7 +11700,7 @@ index e9313fb..74456ed 100644 ## Read hardware state information. ## ## -@@ -3954,6 +4027,42 @@ interface(`dev_rw_sysfs',` +@@ -3954,6 +4045,42 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -10779,7 +11743,7 @@ index e9313fb..74456ed 100644 ## Read and write the TPM device. ## ## -@@ -4514,6 +4623,24 @@ interface(`dev_rwx_vmware',` +@@ -4514,6 +4641,24 @@ interface(`dev_rwx_vmware',` ######################################## ## 
@@ -10804,7 +11768,7 @@ index e9313fb..74456ed 100644 ## Write to watchdog devices. ## ## -@@ -4748,3 +4875,22 @@ interface(`dev_unconfined',` +@@ -4748,3 +4893,22 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -13466,7 +14430,7 @@ index e49c148..4d6bbf4 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 069d36c..78a81b3 100644 +index 069d36c..ea92876 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -735,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` @@ -13565,7 +14529,58 @@ index 069d36c..78a81b3 100644 ') ######################################## -@@ -2754,6 +2811,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2618,6 +2675,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` + + ######################################## + ## ++## Receive DCCP packets from an unlabeled connection. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_dccp_recvfrom_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dccp_socket recvfrom; ++') ++ ++######################################## ++## + ## Receive TCP packets from an unlabeled connection. + ## + ## +@@ -2645,6 +2720,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` + + ######################################## + ## ++## Do not audit attempts to receive DCCP packets from an unlabeled ++## connection. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_dccp_recvfrom_unlabeled',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ dontaudit $1 unlabeled_t:dccp_socket recvfrom; ++') ++ ++######################################## ++## + ## Do not audit attempts to receive TCP packets from an unlabeled + ## connection. + ## +@@ -2754,6 +2848,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') 
@@ -13599,7 +14614,7 @@ index 069d36c..78a81b3 100644 ######################################## ## -@@ -2909,6 +2993,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2909,6 +3030,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -13624,7 +14639,7 @@ index 069d36c..78a81b3 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2924,3 +3026,23 @@ interface(`kernel_unconfined',` +@@ -2924,3 +3063,23 @@ interface(`kernel_unconfined',` typeattribute $1 kern_unconfined; ') @@ -14247,7 +15262,7 @@ index 1cb7311..1de82b2 100644 + +gen_user(guest_u, user, guest_r, s0, s0) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index be4de58..cce681a 100644 +index be4de58..2efb6e9 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te @@ -9,6 +9,8 @@ role secadm_r; @@ -14259,8 +15274,18 @@ index be4de58..cce681a 100644 ######################################## # +@@ -39,6 +41,9 @@ logging_read_audit_log(secadm_t) + logging_read_generic_logs(secadm_t) + logging_read_audit_config(secadm_t) + ++seutil_rw_config(secadm_t) ++seutil_rw_default_contexts(secadm_t) ++ + optional_policy(` + aide_run(secadm_t, secadm_r) + ') diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..01d3647 100644 +index 2be17d2..dc6fd50 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) @@ -14315,7 +15340,7 @@ index 2be17d2..01d3647 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +66,137 @@ optional_policy(` +@@ -27,31 +66,143 @@ optional_policy(` ') optional_policy(` 
@@ -14444,17 +15469,23 @@ index 2be17d2..01d3647 100644 +optional_policy(` + virt_stream_connect(staff_t) +') -+ -+optional_policy(` + + optional_policy(` + vlock_run(staff_t, staff_r) + ') + + optional_policy(` + vnstatd_read_lib_files(staff_t) +') + +optional_policy(` + webadm_role_change(staff_r) +') ++ ++optional_policy(` + xserver_role(staff_r, staff_t) + ') - optional_policy(` - vlock_run(staff_t, staff_r) @@ -89,10 +240,6 @@ ifndef(`distro_redhat',` ') @@ -14486,7 +15517,7 @@ index 2be17d2..01d3647 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 4a8d146..6b0999e 100644 +index 4a8d146..eaef902 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,41 @@ ifndef(`enable_mls',` @@ -14674,7 +15705,18 @@ index 4a8d146..6b0999e 100644 optional_policy(` rsync_exec(sysadm_t) -@@ -307,7 +335,7 @@ optional_policy(` +@@ -302,12 +330,18 @@ optional_policy(` + ') + + optional_policy(` ++ setroubleshoot_stream_connect(sysadm_t) ++ setroubleshoot_dbus_chat(sysadm_t) ++ setroubleshoot_dbus_chat_fixit(sysadm_t) ++') ++ ++optional_policy(` + seutil_run_setfiles(sysadm_t, sysadm_r) + seutil_run_runinit(sysadm_t, sysadm_r) ') optional_policy(` @@ -14683,7 +15725,7 @@ index 4a8d146..6b0999e 100644 ') optional_policy(` -@@ -332,10 +360,6 @@ optional_policy(` +@@ -332,10 +366,6 @@ optional_policy(` ') optional_policy(` @@ -14694,7 +15736,7 @@ index 4a8d146..6b0999e 100644 tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r) -@@ -343,19 +367,15 @@ optional_policy(` +@@ -343,19 +373,15 @@ optional_policy(` ') optional_policy(` @@ -14716,7 +15758,7 @@ index 4a8d146..6b0999e 100644 ') optional_policy(` -@@ -367,17 +387,14 @@ optional_policy(` +@@ -367,33 +393,29 @@ optional_policy(` ') optional_policy(` 
@@ -14729,23 +15771,33 @@ index 4a8d146..6b0999e 100644 usermanage_run_useradd(sysadm_t, sysadm_r) ') -+ optional_policy(` - vmware_role(sysadm_r, sysadm_t) -+ vpn_run(sysadm_t, sysadm_r) ++ virt_stream_connect(sysadm_t) ') optional_policy(` -@@ -389,7 +406,7 @@ optional_policy(` +- vpn_run(sysadm_t, sysadm_r) ++ vlock_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +- webalizer_run(sysadm_t, sysadm_r) ++ vpn_run(sysadm_t, sysadm_r) ') optional_policy(` - wireshark_role(sysadm_r, sysadm_t) -+ virt_stream_connect(sysadm_t) ++ vpn_run(sysadm_t, sysadm_r) ') optional_policy(` -@@ -404,8 +421,15 @@ optional_policy(` +- vlock_run(sysadm_t, sysadm_r) ++ webalizer_run(sysadm_t, sysadm_r) + ') + + optional_policy(` +@@ -404,8 +426,15 @@ optional_policy(` yam_run(sysadm_t, sysadm_r) ') @@ -14761,7 +15813,7 @@ index 4a8d146..6b0999e 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -452,5 +476,60 @@ ifndef(`distro_redhat',` +@@ -452,5 +481,60 @@ ifndef(`distro_redhat',` optional_policy(` java_role(sysadm_r, sysadm_t) ') @@ -17976,7 +19028,7 @@ index 6480167..2d45594 100644 + dontaudit $1 httpd_tmp_t:file { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..63bb9e3 100644 +index 3136c6a..eb95112 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.1) 
@@ -18681,7 +19733,16 @@ index 3136c6a..63bb9e3 100644 ') ######################################## -@@ -699,17 +915,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -685,6 +901,8 @@ optional_policy(` + + allow httpd_suexec_t self:capability { setuid setgid }; + allow httpd_suexec_t self:process signal_perms; ++ ++allow httpd_suexec_t self:fifo_file rw_fifo_file_perms; + allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; + + domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) +@@ -699,17 +917,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -18707,7 +19768,7 @@ index 3136c6a..63bb9e3 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +961,27 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +963,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -18721,6 +19782,10 @@ index 3136c6a..63bb9e3 100644 + +domain_entry_file(httpd_sys_script_t, httpd_sys_content_t) + ++tunable_policy(`httpd_can_sendmail',` ++ mta_send_mail(httpd_suexec_t) ++') ++ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_sys_script_t httpdcontent:file entrypoint; domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) @@ -18736,7 +19801,7 @@ index 3136c6a..63bb9e3 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1004,25 @@ optional_policy(` +@@ -769,6 +1010,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -18762,7 +19827,7 @@ index 3136c6a..63bb9e3 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1043,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1049,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -18780,7 +19845,7 @@ index 3136c6a..63bb9e3 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1062,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1068,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -18837,7 +19902,7 @@ index 3136c6a..63bb9e3 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1113,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1119,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -18868,7 +19933,7 @@ index 3136c6a..63bb9e3 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1148,20 @@ optional_policy(` +@@ -842,10 +1154,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -18889,7 +19954,7 @@ index 3136c6a..63bb9e3 100644 ') ######################################## -@@ -891,11 +1207,21 @@ optional_policy(` +@@ -891,11 +1213,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -18915,10 +19980,19 @@ index 3136c6a..63bb9e3 100644 + userdom_read_user_home_content_files(httpd_user_script_t) ') 
diff --git a/policy/modules/services/apcupsd.fc b/policy/modules/services/apcupsd.fc -index cd07b96..a87d1dd 100644 +index cd07b96..9b7742f 100644 --- a/policy/modules/services/apcupsd.fc +++ b/policy/modules/services/apcupsd.fc -@@ -13,3 +13,4 @@ +@@ -4,6 +4,8 @@ + + /usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0) + ++/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0) ++ + /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) + /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) + +@@ -13,3 +15,4 @@ /var/www/apcupsd/upsfstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) /var/www/apcupsd/upsimage\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) /var/www/apcupsd/upsstats\.cgi -- gen_context(system_u:object_r:httpd_apcupsd_cgi_script_exec_t,s0) @@ -19201,10 +20275,18 @@ index d80a16b..a43e006 100644 init_labeled_script_domtrans($1, automount_initrc_exec_t) diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te -index 39799db..d174b05 100644 +index 39799db..9390ef1 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te -@@ -143,9 +143,6 @@ logging_search_logs(automount_t) +@@ -64,6 +64,7 @@ kernel_read_network_state(automount_t) + kernel_list_proc(automount_t) + kernel_dontaudit_search_xen_state(automount_t) + ++files_read_usr_files(automount_t) + files_search_boot(automount_t) + # Automount is slowly adding all mount functionality internally + files_search_all(automount_t) +@@ -143,9 +144,6 @@ logging_search_logs(automount_t) miscfiles_read_localization(automount_t) miscfiles_read_generic_certs(automount_t) 
@@ -19214,7 +20296,7 @@ index 39799db..d174b05 100644 userdom_dontaudit_use_unpriv_user_fds(automount_t) userdom_dontaudit_search_user_home_dirs(automount_t) -@@ -155,6 +152,13 @@ optional_policy(` +@@ -155,6 +153,13 @@ optional_policy(` ') optional_policy(` @@ -20706,7 +21788,7 @@ index d020c93..e5cbcef 100644 cgroup_initrc_domtrans_cgconfig($1) domain_system_change_exemption($1) diff --git a/policy/modules/services/cgroup.te b/policy/modules/services/cgroup.te -index 8ca2333..09a114b 100644 +index 8ca2333..93c7789 100644 --- a/policy/modules/services/cgroup.te +++ b/policy/modules/services/cgroup.te @@ -16,14 +16,17 @@ init_daemon_domain(cgred_t, cgred_exec_t) @@ -20772,6 +21854,15 @@ index 8ca2333..09a114b 100644 # rc script creates pid file manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t) +@@ -97,6 +103,8 @@ files_read_etc_files(cgred_t) + + fs_write_cgroup_files(cgred_t) + ++auth_use_nsswitch(cgred_t) ++ + logging_send_syslog_msg(cgred_t) + + miscfiles_read_localization(cgred_t) diff --git a/policy/modules/services/chronyd.if b/policy/modules/services/chronyd.if index 9a0da94..2ede737 100644 --- a/policy/modules/services/chronyd.if @@ -20954,10 +22045,10 @@ index fa82327..db20d26 100644 gpsd_rw_shm(chronyd_t) ') diff --git a/policy/modules/services/clamav.fc b/policy/modules/services/clamav.fc -index e8e9a21..0af0260 100644 +index e8e9a21..dd9ba97 100644 --- a/policy/modules/services/clamav.fc +++ b/policy/modules/services/clamav.fc -@@ -10,6 +10,7 @@ +@@ -10,9 +10,11 @@ /var/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) /var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0) 
@@ -20965,6 +22056,10 @@ index e8e9a21..0af0260 100644 /var/log/clamav.* gen_context(system_u:object_r:clamd_var_log_t,s0) /var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) /var/log/clamd.* gen_context(system_u:object_r:clamd_var_log_t,s0) ++/var/log/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0) + /var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/run/clamav.* gen_context(system_u:object_r:clamd_var_run_t,s0) + /var/run/clamd.* gen_context(system_u:object_r:clamd_var_run_t,s0) diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 1f11572..7f6a7ab 100644 --- a/policy/modules/services/clamav.if @@ -21006,7 +22101,7 @@ index 1f11572..7f6a7ab 100644 ') diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index f758323..28166c1 100644 +index f758323..a2e2d35 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -1,9 +1,9 @@ @@ -21155,7 +22250,7 @@ index f758323..28166c1 100644 files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -264,7 +286,12 @@ miscfiles_read_public_files(clamscan_t) +@@ -264,10 +286,15 @@ miscfiles_read_public_files(clamscan_t) clamav_stream_connect(clamscan_t) @@ -21168,7 +22263,11 @@ index f758323..28166c1 100644 +') optional_policy(` - amavis_read_spool_files(clamscan_t) +- amavis_read_spool_files(clamscan_t) ++ amavis_manage_spool_files(clamscan_t) + ') + + optional_policy(` diff --git a/policy/modules/services/clogd.if b/policy/modules/services/clogd.if index c0a66a4..e438c5f 100644 --- a/policy/modules/services/clogd.if @@ -21936,10 +23035,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..17e1cf3 +index 0000000..c151fe6 --- /dev/null 
+++ b/policy/modules/services/colord.te -@@ -0,0 +1,111 @@ +@@ -0,0 +1,117 @@ +policy_module(colord,1.0.0) + +######################################## @@ -21988,6 +23087,7 @@ index 0000000..17e1cf3 + +kernel_getattr_proc_files(colord_t) +kernel_read_device_sysctls(colord_t) ++kernel_request_load_module(colord_t) + +corenet_udp_bind_generic_node(colord_t) +corenet_udp_bind_ipp_port(colord_t) @@ -22003,9 +23103,8 @@ index 0000000..17e1cf3 +dev_read_urand(colord_t) +dev_list_sysfs(colord_t) +dev_rw_generic_usb_dev(colord_t) -+storage_getattr_fixed_disk_dev(colord_t) -+storage_read_scsi_generic(colord_t) -+storage_write_scsi_generic(colord_t) ++# bug 705419 ++dev_dontaudit_read_generic_files(colord_t) + +domain_use_interactive_fds(colord_t) + @@ -22013,14 +23112,20 @@ index 0000000..17e1cf3 +files_read_etc_files(colord_t) +files_read_usr_files(colord_t) + ++fs_search_all(colord_t) ++fs_read_noxattr_fs_files(colord_t) ++ ++storage_getattr_fixed_disk_dev(colord_t) ++storage_read_scsi_generic(colord_t) ++storage_write_scsi_generic(colord_t) ++ +logging_send_syslog_msg(colord_t) + +miscfiles_read_localization(colord_t) + +sysnet_dns_name_resolve(colord_t) + -+fs_search_all(colord_t) -+fs_read_noxattr_fs_files(colord_t) ++userdom_read_inherited_user_home_content_files(colord_t) + +tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(colord_t) @@ -22435,7 +23540,7 @@ index 2eefc08..6030f34 100644 + +/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if -index 35241ed..b6402c9 100644 +index 35241ed..a75e22c 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -12,6 +12,11 @@ 
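Review bot: `kernel_request_load_module(colord_t)` lets the colord daemon trigger kernel module autoloading, but unlike the dontaudit a few lines below (`# bug 705419`) it carries no reference explaining which device access needs it. A short comment such as `# module autoload on device open — TODO(review): cite the bug/AVC that needs this` above the line would keep this privilege auditable later. The `storage_*_scsi_generic` rules in the same hunk are only moved, not widened, so they need no new justification.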
@@ -22450,8 +23555,12 @@ index 35241ed..b6402c9 100644 ############################## # # Declarations -@@ -34,8 +39,12 @@ template(`cron_common_crontab_template',` - allow $1_t self:process { setsched signal_perms }; +@@ -31,11 +36,15 @@ template(`cron_common_crontab_template',` + + # dac_override is to create the file in the directory under /tmp + allow $1_t self:capability { fowner setuid setgid chown dac_override }; +- allow $1_t self:process { setsched signal_perms }; ++ allow $1_t self:process { getcap setsched signal_perms }; allow $1_t self:fifo_file rw_fifo_file_perms; - allow $1_t $1_tmp_t:file manage_file_perms; @@ -22474,7 +23583,20 @@ index 35241ed..b6402c9 100644 kernel_read_system_state($1_t) -@@ -62,6 +71,7 @@ template(`cron_common_crontab_template',` +@@ -51,6 +60,8 @@ template(`cron_common_crontab_template',` + selinux_dontaudit_search_fs($1_t) + + fs_getattr_xattr_fs($1_t) ++ fs_manage_cgroup_dirs($1_t) ++ fs_manage_cgroup_files($1_t) + + domain_use_interactive_fds($1_t) + +@@ -59,12 +70,15 @@ template(`cron_common_crontab_template',` + files_dontaudit_search_pids($1_t) + + auth_domtrans_chk_passwd($1_t) ++ auth_rw_var_auth($1_t) logging_send_syslog_msg($1_t) logging_send_audit_msgs($1_t) @@ -22482,7 +23604,11 @@ index 35241ed..b6402c9 100644 init_dontaudit_write_utmp($1_t) init_read_utmp($1_t) -@@ -76,6 +86,7 @@ template(`cron_common_crontab_template',` ++ init_read_state($1_t) + + miscfiles_read_localization($1_t) + +@@ -76,6 +90,7 @@ template(`cron_common_crontab_template',` userdom_use_user_terminals($1_t) # Read user crontabs userdom_read_user_home_content_files($1_t) @@ -22490,7 +23616,7 @@ index 35241ed..b6402c9 100644 tunable_policy(`fcron_crond',` # fcron wants an instant update of a crontab change for the administrator -@@ -102,10 +113,12 @@ template(`cron_common_crontab_template',` +@@ -102,10 +117,12 @@ template(`cron_common_crontab_template',` ## User domain for the role ## ## 
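Review bot: `fs_manage_cgroup_dirs($1_t)` and `fs_manage_cgroup_files($1_t)` give every crontab-editing domain derived from this template full manage rights on cgroup filesystem entries, with no comment saying which crontab operation touches cgroups; the added `auth_rw_var_auth($1_t)` in the following hunk is likewise unexplained. If this is for a specific helper or PAM session step, a one-line comment such as `# TODO(review): name the crontab/PAM step that writes cgroup entries` above the pair would let a later reviewer judge whether a narrower interface (search/read) would do. The template starts and ends outside this hunk.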
@@ -22503,7 +23629,7 @@ index 35241ed..b6402c9 100644 ') role $1 types { cronjob_t crontab_t }; -@@ -116,9 +129,16 @@ interface(`cron_role',` +@@ -116,9 +133,16 @@ interface(`cron_role',` # Transition from the user domain to the derived domain. domtrans_pattern($2, crontab_exec_t, crontab_t) @@ -22512,7 +23638,7 @@ index 35241ed..b6402c9 100644 + allow $2 crond_t:process sigchld; + + # needs to be authorized SELinux context for cron -+ allow $2 user_cron_spool_t:file entrypoint; ++ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint }; + # crontab shows up in user ps ps_process_pattern($2, crontab_t) @@ -22521,7 +23647,7 @@ index 35241ed..b6402c9 100644 # Run helper programs as the user domain #corecmd_bin_domtrans(crontab_t, $2) -@@ -132,9 +152,8 @@ interface(`cron_role',` +@@ -132,9 +156,8 @@ interface(`cron_role',` ') dbus_stub(cronjob_t) @@ -22532,7 +23658,7 @@ index 35241ed..b6402c9 100644 ') ######################################## -@@ -151,29 +170,18 @@ interface(`cron_role',` +@@ -151,29 +174,18 @@ interface(`cron_role',` ## User domain for the role ## ## @@ -22566,7 +23692,7 @@ index 35241ed..b6402c9 100644 optional_policy(` gen_require(` -@@ -181,9 +189,8 @@ interface(`cron_unconfined_role',` +@@ -181,9 +193,8 @@ interface(`cron_unconfined_role',` ') dbus_stub(unconfined_cronjob_t) @@ -22577,7 +23703,7 @@ index 35241ed..b6402c9 100644 ') ######################################## -@@ -200,6 +207,7 @@ interface(`cron_unconfined_role',` +@@ -200,6 +211,7 @@ interface(`cron_unconfined_role',` ## User domain for the role ## ## @@ -22585,7 +23711,7 @@ index 35241ed..b6402c9 100644 # interface(`cron_admin_role',` gen_require(` -@@ -220,7 +228,7 @@ interface(`cron_admin_role',` +@@ -220,7 +232,7 @@ interface(`cron_admin_role',` # crontab shows up in user ps ps_process_pattern($2, admin_crontab_t) 
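Review bot: `allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };` widens the previous entrypoint-only grant so the user domain itself can read and write its spool file, yet the comment above it still only explains the entrypoint need. Direct write from $2 appears to bypass the crontab_t transition that this same interface sets up with `domtrans_pattern($2, crontab_exec_t, crontab_t)`, so either the comment should state why $2 must write the spool directly (e.g. `# cron jobs run in the user domain and need read/write on their own spool entry — confirm`), or write should be dropped if only getattr/read were needed for the entrypoint check. cron_role continues beyond this hunk.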
@@ -22594,7 +23720,7 @@ index 35241ed..b6402c9 100644 # Run helper programs as the user domain #corecmd_bin_domtrans(admin_crontab_t, $2) -@@ -234,9 +242,8 @@ interface(`cron_admin_role',` +@@ -234,9 +246,8 @@ interface(`cron_admin_role',` ') dbus_stub(admin_cronjob_t) @@ -22605,7 +23731,7 @@ index 35241ed..b6402c9 100644 ') ######################################## -@@ -304,7 +311,7 @@ interface(`cron_exec',` +@@ -304,7 +315,7 @@ interface(`cron_exec',` ######################################## ## @@ -22614,7 +23740,7 @@ index 35241ed..b6402c9 100644 ## ## ## -@@ -408,7 +415,43 @@ interface(`cron_rw_pipes',` +@@ -408,7 +419,43 @@ interface(`cron_rw_pipes',` type crond_t; ') @@ -22659,7 +23785,7 @@ index 35241ed..b6402c9 100644 ') ######################################## -@@ -481,6 +524,7 @@ interface(`cron_manage_pid_files',` +@@ -481,6 +528,7 @@ interface(`cron_manage_pid_files',` type crond_var_run_t; ') @@ -22667,7 +23793,7 @@ index 35241ed..b6402c9 100644 manage_files_pattern($1, crond_var_run_t, crond_var_run_t) ') -@@ -536,7 +580,7 @@ interface(`cron_write_system_job_pipes',` +@@ -536,7 +584,7 @@ interface(`cron_write_system_job_pipes',` type system_cronjob_t; ') @@ -22676,7 +23802,7 @@ index 35241ed..b6402c9 100644 ') ######################################## -@@ -554,7 +598,7 @@ interface(`cron_rw_system_job_pipes',` +@@ -554,7 +602,7 @@ interface(`cron_rw_system_job_pipes',` type system_cronjob_t; ') @@ -22685,7 +23811,7 @@ index 35241ed..b6402c9 100644 ') ######################################## -@@ -587,11 +631,14 @@ interface(`cron_rw_system_job_stream_sockets',` +@@ -587,11 +635,14 @@ interface(`cron_rw_system_job_stream_sockets',` # interface(`cron_read_system_job_tmp_files',` gen_require(` 
@@ -22701,7 +23827,7 @@ index 35241ed..b6402c9 100644 ') ######################################## -@@ -627,7 +674,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` +@@ -627,7 +678,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` interface(`cron_dontaudit_write_system_job_tmp_files',` gen_require(` type system_cronjob_tmp_t; @@ -22750,7 +23876,7 @@ index 35241ed..b6402c9 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..254e671 100644 +index f7583ab..e6ddde9 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -22866,9 +23992,12 @@ index f7583ab..254e671 100644 # fcron wants an instant update of a crontab change for the administrator # also crontab does a security check for crontab -u allow admin_crontab_t self:process setfscreate; -@@ -138,7 +151,7 @@ tunable_policy(`fcron_crond', ` +@@ -136,9 +149,9 @@ tunable_policy(`fcron_crond', ` + # Cron daemon local policy + # - allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; +-allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search }; ++allow crond_t self:capability { dac_override chown setgid setuid sys_nice dac_read_search }; dontaudit crond_t self:capability { sys_resource sys_tty_config }; -allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; @@ -23237,7 +24366,7 @@ index 305ddf4..777091a 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..a3a6265 100644 +index 0f28095..f54f6cc 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te 
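Review bot: `chown` is added to crond_t's capability set in `allow crond_t self:capability { dac_override chown setgid setuid sys_nice dac_read_search };` without a comment on what crond now chowns; since this domain already holds dac_override and setuid, each added capability should carry its justification. Suggest `# chown: <what crond chowns — confirm against the denial that prompted this>` above the line. The rest of the crond local policy lies outside the hunk.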
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -23425,7 +24554,17 @@ index 0f28095..a3a6265 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t) +@@ -673,6 +702,9 @@ dev_read_rand(hplip_t) + dev_rw_generic_usb_dev(hplip_t) + dev_rw_usbfs(hplip_t) + ++# bug 680612 ++dev_dontaudit_read_generic_files(hplip_t) ++ + fs_getattr_all_fs(hplip_t) + fs_search_auto_mountpoints(hplip_t) + fs_rw_anon_inodefs_files(hplip_t) +@@ -685,6 +717,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -23433,7 +24572,7 @@ index 0f28095..a3a6265 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +729,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -25334,7 +26473,7 @@ index 9bd812b..c808b31 100644 ') diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te -index fdaeeba..df87ba8 100644 +index fdaeeba..bdbd777 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -48,8 +48,9 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) @@ -25357,7 +26496,7 @@ index fdaeeba..df87ba8 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -96,7 +99,16 @@ optional_policy(` +@@ -96,7 +99,20 @@ optional_policy(` ') optional_policy(` 
@@ -25370,11 +26509,15 @@ index fdaeeba..df87ba8 100644 +') + +optional_policy(` ++ networkmanager_read_pid_files(dnsmasq_t) ++') ++ ++optional_policy(` + ppp_read_pid_files(dnsmasq_t) ') optional_policy(` -@@ -114,4 +126,5 @@ optional_policy(` +@@ -114,4 +130,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) @@ -35314,7 +36457,7 @@ index 55e62d2..6082184 100644 /var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0) /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..37bd751 100644 +index 46bee12..f064487 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -34,8 +34,9 @@ template(`postfix_domain_template',` @@ -35345,7 +36488,16 @@ index 46bee12..37bd751 100644 files_read_usr_symlinks(postfix_$1_t) files_search_spool(postfix_$1_t) files_getattr_tmp_dirs(postfix_$1_t) -@@ -272,7 +274,8 @@ interface(`postfix_read_local_state',` +@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',` + domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t) + + domain_use_interactive_fds(postfix_$1_t) ++ ++ application_domain(postfix_$1_t, postfix_$1_exec_t) + ') + + ######################################## +@@ -272,7 +276,8 @@ interface(`postfix_read_local_state',` type postfix_local_t; ') @@ -35355,7 +36507,7 @@ index 46bee12..37bd751 100644 ') ######################################## -@@ -290,7 +293,8 @@ interface(`postfix_read_master_state',` +@@ -290,7 +295,8 @@ interface(`postfix_read_master_state',` type postfix_master_t; ') @@ -35365,7 +36517,7 @@ index 46bee12..37bd751 100644 ') ######################################## -@@ -376,6 +380,25 @@ interface(`postfix_domtrans_master',` +@@ -376,6 +382,25 @@ interface(`postfix_domtrans_master',` domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') 
@@ -35391,7 +36543,7 @@ index 46bee12..37bd751 100644 ######################################## ## ## Execute the master postfix program in the -@@ -404,7 +427,6 @@ interface(`postfix_exec_master',` +@@ -404,7 +429,6 @@ interface(`postfix_exec_master',` ## Domain allowed access. ## ## @@ -35399,7 +36551,7 @@ index 46bee12..37bd751 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -416,6 +438,24 @@ interface(`postfix_stream_connect_master',` +@@ -416,6 +440,24 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -35424,7 +36576,7 @@ index 46bee12..37bd751 100644 ## Execute the master postdrop in the ## postfix_postdrop domain. ## -@@ -462,7 +502,7 @@ interface(`postfix_domtrans_postqueue',` +@@ -462,7 +504,7 @@ interface(`postfix_domtrans_postqueue',` ## ## # @@ -35433,7 +36585,7 @@ index 46bee12..37bd751 100644 gen_require(` type postfix_postqueue_exec_t; ') -@@ -529,6 +569,25 @@ interface(`postfix_domtrans_smtp',` +@@ -529,6 +571,25 @@ interface(`postfix_domtrans_smtp',` ######################################## ## @@ -35459,7 +36611,7 @@ index 46bee12..37bd751 100644 ## Search postfix mail spool directories. ## ## -@@ -539,10 +598,10 @@ interface(`postfix_domtrans_smtp',` +@@ -539,10 +600,10 @@ interface(`postfix_domtrans_smtp',` # interface(`postfix_search_spool',` gen_require(` @@ -35472,7 +36624,7 @@ index 46bee12..37bd751 100644 files_search_spool($1) ') -@@ -558,10 +617,10 @@ interface(`postfix_search_spool',` +@@ -558,10 +619,10 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -35485,7 +36637,7 @@ index 46bee12..37bd751 100644 files_search_spool($1) ') -@@ -577,11 +636,11 @@ interface(`postfix_list_spool',` +@@ -577,11 +638,11 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` 
@@ -35499,7 +36651,7 @@ index 46bee12..37bd751 100644 ') ######################################## -@@ -596,11 +655,11 @@ interface(`postfix_read_spool_files',` +@@ -596,11 +657,11 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -35513,7 +36665,7 @@ index 46bee12..37bd751 100644 ') ######################################## -@@ -621,3 +680,103 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +682,103 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -38526,10 +39678,10 @@ index de37806..229a3c7 100644 + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te -index 93c896a..b161b6b 100644 +index 93c896a..11e586f 100644 --- a/policy/modules/services/rhcs.te +++ b/policy/modules/services/rhcs.te -@@ -6,13 +6,15 @@ policy_module(rhcs, 1.1.0) +@@ -6,13 +6,22 @@ policy_module(rhcs, 1.1.0) # ## @@ -38542,13 +39694,20 @@ index 93c896a..b161b6b 100644 ## gen_tunable(fenced_can_network_connect, false) ++## ++##

++## Allow fenced domain to execute ssh. ++##

++##
++gen_tunable(fenced_can_ssh, false) ++ attribute cluster_domain; +attribute cluster_tmpfs; +attribute cluster_pid; rhcs_domain_template(dlm_controld) -@@ -24,6 +26,9 @@ files_lock_file(fenced_lock_t) +@@ -24,6 +33,9 @@ files_lock_file(fenced_lock_t) type fenced_tmp_t; files_tmp_file(fenced_tmp_t) @@ -38558,7 +39717,7 @@ index 93c896a..b161b6b 100644 rhcs_domain_template(gfs_controld) rhcs_domain_template(groupd) -@@ -33,6 +38,10 @@ rhcs_domain_template(qdiskd) +@@ -33,6 +45,10 @@ rhcs_domain_template(qdiskd) type qdiskd_var_lib_t; files_type(qdiskd_var_lib_t) @@ -38569,7 +39728,7 @@ index 93c896a..b161b6b 100644 ##################################### # # dlm_controld local policy -@@ -55,20 +64,17 @@ fs_manage_configfs_dirs(dlm_controld_t) +@@ -55,20 +71,17 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) @@ -38592,7 +39751,7 @@ index 93c896a..b161b6b 100644 can_exec(fenced_t, fenced_exec_t) -@@ -82,7 +88,10 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -82,8 +95,12 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) 
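Review bot: The new tunable's description `Allow fenced domain to execute ssh.` understates what the boolean grants: its body in the next hunk (`@@ -38601,24 +39760,37 @@`) also allows `fenced_t self:capability { setuid setgid }` and `ssh_read_user_home_files(fenced_t)`, i.e. reading users' ssh home content. Administrators decide whether to flip a boolean from this text, so it should say something like `Allow fenced domain to execute ssh, change uid/gid and read users' ssh home files.` In that same hunk, the blank line directly after the `tunable_policy(`fenced_can_ssh',` opener and the unconditional `corenet_tcp_bind_zented_port(fenced_t)` added with no comment are worth tidying.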
@@ -38601,24 +39760,37 @@ index 93c896a..b161b6b 100644 corecmd_exec_bin(fenced_t) +corecmd_exec_shell(fenced_t) ++corenet_tcp_bind_zented_port(fenced_t) corenet_tcp_connect_http_port(fenced_t) -@@ -104,9 +113,13 @@ tunable_policy(`fenced_can_network_connect',` - corenet_tcp_connect_all_ports(fenced_t) + dev_read_sysfs(fenced_t) +@@ -105,8 +122,24 @@ tunable_policy(`fenced_can_network_connect',` ') + optional_policy(` ++ tunable_policy(`fenced_can_ssh',` ++ ++ allow fenced_t self:capability { setuid setgid }; ++ ++ corenet_tcp_connect_ssh_port(fenced_t) ++ ++ ssh_exec(fenced_t) ++ ssh_read_user_home_files(fenced_t) ++ ') ++') ++ +# needed by fence_scsi +optional_policy(` + corosync_exec(fenced_t) +') + - optional_policy(` ++optional_policy(` ccs_read_config(fenced_t) - ccs_stream_connect(fenced_t) ') optional_policy(` -@@ -114,13 +127,37 @@ optional_policy(` +@@ -114,13 +147,37 @@ optional_policy(` lvm_read_config(fenced_t) ') @@ -38657,7 +39829,7 @@ index 93c896a..b161b6b 100644 allow gfs_controld_t self:shm create_shm_perms; allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -139,10 +176,6 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -139,10 +196,6 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) optional_policy(` @@ -38668,7 +39840,7 @@ index 93c896a..b161b6b 100644 lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) ') -@@ -154,9 +187,10 @@ optional_policy(` +@@ -154,9 +207,10 @@ optional_policy(` allow groupd_t self:capability { sys_nice sys_resource }; allow groupd_t self:process setsched; @@ -38680,7 +39852,7 @@ index 93c896a..b161b6b 100644 dev_list_sysfs(groupd_t) files_read_etc_files(groupd_t) -@@ -168,8 +202,7 @@ init_rw_script_tmp_files(groupd_t) +@@ -168,8 +222,7 @@ init_rw_script_tmp_files(groupd_t) # qdiskd local policy # 
@@ -38690,7 +39862,7 @@ index 93c896a..b161b6b 100644 allow qdiskd_t self:tcp_socket create_stream_socket_perms; allow qdiskd_t self:udp_socket create_socket_perms; -@@ -199,6 +232,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t) +@@ -199,6 +252,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t) files_dontaudit_getattr_all_pipes(qdiskd_t) files_read_etc_files(qdiskd_t) @@ -38699,7 +39871,7 @@ index 93c896a..b161b6b 100644 storage_raw_read_removable_device(qdiskd_t) storage_raw_write_removable_device(qdiskd_t) storage_raw_read_fixed_disk(qdiskd_t) -@@ -207,10 +242,6 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -207,10 +262,6 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) optional_policy(` @@ -38710,7 +39882,7 @@ index 93c896a..b161b6b 100644 netutils_domtrans_ping(qdiskd_t) ') -@@ -223,18 +254,28 @@ optional_policy(` +@@ -223,18 +274,28 @@ optional_policy(` # rhcs domains common policy # @@ -46166,7 +47338,7 @@ index 130ced9..33c8170 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 6c01261..0f60717 100644 +index 6c01261..125a426 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,27 +26,50 @@ gen_require(` @@ -46370,7 +47542,7 @@ index 6c01261..0f60717 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files(iceauth_t) -@@ -247,50 +299,109 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,50 +299,110 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(iceauth_t) ') @@ -46398,6 +47570,7 @@ index 6c01261..0f60717 100644 +allow xauth_t self:capability dac_override; allow xauth_t self:process signal; ++allow xauth_t self:shm create_shm_perms; allow xauth_t self:unix_stream_socket create_stream_socket_perms; +allow xauth_t xdm_t:process sigchld; 
@@ -46485,7 +47658,7 @@ index 6c01261..0f60717 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -302,20 +413,33 @@ optional_policy(` +@@ -302,20 +414,33 @@ optional_policy(` # XDM Local policy # @@ -46523,7 +47696,7 @@ index 6c01261..0f60717 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -323,43 +447,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -323,43 +448,62 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -46592,7 +47765,7 @@ index 6c01261..0f60717 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -368,18 +511,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -368,18 +512,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -46620,7 +47793,7 @@ index 6c01261..0f60717 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -391,18 +542,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -391,18 +543,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -46644,7 +47817,7 @@ index 6c01261..0f60717 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -411,18 +566,24 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -411,18 +567,24 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) 
@@ -46672,7 +47845,7 @@ index 6c01261..0f60717 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -433,9 +594,23 @@ files_list_mnt(xdm_t) +@@ -433,9 +595,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -46696,7 +47869,7 @@ index 6c01261..0f60717 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -444,28 +619,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -444,28 +620,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -46735,7 +47908,7 @@ index 6c01261..0f60717 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -474,9 +657,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -474,9 +658,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -46766,7 +47939,7 @@ index 6c01261..0f60717 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -492,6 +696,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -492,6 +697,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -46781,7 +47954,7 @@ index 6c01261..0f60717 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -505,11 +717,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -505,11 +718,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -46803,7 +47976,7 @@ index 6c01261..0f60717 100644 ') optional_policy(` -@@ -517,7 +739,43 @@ optional_policy(` +@@ -517,7 +740,43 @@ optional_policy(` ') optional_policy(` 
@@ -46848,7 +48021,7 @@ index 6c01261..0f60717 100644 ') optional_policy(` -@@ -527,6 +785,16 @@ optional_policy(` +@@ -527,6 +786,16 @@ optional_policy(` ') optional_policy(` @@ -46865,7 +48038,7 @@ index 6c01261..0f60717 100644 hostname_exec(xdm_t) ') -@@ -544,28 +812,65 @@ optional_policy(` +@@ -544,28 +813,65 @@ optional_policy(` ') optional_policy(` @@ -46940,7 +48113,7 @@ index 6c01261..0f60717 100644 ') optional_policy(` -@@ -577,6 +882,14 @@ optional_policy(` +@@ -577,6 +883,14 @@ optional_policy(` ') optional_policy(` @@ -46955,7 +48128,7 @@ index 6c01261..0f60717 100644 xfs_stream_connect(xdm_t) ') -@@ -601,7 +914,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -601,7 +915,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -46964,7 +48137,7 @@ index 6c01261..0f60717 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -615,8 +928,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -615,8 +929,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -46980,7 +48153,7 @@ index 6c01261..0f60717 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -635,12 +955,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -635,12 +956,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) 
@@ -47002,7 +48175,7 @@ index 6c01261..0f60717 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -648,6 +975,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -648,6 +976,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -47010,7 +48183,7 @@ index 6c01261..0f60717 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -674,7 +1002,6 @@ dev_rw_apm_bios(xserver_t) +@@ -674,7 +1003,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -47018,7 +48191,7 @@ index 6c01261..0f60717 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -684,11 +1011,17 @@ dev_wx_raw_memory(xserver_t) +@@ -684,11 +1012,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -47036,7 +48209,7 @@ index 6c01261..0f60717 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -699,8 +1032,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -699,8 +1033,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -47050,7 +48223,7 @@ index 6c01261..0f60717 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -713,8 +1051,6 @@ init_getpgid(xserver_t) +@@ -713,8 +1052,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -47059,7 +48232,7 @@ index 6c01261..0f60717 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -722,11 +1058,12 @@ logging_send_audit_msgs(xserver_t) +@@ -722,11 +1059,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) 
@@ -47074,7 +48247,7 @@ index 6c01261..0f60717 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -780,16 +1117,36 @@ optional_policy(` +@@ -780,16 +1118,36 @@ optional_policy(` ') optional_policy(` @@ -47112,7 +48285,7 @@ index 6c01261..0f60717 100644 unconfined_domtrans(xserver_t) ') -@@ -798,6 +1155,10 @@ optional_policy(` +@@ -798,6 +1156,10 @@ optional_policy(` ') optional_policy(` @@ -47123,7 +48296,7 @@ index 6c01261..0f60717 100644 xfs_stream_connect(xserver_t) ') -@@ -813,10 +1174,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -813,10 +1175,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -47137,7 +48310,7 @@ index 6c01261..0f60717 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -824,7 +1185,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -824,7 +1186,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -47146,7 +48319,7 @@ index 6c01261..0f60717 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -837,6 +1198,9 @@ init_use_fds(xserver_t) +@@ -837,6 +1199,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -47156,7 +48329,7 @@ index 6c01261..0f60717 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -844,6 +1208,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -844,6 +1209,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') 
@@ -47168,7 +48341,7 @@ index 6c01261..0f60717 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -852,11 +1221,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -852,11 +1222,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -47185,7 +48358,7 @@ index 6c01261..0f60717 100644 ') optional_policy(` -@@ -864,6 +1236,10 @@ optional_policy(` +@@ -864,6 +1237,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') @@ -47196,7 +48369,7 @@ index 6c01261..0f60717 100644 ######################################## # # Rules common to all X window domains -@@ -907,7 +1283,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -907,7 +1284,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -47205,7 +48378,7 @@ index 6c01261..0f60717 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -961,11 +1337,31 @@ allow x_domain self:x_resource { read write }; +@@ -961,11 +1338,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -47237,7 +48410,7 @@ index 6c01261..0f60717 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -987,18 +1383,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -987,18 +1384,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') 
@@ -52450,7 +53623,7 @@ index 72c746e..704d2d7 100644 +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 8b5c196..6dc92dd 100644 +index 8b5c196..98652f7 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,16 @@ interface(`mount_domtrans',` @@ -52595,7 +53768,7 @@ index 8b5c196..6dc92dd 100644 ## Execute mount in the unconfined mount domain. ## ## -@@ -176,4 +271,110 @@ interface(`mount_run_unconfined',` +@@ -176,4 +271,112 @@ interface(`mount_run_unconfined',` mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; @@ -52626,6 +53799,8 @@ index 8b5c196..6dc92dd 100644 + + domtrans_pattern($1, fusermount_exec_t, mount_t) + ps_process_pattern(mount_t, $1) ++ ++ allow mount_t $1:unix_stream_socket { read write }; +') + +######################################## @@ -53259,7 +54434,7 @@ index 2cc4bda..9e81136 100644 +/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if -index 170e2c7..540a936 100644 +index 170e2c7..e29a4eb 100644 --- a/policy/modules/system/selinuxutil.if +++ b/policy/modules/system/selinuxutil.if @@ -85,6 +85,10 @@ interface(`seutil_domtrans_loadpolicy',` 
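Review bot: The new `allow mount_t $1:unix_stream_socket { read write };` after `ps_process_pattern(mount_t, $1)` has no comment saying why a domain that transitions into mount_t through fusermount needs read/write on its caller's stream socket; presumably this is an inherited descriptor (a socketpair handed to fusermount by the FUSE client), and the rule should record that, e.g. `# fusermount inherits a socketpair from the calling FUSE client` above it. If inherited-fd use is the whole intent, `{ read write }` is the right minimal set and `connectto` should stay out; if the intent is broader, the interface summary (which starts before this hunk) should mention the socket access.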
@@ -53385,7 +54560,37 @@ index 170e2c7..540a936 100644 manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -1005,6 +1086,30 @@ interface(`seutil_domtrans_semanage',` +@@ -756,6 +837,29 @@ interface(`seutil_read_default_contexts',` + read_files_pattern($1, default_context_t, default_context_t) + ') + ++####################################### ++## ++## Read and write the default_contexts files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`seutil_rw_default_contexts',` ++ gen_require(` ++ type default_context_t; ++ type selinux_config_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 selinux_config_t:dir list_dir_perms; ++ allow $1 default_context_t:dir list_dir_perms; ++ rw_files_pattern($1, default_context_t, default_context_t) ++') ++ + ######################################## + ## + ## Create, read, write, and delete the default_contexts files. +@@ -1005,6 +1109,30 @@ interface(`seutil_domtrans_semanage',` files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, semanage_exec_t, semanage_t) @@ -53416,7 +54621,7 @@ index 170e2c7..540a936 100644 ') ######################################## -@@ -1038,6 +1143,54 @@ interface(`seutil_run_semanage',` +@@ -1038,6 +1166,54 @@ interface(`seutil_run_semanage',` ######################################## ## @@ -53471,7 +54676,7 @@ index 170e2c7..540a936 100644 ## Full management of the semanage ## module store. ## -@@ -1149,3 +1302,194 @@ interface(`seutil_dontaudit_libselinux_linked',` +@@ -1149,3 +1325,194 @@ interface(`seutil_dontaudit_libselinux_linked',` selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') @@ -54402,7 +55607,7 @@ index ff80d0a..7f1a21c 100644 + role_transition $1 dhcpc_exec_t system_r; +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index df32316..37f1cfa 100644 +index df32316..773c572 100644 
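Review bot: `seutil_rw_default_contexts` gives the caller write access to `default_context_t` files, the data login programs consult to choose a user's context, yet its summary is only `Read and write the default_contexts files.` with no warning that a writer can steer future logins into a different domain. The doc block should carry that caveat, e.g. `## Writing these files alters the context assigned at login; grant only to trusted policy-management domains.`, and neither the hunk nor the changelog names the domain that will call it. The new interface also appears to repeat the `files_search_etc`/`list_dir_perms` preamble of the adjacent `seutil_read_default_contexts`; calling `seutil_read_default_contexts($1)` and then adding the `rw_files_pattern` line would keep the two from drifting apart.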
--- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1) @@ -54520,7 +55725,7 @@ index df32316..37f1cfa 100644 userdom_use_user_terminals(dhcpc_t) userdom_dontaudit_search_user_home_dirs(dhcpc_t) -@@ -155,6 +175,14 @@ optional_policy(` +@@ -155,6 +175,15 @@ optional_policy(` ') optional_policy(` @@ -54528,6 +55733,7 @@ index df32316..37f1cfa 100644 +') + +optional_policy(` ++ devicekit_dontaudit_rw_log(dhcpc_t) + devicekit_dontaudit_read_pid_files(dhcpc_t) +') + @@ -54535,7 +55741,7 @@ index df32316..37f1cfa 100644 init_dbus_chat_script(dhcpc_t) dbus_system_bus_client(dhcpc_t) -@@ -171,6 +199,8 @@ optional_policy(` +@@ -171,6 +200,8 @@ optional_policy(` optional_policy(` hal_dontaudit_rw_dgram_sockets(dhcpc_t) @@ -54544,7 +55750,7 @@ index df32316..37f1cfa 100644 ') optional_policy(` -@@ -192,6 +222,17 @@ optional_policy(` +@@ -192,6 +223,17 @@ optional_policy(` ') optional_policy(` @@ -54562,7 +55768,7 @@ index df32316..37f1cfa 100644 nis_read_ypbind_pid(dhcpc_t) ') -@@ -213,6 +254,11 @@ optional_policy(` +@@ -213,6 +255,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) @@ -54574,7 +55780,7 @@ index df32316..37f1cfa 100644 ') optional_policy(` -@@ -276,8 +322,11 @@ dev_read_urand(ifconfig_t) +@@ -276,8 +323,11 @@ dev_read_urand(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -54586,7 +55792,7 @@ index df32316..37f1cfa 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -301,10 +350,10 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,10 +351,10 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -54599,7 +55805,7 @@ index df32316..37f1cfa 100644 userdom_use_user_terminals(ifconfig_t) userdom_use_all_users_fds(ifconfig_t) -@@ -314,7 +363,15 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +364,15 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -54615,7 +55821,7 @@ index df32316..37f1cfa 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,12 +382,31 @@ ifdef(`hide_broken_symptoms',` +@@ -325,12 +383,31 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -54647,7 +55853,7 @@ index df32316..37f1cfa 100644 ') optional_policy(` -@@ -355,3 +431,9 @@ optional_policy(` +@@ -355,3 +432,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -59326,7 +60532,7 @@ index 77d41b6..4aa96c6 100644 files_search_pids($1) diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te -index 4350ba0..c8b1d3b 100644 +index 4350ba0..e50a784 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1) @@ -59357,6 +60563,15 @@ index 4350ba0..c8b1d3b 100644 ######################################## # # blktap local policy +@@ -208,7 +205,7 @@ tunable_policy(`xend_run_qemu',` + # xend local policy + # + +-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw }; ++allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw }; + dontaudit xend_t self:capability { sys_ptrace }; + allow xend_t self:process { signal sigkill }; + dontaudit xend_t self:process ptrace; @@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t) logging_send_syslog_msg(xend_t) @@ -59560,7 +60775,7 @@ index 22ca011..df6b5de 100644 # diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index f7380b3..51867f6 100644 +index f7380b3..5989a3c 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') 
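Review bot: The `sys_admin` added to `allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };` is the broadest capability in the set (mounts, namespaces, a large family of privileged ioctls), and nothing in the hunk or the changelog line "Allow xend to sys_admin privs" records which operation xend performs that needs it. The triggering denial should be cited, and if it maps to a single action that a narrower interface covers, that rule should be used instead of the capability. If `sys_admin` really is required, put the reason directly above the `allow`, e.g. `# sys_admin: <operation seen in the AVC>`, so it is not silently carried forward. The rest of the xend local policy is outside this hunk.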
@@ -59569,7 +60784,7 @@ index f7380b3..51867f6 100644 # -define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') - -+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') ++define(`socket_class_set', `{ socket dccp_socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }') # # Datagram socket classes. diff --git a/selinux-policy.spec b/selinux-policy.spec index 8e46c93..51a4f13 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
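Review bot: Adding `dccp_socket` to `socket_class_set` silently widens every existing rule built on that macro to DCCP sockets, and the hunk shows no matching declaration of the class and its access vectors in the flask definitions, so a policy build against a version lacking the class would fail. If the class declaration is part of the same "Dominicks patch" the changelog should say so; otherwise it needs to be added alongside this change. A one-line comment above the define, e.g. `# dccp_socket must also be declared in policy/flask/security_classes and access_vectors`, would make the dependency explicit for later maintainers.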
@@ -471,6 +471,24 @@ exit 0 %endif %changelog +* Thu May 26 2011 Miroslav Grepl 3.9.16-25 +- Add Dominicks patch for dccp_socket +- dnsmasq needs to read nm-dns-dnsmasq.conf in /var/run/ +- Colord inherits open file descriptors from the users...' +- cgred needs auth_use_nsswitch() +- apcupsd lock file was missing file context specificatio... +- Make cron work +- Allow clamav to manage amavis spool files +- Use httpd_can_sendmail boolean also for httpd_suexec_t +- Add fenced_can_ssh boolean +- Add dev_dontaudit_read_generic_files() for hplip +- Allow xauthority to create shared memory +- Make postfix user domains application_domains +- Allow xend to sys_admin privs +- Allow mount to read usr files +- Allow logrotate to connect to init script using unix stream socket +- Allow nsplugin_t to getattr on gpmctl + * Tue May 17 2011 Miroslav Grepl 3.9.16-24 - Allow logrotate to connect to init script using unix domain stream socket - Allow shorewall read and write inherited user domain pty/tty