diff --git a/policy-F15.patch b/policy-F15.patch
index c7d1ee3..998064a 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -14019,7 +14019,7 @@ index 2be17d2..9440b5f 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..d721e34 100644
+index 4a8d146..054eaa8 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,40 @@ ifndef(`enable_mls',`
@@ -14206,7 +14206,7 @@ index 4a8d146..d721e34 100644
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -307,7 +334,7 @@ optional_policy(`
+@@ -307,11 +334,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14215,7 +14215,12 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -332,10 +359,6 @@ optional_policy(`
+ 	ssh_role_template(sysadm, sysadm_r, sysadm_t)
++	ssh_run_keygen(sysadm_t, sysadm_r)
+ ')
+ 
+ optional_policy(`
+@@ -332,10 +360,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14226,7 +14231,7 @@ index 4a8d146..d721e34 100644
  	tripwire_run_siggen(sysadm_t, sysadm_r)
  	tripwire_run_tripwire(sysadm_t, sysadm_r)
  	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +366,15 @@ optional_policy(`
+@@ -343,19 +367,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14248,7 +14253,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -367,17 +386,14 @@ optional_policy(`
+@@ -367,17 +387,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14268,7 +14273,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -389,7 +405,7 @@ optional_policy(`
+@@ -389,7 +406,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14277,7 +14282,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -404,8 +420,15 @@ optional_policy(`
+@@ -404,8 +421,15 @@ optional_policy(`
  	yam_run(sysadm_t, sysadm_r)
  ')
  
@@ -14293,7 +14298,7 @@ index 4a8d146..d721e34 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -452,5 +475,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +476,60 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		java_role(sysadm_r, sysadm_t)
  	')
@@ -31420,7 +31425,7 @@ index 8581040..2367841 100644
  
  	allow $1 nagios_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..f1eff62 100644
+index bf64a4c..8a9789c 100644
 --- a/policy/modules/services/nagios.te
 +++ b/policy/modules/services/nagios.te
 @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
@@ -31492,7 +31497,15 @@ index bf64a4c..f1eff62 100644
  
  dev_read_sysfs(nrpe_t)
  dev_read_urand(nrpe_t)
-@@ -270,12 +273,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -211,6 +214,7 @@ domain_read_all_domains_state(nrpe_t)
+ 
+ files_read_etc_runtime_files(nrpe_t)
+ files_read_etc_files(nrpe_t)
++files_read_usr_files(nrpe_t)
+ 
+ fs_getattr_all_fs(nrpe_t)
+ fs_search_auto_mountpoints(nrpe_t)
+@@ -270,12 +274,10 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
  #
  
  allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -31505,7 +31518,7 @@ index bf64a4c..f1eff62 100644
  kernel_read_kernel_sysctls(nagios_mail_plugin_t)
  
  corecmd_read_bin_files(nagios_mail_plugin_t)
-@@ -299,7 +300,7 @@ optional_policy(`
+@@ -299,7 +301,7 @@ optional_policy(`
  
  optional_policy(`
  	postfix_stream_connect_master(nagios_mail_plugin_t)
@@ -31514,7 +31527,7 @@ index bf64a4c..f1eff62 100644
  ')
  
  ######################################
-@@ -310,6 +311,9 @@ optional_policy(`
+@@ -310,6 +312,9 @@ optional_policy(`
  # needed by ioctl()
  allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
  
@@ -31524,7 +31537,7 @@ index bf64a4c..f1eff62 100644
  files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
  
  fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
  
  allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
  allow nagios_services_plugin_t self:process { signal sigkill };
@@ -31532,7 +31545,7 @@ index bf64a4c..f1eff62 100644
  allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
  allow nagios_services_plugin_t self:udp_socket create_socket_perms;
  
-@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
  
  optional_policy(`
  	netutils_domtrans_ping(nagios_services_plugin_t)
@@ -31541,7 +31554,7 @@ index bf64a4c..f1eff62 100644
  ')
  
  optional_policy(`
-@@ -363,7 +368,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -363,7 +369,6 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
  manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
  files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
  
