From e02e8f098744a33e7898c00036b8979f2b80f505 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Oct 03 2011 19:11:24 +0000 Subject: - Allow logrotate setuid and setgid since logrotate is supposed to do it - Fixes for thumb policy by grift - Add new nfsd ports - Added fix to allow confined apps to execmod on chrome - Add labeling for additional vdsm directories - Allow Exim and Dovecot SASL - Add label for /var/run/nmbd - Add fixes to make virsh and xen working together - Colord executes ls - /var/spool/cron is now labeled as user_cron_spool_t --- diff --git a/policy-F16.patch b/policy-F16.patch index 29e1ca4..9591fd2 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -634,6 +634,22 @@ index 2c2cdb6..73b3814 100644 + brctl_domtrans($1) + role $2 types brctl_t; +') +diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te +index 9a62a1d..eb017ef 100644 +--- a/policy/modules/admin/brctl.te ++++ b/policy/modules/admin/brctl.te +@@ -20,6 +20,11 @@ allow brctl_t self:unix_stream_socket create_stream_socket_perms; + allow brctl_t self:unix_dgram_socket create_socket_perms; + allow brctl_t self:tcp_socket create_socket_perms; + ++ifdef(`hide_broken_symptoms',` ++ # caused by some bogus kernel code ++ dontaudit brctl_t self:capability sys_module; ++') ++ + kernel_request_load_module(brctl_t) + kernel_read_network_state(brctl_t) + kernel_read_sysctl(brctl_t) diff --git a/policy/modules/admin/certwatch.te b/policy/modules/admin/certwatch.te index 6b02433..1e28e62 100644 --- a/policy/modules/admin/certwatch.te @@ -1123,9 +1139,21 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..b80d4c6 100644 +index 7090dae..db17bbe 100644 --- a/policy/modules/admin/logrotate.te 
+++ b/policy/modules/admin/logrotate.te +@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t) + # + + # Change ownership on log files. +-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice }; ++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice }; + # for mailx +-dontaudit logrotate_t self:capability { setuid setgid sys_ptrace }; ++dontaudit logrotate_t self:capability { sys_ptrace }; + + allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + @@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi allow logrotate_t self:process setfscreate; @@ -4564,10 +4592,10 @@ index 0000000..6f3570a +/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 -index 0000000..fc9014f +index 0000000..e23f640 --- /dev/null +++ b/policy/modules/apps/execmem.if -@@ -0,0 +1,133 @@ +@@ -0,0 +1,132 @@ +## execmem domain + +######################################## @@ -4636,9 +4664,8 @@ index 0000000..fc9014f + + files_execmod_tmp($1_execmem_t) + -+ optional_policy(` -+ execmem_execmod($1_execmem_t) -+ ') ++ allow $3 execmem_exec_t:file execmod; ++ allow $1_execmem_t execmem_exec_t:file execmod; + + # needed by plasma-desktop + optional_policy(` @@ -4917,10 +4944,10 @@ index 00a19e3..9f6139c 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..19f3c30 100644 +index f5afe78..9a0377f 100644 --- a/policy/modules/apps/gnome.if 
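Review bot: The comment above the changed `allow logrotate_t self:capability` rule still reads `# Change ownership on log files.`, but the set now also carries `setuid setgid`, which are about switching identity rather than ownership, so the comment no longer describes the rule it heads. Suggest `# Change ownership on log files; setuid/setgid to rotate logs as the configured user` — presumably logrotate's `su` directive is the reason behind "logrotate is supposed to do it", which should be confirmed against the logrotate version targeted. The remaining `dontaudit logrotate_t self:capability { sys_ptrace };` keeps its `# for mailx` comment, which still fits.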
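Review bot: The two unconditional `allow … execmem_exec_t:file execmod` lines replace an `optional_policy` call and, newly, extend execmod to the caller-supplied user domain `$3`, not only `$1_execmem_t`, yet the template carries no comment saying why the user domain needs it. Because execmod on an executable type relaxes the text-relocation restriction for every file labeled execmem_exec_t, a one-line reason is worth recording, e.g. `# $3 also needs execmod on execmem_exec_t (text relocations in chrome; see commit message)` — the chrome motive is taken from the commit subject, so confirm it before committing the comment. The enclosing template starts and ends outside the hunk.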
+++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,731 @@ +@@ -1,44 +1,768 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -5217,7 +5244,7 @@ index f5afe78..19f3c30 100644 + type cache_home_t; + ') + -+ filetrans_pattern($1, cache_home_t, $2, $3) ++ filetrans_pattern($1, cache_home_t, $2, $3, $4) + userdom_search_user_home_dirs($1) +') + @@ -5362,7 +5389,7 @@ index f5afe78..19f3c30 100644 + type data_home_t; + ') + -+ filetrans_pattern($1, data_home_t, $2, $3) ++ filetrans_pattern($1, data_home_t, $2, $3, $4) + gnome_search_gconf($1) +') + @@ -5596,11 +5623,10 @@ index f5afe78..19f3c30 100644 +## search gconf homedir (.local) +## +## - ## --## Role allowed access ++## +## Domain allowed access. - ## - ## ++## ++## +# +interface(`gnome_search_gconf',` + gen_require(` @@ -5615,6 +5641,26 @@ index f5afe78..19f3c30 100644 +## +## Set attributes of Gnome config dirs. +## ++## + ## +-## Role allowed access ++## Domain allowed access. + ## + ## ++# ++interface(`gnome_setattr_config_dirs',` ++ gen_require(` ++ type gnome_home_t; ++ ') ++ ++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## Manage generic gnome home files. ++## ## ## -## User domain for the role @@ -5623,7 +5669,7 @@ index f5afe78..19f3c30 100644 ## # -interface(`gnome_role',` -+interface(`gnome_setattr_config_dirs',` ++interface(`gnome_manage_generic_home_files',` gen_require(` - type gconfd_t, gconfd_exec_t; - type gconf_tmp_t; 
@@ -5631,19 +5677,37 @@ index f5afe78..19f3c30 100644 ') - role $1 types gconfd_t; -- ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, gnome_home_t, gnome_home_t) ++') ++ ++######################################## ++## ++## Manage generic gnome home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_manage_generic_home_dirs',` ++ gen_require(` ++ type gnome_home_t; ++ ') + - domain_auto_trans($2, gconfd_exec_t, gconfd_t) - allow gconfd_t $2:fd use; - allow gconfd_t $2:fifo_file write; - allow gconfd_t $2:unix_stream_socket connectto; -+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) -+ files_search_home($1) ++ userdom_search_user_home_dirs($1) ++ allow $1 gnome_home_t:dir manage_dir_perms; +') - ps_process_pattern($2, gconfd_t) +######################################## +## -+## Manage generic gnome home files. ++## Append gconf home files +## +## +## 
@@ -5651,129 +5715,128 @@ index f5afe78..19f3c30 100644 +## +## +# -+interface(`gnome_manage_generic_home_files',` ++interface(`gnome_append_gconf_home_files',` + gen_require(` -+ type gnome_home_t; ++ type gconf_home_t; + ') - #gnome_stream_connect_gconf_template($1, $2) - read_files_pattern($2, gconf_tmp_t, gconf_tmp_t) - allow $2 gconfd_t:unix_stream_socket connectto; -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, gnome_home_t, gnome_home_t) ++ append_files_pattern($1, gconf_home_t, gconf_home_t) ') ######################################## ## -## Execute gconf programs in -## in the caller domain. -+## Manage generic gnome home directories. ++## manage gconf home files ## ## ## -@@ -46,37 +733,36 @@ interface(`gnome_role',` +@@ -46,37 +770,60 @@ interface(`gnome_role',` ## ## # -interface(`gnome_exec_gconf',` -+interface(`gnome_manage_generic_home_dirs',` ++interface(`gnome_manage_gconf_home_files',` gen_require(` - type gconfd_exec_t; -+ type gnome_home_t; ++ type gconf_home_t; ') - can_exec($1, gconfd_exec_t) -+ userdom_search_user_home_dirs($1) -+ allow $1 gnome_home_t:dir manage_dir_perms; ++ allow $1 gconf_home_t:dir list_dir_perms; ++ manage_files_pattern($1, gconf_home_t, gconf_home_t) ') ######################################## ## -## Read gconf config files. -+## Append gconf home files ++## Connect to gnome over an unix stream socket. ## --## +## ++## ++## Domain allowed access. ++## ++## + ## ## ++## The type of the user domain. ++## ++## ++# ++interface(`gnome_stream_connect',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ # Connect to pulseaudit server ++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ++') ++ ++######################################## ++## ++## list gnome homedir content (.config) ++## ++## ++## ## Domain allowed access. 
## ## # -template(`gnome_read_gconf_config',` -+interface(`gnome_append_gconf_home_files',` ++interface(`gnome_list_home_config',` gen_require(` - type gconf_etc_t; -+ type gconf_home_t; ++ type config_home_t; ') - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -+ append_files_pattern($1, gconf_home_t, gconf_home_t) ++ allow $1 config_home_t:dir list_dir_perms; ') -####################################### +######################################## ## -## Create, read, write, and delete gconf config files. -+## manage gconf home files ++## Set attributes of gnome homedir content (.config) ## ## ## -@@ -84,37 +770,60 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +831,38 @@ template(`gnome_read_gconf_config',` ## ## # -interface(`gnome_manage_gconf_config',` -+interface(`gnome_manage_gconf_home_files',` ++interface(`gnome_setattr_home_config',` gen_require(` - type gconf_etc_t; -+ type gconf_home_t; ++ type config_home_t; ') - manage_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -+ allow $1 gconf_home_t:dir list_dir_perms; -+ manage_files_pattern($1, gconf_home_t, gconf_home_t) ++ setattr_dirs_pattern($1, config_home_t, config_home_t) ++ userdom_search_user_home_dirs($1) ') ######################################## ## -## gconf connection template. -+## Connect to gnome over an unix stream socket. ++## read gnome homedir content (.config) ## +-## +## -+## -+## Domain allowed access. -+## -+## - ## ## -+## The type of the user domain. -+## -+## -+# -+interface(`gnome_stream_connect',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ # Connect to pulseaudit server -+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) -+') -+ -+######################################## -+## -+## list gnome homedir content (.config) -+## -+## -+## ## Domain allowed access. 
## ## # -interface(`gnome_stream_connect_gconf',` -+interface(`gnome_list_home_config',` ++interface(`gnome_read_home_config',` gen_require(` - type gconfd_t, gconf_tmp_t; + type config_home_t; @@ -5781,45 +5844,46 @@ index f5afe78..19f3c30 100644 - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -+ allow $1 config_home_t:dir list_dir_perms; ++ list_dirs_pattern($1, config_home_t, config_home_t) ++ read_files_pattern($1, config_home_t, config_home_t) ++ read_lnk_files_pattern($1, config_home_t, config_home_t) ') ######################################## ## -## Run gconfd in gconfd domain. -+## Set attributes of gnome homedir content (.config) ++## manage gnome homedir content (.config) ## ## ## -@@ -122,17 +831,18 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +870,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # -interface(`gnome_domtrans_gconfd',` -+interface(`gnome_setattr_home_config',` ++interface(`gnome_manage_home_config',` gen_require(` - type gconfd_t, gconfd_exec_t; + type config_home_t; ') - domtrans_pattern($1, gconfd_exec_t, gconfd_t) -+ setattr_dirs_pattern($1, config_home_t, config_home_t) -+ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, config_home_t, config_home_t) ') ######################################## ## -## Set attributes of Gnome config dirs. -+## read gnome homedir content (.config) ++## manage gnome homedir content (.config) ## ## ## -@@ -140,51 +850,355 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +888,335 @@ interface(`gnome_domtrans_gconfd',` ## ## # -interface(`gnome_setattr_config_dirs',` -+interface(`gnome_read_home_config',` ++interface(`gnome_manage_home_config_dirs',` gen_require(` - type gnome_home_t; + type config_home_t; 
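Review bot: The comment inside the relocated `gnome_stream_connect` interface reads `# Connect to pulseaudit server`; presumably `pulseaudio` is meant, and the comment should name what the interface actually does, e.g. `# Connect to a socket in gnome home content (e.g. the pulseaudio server)`. The typo was carried over from the previous position of the block rather than introduced here, but this hunk is where the line now lives.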
@@ -5827,15 +5891,13 @@ index f5afe78..19f3c30 100644 - setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) - files_search_home($1) -+ list_dirs_pattern($1, config_home_t, config_home_t) -+ read_files_pattern($1, config_home_t, config_home_t) -+ read_lnk_files_pattern($1, config_home_t, config_home_t) ++ manage_dirs_pattern($1, config_home_t, config_home_t) ') ######################################## ## -## Read gnome homedir content (.config) -+## manage gnome homedir content (.config) ++## manage gstreamer home content files. ## -## +## @@ -5845,21 +5907,22 @@ index f5afe78..19f3c30 100644 ## # -template(`gnome_read_config',` -+interface(`gnome_manage_home_config',` ++interface(`gnome_manage_gstreamer_home_files',` gen_require(` - type gnome_home_t; -+ type config_home_t; ++ type gstreamer_home_t; ') - list_dirs_pattern($1, gnome_home_t, gnome_home_t) - read_files_pattern($1, gnome_home_t, gnome_home_t) - read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) -+ manage_files_pattern($1, config_home_t, config_home_t) ++ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t) ') ######################################## ## - ## manage gnome homedir content (.config) +-## manage gnome homedir content (.config) ++## Read/Write all inherited gnome home config ## -## +## @@ -5869,24 +5932,6 @@ index f5afe78..19f3c30 100644 ## # -interface(`gnome_manage_config',` -+interface(`gnome_manage_home_config_dirs',` -+ gen_require(` -+ type config_home_t; -+ ') -+ -+ manage_dirs_pattern($1, config_home_t, config_home_t) -+') -+ -+######################################## -+## -+## Read/Write all inherited gnome home config -+## -+## -+## -+## Domain allowed access. -+## -+## -+# +interface(`gnome_rw_inherited_config',` + gen_require(` + attribute gnome_home_type; @@ -6518,7 +6563,7 @@ index 40e0a2a..93d212c 100644 ## ## Send generic signals to user gpg processes. 
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te -index 9050e8c..538d39e 100644 +index 9050e8c..3b10693 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -4,6 +4,7 @@ policy_module(gpg, 2.4.0) @@ -6666,17 +6711,18 @@ index 9050e8c..538d39e 100644 userdom_manage_user_home_content_dirs(gpg_agent_t) userdom_manage_user_home_content_files(gpg_agent_t) ') -@@ -332,6 +358,9 @@ miscfiles_read_localization(gpg_pinentry_t) +@@ -332,6 +358,10 @@ miscfiles_read_localization(gpg_pinentry_t) # for .Xauthority userdom_read_user_home_content_files(gpg_pinentry_t) userdom_read_user_tmpfs_files(gpg_pinentry_t) +# Bug: user pulseaudio files need open,read and unlink: +allow gpg_pinentry_t user_tmpfs_t:file unlink; +userdom_signull_unpriv_users(gpg_pinentry_t) ++userdom_use_user_terminals(gpg_pinentry_t) tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) -@@ -342,11 +371,21 @@ tunable_policy(`use_samba_home_dirs',` +@@ -342,11 +372,21 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -6698,7 +6744,7 @@ index 9050e8c..538d39e 100644 pulseaudio_exec(gpg_pinentry_t) pulseaudio_rw_home_files(gpg_pinentry_t) pulseaudio_setattr_home_dir(gpg_pinentry_t) -@@ -356,4 +395,28 @@ optional_policy(` +@@ -356,4 +396,28 @@ optional_policy(` optional_policy(` xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) 
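Review bot: `userdom_use_user_terminals(gpg_pinentry_t)` is appended directly under the `# Bug: user pulseaudio files need open,read and unlink:` comment, so it reads as part of that workaround although terminal access has nothing to do with pulseaudio tmpfs files. Separate it with a blank line and its own comment, e.g. `# pinentry prompts on the user's tty (curses/tty variants)` — the curses motive is an assumption to confirm. `userdom_signull_unpriv_users(gpg_pinentry_t)`, already under the same comment, has the same placement problem.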
@@ -10638,19 +10684,39 @@ index 7590165..7e6f53c 100644 +tunable_policy(`use_fusefs_home_dirs',` + fs_mounton_fusefs(seunshare_domain) +') +diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc +index b07ee19..5d12aa3 100644 +--- a/policy/modules/apps/telepathy.fc ++++ b/policy/modules/apps/telepathy.fc +@@ -1,8 +1,12 @@ + HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) +-HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) ++HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0) ++HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0) + HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) + HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) ++HOME_DIR/\.cache/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) + HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) ++HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0) ++HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0) + HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) + HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0) + diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if -index 3cfb128..609921d 100644 +index 3cfb128..d49274d 100644 --- a/policy/modules/apps/telepathy.if 
+++ b/policy/modules/apps/telepathy.if -@@ -11,7 +11,6 @@ +@@ -11,9 +11,7 @@ ## ## # -# template(`telepathy_domain_template',` - +- gen_require(` -@@ -23,16 +22,18 @@ template(`telepathy_domain_template',` + attribute telepathy_domain; + attribute telepathy_executable; +@@ -23,16 +21,18 @@ template(`telepathy_domain_template',` type telepathy_$1_exec_t, telepathy_executable; application_domain(telepathy_$1_t, telepathy_$1_exec_t) ubac_constrained(telepathy_$1_t) @@ -10664,13 +10730,14 @@ index 3cfb128..609921d 100644 ####################################### ## - ## Role access for telepathy domains +-## Role access for telepathy domains -### that executes via dbus-session -+## that executes via dbus-session ++## Role access for telepathy domains ++## that executes via dbus-session ## ## ## -@@ -44,8 +45,13 @@ template(`telepathy_domain_template',` +@@ -44,8 +44,13 @@ template(`telepathy_domain_template',` ## The type of the user domain. ## ## @@ -10685,7 +10752,7 @@ index 3cfb128..609921d 100644 gen_require(` attribute telepathy_domain; type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; -@@ -76,6 +82,8 @@ template(`telepathy_role', ` +@@ -76,6 +81,8 @@ template(`telepathy_role', ` dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t) dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t) dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t) @@ -10694,7 +10761,7 @@ index 3cfb128..609921d 100644 ') ######################################## -@@ -122,11 +130,6 @@ interface(`telepathy_gabble_dbus_chat', ` +@@ -122,11 +129,6 @@ interface(`telepathy_gabble_dbus_chat', ` ## ## Read telepathy mission control state. ## 
@@ -10706,117 +10773,194 @@ index 3cfb128..609921d 100644 ## ## ## Domain allowed access. -@@ -179,3 +182,75 @@ interface(`telepathy_salut_stream_connect', ` +@@ -166,7 +168,7 @@ interface(`telepathy_msn_stream_connect', ` + ## Stream connect to Telepathy Salut + ## + ## +-## ++## + ## Domain allowed access. + ## + ## +@@ -179,3 +181,111 @@ interface(`telepathy_salut_stream_connect', ` stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t) files_search_tmp($1) ') + +####################################### +## -+## Send DBus messages to and from -+## all Telepathy domain. ++## Send DBus messages to and from ++## all Telepathy domain. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`telepathy_dbus_chat', ` -+ gen_require(` -+ attribute telepathy_domain; -+ class dbus send_msg; -+ ') ++interface(`telepathy_dbus_chat',` ++ gen_require(` ++ attribute telepathy_domain; ++ class dbus send_msg; ++ ') + -+ allow $1 telepathy_domain:dbus send_msg; -+ allow telepathy_domain $1:dbus send_msg; ++ allow $1 telepathy_domain:dbus send_msg; ++ allow telepathy_domain $1:dbus send_msg; +') + +###################################### +## -+## Execute telepathy executable -+## in the specified domain. ++## Execute telepathy executable ++## in the specified domain. +## +## -+##

-+## Execute a telepathy executable -+## in the specified domain. This allows -+## the specified domain to execute any file -+## on these filesystems in the specified -+## domain. -+##

-+##

-+## No interprocess communication (signals, pipes, -+## etc.) is provided by this interface since -+## the domains are not owned by this module. -+##

-+##

-+## This interface was added to handle -+## the ssh-agent policy. -+##

++##

++## Execute a telepathy executable ++## in the specified domain. This allows ++## the specified domain to execute any file ++## on these filesystems in the specified ++## domain. ++##

++##

++## No interprocess communication (signals, pipes, ++## etc.) is provided by this interface since ++## the domains are not owned by this module. ++##

+##
+## -+## -+## Domain allowed to transition. -+## ++## ++## Domain allowed to transition. ++## +## +## -+## -+## The type of the new process. -+## ++## ++## The type of the new process. ++## +## +# +interface(`telepathy_command_domtrans', ` ++ gen_require(` ++ attribute telepathy_executable; ++ ') + -+ gen_require(` -+ attribute telepathy_executable; -+ ') -+ -+ allow $2 telepathy_executable:file entrypoint; -+ domain_transition_pattern($1, telepathy_executable, $2) -+ type_transition $1 telepathy_executable:process $2; ++ allow $2 telepathy_executable:file entrypoint; ++ domain_transition_pattern($1, telepathy_executable, $2) ++ type_transition $1 telepathy_executable:process $2; + + # needs to dbus chat with unconfined_t and unconfined_dbusd_t -+ optional_policy(` -+ telepathy_dbus_chat($1) -+ telepathy_dbus_chat($2) -+ ') ++ optional_policy(` ++ telepathy_dbus_chat($1) ++ telepathy_dbus_chat($2) ++ ') ++') ++ ++######################################## ++## ++## Create telepathy content in the user home directory ++## with an correct label. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`telepathy_filetrans_home_content',` ++ gen_require(` ++ type telepathy_mission_control_cache_home_t; ++ type telepathy_mission_control_home_t; ++ type telepathy_logger_cache_home_t; ++ type telepathy_gabble_cache_home_t; ++ type telepathy_sunshine_home_t; ++ type telepathy_logger_data_home_t; ++ type telepathy_cache_home_t, telepathy_data_home_t; ++ type telepathy_mission_control_data_home_t; ++ ') ++ ++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger") ++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal") ++ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble") ++ ++ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control") ++ ++ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control") ++ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine") ++ ++ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections") ++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble") ++ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky") ++ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy") ++ ++ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger") ++ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy") +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te -index 2533ea0..11187e0 100644 +index 2533ea0..58f8728 100644 --- a/policy/modules/apps/telepathy.te 
+++ b/policy/modules/apps/telepathy.te -@@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble +@@ -26,12 +26,18 @@ attribute telepathy_executable; + + telepathy_domain_template(gabble) + ++type telepathy_cache_home_t; ++userdom_user_home_content(telepathy_cache_home_t) ++ + type telepathy_gabble_cache_home_t; + userdom_user_home_content(telepathy_gabble_cache_home_t) + + telepathy_domain_template(idle) + telepathy_domain_template(logger) + ++type telepathy_data_home_t; ++userdom_user_home_content(telepathy_data_home_t) ++ + type telepathy_logger_cache_home_t; + userdom_user_home_content(telepathy_logger_cache_home_t) + +@@ -43,6 +49,9 @@ telepathy_domain_template(mission_control) + type telepathy_mission_control_home_t; + userdom_user_home_content(telepathy_mission_control_home_t) + ++type telepathy_mission_control_data_home_t; ++userdom_user_home_content(telepathy_mission_control_data_home_t) ++ + type telepathy_mission_control_cache_home_t; + userdom_user_home_content(telepathy_mission_control_cache_home_t) + +@@ -67,6 +76,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t) files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file }) +# ~/.cache/gabble/caps-cache.db-journal -+# optional_policy(` +optional_policy(` -+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t) -+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, { dir file }) -+') ++ manage_dirs_pattern(telepathy_gabble_t, { telepathy_cache_home_t telepathy_gabble_cache_home_t } , { telepathy_cache_home_t telepathy_gabble_cache_home_t }) ++ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, 
telepathy_gabble_cache_home_t) ++ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, { dir file }) ++ gnome_cache_filetrans(telepathy_gabble_t, telepathy_cache_home_t, dir) ++') + corenet_all_recvfrom_netlabel(telepathy_gabble_t) corenet_all_recvfrom_unlabeled(telepathy_gabble_t) corenet_tcp_sendrecv_generic_if(telepathy_gabble_t) -@@ -112,6 +120,10 @@ optional_policy(` +@@ -112,6 +129,10 @@ optional_policy(` dbus_system_bus_client(telepathy_gabble_t) ') +optional_policy(` -+ gnome_read_home_config(telepathy_gabble_t) ++ gnome_manage_home_config(telepathy_gabble_t) +') + ####################################### # # Telepathy Idle local policy. -@@ -148,9 +160,11 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -147,10 +168,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` + allow telepathy_logger_t self:unix_stream_socket create_socket_perms; ++manage_dirs_pattern(telepathy_logger_t, { telepathy_cache_home_t telepathy_logger_cache_home_t }, { telepathy_cache_home_t telepathy_logger_cache_home_t }) manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t) -+gnome_cache_filetrans(telepathy_logger_t, telepathy_logger_cache_home_t, file) ++filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, { dir file }) ++gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir) manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t) 
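Review bot: In telepathy.te the new `gnome_cache_filetrans(telepathy_gabble_t, telepathy_cache_home_t, dir)` and `gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir)` pass no name, so every directory those domains create in a cache_home_t directory gets telepathy_cache_home_t, whereas the hunk's own `telepathy_filetrans_home_content` pins the same transition to `"telepathy"` through the fourth argument that gnome_cache_filetrans now forwards. Passing the name, `gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir, "telepathy")` (and likewise for gabble), keeps unrelated cache directories out of the telepathy type; the name-less `gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)` in the following hunk has the same issue. Two smaller points in the same hunk: the interface description `with an correct label` should read `with a correct label`, and `telepathy_gabble_cache_home_t } , {` carries a stray space before the comma.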
@@ -10824,27 +10968,32 @@ index 2533ea0..11187e0 100644 files_read_etc_files(telepathy_logger_t) files_read_usr_files(telepathy_logger_t) -@@ -168,6 +182,11 @@ tunable_policy(`use_samba_home_dirs',` +@@ -168,6 +193,11 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_logger_t) ') +optional_policy(` -+# ~/.config/dconf/user ++ # ~/.config/dconf/user + gnome_manage_home_config(telepathy_logger_t) +') + ####################################### # # Telepathy Mission-Control local policy. -@@ -176,6 +195,7 @@ tunable_policy(`use_samba_home_dirs',` +@@ -176,6 +206,12 @@ tunable_policy(`use_samba_home_dirs',` manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t) userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) +userdom_search_user_home_dirs(telepathy_mission_control_t) ++ ++manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t }) ++manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t) ++filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file }) ++gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir) dev_read_rand(telepathy_mission_control_t) -@@ -194,6 +214,16 @@ tunable_policy(`use_samba_home_dirs',` +@@ -194,6 +230,16 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(telepathy_mission_control_t) ') 
@@ -10854,14 +11003,14 @@ index 2533ea0..11187e0 100644 + +# ~/.cache/.mc_connections. +optional_policy(` -+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) -+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) ++ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) ++ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file) +') + ####################################### # # Telepathy Butterfly and Haze local policy. -@@ -205,8 +235,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; +@@ -205,8 +251,11 @@ allow telepathy_msn_t self:unix_dgram_socket { write create connect }; manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -10873,18 +11022,18 @@ index 2533ea0..11187e0 100644 corenet_all_recvfrom_netlabel(telepathy_msn_t) corenet_all_recvfrom_unlabeled(telepathy_msn_t) -@@ -246,6 +279,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` +@@ -246,6 +295,10 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',` ') optional_policy(` -+ gnome_read_gconf_home_files(telepathy_msn_t) ++ gnome_read_gconf_home_files(telepathy_msn_t) +') + +optional_policy(` dbus_system_bus_client(telepathy_msn_t) optional_policy(` -@@ -365,10 +402,9 @@ dev_read_urand(telepathy_domain) +@@ -365,10 +418,9 @@ dev_read_urand(telepathy_domain) kernel_read_system_state(telepathy_domain) 
@@ -10896,12 +11045,12 @@ index 2533ea0..11187e0 100644 miscfiles_read_localization(telepathy_domain) optional_policy(` -@@ -376,5 +412,23 @@ optional_policy(` +@@ -376,5 +428,23 @@ optional_policy(` ') optional_policy(` -+ gnome_read_generic_cache_files(telepathy_domain) -+ gnome_write_generic_cache_files(telepathy_domain) ++ gnome_read_generic_cache_files(telepathy_domain) ++ gnome_write_generic_cache_files(telepathy_domain) +') + +optional_policy(` @@ -10914,11 +11063,11 @@ index 2533ea0..11187e0 100644 + +# Just for F15 +optional_policy(` -+ gen_require(` -+ role unconfined_r; -+ ') ++ gen_require(` ++ role unconfined_r; ++ ') + -+ role unconfined_r types telepathy_domain; ++ role unconfined_r types telepathy_domain; +') diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc new file mode 100644 @@ -11017,10 +11166,10 @@ index 0000000..b78aa77 + diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te new file mode 100644 -index 0000000..7eba136 +index 0000000..73e7983 --- /dev/null +++ b/policy/modules/apps/thumb.te -@@ -0,0 +1,42 @@ +@@ -0,0 +1,127 @@ +policy_module(thumb, 1.0.0) + +######################################## 
@@ -11031,38 +11180,123 @@ index 0000000..7eba136 +type thumb_t; +type thumb_exec_t; +application_domain(thumb_t, thumb_exec_t) -+role system_r types thumb_t; ++ubac_constrained(thumb_t) ++ ++role system_r types thumb_t; # why is system_r needed ++ ++# this is for liborc: ~/orcexec.* ++# these should normally go to /tmp but it goes to ~ if not executable in /tmp ++# there is also a bug in liborc where it does to ~ by default ++# no longer needed orc fix available ++# type thumb_home_t; ++#userdom_user_home_content(thumb_home_t) + +type thumb_tmp_t; +files_tmp_file(thumb_tmp_t) ++ubac_constrained(thumb_tmp_t) + +######################################## +# +# thumb local policy +# + -+allow thumb_t self:process { setsched signal setrlimit }; ++# execmem is for totem-video-thumbnailer ++allow thumb_t self:process { setsched signal setrlimit execmem }; + +allow thumb_t self:fifo_file manage_fifo_file_perms; +allow thumb_t self:unix_stream_socket create_stream_socket_perms; + -+domain_use_interactive_fds(thumb_t) ++# please reproduce this, because i cannot ++# manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t) ++# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir) ++ ++# for totem-video-thumbnailer ++allow thumb_t self:netlink_route_socket r_netlink_socket_perms; ++allow thumb_t self:udp_socket create_socket_perms; ++allow thumb_t self:tcp_socket create_socket_perms; ++ ++# gst-plugin-scanner/liborc, ~/orcexec.* ++# no longer need fix in latest orc package ++# exec_files_pattern(thumb_t, thumb_home_t, thumb_home_t) ++# manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t) ++# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file) ++ ++manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) ++manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) ++exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) ++# please reproduce this, because it cannot ++# userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file) ++files_tmp_filetrans(thumb_t, thumb_tmp_t, 
{ file dir }) + +kernel_read_system_state(thumb_t) + ++domain_use_interactive_fds(thumb_t) ++ ++# /usr/libexec/gstreamer.*/gst-plugin-scanner ++corecmd_exec_bin(thumb_t) ++ ++# gst-plugin-scanner ++dev_read_sysfs(thumb_t) ++ ++domain_use_interactive_fds(thumb_t) ++ +files_read_etc_files(thumb_t) +files_read_usr_files(thumb_t) + -+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) -+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file) -+ +miscfiles_read_fonts(thumb_t) +miscfiles_read_localization(thumb_t) + ++# totem-video-thumbnailer ++sysnet_read_config(thumb_t) ++ ++# read files to be thumbed +userdom_read_user_tmp_files(thumb_t) +userdom_read_user_home_content_files(thumb_t) -+userdom_dontaudit_write_user_tmp_files(thumb_t) ++# .gnome_desktop_thumbnail.* is created by something in the user domain. ++# probably libgnome. ++userdom_write_user_tmp_files(thumb_t) ++ +userdom_use_inherited_user_ptys(thumb_t) ++ ++optional_policy(` ++ dbus_dontaudit_session_bus_connect(thumb_t) ++') ++ ++# optional_policy(` ++# gnome_read_gconf_home_files(thumb_t) ++# gnome_read_gstreamer_home_content(thumb_t) ++# ') ++ ++# please reproduce this, because i cannot ++# optional_policy(` ++# gnome_read_gconf_home_files(thumb_t) ++# ') ++ ++# these two are inherited ++# should probably create and call xserver_ra_inherited_xdm_home_files() ++xserver_read_xdm_home_files(thumb_t) ++xserver_append_xdm_home_files(thumb_t) ++# seems to not be needed ++xserver_dontaudit_read_xdm_pid(thumb_t) ++# this is required for totem-video-thumbnailer ++# although thumb does not need to write xserver_tmp_t sock_files ++# we probably want a xserver_connect to support but unix stream socket ++# connections as well tcp connections ++# allow thumb_t xserver_port_t:tcp_socket name_connect; ++xserver_stream_connect(thumb_t) ++ ++optional_policy(` ++ # This seems not strictly needed ++ dbus_dontaudit_stream_connect_session_bus(thumb_t) ++') ++ ++optional_policy(` ++ # this seems to work ++ # thumb_t tries 
to search data_home_t, config_home_t and gconf_home_t ++ gnome_dontaudit_search_config(thumb_t) ++ # totem-video-thumbnailer ++ gnome_manage_gstreamer_home_files(thumb_t) ++') diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te index 11fe4f2..98bfbf3 100644 --- a/policy/modules/apps/tvtime.te @@ -13055,7 +13289,7 @@ index 4f3b542..54e4c81 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..67c5d0f 100644 +index 99b71cb..17d942f 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,15 @@ attribute netif_type; @@ -13226,7 +13460,7 @@ index 99b71cb..67c5d0f 100644 network_port(nessus, tcp,1241,s0) network_port(netport, tcp,3129,s0, udp,3129,s0) network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) -+network_port(nfs, tcp,2049,s0, udp,2049,s0) ++network_port(nfs, tcp,2049,s0, udp,2049,s0, tcp,20048-20049,s0, udp,20048-20049,s0) network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) 
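Review bot: `domain_use_interactive_fds(thumb_t)` appears twice on the new side of this hunk, once directly after `kernel_read_system_state(thumb_t)` and again after `dev_read_sysfs(thumb_t)`; the second copy should be dropped. The domain now combines `execmem` on `thumb_t self:process` with `manage_files_pattern`/`exec_files_pattern` on `thumb_tmp_t`, so a thumbnailer that parses untrusted media may write and then execute files in its own tmp type; since the comments say the liborc workaround is no longer needed, please confirm `exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)` is still required and record the consumer in a comment next to it. `role system_r types thumb_t; # why is system_r needed` leaves an open question in shipped policy — either resolve it or make it an explicit `# TODO:` line above the rule. The file also carries two session-bus dontaudits (`dbus_dontaudit_session_bus_connect` and `dbus_dontaudit_stream_connect_session_bus`, the latter commented as not strictly needed), which could be reduced to the one whose denial is actually observed.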
@@ -13306,21 +13540,20 @@ index 99b71cb..67c5d0f 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,7 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +300,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) -- +portcon tcp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) +portcon tcp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) +portcon tcp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) +portcon udp 1024-32767 gen_context(system_u:object_r:unreserved_port_t, s0) +portcon udp 32768-61000 gen_context(system_u:object_r:ephemeral_port_t, s0) +portcon udp 61001-65535 gen_context(system_u:object_r:unreserved_port_t, s0) + ######################################## # - # Network nodes -@@ -282,9 +349,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +350,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -17099,7 +17332,7 @@ index 22821ff..20251b0 100644 ######################################## # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 97fcdac..5923a0a 100644 +index 97fcdac..a75dbe4 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
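Review bot: The `portcon` defaults in this hunk are unchanged context (the hunk only corrects the inner `@@` counts), but the 32768-61000 `ephemeral_port_t` band is hard-coded with no comment that it mirrors the kernel's default `net.ipv4.ip_local_port_range`. On a host where that sysctl is widened, the extra ports the kernel hands out as ephemeral fall under `unreserved_port_t` instead, so rules written against `ephemeral_port_t` silently stop matching them. A comment above the block, e.g. `# 32768-61000 mirrors the kernel default net.ipv4.ip_local_port_range; revisit if the sysctl is changed`, would make the coupling visible to administrators.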
@@ -17345,7 +17578,32 @@ index 97fcdac..5923a0a 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -2148,6 +2290,7 @@ interface(`fs_list_inotifyfs',` +@@ -2080,6 +2222,24 @@ interface(`fs_manage_hugetlbfs_dirs',` + + ######################################## + ## ++## Read hugetlbfs files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_read_hugetlbfs_files',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ read_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ ++######################################## ++## + ## Read and write hugetlbfs files. + ## + ## +@@ -2148,6 +2308,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -17353,7 +17611,7 @@ index 97fcdac..5923a0a 100644 ') ######################################## -@@ -2480,6 +2623,7 @@ interface(`fs_read_nfs_files',` +@@ -2480,6 +2641,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') @@ -17361,7 +17619,7 @@ index 97fcdac..5923a0a 100644 allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') -@@ -2518,6 +2662,7 @@ interface(`fs_write_nfs_files',` +@@ -2518,6 +2680,7 @@ interface(`fs_write_nfs_files',` type nfs_t; ') @@ -17369,7 +17627,7 @@ index 97fcdac..5923a0a 100644 allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') -@@ -2544,6 +2689,25 @@ interface(`fs_exec_nfs_files',` +@@ -2544,6 +2707,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -17395,7 +17653,7 @@ index 97fcdac..5923a0a 100644 ## Append files ## on a NFS filesystem. ## -@@ -2584,6 +2748,42 @@ interface(`fs_dontaudit_append_nfs_files',` +@@ -2584,6 +2766,42 @@ interface(`fs_dontaudit_append_nfs_files',` ######################################## ## 
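Review bot: The new `fs_read_hugetlbfs_files` interface is added without any comment on why its callers need it; the callers in this commit are `fs_read_hugetlbfs_files(staff_usertype)` in staff.te and `fs_read_hugetlbfs_files(user_usertype)` in unprivuser.te, which grant every staff and unprivileged user domain read access to all `hugetlbfs_t` files. hugetlbfs files are commonly the backing store for large shared-memory mappings of other processes, so a one-line rationale at the call sites, e.g. `# <CONSUMER-APPLICATION> reads its huge-page backing files — TODO confirm`, would help anyone later auditing why unprivileged users hold this access. The interface body itself, `read_files_pattern($1, hugetlbfs_t, hugetlbfs_t)`, follows the neighbouring fs_*_hugetlbfs_* interfaces.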
@@ -17438,7 +17696,7 @@ index 97fcdac..5923a0a 100644 ## Do not audit attempts to read or ## write files on a NFS filesystem. ## -@@ -2598,7 +2798,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2598,7 +2816,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') @@ -17447,7 +17705,7 @@ index 97fcdac..5923a0a 100644 ') ######################################## -@@ -2736,7 +2936,7 @@ interface(`fs_search_removable',` +@@ -2736,7 +2954,7 @@ interface(`fs_search_removable',` ## ## ## @@ -17456,7 +17714,7 @@ index 97fcdac..5923a0a 100644 ## ## # -@@ -2772,7 +2972,7 @@ interface(`fs_read_removable_files',` +@@ -2772,7 +2990,7 @@ interface(`fs_read_removable_files',` ##
## ## @@ -17465,7 +17723,7 @@ index 97fcdac..5923a0a 100644 ## ## # -@@ -2965,6 +3165,7 @@ interface(`fs_manage_nfs_dirs',` +@@ -2965,6 +3183,7 @@ interface(`fs_manage_nfs_dirs',` type nfs_t; ') @@ -17473,7 +17731,7 @@ index 97fcdac..5923a0a 100644 allow $1 nfs_t:dir manage_dir_perms; ') -@@ -3005,6 +3206,7 @@ interface(`fs_manage_nfs_files',` +@@ -3005,6 +3224,7 @@ interface(`fs_manage_nfs_files',` type nfs_t; ') @@ -17481,7 +17739,7 @@ index 97fcdac..5923a0a 100644 manage_files_pattern($1, nfs_t, nfs_t) ') -@@ -3045,6 +3247,7 @@ interface(`fs_manage_nfs_symlinks',` +@@ -3045,6 +3265,7 @@ interface(`fs_manage_nfs_symlinks',` type nfs_t; ') @@ -17489,7 +17747,7 @@ index 97fcdac..5923a0a 100644 manage_lnk_files_pattern($1, nfs_t, nfs_t) ') -@@ -3958,6 +4161,42 @@ interface(`fs_dontaudit_list_tmpfs',` +@@ -3958,6 +4179,42 @@ interface(`fs_dontaudit_list_tmpfs',` ######################################## ## @@ -17532,7 +17790,7 @@ index 97fcdac..5923a0a 100644 ## Create, read, write, and delete ## tmpfs directories ## -@@ -4175,6 +4414,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -4175,6 +4432,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -17557,7 +17815,7 @@ index 97fcdac..5923a0a 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4457,6 +4714,8 @@ interface(`fs_mount_all_fs',` +@@ -4457,6 +4732,8 @@ interface(`fs_mount_all_fs',` ') allow $1 filesystem_type:filesystem mount; @@ -17566,7 +17824,7 @@ index 97fcdac..5923a0a 100644 ') ######################################## -@@ -4503,7 +4762,7 @@ interface(`fs_unmount_all_fs',` +@@ -4503,7 +4780,7 @@ interface(`fs_unmount_all_fs',` ## ##

## Allow the specified domain to @@ -17575,7 +17833,7 @@ index 97fcdac..5923a0a 100644 ## Example attributes: ##

##
    -@@ -4866,3 +5125,24 @@ interface(`fs_unconfined',` +@@ -4866,3 +5143,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -19715,10 +19973,10 @@ index be4de58..7e8b6ec 100644 init_exec(secadm_t) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..31a210f 100644 +index 2be17d2..bfabe3f 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te -@@ -8,12 +8,53 @@ policy_module(staff, 2.2.0) +@@ -8,12 +8,55 @@ policy_module(staff, 2.2.0) role staff_r; userdom_unpriv_user_template(staff) @@ -19738,6 +19996,8 @@ index 2be17d2..31a210f 100644 +kernel_read_software_raid_state(staff_usertype) +kernel_read_fs_sysctls(staff_usertype) + ++fs_read_hugetlbfs_files(staff_usertype) ++ +dev_read_cpuid(staff_usertype) + +domain_read_all_domains_state(staff_usertype) @@ -19772,7 +20032,7 @@ index 2be17d2..31a210f 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,19 +68,113 @@ optional_policy(` +@@ -27,19 +70,113 @@ optional_policy(` ') optional_policy(` @@ -19888,7 +20148,7 @@ index 2be17d2..31a210f 100644 ') optional_policy(` -@@ -48,10 +183,48 @@ optional_policy(` +@@ -48,10 +185,48 @@ optional_policy(` ') optional_policy(` @@ -19937,7 +20197,7 @@ index 2be17d2..31a210f 100644 xserver_role(staff_r, staff_t) ') -@@ -89,18 +262,10 @@ ifndef(`distro_redhat',` +@@ -89,18 +264,10 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19956,7 +20216,7 @@ index 2be17d2..31a210f 100644 java_role(staff_r, staff_t) ') -@@ -121,10 +286,6 @@ ifndef(`distro_redhat',` +@@ -121,10 +288,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19967,7 +20227,7 @@ index 2be17d2..31a210f 100644 pyzor_role(staff_r, staff_t) ') -@@ -137,10 +298,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +300,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -19978,7 +20238,7 @@ index 2be17d2..31a210f 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +329,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +331,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -19987,7 +20247,7 @@ index 2be17d2..31a210f 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index e14b961..c464d3b 100644 +index e14b961..7cd6d4f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,51 @@ ifndef(`enable_mls',` @@ -20072,7 +20332,7 @@ index e14b961..c464d3b 100644 certwatch_run(sysadm_t, sysadm_r) ') -@@ -110,11 +146,15 @@ optional_policy(` +@@ -110,11 +146,19 @@ optional_policy(` ') optional_policy(` @@ -20086,21 +20346,25 @@ index e14b961..c464d3b 100644 optional_policy(` - cvs_exec(sysadm_t) + daemonstools_run_start(sysadm_t, sysadm_r) ++') ++ ++optional_policy(` ++ dbus_role_template(sysadm, sysadm_r, sysadm_t) ') optional_policy(` -@@ -124,6 +164,10 @@ optional_policy(` +@@ -128,6 +172,10 @@ optional_policy(` ') optional_policy(` -+ dbus_role_template(sysadm, sysadm_r, sysadm_t) ++ devicekit_filetrans_named_content(sysadm_t) +') + +optional_policy(` - ddcprobe_run(sysadm_t, sysadm_r) + dmesg_exec(sysadm_t) ') -@@ -163,6 +207,13 @@ optional_policy(` +@@ -163,6 +211,13 @@ optional_policy(` ipsec_stream_connect(sysadm_t) # for lsof ipsec_getattr_key_sockets(sysadm_t) @@ -20114,7 +20378,7 @@ index e14b961..c464d3b 100644 ') optional_policy(` -@@ -170,15 +221,20 @@ optional_policy(` +@@ -170,15 +225,20 @@ optional_policy(` ') optional_policy(` 
@@ -20126,19 +20390,19 @@ index e14b961..c464d3b 100644 - libs_run_ldconfig(sysadm_t, sysadm_r) + kerberos_exec_kadmind(sysadm_t) + kerberos_filetrans_named_content(sysadm_t) ++') ++ ++optional_policy(` ++ kudzu_run(sysadm_t, sysadm_r) ') optional_policy(` - lockdev_role(sysadm_r, sysadm_t) -+ kudzu_run(sysadm_t, sysadm_r) -+') -+ -+optional_policy(` + libs_run_ldconfig(sysadm_t, sysadm_r) ') optional_policy(` -@@ -198,22 +254,19 @@ optional_policy(` +@@ -198,22 +258,19 @@ optional_policy(` modutils_run_depmod(sysadm_t, sysadm_r) modutils_run_insmod(sysadm_t, sysadm_r) modutils_run_update_mods(sysadm_t, sysadm_r) @@ -20166,7 +20430,7 @@ index e14b961..c464d3b 100644 ') optional_policy(` -@@ -225,25 +278,47 @@ optional_policy(` +@@ -225,25 +282,47 @@ optional_policy(` ') optional_policy(` @@ -20214,7 +20478,7 @@ index e14b961..c464d3b 100644 portage_run(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -@@ -253,19 +328,19 @@ optional_policy(` +@@ -253,19 +332,19 @@ optional_policy(` ') optional_policy(` @@ -20238,7 +20502,7 @@ index e14b961..c464d3b 100644 ') optional_policy(` -@@ -274,10 +349,7 @@ optional_policy(` +@@ -274,10 +353,7 @@ optional_policy(` optional_policy(` rpm_run(sysadm_t, sysadm_r) @@ -20250,7 +20514,7 @@ index e14b961..c464d3b 100644 ') optional_policy(` -@@ -302,12 +374,18 @@ optional_policy(` +@@ -302,12 +378,18 @@ optional_policy(` ') optional_policy(` @@ -20270,7 +20534,7 @@ index e14b961..c464d3b 100644 ') optional_policy(` -@@ -332,7 +410,10 @@ optional_policy(` +@@ -332,7 +414,10 @@ optional_policy(` ') optional_policy(` @@ -20282,7 +20546,7 @@ index e14b961..c464d3b 100644 ') optional_policy(` -@@ -343,19 +424,15 @@ optional_policy(` +@@ -343,19 +428,15 @@ optional_policy(` ') optional_policy(` @@ -20304,7 +20568,7 @@ index e14b961..c464d3b 100644 ') optional_policy(` -@@ -367,45 +444,45 @@ optional_policy(` +@@ -367,45 +448,45 @@ optional_policy(` ') optional_policy(` 
@@ -20361,7 +20625,7 @@ index e14b961..c464d3b 100644 auth_role(sysadm_r, sysadm_t) ') -@@ -418,10 +495,6 @@ ifndef(`distro_redhat',` +@@ -418,10 +499,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20372,7 +20636,7 @@ index e14b961..c464d3b 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) ') -@@ -439,6 +512,7 @@ ifndef(`distro_redhat',` +@@ -439,6 +516,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role(sysadm_r, sysadm_t) @@ -20380,7 +20644,7 @@ index e14b961..c464d3b 100644 ') optional_policy(` -@@ -446,11 +520,66 @@ ifndef(`distro_redhat',` +@@ -446,11 +524,66 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -20395,9 +20659,8 @@ index e14b961..c464d3b 100644 + + optional_policy(` + mock_admin(sysadm_t) - ') --') - ++ ') ++ + optional_policy(` + mozilla_role(sysadm_r, sysadm_t) + ') @@ -20444,8 +20707,9 @@ index e14b961..c464d3b 100644 + + optional_policy(` + wireshark_role(sysadm_r, sysadm_t) -+ ') -+ + ') +-') + + optional_policy(` + xserver_role(sysadm_r, sysadm_t) + ') @@ -21159,10 +21423,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..1105ff5 +index 0000000..fcc8949 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,502 @@ +@@ -0,0 +1,503 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -21334,6 +21598,7 @@ index 0000000..1105ff5 + devicekit_dbus_chat(unconfined_usertype) + devicekit_dbus_chat_disk(unconfined_usertype) + devicekit_dbus_chat_power(unconfined_usertype) ++ devicekit_filetrans_named_content(unconfined_usertype) + ') + + optional_policy(` @@ -21666,14 +21931,15 @@ index 0000000..1105ff5 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..476f1dc 100644 +index e5bfdd4..e5a8559 100644 
--- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,92 @@ role user_r; +@@ -12,15 +12,93 @@ role user_r; userdom_unpriv_user_template(user) +fs_exec_noxattr(user_t) ++fs_read_hugetlbfs_files(user_usertype) + +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) @@ -21762,7 +22028,7 @@ index e5bfdd4..476f1dc 100644 vlock_run(user_t, user_r) ') -@@ -62,19 +139,11 @@ ifndef(`distro_redhat',` +@@ -62,19 +140,11 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21783,7 +22049,7 @@ index e5bfdd4..476f1dc 100644 ') optional_policy(` -@@ -98,10 +167,6 @@ ifndef(`distro_redhat',` +@@ -98,10 +168,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21794,7 +22060,7 @@ index e5bfdd4..476f1dc 100644 postgresql_role(user_r, user_t) ') -@@ -118,11 +183,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +184,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -21807,7 +22073,7 @@ index e5bfdd4..476f1dc 100644 ') optional_policy(` -@@ -157,3 +218,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +219,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -28858,7 +29124,7 @@ index 0000000..1783fe6 +') + diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te -index 74505cc..810b790 100644 +index 74505cc..6ff206b 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -23,6 +23,7 @@ files_type(colord_var_lib_t) @@ -28879,8 +29145,8 @@ index 74505cc..810b790 100644 kernel_read_device_sysctls(colord_t) +kernel_request_load_module(colord_t) + -+#reads *.ini files -+corecmd_read_bin_files(colord_t) ++# reads *.ini files ++corecmd_exec_bin(colord_t) corenet_all_recvfrom_unlabeled(colord_t) corenet_all_recvfrom_netlabel(colord_t) @@ -29457,7 +29723,7 @@ index 13d2f63..861fad7 100644 ') diff --git a/policy/modules/services/cron.fc b/policy/modules/services/cron.fc -index 2eefc08..b0cdf28 100644 +index 2eefc08..6ea5693 100644 --- a/policy/modules/services/cron.fc 
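Review bot: In the colord.te hunk the rule changes from `corecmd_read_bin_files(colord_t)` to `corecmd_exec_bin(colord_t)` but the comment above it is still `# reads *.ini files`, which no longer describes what the rule allows. The commit message gives the actual reason ("Colord executes ls"), so the comment should say so, e.g. `# executes ls and reads *.ini files from bin directories`. `corecmd_exec_bin` covers every `bin_t` executable rather than one program, which is the usual refpolicy granularity but worth stating in the comment so the scope is clearly deliberate.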
+++ b/policy/modules/services/cron.fc @@ -2,6 +2,7 @@ @@ -29468,7 +29734,7 @@ index 2eefc08..b0cdf28 100644 /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) -@@ -14,9 +15,10 @@ +@@ -14,14 +15,15 @@ /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) /var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) @@ -29480,6 +29746,12 @@ index 2eefc08..b0cdf28 100644 /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) + +-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0) ++/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0) + #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) + /var/spool/cron/[^/]* -- <> + @@ -45,3 +47,5 @@ ifdef(`distro_suse', ` /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) @@ -31287,7 +31559,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 1a1becd..d4357ec 100644 +index 1a1becd..0ca1861 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -31406,7 +31678,7 @@ index 1a1becd..d4357ec 100644 - - seutil_read_config($1_dbusd_t) - seutil_read_default_contexts($1_dbusd_t) -- + - term_use_all_terms($1_dbusd_t) - - userdom_read_user_home_content_files($1_dbusd_t) 
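Review bot: `/var/spool/cron -d` is relabelled from `cron_spool_t` to `user_cron_spool_t`, while `/var/spool/cron/[^/]*` keeps its `<<none>>` entry (rendered garbled as `<>` here) and the `sysadm_cron_spool_t` line for `/var/spool/cron/root` stays commented out. If this leaves `cron_spool_t` with no file-context entry, any rules on `cron_spool_t` in cron.te (not visible in this chunk) become dead and should be removed or retargeted to `user_cron_spool_t`. Existing installations only pick this up after a relabel of `/var/spool/cron`; please confirm the package upgrade path triggers one.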
@@ -31418,7 +31690,7 @@ index 1a1becd..d4357ec 100644 - optional_policy(` - hal_dbus_chat($1_dbusd_t) - ') - +- - optional_policy(` - xserver_use_xdm_fds($1_dbusd_t) - xserver_rw_xdm_pipes($1_dbusd_t) @@ -31578,7 +31850,7 @@ index 1a1becd..d4357ec 100644 ##
## ## -@@ -491,10 +433,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +@@ -491,10 +433,31 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ## ## # @@ -31592,8 +31864,27 @@ index 1a1becd..d4357ec 100644 - typeattribute $1 dbusd_unconfined; + files_search_pids($1) + delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) - ') ++') + ++######################################## ++## ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dbus_dontaudit_stream_connect_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ ') ++ ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; + ') diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 1bff6ee..9540fee 100644 --- a/policy/modules/services/dbus.te @@ -32096,7 +32387,7 @@ index 418a5a0..c25fbdc 100644 /var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) /var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if -index f706b99..13d3a35 100644 +index f706b99..afb61c9 100644 --- a/policy/modules/services/devicekit.if +++ b/policy/modules/services/devicekit.if @@ -5,9 +5,9 @@ @@ -32305,7 +32596,7 @@ index f706b99..13d3a35 100644 ## ## ## -@@ -165,21 +308,21 @@ interface(`devicekit_admin',` +@@ -165,21 +308,39 @@ interface(`devicekit_admin',` type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t; ') 
@@ -32332,6 +32623,24 @@ index f706b99..13d3a35 100644 admin_pattern($1, devicekit_var_run_t) - files_search_pids($1) + files_list_pids($1) ++') ++ ++######################################## ++## ++## Transition to devicekit named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`devicekit_filetrans_named_content',` ++ gen_require(` ++ type devicekit_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils") ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index f231f17..c5244c8 100644 @@ -34780,7 +35089,7 @@ index 6bef7f8..885cd43 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..05784e2 100644 +index f28f64b..9d0a5db 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) @@ -34851,7 +35160,18 @@ index f28f64b..05784e2 100644 files_read_etc_files(exim_t) files_read_etc_runtime_files(exim_t) files_getattr_all_mountpoints(exim_t) -@@ -171,6 +175,10 @@ optional_policy(` +@@ -162,6 +166,10 @@ optional_policy(` + ') + + optional_policy(` ++ dovecot_stream_connect(exim_t) ++') ++ ++optional_policy(` + kerberos_keytab_template(exim, exim_t) + ') + +@@ -171,6 +179,10 @@ optional_policy(` ') optional_policy(` @@ -34862,7 +35182,7 @@ index f28f64b..05784e2 100644 tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') -@@ -184,6 +192,7 @@ optional_policy(` +@@ -184,6 +196,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -41747,7 +42067,7 @@ index 3368699..7a7fc02 100644 # interface(`modemmanager_domtrans',` diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te -index b3ace16..812a9ff 100644 +index b3ace16..6c9f30c 100644 --- a/policy/modules/services/modemmanager.te +++ b/policy/modules/services/modemmanager.te 
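Review bot: `dovecot_stream_connect(exim_t)` is added unconditionally inside `optional_policy`, with no comment recording that it is for Dovecot SASL authentication (only the commit message says so). The comparable backend connection in this file is gated by a tunable — `exim_can_connect_db` around `mysql_stream_connect(exim_t)` is visible as context in the following hunk — so either a comment such as `# dovecot SASL authentication socket` or a tunable in the same style would keep the file consistent. The enclosing `optional_policy` blocks are complete within the hunk.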
@@ -16,7 +16,8 @@ typealias modemmanager_exec_t alias ModemManager_exec_t; @@ -41760,12 +42080,14 @@ index b3ace16..812a9ff 100644 allow modemmanager_t self:fifo_file rw_file_perms; allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; -@@ -28,13 +29,24 @@ dev_rw_modem(modemmanager_t) +@@ -28,13 +29,25 @@ dev_rw_modem(modemmanager_t) files_read_etc_files(modemmanager_t) +-term_use_unallocated_ttys(modemmanager_t) +term_use_generic_ptys(modemmanager_t) - term_use_unallocated_ttys(modemmanager_t) ++term_use_unallocated_ttys(modemmanager_t) # this should be reproduced, might have been mislabelled usbtty_device_t ++term_use_usb_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) @@ -47480,7 +47802,7 @@ index 46bee12..c22af86 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index a32c4b3..ef34196 100644 +index a32c4b3..318ef45 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1) @@ -47622,7 +47944,7 @@ index a32c4b3..ef34196 100644 +manage_files_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) +manage_dirs_pattern(postfix_bounce_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; ++allow postfix_bounce_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms; + manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) @@ -53210,7 +53532,7 @@ index a07b2f4..ee39810 100644 + +userdom_getattr_user_terminals(rwho_t) diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc -index 69a6074..c79b415 100644 +index 69a6074..596dbb3 100644 
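Review bot: `term_use_unallocated_ttys(modemmanager_t)` is re-added with the trailing comment `# this should be reproduced, might have been mislabelled usbtty_device_t`, and `term_use_usb_ttys(modemmanager_t)` is added on the same hypothesis. Keeping the broad unallocated-tty access alongside the narrower usb-tty rule means the narrowing has no effect if the mislabelling theory is right; the uncertainty belongs in a `# TODO:` on its own line above the rule (refpolicy places comments above rules, not trailing) noting that `term_use_unallocated_ttys` should be dropped once the device label is confirmed. The hunk is complete, but the surrounding modemmanager_t rules continue outside it.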
--- a/policy/modules/services/samba.fc +++ b/policy/modules/services/samba.fc @@ -11,6 +11,8 @@ @@ -53222,7 +53544,16 @@ index 69a6074..c79b415 100644 # # /usr # -@@ -51,3 +53,7 @@ +@@ -36,6 +38,8 @@ + + /var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0) + ++/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0) ++ + /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) + /var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) +@@ -51,3 +55,7 @@ /var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0) /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0) @@ -55865,7 +56196,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..040ec9b 100644 +index 22adaca..8e3e9de 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -56065,7 +56396,7 @@ index 22adaca..040ec9b 100644 type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; -@@ -327,17 +367,19 @@ template(`ssh_role_template',` +@@ -327,17 +367,20 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -56076,6 +56407,7 @@ index 22adaca..040ec9b 100644 allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; ++ allow $3 ssh_t:key read; # user can manage the keys and config manage_files_pattern($3, ssh_home_t, ssh_home_t) 
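Review bot: `allow $3 ssh_t:key read;` lets the user domain read kernel keyring keys labelled `ssh_t` but carries no comment, while the neighbouring `allow ssh_t $3:key manage_key_perms;` already covers the ssh client operating on the user's own keys; the reverse direction is a distinct grant that a reader cannot explain from the template alone. A short comment naming the scenario, e.g. `# user shell reads keys left on the inherited session keyring by ssh_t — TODO confirm`, would record it until the exact trigger is verified. The `ssh_role_template` body starts and ends outside the hunk.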
@@ -56086,7 +56418,7 @@ index 22adaca..040ec9b 100644 ############################## # -@@ -359,7 +401,7 @@ template(`ssh_role_template',` +@@ -359,7 +402,7 @@ template(`ssh_role_template',` stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. @@ -56095,7 +56427,7 @@ index 22adaca..040ec9b 100644 # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -381,7 +423,6 @@ template(`ssh_role_template',` +@@ -381,7 +424,6 @@ template(`ssh_role_template',` files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) @@ -56103,7 +56435,7 @@ index 22adaca..040ec9b 100644 libs_read_lib_files($1_ssh_agent_t) -@@ -393,14 +434,13 @@ template(`ssh_role_template',` +@@ -393,14 +435,13 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. @@ -56121,7 +56453,7 @@ index 22adaca..040ec9b 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_ssh_agent_t) -@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',` +@@ -477,8 +518,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -56150,7 +56482,7 @@ index 22adaca..040ec9b 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +554,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -56159,7 +56491,7 @@ index 22adaca..040ec9b 100644 ') ######################################## -@@ -586,6 +645,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +646,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -56184,7 +56516,7 @@ index 22adaca..040ec9b 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +696,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') 
@@ -56193,7 +56525,7 @@ index 22adaca..040ec9b 100644 files_search_pids($1) ') -@@ -680,6 +757,32 @@ interface(`ssh_domtrans_keygen',` +@@ -680,6 +758,32 @@ interface(`ssh_domtrans_keygen',` domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t) ') @@ -56226,7 +56558,7 @@ index 22adaca..040ec9b 100644 ######################################## ## ## Read ssh server keys -@@ -695,7 +798,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +799,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -56235,7 +56567,7 @@ index 22adaca..040ec9b 100644 ') ###################################### -@@ -735,3 +838,81 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +839,81 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -58288,7 +58620,7 @@ index 32a3c13..7baeb6f 100644 optional_policy(` diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc -index 2124b6a..49d35d3 100644 +index 2124b6a..c60a0e7 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -1,5 +1,6 @@ @@ -58300,7 +58632,7 @@ index 2124b6a..49d35d3 100644 HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) /etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0) -@@ -12,18 +13,30 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t +@@ -12,18 +13,34 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) 
@@ -58321,11 +58653,14 @@ index 2124b6a..49d35d3 100644 -/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) ++/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) ++/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) +/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0) ++/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + @@ -58334,6 +58669,7 @@ index 2124b6a..49d35d3 100644 +/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if index 7c5d8d8..d711fd5 100644 --- a/policy/modules/services/virt.if @@ -58880,7 +59216,7 @@ index 7c5d8d8..d711fd5 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3eca020..8ae6778 100644 +index 3eca020..52df08a 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -5,56 +5,74 @@ policy_module(virt, 1.4.0) 
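Review bot: `+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)` looks like a stray path: the commit message talks about vdsm directories and the very next added line is `/var/log/vdsm(/.*)?`, so `/var/log/log` is probably a typo rather than a real directory. If it is intentional it deserves a comment; otherwise it should be dropped, since it would silently label anything that later appears under `/var/log/log` as virt_log_t. The following hunk in the same file also labels `/var/lib/vdsm(/.*)?` as virt_content_t, the type this file otherwise uses for image content (HOME_DIR/VirtualMachines/isos, /var/lib/oz/isos), while `/var/lib/oz` itself gets virt_var_lib_t — worth confirming that virt_content_t, and not virt_var_lib_t, is the intended type for vdsm's state directory.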
@@ -59408,12 +59744,12 @@ index 3eca020..8ae6778 100644 +fs_rw_inherited_nfs_files(virt_domain) +fs_rw_inherited_cifs_files(virt_domain) +fs_rw_inherited_noxattr_fs_files(virt_domain) - --term_use_all_terms(virt_domain) ++ +# I think we need these for now. +miscfiles_read_public_files(virt_domain) +storage_raw_read_removable_device(virt_domain) -+ + +-term_use_all_terms(virt_domain) +term_use_all_inherited_terms(virt_domain) term_getattr_pty_fs(virt_domain) term_use_generic_ptys(virt_domain) @@ -59424,7 +59760,7 @@ index 3eca020..8ae6778 100644 logging_send_syslog_msg(virt_domain) miscfiles_read_localization(virt_domain) -@@ -457,8 +635,315 @@ optional_policy(` +@@ -457,8 +635,319 @@ optional_policy(` ') optional_policy(` @@ -59504,6 +59840,7 @@ index 3eca020..8ae6778 100644 +optional_policy(` + xen_manage_image_dirs(virsh_t) + xen_append_log(virsh_t) ++ xen_domtrans(virsh_t) + xen_stream_connect(virsh_t) + xen_stream_connect_xenstore(virsh_t) +') @@ -59567,6 +59904,13 @@ index 3eca020..8ae6778 100644 +manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir }) + ++manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++ +kernel_read_network_state(virtd_lxc_t) +kernel_search_network_sysctl(virtd_lxc_t) +kernel_read_sysctl(virtd_lxc_t) 
@@ -59635,17 +59979,13 @@ index 3eca020..8ae6778 100644 +allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +dontaudit svirt_lxc_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + -+manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -+ +manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) ++rw_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) ++rw_blk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +can_exec(svirt_lxc_domain, svirt_lxc_file_t) + +kernel_getattr_proc(svirt_lxc_domain) @@ -71587,7 +71927,7 @@ index 025348a..c15e57c 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..2627fa4 100644 +index d88f7c3..e5fef27 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -71666,7 +72006,7 @@ index d88f7c3..2627fa4 100644 dev_rw_generic_files(udev_t) dev_delete_generic_files(udev_t) dev_search_usbfs(udev_t) -@@ -105,21 +111,29 @@ dev_relabel_all_dev_nodes(udev_t) +@@ -105,21 +111,30 @@ dev_relabel_all_dev_nodes(udev_t) # preserved, instead of short circuiting the relabel dev_relabel_generic_symlinks(udev_t) dev_manage_generic_symlinks(udev_t) 
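Review bot: `rw_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)` is redundant — the virtd_lxc_t block that this hunk removes is re-added in the earlier hunk `@@ -59567,6 +59904,13 @@` with a new `manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)` line, which already covers read/write on those character files. Only `rw_blk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)` adds anything, and both virtd_lxc_t lines sit in the middle of the svirt_lxc_domain rules, where a reader auditing the container domain's permissions will take them for container rules; move the block-file rule up next to the other virtd_lxc_t rules and drop the chr one. Manage (create/delete/setattr) on chr_file objects under the container's file label is broader than rw, so if creating device nodes for the container is the intent a short comment on that line in the earlier hunk would make the privilege explicit. The enclosing virtd_lxc_t / svirt_lxc_domain sections continue outside this hunk.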
@@ -71678,6 +72018,7 @@ index d88f7c3..2627fa4 100644 files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) -files_read_etc_files(udev_t) ++files_read_kernel_modules(udev_t) +files_read_system_conf_files(udev_t) + +# console_init manages files in /etc/sysconfig @@ -71697,7 +72038,7 @@ index d88f7c3..2627fa4 100644 mcs_ptrace_all(udev_t) -@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t) +@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t) init_read_utmp(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) @@ -71705,7 +72046,7 @@ index d88f7c3..2627fa4 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t) +@@ -169,6 +185,8 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) @@ -71714,7 +72055,7 @@ index d88f7c3..2627fa4 100644 userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_gentoo',` -@@ -186,8 +203,9 @@ ifdef(`distro_redhat',` +@@ -186,8 +204,9 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) @@ -71725,7 +72066,7 @@ index d88f7c3..2627fa4 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -216,11 +234,16 @@ optional_policy(` +@@ -216,11 +235,16 @@ optional_policy(` ') optional_policy(` @@ -71743,7 +72084,7 @@ index d88f7c3..2627fa4 100644 ') optional_policy(` -@@ -230,10 +253,20 @@ optional_policy(` +@@ -230,10 +254,20 @@ optional_policy(` optional_policy(` devicekit_read_pid_files(udev_t) devicekit_dgram_send(udev_t) @@ -71764,7 +72105,7 @@ index d88f7c3..2627fa4 100644 ') optional_policy(` -@@ -259,6 +292,10 @@ optional_policy(` +@@ -259,6 +293,10 @@ optional_policy(` ') optional_policy(` @@ -71775,7 +72116,7 @@ index d88f7c3..2627fa4 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +310,11 @@ optional_policy(` +@@ -273,6 +311,11 @@ optional_policy(` ') optional_policy(` 
@@ -71808,7 +72149,7 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..683497a 100644 +index 416e668..46f9aaf 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,27 +12,29 @@ @@ -71881,10 +72222,21 @@ index 416e668..683497a 100644 unconfined_domain_noaudit($1) tunable_policy(`allow_execheap',` -@@ -178,412 +192,3 @@ interface(`unconfined_alias_domain',` - interface(`unconfined_execmem_alias_program',` - refpolicywarn(`$0($1) has been deprecated.') +@@ -150,7 +164,7 @@ interface(`unconfined_domain',` + ## + # + interface(`unconfined_alias_domain',` +- refpolicywarn(`$0($1) has been deprecated.') ++ refpolicywarn(`$0() has been deprecated.') ') + + ######################################## +@@ -176,414 +190,5 @@ interface(`unconfined_alias_domain',` + ## + # + interface(`unconfined_execmem_alias_program',` +- refpolicywarn(`$0($1) has been deprecated.') +-') - -######################################## -## @@ -72293,7 +72645,8 @@ index 416e668..683497a 100644 - ') - - allow $1 unconfined_t:dbus acquire_svc; --') ++ refpolicywarn(`$0() has been deprecated.') + ') diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index eae5001..71e46b2 100644 --- a/policy/modules/system/unconfined.te @@ -75995,7 +76348,7 @@ index 4b2878a..e7a65ae 100644 + allow $1 unpriv_userdomain:sem rw_sem_perms; +') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index 9b4a930..5cd0c45 100644 +index 9b4a930..04d748b 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2) 
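Review bot: changing `refpolicywarn(`$0($1) has been deprecated.')` to `refpolicywarn(`$0() has been deprecated.')` in unconfined_alias_domain (and again for unconfined_execmem_alias_program in the next hunk) drops the caller's argument from the build-time warning, so the message no longer says which domain still calls the deprecated interface. If the point is to avoid m4 expansion problems when `$1` contains a quoted or comma-separated value, a comment such as `# $1 omitted: its expansion can break the m4 quoting` on the line would make the intent clear; otherwise keeping `$1` preserves the diagnostic. The deleted body of the old interface in the second hunk is history and needs no change.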
@@ -76048,7 +76401,7 @@ index 9b4a930..5cd0c45 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,74 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +98,78 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -76123,6 +76476,10 @@ index 9b4a930..5cd0c45 100644 +') + +optional_policy(` ++ telepathy_filetrans_home_content(userdomain) ++') ++ ++optional_policy(` + xserver_filetrans_home_content(userdomain) +') diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index d5c1773..2a0d606 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 35%{?dist} +Release: 36%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Oct 3 2011 Miroslav Grepl 3.10.0-36 +- Allow logrotate setuid and setgid since logrotate is supposed to do it +- Fixes for thumb policy by grift +- Add new nfsd ports +- Added fix to allow confined apps to execmod on chrome +- Add labeling for additional vdsm directories +- Allow Exim and Dovecot SASL +- Add label for /var/run/nmbd +- Add fixes to make virsh and xen working together +- Colord executes ls +- /var/spool/cron is now labeled as user_cron_spool_t + * Thu Sep 29 2011 Miroslav Grepl 3.10.0-35 - Stop complaining about leaked file descriptors during install