diff --git a/docker-selinux.tgz b/docker-selinux.tgz index fa8a506..dbf6054 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-f24-base.patch b/policy-f24-base.patch index 22d93ea..518c238 100644 --- a/policy-f24-base.patch +++ b/policy-f24-base.patch @@ -5813,7 +5813,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index b191055..6c3e760 100644 +index b191055..25a5cfe 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2) @@ -5950,7 +5950,7 @@ index b191055..6c3e760 100644 network_port(distccd, tcp,3632,s0) -network_port(dns, tcp,53,s0, udp,53,s0) +network_port(dogtag, tcp,7390,s0) -+network_port(dns, udp,53,s0, tcp,53,s0) ++network_port(dns, udp,53,s0, tcp,53,s0, tcp,853,s0, udp,853,s0) +network_port(dnssec, tcp,8955,s0) +network_port(echo, tcp,7,s0, udp,7,s0) network_port(efs, tcp,520,s0) @@ -6463,7 +6463,7 @@ index b31c054..891ace5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..0aef35e 100644 +index 76f285e..4e020f3 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -6964,7 +6964,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2043,7 +2285,137 @@ interface(`dev_getattr_framebuffer_dev',` +@@ -2043,7 +2285,180 @@ interface(`dev_getattr_framebuffer_dev',` ## ## # 
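Review bot: The new `++network_port(dns, udp,53,s0, tcp,53,s0, tcp,853,s0, udp,853,s0)` line labels port 853 as dns_port_t, which silently widens every existing `corenet_*_dns_port` rule (bind, connect, name_connect) to the DNS-over-TLS port, so any domain that was allowed plaintext DNS may now also bind or connect there; the hunk only shows the port declaration, not which domains gain that access. That is presumably intended for a resolver that speaks DoT, but it should be stated in the commit description, and if only the resolver should be able to bind 853 while clients merely connect, a separate type such as `network_port(dns_tls, tcp,853,s0, udp,853,s0)` with its own interfaces would keep that distinction. udp/853 should also be confirmed as actually needed, since it is registered for DNS-over-DTLS rather than DoT; if nothing here uses it, leave it out so the udp bind surface does not grow for free. The surrounding `network_port` run continues outside this hunk.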
@@ -6997,6 +6997,49 @@ index 76f285e..0aef35e 100644 + +######################################## +## ++## Manage ipmi devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_ipmi_dev',` ++ gen_require(` ++ type device_t, ipmi_device_t; ++ ') ++ ++ manage_chr_files_pattern($1, device_t, ipmi_device_t) ++') ++ ++######################################## ++## ++## Automatic type transition to the type ++## for PCMCIA card manager device nodes when ++## created in /dev. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`dev_filetrans_ipmi',` ++ gen_require(` ++ type device_t, ipmi_device_t; ++ ') ++ ++ filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2) ++') ++ ++######################################## ++## +## Read infiniband devices. +## +## @@ -7103,7 +7146,7 @@ index 76f285e..0aef35e 100644 gen_require(` type device_t, framebuf_device_t; ') -@@ -2402,7 +2774,97 @@ interface(`dev_filetrans_lirc',` +@@ -2402,7 +2817,97 @@ interface(`dev_filetrans_lirc',` ######################################## ## @@ -7202,7 +7245,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2532,6 +2994,24 @@ interface(`dev_read_raw_memory',` +@@ -2532,6 +3037,24 @@ interface(`dev_read_raw_memory',` ######################################## ## @@ -7227,7 +7270,7 @@ index 76f285e..0aef35e 100644 ## Do not audit attempts to read raw memory devices ## (e.g. /dev/mem). ## -@@ -2573,6 +3053,24 @@ interface(`dev_write_raw_memory',` +@@ -2573,6 +3096,24 @@ interface(`dev_write_raw_memory',` ######################################## ## @@ -7252,7 +7295,7 @@ index 76f285e..0aef35e 100644 ## Read and execute raw memory devices (e.g. /dev/mem). ## ## -@@ -2725,7 +3223,7 @@ interface(`dev_write_misc',` +@@ -2725,7 +3266,7 @@ interface(`dev_write_misc',` ## ## ## 
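Review bot: The summary of the new `dev_filetrans_ipmi` interface was copied from the PCMCIA interface and still reads `## Automatic type transition to the type for PCMCIA card manager device nodes when created in /dev.`; it should read `## Automatic type transition to the type for IPMI device nodes when created in /dev.` so the generated interface documentation does not mislead callers. The rule itself, `filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2)`, looks correct. For the neighbouring `dev_manage_ipmi_dev`, note that `manage_chr_files_pattern` grants create, unlink and rename of the node in addition to read and write, which is more than a domain that only talks to the BMC over /dev/ipmi* needs; a one-line comment naming the intended caller (presumably a udev-style device manager) would make the breadth reviewable, and callers that only need I/O should use a narrower rw interface if the policy provides one.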
@@ -7261,7 +7304,7 @@ index 76f285e..0aef35e 100644 ## ## # -@@ -2811,7 +3309,7 @@ interface(`dev_rw_modem',` +@@ -2811,7 +3352,7 @@ interface(`dev_rw_modem',` ######################################## ## @@ -7270,7 +7313,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2819,17 +3317,17 @@ interface(`dev_rw_modem',` +@@ -2819,17 +3360,17 @@ interface(`dev_rw_modem',` ## ## # @@ -7292,7 +7335,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2837,17 +3335,17 @@ interface(`dev_getattr_mouse_dev',` +@@ -2837,17 +3378,17 @@ interface(`dev_getattr_mouse_dev',` ## ## # @@ -7314,7 +7357,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -2855,17 +3353,17 @@ interface(`dev_setattr_mouse_dev',` +@@ -2855,12 +3396,84 @@ interface(`dev_setattr_mouse_dev',` ## ## # 
@@ -7327,94 +7370,29 @@ index 76f285e..0aef35e 100644 - read_chr_files_pattern($1, device_t, mouse_device_t) + read_chr_files_pattern($1, device_t, monitor_device_t) - ') - - ######################################## - ## --## Read and write to mouse devices. ++') ++ ++######################################## ++## +## Read and write to monitor devices. - ## - ## - ## -@@ -2873,18 +3371,17 @@ interface(`dev_read_mouse',` - ## - ## - # --interface(`dev_rw_mouse',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_rw_monitor_dev',` - gen_require(` -- type device_t, mouse_device_t; -+ type device_t, monitor_device_t; - ') - -- rw_chr_files_pattern($1, device_t, mouse_device_t) -+ rw_chr_files_pattern($1, device_t, monitor_device_t) - ') - - ######################################## - ## --## Get the attributes of the memory type range --## registers (MTRR) device. -+## Get the attributes of the mouse devices. - ## - ## - ## -@@ -2892,47 +3389,91 @@ interface(`dev_rw_mouse',` - ## - ## - # --interface(`dev_getattr_mtrr_dev',` -+interface(`dev_getattr_mouse_dev',` - gen_require(` -- type device_t, mtrr_device_t; -+ type device_t, mouse_device_t; - ') - -- getattr_files_pattern($1, device_t, mtrr_device_t) -- getattr_chr_files_pattern($1, device_t, mtrr_device_t) -+ getattr_chr_files_pattern($1, device_t, mouse_device_t) - ') - - ######################################## - ## --## Read the memory type range --## registers (MTRR). (Deprecated) -+## Set the attributes of the mouse devices. - ## --## --##

--## Read the memory type range --## registers (MTRR). This interface has --## been deprecated, dev_rw_mtrr() should be --## used instead. --##

--##

--## The MTRR device ioctls can be used for --## reading and writing; thus, read access to the --## device cannot be separated from write access. --##

--##
- ## - ## - ## Domain allowed access. - ## - ## - # --interface(`dev_read_mtrr',` -- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') -- dev_rw_mtrr($1) -+interface(`dev_setattr_mouse_dev',` + gen_require(` -+ type device_t, mouse_device_t; ++ type device_t, monitor_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, mouse_device_t) - ') - - ######################################## - ## --## Write the memory type range -+## Read the mouse devices. ++ rw_chr_files_pattern($1, device_t, monitor_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the mouse devices. +## +## +## @@ -7422,17 +7400,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_read_mouse',` ++interface(`dev_getattr_mouse_dev',` + gen_require(` + type device_t, mouse_device_t; + ') + -+ read_chr_files_pattern($1, device_t, mouse_device_t) ++ getattr_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## -+## Read and write to mouse devices. ++## Set the attributes of the mouse devices. +## +## +## @@ -7440,18 +7418,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_rw_mouse',` ++interface(`dev_setattr_mouse_dev',` + gen_require(` + type device_t, mouse_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, mouse_device_t) ++ setattr_chr_files_pattern($1, device_t, mouse_device_t) +') + +######################################## +## -+## Get the attributes of the memory type range -+## registers (MTRR) device. ++## Read the mouse devices. +## +## +## 
@@ -7459,47 +7436,108 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_getattr_mtrr_dev',` ++interface(`dev_read_mouse',` + gen_require(` -+ type device_t, mtrr_device_t; ++ type device_t, mouse_device_t; + ') + -+ getattr_files_pattern($1, device_t, mtrr_device_t) -+ getattr_chr_files_pattern($1, device_t, mtrr_device_t) -+') -+ -+######################################## -+## ++ read_chr_files_pattern($1, device_t, mouse_device_t) + ') + + ######################################## +@@ -2903,20 +3516,20 @@ interface(`dev_getattr_mtrr_dev',` + + ######################################## + ## +-## Read the memory type range +## Write the memory type range ## registers (MTRR). (Deprecated) ## ## -@@ -2975,8 +3516,47 @@ interface(`dev_dontaudit_write_mtrr',` - type mtrr_device_t; - ') + ##

+-## Read the memory type range ++## Write the memory type range + ## registers (MTRR). This interface has + ## been deprecated, dev_rw_mtrr() should be + ## used instead. + ##

+ ##

+ ## The MTRR device ioctls can be used for +-## reading and writing; thus, read access to the +-## device cannot be separated from write access. ++## reading and writing; thus, write access to the ++## device cannot be separated from read access. + ##

+ ##
+ ## +@@ -2925,43 +3538,34 @@ interface(`dev_getattr_mtrr_dev',` + ##
+ ## + # +-interface(`dev_read_mtrr',` ++interface(`dev_write_mtrr',` + refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') + dev_rw_mtrr($1) + ') -- dontaudit $1 mtrr_device_t:file write; -- dontaudit $1 mtrr_device_t:chr_file write; -+ dontaudit $1 mtrr_device_t:file write_file_perms; -+ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; -+') -+ -+######################################## -+## -+## Do not audit attempts to read the memory type + ######################################## + ## +-## Write the memory type range +-## registers (MTRR). (Deprecated) ++## Do not audit attempts to write the memory type +## range registers (MTRR). -+## -+## -+## + ## +-## +-##

+-## Write the memory type range +-## registers (MTRR). This interface has +-## been deprecated, dev_rw_mtrr() should be +-## used instead. +-##

+-##

+-## The MTRR device ioctls can be used for +-## reading and writing; thus, write access to the +-## device cannot be separated from read access. +-##

+-##
+ ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# -+interface(`dev_dontaudit_read_mtrr',` + ##
+ ## + # +-interface(`dev_write_mtrr',` +- refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') +- dev_rw_mtrr($1) ++interface(`dev_dontaudit_write_mtrr',` + gen_require(` + type mtrr_device_t; + ') + ++ dontaudit $1 mtrr_device_t:file write_file_perms; ++ dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; + ') + + ######################################## + ## +-## Do not audit attempts to write the memory type ++## Do not audit attempts to read the memory type + ## range registers (MTRR). + ## + ## +@@ -2970,13 +3574,32 @@ interface(`dev_write_mtrr',` + ##
+ ## + # +-interface(`dev_dontaudit_write_mtrr',` ++interface(`dev_dontaudit_read_mtrr',` + gen_require(` + type mtrr_device_t; + ') + +- dontaudit $1 mtrr_device_t:file write; +- dontaudit $1 mtrr_device_t:chr_file write; + dontaudit $1 mtrr_device_t:file { open read }; + dontaudit $1 mtrr_device_t:chr_file { open read }; +') @@ -7524,7 +7562,7 @@ index 76f285e..0aef35e 100644 ') ######################################## -@@ -3144,6 +3724,61 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3767,61 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -7586,7 +7624,7 @@ index 76f285e..0aef35e 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3798,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3841,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -7611,7 +7649,7 @@ index 76f285e..0aef35e 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3907,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3950,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -7638,7 +7676,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -3262,12 +3933,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3976,13 @@ interface(`dev_rw_printer',` ## ## # @@ -7655,7 +7693,7 @@ index 76f285e..0aef35e 100644 ') ######################################## -@@ -3399,7 +4071,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +4114,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -7664,7 +7702,7 @@ index 76f285e..0aef35e 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +4085,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +4128,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') 
@@ -7673,7 +7711,7 @@ index 76f285e..0aef35e 100644 ') ######################################## -@@ -3855,7 +4527,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4570,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## @@ -7682,7 +7720,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -3863,91 +4535,89 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,91 +4578,89 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -7793,7 +7831,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -3955,68 +4625,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,68 +4668,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -7872,7 +7910,7 @@ index 76f285e..0aef35e 100644 ## ## ## -@@ -4024,53 +4679,279 @@ interface(`dev_rw_sysfs',` +@@ -4024,17 +4722,243 @@ interface(`dev_rw_sysfs',` ## ## # @@ -7892,45 +7930,19 @@ index 76f285e..0aef35e 100644 ## -## Read from pseudo random number generator devices (e.g., /dev/urandom). +## Write in a sysfs directories. - ## --## --##

--## Allow the specified domain to read from pseudo random number --## generator devices (e.g., /dev/urandom). Typically this is --## used in situations when a cryptographically secure random --## number is not necessarily needed. One example is the Stack --## Smashing Protector (SSP, formerly known as ProPolice) support --## that may be compiled into programs. --##

--##

--## Related interface: --##

--## --##

--## Related tunable: --##

--## --##
- ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`dev_read_urand',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` - gen_require(` -- type device_t, urandom_device_t; ++ gen_require(` + type sysfs_t; - ') - -- read_chr_files_pattern($1, device_t, urandom_device_t) ++ ') ++ + allow $1 sysfs_t:dir write; +') + @@ -8143,46 +8155,10 @@ index 76f285e..0aef35e 100644 +######################################## +## +## Read from pseudo random number generator devices (e.g., /dev/urandom). -+## -+## -+##

-+## Allow the specified domain to read from pseudo random number -+## generator devices (e.g., /dev/urandom). Typically this is -+## used in situations when a cryptographically secure random -+## number is not necessarily needed. One example is the Stack -+## Smashing Protector (SSP, formerly known as ProPolice) support -+## that may be compiled into programs. -+##

-+##

-+## Related interface: -+##

-+## -+##

-+## Related tunable: -+##

-+## -+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_urand',` -+ gen_require(` -+ type device_t, urandom_device_t; -+ ') -+ -+ read_chr_files_pattern($1, device_t, urandom_device_t) - ') - - ######################################## -@@ -4113,6 +4994,25 @@ interface(`dev_write_urand',` + ## + ## + ##

+@@ -4113,6 +5037,25 @@ interface(`dev_write_urand',` ######################################## ##

@@ -8208,7 +8184,7 @@ index 76f285e..0aef35e 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5023,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5066,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` 
@@ -8217,33 +8193,149 @@ index 76f285e..0aef35e 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4330,28 +5230,180 @@ interface(`dev_search_usbfs',` +@@ -4409,9 +5352,9 @@ interface(`dev_rw_usbfs',` + read_lnk_files_pattern($1, usbfs_t, usbfs_t) + ') + +-######################################## ++###################################### + ## +-## Get the attributes of video4linux devices. ++## Read and write userio device. + ## + ## + ## +@@ -4419,17 +5362,17 @@ interface(`dev_rw_usbfs',` + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_rw_userio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, userio_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, userio_device_t) + ') + +-###################################### ++######################################## + ## +-## Read and write userio device. ++## Get the attributes of video4linux devices. + ## + ## + ## +@@ -4437,12 +5380,12 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_getattr_video_dev',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, v4l_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## +@@ -4539,7 +5482,7 @@ interface(`dev_write_video_dev',` + + ######################################## + ## +-## Allow read/write the vhost net device ++## Get the attributes of vfio devices. 
+ ## + ## + ## +@@ -4547,35 +5490,36 @@ interface(`dev_write_video_dev',` + ## + ## + # +-interface(`dev_rw_vhost',` ++interface(`dev_getattr_vfio_dev',` + gen_require(` +- type device_t, vhost_device_t; ++ type device_t, vfio_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vhost_device_t) ++ getattr_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Read and write VMWare devices. ++## Do not audit attempts to get the attributes ++## of vfio device nodes. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_rw_vmware',` ++interface(`dev_dontaudit_getattr_vfio_dev',` + gen_require(` +- type device_t, vmware_device_t; ++ type vfio_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vmware_device_t) ++ dontaudit $1 vfio_device_t:chr_file getattr; + ') ######################################## ## --## Allow caller to get a list of usb hardware. -+## Allow caller to get a list of usb hardware. +-## Read, write, and mmap VMWare devices. ++## Set the attributes of vfio device nodes. + ## + ## + ## +@@ -4583,12 +5527,157 @@ interface(`dev_rw_vmware',` + ## + ## + # +-interface(`dev_rwx_vmware',` ++interface(`dev_setattr_vfio_dev',` + gen_require(` +- type device_t, vmware_device_t; ++ type device_t, vfio_device_t; + ') + +- dev_rw_vmware($1) ++ setattr_chr_files_pattern($1, device_t, vfio_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of vfio device nodes. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## +# -+interface(`dev_list_usbfs',` ++interface(`dev_dontaudit_setattr_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type vfio_device_t; + ') + -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ getattr_files_pattern($1, usbfs_t, usbfs_t) -+ -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ dontaudit $1 vfio_device_t:chr_file setattr; +') + +######################################## +## -+## Set the attributes of usbfs filesystem. ++## Read the vfio devices. +## +## +## @@ -8251,19 +8343,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_setattr_usbfs_files',` ++interface(`dev_read_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type device_t, vfio_device_t; + ') + -+ setattr_files_pattern($1, usbfs_t, usbfs_t) -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ read_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Read USB hardware information using -+## the usbfs filesystem interface. ++## Write the vfio devices. +## +## +## @@ -8271,19 +8361,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_read_usbfs',` ++interface(`dev_write_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type device_t, vfio_device_t; + ') + -+ read_files_pattern($1, usbfs_t, usbfs_t) -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ write_chr_files_pattern($1, device_t, vfio_device_t) +') + +######################################## +## -+## Allow caller to modify usb hardware configuration files. ++## Read and write the VFIO devices. +## +## +## 
@@ -8291,19 +8379,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_rw_usbfs',` ++interface(`dev_rw_vfio_dev',` + gen_require(` -+ type usbfs_t; ++ type device_t, vfio_device_t; + ') + -+ list_dirs_pattern($1, usbfs_t, usbfs_t) -+ rw_files_pattern($1, usbfs_t, usbfs_t) -+ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ rw_chr_files_pattern($1, device_t, vfio_device_t) +') + -+###################################### ++######################################## +## -+## Read and write userio device. ++## Allow read/write the vhost net device +## +## +## @@ -8311,17 +8397,17 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_rw_userio_dev',` ++interface(`dev_rw_vhost',` + gen_require(` -+ type device_t, userio_device_t; ++ type device_t, vhost_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, userio_device_t) ++ rw_chr_files_pattern($1, device_t, vhost_device_t) +') + +######################################## +## -+## Get the attributes of video4linux devices. ++## Allow read/write inheretid the vhost net device +## +## +## 
@@ -8329,36 +8415,35 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_getattr_video_dev',` ++interface(`dev_rw_inherited_vhost',` + gen_require(` -+ type device_t, v4l_device_t; ++ type device_t, vhost_device_t; + ') + -+ getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; +') + +######################################## +## -+## Do not audit attempts to get the attributes -+## of video4linux device nodes. ++## Read and write VMWare devices. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_getattr_video_dev',` ++interface(`dev_rw_vmware',` + gen_require(` -+ type v4l_device_t; ++ type device_t, vmware_device_t; + ') + -+ dontaudit $1 v4l_device_t:chr_file getattr; ++ rw_chr_files_pattern($1, device_t, vmware_device_t) +') + +######################################## +## -+## Set the attributes of video4linux device nodes. ++## Read, write, and mmap VMWare devices. +## +## +## 
@@ -8366,296 +8451,16 @@ index 76f285e..0aef35e 100644 +## +## +# -+interface(`dev_setattr_video_dev',` ++interface(`dev_rwx_vmware',` + gen_require(` -+ type device_t, v4l_device_t; ++ type device_t, vmware_device_t; + ') + -+ setattr_chr_files_pattern($1, device_t, v4l_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to set the attributes -+## of video4linux device nodes. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`dev_list_usbfs',` -+interface(`dev_dontaudit_setattr_video_dev',` - gen_require(` -- type usbfs_t; -+ type v4l_device_t; - ') - -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -- getattr_files_pattern($1, usbfs_t, usbfs_t) -- -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ dontaudit $1 v4l_device_t:chr_file setattr; ++ dev_rw_vmware($1) + allow $1 vmware_device_t:chr_file execute; ') - ######################################## - ## --## Set the attributes of usbfs filesystem. -+## Read the video4linux devices. - ## - ## - ## -@@ -4359,19 +5411,17 @@ interface(`dev_list_usbfs',` - ## - ## - # --interface(`dev_setattr_usbfs_files',` -+interface(`dev_read_video_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, v4l_device_t; - ') - -- setattr_files_pattern($1, usbfs_t, usbfs_t) -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ read_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## - ## --## Read USB hardware information using --## the usbfs filesystem interface. -+## Write the video4linux devices. 
- ## - ## - ## -@@ -4379,19 +5429,17 @@ interface(`dev_setattr_usbfs_files',` - ## - ## - # --interface(`dev_read_usbfs',` -+interface(`dev_write_video_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, v4l_device_t; - ') - -- read_files_pattern($1, usbfs_t, usbfs_t) -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -- list_dirs_pattern($1, usbfs_t, usbfs_t) -+ write_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## - ## --## Allow caller to modify usb hardware configuration files. -+## Get the attributes of vfio devices. - ## - ## - ## -@@ -4399,37 +5447,36 @@ interface(`dev_read_usbfs',` - ## - ## - # --interface(`dev_rw_usbfs',` -+interface(`dev_getattr_vfio_dev',` - gen_require(` -- type usbfs_t; -+ type device_t, vfio_device_t; - ') - -- list_dirs_pattern($1, usbfs_t, usbfs_t) -- rw_files_pattern($1, usbfs_t, usbfs_t) -- read_lnk_files_pattern($1, usbfs_t, usbfs_t) -+ getattr_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Get the attributes of video4linux devices. -+## Do not audit attempts to get the attributes -+## of vfio device nodes. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`dev_getattr_video_dev',` -+interface(`dev_dontaudit_getattr_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type vfio_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, v4l_device_t) -+ dontaudit $1 vfio_device_t:chr_file getattr; - ') - --###################################### -+######################################## - ## --## Read and write userio device. -+## Set the attributes of vfio device nodes. 
- ## - ## - ## -@@ -4437,18 +5484,18 @@ interface(`dev_getattr_video_dev',` - ## - ## - # --interface(`dev_rw_userio_dev',` -+interface(`dev_setattr_vfio_dev',` - gen_require(` -- type device_t, userio_device_t; -+ type device_t, vfio_device_t; - ') - -- rw_chr_files_pattern($1, device_t, userio_device_t) -+ setattr_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Do not audit attempts to get the attributes --## of video4linux device nodes. -+## Do not audit attempts to set the attributes -+## of vfio device nodes. - ## - ## - ## -@@ -4456,17 +5503,17 @@ interface(`dev_rw_userio_dev',` - ## - ## - # --interface(`dev_dontaudit_getattr_video_dev',` -+interface(`dev_dontaudit_setattr_vfio_dev',` - gen_require(` -- type v4l_device_t; -+ type vfio_device_t; - ') - -- dontaudit $1 v4l_device_t:chr_file getattr; -+ dontaudit $1 vfio_device_t:chr_file setattr; - ') - - ######################################## - ## --## Set the attributes of video4linux device nodes. -+## Read the vfio devices. - ## - ## - ## -@@ -4474,36 +5521,35 @@ interface(`dev_dontaudit_getattr_video_dev',` - ## - ## - # --interface(`dev_setattr_video_dev',` -+interface(`dev_read_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- setattr_chr_files_pattern($1, device_t, v4l_device_t) -+ read_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Do not audit attempts to set the attributes --## of video4linux device nodes. -+## Write the vfio devices. - ## - ## - ## --## Domain to not audit. -+## Domain allowed access. 
- ## - ## - # --interface(`dev_dontaudit_setattr_video_dev',` -+interface(`dev_write_vfio_dev',` - gen_require(` -- type v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- dontaudit $1 v4l_device_t:chr_file setattr; -+ write_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Read the video4linux devices. -+## Read and write the VFIO devices. - ## - ## - ## -@@ -4511,17 +5557,17 @@ interface(`dev_dontaudit_setattr_video_dev',` - ## - ## - # --interface(`dev_read_video_dev',` -+interface(`dev_rw_vfio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vfio_device_t; - ') - -- read_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Write the video4linux devices. -+## Allow read/write the vhost net device - ## - ## - ## -@@ -4529,17 +5575,17 @@ interface(`dev_read_video_dev',` - ## - ## - # --interface(`dev_write_video_dev',` -+interface(`dev_rw_vhost',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, vhost_device_t; - ') - -- write_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, vhost_device_t) - ') - - ######################################## - ## --## Allow read/write the vhost net device -+## Allow read/write inheretid the vhost net device - ## - ## - ## -@@ -4547,12 +5593,12 @@ interface(`dev_write_video_dev',` - ## - ## - # --interface(`dev_rw_vhost',` -+interface(`dev_rw_inherited_vhost',` - gen_require(` - type device_t, vhost_device_t; - ') - -- rw_chr_files_pattern($1, device_t, vhost_device_t) -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; - ') - - ######################################## -@@ -4630,6 +5676,24 @@ interface(`dev_write_watchdog',` +@@ -4630,6 +5719,24 @@ interface(`dev_write_watchdog',` ######################################## ## 
@@ -8680,7 +8485,7 @@ index 76f285e..0aef35e 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5826,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5869,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8725,7 +8530,7 @@ index 76f285e..0aef35e 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5953,1020 @@ interface(`dev_unconfined',` +@@ -4851,3 +5996,1020 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -10232,7 +10037,7 @@ index 6a1e4d1..26e5558 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..7b76b77 100644 +index cf04cb5..466882e 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,17 +4,41 @@ policy_module(domain, 1.11.0) @@ -10365,8 +10170,11 @@ index cf04cb5..7b76b77 100644 ') ######################################## -@@ -147,12 +217,18 @@ optional_policy(` +@@ -145,14 +215,21 @@ optional_policy(` + # be used on an attribute. + # Use/sendto/connectto sockets created by any domain. ++allow unconfined_domain_type self:cap_userns all_cap_userns_perms; allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; +allow unconfined_domain_type domain:system all_system_perms; @@ -10385,7 +10193,7 @@ index cf04cb5..7b76b77 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +242,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +243,373 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -17953,7 +17761,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') 
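Review bot: The new `++allow unconfined_domain_type self:cap_userns all_cap_userns_perms;` in domain.te grants the full user-namespace capability set to every domain carrying the unconfined_domain_type attribute, with no comment explaining why it lands in the kernel domain module rather than next to the policy that actually needs user namespaces. It is consistent with the neighbouring `domain:{ socket_class_set socket key_socket } *` and `domain:system all_system_perms` wildcards, so the breadth is defensible for truly unconfined domains, but a comment such as `# user namespaces: unconfined domains may exercise any capability inside a userns (cap_userns class)` should accompany it. Because this is an attribute, it should be confirmed that no container runtime or container workload domain is a member of unconfined_domain_type in this policy, since that would hand cap_userns wholesale to containers; the hunk does not show the attribute's membership, which is defined outside it.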
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..761fbab 100644 +index 8416beb..c17a25a 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` @@ -18452,7 +18260,7 @@ index 8416beb..761fbab 100644 ## ## ## -@@ -1878,135 +2122,740 @@ interface(`fs_search_fusefs',` +@@ -1878,95 +2122,169 @@ interface(`fs_search_fusefs',` ## ## # @@ -18609,14 +18417,16 @@ index 8416beb..761fbab 100644 +# +interface(`fs_mount_fusefs',` + gen_require(` -+ type fusefs_t; -+ ') -+ + type fusefs_t; + ') + +- exec_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:filesystem mount; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete files +## Unmount a FUSE filesystem. +## +## 
@@ -18654,226 +18464,277 @@ index 8416beb..761fbab 100644 +######################################## +## +## Search directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# + ## on a FUSEFS filesystem. + ## + ## +@@ -1976,19 +2294,18 @@ interface(`fs_exec_fusefs_files',` + ## + ## + # +-interface(`fs_manage_fusefs_files',` +interface(`fs_search_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ + gen_require(` + type fusefs_t; + ') + +- manage_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:dir search_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to create, +-## read, write, and delete files +-## on a FUSEFS filesystem. +## Do not audit attempts to list the contents +## of directories on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# + ## + ## + ## +@@ -1996,217 +2313,274 @@ interface(`fs_manage_fusefs_files',` + ## + ## + # +-interface(`fs_dontaudit_manage_fusefs_files',` +interface(`fs_dontaudit_list_fusefs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ + gen_require(` + type fusefs_t; + ') + +- dontaudit $1 fusefs_t:file manage_file_perms; + dontaudit $1 fusefs_t:dir list_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read symbolic links on a FUSEFS filesystem. +## Create, read, write, and delete directories +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +## -+# + # +-interface(`fs_read_fusefs_symlinks',` +interface(`fs_manage_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') -+ + gen_require(` + type fusefs_t; + ') + +- allow $1 fusefs_t:dir list_dir_perms; +- read_lnk_files_pattern($1, fusefs_t, fusefs_t) + allow $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of an hugetlbfs +-## filesystem. +## Do not audit attempts to create, read, +## write, and delete directories +## on a FUSEFS filesystem. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`fs_getattr_hugetlbfs',` +interface(`fs_dontaudit_manage_fusefs_dirs',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem getattr; + dontaudit $1 fusefs_t:dir manage_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List hugetlbfs. +## Read, a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`fs_list_hugetlbfs',` +interface(`fs_read_fusefs_files',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:dir list_dir_perms; + read_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Manage hugetlbfs dirs. +## Execute files on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +## -+# + # +-interface(`fs_manage_hugetlbfs_dirs',` +interface(`fs_exec_fusefs_files',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) + exec_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read and write hugetlbfs files. +## Make general progams in FUSEFS an entrypoint for +## the specified domain. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## The domain for which fusefs_t is an entrypoint. -+## -+## -+# + ## + ## + # +-interface(`fs_rw_hugetlbfs_files',` +interface(`fs_fusefs_entry_type',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) + domain_entry_file($1, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow the type to associate to hugetlbfs filesystems. +## Make general progams in FUSEFS an entrypoint for +## the specified domain. -+## + ## +-## +## -+## + ## +-## The type of the object to be associated. +## The domain for which fusefs_t is an entrypoint. -+## -+## -+# + ## + ## + # +-interface(`fs_associate_hugetlbfs',` +interface(`fs_fusefs_entrypoint',` -+ gen_require(` + gen_require(` +- type hugetlbfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 hugetlbfs_t:filesystem associate; + allow $1 fusefs_t:file entrypoint; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Search inotifyfs filesystem. +## Create, read, write, and delete files +## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +## -+# + # +-interface(`fs_search_inotifyfs',` +interface(`fs_manage_fusefs_files',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir search_dir_perms; + manage_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## List inotifyfs filesystem. +## Do not audit attempts to create, +## read, write, and delete files +## on a FUSEFS filesystem. -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. -+## -+## -+# + ## + ## + # +-interface(`fs_list_inotifyfs',` +interface(`fs_dontaudit_manage_fusefs_files',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- allow $1 inotifyfs_t:dir list_dir_perms; + dontaudit $1 fusefs_t:file manage_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Dontaudit List inotifyfs filesystem. +## Read symbolic links on a FUSEFS filesystem. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`fs_dontaudit_list_inotifyfs',` +interface(`fs_read_fusefs_symlinks',` -+ gen_require(` + gen_require(` +- type inotifyfs_t; + type fusefs_t; -+ ') -+ + ') + +- dontaudit $1 inotifyfs_t:dir list_dir_perms; + allow $1 fusefs_t:dir list_dir_perms; + read_lnk_files_pattern($1, fusefs_t, fusefs_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create an object in a hugetlbfs filesystem, with a private +-## type using a type transition. +## Manage symbolic links on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +# +interface(`fs_manage_fusefs_symlinks',` + gen_require(` @@ -18908,15 +18769,19 @@ index 8416beb..761fbab 100644 +##

+##
+## -+## + ## +-## The type of the object to be created. +## Domain allowed to transition. -+## -+## + ## + ## +-## +## -+## + ## +-## The object class of the object being created. +## The type of the new process. -+## -+## + ## + ## +-## +# +interface(`fs_fusefs_domtrans',` + gen_require(` @@ -18932,37 +18797,46 @@ index 8416beb..761fbab 100644 +## Get the attributes of a FUSEFS filesystem. +## +## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## + ## + ## +## -+# + # +-interface(`fs_hugetlbfs_filetrans',` +interface(`fs_getattr_fusefs',` -+ gen_require(` - type fusefs_t; + gen_require(` +- type hugetlbfs_t; ++ type fusefs_t; ') -- exec_files_pattern($1, fusefs_t, fusefs_t) +- allow $2 hugetlbfs_t:filesystem associate; +- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) + allow $1 fusefs_t:filesystem getattr; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Mount an iso9660 filesystem, which +-## is usually used on CDs. +## Get the attributes of an hugetlbfs +## filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -2214,19 +2588,567 @@ interface(`fs_hugetlbfs_filetrans',` + ## + ## + # +-interface(`fs_mount_iso9660_fs',` +interface(`fs_getattr_hugetlbfs',` -+ gen_require(` + gen_require(` +- type iso9660_t; + type hugetlbfs_t; -+ ') -+ + ') + +- allow $1 iso9660_t:filesystem mount; + allow $1 hugetlbfs_t:filesystem getattr; +') + 
@@ -19181,287 +19055,230 @@ index 8416beb..761fbab 100644 + + allow $2 hugetlbfs_t:filesystem associate; + filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) - ') - - ######################################## - ## --## Create, read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Mount an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_manage_fusefs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mount_iso9660_fs',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type iso9660_t; - ') - -- manage_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $1 iso9660_t:filesystem mount; - ') - - ######################################## - ## --## Do not audit attempts to create, --## read, write, and delete files --## on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Remount an iso9660 filesystem, which +## is usually used on CDs. This allows +## some mount options to be changed. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_manage_fusefs_files',` ++## ++## ++# +interface(`fs_remount_iso9660_fs',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type iso9660_t; - ') - -- dontaudit $1 fusefs_t:file manage_file_perms; ++ ') ++ + allow $1 iso9660_t:filesystem remount; - ') - - ######################################## - ## --## Read symbolic links on a FUSEFS filesystem. ++') ++ ++######################################## ++## +## Unmount an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## -@@ -2014,37 +2863,38 @@ interface(`fs_dontaudit_manage_fusefs_files',` - ## - ## - # --interface(`fs_read_fusefs_symlinks',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`fs_unmount_iso9660_fs',` - gen_require(` -- type fusefs_t; ++ gen_require(` + type iso9660_t; - ') - -- allow $1 fusefs_t:dir list_dir_perms; -- read_lnk_files_pattern($1, fusefs_t, fusefs_t) ++ ') ++ + allow $1 iso9660_t:filesystem unmount; - ') - - ######################################## - ## --## Get the attributes of an hugetlbfs --## filesystem. ++') ++ ++######################################## ++## +## Get the attributes of an iso9660 +## filesystem, which is usually used on CDs. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## - # --interface(`fs_getattr_hugetlbfs',` ++# +interface(`fs_getattr_iso9660_fs',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type iso9660_t; - ') - -- allow $1 hugetlbfs_t:filesystem getattr; ++ ') ++ + allow $1 iso9660_t:filesystem getattr; - ') - - ######################################## - ## --## List hugetlbfs. ++') ++ ++######################################## ++## +## Read files on an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## -@@ -2052,17 +2902,19 @@ interface(`fs_getattr_hugetlbfs',` - ## - ## - # --interface(`fs_list_hugetlbfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_iso9660_files',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type iso9660_t; - ') - -- allow $1 hugetlbfs_t:dir list_dir_perms; ++ ') ++ + allow $1 iso9660_t:dir list_dir_perms; + allow $1 iso9660_t:file getattr; - ') - - ######################################## - ## --## Manage hugetlbfs dirs. ++') ++ ++######################################## ++## +## Read files on an iso9660 filesystem, which +## is usually used on CDs. - ## - ## - ## -@@ -2070,17 +2922,20 @@ interface(`fs_list_hugetlbfs',` - ## - ## - # --interface(`fs_manage_hugetlbfs_dirs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`fs_read_iso9660_files',` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type iso9660_t; - ') - -- manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ ') ++ + allow $1 iso9660_t:dir list_dir_perms; + read_files_pattern($1, iso9660_t, iso9660_t) + read_lnk_files_pattern($1, iso9660_t, iso9660_t) - ') - ++') + - ######################################## - ## --## Read and write hugetlbfs files. ++ ++######################################## ++## +## Mount kdbus filesystems. - ## - ## - ## -@@ -2088,35 +2943,35 @@ interface(`fs_manage_hugetlbfs_dirs',` - ## - ## - # --interface(`fs_rw_hugetlbfs_files',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_mount_kdbus', ` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ ') ++ + allow $1 kdbusfs_t:filesystem mount; - ') - - ######################################## - ## --## Allow the type to associate to hugetlbfs filesystems. ++') ++ ++######################################## ++## +## Remount kdbus filesystems. - ## --## ++## +## - ## --## The type of the object to be associated. ++## +## Domain allowed access. - ## - ## - # --interface(`fs_associate_hugetlbfs',` ++## ++## ++# +interface(`fs_remount_kdbus', ` - gen_require(` -- type hugetlbfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 hugetlbfs_t:filesystem associate; ++ ') ++ + allow $1 kdbusfs_t:filesystem remount; - ') - - ######################################## - ## --## Search inotifyfs filesystem. ++') ++ ++######################################## ++## +## Unmount kdbus filesystems. - ## - ## - ## -@@ -2124,17 +2979,17 @@ interface(`fs_associate_hugetlbfs',` - ## - ## - # --interface(`fs_search_inotifyfs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`fs_unmount_kdbus', ` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 inotifyfs_t:dir search_dir_perms; ++ ') ++ + allow $1 kdbusfs_t:filesystem unmount; - ') - - ######################################## - ## --## List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Get attributes of kdbus filesystems. - ## - ## - ## -@@ -2142,71 +2997,136 @@ interface(`fs_search_inotifyfs',` - ## - ## - # --interface(`fs_list_inotifyfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_getattr_kdbus',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type kdbusfs_t; - ') - -- allow $1 inotifyfs_t:dir list_dir_perms; ++ ') ++ + allow $1 kdbusfs_t:filesystem getattr; - ') - - ######################################## - ## --## Dontaudit List inotifyfs filesystem. ++') ++ ++######################################## ++## +## Search kdbusfs directories. - ## - ## - ## --## Domain to not audit. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`fs_dontaudit_list_inotifyfs',` ++## ++## ++# +interface(`fs_search_kdbus_dirs',` - gen_require(` -- type inotifyfs_t; ++ gen_require(` + type kdbusfs_t; + - ') - -- dontaudit $1 inotifyfs_t:dir list_dir_perms; ++ ') ++ + search_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Create an object in a hugetlbfs filesystem, with a private --## type using a type transition. ++') ++ ++######################################## ++## +## Relabel kdbusfs directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`fs_relabel_kdbus_dirs',` + gen_require(` 
@@ -19477,12 +19294,10 @@ index 8416beb..761fbab 100644 +## List kdbusfs directories. +## +## - ## --## The type of the object to be created. ++## +## Domain allowed access. - ## - ## --## ++## ++## +# +interface(`fs_list_kdbus_dirs',` + gen_require(` @@ -19518,12 +19333,10 @@ index 8416beb..761fbab 100644 +## Delete kdbusfs directories. +## +## - ## --## The object class of the object being created. ++## +## Domain allowed access. - ## - ## --## ++## ++## +# +interface(`fs_delete_kdbus_dirs', ` + gen_require(` @@ -19540,48 +19353,37 @@ index 8416beb..761fbab 100644 +## Manage kdbusfs directories. +## +## - ## --## The name of the object being created. ++## +## Domain allowed access. - ## - ## - # --interface(`fs_hugetlbfs_filetrans',` ++## ++## ++# +interface(`fs_manage_kdbus_dirs',` - gen_require(` -- type hugetlbfs_t; -- ') ++ gen_require(` + type kdbusfs_t; - -- allow $2 hugetlbfs_t:filesystem associate; -- filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ++ + ') + manage_dirs_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) - ') - - ######################################## - ## --## Mount an iso9660 filesystem, which --## is usually used on CDs. ++') ++ ++######################################## ++## +## Read kdbusfs files. - ## - ## - ## -@@ -2214,19 +3134,21 @@ interface(`fs_hugetlbfs_filetrans',` - ## - ## - # --interface(`fs_mount_iso9660_fs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`fs_read_kdbus_files',` - gen_require(` -- type iso9660_t; ++ gen_require(` + type cgroup_t; + - ') - -- allow $1 iso9660_t:filesystem mount; ++ ') ++ + read_files_pattern($1, kdbusfs_t, kdbusfs_t) + read_lnk_files_pattern($1, kdbusfs_t, kdbusfs_t) + fs_search_tmpfs($1) 
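Review bot: The description placed above `fs_getattr_iso9660_files` on the new side of the `@@ -19181,287 +19055,230 @@` hunk says "Read files on an iso9660 filesystem", but the body only grants `iso9660_t:dir list_dir_perms` and `iso9660_t:file getattr`, so the interface is stat-only and the doc overstates what a caller gets. The genuine read interface, `fs_read_iso9660_files`, follows immediately with the identical description, which makes the two indistinguishable to someone choosing by the comment. Suggested wording for the first one: `## Get the attributes of files on an iso9660 filesystem, which is usually used on CDs.`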
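Review bot: `fs_read_kdbus_files` on the new side of the `@@ -19540,48 +19353,37 @@` hunk declares `type cgroup_t;` in its gen_require, yet every rule in its body (`read_files_pattern`, `read_lnk_files_pattern`) acts on `kdbusfs_t`, so the wrong type is required and the one actually used is not. A module that calls only this interface will fail to build in a modular policy because `kdbusfs_t` is not brought into scope, while `cgroup_t` is required for nothing; the sibling kdbus interfaces in the same hunk all require `kdbusfs_t`. The fix is the one-line change `type kdbusfs_t;` in place of `type cgroup_t;`. The rebased patch appears to carry this forward unchanged rather than introduce it.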
@@ -19725,12 +19527,11 @@ index 8416beb..761fbab 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2361,39 +3288,57 @@ interface(`fs_remount_nfs',` +@@ -2398,6 +3325,24 @@ interface(`fs_getattr_nfs',` ######################################## ## --## Unmount a NFS filesystem. -+## Unmount a NFS filesystem. ++## Set the attributes of nfs directories. +## +## +## @@ -19738,58 +19539,19 @@ index 8416beb..761fbab 100644 +## +## +# -+interface(`fs_unmount_nfs',` ++interface(`fs_setattr_nfs_dirs',` + gen_require(` + type nfs_t; + ') + -+ allow $1 nfs_t:filesystem unmount; ++ allow $1 nfs_t:dir setattr; +') + +######################################## +## -+## Get the attributes of a NFS filesystem. + ## Search directories on a NFS filesystem. ## ## - ## - ## Domain allowed access. - ## - ## -+## - # --interface(`fs_unmount_nfs',` -+interface(`fs_getattr_nfs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem unmount; -+ allow $1 nfs_t:filesystem getattr; - ') - - ######################################## - ## --## Get the attributes of a NFS filesystem. -+## Set the attributes of nfs directories. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`fs_getattr_nfs',` -+interface(`fs_setattr_nfs_dirs',` - gen_require(` - type nfs_t; - ') - -- allow $1 nfs_t:filesystem getattr; -+ allow $1 nfs_t:dir setattr; - ') - - ######################################## @@ -2485,6 +3430,7 @@ interface(`fs_read_nfs_files',` type nfs_t; ') 
@@ -20054,38 +19816,33 @@ index 8416beb..761fbab 100644 ## Mount a NFS server pseudo filesystem. ## ## -@@ -3263,7 +4364,25 @@ interface(`fs_getattr_nfsd_files',` - getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +@@ -3190,28 +4291,100 @@ interface(`fs_unmount_nfsd_fs',` + allow $1 nfsd_fs_t:filesystem unmount; ') -######################################## -+####################################### ++######################################## +## -+## read files on an nfsd filesystem ++## Get the attributes of a NFS server ++## pseudo filesystem. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`fs_read_nfsd_files',` -+ gen_require(` -+ type nfsd_fs_t; -+ ') ++interface(`fs_getattr_nfsd_fs',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') + -+ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ allow $1 nfsd_fs_t:filesystem getattr; +') + -+####################################### - ## - ## Read and write NFS server files. - ## -@@ -3283,6 +4402,59 @@ interface(`fs_rw_nfsd_fs',` - - ######################################## - ## -+## Getattr files on an nsfs filesystem ++######################################## ++## ++## Search NFS server directories. +## +## +## 
@@ -20093,34 +19850,35 @@ index 8416beb..761fbab 100644 +## +## +# -+interface(`fs_getattr_nsfs_files',` ++interface(`fs_search_nfsd_fs',` + gen_require(` -+ type nsfs_t; ++ type nfsd_fs_t; + ') + -+ getattr_files_pattern($1, nsfs_t, nsfs_t) ++ allow $1 nfsd_fs_t:dir search_dir_perms; +') -+####################################### ++ ++######################################## +## -+## Read nsfs inodes (e.g. /proc/pid/ns/uts) ++## List NFS server directories. +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`fs_read_nsfs_files',` ++interface(`fs_list_nfsd_fs',` + gen_require(` -+ type nsfs_t; -+ ') ++ type nfsd_fs_t; ++ ') + -+ allow $1 nsfs_t:file read_file_perms; ++ allow $1 nfsd_fs_t:dir list_dir_perms; +') + +######################################## +## -+## Manage NFS server files. ++## Getattr files on an nfsd filesystem +## +## +## 
@@ -20128,19 +19886,135 @@ index 8416beb..761fbab 100644 +## +## +# -+interface(`fs_manage_nfsd_fs',` ++interface(`fs_getattr_nfsd_files',` + gen_require(` + type nfsd_fs_t; + ') + -+ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) +') + -+######################################## -+## - ## Allow the type to associate to ramfs filesystems. ++####################################### + ## +-## Get the attributes of a NFS server +-## pseudo filesystem. ++## read files on an nfsd filesystem ## - ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`fs_getattr_nfsd_fs',` +- gen_require(` +- type nfsd_fs_t; +- ') ++interface(`fs_read_nfsd_files',` ++ gen_require(` ++ type nfsd_fs_t; ++ ') + +- allow $1 nfsd_fs_t:filesystem getattr; ++ read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + +-######################################## ++####################################### + ## +-## Search NFS server directories. ++## Read and write NFS server files. + ## + ## + ## +@@ -3219,17 +4392,17 @@ interface(`fs_getattr_nfsd_fs',` + ## + ## + # +-interface(`fs_search_nfsd_fs',` ++interface(`fs_rw_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + +- allow $1 nfsd_fs_t:dir search_dir_perms; ++ rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + + ######################################## + ## +-## List NFS server directories. ++## Getattr files on an nsfs filesystem + ## + ## + ## +@@ -3237,35 +4410,34 @@ interface(`fs_search_nfsd_fs',` + ## + ## + # +-interface(`fs_list_nfsd_fs',` ++interface(`fs_getattr_nsfs_files',` + gen_require(` +- type nfsd_fs_t; ++ type nsfs_t; + ') + +- allow $1 nfsd_fs_t:dir list_dir_perms; ++ getattr_files_pattern($1, nsfs_t, nsfs_t) + ') +- +-######################################## ++####################################### + ## +-## Getattr files on an nfsd filesystem ++## Read nsfs inodes (e.g. /proc/pid/ns/uts) + ## + ## +-## +-## Domain allowed access. 
+-## ++## ++## Domain allowed access. ++## + ## + # +-interface(`fs_getattr_nfsd_files',` ++interface(`fs_read_nsfs_files',` + gen_require(` +- type nfsd_fs_t; +- ') ++ type nsfs_t; ++ ') + +- getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ allow $1 nsfs_t:file read_file_perms; + ') + + ######################################## + ## +-## Read and write NFS server files. ++## Manage NFS server files. + ## + ## + ## +@@ -3273,12 +4445,12 @@ interface(`fs_getattr_nfsd_files',` + ## + ## + # +-interface(`fs_rw_nfsd_fs',` ++interface(`fs_manage_nfsd_fs',` + gen_require(` + type nfsd_fs_t; + ') + +- rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ++ manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) + ') + + ######################################## @@ -3392,7 +4564,7 @@ interface(`fs_search_ramfs',` ######################################## 
@@ -20218,186 +20092,116 @@ index 8416beb..761fbab 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3866,12 +5074,49 @@ interface(`fs_relabelfrom_tmpfs',` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:filesystem relabelfrom; -+ allow $1 tmpfs_t:filesystem relabelfrom; -+') -+ -+######################################## -+## -+## Get the attributes of tmpfs directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_getattr_tmpfs_dirs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ allow $1 tmpfs_t:dir getattr; -+') -+ -+######################################## -+## -+## Do not audit attempts to get the attributes -+## of tmpfs directories. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`fs_dontaudit_getattr_tmpfs_dirs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ dontaudit $1 tmpfs_t:dir getattr; - ') +@@ -3908,7 +5116,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ######################################## ## --## Get the attributes of tmpfs directories. +-## Mount on tmpfs directories. +## Set the attributes of tmpfs directories. ## ## ## -@@ -3879,36 +5124,35 @@ interface(`fs_relabelfrom_tmpfs',` +@@ -3916,17 +5124,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` ## ## # --interface(`fs_getattr_tmpfs_dirs',` +-interface(`fs_mounton_tmpfs',` +interface(`fs_setattr_tmpfs_dirs',` gen_require(` type tmpfs_t; ') -- allow $1 tmpfs_t:dir getattr; +- allow $1 tmpfs_t:dir mounton; + allow $1 tmpfs_t:dir setattr; ') ######################################## ## --## Do not audit attempts to get the attributes --## of tmpfs directories. +-## Set the attributes of tmpfs directories. +## Search tmpfs directories. ## ## ## --## Domain to not audit. -+## Domain allowed access. 
+@@ -3934,17 +5142,17 @@ interface(`fs_mounton_tmpfs',` ## ## # --interface(`fs_dontaudit_getattr_tmpfs_dirs',` +-interface(`fs_setattr_tmpfs_dirs',` +interface(`fs_search_tmpfs',` gen_require(` type tmpfs_t; ') -- dontaudit $1 tmpfs_t:dir getattr; +- allow $1 tmpfs_t:dir setattr; + allow $1 tmpfs_t:dir search_dir_perms; ') ######################################## ## --## Mount on tmpfs directories. +-## Search tmpfs directories. +## List the contents of generic tmpfs directories. ## ## ## -@@ -3916,35 +5160,36 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',` +@@ -3952,17 +5160,36 @@ interface(`fs_setattr_tmpfs_dirs',` ## ## # --interface(`fs_mounton_tmpfs',` +-interface(`fs_search_tmpfs',` +interface(`fs_list_tmpfs',` gen_require(` type tmpfs_t; ') -- allow $1 tmpfs_t:dir mounton; +- allow $1 tmpfs_t:dir search_dir_perms; + allow $1 tmpfs_t:dir list_dir_perms; ') ######################################## ## --## Set the attributes of tmpfs directories. +-## List the contents of generic tmpfs directories. +## Do not audit attempts to list the +## contents of generic tmpfs directories. - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## - # --interface(`fs_setattr_tmpfs_dirs',` ++## ++## ++# +interface(`fs_dontaudit_list_tmpfs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:dir setattr; ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + dontaudit $1 tmpfs_t:dir list_dir_perms; - ') - - ######################################## - ## --## Search tmpfs directories. ++') ++ ++######################################## ++## +## Relabel directory on tmpfs filesystems. 
## ## ## -@@ -3952,17 +5197,17 @@ interface(`fs_setattr_tmpfs_dirs',` - ## - ## - # --interface(`fs_search_tmpfs',` -+interface(`fs_relabel_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:dir search_dir_perms; -+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) - ') - - ######################################## - ## --## List the contents of generic tmpfs directories. -+## Relabel fifo_file on tmpfs filesystems. - ## - ## - ## -@@ -3970,31 +5215,30 @@ interface(`fs_search_tmpfs',` +@@ -3970,31 +5197,48 @@ interface(`fs_search_tmpfs',` ## ## # -interface(`fs_list_tmpfs',` -+interface(`fs_relabel_tmpfs_fifo_files',` ++interface(`fs_relabel_tmpfs_dirs',` gen_require(` type tmpfs_t; ') - allow $1 tmpfs_t:dir list_dir_perms; -+ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) ++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## -## Do not audit attempts to list the -## contents of generic tmpfs directories. -+## Relabel files on tmpfs filesystems. ++## Relabel fifo_file on tmpfs filesystems. ## ## ## 
@@ -20407,64 +20211,67 @@ index 8416beb..761fbab 100644 ## # -interface(`fs_dontaudit_list_tmpfs',` -+interface(`fs_relabel_tmpfs_files',` ++interface(`fs_relabel_tmpfs_fifo_files',` gen_require(` type tmpfs_t; ') - dontaudit $1 tmpfs_t:dir list_dir_perms; ++ relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) ++') ++ ++######################################## ++## ++## Relabel files on tmpfs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_relabel_tmpfs_files',` ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + relabel_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## -@@ -4105,7 +5349,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',` +@@ -4066,33 +5310,161 @@ interface(`fs_tmpfs_filetrans',` type tmpfs_t; ') -- dontaudit $1 tmpfs_t:file rw_file_perms; -+ dontaudit $1 tmpfs_t:file rw_inherited_file_perms; - ') - - ######################################## -@@ -4165,6 +5409,24 @@ interface(`fs_rw_tmpfs_files',` - - ######################################## - ## -+## Read and write generic tmpfs files. +- allow $2 tmpfs_t:filesystem associate; +- filetrans_pattern($1, tmpfs_t, $2, $3, $4) ++ allow $2 tmpfs_t:filesystem associate; ++ filetrans_pattern($1, tmpfs_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Do not audit attempts to getattr ++## generic tmpfs files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`fs_rw_inherited_tmpfs_files',` ++interface(`fs_dontaudit_getattr_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:file { read write }; ++ dontaudit $1 tmpfs_t:file getattr; +') + +######################################## +## - ## Read tmpfs link files. - ## - ## -@@ -4202,7 +5464,7 @@ interface(`fs_rw_tmpfs_chr_files',` - - ######################################## - ## --## dontaudit Read and write character nodes on tmpfs filesystems. 
-+## Do not audit attempts to read and write character nodes on tmpfs filesystems. - ## - ## - ## -@@ -4221,6 +5483,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` - - ######################################## - ## -+## Do not audit attempts to create character nodes on tmpfs filesystems. ++## Do not audit attempts to read or write ++## generic tmpfs files. +## +## +## @@ -20472,60 +20279,54 @@ index 8416beb..761fbab 100644 +## +## +# -+interface(`fs_dontaudit_create_tmpfs_chr_dev',` ++interface(`fs_dontaudit_rw_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ dontaudit $1 tmpfs_t:chr_file create; ++ dontaudit $1 tmpfs_t:file rw_inherited_file_perms; +') + +######################################## +## -+## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems. ++## Create, read, write, and delete ++## auto moutpoints. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`fs_dontaudit_read_tmpfs_blk_dev',` ++interface(`fs_manage_auto_mountpoints',` + gen_require(` -+ type tmpfs_t; ++ type autofs_t; + ') + -+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; ++ allow $1 autofs_t:dir manage_dir_perms; +') + +######################################## +## -+## Do not audit attempts to read files on tmpfs filesystems. ++## Read generic tmpfs files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`fs_dontaudit_read_tmpfs_files',` ++interface(`fs_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ dontaudit $1 tmpfs_t:blk_file read; ++ read_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## - ## Relabel character nodes on tmpfs filesystems. - ## - ## -@@ -4278,6 +5594,44 @@ interface(`fs_relabel_tmpfs_blk_file',` - - ######################################## - ## -+## Relabel sock nodes on tmpfs filesystems. ++## Read and write generic tmpfs files. +## +## +## 
@@ -20533,18 +20334,17 @@ index 8416beb..761fbab 100644 +## +## +# -+interface(`fs_relabel_tmpfs_sock_file',` ++interface(`fs_rw_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:dir list_dir_perms; -+ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) ++ rw_files_pattern($1, tmpfs_t, tmpfs_t) +') + +######################################## +## -+## Delete generic files in tmpfs directory. ++## Read and write generic tmpfs files. +## +## +## 
@@ -20552,46 +20352,307 @@ index 8416beb..761fbab 100644 +## +## +# -+interface(`fs_delete_tmpfs_files',` ++interface(`fs_rw_inherited_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:dir del_entry_dir_perms; -+ allow $1 tmpfs_t:file_class_set delete_file_perms; ++ allow $1 tmpfs_t:file { read write }; +') + +######################################## +## - ## Read and write, create and delete generic - ## files on tmpfs filesystems. - ## -@@ -4297,6 +5651,25 @@ interface(`fs_manage_tmpfs_files',` - - ######################################## - ## -+## Execute files on a tmpfs filesystem. ++## Read tmpfs link files. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`fs_exec_tmpfs_files',` ++interface(`fs_read_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + -+ exec_files_pattern($1, tmpfs_t, tmpfs_t) -+') -+ -+######################################## -+## - ## Read and write, create and delete symbolic - ## links on tmpfs filesystems. ++ read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to getattr +-## generic tmpfs files. ++## Read and write character nodes on tmpfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_getattr_tmpfs_files',` ++interface(`fs_rw_tmpfs_chr_files',` + gen_require(` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:file getattr; ++ allow $1 tmpfs_t:dir list_dir_perms; ++ rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Do not audit attempts to read or write +-## generic tmpfs files. ++## Do not audit attempts to read and write character nodes on tmpfs filesystems. 
+ ## + ## + ## +@@ -4100,72 +5472,72 @@ interface(`fs_dontaudit_getattr_tmpfs_files',` + ## + ## + # +-interface(`fs_dontaudit_rw_tmpfs_files',` ++interface(`fs_dontaudit_use_tmpfs_chr_dev',` + gen_require(` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:file rw_file_perms; ++ dontaudit $1 tmpfs_t:dir list_dir_perms; ++ dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## auto moutpoints. ++## Do not audit attempts to create character nodes on tmpfs filesystems. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_manage_auto_mountpoints',` ++interface(`fs_dontaudit_create_tmpfs_chr_dev',` + gen_require(` +- type autofs_t; ++ type tmpfs_t; + ') + +- allow $1 autofs_t:dir manage_dir_perms; ++ dontaudit $1 tmpfs_t:chr_file create; + ') + + ######################################## + ## +-## Read generic tmpfs files. ++## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_read_tmpfs_files',` ++interface(`fs_dontaudit_read_tmpfs_blk_dev',` + gen_require(` + type tmpfs_t; + ') + +- read_files_pattern($1, tmpfs_t, tmpfs_t) ++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; + ') + + ######################################## + ## +-## Read and write generic tmpfs files. ++## Do not audit attempts to read files on tmpfs filesystems. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`fs_rw_tmpfs_files',` ++interface(`fs_dontaudit_read_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + +- rw_files_pattern($1, tmpfs_t, tmpfs_t) ++ dontaudit $1 tmpfs_t:blk_file read; + ') + + ######################################## + ## +-## Read tmpfs link files. ++## Relabel character nodes on tmpfs filesystems. 
+ ## + ## + ## +@@ -4173,17 +5545,18 @@ interface(`fs_rw_tmpfs_files',` + ## + ## + # +-interface(`fs_read_tmpfs_symlinks',` ++interface(`fs_relabel_tmpfs_chr_file',` + gen_require(` + type tmpfs_t; + ') + +- read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) ++ allow $1 tmpfs_t:dir list_dir_perms; ++ relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Read and write character nodes on tmpfs filesystems. ++## Read and write block nodes on tmpfs filesystems. + ## + ## + ## +@@ -4191,37 +5564,37 @@ interface(`fs_read_tmpfs_symlinks',` + ## + ## + # +-interface(`fs_rw_tmpfs_chr_files',` ++interface(`fs_rw_tmpfs_blk_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; +- rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) ++ rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## dontaudit Read and write character nodes on tmpfs filesystems. ++## Relabel block nodes on tmpfs filesystems. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`fs_dontaudit_use_tmpfs_chr_dev',` ++interface(`fs_relabel_tmpfs_blk_file',` + gen_require(` + type tmpfs_t; + ') + +- dontaudit $1 tmpfs_t:dir list_dir_perms; +- dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; ++ allow $1 tmpfs_t:dir list_dir_perms; ++ relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Relabel character nodes on tmpfs filesystems. ++## Relabel sock nodes on tmpfs filesystems. 
+ ## + ## + ## +@@ -4229,18 +5602,18 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` + ## + ## + # +-interface(`fs_relabel_tmpfs_chr_file',` ++interface(`fs_relabel_tmpfs_sock_file',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir list_dir_perms; +- relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) ++ relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Read and write block nodes on tmpfs filesystems. ++## Delete generic files in tmpfs directory. + ## + ## + ## +@@ -4248,18 +5621,19 @@ interface(`fs_relabel_tmpfs_chr_file',` + ## + ## + # +-interface(`fs_rw_tmpfs_blk_files',` ++interface(`fs_delete_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir list_dir_perms; +- rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) ++ allow $1 tmpfs_t:dir del_entry_dir_perms; ++ allow $1 tmpfs_t:file_class_set delete_file_perms; + ') + + ######################################## + ## +-## Relabel block nodes on tmpfs filesystems. ++## Read and write, create and delete generic ++## files on tmpfs filesystems. + ## + ## + ## +@@ -4267,32 +5641,31 @@ interface(`fs_rw_tmpfs_blk_files',` + ## + ## + # +-interface(`fs_relabel_tmpfs_blk_file',` ++interface(`fs_manage_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:dir list_dir_perms; +- relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) ++ manage_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## + ## +-## Read and write, create and delete generic +-## files on tmpfs filesystems. ++## Execute files on a tmpfs filesystem. ## + ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`fs_manage_tmpfs_files',` ++interface(`fs_exec_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + +- manage_files_pattern($1, tmpfs_t, tmpfs_t) ++ exec_files_pattern($1, tmpfs_t, tmpfs_t) + ') + + ######################################## 
@@ -4407,6 +5780,25 @@ interface(`fs_search_xenfs',` allow $1 xenfs_t:dir search_dir_perms; ') @@ -20689,7 +20750,7 @@ index 8416beb..761fbab 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6345,82 @@ interface(`fs_unconfined',` +@@ -4912,3 +6345,173 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -20772,6 +20833,97 @@ index 8416beb..761fbab 100644 + rw_sock_files_pattern($1, onload_fs_t, onload_fs_t) +') + ++######################################## ++## ++## Read and write tracefs_t files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_tracefs_files',` ++ gen_require(` ++ type tracefs_t; ++ ') ++ ++ rw_files_pattern($1, tracefs_t, tracefs_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete dirs ++## labeled as tracefs_t. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`fs_manage_tracefs_dirs',` ++ gen_require(` ++ type tracefs_t; ++ ') ++ ++ manage_dirs_pattern($1, tracefs_t, tracefs_t) ++') ++ ++######################################## ++## ++## Mount tracefs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mount_tracefs', ` ++ gen_require(` ++ type tracefs_t; ++ ') ++ ++ allow $1 tracefs_t:filesystem mount; ++') ++ ++######################################## ++## ++## Remount tracefs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_remount_tracefs', ` ++ gen_require(` ++ type tracefs_t; ++ ') ++ ++ allow $1 tracefs_t:filesystem remount; ++') ++ ++######################################## ++## ++## Unmount tracefs filesystems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_unmount_tracefs', ` ++ gen_require(` ++ type cgroup_t; ++ ') ++ ++ allow $1 tracefs_t:filesystem unmount; ++') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index e7d1738..59c1cb8 100644 
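Review bot: `fs_dontaudit_read_tmpfs_files` is documented as "Do not audit attempts to read files on tmpfs filesystems" but its rule is `dontaudit $1 tmpfs_t:blk_file read;`, so a caller using it to silence file reads will still see those denials; if files are meant the rule should be `dontaudit $1 tmpfs_t:file read;`, otherwise the interface name and summary should say block nodes. Right above it, the summary of `fs_dontaudit_read_tmpfs_blk_dev` reads "Do not audit attempts to dontaudit read block nodes", where the second `dontaudit` should be dropped. Both interfaces are moved rather than written by this change, but they sit on the new side of the hunk and the mismatch will be copied into the next rebase as well.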
--- a/policy/modules/kernel/filesystem.te @@ -26772,10 +26924,10 @@ index 0000000..03faeac + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..bca9f3c +index 0000000..270e9a8 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,349 @@ +@@ -0,0 +1,350 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -27084,6 +27236,7 @@ index 0000000..bca9f3c + +optional_policy(` + oddjob_run_mkhomedir(unconfined_t, unconfined_r) ++ oddjob_run(unconfined_t, unconfined_r) +') + +optional_policy(` @@ -27988,7 +28141,7 @@ index 76d9f66..7528851 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..0ac21a6 100644 +index fe0c682..d55811f 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -28162,15 +28315,18 @@ index fe0c682..0ac21a6 100644 auth_rw_login_records($1_t) auth_rw_faillog($1_t) -@@ -234,6 +264,7 @@ template(`ssh_server_template', ` +@@ -233,7 +263,10 @@ template(`ssh_server_template', ` + # for sshd subsystems, such as sftp-server. corecmd_getattr_bin_files($1_t) ++ dev_rw_crypto($1_t) ++ domain_interactive_fd($1_t) + domain_dyntrans_type($1_t) files_read_etc_files($1_t) files_read_etc_runtime_files($1_t) -@@ -241,35 +272,33 @@ template(`ssh_server_template', ` +@@ -241,35 +274,33 @@ template(`ssh_server_template', ` logging_search_logs($1_t) @@ -28217,7 +28373,7 @@ index fe0c682..0ac21a6 100644 ') ######################################## -@@ -292,14 +321,15 @@ template(`ssh_server_template', ` +@@ -292,14 +323,15 @@ template(`ssh_server_template', ` ## User domain for the role ## ## 
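Review bot: `fs_unmount_tracefs` requires `type cgroup_t;` in its `gen_require` but its only rule is `allow $1 tracefs_t:filesystem unmount;`, so the required type is unused and `tracefs_t` is not declared for the interface; the block should read `type tracefs_t;` as in the sibling `fs_mount_tracefs` and `fs_remount_tracefs`. Minor style point: `fs_mount_tracefs', ``, `fs_remount_tracefs', `` and `fs_unmount_tracefs', `` carry a space before the opening backquote of the body, unlike every other interface in this file, and the `fs_manage_tracefs_dirs` doc block has one more `##` line than its neighbours.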
@@ -28234,7 +28390,7 @@ index fe0c682..0ac21a6 100644 ') ############################## -@@ -328,103 +358,56 @@ template(`ssh_role_template',` +@@ -328,103 +360,56 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) @@ -28334,12 +28490,12 @@ index fe0c682..0ac21a6 100644 - # transition back to normal privs upon exec - fs_cifs_domtrans($1_ssh_agent_t, $3) - ') -+ userdom_home_manager($1_ssh_agent_t) - +- - optional_policy(` - nis_use_ypbind($1_ssh_agent_t) - ') -- ++ userdom_home_manager($1_ssh_agent_t) + - optional_policy(` - xserver_use_xdm_fds($1_ssh_agent_t) - xserver_rw_xdm_pipes($1_ssh_agent_t) @@ -28348,7 +28504,7 @@ index fe0c682..0ac21a6 100644 ') ######################################## -@@ -496,8 +479,27 @@ interface(`ssh_read_pipes',` +@@ -496,8 +481,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -28377,7 +28533,7 @@ index fe0c682..0ac21a6 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -513,7 +515,7 @@ interface(`ssh_rw_pipes',` +@@ -513,7 +517,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -28386,7 +28542,7 @@ index fe0c682..0ac21a6 100644 ') ######################################## -@@ -605,6 +607,24 @@ interface(`ssh_domtrans',` +@@ -605,6 +609,24 @@ interface(`ssh_domtrans',` ######################################## ## @@ -28411,7 +28567,7 @@ index fe0c682..0ac21a6 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -637,7 +657,7 @@ interface(`ssh_setattr_key_files',` +@@ -637,7 +659,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -28420,7 +28576,7 @@ index fe0c682..0ac21a6 100644 files_search_pids($1) ') -@@ -662,6 +682,42 @@ interface(`ssh_agent_exec',` +@@ -662,6 +684,42 @@ interface(`ssh_agent_exec',` ######################################## ## 
@@ -28463,7 +28619,7 @@ index fe0c682..0ac21a6 100644 ## Read ssh home directory content ## ## -@@ -701,6 +757,68 @@ interface(`ssh_domtrans_keygen',` +@@ -701,6 +759,68 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -28532,7 +28688,7 @@ index fe0c682..0ac21a6 100644 ## Read ssh server keys ## ## -@@ -714,7 +832,26 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -714,7 +834,26 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -28560,7 +28716,7 @@ index fe0c682..0ac21a6 100644 ') ###################################### -@@ -754,3 +891,151 @@ interface(`ssh_delete_tmp',` +@@ -754,3 +893,151 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -36862,7 +37018,7 @@ index 79a45f6..e69fa39 100644 + allow $1 init_var_lib_t:dir search_dir_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 17eda24..ef7952e 100644 +index 17eda24..3945e2c 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` @@ -36973,20 +37129,21 @@ index 17eda24..ef7952e 100644 type initrc_devpts_t; term_pty(initrc_devpts_t) -@@ -98,7 +146,11 @@ ifdef(`enable_mls',` +@@ -98,7 +146,12 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: -allow init_t self:capability ~sys_module; +allow init_t self:capability ~{ audit_control audit_write sys_module }; +allow init_t self:capability2 ~{ mac_admin mac_override }; ++allow init_t self:cap_userns all_cap_userns_perms; +allow init_t self:tcp_socket { listen accept }; +allow init_t self:packet_socket create_socket_perms; +allow init_t self:key manage_key_perms; # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -108,14 +160,43 @@ allow init_t self:capability ~sys_module; +@@ -108,14 +161,43 @@ allow init_t self:capability ~sys_module; allow init_t self:fifo_file rw_fifo_file_perms; 
@@ -37036,7 +37193,7 @@ index 17eda24..ef7952e 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +206,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +207,23 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -37061,7 +37218,7 @@ index 17eda24..ef7952e 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +230,24 @@ domain_signal_all_domains(init_t) +@@ -139,14 +231,24 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) @@ -37087,7 +37244,7 @@ index 17eda24..ef7952e 100644 # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +257,64 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +258,64 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) @@ -37157,7 +37314,7 @@ index 17eda24..ef7952e 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +323,264 @@ ifdef(`distro_gentoo',` +@@ -186,29 +324,264 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -37431,7 +37588,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -216,7 +588,30 @@ optional_policy(` +@@ -216,7 +589,30 @@ optional_policy(` ') optional_policy(` @@ -37463,7 +37620,7 @@ index 17eda24..ef7952e 100644 ') ######################################## -@@ -225,9 +620,9 @@ optional_policy(` +@@ -225,9 +621,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
@@ -37475,7 +37632,7 @@ index 17eda24..ef7952e 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -258,12 +653,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -258,12 +654,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -37492,7 +37649,7 @@ index 17eda24..ef7952e 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -279,23 +678,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -279,23 +679,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -37535,7 +37692,7 @@ index 17eda24..ef7952e 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -303,9 +715,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -303,9 +716,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -37547,7 +37704,7 @@ index 17eda24..ef7952e 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -313,8 +727,10 @@ dev_write_framebuffer(initrc_t) +@@ -313,8 +728,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -37558,7 +37715,7 @@ index 17eda24..ef7952e 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -322,8 +738,7 @@ dev_manage_generic_files(initrc_t) +@@ -322,8 +739,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) 
@@ -37568,7 +37725,7 @@ index 17eda24..ef7952e 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -332,7 +747,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -332,7 +748,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -37576,7 +37733,7 @@ index 17eda24..ef7952e 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -340,6 +754,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -340,6 +755,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -37584,7 +37741,7 @@ index 17eda24..ef7952e 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -347,14 +762,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -347,14 +763,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -37602,7 +37759,7 @@ index 17eda24..ef7952e 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -364,8 +780,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -364,8 +781,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -37616,7 +37773,7 @@ index 17eda24..ef7952e 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -375,10 +795,11 @@ fs_mount_all_fs(initrc_t) +@@ -375,10 +796,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -37630,7 +37787,7 @@ index 17eda24..ef7952e 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -387,8 +808,10 @@ mls_process_read_up(initrc_t) +@@ -387,8 +809,10 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -37641,7 +37798,7 @@ index 17eda24..ef7952e 100644 storage_getattr_fixed_disk_dev(initrc_t) storage_setattr_fixed_disk_dev(initrc_t) -@@ -398,6 +821,7 @@ term_use_all_terms(initrc_t) +@@ -398,6 +822,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -37649,7 +37806,7 @@ index 17eda24..ef7952e 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -416,20 +840,18 @@ logging_read_all_logs(initrc_t) +@@ -416,20 +841,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) @@ -37673,7 +37830,7 @@ index 17eda24..ef7952e 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -451,7 +873,6 @@ ifdef(`distro_gentoo',` +@@ -451,7 +874,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -37681,7 +37838,7 @@ index 17eda24..ef7952e 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -486,6 +907,10 @@ ifdef(`distro_gentoo',` +@@ -486,6 +908,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -37692,7 +37849,7 @@ index 17eda24..ef7952e 100644 alsa_read_lib(initrc_t) ') -@@ -506,7 +931,7 @@ ifdef(`distro_redhat',` +@@ -506,7 +932,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -37701,7 +37858,7 @@ index 17eda24..ef7952e 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -521,6 +946,7 @@ ifdef(`distro_redhat',` +@@ -521,6 +947,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -37709,7 +37866,7 @@ index 17eda24..ef7952e 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -541,6 +967,7 @@ ifdef(`distro_redhat',` +@@ -541,6 +968,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -37717,7 +37874,7 @@ index 17eda24..ef7952e 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -550,8 +977,44 @@ ifdef(`distro_redhat',` +@@ -550,8 +978,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -37762,7 +37919,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -559,14 +1022,31 @@ ifdef(`distro_redhat',` +@@ -559,14 +1023,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -37794,7 +37951,7 @@ index 17eda24..ef7952e 100644 ') ') -@@ -577,6 +1057,39 @@ ifdef(`distro_suse',` +@@ -577,6 +1058,39 @@ ifdef(`distro_suse',` ') ') @@ -37834,7 +37991,7 @@ index 17eda24..ef7952e 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -589,6 +1102,8 @@ optional_policy(` +@@ -589,6 +1103,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -37843,7 +38000,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -610,6 +1125,7 @@ optional_policy(` +@@ -610,6 +1126,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -37851,7 +38008,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -626,6 +1142,17 @@ optional_policy(` +@@ -626,6 +1143,17 @@ optional_policy(` ') optional_policy(` 
@@ -37869,7 +38026,7 @@ index 17eda24..ef7952e 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -642,9 +1169,13 @@ optional_policy(` +@@ -642,9 +1170,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -37883,7 +38040,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -657,15 +1188,11 @@ optional_policy(` +@@ -657,15 +1189,11 @@ optional_policy(` ') optional_policy(` @@ -37901,7 +38058,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -686,6 +1213,15 @@ optional_policy(` +@@ -686,6 +1214,15 @@ optional_policy(` ') optional_policy(` @@ -37917,7 +38074,7 @@ index 17eda24..ef7952e 100644 inn_exec_config(initrc_t) ') -@@ -726,6 +1262,7 @@ optional_policy(` +@@ -726,6 +1263,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -37925,7 +38082,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -743,7 +1280,13 @@ optional_policy(` +@@ -743,7 +1281,13 @@ optional_policy(` ') optional_policy(` @@ -37940,7 +38097,7 @@ index 17eda24..ef7952e 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -766,6 +1309,10 @@ optional_policy(` +@@ -766,6 +1310,10 @@ optional_policy(` ') optional_policy(` @@ -37951,7 +38108,7 @@ index 17eda24..ef7952e 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -775,10 +1322,20 @@ optional_policy(` +@@ -775,10 +1323,20 @@ optional_policy(` ') optional_policy(` @@ -37972,7 +38129,7 @@ index 17eda24..ef7952e 100644 quota_manage_flags(initrc_t) ') -@@ -787,6 +1344,10 @@ optional_policy(` +@@ -787,6 +1345,10 @@ optional_policy(` ') optional_policy(` @@ -37983,7 +38140,7 @@ index 17eda24..ef7952e 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -808,8 +1369,6 @@ optional_policy(` +@@ -808,8 +1370,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -37992,7 +38149,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -818,6 +1377,10 @@ optional_policy(` +@@ -818,6 +1378,10 @@ optional_policy(` ') optional_policy(` @@ -38003,7 +38160,7 @@ index 17eda24..ef7952e 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -827,10 +1390,12 @@ optional_policy(` +@@ -827,10 +1391,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -38016,7 +38173,7 @@ index 17eda24..ef7952e 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -857,21 +1422,60 @@ optional_policy(` +@@ -857,21 +1423,60 @@ optional_policy(` ') optional_policy(` @@ -38078,7 +38235,7 @@ index 17eda24..ef7952e 100644 ') optional_policy(` -@@ -887,6 +1491,10 @@ optional_policy(` +@@ -887,6 +1492,10 @@ optional_policy(` ') optional_policy(` @@ -38089,7 +38246,7 @@ index 17eda24..ef7952e 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -897,3 +1505,218 @@ optional_policy(` +@@ -897,3 +1506,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48410,10 +48567,10 @@ index 0000000..16cd1ac +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..0a20dcb +index 0000000..540332c --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,952 @@ +@@ -0,0 +1,958 @@ +policy_module(systemd, 1.0.0) + +####################################### 
@@ -48779,6 +48936,8 @@ index 0000000..0a20dcb +allow systemd_networkd_t self:udp_socket create_socket_perms; +allow systemd_networkd_t self:rawip_socket create_socket_perms; + ++allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms; ++ +manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) +manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t) @@ -49242,6 +49401,7 @@ index 0000000..0a20dcb +# +# systemd_coredump domains +# ++allow systemd_coredump_t self:cap_userns sys_ptrace; + +manage_files_pattern(systemd_coredump_t, systemd_coredump_tmpfs_t, systemd_coredump_tmpfs_t) +fs_tmpfs_filetrans(systemd_coredump_t, systemd_coredump_tmpfs_t, file ) @@ -49312,6 +49472,7 @@ index 0000000..0a20dcb + +optional_policy(` + dbus_system_bus_client(systemd_resolved_t) ++ dbus_connect_system_bus(systemd_resolved_t) +') + +######################################## @@ -49359,6 +49520,8 @@ index 0000000..0a20dcb +# systemd_modules_load domain +# + ++allow systemd_modules_load_t self:capability sys_module; ++ +kernel_dgram_send(systemd_modules_load_t) + +dev_read_sysfs(systemd_modules_load_t) @@ -50780,7 +50943,7 @@ index db75976..c54480a 100644 +/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) + diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 9dc60c6..236692c 100644 +index 9dc60c6..420907f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -51786,7 +51949,7 @@ index 9dc60c6..236692c 100644 userdom_change_password_template($1) -@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', ` +@@ -761,82 +1012,113 @@ template(`userdom_login_user_template', ` # # User domain Local policy # 
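Review bot: `allow init_t systemd_networkd_t:netlink_route_socket create_netlink_socket_perms;` is a rule on init_t placed inside the systemd_networkd local-policy block, with no comment on which denial it addresses. `create_netlink_socket_perms` presumably includes `nlmsg_write`, which lets the holder change routes and interface state through that socket; if init only inherits or hands the socket on, a narrower set such as `rw_socket_perms` would do, so a one-line comment naming the observed AVC and why create/write is needed would help the next reviewer. Consider also placing the rule with the other init_t rules or noting why it lives with networkd.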
@@ -51922,6 +52085,7 @@ index 9dc60c6..236692c 100644 optional_policy(` - quota_dontaudit_getattr_db($1_t) + oddjob_run_mkhomedir($1_t, $1_r) ++ oddjob_run($1_t, $1_r) ') + optional_policy(` @@ -51935,7 +52099,7 @@ index 9dc60c6..236692c 100644 ') ') -@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',` +@@ -868,6 +1150,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -51948,7 +52112,7 @@ index 9dc60c6..236692c 100644 ############################## # # Local policy -@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,53 +1195,137 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # @@ -52100,7 +52264,7 @@ index 9dc60c6..236692c 100644 ') ####################################### -@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', ` +@@ -987,27 +1359,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -52138,7 +52302,7 @@ index 9dc60c6..236692c 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', ` +@@ -1018,23 +1396,63 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -52212,7 +52376,7 @@ index 9dc60c6..236692c 100644 ') # Run pppd in pppd_t by default for user -@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1043,7 +1461,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -52223,7 +52387,7 @@ index 9dc60c6..236692c 100644 ') ') -@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1079,7 +1499,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
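Review bot: `oddjob_run($1_t, $1_r)` is added to `userdom_login_user_template`, the base every login user domain is built from, so each such domain gains what is presumably the full oddjob client domain and role transition rather than only the mkhomedir helper that the existing `oddjob_run_mkhomedir($1_t, $1_r)` line covers. If every user is meant to be able to drive oddjob, a comment saying so and naming the helper that prompted it would help; otherwise the line belongs in the narrower template that actually needs it. The same line is added for `unconfined_t` in unconfineduser.te earlier in this diff, where the domain is unconfined anyway; the template itself continues outside the hunk.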
@@ -52234,7 +52398,7 @@ index 9dc60c6..236692c 100644 ') ############################## -@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',` +@@ -1095,6 +1517,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -52242,7 +52406,7 @@ index 9dc60c6..236692c 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',` +@@ -1105,14 +1528,8 @@ template(`userdom_admin_user_template',` # $1_t local policy # @@ -52259,7 +52423,7 @@ index 9dc60c6..236692c 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',` +@@ -1128,6 +1545,8 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -52268,7 +52432,7 @@ index 9dc60c6..236692c 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',` +@@ -1145,10 +1564,15 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -52284,7 +52448,7 @@ index 9dc60c6..236692c 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',` +@@ -1159,29 +1583,40 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) 
@@ -52329,7 +52493,7 @@ index 9dc60c6..236692c 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',` +@@ -1191,6 +1626,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -52338,7 +52502,7 @@ index 9dc60c6..236692c 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',` +@@ -1198,13 +1635,21 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -52361,7 +52525,7 @@ index 9dc60c6..236692c 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',` +@@ -1240,7 +1685,7 @@ template(`userdom_admin_user_template',` ## ## # @@ -52370,7 +52534,7 @@ index 9dc60c6..236692c 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',` +@@ -1250,6 +1695,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -52379,7 +52543,7 @@ index 9dc60c6..236692c 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',` +@@ -1262,8 +1709,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) 
@@ -52391,7 +52555,7 @@ index 9dc60c6..236692c 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',` +@@ -1274,29 +1723,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -52434,7 +52598,7 @@ index 9dc60c6..236692c 100644 ') optional_policy(` -@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',` +@@ -1357,14 +1808,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -52453,7 +52617,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',` +@@ -1397,12 +1851,52 @@ interface(`userdom_user_tmp_file',` ## # interface(`userdom_user_tmpfs_file',` @@ -52507,7 +52671,7 @@ index 9dc60c6..236692c 100644 ## Allow domain to attach to TUN devices created by administrative users. ## ## -@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1509,11 +2003,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -52539,7 +52703,7 @@ index 9dc60c6..236692c 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1555,6 +2069,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -52554,7 +52718,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1570,9 +2092,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; 
@@ -52566,7 +52730,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',` +@@ -1613,6 +2137,24 @@ interface(`userdom_manage_user_home_dirs',` ######################################## ## @@ -52591,7 +52755,7 @@ index 9dc60c6..236692c 100644 ## Relabel to user home directories. ## ## -@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1631,6 +2173,59 @@ interface(`userdom_relabelto_user_home_dirs',` ######################################## ## @@ -52651,7 +52815,7 @@ index 9dc60c6..236692c 100644 ## Create directories in the home dir root with ## the user home directory type. ## -@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',` +@@ -1704,10 +2299,12 @@ interface(`userdom_user_home_domtrans',` # interface(`userdom_dontaudit_search_user_home_content',` gen_require(` @@ -52666,7 +52830,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1741,10 +2338,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -52681,7 +52845,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1769,7 +2368,7 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## @@ -52690,7 +52854,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1777,19 +2376,17 @@ interface(`userdom_manage_user_home_content_dirs',` ## ## # @@ -52714,7 +52878,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` +@@ -1797,55 +2394,55 @@ interface(`userdom_delete_all_user_home_content_dirs',` ## ## # 
@@ -52785,7 +52949,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1853,18 +2450,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ## ## # @@ -52813,7 +52977,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1872,18 +2470,71 @@ interface(`userdom_mmap_user_home_content_files',` ## ## # @@ -52893,7 +53057,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',` +@@ -1891,13 +2542,113 @@ interface(`userdom_read_user_home_content_files',` ## ## # @@ -53010,7 +53174,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1938,7 +2689,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -53019,7 +53183,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1946,10 +2697,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # @@ -53032,7 +53196,7 @@ index 9dc60c6..236692c 100644 ') userdom_search_user_home_content($1) -@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1958,7 +2708,7 @@ interface(`userdom_delete_all_user_home_content_files',` ######################################## ## @@ -53041,7 +53205,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1966,12 +2716,66 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -53110,7 +53274,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2007,8 +2811,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -53120,7 +53284,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2024,20 +2827,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -53145,7 +53309,7 @@ index 9dc60c6..236692c 100644 ######################################## ## -@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2120,7 +2917,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -53154,7 +53318,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2128,19 +2925,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -53178,7 +53342,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2148,12 +2943,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -53194,7 +53358,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2388,18 +3183,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` ## ## # @@ -53252,7 +53416,7 @@ index 9dc60c6..236692c 100644 ## Do not audit attempts to read users ## temporary files. ## -@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2414,7 +3245,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
@@ -53261,7 +53425,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',` +@@ -2455,6 +3286,25 @@ interface(`userdom_rw_user_tmp_files',` rw_files_pattern($1, user_tmp_t, user_tmp_t) files_search_tmp($1) ') @@ -53287,7 +53451,7 @@ index 9dc60c6..236692c 100644 ######################################## ## -@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',` +@@ -2538,7 +3388,27 @@ interface(`userdom_manage_user_tmp_files',` ######################################## ## ## Create, read, write, and delete user @@ -53316,7 +53480,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',` +@@ -2566,6 +3436,27 @@ interface(`userdom_manage_user_tmp_symlinks',` ## ## # @@ -53344,7 +53508,7 @@ index 9dc60c6..236692c 100644 interface(`userdom_manage_user_tmp_pipes',` gen_require(` type user_tmp_t; -@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2661,6 +3552,21 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -53366,7 +53530,7 @@ index 9dc60c6..236692c 100644 ######################################## ## ## Read user tmpfs files. -@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2672,18 +3578,13 @@ interface(`userdom_tmp_filetrans_user_tmp',` ## # interface(`userdom_read_user_tmpfs_files',` @@ -53388,7 +53552,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2692,19 +3593,13 @@ interface(`userdom_read_user_tmpfs_files',` ## # interface(`userdom_rw_user_tmpfs_files',` @@ -53411,7 +53575,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2713,13 +3608,56 @@ interface(`userdom_rw_user_tmpfs_files',` ## # interface(`userdom_manage_user_tmpfs_files',` 
@@ -53472,7 +53636,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',` +@@ -2814,6 +3752,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -53497,7 +53661,7 @@ index 9dc60c6..236692c 100644 ## Read and write a user domain pty. ## ## -@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',` +@@ -2832,22 +3788,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -53540,7 +53704,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -2856,14 +3823,33 @@ interface(`userdom_use_user_ptys',` +@@ -2856,14 +3824,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -53578,7 +53742,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2882,8 +3868,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2882,8 +3869,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -53608,7 +53772,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -2955,6 +3960,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2955,6 +3961,42 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -53651,7 +53815,7 @@ index 9dc60c6..236692c 100644 ######################################## ## ## Execute an Xserver session in all unprivileged user domains. This -@@ -2978,24 +4019,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` +@@ -2978,24 +4020,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') 
@@ -53676,7 +53840,7 @@ index 9dc60c6..236692c 100644 ######################################## ## ## Manage unpriviledged user SysV sempaphores. -@@ -3014,9 +4037,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3014,9 +4038,9 @@ interface(`userdom_manage_unpriv_user_semaphores',` allow $1 unpriv_userdomain:sem create_sem_perms; ') @@ -53688,7 +53852,7 @@ index 9dc60c6..236692c 100644 ## memory segments. ## ## -@@ -3025,17 +4048,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3025,17 +4049,17 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -53709,7 +53873,7 @@ index 9dc60c6..236692c 100644 ## memory segments. ## ## -@@ -3044,12 +4067,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` +@@ -3044,12 +4068,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',` ## ## # @@ -53724,7 +53888,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -3094,7 +4117,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3094,7 +4118,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -53733,7 +53897,7 @@ index 9dc60c6..236692c 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3110,29 +4133,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3110,29 +4134,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -53767,7 +53931,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -3214,7 +4221,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3214,7 +4222,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -53794,7 +53958,7 @@ index 9dc60c6..236692c 100644 ') ######################################## -@@ -3269,12 +4294,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3269,12 +4295,13 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -53810,7 +53974,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -3282,54 +4308,56 @@ interface(`userdom_write_user_tmp_files',` +@@ -3282,54 +4309,56 @@ interface(`userdom_write_user_tmp_files',` ## ## # @@ -53882,7 +54046,7 @@ index 9dc60c6..236692c 100644 ## ## ## -@@ -3337,17 +4365,91 @@ interface(`userdom_getattr_all_users',` +@@ -3337,17 +4366,91 @@ interface(`userdom_getattr_all_users',` ## ## # @@ -53977,7 +54141,7 @@ index 9dc60c6..236692c 100644 ## descriptors from any user domains. ## ## -@@ -3382,6 +4484,42 @@ interface(`userdom_signal_all_users',` +@@ -3382,6 +4485,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -54020,7 +54184,7 @@ index 9dc60c6..236692c 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3402,6 +4540,60 @@ interface(`userdom_sigchld_all_users',` +@@ -3402,6 +4541,60 @@ interface(`userdom_sigchld_all_users',` ######################################## ## @@ -54081,7 +54245,7 @@ index 9dc60c6..236692c 100644 ## Create keys for all user domains. ## ## -@@ -3435,4 +4627,1781 @@ interface(`userdom_dbus_send_all_users',` +@@ -3435,4 +4628,1781 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch index 3a31564..f6615c4 100644 --- a/policy-f24-contrib.patch +++ b/policy-f24-contrib.patch @@ -19101,7 +19101,7 @@ index 1303b30..f13c532 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 7de3859..1444c2f 100644 +index 7de3859..e8010ba 100644 --- a/cron.te +++ b/cron.te @@ -11,46 +11,54 @@ gen_require(` 
@@ -19454,7 +19454,7 @@ index 7de3859..1444c2f 100644 auth_use_nsswitch(crond_t) logging_send_audit_msgs(crond_t) -@@ -312,41 +264,46 @@ logging_set_loginuid(crond_t) +@@ -312,41 +264,49 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -19476,9 +19476,11 @@ index 7de3859..1444c2f 100644 - allow crond_t cronjob_t:process transition; - allow crond_t cronjob_t:fd use; - allow crond_t cronjob_t:key manage_key_perms; --') -+mta_send_mail(crond_t) -+mta_system_content(cron_spool_t) ++optional_policy(` ++ mta_send_mail(crond_t) ++ mta_filetrans_admin_home_content(crond_t) ++ mta_system_content(cron_spool_t) + ') ifdef(`distro_debian',` + # pam_limits is used @@ -19517,7 +19519,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -354,103 +311,141 @@ optional_policy(` +@@ -354,103 +314,141 @@ optional_policy(` ') optional_policy(` @@ -19690,7 +19692,7 @@ index 7de3859..1444c2f 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -461,11 +456,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -461,11 +459,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -19703,7 +19705,7 @@ index 7de3859..1444c2f 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -485,6 +480,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -485,6 +483,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) 
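Review bot: `mta_filetrans_admin_home_content(crond_t)` in the new optional_policy block gives the cron daemon itself, not only the job domains, a type transition for content it creates under the administrator's home directory; the object classes and file name the interface keys on are not visible here, so its effective scope should be confirmed before a root-running daemon gets it. The same call is added for system_cronjob_t in the later hunk `@@ -19807,15 +19809,16 @@` on this line. A comment stating which delivery path needs it would help, e.g. `# TODO(review): name the file crond creates in root's home that must carry the mail home label`.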
@@ -19711,7 +19713,7 @@ index 7de3859..1444c2f 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -495,17 +491,22 @@ files_getattr_all_files(system_cronjob_t) +@@ -495,17 +494,22 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -19736,7 +19738,7 @@ index 7de3859..1444c2f 100644 auth_use_nsswitch(system_cronjob_t) -@@ -516,20 +517,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -516,20 +520,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -19766,7 +19768,7 @@ index 7de3859..1444c2f 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -539,10 +546,18 @@ tunable_policy(`cron_can_relabel',` +@@ -539,10 +549,18 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -19785,7 +19787,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -551,10 +566,6 @@ optional_policy(` +@@ -551,10 +569,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -19796,7 +19798,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -567,6 +578,10 @@ optional_policy(` +@@ -567,6 +581,10 @@ optional_policy(` ') optional_policy(` @@ -19807,15 +19809,16 @@ index 7de3859..1444c2f 100644 ftp_read_log(system_cronjob_t) ') -@@ -591,6 +606,7 @@ optional_policy(` +@@ -591,6 +609,8 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) ++ mta_filetrans_admin_home_content(system_cronjob_t) + mta_system_content(system_cron_spool_t) ') optional_policy(` -@@ -598,7 +614,23 @@ optional_policy(` +@@ -598,7 +618,23 @@ optional_policy(` ') optional_policy(` 
@@ -19839,7 +19842,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -607,7 +639,12 @@ optional_policy(` +@@ -607,7 +643,12 @@ optional_policy(` ') optional_policy(` @@ -19852,7 +19855,7 @@ index 7de3859..1444c2f 100644 ') optional_policy(` -@@ -615,12 +652,27 @@ optional_policy(` +@@ -615,12 +656,27 @@ optional_policy(` ') optional_policy(` @@ -19882,7 +19885,7 @@ index 7de3859..1444c2f 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -628,12 +680,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -628,12 +684,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -19916,7 +19919,7 @@ index 7de3859..1444c2f 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -641,66 +713,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -641,66 +717,141 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -20794,7 +20797,7 @@ index 3023be7..4f0fe46 100644 + files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") ') diff --git a/cups.te b/cups.te -index c91813c..65e9a4d 100644 +index c91813c..8aececf 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,31 @@ policy_module(cups, 1.16.2) 
@@ -21196,8 +21199,11 @@ index c91813c..65e9a4d 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -372,18 +436,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -370,20 +434,19 @@ allow cupsd_config_t cupsd_var_run_t:file read_file_perms; + + manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) ++manage_sock_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) -read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t) @@ -21217,7 +21223,7 @@ index c91813c..65e9a4d 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -392,20 +454,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -392,20 +455,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -21238,7 +21244,7 @@ index c91813c..65e9a4d 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -417,11 +471,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -417,11 +472,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -21250,7 +21256,7 @@ index c91813c..65e9a4d 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -449,9 +498,12 @@ optional_policy(` +@@ -449,9 +499,12 @@ optional_policy(` ') optional_policy(` @@ -21264,7 +21270,7 @@ index c91813c..65e9a4d 100644 ') optional_policy(` -@@ -467,6 +519,10 @@ optional_policy(` +@@ -467,6 +520,10 @@ optional_policy(` ') optional_policy(` 
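Review bot: The new `manage_sock_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)` has no matching type transition: the context line right below still reads `files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })`, so a socket created directly in /var/run by cupsd_config_t would be labelled with the generic pid type and the new rule would never match. If the socket lives directly under /var/run rather than inside a cupsd_config_var_run_t directory, the transition should be extended to `files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file sock_file })`. If it is created inside that directory, a comment saying so would settle the question.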
@@ -21275,7 +21281,7 @@ index c91813c..65e9a4d 100644 rpm_read_db(cupsd_config_t) ') -@@ -487,10 +543,6 @@ optional_policy(` +@@ -487,10 +544,6 @@ optional_policy(` # Lpd local policy # @@ -21286,7 +21292,7 @@ index c91813c..65e9a4d 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -508,15 +560,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -508,15 +561,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -21304,7 +21310,7 @@ index c91813c..65e9a4d 100644 corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t) corenet_sendrecv_printer_server_packets(cupsd_lpd_t) -@@ -537,9 +589,6 @@ auth_use_nsswitch(cupsd_lpd_t) +@@ -537,9 +590,6 @@ auth_use_nsswitch(cupsd_lpd_t) logging_send_syslog_msg(cupsd_lpd_t) @@ -21314,7 +21320,7 @@ index c91813c..65e9a4d 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -550,7 +599,6 @@ optional_policy(` +@@ -550,7 +600,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -21322,7 +21328,7 @@ index c91813c..65e9a4d 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -566,148 +614,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -566,148 +615,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -21474,7 +21480,7 @@ index c91813c..65e9a4d 100644 ######################################## # -@@ -735,7 +658,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -735,7 +659,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
@@ -21482,7 +21488,7 @@ index c91813c..65e9a4d 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -745,13 +667,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -745,13 +668,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -21496,7 +21502,7 @@ index c91813c..65e9a4d 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -759,8 +679,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -759,8 +680,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -21505,7 +21511,7 @@ index c91813c..65e9a4d 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -773,3 +691,4 @@ optional_policy(` +@@ -773,3 +692,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -25138,10 +25144,10 @@ index 0000000..b214253 +') diff --git a/dirsrv.te b/dirsrv.te new file mode 100644 -index 0000000..aa290b1 +index 0000000..89f1271 --- /dev/null +++ b/dirsrv.te -@@ -0,0 +1,200 @@ +@@ -0,0 +1,203 @@ +policy_module(dirsrv,1.0.0) + +######################################## @@ -25235,6 +25241,9 @@ index 0000000..aa290b1 +files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir }) +allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms; + ++read_files_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t) ++list_dirs_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t) ++ +kernel_read_network_state(dirsrv_t) +kernel_read_system_state(dirsrv_t) +kernel_read_kernel_sysctls(dirsrv_t) @@ -28811,7 +28820,7 @@ index c62c567..a74f123 100644 + allow $1 firewalld_unit_file_t:service all_service_perms; ') diff --git a/firewalld.te b/firewalld.te -index 98072a3..73c5573 100644 +index 98072a3..9670e41 100644 --- a/firewalld.te +++ b/firewalld.te @@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t) 
@@ -28855,7 +28864,7 @@ index 98072a3..73c5573 100644 kernel_read_network_state(firewalld_t) kernel_read_system_state(firewalld_t) -@@ -63,20 +77,21 @@ dev_search_sysfs(firewalld_t) +@@ -63,20 +77,23 @@ dev_search_sysfs(firewalld_t) domain_use_interactive_fds(firewalld_t) @@ -28881,10 +28890,12 @@ index 98072a3..73c5573 100644 +sysnet_dns_name_resolve(firewalld_t) +sysnet_manage_config_dirs(firewalld_t) +sysnet_manage_config(firewalld_t) ++sysnet_relabelfrom_net_conf(firewalld_t) ++sysnet_relabelto_net_conf(firewalld_t) optional_policy(` dbus_system_domain(firewalld_t, firewalld_exec_t) -@@ -95,6 +110,10 @@ optional_policy(` +@@ -95,6 +112,10 @@ optional_policy(` ') optional_policy(` @@ -29213,11 +29224,14 @@ index 5010f04..3b73741 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index 92a6479..addf8a6 100644 +index 92a6479..59a65a4 100644 --- a/fprintd.te +++ b/fprintd.te -@@ -20,23 +20,26 @@ files_type(fprintd_var_lib_t) +@@ -18,25 +18,29 @@ files_type(fprintd_var_lib_t) + # + allow fprintd_t self:capability sys_nice; ++allow fprintd_t self:capability2 wake_alarm; allow fprintd_t self:process { getsched setsched signal sigkill }; allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -29246,7 +29260,7 @@ index 92a6479..addf8a6 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +57,17 @@ optional_policy(` +@@ -54,8 +58,17 @@ optional_policy(` ') ') @@ -37443,10 +37457,10 @@ index 6517fad..f183748 100644 + allow $1 hypervkvp_unit_file_t:service all_service_perms; ') diff --git a/hypervkvp.te b/hypervkvp.te -index 4eb7041..b7b9201 100644 +index 4eb7041..097bd50 100644 --- a/hypervkvp.te +++ b/hypervkvp.te -@@ -5,24 +5,148 @@ policy_module(hypervkvp, 1.0.0) +@@ -5,24 +5,150 @@ policy_module(hypervkvp, 1.0.0) # Declarations # 
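Review bot: `sysnet_relabelfrom_net_conf(firewalld_t)` and `sysnet_relabelto_net_conf(firewalld_t)` add relabel rights on the network configuration type on top of the manage rights granted by the `sysnet_manage_config` calls just above them; relabelfrom in particular lets firewalld move files out of that type into any other type it can relabel to, which is broader than editing the files in place. The hunk does not say which file or operation requires relabeling rather than writing. A comment on the pair, such as `# relabel needed when <operation> recreates <file> — TODO confirm relabelfrom is required`, would document the justification.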
@@ -37534,6 +37548,8 @@ index 4eb7041..b7b9201 100644 +files_dontaudit_search_home(hypervkvp_t) + +fs_getattr_all_fs(hypervkvp_t) ++fs_read_hugetlbfs_files(hypervkvp_t) ++fs_list_hugetlbfs(hypervkvp_t) + +auth_use_nsswitch(hypervkvp_t) + @@ -38571,10 +38587,10 @@ index 0000000..1a30961 +') diff --git a/ipa.te b/ipa.te new file mode 100644 -index 0000000..e3b22a3 +index 0000000..81f38fe --- /dev/null +++ b/ipa.te -@@ -0,0 +1,201 @@ +@@ -0,0 +1,202 @@ +policy_module(ipa, 1.0.0) + +######################################## @@ -38668,6 +38684,7 @@ index 0000000..e3b22a3 +logging_log_filetrans(ipa_helper_t, ipa_log_t, file) + +kernel_read_system_state(ipa_helper_t) ++kernel_read_network_state(ipa_helper_t) + +corenet_tcp_connect_ldap_port(ipa_helper_t) +corenet_tcp_connect_smbd_port(ipa_helper_t) @@ -38778,14 +38795,16 @@ index 0000000..e3b22a3 +') diff --git a/ipmievd.fc b/ipmievd.fc new file mode 100644 -index 0000000..caf1fe5 +index 0000000..afe4e83 --- /dev/null +++ b/ipmievd.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/usr/lib/systemd/system/ipmievd\.service -- gen_context(system_u:object_r:ipmievd_unit_file_t,s0) + +/usr/sbin/ipmievd -- gen_context(system_u:object_r:ipmievd_exec_t,s0) + ++/usr/libexec/openipmi-helper -- gen_context(system_u:object_r:ipmievd_exec_t,s0) ++ +/var/run/ipmievd\.pid -- gen_context(system_u:object_r:ipmievd_var_run_t,s0) diff --git a/ipmievd.if b/ipmievd.if new file mode 100644 @@ -38915,10 +38934,10 @@ index 0000000..e86db54 +') diff --git a/ipmievd.te b/ipmievd.te new file mode 100644 -index 0000000..f8428ca +index 0000000..32d7f6c --- /dev/null +++ b/ipmievd.te -@@ -0,0 +1,32 @@ +@@ -0,0 +1,33 @@ +policy_module(ipmievd, 1.0.0) + +######################################## 
@@ -38947,7 +38966,8 @@ index 0000000..f8428ca +manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t) +files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file }) + -+dev_rw_ipmi_dev(ipmievd_t) ++dev_manage_ipmi_dev(ipmievd_t) ++dev_filetrans_ipmi(ipmievd_t) + +logging_send_syslog_msg(ipmievd_t) + @@ -41349,7 +41369,7 @@ index 3a00b3a..92f125f 100644 +') + diff --git a/kdump.te b/kdump.te -index 715fc21..e8792ed 100644 +index 715fc21..b75739b 100644 --- a/kdump.te +++ b/kdump.te @@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t) @@ -41390,10 +41410,10 @@ index 715fc21..e8792ed 100644 +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash") ++ ++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) -allow kdump_t kdump_etc_t:file read_file_perms; -+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) -+ +manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t) +manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) +manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) @@ -41456,7 +41476,7 @@ index 715fc21..e8792ed 100644 kernel_read_system_state(kdumpctl_t) -@@ -71,46 +107,56 @@ corecmd_exec_bin(kdumpctl_t) +@@ -71,46 +107,60 @@ corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) dev_read_sysfs(kdumpctl_t) @@ -41493,6 +41513,10 @@ index 715fc21..e8792ed 100644 -miscfiles_read_localization(kdumpctl_t) +optional_policy(` ++ networkmanager_dbus_chat(kdumpctl_t) ++') ++ ++optional_policy(` + gpg_exec(kdumpctl_t) +') @@ -45880,7 +45904,7 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index be0ab84..9059174 100644 +index be0ab84..6f39336 100644 --- a/logrotate.te +++ b/logrotate.te @@ -5,16 +5,29 @@ policy_module(logrotate, 1.15.0) 
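Review bot: Replacing `dev_rw_ipmi_dev(ipmievd_t)` with `dev_manage_ipmi_dev(ipmievd_t)` plus `dev_filetrans_ipmi(ipmievd_t)` presumably lets the domain create and delete ipmi device nodes in /dev, but creating a character device node also needs the mknod capability, and no `allow ipmievd_t self:capability mknod;` is visible in this hunk — confirm it is granted elsewhere in the module, otherwise the new rules cannot be exercised. `dev_filetrans_ipmi` is called without a name argument, so if the interface follows the usual filetrans pattern every chr_file ipmievd_t creates in /dev inherits ipmi_device_t, which is acceptable only because the node names vary. Since the .fc hunk earlier on this page also labels /usr/libexec/openipmi-helper as ipmievd_exec_t, these create/delete rights apply to the long-running daemon as well as the helper; a comment such as `# openipmi-helper creates the ipmi device nodes; the daemon shares this domain — TODO confirm` would record that intent.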
@@ -46013,12 +46037,13 @@ index be0ab84..9059174 100644 files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) -@@ -95,32 +134,55 @@ mls_process_write_to_clearance(logrotate_t) +@@ -95,32 +134,56 @@ mls_process_write_to_clearance(logrotate_t) selinux_get_fs_mount(logrotate_t) selinux_get_enforce_mode(logrotate_t) +application_exec_all(logrotate_t) + ++auth_domtrans_chk_passwd(logrotate_t) auth_manage_login_records(logrotate_t) auth_use_nsswitch(logrotate_t) @@ -46075,7 +46100,7 @@ index be0ab84..9059174 100644 ') optional_policy(` -@@ -135,16 +197,17 @@ optional_policy(` +@@ -135,16 +198,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -46095,7 +46120,7 @@ index be0ab84..9059174 100644 ') optional_policy(` -@@ -170,6 +233,11 @@ optional_policy(` +@@ -170,6 +234,11 @@ optional_policy(` ') optional_policy(` @@ -46107,7 +46132,7 @@ index be0ab84..9059174 100644 fail2ban_stream_connect(logrotate_t) ') -@@ -178,7 +246,7 @@ optional_policy(` +@@ -178,7 +247,7 @@ optional_policy(` ') optional_policy(` @@ -46116,7 +46141,7 @@ index be0ab84..9059174 100644 ') optional_policy(` -@@ -198,17 +266,18 @@ optional_policy(` +@@ -198,17 +267,18 @@ optional_policy(` ') optional_policy(` @@ -46138,7 +46163,7 @@ index be0ab84..9059174 100644 ') optional_policy(` -@@ -216,6 +285,14 @@ optional_policy(` +@@ -216,6 +286,14 @@ optional_policy(` ') optional_policy(` @@ -46153,7 +46178,7 @@ index be0ab84..9059174 100644 samba_exec_log(logrotate_t) ') -@@ -228,26 +305,50 @@ optional_policy(` +@@ -228,26 +306,50 @@ optional_policy(` ') optional_policy(` @@ -49849,10 +49874,10 @@ index 0000000..f5b98e6 +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..d854e6c +index 0000000..123d4bf --- /dev/null +++ b/mock.te -@@ -0,0 +1,287 @@ +@@ -0,0 +1,289 @@ +policy_module(mock,1.0.0) + +## 
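Review bot: `auth_domtrans_chk_passwd(logrotate_t)` lets a root-run cron job domain execute the password-check helper directly, and the stated reason — a postrotate script runs `su`, which in turn runs `unix_chkpwd` — suggests `su` is not leaving logrotate_t at all. If that is what is happening, the narrower fix is a domain transition for `su` out of logrotate_t (refpolicy's su module provides exec/domtrans interfaces for this; verify which one this tree has), which keeps the authentication helper off logrotate's own permission set. If the direct grant is kept, record the trigger in the policy so the rule is not widened further later: `# some postrotate scripts call su, which execs unix_chkpwd; see BZ in changelog`.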
@@ -50006,6 +50031,8 @@ index 0000000..d854e6c +lvm_read_metadata(mock_t) +lvm_getattr_exec_files(mock_t) + ++miscfiles_dontaudit_write_generic_cert_files(mock_t) ++ +userdom_use_user_ptys(mock_t) +userdom_use_user_ttys(mock_t) + @@ -50220,7 +50247,7 @@ index b1ac8b5..24782b3 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index d15eb5b..7f3c31d 100644 +index d15eb5b..2055876 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -50262,14 +50289,18 @@ index d15eb5b..7f3c31d 100644 logging_send_syslog_msg(modemmanager_t) -@@ -56,3 +63,7 @@ optional_policy(` - udev_read_db(modemmanager_t) - udev_manage_pid_files(modemmanager_t) - ') +@@ -50,6 +57,11 @@ optional_policy(` + optional_policy(` + policykit_dbus_chat(modemmanager_t) + ') + -+optional_policy(` -+ systemd_dbus_chat_logind(modemmanager_t) -+') ++ optional_policy(` ++ systemd_dbus_chat_logind(modemmanager_t) ++ systemd_write_inhibit_pipes(modemmanager_t) ++ ') + ') + + optional_policy(` diff --git a/mojomojo.fc b/mojomojo.fc index 7b827ca..5ee8a0f 100644 --- a/mojomojo.fc @@ -63020,10 +63051,10 @@ index 57c0161..c554eb6 100644 + ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te -index 5b2cb0d..7655e0b 100644 +index 5b2cb0d..1ac5cf5 100644 --- a/nut.te +++ b/nut.te -@@ -7,154 +7,148 @@ policy_module(nut, 1.3.0) +@@ -7,154 +7,153 @@ policy_module(nut, 1.3.0) attribute nut_domain; @@ -63137,9 +63168,9 @@ index 5b2cb0d..7655e0b 100644 +allow nut_upsmon_t self:tcp_socket create_socket_perms; +allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto }; -+ -+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) ++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t) ++ +kernel_read_kernel_sysctls(nut_upsmon_t) kernel_read_system_state(nut_upsmon_t) 
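Review bot: `miscfiles_dontaudit_write_generic_cert_files(mock_t)` silences the audit record for write attempts against the system certificate store rather than answering why mock writes there. A write to trust anchors is exactly the denial an operator wants to see, and mock_t runs build steps supplied by its users, so a dontaudit on cert_t writes hides a tampering signal for a domain that processes untrusted input. Prefer locating the offending path from the original AVC (a tool copying or re-hashing a CA bundle into the chroot is a plausible cause, but that is a guess) and labeling or fixing it; if the dontaudit must stay, cite the AVC it covers: `# dontaudit: chroot setup tries to write the host CA bundle; no real need, BZ #`.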
@@ -63184,6 +63215,11 @@ index 5b2cb0d..7655e0b 100644 shutdown_domtrans(nut_upsmon_t) ') ++optional_policy(` ++ dbus_system_bus_client(nut_upsmon_t) ++ systemd_dbus_chat_logind(nut_upsmon_t) ++') ++ ######################################## # -# Upsdrvctl local policy @@ -63541,10 +63577,10 @@ index cd29ea8..d01d2c8 100644 ') ') diff --git a/oddjob.fc b/oddjob.fc -index dd1d9ef..fbbe3ff 100644 +index dd1d9ef..c48733a 100644 --- a/oddjob.fc +++ b/oddjob.fc -@@ -1,10 +1,10 @@ +@@ -1,10 +1,12 @@ -/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) -/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) @@ -63555,13 +63591,15 @@ index dd1d9ef..fbbe3ff 100644 -/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) ++/usr/bin/oddjob_request -- gen_context(system_u:object_r:oddjob_exec_t,s0) ++ +/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0) +/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0) -/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) +/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0) diff --git a/oddjob.if b/oddjob.if -index c87bd2a..4c17c99 100644 +index c87bd2a..284e4de 100644 --- a/oddjob.if +++ b/oddjob.if @@ -1,4 +1,8 @@ @@ -63673,7 +63711,7 @@ index c87bd2a..4c17c99 100644 ## ## ## -@@ -105,46 +141,71 @@ interface(`oddjob_domtrans_mkhomedir',` +@@ -105,46 +141,96 @@ interface(`oddjob_domtrans_mkhomedir',` # interface(`oddjob_run_mkhomedir',` gen_require(` 
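Review bot: Labeling the client `/usr/bin/oddjob_request` as `oddjob_exec_t` puts the request tool in the same domain as the `oddjobd` daemon, and the changelog says selinux users and unconfined users are being allowed to run it through the new `oddjob_run()` interface, so a daemon domain becomes an entry point reachable from ordinary user roles. The client only needs to talk to the daemon over D-Bus, whereas oddjob_t presumably carries the permissions to dispatch the privileged helpers (this hunk's .if changes add role access to oddjob_t itself, not to a client type). A dedicated `oddjob_request_t` with its own exec type and only D-Bus client permissions — or leaving the client in the caller's domain with a dbus-chat interface — keeps oddjob_t reachable from init alone; the label would then read `/usr/bin/oddjob_request -- gen_context(system_u:object_r:oddjob_request_exec_t,s0)`.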
@@ -63687,25 +63725,48 @@ index c87bd2a..4c17c99 100644 ') -##################################### -+####################################### ++######################################## ## -## Do not audit attempts to read and write -## oddjob fifo files. -+## Execute oddjob in the oddjob domain. ++## Execute the oddjob program in the oddjob domain. ## ## --## + ## -## Domain to not audit. --## -+## -+## Domain allowed to transition. -+## ++## Domain allowed to transition. + ## ## ++## ++## ++## Role allowed access. ++## ++## ++## # -interface(`oddjob_dontaudit_rw_fifo_files',` -- gen_require(` -- type oddjob_t; -- ') ++interface(`oddjob_run',` + gen_require(` + type oddjob_t; + ') + +- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; ++ oddjob_domtrans($1) ++ role $2 types oddjob_t; + ') + +-###################################### ++####################################### + ## +-## Send child terminated signals to oddjob. ++## Execute oddjob in the oddjob domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# +interface(`oddjob_systemctl',` + gen_require(` + type oddjob_unit_file_t; @@ -63716,15 +63777,12 @@ index c87bd2a..4c17c99 100644 + init_reload_services($1) + allow $1 oddjob_unit_file_t:file read_file_perms; + allow $1 oddjob_unit_file_t:service manage_service_perms; - -- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms; ++ + ps_process_pattern($1, oddjob_t) - ') - --###################################### ++') ++ +######################################## - ## --## Send child terminated signals to oddjob. ++## +## Create a domain which can be started by init, +## with a range transition. ## @@ -79162,7 +79220,7 @@ index 7cb8b1f..bef7217 100644 + allow $1 puppet_var_run_t:dir search_dir_perms; ') diff --git a/puppet.te b/puppet.te -index 618dcfe..8e08251 100644 +index 618dcfe..9f36ed5 100644 --- a/puppet.te +++ b/puppet.te @@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0) 
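Review bot: The documentation block above `interface(\`oddjob_systemctl',` still reads `## Execute oddjob in the oddjob domain.` with a parameter summary of `Domain allowed to transition.`, which is the text belonging to `oddjob_run` directly above it; the interface itself grants service control (init_reload_services, read and manage_service_perms on oddjob_unit_file_t, ps on oddjob_t) and performs no transition. Replace the header with `## Allow the caller to control the oddjob service (systemctl start/stop/status/reload).` and the parameter summary with `## Domain allowed access.` so the generated interface documentation matches what the rule set does. The `oddjob_run` header just above is correct and can stay.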
@@ -79224,7 +79282,7 @@ index 618dcfe..8e08251 100644 type puppetmaster_t; type puppetmaster_exec_t; -@@ -56,161 +62,170 @@ files_tmp_file(puppetmaster_tmp_t) +@@ -56,161 +62,174 @@ files_tmp_file(puppetmaster_tmp_t) ######################################## # @@ -79459,6 +79517,10 @@ index 618dcfe..8e08251 100644 optional_policy(` - files_rw_var_files(puppet_t) ++ networkmanager_dbus_chat(puppetagent_t) ++') ++ ++optional_policy(` + firewalld_dbus_chat(puppetagent_t) +') @@ -79469,28 +79531,28 @@ index 618dcfe..8e08251 100644 + portage_domtrans(puppetagent_t) + portage_domtrans_fetch(puppetagent_t) + portage_domtrans_gcc_config(puppetagent_t) - ') - - optional_policy(` -- unconfined_domain(puppet_t) ++') ++ ++optional_policy(` + files_rw_var_files(puppetagent_t) + + rpm_domtrans(puppetagent_t) + rpm_manage_db(puppetagent_t) + rpm_manage_log(puppetagent_t) ++') ++ ++optional_policy(` ++ shorewall_domtrans(puppetagent_t) + ') + + optional_policy(` +- unconfined_domain(puppet_t) ++ unconfined_domain_noaudit(puppetagent_t) ') optional_policy(` - usermanage_domtrans_groupadd(puppet_t) - usermanage_domtrans_useradd(puppet_t) -+ shorewall_domtrans(puppetagent_t) -+') -+ -+optional_policy(` -+ unconfined_domain_noaudit(puppetagent_t) -+') -+ -+optional_policy(` + shorewall_domtrans(puppet_t) ') @@ -79511,7 +79573,7 @@ index 618dcfe..8e08251 100644 allow puppetca_t puppet_var_lib_t:dir list_dir_perms; manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t) -@@ -221,6 +236,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; +@@ -221,6 +240,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms; allow puppetca_t puppet_var_run_t:dir search_dir_perms; kernel_read_system_state(puppetca_t) 
@@ -79519,7 +79581,7 @@ index 618dcfe..8e08251 100644 kernel_read_kernel_sysctls(puppetca_t) corecmd_exec_bin(puppetca_t) -@@ -229,15 +245,12 @@ corecmd_exec_shell(puppetca_t) +@@ -229,15 +249,12 @@ corecmd_exec_shell(puppetca_t) dev_read_urand(puppetca_t) dev_search_sysfs(puppetca_t) @@ -79535,7 +79597,7 @@ index 618dcfe..8e08251 100644 miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) -@@ -246,38 +259,48 @@ optional_policy(` +@@ -246,38 +263,48 @@ optional_policy(` hostname_exec(puppetca_t) ') @@ -79600,7 +79662,7 @@ index 618dcfe..8e08251 100644 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t) kernel_read_network_state(puppetmaster_t) -@@ -289,23 +312,24 @@ corecmd_exec_bin(puppetmaster_t) +@@ -289,23 +316,24 @@ corecmd_exec_bin(puppetmaster_t) corecmd_exec_shell(puppetmaster_t) corenet_all_recvfrom_netlabel(puppetmaster_t) @@ -79631,7 +79693,7 @@ index 618dcfe..8e08251 100644 selinux_validate_context(puppetmaster_t) -@@ -314,26 +338,31 @@ auth_use_nsswitch(puppetmaster_t) +@@ -314,26 +342,31 @@ auth_use_nsswitch(puppetmaster_t) logging_send_syslog_msg(puppetmaster_t) miscfiles_read_generic_certs(puppetmaster_t) @@ -79668,7 +79730,7 @@ index 618dcfe..8e08251 100644 ') optional_policy(` -@@ -342,3 +371,9 @@ optional_policy(` +@@ -342,3 +375,9 @@ optional_policy(` rpm_exec(puppetmaster_t) rpm_read_db(puppetmaster_t) ') @@ -83661,10 +83723,10 @@ index 951db7f..00e699d 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak") ') diff --git a/raid.te b/raid.te -index c99753f..c7b77bc 100644 +index c99753f..357db0b 100644 --- a/raid.te +++ b/raid.te -@@ -15,54 +15,102 @@ role mdadm_roles types mdadm_t; +@@ -15,54 +15,103 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) 
@@ -83753,6 +83815,7 @@ index c99753f..c7b77bc 100644 +dev_read_kvm(mdadm_t) +dev_read_mei(mdadm_t) +dev_read_nvram(mdadm_t) ++dev_read_nvme(mdadm_t) +dev_read_generic_files(mdadm_t) +dev_read_generic_usb_dev(mdadm_t) +dev_read_urand(mdadm_t) @@ -83776,7 +83839,7 @@ index c99753f..c7b77bc 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -71,15 +119,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -71,15 +120,25 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -83803,7 +83866,7 @@ index c99753f..c7b77bc 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -90,17 +148,38 @@ optional_policy(` +@@ -90,17 +149,38 @@ optional_policy(` ') optional_policy(` @@ -84022,10 +84085,10 @@ index 0000000..d57006d +') diff --git a/rasdaemon.te b/rasdaemon.te new file mode 100644 -index 0000000..6731d5c +index 0000000..dcdca44 --- /dev/null +++ b/rasdaemon.te -@@ -0,0 +1,46 @@ +@@ -0,0 +1,51 @@ +policy_module(rasdaemon, 1.0.0) + +######################################## @@ -84062,6 +84125,11 @@ index 0000000..6731d5c +dev_read_urand(rasdaemon_t) +dev_rw_cpu_microcode(rasdaemon_t) + ++fs_rw_tracefs_files(rasdaemon_t) ++fs_manage_tracefs_dirs(rasdaemon_t) ++fs_mount_tracefs(rasdaemon_t) ++fs_unmount_tracefs(rasdaemon_t) ++ +modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277 + +auth_use_nsswitch(rasdaemon_t) @@ -86131,10 +86199,10 @@ index c8a1e16..2d409bf 100644 xen_domtrans_xm(rgmanager_t) ') diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..bc62d96 100644 +index 47de2d6..aa2272c 100644 --- a/rhcs.fc 
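Review bot: `fs_rw_tracefs_files(rasdaemon_t)` together with `fs_manage_tracefs_dirs` and mount/unmount of tracefs hands rasdaemon write access to the entire kernel tracing interface, not just the hardware-error event files it consumes. Writable tracefs includes `kprobe_events`, `uprobe_events` and `set_ftrace_filter`, so a compromised rasdaemon could plant kernel probes and read kernel data — a much larger capability than reading RAS/MCE events. If the daemon only needs to enable `events/ras/*` and `events/mce/*` and read `trace_pipe` (verify against the original denials), consider a dedicated type for those paths or a tunable, and document the need: `# rasdaemon enables ras/mce tracepoints and reads trace_pipe under /sys/kernel/tracing`. Mounting tracefs additionally needs `sys_admin`; the capability line for rasdaemon_t is outside this hunk, so confirm it agrees.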
+++ b/rhcs.fc -@@ -1,31 +1,96 @@ +@@ -1,31 +1,101 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -86208,12 +86276,16 @@ index 47de2d6..bc62d96 100644 +/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0) + +/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++/usr/lib/systemd/system/corosync-qnetd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++/usr/lib/systemd/system/corosync-qdevice.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) ++ +/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) +/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0) + +/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/bin/corosync-qnetd -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0) @@ -86223,6 +86295,7 @@ index 47de2d6..bc62d96 100644 +/usr/sbin/pacemaker_remoted -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/share/corosync/corosync-qdevice -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0) +/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0) 
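Review bot: `/usr/bin/corosync-qnetd` and `/usr/share/corosync/corosync-qdevice` are labeled `cluster_exec_t`, so both run as cluster_t, the same domain as corosync and pacemaker according to the other labels in this hunk. To my knowledge corosync-qnetd is a TLS service that listens on the network for quorum votes and is normally deployed on a separate arbitrator host under its own unprivileged user, so a flaw in qnetd yielding cluster_t is a larger blast radius than the daemon needs; the changelog shows this labeling already flipped between corosync_t and cluster_t, which suggests the decision is not settled. A dedicated `qnetd_t`/`qdevice_t`, or at least a comment recording the trade-off, e.g. `# qnetd/qdevice run as cluster_t pending a dedicated domain; qnetd is network-facing`, would make it reviewable. The `corosync-qnetd.*` and `corosync-qdevice.*` unit-file labels are fine as cluster_unit_file_t either way.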
@@ -97527,10 +97600,10 @@ index 0000000..7a058a8 +') diff --git a/sbd.te b/sbd.te new file mode 100644 -index 0000000..8666aec +index 0000000..f6e5b0f --- /dev/null +++ b/sbd.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,52 @@ +policy_module(sbd, 1.0.0) + +######################################## @@ -97556,6 +97629,7 @@ index 0000000..8666aec +allow sbd_t self:process { fork setsched signal_perms }; +allow sbd_t self:fifo_file rw_fifo_file_perms; +allow sbd_t self:unix_stream_socket create_stream_socket_perms; ++allow sbd_t self:unix_dgram_socket create_socket_perms; + +manage_dirs_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t) +manage_files_pattern(sbd_t, sbd_var_run_t, sbd_var_run_t) @@ -97563,6 +97637,8 @@ index 0000000..8666aec +files_pid_filetrans(sbd_t, sbd_var_run_t, { dir file lnk_file }) + +kernel_read_system_state(sbd_t) ++kernel_dgram_send(sbd_t) ++kernel_rw_kernel_sysctl(sbd_t) + +dev_read_rand(sbd_t) +dev_write_watchdog(sbd_t) @@ -97573,6 +97649,8 @@ index 0000000..8666aec + +miscfiles_read_localization(sbd_t) + ++logging_send_syslog_msg(sbd_t) ++ +optional_policy(` + rhcs_rw_cluster_tmpfs(sbd_t) + rhcs_stream_connect_cluster(sbd_t) @@ -104335,7 +104413,7 @@ index a240455..04419ae 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 2d8db1f..864ea2f 100644 +index 2d8db1f..a28dfe7 100644 --- a/sssd.te +++ b/sssd.te @@ -28,19 +28,28 @@ logging_log_file(sssd_var_log_t) 
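Review bot: `kernel_rw_kernel_sysctl(sbd_t)` grants read and write on all of `/proc/sys/kernel/*`, which includes security knobs such as `kernel.modules_disabled`, `kernel.yama.ptrace_scope` and `kernel.kptr_restrict` — far more than a watchdog-based fencing daemon should need. If sbd only writes one knob for its self-fence path (check the denial that motivated this; `kernel.sysrq` is the plausible candidate), label that file with a dedicated type or use a narrower existing interface, and record the reason: `# sbd writes kernel.<name> to force a reset; rw on all kernel sysctls is too broad`. The other additions here (`kernel_dgram_send`, `logging_send_syslog_msg`, a self dgram socket) are consistent with syslog messaging and look proportionate.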
@@ -104357,7 +104435,7 @@ index 2d8db1f..864ea2f 100644 # -allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource }; -+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; ++allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource }; allow sssd_t self:capability2 block_suspend; allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit }; allow sssd_t self:fifo_file rw_fifo_file_perms; @@ -104381,7 +104459,7 @@ index 2d8db1f..864ea2f 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -62,17 +69,13 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +69,14 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) @@ -104400,10 +104478,11 @@ index 2d8db1f..864ea2f 100644 +corenet_tcp_connect_kerberos_password_port(sssd_t) +corenet_tcp_connect_smbd_port(sssd_t) +corenet_tcp_connect_http_port(sssd_t) ++corenet_tcp_connect_http_cache_port(sssd_t) corecmd_exec_bin(sssd_t) -@@ -83,28 +86,36 @@ domain_read_all_domains_state(sssd_t) +@@ -83,28 +87,36 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -104444,7 +104523,7 @@ index 2d8db1f..864ea2f 100644 init_read_utmp(sssd_t) -@@ -112,18 +123,64 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +124,64 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -113135,7 +113214,7 @@ index facdee8..816d860 100644 + ps_process_pattern(virtd_t, $1) ') diff --git a/virt.te b/virt.te -index f03dcf5..06e97a2 100644 +index f03dcf5..da66f68 100644 --- a/virt.te +++ b/virt.te @@ -1,451 +1,402 @@ 
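Review bot: `ipc_lock` is added to an already wide capability set for sssd_t (`sys_admin`, `dac_override`, `net_admin`, ...) with no indication of why. `ipc_lock` is what `mlock()`/`mlockall()` require, and for sssd the plausible purpose is pinning credential material so it is never swapped out, but that is an inference from the daemon's role rather than from anything in this hunk; a why-comment keeps the list from accreting silently: `# ipc_lock: mlock() of memory holding cached credentials (BZ #)`. Likewise `corenet_tcp_connect_http_cache_port(sssd_t)` opens egress to proxy/cache ports (typically 8080, 3128 and similar); if it exists to reach IPA/Kerberos through a configured HTTP proxy, say so in a comment so it is not mistaken for a default requirement.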
@@ -114147,7 +114226,7 @@ index f03dcf5..06e97a2 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -746,44 +707,332 @@ optional_policy(` +@@ -746,44 +707,335 @@ optional_policy(` udev_read_pid_files(virtd_t) ') @@ -114211,6 +114290,8 @@ index f03dcf5..06e97a2 100644 + +manage_files_pattern(virtlogd_t, virt_log_t, virt_log_t) + ++append_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t) ++ + +# Allow virtlogd to look at /proc/$PID/status +# to authenticate the connecting libvirtd @@ -114319,9 +114400,10 @@ index f03dcf5..06e97a2 100644 +dev_rw_qemu(virt_domain) +dev_rw_inherited_vhost(virt_domain) +dev_rw_infiniband_dev(virt_domain) ++dev_rw_dri(virt_domain) + +domain_use_interactive_fds(virt_domain) -+ + +files_read_mnt_symlinks(virt_domain) +files_read_var_files(virt_domain) +files_search_all(virt_domain) @@ -114377,7 +114459,7 @@ index f03dcf5..06e97a2 100644 + sssd_dontaudit_read_lib(virt_domain) + sssd_dontaudit_read_public_files(virt_domain) +') - ++ +optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) @@ -114502,7 +114584,7 @@ index f03dcf5..06e97a2 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -794,25 +1043,18 @@ kernel_write_xen_state(virsh_t) +@@ -794,25 +1046,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -114529,7 +114611,7 @@ index f03dcf5..06e97a2 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -821,23 +1063,25 @@ fs_search_auto_mountpoints(virsh_t) +@@ -821,23 +1066,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -114563,7 +114645,7 @@ index f03dcf5..06e97a2 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -856,14 +1100,20 @@ optional_policy(` +@@ -856,14 +1103,20 @@ optional_policy(` ') optional_policy(` 
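Review bot: `append_files_pattern(virtlogd_t, svirt_image_t, svirt_image_t)` lets virtlogd append to files of the VM disk-image type, which is the wrong target for a console-log daemon: virtlogd's input is guest console output, i.e. attacker-influenced data from inside a VM, and `svirt_image_t` is the type of every guest's disk image, so one system-wide virtlogd gains write access across all guests' images (MCS does not separate it from the guests unless virtlogd_t is mcs-constrained, which this hunk does not show). The likely trigger is a qemu serial/console log created next to the image and inheriting its type — verify against the original AVC — and the fix is to label those logs `virt_log_t` (or a dedicated console-log type) via file contexts or a named filetrans and drop this rule. If it must stay as an interim measure, flag it: `# TODO: console logs are created as svirt_image_t by qemu; relabel to virt_log_t and remove`. `dev_rw_dri(virt_domain)` in the same hunk shares the host GPU render nodes with every guest domain; that is what the referenced BZ asks for, but it is worth a comment noting the cross-guest exposure.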
@@ -114585,7 +114667,7 @@ index f03dcf5..06e97a2 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -888,49 +1138,66 @@ optional_policy(` +@@ -888,49 +1141,66 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -114670,7 +114752,7 @@ index f03dcf5..06e97a2 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -942,17 +1209,16 @@ dev_read_urand(virtd_lxc_t) +@@ -942,17 +1212,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -114690,7 +114772,7 @@ index f03dcf5..06e97a2 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -964,8 +1230,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -964,8 +1233,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) @@ -114714,7 +114796,7 @@ index f03dcf5..06e97a2 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -974,194 +1255,354 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -974,194 +1258,354 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -115210,7 +115292,7 @@ index f03dcf5..06e97a2 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1174,12 +1615,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1174,12 +1618,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -115225,7 +115307,7 @@ index f03dcf5..06e97a2 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1192,7 +1633,7 @@ optional_policy(` +@@ -1192,7 +1636,7 @@ optional_policy(` ######################################## # 
@@ -115234,7 +115316,7 @@ index f03dcf5..06e97a2 100644 # allow virt_bridgehelper_t self:process { setcap getcap }; -@@ -1201,11 +1642,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; +@@ -1201,11 +1645,255 @@ allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; allow virt_bridgehelper_t self:tun_socket create_socket_perms; allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms; diff --git a/selinux-policy.spec b/selinux-policy.spec index b092fc6..7d86f93 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 191.10%{?dist} +Release: 191.11%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -645,6 +645,46 @@ exit 0 %endif %changelog +* Fri Aug 12 2016 Lukas Vrabec 3.13.1-191.11 +- Allow cups_config_t domain also mange sock_files. BZ(1361299) +- Add wake_alarm capability to fprintd domain BZ(1362430) +- Allow firewalld_t to relabel net_conf_t files. BZ(1365178) +- Allow nut_upsmon_t domain to chat with logind vie dbus about scheduleing a shutdown when UPS battery is low. BZ(1361802) +- Allow virtual machines to use dri devices. This allows use openCL GPU calculations. BZ(1337333) +- Allow crond and cronjob domains to creating mail_home_rw_t objects in admin_home_t BZ(1366173) +- Dontaudit mock to write to generic certs. +- Add labeling for corosync-qdevice and corosync-qnetd daemons, to run as cluster_t +- Revert "Label corosync-qnetd and corosync-qdevice as corosync_t domain" +- Allow modemmanager to write to systemd inhibit pipes +- Label corosync-qnetd and corosync-qdevice as corosync_t domain +- Allow ipa_helper to read network state +- Label oddjob_reqiest as oddjob_exec_t +- Add interface oddjob_run() +- Allow modemmanager chat with systemd_logind via dbus +- Allow NetworkManager chat with puppetagent via dbus +- Allow NetworkManager chat with kdumpctl via dbus +- Allow sbd send msgs to syslog Allow sbd create dgram sockets. Allow sbd to communicate with kernel via dgram socket Allow sbd r/w kernel sysctls. +- Allow ipmievd_t domain to re-create ipmi devices Label /usr/libexec/openipmi-helper as ipmievd_exec_t +- Allow rasdaemon to use tracefs filesystem +- Fix typo bug in dirsrv policy +- Some logrotate scripts run su and then su runs unix_chkpwd. Allow logrotate_t domain to check passwd. +- Add ipc_lock capability to sssd domain. Allow sssd connect to http_cache_t +- Allow dirsrv to read dirsrv_share_t content +- Allow virtlogd_t to append svirt_image_t files. +- Allow hypervkvp domain to read hugetlbfs dir/files. +- Allow mdadm daemon to read nvme_device_t blk files +- Allow systemd_resolved to connect on system bus. 
BZ(1366334) +- Allow systemd to create netlink_route_socket and communicate with systemd_networkd BZ(1306344) +- Allow systemd-modules-load to load kernel modules in early boot. BZ(1322625) +- label tcp/udp port 853 as dns_port_t. BZ(1365609) +- Allow selinuxusers and unconfineduser to run oddjob_request +- Allow sshd server to acces to Crypto Express 4 (CEX4) devices. +- Fix typo in device interfaces +- Add interfaces for managing ipmi devices +- Add interfaces to allow mounting/umounting tracefs filesystem +- Add interfaces to allow rw tracefs filesystem +- Add support for user namespace + * Tue Aug 02 2016 Lukas Vrabec 3.13.1-191.10 - collectd: update policy for 5.5 - Allow puppet_t transtition to shorewall_t