@@ -48355,7 +48368,7 @@ index cc83689..3388f34 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..de61fb9 100644
+index ea29513..a0980c0 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -49061,7 +49074,15 @@ index ea29513..de61fb9 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -810,11 +1101,24 @@ optional_policy(`
+@@ -800,7 +1091,6 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	udev_rw_db(initrc_t)
+ 	udev_manage_pid_files(initrc_t)
+ 	udev_manage_rules_files(initrc_t)
+ ')
+@@ -810,11 +1100,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49087,7 +49108,7 @@ index ea29513..de61fb9 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1128,25 @@ optional_policy(`
+@@ -824,6 +1127,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -49113,7 +49134,7 @@ index ea29513..de61fb9 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1172,42 @@ optional_policy(`
+@@ -849,3 +1171,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -52298,7 +52319,7 @@ index 170e2c7..540a936 100644
 +')
 +')
 diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index 7ed9819..1dc6876 100644
+index 7ed9819..4eb4bae 100644
 --- a/policy/modules/system/selinuxutil.te
 +++ b/policy/modules/system/selinuxutil.te
 @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@@ -52471,7 +52492,7 @@ index 7ed9819..1dc6876 100644
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(restorecond_t)
-@@ -353,7 +382,7 @@ optional_policy(`
+@@ -353,16 +382,19 @@ optional_policy(`
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -52480,7 +52501,11 @@ index 7ed9819..1dc6876 100644
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -363,6 +392,7 @@ dontaudit run_init_t self:capability { dac_override dac_read_search };
+ # the failed access to the current directory
+ dontaudit run_init_t self:capability { dac_override dac_read_search };
+ 
++kernel_dontaudit_getattr_core_if(run_init_t)
++
  corecmd_exec_bin(run_init_t)
  corecmd_exec_shell(run_init_t)
  
@@ -52488,7 +52513,7 @@ index 7ed9819..1dc6876 100644
  dev_dontaudit_list_all_dev_nodes(run_init_t)
  
  domain_use_interactive_fds(run_init_t)
-@@ -380,6 +410,8 @@ selinux_compute_create_context(run_init_t)
+@@ -380,6 +412,8 @@ selinux_compute_create_context(run_init_t)
  selinux_compute_relabel_context(run_init_t)
  selinux_compute_user_contexts(run_init_t)
  
@@ -52497,7 +52522,15 @@ index 7ed9819..1dc6876 100644
  auth_use_nsswitch(run_init_t)
  auth_domtrans_chk_passwd(run_init_t)
  auth_domtrans_upd_passwd(run_init_t)
-@@ -405,6 +437,15 @@ ifndef(`direct_sysadm_daemon',`
+@@ -388,6 +422,7 @@ auth_dontaudit_read_shadow(run_init_t)
+ init_spec_domtrans_script(run_init_t)
+ # for utmp
+ init_rw_utmp(run_init_t)
++init_dontaudit_getattr_initctl(run_init_t)
+ 
+ logging_send_syslog_msg(run_init_t)
+ 
+@@ -405,6 +440,19 @@ ifndef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -52507,13 +52540,17 @@ index 7ed9819..1dc6876 100644
 +')
 +
 +optional_policy(`
++	gpm_dontaudit_getattr_gpmctl(run_init_t)
++')
++
++optional_policy(`
 +	rpm_domtrans(run_init_t)
 +')
 +
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(run_init_t)
-@@ -420,61 +461,22 @@ optional_policy(`
+@@ -420,61 +468,22 @@ optional_policy(`
  # semodule local policy
  #
  
@@ -52523,20 +52560,20 @@ index 7ed9819..1dc6876 100644
 -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 -
 -allow semanage_t policy_config_t:file rw_file_perms;
--
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
--
--kernel_read_system_state(semanage_t)
--kernel_read_kernel_sysctls(semanage_t)
 +seutil_semanage_policy(semanage_t)
 +allow semanage_t self:fifo_file rw_fifo_file_perms;
  
--corecmd_exec_bin(semanage_t)
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 +manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 +manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
  
+-kernel_read_system_state(semanage_t)
+-kernel_read_kernel_sysctls(semanage_t)
+-
+-corecmd_exec_bin(semanage_t)
+-
 -dev_read_urand(semanage_t)
 -
 -domain_use_interactive_fds(semanage_t)
@@ -52562,13 +52599,13 @@ index 7ed9819..1dc6876 100644
 -auth_use_nsswitch(semanage_t)
 -
 -locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
--
--miscfiles_read_localization(semanage_t)
 +# Admins are creating pp files in random locations
 +auth_read_all_files_except_shadow(semanage_t)
  
+-logging_send_syslog_msg(semanage_t)
+-
+-miscfiles_read_localization(semanage_t)
+-
 -seutil_libselinux_linked(semanage_t)
  seutil_manage_file_contexts(semanage_t)
  seutil_manage_config(semanage_t)
@@ -52583,7 +52620,7 @@ index 7ed9819..1dc6876 100644
  # netfilter_contexts:
  seutil_manage_default_contexts(semanage_t)
  
-@@ -487,118 +489,69 @@ ifdef(`distro_debian',`
+@@ -487,118 +496,69 @@ ifdef(`distro_debian',`
  	files_read_var_lib_symlinks(semanage_t)
  ')
  
@@ -52658,21 +52695,21 @@ index 7ed9819..1dc6876 100644
 -term_use_all_ttys(setfiles_t)
 -term_use_all_ptys(setfiles_t)
 -term_use_unallocated_ttys(setfiles_t)
--
--# this is to satisfy the assertion:
--auth_relabelto_shadow(setfiles_t)
 +init_dontaudit_use_fds(setsebool_t)
  
