diff --git a/policy-F15.patch b/policy-F15.patch index 873d343..716da52 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -1,12 +1,12 @@ diff --git a/Makefile b/Makefile -index b8486a0..72a53cc 100644 +index b8486a0..6153c8b 100644 --- a/Makefile +++ b/Makefile @@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule SEMOD_PKG ?= $(tc_usrbindir)/semodule_package SEMOD_LNK ?= $(tc_usrbindir)/semodule_link SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand -+SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen ++#SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen LOADPOLICY ?= $(tc_usrsbindir)/load_policy SETFILES ?= $(tc_sbindir)/setfiles XMLLINT ?= $(BINDIR)/xmllint @@ -20,14 +20,14 @@ index b8486a0..72a53cc 100644 all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) diff --git a/Rules.modular b/Rules.modular -index 168a14f..c2bf491 100644 +index 168a14f..cc1f793 100644 --- a/Rules.modular +++ b/Rules.modular @@ -207,6 +207,7 @@ validate: $(base_pkg) $(mod_pkgs) @echo "Validating policy linking." $(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^ $(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin -+ $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output ++# $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output @echo "Success." ######################################## @@ -1426,10 +1426,10 @@ index 7077413..56d1ecb 100644 + +/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0) diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if -index 47c4723..c1bed2b 100644 +index 47c4723..1f57c34 100644 --- a/policy/modules/admin/readahead.if +++ b/policy/modules/admin/readahead.if -@@ -1 +1,42 @@ +@@ -1 +1,43 @@ ## Readahead, read files into page cache for improved performance + +######################################## 
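Review bot: The `validate` target in Rules.modular keeps the sepolgen-ifgen step only as a commented-out recipe line (`# $(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output`) and the Makefile likewise keeps `#SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen`, so the interface-generation check silently stops running while dead code stays behind to suggest it still does. Either delete both lines, or keep the check and guard it on the tool being present, e.g. wrap the recipe line in `ifneq ($(wildcard $(SEPOLGEN)),)` / `endif` with a comment stating why it was disabled on this target. The `validate` rule continues outside the hunk.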
@@ -1470,10 +1470,11 @@ index 47c4723..c1bed2b 100644 + manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t) + dev_filetrans($1, readahead_var_run_t, { dir file }) + files_search_pids($1) ++ init_search_pid_dirs($1) +') + diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te -index b4ac57e..9702e8c 100644 +index b4ac57e..275323b 100644 --- a/policy/modules/admin/readahead.te +++ b/policy/modules/admin/readahead.te @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t; @@ -1492,7 +1493,7 @@ index b4ac57e..9702e8c 100644 dontaudit readahead_t self:capability { net_admin sys_tty_config }; allow readahead_t self:process { setsched signal_perms }; -@@ -31,7 +32,9 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) +@@ -31,7 +32,10 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t) files_search_var_lib(readahead_t) manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) @@ -1500,10 +1501,11 @@ index b4ac57e..9702e8c 100644 +manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t) +files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file }) +dev_filetrans(readahead_t, readahead_var_run_t, { dir file }) ++init_pid_filetrans(readahead_t, readahead_var_run_t, { dir file }) kernel_read_all_sysctls(readahead_t) kernel_read_system_state(readahead_t) -@@ -53,10 +56,18 @@ domain_read_all_domains_state(readahead_t) +@@ -53,10 +57,18 @@ domain_read_all_domains_state(readahead_t) files_list_non_security(readahead_t) files_read_non_security_files(readahead_t) @@ -1522,7 +1524,7 @@ index b4ac57e..9702e8c 100644 fs_getattr_all_fs(readahead_t) fs_search_auto_mountpoints(readahead_t) -@@ -66,12 +77,14 @@ fs_read_cgroup_files(readahead_t) +@@ -66,12 +78,14 @@ fs_read_cgroup_files(readahead_t) fs_read_tmpfs_files(readahead_t) fs_read_tmpfs_symlinks(readahead_t) fs_list_inotifyfs(readahead_t) 
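Review bot: `init_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })` joins two other unnamed transitions on the same type (`files_pid_filetrans`, `dev_filetrans`), so any dir or file readahead_t creates directly in /dev, /var/run or init's pid directory is labelled readahead_var_run_t, which it may then fully manage, and none of the three says which path it is for. The readahead.fc context earlier in this patch maps `/dev/\.systemd/readahead(/.*)?` to that type, which looks like the reason, so add a comment naming it, e.g. `# /dev/.systemd/readahead sits under init's pid dir on systemd hosts`. If the toolchain for this target supports named file transitions, restricting these to the `readahead` name would be tighter; I cannot tell that from the hunk. The readahead_t section continues outside the hunk.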
@@ -2987,10 +2989,10 @@ index e51e7f5..8e0405f 100644 +') diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc new file mode 100644 -index 0000000..09f0673 +index 0000000..4540090 --- /dev/null +++ b/policy/modules/apps/execmem.fc -@@ -0,0 +1,49 @@ +@@ -0,0 +1,50 @@ + +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -3040,6 +3042,7 @@ index 0000000..09f0673 +/opt/google/chrome/google-chrome -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/local/Wolfram/Mathematica(/.*)?MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0) diff --git a/policy/modules/apps/execmem.if b/policy/modules/apps/execmem.if new file mode 100644 index 0000000..1bc60f7 @@ -3358,10 +3361,10 @@ index 00a19e3..55075f9 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..8df829d 100644 +index f5afe78..b1b6bf6 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,43 +1,524 @@ +@@ -1,43 +1,523 @@ ## GNU network object model environment (GNOME) -############################################################ 
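Review bot: The new entry `/usr/local/Wolfram/Mathematica(/.*)?MathKernel` is looser than every other line in the file: it has no `--` qualifier, and nothing separates the optional group from `MathKernel`, so `/usr/local/Wolfram/MathematicaMathKernel`, any `...fooMathKernel` under that tree, and non-regular files matching the pattern would all be labelled execmem_exec_t. If only the kernel binary is meant, `/usr/local/Wolfram/Mathematica(/.*)?/MathKernel -- gen_context(system_u:object_r:execmem_exec_t,s0)` matches the style of the surrounding entries. A comment giving one real install path (the version directory is presumably why `(/.*)?` is used) would help the next maintainer; I am inferring that layout, so verify it.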
@@ -3431,11 +3434,10 @@ index f5afe78..8df829d 100644 + ') + + type $1_gkeyringd_t, gnome_domain, gkeyringd_domain; -+ typealias $1_gkeyringd_t alias gkeyrind_$1_t; ++ typealias $1_gkeyringd_t alias gkeyringd_$1_t; + application_domain($1_gkeyringd_t, gkeyringd_exec_t) + ubac_constrained($1_gkeyringd_t) + domain_user_exemption_target($1_gkeyringd_t) -+ permissive $1_gkeyringd_t; + + role $2 types $1_gkeyringd_t; + @@ -3904,7 +3906,7 @@ index f5afe78..8df829d 100644 ## in the caller domain. ## ## -@@ -56,27 +537,26 @@ interface(`gnome_exec_gconf',` +@@ -56,27 +536,26 @@ interface(`gnome_exec_gconf',` ######################################## ## @@ -3940,7 +3942,7 @@ index f5afe78..8df829d 100644 ## ## ## -@@ -84,37 +564,43 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +563,43 @@ template(`gnome_read_gconf_config',` ## ## # @@ -3995,7 +3997,7 @@ index f5afe78..8df829d 100644 ## ## ## -@@ -122,12 +608,13 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +607,13 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -4012,7 +4014,7 @@ index f5afe78..8df829d 100644 ') ######################################## -@@ -151,40 +638,328 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +637,328 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -7980,10 +7982,10 @@ index 0000000..0fedd57 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..26d0f56 +index 0000000..4f96196 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,476 @@ +@@ -0,0 +1,475 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8182,7 +8184,7 @@ index 0000000..26d0f56 +domain_dontaudit_read_all_domains_state(sandbox_x_domain) + +files_search_home(sandbox_x_domain) -+files_dontaudit_list_tmp(sandbox_x_domain) ++files_dontaudit_list_all_mountpoints(sandbox_x_domain) + +kernel_getattr_proc(sandbox_x_domain) +kernel_read_network_state(sandbox_x_domain) 
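Review bot: Replacing `files_dontaudit_list_tmp(sandbox_x_domain)` with `files_dontaudit_list_all_mountpoints(sandbox_x_domain)` trades a dontaudit on one type for one on every mountpoint-typed directory, and it only preserves the old behaviour if tmp_t carries the mountpoint attribute (it does in the reference policy I know, but that is not visible here). Dontaudit rules on broad attributes are exactly the ones that hide evidence of a sandboxed process probing the filesystem, so this deserves a one-line justification such as `# X apps noisily list /tmp, /mnt, /media etc.; not needed to run`. Also `files_dontaudit_list_all_mountpoints` must exist in files.if for this module to build; it is not among the files.if additions shown in this patch. The sandbox_x_domain block continues outside the hunk.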
@@ -8381,7 +8383,6 @@ index 0000000..26d0f56 +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) + +files_dontaudit_getattr_all_dirs(sandbox_web_type) -+files_dontaudit_list_mnt(sandbox_web_type) + +fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) +fs_dontaudit_getattr_all_fs(sandbox_web_type) @@ -9853,7 +9854,7 @@ index 5a07a43..99c7564 100644 ## ## diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 0757523..6346e86 100644 +index 0757523..47f11a4 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -16,6 +16,7 @@ attribute rpc_port_type; @@ -9952,7 +9953,7 @@ index 0757523..6346e86 100644 network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0) -@@ -126,43 +150,57 @@ network_port(iscsi, tcp,3260,s0) +@@ -126,43 +150,58 @@ network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -9995,6 +9996,7 @@ index 0757523..6346e86 100644 +network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) ++network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) 
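Review bot: `network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)` gives 2126 and 3198 their own type, which also takes them out of the generic/unreserved port set, so any domain that reached those ports through generic-port interfaces starts being denied once this policy is loaded; I am inferring that from how `network_port` labels ports, the macro itself is outside this hunk, so check audit logs after rollout. The entry is also out of alphabetical order: it sits between openvpn and pegasus_http while the surrounding table is sorted, and pktcable belongs after pgpkeyserver. The only consumer visible in this patch is asterisk's TCP connect, so the UDP half is unused here; keep it only if a real client needs it and say which in a comment.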
@@ -10016,7 +10018,7 @@ index 0757523..6346e86 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,24 +215,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -177,24 +216,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -10050,7 +10052,7 @@ index 0757523..6346e86 100644 network_port(syslogd, udp,514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) -@@ -205,16 +248,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -205,16 +249,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -10071,7 +10073,7 @@ index 0757523..6346e86 100644 network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) -@@ -276,5 +320,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn +@@ -276,5 +321,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. @@ -10079,10 +10081,18 @@ index 0757523..6346e86 100644 +allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind; allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind; diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 6cf8784..286aec1 100644 +index 6cf8784..5b25039 100644 --- a/policy/modules/kernel/devices.fc 
+++ b/policy/modules/kernel/devices.fc -@@ -187,8 +187,6 @@ ifdef(`distro_suse', ` +@@ -20,6 +20,7 @@ + /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) + /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0) + /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -187,8 +188,6 @@ ifdef(`distro_suse', ` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -10091,7 +10101,7 @@ index 6cf8784..286aec1 100644 ifdef(`distro_redhat',` # originally from named.fc /var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0) -@@ -196,3 +194,8 @@ ifdef(`distro_redhat',` +@@ -196,3 +195,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -10861,7 +10871,7 @@ index 16108f6..0f1470f 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..32a3f1d 100644 +index 958ca84..a595aa7 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -11546,7 +11556,7 @@ index 958ca84..32a3f1d 100644 ## Read and write files in the /var directory. ## ## -@@ -5071,6 +5538,24 @@ interface(`files_manage_mounttab',` +@@ -5071,6 +5538,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -11563,6 +11573,7 @@ index 958ca84..32a3f1d 100644 + type var_t, var_lock_t; + ') + ++ files_search_pids($1) + list_dirs_pattern($1, var_t, var_lock_t) +') + 
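Review bot: `/dev/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)` refers to a type that is not declared anywhere in the part of this patch I can see; setfiles and restorecon reject an fc entry whose context is not in the loaded policy, so make sure devices.te declares `dlm_control_device_t` with `dev_node()` in the same change. The `dlm.*` wildcard also labels every character device whose name begins with dlm, not just the control node; if the intent is the DLM control/monitor/plock devices, say so in a comment or tighten the regex to the real names. I am inferring the device names, so confirm them against the dlm kernel module.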
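Review bot: `files_search_pids($1)` is added to this and the following /var/lock interfaces with no explanation of why a lock interface now needs search on var_run_t; presumably /var/lock is reached through /var/run on this target (files.te later in this patch also makes var_lock_t a mountpoint), but a reader of files.if alone cannot know that. One comment above the first such line, e.g. `# /var/lock may be a symlink into /var/run, so callers also need search on var_run_t`, would cover the whole series. The interface this line lands in starts before the hunk, so its name and summary are not visible.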
@@ -11571,7 +11582,58 @@ index 958ca84..32a3f1d 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5156,12 +5641,12 @@ interface(`files_getattr_generic_locks',` +@@ -5084,6 +5570,7 @@ interface(`files_search_locks',` + type var_t, var_lock_t; + ') + ++ files_search_pids($1) + search_dirs_pattern($1, var_t, var_lock_t) + ') + +@@ -5108,6 +5595,26 @@ interface(`files_dontaudit_search_locks',` + + ######################################## + ## ++## create a directory in the /var/lock ++## directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_create_lock_dirs',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:dir create_dir_perms; ++') ++ ++######################################## ++## + ## Add and remove entries in the /var/lock + ## directories. + ## +@@ -5122,6 +5629,7 @@ interface(`files_rw_lock_dirs',` + type var_t, var_lock_t; + ') + ++ files_search_pids($1) + rw_dirs_pattern($1, var_t, var_lock_t) + ') + +@@ -5142,6 +5650,7 @@ interface(`files_getattr_generic_locks',` + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lock_t:dir list_dir_perms; ++ files_search_pids($1) + getattr_files_pattern($1, var_lock_t, var_lock_t) + ') + +@@ -5156,12 +5665,13 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
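Review bot: The new `files_create_lock_dirs` interface is the only lock interface in this hunk that does not get `files_search_pids($1)`, while `files_search_locks`, `files_rw_lock_dirs` and `files_getattr_generic_locks` all do; if /var/lock is reached through var_run_t on this target, a caller using only this interface still cannot reach the directory it was granted `create_dir_perms` on. Add `files_search_pids($1)` after `allow $1 var_t:dir search_dir_perms;` for consistency with its siblings. The summary also reads `create a directory in the /var/lock directories`; the neighbouring summaries start with a capital, e.g. `Create directories in /var/lock.`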
@@ -11584,11 +11646,20 @@ index 958ca84..32a3f1d 100644 - allow $1 var_t:dir search_dir_perms; - delete_files_pattern($1, var_lock_t, var_lock_t) + allow $1 var_t:dir search_dir_perms; ++ files_search_pids($1) + delete_files_pattern($1, var_lock_t, var_lock_t) ') ######################################## -@@ -5207,6 +5692,27 @@ interface(`files_delete_all_locks',` +@@ -5181,6 +5691,7 @@ interface(`files_manage_generic_locks',` + ') + + allow $1 var_t:dir search_dir_perms; ++ files_search_pids($1) + manage_files_pattern($1, var_lock_t, var_lock_t) + ') + +@@ -5207,6 +5718,27 @@ interface(`files_delete_all_locks',` ######################################## ## @@ -11616,7 +11687,31 @@ index 958ca84..32a3f1d 100644 ## Read all lock files. ## ## -@@ -5335,6 +5841,43 @@ interface(`files_search_pids',` +@@ -5224,6 +5756,7 @@ interface(`files_read_all_locks',` + allow $1 { var_t var_lock_t }:dir search_dir_perms; + allow $1 lockfile:dir list_dir_perms; + read_files_pattern($1, lockfile, lockfile) ++ files_search_pids($1) + read_lnk_files_pattern($1, lockfile, lockfile) + ') + +@@ -5244,6 +5777,7 @@ interface(`files_manage_all_locks',` + ') + + allow $1 { var_t var_lock_t }:dir search_dir_perms; ++ files_search_pids($1) + manage_dirs_pattern($1, lockfile, lockfile) + manage_files_pattern($1, lockfile, lockfile) + manage_lnk_files_pattern($1, lockfile, lockfile) +@@ -5276,6 +5810,7 @@ interface(`files_lock_filetrans',` + ') + + allow $1 var_t:dir search_dir_perms; ++ files_search_pids($1) + filetrans_pattern($1, var_lock_t, $2, $3) + ') + +@@ -5335,6 +5870,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -11660,7 +11755,7 @@ index 958ca84..32a3f1d 100644 ######################################## ## ## Do not audit attempts to search -@@ -5542,6 +6085,62 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5542,6 +6114,62 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## 
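Review bot: In `files_read_all_locks` the added `files_search_pids($1)` lands between `read_files_pattern` and `read_lnk_files_pattern`, splitting the two read patterns, whereas the other interfaces in this series place it next to the directory search rule. Moving it to directly after `allow $1 { var_t var_lock_t }:dir search_dir_perms;` keeps the interfaces uniform. This is style only; the permissions granted are the same either way.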
@@ -11723,7 +11818,7 @@ index 958ca84..32a3f1d 100644 ## Read all process ID files. ## ## -@@ -5559,6 +6158,44 @@ interface(`files_read_all_pids',` +@@ -5559,6 +6187,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -11768,7 +11863,7 @@ index 958ca84..32a3f1d 100644 ') ######################################## -@@ -5844,3 +6481,284 @@ interface(`files_unconfined',` +@@ -5844,3 +6510,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -12054,7 +12149,7 @@ index 958ca84..32a3f1d 100644 + dontaudit $1 file_type:dir_file_class_set write; +') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 6e01635..212a736 100644 +index 6e01635..207d34a 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -11,6 +11,7 @@ attribute lockfile; @@ -12088,6 +12183,14 @@ index 6e01635..212a736 100644 files_type(etc_runtime_t) #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; +@@ -167,6 +177,7 @@ files_mountpoint(var_lib_t) + # + type var_lock_t; + files_lock_file(var_lock_t) ++files_mountpoint(var_lock_t) + + # + # var_run_t is the type of /var/run, usually diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index 59bae6a..2e55e71 100644 --- a/policy/modules/kernel/filesystem.fc @@ -13613,7 +13716,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..093b48d 100644 +index 2be17d2..9440b5f 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0) @@ -13665,7 +13768,7 @@ index 2be17d2..093b48d 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +63,137 @@ optional_policy(` +@@ -27,25 +63,138 @@ optional_policy(` ') optional_policy(` 
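Review bot: `files_mountpoint(var_lock_t)` quietly widens many existing rules: every interface that works on the mountpoint attribute (the `files_*_all_mountpoints` family, the ability to mount on it) now covers /var/lock too, and nothing in the hunk says why that is wanted. If the reason is that the distribution mounts a tmpfs on /var/lock at boot, record it above the call, e.g. `# a tmpfs is mounted on /var/lock at boot`. I am inferring the motivation; the surrounding var_lock_t declaration is unchanged.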
@@ -13688,6 +13791,7 @@ index 2be17d2..093b48d 100644 +optional_policy(` + gnome_role(staff_r, staff_t) + gnome_role_gkeyringd(staff, staff_r, staff_t) ++ permissive staff_gkeyringd_t; +') + +optional_policy(` @@ -13805,7 +13909,7 @@ index 2be17d2..093b48d 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +237,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +238,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -13816,7 +13920,7 @@ index 2be17d2..093b48d 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +281,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +282,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -13827,7 +13931,7 @@ index 2be17d2..093b48d 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +312,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +313,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -15801,7 +15905,7 @@ index 0b827c5..9a82e8d 100644 admin_pattern($1, abrt_tmp_t) ') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..d3996c8 100644 +index 30861ec..de61315 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0) @@ -15819,9 +15923,12 @@ index 30861ec..d3996c8 100644 type abrt_t; type abrt_exec_t; init_daemon_domain(abrt_t, abrt_exec_t) -@@ -50,7 +58,7 @@ ifdef(`enable_mcs',` +@@ -48,9 +56,9 @@ ifdef(`enable_mcs',` + # abrt local policy + # - allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; +-allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override }; ++allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override }; dontaudit abrt_t self:capability sys_rawio; -allow abrt_t self:process { signal signull setsched getsched }; +allow abrt_t self:process { sigkill signal signull setsched getsched }; @@ -18350,7 +18457,7 @@ index 8b8143e..c1a2b96 100644 init_labeled_script_domtrans($1, asterisk_initrc_exec_t) 
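Review bot: `permissive staff_gkeyringd_t;` turns off enforcement for the new keyring domain and is declared with no comment saying it is temporary or what must be fixed before it goes; since the gnome.if template earlier in this patch stops declaring `permissive` for every role, staff is now the one role whose keyring daemon is effectively unconfined. At minimum add `# TODO: permissive until the gkeyringd policy is complete; remove before release` with a tracking reference. A permissive domain still logs denials, so it can be used to collect the missing rules, but it gives no protection in the meantime.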
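Review bot: `fowner` is added to abrt_t's capability set without a comment saying which operation needs it; that capability lets abrt chmod/chown/utime files it does not own, a broad DAC bypass for a daemon that processes crash data from arbitrary users. Name the trigger above the line, e.g. `# fowner: abrt fixes permissions on dump directories created by the crashing user`; I am guessing at the reason, so take it from the denial. The same hunk adds `sigkill` to the process permissions, which is less sensitive but could share the comment.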
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te -index b3b0176..99f98ff 100644 +index b3b0176..51cb893 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f @@ -18366,11 +18473,12 @@ index b3b0176..99f98ff 100644 kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -108,6 +109,7 @@ corenet_tcp_bind_generic_port(asterisk_t) +@@ -108,6 +109,8 @@ corenet_tcp_bind_generic_port(asterisk_t) corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) +corenet_tcp_connect_festival_port(asterisk_t) ++corenet_tcp_connect_pktcable_port(asterisk_t) corenet_tcp_connect_postgresql_port(asterisk_t) corenet_tcp_connect_snmp_port(asterisk_t) corenet_tcp_connect_sip_port(asterisk_t) @@ -18569,10 +18677,10 @@ index 44a1e3d..7e9d2fb 100644 files_list_pids($1) admin_pattern($1, named_var_run_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te -index 4deca04..42aa033 100644 +index 4deca04..a2bf2dc 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te -@@ -6,10 +6,10 @@ policy_module(bind, 1.11.0) +@@ -6,10 +6,17 @@ policy_module(bind, 1.11.0) # ## @@ -18580,6 +18688,13 @@ index 4deca04..42aa033 100644 -## Allow BIND to write the master zone files. -## Generally this is used for dynamic DNS or zone transfers. -##

++##

++## Allow BIND to bind apache port. ++##

++##
++gen_tunable(named_bind_http_port, false) ++ ++## +##

+## Allow BIND to write the master zone files. +## Generally this is used for dynamic DNS or zone transfers. @@ -18587,7 +18702,7 @@ index 4deca04..42aa033 100644 ## gen_tunable(named_write_master_zones, false) -@@ -27,7 +27,7 @@ init_system_domain(named_t, named_checkconf_exec_t) +@@ -27,7 +34,7 @@ init_system_domain(named_t, named_checkconf_exec_t) # A type for configuration files of named. type named_conf_t; @@ -18596,7 +18711,7 @@ index 4deca04..42aa033 100644 files_mountpoint(named_conf_t) # for secondary zone files -@@ -89,9 +89,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +@@ -89,9 +96,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) manage_files_pattern(named_t, named_tmp_t, named_tmp_t) files_tmp_filetrans(named_t, named_tmp_t, { file dir }) @@ -18608,7 +18723,18 @@ index 4deca04..42aa033 100644 # read zone files allow named_t named_zone_t:dir list_dir_perms; -@@ -201,12 +202,12 @@ allow ndc_t self:tcp_socket create_socket_perms; +@@ -147,6 +155,10 @@ miscfiles_read_generic_certs(named_t) + userdom_dontaudit_use_unpriv_user_fds(named_t) + userdom_dontaudit_search_user_home_dirs(named_t) + ++tunable_policy(`named_bind_http_port',` ++ corenet_tcp_bind_http_port(named_t) ++') ++ + tunable_policy(`named_write_master_zones',` + manage_dirs_pattern(named_t, named_zone_t, named_zone_t) + manage_files_pattern(named_t, named_zone_t, named_zone_t) +@@ -201,12 +213,12 @@ allow ndc_t self:tcp_socket create_socket_perms; allow ndc_t self:netlink_route_socket r_netlink_socket_perms; allow ndc_t dnssec_t:file read_file_perms; @@ -18623,7 +18749,7 @@ index 4deca04..42aa033 100644 allow ndc_t named_zone_t:dir search_dir_perms; -@@ -244,7 +245,7 @@ term_dontaudit_use_console(ndc_t) +@@ -244,7 +256,7 @@ term_dontaudit_use_console(ndc_t) # for /etc/rndc.key ifdef(`distro_redhat',` @@ -37051,7 +37177,7 @@ index 7dc38d1..9c2c963 100644 + admin_pattern($1, rgmanager_var_run_t) +') 
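Review bot: The new tunable's summary, `Allow BIND to bind apache port.`, does not say what is granted: the matching `tunable_policy` later in this hunk series calls `corenet_tcp_bind_http_port(named_t)`, which allows binding to every port labelled http_port_t, not just Apache's. Reword to something like `Allow BIND to bind to HTTP ports (http_port_t), e.g. for its statistics channel.` and keep the default of `false` as it is. The statistics-channel use is my guess at the motivation; replace it with the real one.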
diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..1ef4cc6 100644 +index 00fa514..56ecadc 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -6,17 +6,19 @@ policy_module(rgmanager, 1.0.0) @@ -37136,16 +37262,16 @@ index 00fa514..1ef4cc6 100644 # needed by resources scripts auth_read_all_files_except_shadow(rgmanager_t) -@@ -100,8 +108,6 @@ logging_send_syslog_msg(rgmanager_t) +@@ -100,7 +108,7 @@ logging_send_syslog_msg(rgmanager_t) miscfiles_read_localization(rgmanager_t) -mount_domtrans(rgmanager_t) -- ++userdom_kill_all_users(rgmanager_t) + tunable_policy(`rgmanager_can_network_connect',` corenet_tcp_connect_all_ports(rgmanager_t) - ') -@@ -118,6 +124,14 @@ optional_policy(` +@@ -118,6 +126,14 @@ optional_policy(` ') optional_policy(` @@ -37160,7 +37286,7 @@ index 00fa514..1ef4cc6 100644 fstools_domtrans(rgmanager_t) ') -@@ -140,6 +154,15 @@ optional_policy(` +@@ -140,6 +156,15 @@ optional_policy(` ') optional_policy(` @@ -38062,7 +38188,7 @@ index 63e78c6..ffa4f37 100644 ## # diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te -index 779fa44..cdfebe3 100644 +index 779fa44..13556c1 100644 --- a/policy/modules/services/rlogin.te +++ b/policy/modules/services/rlogin.te @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t) 
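Review bot: `userdom_kill_all_users(rgmanager_t)` is added unconditionally, right where `mount_domtrans` is dropped, with nothing explaining which rgmanager operation needs to send SIGKILL to every user domain's processes; that is a strong privilege for a cluster daemon and the kind of rule that usually comes from a single denial. Add a justification above it, e.g. `# resource agent scripts kill user processes on service stop/failover`, and consider gating it with a tunable the way the hunk already gates network connects with `rgmanager_can_network_connect`. I am inferring the reason, so confirm it. The rgmanager_t section continues outside the hunk.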
@@ -38091,15 +38217,18 @@ index 779fa44..cdfebe3 100644 manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t) files_pid_filetrans(rlogind_t, rlogind_var_run_t, file) -@@ -71,6 +69,7 @@ fs_search_auto_mountpoints(rlogind_t) +@@ -69,8 +67,10 @@ fs_getattr_xattr_fs(rlogind_t) + fs_search_auto_mountpoints(rlogind_t) + auth_domtrans_chk_passwd(rlogind_t) ++auth_signal_chk_passwd(rlogind_t) auth_rw_login_records(rlogind_t) auth_use_nsswitch(rlogind_t) +auth_login_pgm_domain(rlogind_t) files_read_etc_files(rlogind_t) files_read_etc_runtime_files(rlogind_t) -@@ -88,9 +87,9 @@ seutil_read_config(rlogind_t) +@@ -88,9 +88,9 @@ seutil_read_config(rlogind_t) userdom_setattr_user_ptys(rlogind_t) # cjp: this is egregious userdom_read_user_home_content_files(rlogind_t) @@ -38112,7 +38241,7 @@ index 779fa44..cdfebe3 100644 rlogin_read_home_content(rlogind_t) -@@ -112,5 +111,10 @@ optional_policy(` +@@ -112,5 +112,10 @@ optional_policy(` ') optional_policy(` @@ -38624,7 +38753,7 @@ index 39015ae..5e7b7cf 100644 + auth_can_read_shadow_passwords(rsync_t) diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if -index 46dad1f..d632bc0 100644 +index 46dad1f..6586da0 100644 --- a/policy/modules/services/rtkit.if +++ b/policy/modules/services/rtkit.if @@ -5,9 +5,9 @@ @@ -38639,7 +38768,7 @@ index 46dad1f..d632bc0 100644 ## # interface(`rtkit_daemon_domtrans',` -@@ -41,6 +41,27 @@ interface(`rtkit_daemon_dbus_chat',` +@@ -41,6 +41,28 @@ interface(`rtkit_daemon_dbus_chat',` ######################################## ##

@@ -38660,6 +38789,7 @@ index 46dad1f..d632bc0 100644 + + dontaudit $1 rtkit_daemon_t:dbus send_msg; + dontaudit rtkit_daemon_t $1:dbus send_msg; ++ dontaudit rtkit_daemon_t $1:process { getsched setsched }; +') + +######################################## @@ -38667,7 +38797,7 @@ index 46dad1f..d632bc0 100644 ## Allow rtkit to control scheduling for your process ## ## -@@ -54,6 +75,7 @@ interface(`rtkit_scheduled',` +@@ -54,6 +76,7 @@ interface(`rtkit_scheduled',` type rtkit_daemon_t; ') @@ -40960,7 +41090,7 @@ index 22adaca..d9913e0 100644 + allow $1 sshd_t:process signull; +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..92e24a9 100644 +index 2dad3c8..503a845 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0) @@ -41055,11 +41185,13 @@ index 2dad3c8..92e24a9 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -113,20 +114,23 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -113,20 +114,25 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) +userdom_stream_connect(ssh_t) ++userdom_search_admin_dir(sshd_t) ++userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) # Allow the ssh program to communicate with ssh-agent. stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) 
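Review bot: `dontaudit rtkit_daemon_t $1:process { getsched setsched };` inside a dontaudit interface silences exactly the operation rtkit exists to perform on the caller, so a caller that genuinely needs real-time scheduling will fail without a trace; `rtkit_scheduled`, visible right below in this hunk, is the interface that grants it. Add a comment making the distinction explicit, e.g. `# caller does not want rtkit touching its scheduling; use rtkit_scheduled() if it should`. The interface name is outside the hunk, so I cannot check that its summary says so.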
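Review bot: `userdom_search_admin_dir(sshd_t)` is inserted in the middle of the ssh_t (client) section, between the ssh_home_t rules and the ssh-agent connect rule, while a later hunk in this file removes the same line from the sshd_t section; the net effect is a server-side rule living among client rules. Move it back next to the other `userdom_*(sshd_t)` lines so the two domains' policies stay separable. `userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })` is fine here but would read better with `# root's ~/.ssh` above it. The ssh_t section continues outside the hunk.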
@@ -41082,7 +41214,7 @@ index 2dad3c8..92e24a9 100644 kernel_read_kernel_sysctls(ssh_t) kernel_read_system_state(ssh_t) -@@ -138,6 +142,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) +@@ -138,6 +144,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t) corenet_tcp_sendrecv_all_ports(ssh_t) corenet_tcp_connect_ssh_port(ssh_t) corenet_sendrecv_ssh_client_packets(ssh_t) @@ -41091,7 +41223,7 @@ index 2dad3c8..92e24a9 100644 dev_read_urand(ssh_t) -@@ -162,6 +168,7 @@ logging_read_generic_logs(ssh_t) +@@ -162,21 +170,28 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) miscfiles_read_localization(ssh_t) @@ -41099,8 +41231,9 @@ index 2dad3c8..92e24a9 100644 seutil_read_config(ssh_t) -@@ -169,14 +176,19 @@ userdom_dontaudit_list_user_home_dirs(ssh_t) + userdom_dontaudit_list_user_home_dirs(ssh_t) userdom_search_user_home_dirs(ssh_t) ++userdom_search_admin_dir(ssh_t) # Write to the user domain tty. userdom_use_user_terminals(ssh_t) -# needs to read krb tgt @@ -41124,7 +41257,7 @@ index 2dad3c8..92e24a9 100644 ') tunable_policy(`use_nfs_home_dirs',` -@@ -196,10 +208,15 @@ tunable_policy(`user_tcp_server',` +@@ -196,10 +211,15 @@ tunable_policy(`user_tcp_server',` ') optional_policy(` @@ -41140,7 +41273,7 @@ index 2dad3c8..92e24a9 100644 ############################## # # ssh_keysign_t local policy -@@ -209,7 +226,7 @@ tunable_policy(`allow_ssh_keysign',` +@@ -209,7 +229,7 @@ tunable_policy(`allow_ssh_keysign',` allow ssh_keysign_t self:capability { setgid setuid }; allow ssh_keysign_t self:unix_stream_socket create_socket_perms; @@ -41149,7 +41282,7 @@ index 2dad3c8..92e24a9 100644 dev_read_urand(ssh_keysign_t) -@@ -232,33 +249,43 @@ optional_policy(` +@@ -232,33 +252,42 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; 
@@ -41175,7 +41308,6 @@ index 2dad3c8..92e24a9 100644 +userdom_read_user_home_content_files(sshd_t) +userdom_read_user_home_content_symlinks(sshd_t) -+userdom_search_admin_dir(sshd_t) +userdom_manage_tmp_role(system_r, sshd_t) +userdom_spec_domtrans_unpriv_users(sshd_t) +userdom_signal_unpriv_users(sshd_t) @@ -41202,7 +41334,7 @@ index 2dad3c8..92e24a9 100644 ') optional_policy(` -@@ -266,11 +293,24 @@ optional_policy(` +@@ -266,11 +295,24 @@ optional_policy(` ') optional_policy(` @@ -41228,7 +41360,7 @@ index 2dad3c8..92e24a9 100644 ') optional_policy(` -@@ -284,6 +324,11 @@ optional_policy(` +@@ -284,6 +326,11 @@ optional_policy(` ') optional_policy(` @@ -41240,7 +41372,7 @@ index 2dad3c8..92e24a9 100644 unconfined_shell_domtrans(sshd_t) ') -@@ -292,26 +337,26 @@ optional_policy(` +@@ -292,26 +339,26 @@ optional_policy(` ') ifdef(`TODO',` @@ -41286,7 +41418,7 @@ index 2dad3c8..92e24a9 100644 ') dnl endif TODO ######################################## -@@ -322,14 +367,18 @@ tunable_policy(`ssh_sysadm_login',` +@@ -322,14 +369,18 @@ tunable_policy(`ssh_sysadm_login',` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -41306,7 +41438,7 @@ index 2dad3c8..92e24a9 100644 kernel_read_kernel_sysctls(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) -@@ -353,7 +402,7 @@ logging_send_syslog_msg(ssh_keygen_t) +@@ -353,7 +404,7 @@ logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) optional_policy(` @@ -46533,7 +46665,7 @@ index 2952cef..d845132 100644 /var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 42b4f0f..bd258e2 100644 +index 42b4f0f..3c1892d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` 
@@ -46679,15 +46811,33 @@ index 42b4f0f..bd258e2 100644 ') ######################################## -@@ -418,6 +475,7 @@ interface(`auth_run_chk_passwd',` +@@ -418,6 +475,25 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; + auth_run_upd_passwd($1, $2) ++') ++ ++######################################## ++## ++## Send generic signals to chkpwd processes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_signal_chk_passwd',` ++ gen_require(` ++ type chkpwd_t; ++ ') ++ ++ allow $1 chkpwd_t:process signal; ') ######################################## -@@ -694,7 +752,7 @@ interface(`auth_relabel_shadow',` +@@ -694,7 +770,7 @@ interface(`auth_relabel_shadow',` ') files_search_etc($1) @@ -46696,7 +46846,7 @@ index 42b4f0f..bd258e2 100644 typeattribute $1 can_relabelto_shadow_passwords; ') -@@ -736,6 +794,46 @@ interface(`auth_rw_faillog',` +@@ -736,6 +812,46 @@ interface(`auth_rw_faillog',` allow $1 faillog_t:file rw_file_perms; ') @@ -46743,7 +46893,7 @@ index 42b4f0f..bd258e2 100644 ####################################### ## ## Read the last logins log. -@@ -874,6 +972,46 @@ interface(`auth_exec_pam',` +@@ -874,6 +990,46 @@ interface(`auth_exec_pam',` ######################################## ## @@ -46790,7 +46940,7 @@ index 42b4f0f..bd258e2 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -896,6 +1034,26 @@ interface(`auth_manage_var_auth',` +@@ -896,6 +1052,26 @@ interface(`auth_manage_var_auth',` ######################################## ## @@ -46817,7 +46967,7 @@ index 42b4f0f..bd258e2 100644 ## Read PAM PID files. ## ## -@@ -1093,6 +1251,24 @@ interface(`auth_delete_pam_console_data',` +@@ -1093,6 +1269,24 @@ interface(`auth_delete_pam_console_data',` ######################################## ## 
@@ -46842,7 +46992,7 @@ index 42b4f0f..bd258e2 100644 ## Read all directories on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1326,6 +1502,25 @@ interface(`auth_setattr_login_records',` +@@ -1326,6 +1520,25 @@ interface(`auth_setattr_login_records',` ######################################## ## @@ -46868,7 +47018,7 @@ index 42b4f0f..bd258e2 100644 ## Read login records files (/var/log/wtmp). ## ## -@@ -1500,28 +1695,36 @@ interface(`auth_manage_login_records',` +@@ -1500,28 +1713,36 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -46912,7 +47062,7 @@ index 42b4f0f..bd258e2 100644 optional_policy(` kerberos_use($1) ') -@@ -1531,7 +1734,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1752,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -47186,7 +47336,7 @@ index a97a096..ab1e16a 100644 /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index a442acc..8cc63f7 100644 +index a442acc..f7dcebe 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; @@ -47237,7 +47387,7 @@ index a442acc..8cc63f7 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -130,6 +138,7 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -130,10 +138,12 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) 
@@ -47245,7 +47395,12 @@ index a442acc..8cc63f7 100644 storage_swapon_fixed_disk(fsadm_t) term_use_console(fsadm_t) -@@ -142,12 +151,9 @@ logging_send_syslog_msg(fsadm_t) + ++init_read_state(fsadm_t) + init_use_fds(fsadm_t) + init_use_script_ptys(fsadm_t) + init_dontaudit_getattr_initctl(fsadm_t) +@@ -142,12 +152,9 @@ logging_send_syslog_msg(fsadm_t) miscfiles_read_localization(fsadm_t) @@ -47259,7 +47414,7 @@ index a442acc..8cc63f7 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +172,24 @@ optional_policy(` +@@ -166,6 +173,24 @@ optional_policy(` ') optional_policy(` @@ -47284,7 +47439,7 @@ index a442acc..8cc63f7 100644 nis_use_ypbind(fsadm_t) ') -@@ -175,6 +199,14 @@ optional_policy(` +@@ -175,6 +200,14 @@ optional_policy(` ') optional_policy(` @@ -47369,7 +47524,7 @@ index 882c6a2..d0ff4ec 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 354ce93..f7cda1c 100644 +index 354ce93..f97fbb7 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc @@ -33,6 +33,19 @@ ifdef(`distro_gentoo', ` @@ -47402,8 +47557,13 @@ index 354ce93..f7cda1c 100644 # # /var +@@ -76,3 +92,4 @@ ifdef(`distro_suse', ` + /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) + /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) + ') ++/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..84c0fb7 100644 +index cc83689..05b4982 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` 
@@ -47611,10 +47771,20 @@ index cc83689..84c0fb7 100644 mls_rangetrans_target($1) ') ') -@@ -525,6 +636,24 @@ interface(`init_stream_connect',` - allow $1 init_t:unix_stream_socket connectto; - ') +@@ -519,10 +630,30 @@ interface(`init_sigchld',` + # + interface(`init_stream_connect',` + gen_require(` +- type init_t; ++ type init_t, init_var_run_t; + ') +- allow $1 init_t:unix_stream_socket connectto; ++ files_search_pids($1) ++ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t) ++ ++') ++ +####################################### +## +## Dontaudit Connect to init with a unix socket. @@ -47631,12 +47801,10 @@ index cc83689..84c0fb7 100644 + ') + + dontaudit $1 init_t:unix_stream_socket connectto; -+') -+ + ') + ######################################## - ## - ## Inherit and use file descriptors from init. -@@ -688,19 +817,24 @@ interface(`init_telinit',` +@@ -688,19 +819,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -47662,7 +47830,7 @@ index cc83689..84c0fb7 100644 ') ') -@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',` +@@ -773,18 +909,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -47686,7 +47854,7 @@ index cc83689..84c0fb7 100644 ') ') -@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',` +@@ -800,23 +937,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -47709,11 +47877,11 @@ index cc83689..84c0fb7 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; -+ ') -+') -+ -+######################################## -+## + ') + ') + + ######################################## + ## +## Execute a file in a bin directory +## in the initrc_t domain +## 
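Review bot: `init_dontaudit_stream_connect` (the interface in the next hunk on this line) no longer mirrors `init_stream_connect` after this rewrite: the allow side now goes through `files_search_pids($1)` and `stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)`, so a refused connect will first show up as `init_var_run_t:dir search` or `init_var_run_t:sock_file write` denials that the dontaudit counterpart's `dontaudit $1 init_t:unix_stream_socket connectto;` does not silence; consider adding `dontaudit $1 init_var_run_t:sock_file write;` beside it. Because this patch also labels `/var/run/systemd(/.*)?` as init_var_run_t, every caller of `init_stream_connect` (syslogd_t is added as one later in this patch) now gets write on every socket under /run/systemd rather than a connect to one socket; a dedicated socket type would keep that grant narrower. The empty line added before the new `')` should also be dropped.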
@@ -47726,13 +47894,17 @@ index cc83689..84c0fb7 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; - ') ++ ') + + corecmd_bin_domtrans($1, initrc_t) - ') - - ######################################## -@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',` ++') ++ ++######################################## ++## + ## Execute a init script in a specified domain. + ## + ## +@@ -868,9 +1027,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -47747,7 +47919,7 @@ index cc83689..84c0fb7 100644 files_search_etc($1) ') -@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1243,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -47772,7 +47944,7 @@ index cc83689..84c0fb7 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1312,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -47786,7 +47958,7 @@ index cc83689..84c0fb7 100644 ') ######################################## -@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1552,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -47814,7 +47986,7 @@ index cc83689..84c0fb7 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1659,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -47840,7 +48012,7 @@ index cc83689..84c0fb7 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1736,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## 
@@ -47865,7 +48037,7 @@ index cc83689..84c0fb7 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1907,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1909,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -47874,7 +48046,82 @@ index cc83689..84c0fb7 100644 ') ######################################## -@@ -1749,3 +1982,120 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1715,6 +1950,74 @@ interface(`init_pid_filetrans_utmp',` + files_pid_filetrans($1, initrc_var_run_t, file) + ') + ++###################################### ++## ++## Allow search directory in the /run/systemd directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_search_pid_dirs',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:dir list_dir_perms; ++') ++ ++####################################### ++## ++## Create a directory in the /run/systemd directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_create_pid_dirs',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ allow $1 init_var_run_t:dir list_dir_perms; ++ create_dirs_pattern($1, init_var_run_t, init_var_run_t) ++') ++ ++####################################### ++## ++## Create objects in /run/systemd directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`init_pid_filetrans',` ++ gen_require(` ++ type init_var_run_t; ++ ') ++ ++ filetrans_pattern($1, init_var_run_t, $2, $3) ++ allow $1 init_var_run_t:dir search_dir_perms; ++') ++ + ######################################## + ## + ## Allow the specified domain to connect to daemon with a tcp socket +@@ -1749,3 +2052,120 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') 
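Review bot: `init_search_pid_dirs` is named and documented as a search interface but grants `list_dir_perms` on init_var_run_t, which also permits reading the directory's entries; either the rule should be `allow $1 init_var_run_t:dir search_dir_perms;` or the name and summary should say "list". In `init_pid_filetrans` the trailing `allow $1 init_var_run_t:dir search_dir_perms;` looks redundant, since `filetrans_pattern` already grants `rw_dir_perms` on the directory type in refpolicy's support macros — worth confirming against this tree's misc_patterns.spt. The three new interface headers also use differing `#` widths (six and seven hashes) compared with the forty-hash headers of the surrounding interfaces.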
@@ -47996,7 +48243,7 @@ index cc83689..84c0fb7 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..4283571 100644 +index ea29513..de61fb9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -48071,7 +48318,7 @@ index ea29513..4283571 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -100,7 +133,9 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -100,11 +133,15 @@ allow init_t self:fifo_file rw_fifo_file_perms; # Re-exec itself can_exec(init_t, init_exec_t) @@ -48080,9 +48327,18 @@ index ea29513..4283571 100644 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; - # For /var/run/shutdown.pid. - allow init_t init_var_run_t:file manage_file_perms; -@@ -114,11 +149,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +-# For /var/run/shutdown.pid. +-allow init_t init_var_run_t:file manage_file_perms; +-files_pid_filetrans(init_t, init_var_run_t, file) ++manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t) ++manage_files_pattern(init_t, init_var_run_t, init_var_run_t) ++manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t) ++manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t) ++files_pid_filetrans(init_t, init_var_run_t, { dir file }) + + allow init_t initctl_t:fifo_file manage_fifo_file_perms; + dev_filetrans(init_t, initctl_t, fifo_file) +@@ -114,11 +151,13 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -48096,7 +48352,7 @@ index ea29513..4283571 100644 # Early devtmpfs dev_rw_generic_chr_files(init_t) -@@ -127,11 +164,16 @@ domain_kill_all_domains(init_t) +@@ -127,11 +166,16 @@ domain_kill_all_domains(init_t) domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) 
@@ -48113,7 +48369,7 @@ index ea29513..4283571 100644 files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: -@@ -151,6 +193,7 @@ mls_file_read_all_levels(init_t) +@@ -151,6 +195,7 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) @@ -48121,7 +48377,7 @@ index ea29513..4283571 100644 selinux_set_all_booleans(init_t) -@@ -162,12 +205,15 @@ init_domtrans_script(init_t) +@@ -162,12 +207,15 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -48137,7 +48393,7 @@ index ea29513..4283571 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +224,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +226,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -48146,7 +48402,7 @@ index ea29513..4283571 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +232,106 @@ tunable_policy(`init_upstart',` +@@ -186,12 +234,109 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -48192,8 +48448,11 @@ index ea29513..4283571 100644 + files_mounton_all_mountpoints(init_t) + files_unmount_all_file_type_fs(init_t) + files_manage_all_pid_dirs(init_t) ++ files_relabel_all_pid_dirs(init_t) ++ files_relabel_all_pid_files(init_t) + files_unlink_all_pid_sockets(init_t) + files_manage_urandom_seed(init_t) ++ files_create_lock_dirs(init_t) + + fs_manage_cgroup_dirs(init_t) + fs_manage_hugetlbfs_dirs(init_t) @@ -48253,7 +48512,7 @@ index ea29513..4283571 100644 ') optional_policy(` -@@ -199,10 +339,25 @@ optional_policy(` +@@ -199,10 +344,25 @@ optional_policy(` ') optional_policy(` 
@@ -48279,7 +48538,7 @@ index ea29513..4283571 100644 unconfined_domain(init_t) ') -@@ -212,7 +367,7 @@ optional_policy(` +@@ -212,7 +372,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -48288,11 +48547,12 @@ index ea29513..4283571 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +396,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +401,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_manage_generic_pids_symlinks(initrc_t) ++files_create_var_run_dirs(initrc_t) can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) @@ -48303,7 +48563,7 @@ index ea29513..4283571 100644 init_write_initctl(initrc_t) -@@ -258,20 +415,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +421,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -48340,7 +48600,7 @@ index ea29513..4283571 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +448,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +454,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -48348,7 +48608,7 @@ index ea29513..4283571 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +461,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +467,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) 
@@ -48356,7 +48616,7 @@ index ea29513..4283571 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +469,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +475,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -48372,7 +48632,7 @@ index ea29513..4283571 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +487,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +493,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -48380,7 +48640,7 @@ index ea29513..4283571 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +495,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +501,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -48392,7 +48652,7 @@ index ea29513..4283571 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +514,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +520,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -48406,7 +48666,7 @@ index ea29513..4283571 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +529,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +535,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) 
@@ -48415,7 +48675,7 @@ index ea29513..4283571 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +543,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +549,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -48423,7 +48683,7 @@ index ea29513..4283571 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +555,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +561,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -48431,7 +48691,7 @@ index ea29513..4283571 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +576,12 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +582,12 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -48447,7 +48707,7 @@ index ea29513..4283571 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -478,7 +659,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +665,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -48456,7 +48716,15 @@ index ea29513..4283571 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -524,6 +705,23 @@ ifdef(`distro_redhat',` +@@ -493,6 +680,7 @@ ifdef(`distro_redhat',` + files_create_boot_dirs(initrc_t) + files_create_boot_flag(initrc_t) + files_rw_boot_symlinks(initrc_t) ++ + # wants to read /.fonts directory + files_read_default_files(initrc_t) + files_mountpoint(initrc_tmp_t) +@@ -524,6 +712,23 @@ ifdef(`distro_redhat',` optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) 
@@ -48480,7 +48748,7 @@ index ea29513..4283571 100644 ') optional_policy(` -@@ -531,10 +729,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +736,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -48498,7 +48766,7 @@ index ea29513..4283571 100644 ') optional_policy(` -@@ -549,6 +754,39 @@ ifdef(`distro_suse',` +@@ -549,6 +761,39 @@ ifdef(`distro_suse',` ') ') @@ -48538,7 +48806,7 @@ index ea29513..4283571 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +799,8 @@ optional_policy(` +@@ -561,6 +806,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -48547,7 +48815,7 @@ index ea29513..4283571 100644 ') optional_policy(` -@@ -577,6 +817,7 @@ optional_policy(` +@@ -577,6 +824,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -48555,7 +48823,7 @@ index ea29513..4283571 100644 ') optional_policy(` -@@ -589,6 +830,11 @@ optional_policy(` +@@ -589,6 +837,11 @@ optional_policy(` ') optional_policy(` @@ -48567,7 +48835,7 @@ index ea29513..4283571 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +851,13 @@ optional_policy(` +@@ -605,9 +858,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -48581,7 +48849,7 @@ index ea29513..4283571 100644 ') optional_policy(` -@@ -649,6 +899,11 @@ optional_policy(` +@@ -649,6 +906,11 @@ optional_policy(` ') optional_policy(` @@ -48593,7 +48861,7 @@ index ea29513..4283571 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +961,13 @@ optional_policy(` +@@ -706,7 +968,13 @@ optional_policy(` ') optional_policy(` @@ -48607,7 +48875,7 @@ index ea29513..4283571 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +990,10 @@ optional_policy(` +@@ -729,6 +997,10 @@ optional_policy(` ') optional_policy(` 
@@ -48618,7 +48886,7 @@ index ea29513..4283571 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1003,20 @@ optional_policy(` +@@ -738,10 +1010,20 @@ optional_policy(` ') optional_policy(` @@ -48639,7 +48907,7 @@ index ea29513..4283571 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1025,10 @@ optional_policy(` +@@ -750,6 +1032,10 @@ optional_policy(` ') optional_policy(` @@ -48650,7 +48918,7 @@ index ea29513..4283571 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1050,6 @@ optional_policy(` +@@ -771,8 +1057,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -48659,7 +48927,7 @@ index ea29513..4283571 100644 ') optional_policy(` -@@ -781,14 +1058,21 @@ optional_policy(` +@@ -781,14 +1065,21 @@ optional_policy(` ') optional_policy(` @@ -48681,7 +48949,7 @@ index ea29513..4283571 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -810,11 +1094,24 @@ optional_policy(` +@@ -810,11 +1101,24 @@ optional_policy(` ') optional_policy(` @@ -48707,7 +48975,7 @@ index ea29513..4283571 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1121,25 @@ optional_policy(` +@@ -824,6 +1128,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -48733,7 +49001,7 @@ index ea29513..4283571 100644 ') optional_policy(` -@@ -849,3 +1165,37 @@ optional_policy(` +@@ -849,3 +1172,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -48771,6 +49039,11 @@ index ea29513..4283571 100644 +') + +init_rw_stream_sockets(daemon) ++ ++allow init_t var_run_t:dir relabelto; ++ ++init_stream_connect(initrc_t) ++ diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc index 07eba2b..942bea1 100644 --- a/policy/modules/system/ipsec.fc 
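Review bot: The appended `allow init_t var_run_t:dir relabelto;` references the files module's `var_run_t` directly from init.te instead of going through a `files_*` interface, which breaks the module-encapsulation convention the rest of this file follows; `files_relabel_all_pid_dirs(init_t)`, added earlier in this same patch, presumably already covers relabelto on pid directories, so the raw rule is likely redundant — and if it is not, the right fix is a new interface in files.if. Likewise `init_stream_connect(initrc_t)` overlaps the explicit `allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms };` rule this patch carries in the init_t section; only the dir search and sock_file write parts of the interface are new, so keeping both is confusing and one of them should go. Both additions also sit after the `init_rw_stream_sockets(daemon)` tail rather than in the init_t / initrc_t sections where related rules live.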
@@ -50055,7 +50328,7 @@ index c7cfb62..6160239 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..4c9a5eb 100644 +index 9b5a9ed..d3522be 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -19,6 +19,11 @@ type auditd_log_t; @@ -50084,7 +50357,7 @@ index 9b5a9ed..4c9a5eb 100644 type syslogd_initrc_exec_t; init_script_file(syslogd_initrc_exec_t) -@@ -179,6 +185,8 @@ logging_send_syslog_msg(auditd_t) +@@ -179,10 +185,13 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -50093,7 +50366,12 @@ index 9b5a9ed..4c9a5eb 100644 miscfiles_read_localization(auditd_t) mls_file_read_all_levels(auditd_t) -@@ -234,7 +242,12 @@ domain_use_interactive_fds(audisp_t) + mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory ++mls_socket_write_all_levels(auditd_t) + + seutil_dontaudit_read_config(auditd_t) + +@@ -234,7 +243,12 @@ domain_use_interactive_fds(audisp_t) files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) @@ -50106,7 +50384,7 @@ index 9b5a9ed..4c9a5eb 100644 logging_send_syslog_msg(audisp_t) -@@ -244,14 +257,26 @@ sysnet_dns_name_resolve(audisp_t) +@@ -244,14 +258,26 @@ sysnet_dns_name_resolve(audisp_t) optional_policy(` dbus_system_bus_client(audisp_t) @@ -50134,9 +50412,12 @@ index 9b5a9ed..4c9a5eb 100644 corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) -@@ -266,9 +291,16 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -265,10 +291,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) + files_read_etc_files(audisp_remote_t) ++mls_socket_write_all_levels(audisp_remote_t) ++ logging_send_syslog_msg(audisp_remote_t) +logging_send_audit_msgs(audisp_remote_t) + 
@@ -50151,7 +50432,7 @@ index 9b5a9ed..4c9a5eb 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -338,11 +370,12 @@ optional_policy(` +@@ -338,11 +373,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -50166,7 +50447,7 @@ index 9b5a9ed..4c9a5eb 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -360,6 +393,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -360,6 +396,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -50174,7 +50455,7 @@ index 9b5a9ed..4c9a5eb 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -369,9 +403,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -369,9 +406,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -50190,7 +50471,7 @@ index 9b5a9ed..4c9a5eb 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,6 +452,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -412,6 +455,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) 
@@ -50200,7 +50481,15 @@ index 9b5a9ed..4c9a5eb 100644 domain_use_interactive_fds(syslogd_t) -@@ -480,6 +523,10 @@ optional_policy(` +@@ -432,6 +478,7 @@ term_write_console(syslogd_t) + # Allow syslog to a terminal + term_write_unallocated_ttys(syslogd_t) + ++init_stream_connect(syslogd_t) + # for sending messages to logged in users + init_read_utmp(syslogd_t) + init_dontaudit_write_utmp(syslogd_t) +@@ -480,6 +527,10 @@ optional_policy(` ') optional_policy(` @@ -50211,7 +50500,7 @@ index 9b5a9ed..4c9a5eb 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +535,10 @@ optional_policy(` +@@ -488,6 +539,10 @@ optional_policy(` ') optional_policy(` @@ -50700,16 +50989,17 @@ index a0eef20..75e256f 100644 dev_rw_xserver_misc(insmod_t) diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc -index 72c746e..3d0bc28 100644 +index 72c746e..9f9124f 100644 --- a/policy/modules/system/mount.fc +++ b/policy/modules/system/mount.fc -@@ -1,4 +1,14 @@ +@@ -1,4 +1,15 @@ +/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0) /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) ++/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) + +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) @@ -51896,7 +52186,7 @@ index 170e2c7..540a936 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..293555e 100644 +index 7ed9819..1dc6876 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; 
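Review bot: The new mount.fc entry uses the `/run/mount(/.*)?` path prefix while the other runtime entries this patch adds (init.fc `/var/run/systemd(/.*)?`, systemd.fc `/var/run/systemd/ask-password-block/...`) use `/var/run`; unless a file_contexts.subs_dist mapping between `/run` and `/var/run` is in place, one of the two spellings will not match at relabel time, so the patch should pick one convention. Note that a `/dev/\.mount(/.*)?` entry for the same type already sits directly above, so a matching `/var/run/mount(/.*)?` line would follow the style of init.fc.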
@@ -51980,7 +52270,15 @@ index 7ed9819..293555e 100644 miscfiles_read_localization(load_policy_t) -@@ -204,7 +222,7 @@ ifdef(`hide_broken_symptoms',` +@@ -183,6 +201,7 @@ seutil_libselinux_linked(load_policy_t) + + userdom_use_user_terminals(load_policy_t) + userdom_use_all_users_fds(load_policy_t) ++userdom_dontaudit_read_user_tmp_files(load_policy_t) + + ifdef(`distro_ubuntu',` + optional_policy(` +@@ -204,7 +223,7 @@ ifdef(`hide_broken_symptoms',` # Newrole local policy # @@ -51989,7 +52287,7 @@ index 7ed9819..293555e 100644 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow newrole_t self:process setexec; allow newrole_t self:fd use; -@@ -216,7 +234,7 @@ allow newrole_t self:msgq create_msgq_perms; +@@ -216,7 +235,7 @@ allow newrole_t self:msgq create_msgq_perms; allow newrole_t self:msg { send receive }; allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -51998,7 +52296,7 @@ index 7ed9819..293555e 100644 read_files_pattern(newrole_t, default_context_t, default_context_t) read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) -@@ -233,6 +251,7 @@ domain_use_interactive_fds(newrole_t) +@@ -233,6 +252,7 @@ domain_use_interactive_fds(newrole_t) # for when the user types "exec newrole" at the command line: domain_sigchld_interactive_fds(newrole_t) @@ -52006,7 +52304,7 @@ index 7ed9819..293555e 100644 files_read_etc_files(newrole_t) files_read_var_files(newrole_t) files_read_var_symlinks(newrole_t) -@@ -260,25 +279,30 @@ term_relabel_all_ptys(newrole_t) +@@ -260,25 +280,30 @@ term_relabel_all_ptys(newrole_t) term_getattr_unallocated_ttys(newrole_t) term_dontaudit_use_unallocated_ttys(newrole_t) 
@@ -52043,7 +52341,7 @@ index 7ed9819..293555e 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(newrole_t) -@@ -312,6 +336,8 @@ kernel_use_fds(restorecond_t) +@@ -312,6 +337,8 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) @@ -52052,7 +52350,7 @@ index 7ed9819..293555e 100644 fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) fs_getattr_xattr_fs(restorecond_t) -@@ -335,6 +361,8 @@ miscfiles_read_localization(restorecond_t) +@@ -335,6 +362,8 @@ miscfiles_read_localization(restorecond_t) seutil_libselinux_linked(restorecond_t) @@ -52061,7 +52359,7 @@ index 7ed9819..293555e 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(restorecond_t) -@@ -353,7 +381,7 @@ optional_policy(` +@@ -353,7 +382,7 @@ optional_policy(` allow run_init_t self:process setexec; allow run_init_t self:capability setuid; allow run_init_t self:fifo_file rw_file_perms; @@ -52070,7 +52368,15 @@ index 7ed9819..293555e 100644 # often the administrator runs such programs from a directory that is owned # by a different user or has restrictive SE permissions, do not want to audit -@@ -380,6 +408,8 @@ selinux_compute_create_context(run_init_t) +@@ -363,6 +392,7 @@ dontaudit run_init_t self:capability { dac_override dac_read_search }; + corecmd_exec_bin(run_init_t) + corecmd_exec_shell(run_init_t) + ++dev_dontaudit_getattr_all(run_init_t) + dev_dontaudit_list_all_dev_nodes(run_init_t) + + domain_use_interactive_fds(run_init_t) +@@ -380,6 +410,8 @@ selinux_compute_create_context(run_init_t) selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) @@ -52079,7 +52385,7 @@ index 7ed9819..293555e 100644 auth_use_nsswitch(run_init_t) auth_domtrans_chk_passwd(run_init_t) auth_domtrans_upd_passwd(run_init_t) -@@ -405,6 +435,15 @@ ifndef(`direct_sysadm_daemon',` +@@ -405,6 +437,15 @@ ifndef(`direct_sysadm_daemon',` ') ') 
@@ -52095,7 +52401,7 @@ index 7ed9819..293555e 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,61 +459,22 @@ optional_policy(` +@@ -420,61 +461,22 @@ optional_policy(` # semodule local policy # @@ -52165,7 +52471,7 @@ index 7ed9819..293555e 100644 # netfilter_contexts: seutil_manage_default_contexts(semanage_t) -@@ -487,118 +487,69 @@ ifdef(`distro_debian',` +@@ -487,118 +489,69 @@ ifdef(`distro_debian',` files_read_var_lib_symlinks(semanage_t) ') @@ -52842,10 +53148,10 @@ index df32316..e8d03fb 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..50aed3b +index 0000000..266e9b0 --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,12 @@ +/bin/systemd-notify -- gen_context(system_u:object_r:systemd_notify_exec_t,s0) + +/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) @@ -52855,14 +53161,15 @@ index 0000000..50aed3b + +/lib/systemd/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) + ++/var/run/systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0) +/dev/\.systemd/ask-password-block/[^/]* -p gen_context(system_u:object_r:systemd_device_t,s0) + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..1d17a7b +index 0000000..aabfb0d --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,139 @@ +@@ -0,0 +1,140 @@ +## SELinux policy for systemd components + +####################################### @@ -52995,6 +53302,7 @@ index 0000000..1d17a7b + dev_associate(systemd_$1_device_t) + + dev_filetrans($1_t, systemd_$1_device_t, { file sock_file }) ++ init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file }) + allow $1_t systemd_$1_device_t:file manage_file_perms; + allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms; + 
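Review bot: In the systemd.if hunk, the new `init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })` transitions regular files and sockets created under the init pid directory to the templated `systemd_$1_device_t`, but the only file-context entries visible in the systemd.fc hunk (`/var/run/systemd/ask-password-block/[^/]* -p` and its `/dev/\.systemd` twin) match named pipes only and label `systemd_device_t`. Unless matching entries exist elsewhere in systemd.fc, a `restorecon` of /run would relabel those objects to the parent's default and the transition label only holds until then; either add fc entries for them or note why runtime-only labeling is acceptable. A one-line comment on the new `/var/run/systemd/...` entry explaining why both the `/dev/\.systemd` and `/var/run/systemd` paths are kept would also make later cleanup safer.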
@@ -53004,10 +53312,10 @@ index 0000000..1d17a7b +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..6c68924 +index 0000000..a0f5414 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,153 @@ +@@ -0,0 +1,163 @@ + +policy_module(systemd, 1.0.0) + @@ -53054,6 +53362,7 @@ index 0000000..6c68924 + +allow systemd_passwd_agent_t systemd_device_t:fifo_file manage_fifo_file_perms; +dev_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file) ++init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file) + +kernel_stream_connect(systemd_passwd_agent_t) + @@ -53066,6 +53375,7 @@ index 0000000..6c68924 +auth_use_nsswitch(systemd_passwd_agent_t) + +init_read_utmp(systemd_passwd_agent_t) ++init_create_pid_dirs(systemd_passwd_agent_t) + +miscfiles_read_localization(systemd_passwd_agent_t) + @@ -53140,6 +53450,14 @@ index 0000000..6c68924 + rpm_delete_db(systemd_tmpfiles_t) +') + ++optional_policy(` ++ sandbox_list(systemd_tmpfiles_t) ++ sandbox_delete_dirs(systemd_tmpfiles_t) ++ sandbox_delete_files(systemd_tmpfiles_t) ++ sandbox_delete_sock_files(systemd_tmpfiles_t) ++ sandbox_setattr_dirs(systemd_tmpfiles_t) ++') ++ +######################################## +# +# systemd_notify local policy @@ -53162,10 +53480,19 @@ index 0000000..6c68924 + readahead_manage_pid_files(systemd_notify_t) +') diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc -index 0291685..44fe366 100644 +index 0291685..9dcdfe7 100644 --- a/policy/modules/system/udev.fc 
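Review bot: `init_create_pid_dirs(systemd_passwd_agent_t)` in the `@@ -53066` hunk lets the agent create directories under the init pid directory, but the only transition added for it, `init_pid_filetrans(systemd_passwd_agent_t, systemd_device_t, fifo_file)` in the hunk just above, covers the fifos, so any directory the agent creates there (presumably `ask-password-block`) keeps the init pid directory's type rather than a systemd one. If that is intentional, a short comment next to the create rule such as `# the ask-password-block dir itself keeps the init pid label; only the fifos inside are systemd_device_t` would make it explicit; otherwise add `dir` to the transition and a matching fc entry for the directory.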
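Review bot: The new `optional_policy` block granting systemd_tmpfiles_t list, delete and setattr over sandbox data carries no comment, and unlike the neighbouring `rpm_delete_db(systemd_tmpfiles_t)` block the interface names do not say which cleanup needs it; deletion rights over another domain's files deserve a line of intent. Suggest prefacing the block with `# systemd-tmpfiles removes stale sandbox scratch data (tmpfiles.d cleanup) -- confirm which rule needs this`.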
+++ b/policy/modules/system/udev.fc -@@ -22,3 +22,4 @@ +@@ -11,6 +11,8 @@ + + /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) + ++/run/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0) ++ + /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) + /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) +@@ -22,3 +24,4 @@ /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) @@ -54196,7 +54523,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..012c198 100644 +index 28b88de..8e51296 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -55905,7 +56232,32 @@ index 28b88de..012c198 100644 kernel_search_proc($1) ') -@@ -3139,3 +3543,1058 @@ interface(`userdom_dbus_send_all_users',` +@@ -3087,6 +3491,24 @@ interface(`userdom_signal_all_users',` + + ######################################## + ## ++## Send kill signals to all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_kill_all_users',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:process sigkill; ++') ++ ++######################################## ++## + ## Send a SIGCHLD signal to all user domains. + ## + ## +@@ -3139,3 +3561,1058 @@ interface(`userdom_dbus_send_all_users',` allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 6075a5c..c971b22 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
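Review bot: The new udev.fc entry `/run/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)` uses the `--` specifier, so only regular files under /run/.udev receive `udev_tbl_t`; the `/run/.udev` directory and its subdirectories, although covered by `(/.*)?`, do not match and keep whatever label the parent gives them. If the whole tree is meant to be the udev table type, drop the specifier: `/run/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)`; if files-only is intended, a comment saying so would stop someone "fixing" it later. This hunk begins on the previous line with the systemd.te changes.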
@@ -471,8 +471,21 @@ exit 0 %endif %changelog -* Wed Mar 30 2011 Miroslav Grepl 3.9.16-8 +* Thu Mar 31 2011 Miroslav Grepl 3.9.16-8 +- A lot of fixes making /run change working - Add subs file to equate /var/run with /run and /var/lock with /run/lock +- Allow rgmanager to send the kill signal to all users +- Allow ssh_t to search /root/.ssh and create it if it does not exist +- dontaudit read of user_tmp_t from load_policy +- Allow abrt fowner capability +- Allow audit daemons to change the run level in MLS environments +- Since /var/lock is moving to /run/lock. We need to allow all interfaces for lock files to search var_run_t +- Add file labelfor MathKernel +- Add label for /dev/dlm* +- Allow systemd_tmpfiles_t to manage sandbox data +- More /run directories labels +- rlogind sends kill signal to chkpwd_t +- systemd is now mounting on /var/lock * Fri Mar 25 2011 Miroslav Grepl 3.9.16-7 - Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs