diff --git a/policy-F15.patch b/policy-F15.patch
index c7d1ee3..998064a 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -14019,7 +14019,7 @@ index 2be17d2..9440b5f 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..d721e34 100644
+index 4a8d146..054eaa8 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,40 @@ ifndef(`enable_mls',`
@@ -14206,7 +14206,7 @@ index 4a8d146..d721e34 100644
optional_policy(`
rsync_exec(sysadm_t)
-@@ -307,7 +334,7 @@ optional_policy(`
+@@ -307,11 +334,12 @@ optional_policy(`
')
optional_policy(`
@@ -14215,7 +14215,12 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -332,10 +359,6 @@ optional_policy(`
+ ssh_role_template(sysadm, sysadm_r, sysadm_t)
++ ssh_run_keygen(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
+@@ -332,10 +360,6 @@ optional_policy(`
')
optional_policy(`
@@ -14226,7 +14231,7 @@ index 4a8d146..d721e34 100644
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +366,15 @@ optional_policy(`
+@@ -343,19 +367,15 @@ optional_policy(`
')
optional_policy(`
@@ -14248,7 +14253,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -367,17 +386,14 @@ optional_policy(`
+@@ -367,17 +387,14 @@ optional_policy(`
')
optional_policy(`
@@ -14268,7 +14273,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -389,7 +405,7 @@ optional_policy(`
+@@ -389,7 +406,7 @@ optional_policy(`
')
optional_policy(`
@@ -14277,7 +14282,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -404,8 +420,15 @@ optional_policy(`
+@@ -404,8 +421,15 @@ optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
@@ -14293,7 +14298,7 @@ index 4a8d146..d721e34 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -452,5 +475,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +476,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
@@ -31420,7 +31425,7 @@ index 8581040..2367841 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..f1eff62 100644
+index bf64a4c..8a9789c 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@@ -31492,7 +31497,15 @@ index bf64a4c..f1eff62 100644
dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)
-@@ -270,12 +273,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -211,6 +214,7 @@ domain_read_all_domains_state(nrpe_t)
+
+ files_read_etc_runtime_files(nrpe_t)
+ files_read_etc_files(nrpe_t)
++files_read_usr_files(nrpe_t)
+
+ fs_getattr_all_fs(nrpe_t)
+ fs_search_auto_mountpoints(nrpe_t)
+@@ -270,12 +274,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -31505,7 +31518,7 @@ index bf64a4c..f1eff62 100644
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
corecmd_read_bin_files(nagios_mail_plugin_t)
-@@ -299,7 +300,7 @@ optional_policy(`
+@@ -299,7 +301,7 @@ optional_policy(`
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
@@ -31514,7 +31527,7 @@ index bf64a4c..f1eff62 100644
')
######################################
-@@ -310,6 +311,9 @@ optional_policy(`
+@@ -310,6 +312,9 @@ optional_policy(`
# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@@ -31524,7 +31537,7 @@ index bf64a4c..f1eff62 100644
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
@@ -31532,7 +31545,7 @@ index bf64a4c..f1eff62 100644
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
-@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -31541,7 +31554,7 @@ index bf64a4c..f1eff62 100644
')
optional_policy(`
-@@ -363,7 +368,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,7 +369,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -48355,7 +48368,7 @@ index cc83689..3388f34 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..de61fb9 100644
+index ea29513..a0980c0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -49061,7 +49074,15 @@ index ea29513..de61fb9 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1101,24 @@ optional_policy(`
+@@ -800,7 +1091,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- udev_rw_db(initrc_t)
+ udev_manage_pid_files(initrc_t)
+ udev_manage_rules_files(initrc_t)
+ ')
+@@ -810,11 +1100,24 @@ optional_policy(`
')
optional_policy(`
@@ -49087,7 +49108,7 @@ index ea29513..de61fb9 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1128,25 @@ optional_policy(`
+@@ -824,6 +1127,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -49113,7 +49134,7 @@ index ea29513..de61fb9 100644
')
optional_policy(`
-@@ -849,3 +1172,42 @@ optional_policy(`
+@@ -849,3 +1171,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -52298,7 +52319,7 @@ index 170e2c7..540a936 100644
+')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..1dc6876 100644
+index 7ed9819..4eb4bae 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -52471,7 +52492,7 @@ index 7ed9819..1dc6876 100644
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(restorecond_t)
-@@ -353,7 +382,7 @@ optional_policy(`
+@@ -353,16 +382,19 @@ optional_policy(`
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -52480,7 +52501,11 @@ index 7ed9819..1dc6876 100644
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -363,6 +392,7 @@ dontaudit run_init_t self:capability { dac_override dac_read_search };
+ # the failed access to the current directory
+ dontaudit run_init_t self:capability { dac_override dac_read_search };
+
++kernel_dontaudit_getattr_core_if(run_init_t)
++
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
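Review bot: The new `kernel_dontaudit_getattr_core_if(run_init_t)` line silences an AVC denial without recording which access triggered it, unlike the `dac_override` dontaudit just above it, which carries an explanatory comment. The same applies to `init_dontaudit_getattr_initctl(run_init_t)` and `gpm_dontaudit_getattr_gpmctl(run_init_t)`, added in the next two hunks. Because dontaudit rules remove events from the audit log, I would add a one-line rationale above each, for example `# run_init getattr probe reported in <BUG-ID>; harmless, do not audit`, so a later reviewer can tell intended suppression from a masked problem. The run_init_t block starts and ends outside this hunk.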
@@ -52488,7 +52513,7 @@ index 7ed9819..1dc6876 100644
dev_dontaudit_list_all_dev_nodes(run_init_t)
domain_use_interactive_fds(run_init_t)
-@@ -380,6 +410,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +412,8 @@ selinux_compute_create_context(run_init_t)
selinux_compute_relabel_context(run_init_t)
selinux_compute_user_contexts(run_init_t)
@@ -52497,7 +52522,15 @@ index 7ed9819..1dc6876 100644
auth_use_nsswitch(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
auth_domtrans_upd_passwd(run_init_t)
-@@ -405,6 +437,15 @@ ifndef(`direct_sysadm_daemon',`
+@@ -388,6 +422,7 @@ auth_dontaudit_read_shadow(run_init_t)
+ init_spec_domtrans_script(run_init_t)
+ # for utmp
+ init_rw_utmp(run_init_t)
++init_dontaudit_getattr_initctl(run_init_t)
+
+ logging_send_syslog_msg(run_init_t)
+
+@@ -405,6 +440,19 @@ ifndef(`direct_sysadm_daemon',`
')
')
@@ -52507,13 +52540,17 @@ index 7ed9819..1dc6876 100644
+')
+
+optional_policy(`
++ gpm_dontaudit_getattr_gpmctl(run_init_t)
++')
++
++optional_policy(`
+ rpm_domtrans(run_init_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(run_init_t)
-@@ -420,61 +461,22 @@ optional_policy(`
+@@ -420,61 +468,22 @@ optional_policy(`
# semodule local policy
#
@@ -52523,20 +52560,20 @@ index 7ed9819..1dc6876 100644
-allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-
-allow semanage_t policy_config_t:file rw_file_perms;
--
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
--kernel_read_system_state(semanage_t)
--kernel_read_kernel_sysctls(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
--corecmd_exec_bin(semanage_t)
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-kernel_read_system_state(semanage_t)
+-kernel_read_kernel_sysctls(semanage_t)
+-
+-corecmd_exec_bin(semanage_t)
+-
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
@@ -52562,13 +52599,13 @@ index 7ed9819..1dc6876 100644
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
--
--miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
+-logging_send_syslog_msg(semanage_t)
+-
+-miscfiles_read_localization(semanage_t)
+-
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@@ -52583,7 +52620,7 @@ index 7ed9819..1dc6876 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
-@@ -487,118 +489,69 @@ ifdef(`distro_debian',`
+@@ -487,118 +496,69 @@ ifdef(`distro_debian',`
files_read_var_lib_symlinks(semanage_t)
')
@@ -52658,21 +52695,21 @@ index 7ed9819..1dc6876 100644
-term_use_all_ttys(setfiles_t)
-term_use_all_ptys(setfiles_t)
-term_use_unallocated_ttys(setfiles_t)
--
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
--init_use_fds(setfiles_t)
--init_use_script_fds(setfiles_t)
--init_use_script_ptys(setfiles_t)
--init_exec_script_files(setfiles_t)
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
+-init_use_fds(setfiles_t)
+-init_use_script_fds(setfiles_t)
+-init_use_script_ptys(setfiles_t)
+-init_exec_script_files(setfiles_t)
+-
-logging_send_syslog_msg(setfiles_t)
-
-miscfiles_read_localization(setfiles_t)
@@ -53597,27 +53634,29 @@ index 0000000..3c7493b
+ readahead_manage_pid_files(systemd_notify_t)
+')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..2be32d4 100644
+index 0291685..7e94f4b 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
-@@ -11,6 +11,10 @@
+@@ -1,6 +1,6 @@
+-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
++/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
- /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
+ /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
+@@ -21,4 +21,6 @@
-+/var/run/udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-+/run/udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-+/run/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-+
- /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -22,3 +26,4 @@
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
- /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/libgpod(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..8b50d5f 100644
+index 025348a..4e2ca03 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
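Review bot: The rewritten udev.fc section keeps only `/var/run/udev(/.*)?` and drops the `/run/udev(/.*)?` and `/run/\.udev(/.*)?` entries that the previous revision added (changelog entry "Add label for /run/udev"). Unless a path equivalence between /run and /var/run is defined elsewhere in the policy, which is not visible here, files under /run/udev would match a more generic file-context entry after a relabel. If that equivalence is not guaranteed, keep the entries with the new type, e.g. `/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)`. Note also that the three `/dev/...` entries keep the `--` specifier, so they match regular files only.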
@@ -53638,26 +53677,29 @@ index 025348a..8b50d5f 100644
')
########################################
-@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',`
- interface(`udev_read_db',`
+@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',`
+ #
+ interface(`udev_dontaudit_search_db',`
gen_require(`
- type udev_tbl_t;
-+ type device_t;
+- type udev_tbl_t;
++ type udev_var_run_t;
')
- dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:dir list_dir_perms;
- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
-+ allow $1 device_t:file read_file_perms;
+- dontaudit $1 udev_tbl_t:dir search_dir_perms;
++ dontaudit $1 udev_var_run_t:dir search_dir_perms;
')
########################################
-@@ -214,6 +216,24 @@ interface(`udev_rw_db',`
-
- ########################################
- ##
-+## Allow process to modify relabelto udev database
+@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',`
+ ##
+ #
+ interface(`udev_read_db',`
++ udev_read_pid_files($1)
++')
++
++########################################
++##
++## Allow process to modify list of devices.
+##
+##
+##
@@ -53665,21 +53707,73 @@ index 025348a..8b50d5f 100644
+##
+##
+#
++interface(`udev_rw_db',`
+ gen_require(`
+- type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
++ files_search_pids($1)
+ dev_list_all_dev_nodes($1)
+- allow $1 udev_tbl_t:dir list_dir_perms;
+- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++ rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+
+ ########################################
+ ##
+-## Allow process to modify list of devices.
++## Allow process to modify relabelto udev database
+ ##
+ ##
+ ##
+@@ -203,13 +216,36 @@ interface(`udev_read_db',`
+ ##
+ ##
+ #
+-interface(`udev_rw_db',`
+interface(`udev_relabelto_db',`
+ gen_require(`
-+ type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
-+ allow $1 udev_tbl_t:file relabelto_file_perms;
++ files_search_pids($1)
++ allow $1 udev_var_run_t:file relabelto_file_perms;
+')
+
+########################################
+##
- ## Create, read, write, and delete
- ## udev pid files.
- ##
-@@ -231,3 +251,62 @@ interface(`udev_manage_pid_files',`
- files_search_var_lib($1)
++## Create, read, write, and delete
++## udev pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`udev_read_pid_files',`
+ gen_require(`
+- type udev_tbl_t;
++ type udev_var_run_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+- allow $1 udev_tbl_t:file rw_file_perms;
++ files_search_pids($1)
++ allow $1 udev_var_run_t:dir list_dir_perms;
++ read_files_pattern($1, udev_var_run_t, udev_var_run_t)
++ read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+
+ ########################################
+@@ -228,6 +264,65 @@ interface(`udev_manage_pid_files',`
+ type udev_var_run_t;
+ ')
+
+- files_search_var_lib($1)
++ files_search_pids($1)
manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
')
+
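Review bot: The summary above the new `udev_read_pid_files` interface reads "Create, read, write, and delete udev pid files.", but the body grants only `list_dir_perms`, `read_files_pattern` and `read_lnk_files_pattern`; the text appears to be copied from `udev_manage_pid_files`. Policy authors pick interfaces by their summary, so I would change it to `## Read udev pid files.`. The summary of `udev_relabelto_db`, "Allow process to modify relabelto udev database", is also garbled and could read `## Allow process to relabel files to the udev database type.`. Separately, `udev_rw_db` now grants `rw_files_pattern` on every `udev_var_run_t` file rather than on the former database type only, which deserves a line in its description.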
@@ -53742,10 +53836,26 @@ index 025348a..8b50d5f 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..d8fff39 100644
+index d88f7c3..e1b2016 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
-@@ -38,6 +38,12 @@ ifdef(`enable_mcs',`
+@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
+ type udev_etc_t alias etc_udev_t;
+ files_config_file(udev_etc_t)
+
+-type udev_tbl_t alias udev_tdb_t;
+-files_type(udev_tbl_t)
+-
+ type udev_rules_t;
+ files_type(udev_rules_t)
+
+ type udev_var_run_t;
+ files_pid_file(udev_var_run_t)
++typealias udev_var_run_t alias udev_tbl_t;
+
+ ifdef(`enable_mcs',`
+ kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+@@ -38,6 +36,12 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
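Review bot: `typealias udev_var_run_t alias udev_tbl_t;` merges the udev database type into the pid-file type, so every rule written against `udev_tbl_t` elsewhere now applies to all `udev_var_run_t` objects. Per udev.fc in this same patch, those objects include `/var/run/PackageKit/udev` and `/var/run/libgpod`. Callers of `udev_rw_db` and `udev_relabelto_db` therefore gain write or relabel access to those paths as well; the callers are outside this page, but they are worth auditing. I would also add a comment on the alias, e.g. `# udev_tbl_t is kept only as a compatibility alias; the udev database now lives in /var/run/udev`.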
@@ -53758,7 +53868,7 @@ index d88f7c3..d8fff39 100644
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
-@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
@@ -53766,27 +53876,29 @@ index d88f7c3..d8fff39 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -64,7 +71,8 @@ allow udev_t udev_etc_t:file read_file_perms;
+@@ -62,17 +67,16 @@ can_exec(udev_t, udev_helper_exec_t)
+ # read udev config
+ allow udev_t udev_etc_t:file read_file_perms;
- # create udev database in /dev/.udevdb
- allow udev_t udev_tbl_t:file manage_file_perms;
+-# create udev database in /dev/.udevdb
+-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
-+allow udev_t udev_tbl_t:lnk_file manage_file_perms;
-+dev_filetrans(udev_t, udev_tbl_t, { file lnk_file } )
-
+-
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-@@ -72,7 +80,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+allow udev_t udev_var_run_t:file mounton;
++dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
++
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
-@@ -87,6 +96,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+@@ -87,6 +91,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
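Review bot: The comment `# create udev database in /dev/.udevdb` is removed together with the `udev_tbl_t` rules, but the type transition survives as `dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )` with nothing explaining why a pid-file type is created under /dev. I would keep a comment above it, e.g. `# legacy udev database entries created in /dev are labeled udev_var_run_t`. The transition also lists only `file` and `lnk_file`, so a directory udev creates directly in /dev would not get this type; confirm that is intended given the `/dev/\.udev(/.*)?` file-context entry.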
@@ -53794,7 +53906,7 @@ index d88f7c3..d8fff39 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -111,15 +121,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -111,15 +116,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
@@ -53816,7 +53928,7 @@ index d88f7c3..d8fff39 100644
mcs_ptrace_all(udev_t)
-@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +153,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -53824,7 +53936,7 @@ index d88f7c3..d8fff39 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -186,6 +202,7 @@ ifdef(`distro_redhat',`
+@@ -186,6 +197,7 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -53832,7 +53944,7 @@ index d88f7c3..d8fff39 100644
term_search_ptys(udev_t)
-@@ -216,11 +233,16 @@ optional_policy(`
+@@ -216,11 +228,16 @@ optional_policy(`
')
optional_policy(`
@@ -53849,7 +53961,7 @@ index d88f7c3..d8fff39 100644
')
optional_policy(`
-@@ -233,6 +255,10 @@ optional_policy(`
+@@ -233,6 +250,10 @@ optional_policy(`
')
optional_policy(`
@@ -53860,7 +53972,7 @@ index d88f7c3..d8fff39 100644
lvm_domtrans(udev_t)
')
-@@ -259,6 +285,10 @@ optional_policy(`
+@@ -259,6 +280,10 @@ optional_policy(`
')
optional_policy(`
@@ -53871,7 +53983,7 @@ index d88f7c3..d8fff39 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +303,11 @@ optional_policy(`
+@@ -273,6 +298,11 @@ optional_policy(`
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 16a5cc2..f317cd8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ exit 0
%endif
%changelog
+* Sat Apr 2 2011 Miroslav Grepl 3.9.16-11
+- Fix label for /var/run/udev to udev_var_run_t
+
* Fri Apr 1 2011 Miroslav Grepl 3.9.16-10
- Add label for /run/udev
- Mock needs to be able to read network state