--init_use_fds(setfiles_t)
--init_use_script_fds(setfiles_t)
--init_use_script_ptys(setfiles_t)
--init_exec_script_files(setfiles_t)
+-# this is to satisfy the assertion:
+-auth_relabelto_shadow(setfiles_t)
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
  
+-init_use_fds(setfiles_t)
+-init_use_script_fds(setfiles_t)
+-init_use_script_ptys(setfiles_t)
+-init_exec_script_files(setfiles_t)
+-
 -logging_send_syslog_msg(setfiles_t)
 -
 -miscfiles_read_localization(setfiles_t)
@@ -53597,27 +53634,29 @@ index 0000000..3c7493b
 +	readahead_manage_pid_files(systemd_notify_t)
 +')
 diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 0291685..2be32d4 100644
+index 0291685..7e94f4b 100644
 --- a/policy/modules/system/udev.fc
 +++ b/policy/modules/system/udev.fc
-@@ -11,6 +11,10 @@
+@@ -1,6 +1,6 @@
+-/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
+-/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
++/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/\.udevdb	--	gen_context(system_u:object_r:udev_var_run_t,s0)
++/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_var_run_t,s0)
  
- /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
+ /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+ 
+@@ -21,4 +21,6 @@
  
-+/var/run/udev(/.*)? --    gen_context(system_u:object_r:udev_tbl_t,s0)
-+/run/udev(/.*)? --    gen_context(system_u:object_r:udev_tbl_t,s0)
-+/run/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
-+
- /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
- /sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
-@@ -22,3 +26,4 @@
  /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
  
- /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/PackageKit/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 +/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
++/var/run/udev(/.*)?		gen_context(system_u:object_r:udev_var_run_t,s0)
 diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 025348a..8b50d5f 100644
+index 025348a..4e2ca03 100644
 --- a/policy/modules/system/udev.if
 +++ b/policy/modules/system/udev.if
 @@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -53638,26 +53677,29 @@ index 025348a..8b50d5f 100644
  ')
  
  ########################################
-@@ -185,12 +185,14 @@ interface(`udev_dontaudit_search_db',`
- interface(`udev_read_db',`
+@@ -160,10 +160,10 @@ interface(`udev_manage_rules_files',`
+ #
+ interface(`udev_dontaudit_search_db',`
  	gen_require(`
- 		type udev_tbl_t;
-+		type device_t;
+-		type udev_tbl_t;
++		type udev_var_run_t;
  	')
  
- 	dev_list_all_dev_nodes($1)
- 	allow $1 udev_tbl_t:dir list_dir_perms;
- 	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- 	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
-+	allow $1 device_t:file read_file_perms;
+-	dontaudit $1 udev_tbl_t:dir search_dir_perms;
++	dontaudit $1 udev_var_run_t:dir search_dir_perms;
  ')
  
  ########################################
-@@ -214,6 +216,24 @@ interface(`udev_rw_db',`
- 
- ########################################
- ## <summary>
-+##	Allow process to modify relabelto udev database
+@@ -183,19 +183,32 @@ interface(`udev_dontaudit_search_db',`
+ ## <infoflow type="read" weight="10"/>
+ #
+ interface(`udev_read_db',`
++	udev_read_pid_files($1)
++')
++
++########################################
++## <summary>
++##	Allow process to modify list of devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -53665,21 +53707,73 @@ index 025348a..8b50d5f 100644
 +##	</summary>
 +## </param>
 +#
++interface(`udev_rw_db',`
+ 	gen_require(`
+-		type udev_tbl_t;
++		type udev_var_run_t;
+ 	')
+ 
++	files_search_pids($1)
+ 	dev_list_all_dev_nodes($1)
+-	allow $1 udev_tbl_t:dir list_dir_perms;
+-	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
+-	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
++	rw_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow process to modify list of devices.
++##	Allow process to modify relabelto udev database
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -203,13 +216,36 @@ interface(`udev_read_db',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`udev_rw_db',`
 +interface(`udev_relabelto_db',`
 +	gen_require(`
-+		type udev_tbl_t;
++		type udev_var_run_t;
 +	')
 +
-+	allow $1 udev_tbl_t:file relabelto_file_perms;
++	files_search_pids($1)
++	allow $1 udev_var_run_t:file relabelto_file_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Create, read, write, and delete
- ##	udev pid files.
- ## </summary>
-@@ -231,3 +251,62 @@ interface(`udev_manage_pid_files',`
- 	files_search_var_lib($1)
++##	Create, read, write, and delete
++##	udev pid files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`udev_read_pid_files',`
+ 	gen_require(`
+-		type udev_tbl_t;
++		type udev_var_run_t;
+ 	')
+ 
+ 	dev_list_all_dev_nodes($1)
+-	allow $1 udev_tbl_t:file rw_file_perms;
++	files_search_pids($1)
++	allow $1 udev_var_run_t:dir list_dir_perms;
++	read_files_pattern($1, udev_var_run_t, udev_var_run_t)
++	read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ ')
+ 
+ ########################################
+@@ -228,6 +264,65 @@ interface(`udev_manage_pid_files',`
+ 		type udev_var_run_t;
+ 	')
+ 
+-	files_search_var_lib($1)
++	files_search_pids($1)
  	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
  ')
 +
@@ -53742,10 +53836,26 @@ index 025348a..8b50d5f 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..d8fff39 100644
+index d88f7c3..e1b2016 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
-@@ -38,6 +38,12 @@ ifdef(`enable_mcs',`
+@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
+ type udev_etc_t alias etc_udev_t;
+ files_config_file(udev_etc_t)
+ 
+-type udev_tbl_t alias udev_tdb_t;
+-files_type(udev_tbl_t)
+-
+ type udev_rules_t;
+ files_type(udev_rules_t)
+ 
+ type udev_var_run_t;
+ files_pid_file(udev_var_run_t)
++typealias udev_var_run_t alias udev_tbl_t;
+ 
+ ifdef(`enable_mcs',`
+ 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
+@@ -38,6 +36,12 @@ ifdef(`enable_mcs',`
  
  allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
  dontaudit udev_t self:capability sys_tty_config;
@@ -53758,7 +53868,7 @@ index d88f7c3..d8fff39 100644
  allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow udev_t self:process { execmem setfscreate };
  allow udev_t self:fd use;
-@@ -52,6 +58,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -52,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
  allow udev_t self:rawip_socket create_socket_perms;
@@ -53766,27 +53876,29 @@ index d88f7c3..d8fff39 100644
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -64,7 +71,8 @@ allow udev_t udev_etc_t:file read_file_perms;
+@@ -62,17 +67,16 @@ can_exec(udev_t, udev_helper_exec_t)
+ # read udev config
+ allow udev_t udev_etc_t:file read_file_perms;
  
- # create udev database in /dev/.udevdb
- allow udev_t udev_tbl_t:file manage_file_perms;
+-# create udev database in /dev/.udevdb
+-allow udev_t udev_tbl_t:file manage_file_perms;
 -dev_filetrans(udev_t, udev_tbl_t, file)
-+allow udev_t udev_tbl_t:lnk_file manage_file_perms;
-+dev_filetrans(udev_t, udev_tbl_t, { file lnk_file } )
- 
+-
  list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
  read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
-@@ -72,7 +80,8 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+ 
  manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
  manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
  manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 -files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 +files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
 +allow udev_t udev_var_run_t:file mounton;
++dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
++
  
  kernel_read_system_state(udev_t)
  kernel_request_load_module(udev_t)
-@@ -87,6 +96,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
+@@ -87,6 +91,7 @@ kernel_rw_unix_dgram_sockets(udev_t)
  kernel_dgram_send(udev_t)
  kernel_signal(udev_t)
  kernel_search_debugfs(udev_t)
@@ -53794,7 +53906,7 @@ index d88f7c3..d8fff39 100644
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -111,15 +121,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+@@ -111,15 +116,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
  
  files_read_usr_files(udev_t)
  files_read_etc_runtime_files(udev_t)
@@ -53816,7 +53928,7 @@ index d88f7c3..d8fff39 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -143,6 +158,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +153,7 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -53824,7 +53936,7 @@ index d88f7c3..d8fff39 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -186,6 +202,7 @@ ifdef(`distro_redhat',`
+@@ -186,6 +197,7 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -53832,7 +53944,7 @@ index d88f7c3..d8fff39 100644
  
  	term_search_ptys(udev_t)
  
-@@ -216,11 +233,16 @@ optional_policy(`
+@@ -216,11 +228,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53849,7 +53961,7 @@ index d88f7c3..d8fff39 100644
  ')
  
  optional_policy(`
-@@ -233,6 +255,10 @@ optional_policy(`
+@@ -233,6 +250,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53860,7 +53972,7 @@ index d88f7c3..d8fff39 100644
  	lvm_domtrans(udev_t)
  ')
  
-@@ -259,6 +285,10 @@ optional_policy(`
+@@ -259,6 +280,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53871,7 +53983,7 @@ index d88f7c3..d8fff39 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +303,11 @@ optional_policy(`
+@@ -273,6 +298,11 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 16a5cc2..f317cd8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,9 @@ exit 0
 %endif
 
 %changelog
+* Sat Apr 2 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-11
+- Fix label for /var/run/udev to udev_var_run_t
+
 * Fri Apr 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-10
 - Add label for /run/udev
 - Mock needs to be able to read network state