diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index e12252e..2d1878f 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -1490,7 +1490,7 @@ index d6cc2d9..0685b19 100644
+
+/usr/bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
-index 72bc6d8..ff164b3 100644
+index 72bc6d8..17357e5 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -9,6 +9,10 @@ type dmesg_t;
@@ -1504,7 +1504,7 @@ index 72bc6d8..ff164b3 100644
########################################
#
# Local policy
-@@ -19,6 +23,7 @@ dontaudit dmesg_t self:capability sys_tty_config;
+@@ -19,14 +23,17 @@ dontaudit dmesg_t self:capability sys_tty_config;
allow dmesg_t self:process signal_perms;
@@ -1512,20 +1512,22 @@ index 72bc6d8..ff164b3 100644
kernel_read_kernel_sysctls(dmesg_t)
kernel_read_ring_buffer(dmesg_t)
kernel_clear_ring_buffer(dmesg_t)
-@@ -27,6 +32,7 @@ kernel_list_proc(dmesg_t)
+ kernel_change_ring_buffer_level(dmesg_t)
+ kernel_list_proc(dmesg_t)
kernel_read_proc_symlinks(dmesg_t)
++kernel_dontaudit_write_kernel_sysctl(dmesg_t)
dev_read_sysfs(dmesg_t)
+dev_read_kmsg(dmesg_t)
fs_search_auto_mountpoints(dmesg_t)
-@@ -44,10 +50,13 @@ init_use_script_ptys(dmesg_t)
+@@ -44,10 +51,12 @@ init_use_script_ptys(dmesg_t)
logging_send_syslog_msg(dmesg_t)
logging_write_generic_logs(dmesg_t)
-miscfiles_read_localization(dmesg_t)
-
+-
userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
-userdom_use_user_terminals(dmesg_t)
+userdom_use_inherited_user_terminals(dmesg_t)
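Review bot: The added `kernel_dontaudit_write_kernel_sysctl(dmesg_t)` silences a denial without recording what provokes it, so a later maintainer cannot tell whether the dontaudit is hiding an access dmesg actually needs. Because the same rebased hunk now grants `kernel_change_ring_buffer_level(dmesg_t)`, the silenced write is presumably a fallback path of the same console-loglevel operation (`dmesg -n`); confirm that against the audit record that motivated the line. I'd put a one-line comment above the dontaudit naming that trigger, something like `# loglevel change is covered by the ring-buffer interface above; silence the sysctl fallback rather than grant it`. The dmesg_t local-policy section continues outside this hunk.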
@@ -5424,7 +5426,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..5df4efc 100644
+index 4edc40d..12b06be 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5618,7 +5620,7 @@ index 4edc40d..5df4efc 100644
network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
-network_port(milter) # no defined portcon
-+network_port(milter, tcp, 8891, s0) # no defined portcon
++network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0)
network_port(monopd, tcp,1234,s0)
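Review bot: The trailing `# no defined portcon` comment on the rewritten `network_port(milter, tcp, 8891, s0, tcp, 8893, s0)` line is now false: the line defines portcons for two TCP ports. The comment dates from the bare `network_port(milter)` form the previous version of the patch already replaced, and it will mislead anyone auditing which milter ports are labelled. Drop it, or replace it with a comment that names the filter daemons expected to listen on 8891 and 8893 (I cannot confirm those from the hunk alone).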
@@ -21225,7 +21227,7 @@ index d1f64a0..9a5dab5 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..15e1047 100644
+index 6bf0ecc..307cefc 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@@ -21712,19 +21714,18 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -765,11 +817,92 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +817,91 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
- type xdm_t, xdm_tmp_t;
+ type xdm_t, xdm_tmp_t, xdm_var_run_t;
-+ type xdm_dbusd_t;
')
files_search_tmp($1)
- stream_connect_pattern($1, xdm_tmp_t, xdm_tmp_t, xdm_t)
+ files_search_pids($1)
-+ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, { xdm_t xdm_dbusd_t } )
++ stream_connect_pattern($1, { xdm_tmp_t xdm_var_run_t }, { xdm_tmp_t xdm_var_run_t }, xdm_t)
+')
+
+########################################
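Review bot: Dropping `xdm_dbusd_t` from the `stream_connect_pattern` here is only correct because an xserver.te hunk later in this diff replaces `type xdm_t;` with `type xdm_t alias xdm_dbusd_t;`, and the follow-on hunks turn `application_dontaudit_exec(xdm_dbusd_t)` into an unconditional `application_exec(xdm_t)` and delete the xdm_dbusd_t-specific rules; the same point applies to those hunks and is not repeated there. The net effect is that the dbus daemon xdm starts (formerly its own `dbus_role_template` domain) now runs with the full xdm_t permission set instead of a narrower one, a deliberate loss of separation the patch records nowhere. I'd add a comment next to the alias, e.g. `# xdm_dbusd_t survives only as an alias so existing references resolve; the dbus daemon now runs as xdm_t`, and a note above `application_exec(xdm_t)` saying it replaces the dontaudit the former dbusd domain carried. The `xserver_stream_connect_xdm` interface closes within this hunk, but the referenced xserver.te sections start and end outside theirs.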
@@ -21807,7 +21808,7 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -793,6 +926,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +925,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -21833,7 +21834,7 @@ index 6bf0ecc..15e1047 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -806,7 +958,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +957,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -21860,7 +21861,7 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -846,7 +1016,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1015,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -21888,7 +21889,7 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -869,6 +1058,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1057,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -21913,7 +21914,7 @@ index 6bf0ecc..15e1047 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -938,10 +1145,29 @@ interface(`xserver_getattr_log',`
+@@ -938,10 +1144,29 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -21945,7 +21946,7 @@ index 6bf0ecc..15e1047 100644
##
## Do not audit attempts to write the X server
## log files.
-@@ -957,7 +1183,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1182,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -21954,7 +21955,7 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1229,64 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -22019,7 +22020,7 @@ index 6bf0ecc..15e1047 100644
## Read xdm temporary files.
##
##
-@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1300,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -22028,7 +22029,7 @@ index 6bf0ecc..15e1047 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1362,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -22071,7 +22072,7 @@ index 6bf0ecc..15e1047 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1412,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -22080,7 +22081,7 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1430,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -22092,7 +22093,7 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
+@@ -1210,6 +1531,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',`
########################################
##
@@ -22118,7 +22119,7 @@ index 6bf0ecc..15e1047 100644
## Connect to the X server over a unix domain
## stream socket.
##
-@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1566,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -22145,7 +22146,7 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1611,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -22154,7 +22155,7 @@ index 6bf0ecc..15e1047 100644
##
##
##
-@@ -1261,13 +1622,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -22179,7 +22180,7 @@ index 6bf0ecc..15e1047 100644
')
########################################
-@@ -1284,10 +1655,623 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1654,623 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -22806,7 +22807,7 @@ index 6bf0ecc..15e1047 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..2967b77 100644
+index 2696452..2855251 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -22938,10 +22939,11 @@ index 2696452..2967b77 100644
fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t)
+-type xdm_t;
+type xdm_unconfined_exec_t;
+application_executable_file(xdm_unconfined_exec_t)
+
- type xdm_t;
++type xdm_t alias xdm_dbusd_t;
type xdm_exec_t;
auth_login_pgm_domain(xdm_t)
init_domain(xdm_t, xdm_exec_t)
@@ -23389,7 +23391,7 @@ index 2696452..2967b77 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +637,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +637,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23416,6 +23418,8 @@ index 2696452..2967b77 100644
+init_dbus_chat(xdm_t)
+init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
+init_status(xdm_t)
++
++application_exec(xdm_t)
libs_exec_lib_files(xdm_t)
+libs_exec_ldconfig(xdm_t)
@@ -23436,7 +23440,7 @@ index 2696452..2967b77 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +682,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +684,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23587,7 +23591,7 @@ index 2696452..2967b77 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +833,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +835,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -23614,29 +23618,12 @@ index 2696452..2967b77 100644
')
optional_policy(`
-@@ -514,12 +860,73 @@ optional_policy(`
+@@ -514,12 +862,56 @@ optional_policy(`
')
optional_policy(`
-+ # Use dbus to start other processes as xdm_t
-+ dbus_role_template(xdm, system_r, xdm_t)
-+ dbus_system_bus_client(xdm_dbusd_t)
+ dbus_system_bus_client(xdm_t)
+
-+ application_dontaudit_exec(xdm_dbusd_t)
-+ #fixes for xfce4-notifyd
-+ allow xdm_dbusd_t self:unix_stream_socket connectto;
-+ allow xdm_dbusd_t xserver_t:unix_stream_socket connectto;
-+
-+
-+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
-+ xserver_xdm_append_log(xdm_dbusd_t)
-+ xserver_read_xdm_pid(xdm_dbusd_t)
-+
-+ miscfiles_read_fonts(xdm_dbusd_t)
-+
-+ corecmd_bin_entry_type(xdm_t)
-+
+ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
+ ')
@@ -23688,7 +23675,7 @@ index 2696452..2967b77 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +944,78 @@ optional_policy(`
+@@ -537,28 +929,78 @@ optional_policy(`
')
optional_policy(`
@@ -23776,7 +23763,7 @@ index 2696452..2967b77 100644
')
optional_policy(`
-@@ -570,6 +1027,14 @@ optional_policy(`
+@@ -570,6 +1012,14 @@ optional_policy(`
')
optional_policy(`
@@ -23791,7 +23778,7 @@ index 2696452..2967b77 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +1059,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1044,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23804,7 +23791,7 @@ index 2696452..2967b77 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1076,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1061,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23820,7 +23807,7 @@ index 2696452..2967b77 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1092,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1077,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -23831,7 +23818,7 @@ index 2696452..2967b77 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1107,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1092,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23853,7 +23840,7 @@ index 2696452..2967b77 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1127,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1112,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -23867,7 +23854,7 @@ index 2696452..2967b77 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1153,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1138,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23899,7 +23886,7 @@ index 2696452..2967b77 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1185,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1170,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23917,7 +23904,7 @@ index 2696452..2967b77 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1208,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1193,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -23941,7 +23928,7 @@ index 2696452..2967b77 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1227,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1212,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -23950,7 +23937,7 @@ index 2696452..2967b77 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1271,44 @@ optional_policy(`
+@@ -775,16 +1256,44 @@ optional_policy(`
')
optional_policy(`
@@ -23996,7 +23983,7 @@ index 2696452..2967b77 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1317,10 @@ optional_policy(`
+@@ -793,6 +1302,10 @@ optional_policy(`
')
optional_policy(`
@@ -24007,7 +23994,7 @@ index 2696452..2967b77 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1336,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1321,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -24021,7 +24008,7 @@ index 2696452..2967b77 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1347,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1332,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -24030,7 +24017,7 @@ index 2696452..2967b77 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1360,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1345,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24065,7 +24052,7 @@ index 2696452..2967b77 100644
')
optional_policy(`
-@@ -902,7 +1425,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1410,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24074,7 +24061,7 @@ index 2696452..2967b77 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1479,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1464,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -24106,7 +24093,7 @@ index 2696452..2967b77 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1525,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1510,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -24521,7 +24508,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..a2ab7c9 100644
+index 3efd5b6..f0151a8 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -24744,7 +24731,32 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -448,6 +504,25 @@ interface(`auth_run_chk_passwd',`
+@@ -428,6 +484,24 @@ interface(`auth_domtrans_chkpwd',`
+
+ ########################################
+ ##
++## Execute chkpwd in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`auth_exec_chkpwd',`
++ gen_require(`
++ type chkpwd_exec_t;
++ ')
++
++ allow $1 chkpwd_exec_t:file execute;
++')
++
++########################################
++##
+ ## Execute chkpwd programs in the chkpwd domain.
+ ##
+ ##
+@@ -448,6 +522,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
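Review bot: The parameter description of the new `auth_exec_chkpwd` interface says `Domain allowed to transition.`, but the interface performs no domain transition — it grants `allow $1 chkpwd_exec_t:file execute;` so the caller runs the binary in its own domain, as the summary line says; the block was copied from the domtrans interface that follows and should read `Domain allowed access.`. Note also that `execute` alone is not the full no-transition exec set (`execute_no_trans` and the read permissions are absent), so a caller that does not already hold those from elsewhere will still be denied; if the intent really is to run chkpwd in the caller domain, `can_exec($1, chkpwd_exec_t)` is the conventional form. Running chkpwd without the chkpwd_t transition also means the caller's domain, not chkpwd_t, is what ends up needing shadow access, which is worth stating in the interface description so callers do not reach for this instead of `auth_domtrans_chkpwd`.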
@@ -24770,7 +24782,7 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -467,7 +542,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +560,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -24778,7 +24790,7 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -664,6 +738,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +756,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -24789,7 +24801,7 @@ index 3efd5b6..a2ab7c9 100644
')
#######################################
-@@ -763,7 +841,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +859,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -24841,7 +24853,7 @@ index 3efd5b6..a2ab7c9 100644
')
#######################################
-@@ -824,9 +945,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +963,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@@ -24872,7 +24884,7 @@ index 3efd5b6..a2ab7c9 100644
##
##
##
-@@ -834,12 +975,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +993,27 @@ interface(`auth_rw_lastlog',`
##
##
#
@@ -24903,7 +24915,7 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -854,15 +1010,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1028,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -24922,7 +24934,7 @@ index 3efd5b6..a2ab7c9 100644
##
##
##
-@@ -875,13 +1031,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1049,33 @@ interface(`auth_signal_pam',`
##
##
#
@@ -24960,7 +24972,7 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -959,9 +1135,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1153,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -24994,7 +25006,7 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -1040,6 +1237,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1255,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -25005,7 +25017,7 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -1176,6 +1377,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1395,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -25013,7 +25025,7 @@ index 3efd5b6..a2ab7c9 100644
')
#######################################
-@@ -1576,6 +1778,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1796,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -25039,7 +25051,7 @@ index 3efd5b6..a2ab7c9 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1726,24 +1947,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1965,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -25065,7 +25077,7 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -1767,11 +1971,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
@@ -25082,7 +25094,7 @@ index 3efd5b6..a2ab7c9 100644
')
########################################
-@@ -1805,3 +2011,241 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2029,241 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -39251,7 +39263,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..db184a5 100644
+index 3c5dba7..a44c781 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -41784,7 +41796,7 @@ index 3c5dba7..db184a5 100644
')
########################################
-@@ -3272,7 +3977,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3977,83 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -41813,6 +41825,25 @@ index 3c5dba7..db184a5 100644
+
+########################################
+##
++## Do not audit attempts to delete users
++## temporary files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_delete_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ dontaudit $1 user_tmp_t:file delete_file_perms;
++')
++
++########################################
++##
+## Do not audit attempts to read/write users
+## temporary fifo files.
+##
@@ -41850,7 +41881,7 @@ index 3c5dba7..db184a5 100644
')
########################################
-@@ -3290,7 +4052,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4071,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -41859,7 +41890,7 @@ index 3c5dba7..db184a5 100644
')
########################################
-@@ -3309,6 +4071,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4090,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -41867,97 +41898,82 @@ index 3c5dba7..db184a5 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4148,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,27 +4167,27 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
+-########################################
+#######################################
-+##
+ ##
+-## Send a SIGCHLD signal to all user domains.
+## Send signull to all user domains.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
+ ##
+ #
+-interface(`userdom_sigchld_all_users',`
+- gen_require(`
+- attribute userdomain;
+- ')
+interface(`userdom_signull_all_users',`
+ gen_require(`
+ attribute userdomain;
+ ')
-+
+
+- allow $1 userdomain:process sigchld;
+ allow $1 userdomain:process signull;
-+')
-+
-+########################################
-+##
-+## Send kill signals to all user domains.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_kill_all_users',`
-+ gen_require(`
-+ attribute userdomain;
-+ ')
-+
-+ allow $1 userdomain:process sigkill;
-+')
-+
- ########################################
- ##
- ## Send a SIGCHLD signal to all user domains.
-@@ -3405,7 +4204,7 @@ interface(`userdom_sigchld_all_users',`
+ ')
########################################
##
-## Create keys for all user domains.
-+## Read keys for all user domains.
++## Send kill signals to all user domains.
##
##
##
-@@ -3413,17 +4212,17 @@ interface(`userdom_sigchld_all_users',`
+@@ -3413,17 +4195,17 @@ interface(`userdom_sigchld_all_users',`
##
##
#
-interface(`userdom_create_all_users_keys',`
-+interface(`userdom_read_all_users_keys',`
++interface(`userdom_kill_all_users',`
gen_require(`
attribute userdomain;
')
- allow $1 userdomain:key create;
-+ allow $1 userdomain:key read;
++ allow $1 userdomain:process sigkill;
')
########################################
##
-## Send a dbus message to all user domains.
-+## Create keys for all user domains.
++## Send a SIGCHLD signal to all user domains.
##
##
##
-@@ -3431,11 +4230,1516 @@ interface(`userdom_create_all_users_keys',`
+@@ -3431,11 +4213,1552 @@ interface(`userdom_create_all_users_keys',`
##
##
#
-interface(`userdom_dbus_send_all_users',`
-+interface(`userdom_create_all_users_keys',`
- gen_require(`
- attribute userdomain;
-- class dbus send_msg;
- ')
-
-- allow $1 userdomain:dbus send_msg;
-+ allow $1 userdomain:key create;
++interface(`userdom_sigchld_all_users',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:process sigchld;
+')
+
+########################################
+##
-+## Send a dbus message to all user domains.
++## Read keys for all user domains.
+##
+##
+##
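Review bot: The rebased inner hunk now explicitly replaces the 40-character separator with a 39-character one (`#######################################`) at the top of the renamed signull block, while every other separator in the file, including the `########################################` kept as context below, is 40; it reads as a stray edit rather than a convention. Keep the original 40-character line. Otherwise the reshuffle defines signull, kill and sigchld exactly once each, which is the improvement over the previous version, and the block continues into the next hunk.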
@@ -41965,13 +41981,49 @@ index 3c5dba7..db184a5 100644
+##
+##
+#
-+interface(`userdom_dbus_send_all_users',`
++interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
-+ class dbus send_msg;
+ ')
+
-+ allow $1 userdomain:dbus send_msg;
++ allow $1 userdomain:key read;
++')
++
++########################################
++##
++## Create keys for all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_create_all_users_keys',`
++ gen_require(`
++ attribute userdomain;
++ ')
++
++ allow $1 userdomain:key create;
++')
++
++########################################
++##
++## Send a dbus message to all user domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_dbus_send_all_users',`
+ gen_require(`
+ attribute userdomain;
+ class dbus send_msg;
+ ')
+
+ allow $1 userdomain:dbus send_msg;
+ ps_process_pattern($1, userdomain)
+')
+
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index dc594fa..dfef892 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -520,7 +520,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..2b3de55 100644
+index cc43d25..e997e0f 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -685,7 +685,7 @@ index cc43d25..2b3de55 100644
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
-+allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
++allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
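Review bot: The new capability on this line, `ipc_lock`, is added without a comment saying which abrt component needs to lock memory, and an unexplained capability in a daemon that already holds `sys_ptrace` and `dac_override` is the kind of grant that quietly survives rebases. I'd add a one-line comment above the allow naming the trigger (the audit record that motivated it; the hunk does not show it). Separately, the context line that follows keeps `dontaudit abrt_t self:capability { sys_rawio sys_ptrace };` while `sys_ptrace` is now allowed; that half of the dontaudit is dead and should shrink to `sys_rawio`.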
@@ -4677,7 +4677,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..19bd545 100644
+index 1a82e29..25fbcc6 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -6034,7 +6034,7 @@ index 1a82e29..19bd545 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1072,170 @@ optional_policy(`
+@@ -877,65 +1072,171 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6045,6 +6045,7 @@ index 1a82e29..19bd545 100644
+')
+
+optional_policy(`
++ zoneminder_append_log(httpd_t)
+ zoneminder_manage_lib_dirs(httpd_t)
+ zoneminder_manage_lib_files(httpd_t)
+')
@@ -6227,7 +6228,7 @@ index 1a82e29..19bd545 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1244,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1245,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6382,7 +6383,7 @@ index 1a82e29..19bd545 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1328,104 @@ optional_policy(`
+@@ -1077,172 +1329,104 @@ optional_policy(`
')
')
@@ -6618,7 +6619,7 @@ index 1a82e29..19bd545 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1433,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1434,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6715,7 +6716,7 @@ index 1a82e29..19bd545 100644
########################################
#
-@@ -1315,8 +1508,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1509,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6732,7 +6733,7 @@ index 1a82e29..19bd545 100644
')
########################################
-@@ -1324,49 +1524,38 @@ optional_policy(`
+@@ -1324,49 +1525,38 @@ optional_policy(`
# User content local policy
#
@@ -6797,7 +6798,7 @@ index 1a82e29..19bd545 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1565,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1566,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -25590,10 +25591,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..930cbee
+index 0000000..d6a2e10
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,187 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -25651,7 +25652,8 @@ index 0000000..930cbee
+# Local policy
+#
+
-+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search kill fowner setuid net_admin };
++allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin };
++
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
@@ -25666,6 +25668,7 @@ index 0000000..930cbee
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++allow glusterd_t glusterd_tmp_t:dir mounton;
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
@@ -25680,6 +25683,7 @@ index 0000000..930cbee
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+
+can_exec(glusterd_t, glusterd_exec_t)
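Review bot: The commented-out `#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)` is dead policy that is one uncomment away from being granted without review; either drop it or, if socket files under /var/lib/glusterd are really created, enable it together with a `files_var_lib_filetrans` entry for `sock_file` so they are labelled on creation. If the intent is only to remember a pending denial, a plain comment such as `# TODO: sock_file in glusterd_var_lib_t seen in AVC; reproduce before granting` says that without leaving an allow rule in the file. The var_lib rules this sits in begin before the hunk.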
@@ -25720,6 +25724,7 @@ index 0000000..930cbee
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
++corenet_tcp_connect_ssh_port(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
@@ -25729,6 +25734,7 @@ index 0000000..930cbee
+domain_use_interactive_fds(glusterd_t)
+
+fs_mount_all_fs(glusterd_t)
++fs_unmount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
+files_mounton_mnt(glusterd_t)
@@ -25740,6 +25746,7 @@ index 0000000..930cbee
+fs_getattr_all_fs(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
++libs_exec_ldconfig(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
+miscfiles_read_public_files(glusterd_t)
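Review bot: `libs_exec_ldconfig(glusterd_t)` is appended directly under `logging_send_syslog_msg(glusterd_t)` with no blank line, breaking the one-module-per-paragraph, alphabetical layout the rest of this file keeps; move it into its own paragraph above the `logging_` call. Because this is an exec without a transition, ldconfig runs with glusterd_t's full capability set, so a one-line comment on which gluster helper invokes ldconfig would help, and if a confined run is enough the `libs_domtrans_ldconfig` form keeps it in its own domain.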
@@ -25747,6 +25754,7 @@ index 0000000..930cbee
+userdom_manage_user_home_dirs(glusterd_t)
+userdom_filetrans_home_content(glusterd_t)
+
++mount_domtrans(glusterd_t)
+tunable_policy(`gluster_anon_write',`
+ miscfiles_manage_public_files(glusterd_t)
+')
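Review bot: `mount_domtrans(glusterd_t)` is inserted unconditionally and jammed directly above the `tunable_policy` block, while every other cross-module call in this file (the rpc, rsync and ssh ones below, for instance) is wrapped in an optional_policy block and separated by a blank line; give it the same wrapper and spacing. The domain already holds `fs_mount_all_fs`, `fs_unmount_all_fs` and `dir mounton` on its tmp type, so a short comment on whether gluster mounts directly or by spawning mount_t would let one of the two paths be dropped later. The surrounding local policy starts before this hunk.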
@@ -25764,6 +25772,15 @@ index 0000000..930cbee
+
+optional_policy(`
+ rpc_domtrans_rpcd(glusterd_t)
++ rpc_kill_rpcd(glusterd_t)
++')
++
++optional_policy(`
++ rsync_exec(glusterd_t)
++')
++
++optional_policy(`
++ ssh_exec(glusterd_t)
+')
diff --git a/glusterfs.fc b/glusterfs.fc
deleted file mode 100644
@@ -39063,6 +39080,290 @@ index 4462c0e..84944d1 100644
sysnet_dns_name_resolve(monopd_t)
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
+diff --git a/motion.fc b/motion.fc
+new file mode 100644
+index 0000000..7415106
+--- /dev/null
++++ b/motion.fc
+@@ -0,0 +1,9 @@
++/usr/bin/motion -- gen_context(system_u:object_r:motion_exec_t,s0)
++
++/usr/lib/systemd/system/motion.* -- gen_context(system_u:object_r:motion_unit_file_t,s0)
++
++/var/log/motion\.log.* -- gen_context(system_u:object_r:motion_log_t,s0)
++
++/var/run/motion\.pid -- gen_context(system_u:object_r:motion_var_run_t,s0)
++
++/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0)
+diff --git a/motion.if b/motion.if
+new file mode 100644
+index 0000000..1b1b04c
+--- /dev/null
++++ b/motion.if
+@@ -0,0 +1,193 @@
++
++## Detect motion using a video4linux device
++
++########################################
++##
++## Execute TEMPLATE in the motion domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`motion_domtrans',`
++ gen_require(`
++ type motion_t, motion_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, motion_exec_t, motion_t)
++')
++########################################
++##
++## Read motion's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`motion_read_log',`
++ gen_require(`
++ type motion_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, motion_log_t, motion_log_t)
++')
++
++########################################
++##
++## Append to motion log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`motion_append_log',`
++ gen_require(`
++ type motion_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, motion_log_t, motion_log_t)
++')
++
++########################################
++##
++## Manage motion log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`motion_manage_log',`
++ gen_require(`
++ type motion_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, motion_log_t, motion_log_t)
++ manage_files_pattern($1, motion_log_t, motion_log_t)
++ manage_lnk_files_pattern($1, motion_log_t, motion_log_t)
++')
++
++########################################
++##
++## Manage motion pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`motion_manage_pid',`
++ gen_require(`
++ type motion_var_run_t;
++ ')
++
++ manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t)
++ manage_files_pattern($1, motion_var_run_t, motion_var_run_t)
++')
++
++########################################
++##
++## Manage motion data files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`motion_manage_data',`
++ gen_require(`
++ type motion_data_t;
++ ')
++
++ manage_dirs_pattern($1, motion_data_t, motion_data_t)
++ manage_files_pattern($1, motion_data_t, motion_data_t)
++')
++
++########################################
++##
++## Execute motion server in the motion domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`motion_systemctl',`
++ gen_require(`
++ type motion_t;
++ type motion_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 motion_unit_file_t:file read_file_perms;
++ allow $1 motion_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, motion_t)
++')
++
++########################################
++##
++## Manage all motion files.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`motion_manage_all_files',`
++
++ motion_manage_log($1)
++ motion_manage_pid($1)
++ motion_manage_data($1)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an motion environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`motion_admin',`
++ gen_require(`
++ type motion_t;
++ type motion_log_t;
++ type motion_unit_file_t;
++ ')
++
++ allow $1 motion_t:process { ptrace signal_perms };
++ ps_process_pattern($1, motion_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, motion_log_t)
++
++ motion_systemctl($1)
++ admin_pattern($1, motion_unit_file_t)
++ allow $1 motion_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/motion.te b/motion.te
+new file mode 100644
+index 0000000..b694afc
+--- /dev/null
++++ b/motion.te
+@@ -0,0 +1,64 @@
++policy_module(motion, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type motion_t;
++type motion_exec_t;
++init_daemon_domain(motion_t, motion_exec_t)
++
++type motion_log_t;
++logging_log_file(motion_log_t)
++
++type motion_unit_file_t;
++systemd_unit_file(motion_unit_file_t)
++
++type motion_var_run_t;
++files_pid_file(motion_var_run_t)
++
++type motion_data_t;
++files_type(motion_data_t)
++
++########################################
++#
++# motion local policy
++#
++allow motion_t self:udp_socket { create connect getattr };
++allow motion_t self:tcp_socket { bind create setopt listen };
++allow motion_t self:netlink_route_socket r_netlink_socket_perms;
++
++manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
++manage_files_pattern(motion_t, motion_log_t, motion_log_t)
++logging_log_filetrans(motion_t, motion_log_t, { dir file })
++
++manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t)
++manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t)
++files_pid_filetrans(motion_t, motion_var_run_t, { dir file })
++
++manage_dirs_pattern(motion_t, motion_data_t, motion_data_t)
++manage_files_pattern(motion_t, motion_data_t, motion_data_t)
++files_var_filetrans(motion_t, motion_data_t, { dir file })
++
++corenet_tcp_bind_http_cache_port(motion_t)
++corenet_tcp_bind_transproxy_port(motion_t)
++corenet_tcp_connect_http_port(motion_t)
++corenet_tcp_bind_generic_node(motion_t)
++
++dev_read_video_dev(motion_t)
++dev_write_video_dev(motion_t)
++
++domain_use_interactive_fds(motion_t)
++
++logging_send_syslog_msg(motion_t)
++
++sysnet_read_config(motion_t)
++
++userdom_home_manager(motion_t)
++
++optional_policy(`
++ zoneminder_domtrans(motion_t)
++ zoneminder_manage_lib_files(motion_t)
++')
++
diff --git a/mozilla.fc b/mozilla.fc
index 6ffaba2..d1f0fda 100644
--- a/mozilla.fc
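Review bot: `userdom_home_manager(motion_t)` in motion.te gives a network-listening daemon (it binds the http_cache and transproxy ports) create/write/delete rights over all user home content, far broader than the dedicated `motion_data_t` type this module introduces for /var/motion; unless motion's output directory genuinely must live under a home directory, drop the call, and if it must, gate it behind a boolean so the default stays on the labelled data type. In motion.if, `motion_systemctl` calls `systemd_read_fifo_file_password_run($1)` while `motion_admin` calls `systemd_read_fifo_file_passwd_run($1)`; one of these is almost certainly a typo, and an undefined interface name is left unexpanded by m4 and typically fails at checkmodule the first time `motion_systemctl` is used — the `passwd_run` spelling is the one used in the admin interface, so the `motion_systemctl` line looks like the wrong one. Also `/usr/lib/systemd/system/motion.*` in motion.fc leaves the dot unescaped, unlike the `\.` used in the log and pid patterns.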
@@ -42491,7 +42792,7 @@ index ed81cac..566684a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..363dd67 100644
+index afd2fad..4ab8177 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -42521,7 +42822,7 @@ index afd2fad..363dd67 100644
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
-@@ -43,178 +43,78 @@ role system_r types system_mail_t;
+@@ -43,178 +43,79 @@ role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
@@ -42655,11 +42956,12 @@ index afd2fad..363dd67 100644
+# newalias required this, not sure if it is needed in 'if' file
allow system_mail_t self:capability { dac_override fowner };
-
+-
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
--
++dontaudit system_mail_t self:capability net_admin;
+
allow system_mail_t mail_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
@@ -42736,7 +43038,7 @@ index afd2fad..363dd67 100644
')
optional_policy(`
-@@ -223,18 +123,18 @@ optional_policy(`
+@@ -223,18 +124,18 @@ optional_policy(`
')
optional_policy(`
@@ -42758,7 +43060,7 @@ index afd2fad..363dd67 100644
courier_manage_spool_dirs(system_mail_t)
courier_manage_spool_files(system_mail_t)
courier_rw_spool_pipes(system_mail_t)
-@@ -245,13 +145,8 @@ optional_policy(`
+@@ -245,13 +146,8 @@ optional_policy(`
')
optional_policy(`
@@ -42773,7 +43075,7 @@ index afd2fad..363dd67 100644
fail2ban_rw_inherited_tmp_files(system_mail_t)
')
-@@ -264,10 +159,15 @@ optional_policy(`
+@@ -264,10 +160,15 @@ optional_policy(`
')
optional_policy(`
@@ -42789,7 +43091,7 @@ index afd2fad..363dd67 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -278,6 +178,15 @@ optional_policy(`
+@@ -278,6 +179,15 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -42805,7 +43107,7 @@ index afd2fad..363dd67 100644
')
optional_policy(`
-@@ -293,42 +202,36 @@ optional_policy(`
+@@ -293,42 +203,36 @@ optional_policy(`
')
optional_policy(`
@@ -42858,7 +43160,7 @@ index afd2fad..363dd67 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -42907,7 +43209,7 @@ index afd2fad..363dd67 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -387,24 +276,165 @@ optional_policy(`
+@@ -387,24 +277,165 @@ optional_policy(`
########################################
#
@@ -72206,7 +72508,7 @@ index a6fb30c..b0c22f7 100644
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index 3bd6446..8bde316 100644
+index 3bd6446..a6e9e6d 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
@@ -72406,7 +72708,7 @@ index 3bd6446..8bde316 100644
##
##
##
-@@ -167,120 +239,108 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -167,120 +239,126 @@ interface(`rpc_initrc_domtrans_nfsd',`
##
##
#
@@ -72420,29 +72722,40 @@ index 3bd6446..8bde316 100644
- corecmd_search_bin($1)
- domtrans_pattern($1, rpcd_exec_t, rpcd_t)
--')
+ systemd_exec_systemctl($1)
+ allow $1 nfsd_unit_file_t:file read_file_perms;
+ allow $1 nfsd_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, nfsd_t)
+ ')
-#######################################
--##
++########################################
+ ##
-## Execute rpcd init scripts in
-## the initrc domain.
--##
--##
++## Send kill signals to rpcd.
+ ##
+ ##
-##
-## Domain allowed to transition.
-##
--##
--#
++##
++## Domain allowed access.
++##
+ ##
+ #
-interface(`rpc_initrc_domtrans_rpcd',`
- gen_require(`
- type rpcd_initrc_exec_t;
- ')
--
++interface(`rpc_kill_rpcd',`
++ gen_require(`
++ type rpcd_t;
++ ')
+
- init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
-+ ps_process_pattern($1, nfsd_t)
++ allow $1 rpcd_t:process sigkill;
')
########################################
@@ -72569,7 +72882,7 @@ index 3bd6446..8bde316 100644
##
##
##
-@@ -312,7 +372,7 @@ interface(`rpc_udp_send_nfs',`
+@@ -312,7 +390,7 @@ interface(`rpc_udp_send_nfs',`
########################################
##
@@ -72578,7 +72891,7 @@ index 3bd6446..8bde316 100644
##
##
##
-@@ -326,12 +386,12 @@ interface(`rpc_search_nfs_state_data',`
+@@ -326,12 +404,12 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
@@ -72593,7 +72906,7 @@ index 3bd6446..8bde316 100644
##
##
##
-@@ -339,19 +399,18 @@ interface(`rpc_search_nfs_state_data',`
+@@ -339,19 +417,18 @@ interface(`rpc_search_nfs_state_data',`
##
##
#
@@ -72616,7 +72929,7 @@ index 3bd6446..8bde316 100644
##
##
##
-@@ -359,62 +418,31 @@ interface(`rpc_read_nfs_state_data',`
+@@ -359,62 +436,31 @@ interface(`rpc_read_nfs_state_data',`
##
##
#
@@ -87628,10 +87941,10 @@ index 0000000..8b2dfff
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..17c737d
+index 0000000..b34af39
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,146 @@
+@@ -0,0 +1,147 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -87729,7 +88042,8 @@ index 0000000..17c737d
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
+userdom_exec_user_home_content_files(thumb_t)
-+userdom_write_user_tmp_files(thumb_t)
++userdom_dontaudit_write_user_tmp_files(thumb_t)
++userdom_dontaudit_delete_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t)
+
@@ -95197,10 +95511,10 @@ index 7c7f7fa..dfeac3e 100644
-userdom_manage_user_home_content_files(wm_domain)
-userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
diff --git a/xen.fc b/xen.fc
-index 42d83b0..5f18f6e 100644
+index 42d83b0..651d1cb 100644
--- a/xen.fc
+++ b/xen.fc
-@@ -1,38 +1,41 @@
+@@ -1,38 +1,42 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
@@ -95227,6 +95541,7 @@ index 42d83b0..5f18f6e 100644
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
-/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
++/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
+')
-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
@@ -95526,7 +95841,7 @@ index f93558c..16e29c1 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index ed40676..0706207 100644
+index ed40676..3fe3e35 100644
--- a/xen.te
+++ b/xen.te
@@ -1,42 +1,34 @@
@@ -96045,7 +96360,7 @@ index ed40676..0706207 100644
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
-@@ -448,157 +456,36 @@ dev_filetrans_xen(xenstored_t)
+@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t)
dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
@@ -96068,11 +96383,10 @@ index ed40676..0706207 100644
-
xen_append_log(xenstored_t)
- ########################################
- #
+-########################################
+-#
-# xm local policy
-+# SSH component local policy
- #
+-#
-
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow xm_t self:process { getcap getsched setsched setcap signal };
@@ -96168,9 +96482,14 @@ index ed40676..0706207 100644
-
optional_policy(`
- cron_system_entry(xm_t, xm_exec_t)
--')
--
--optional_policy(`
++ virt_read_config(xenstored_t)
+ ')
+
++########################################
++#
++# SSH component local policy
++#
+ optional_policy(`
- dbus_system_bus_client(xm_t)
-
- optional_policy(`
@@ -97583,16 +97902,12 @@ index b0803c2..f1fa5f7 100644
+')
diff --git a/zoneminder.fc b/zoneminder.fc
new file mode 100644
-index 0000000..a468da3
+index 0000000..8c61505
--- /dev/null
+++ b/zoneminder.fc
-@@ -0,0 +1,26 @@
-+/etc/rc\.d/init\.d/motion -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
-+
+@@ -0,0 +1,13 @@
+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
+
-+/usr/bin/motion -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
-+
+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
+
+/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
@@ -97601,24 +97916,15 @@ index 0000000..a468da3
+
+/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
+
-+/var/motion(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
-+
+/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0)
+
-+/var/log/motion\.log.* -- gen_context(system_u:object_r:zoneminder_log_t,s0)
-+
-+/var/run/motion\.pid -- gen_context(system_u:object_r:zoneminder_var_run_t,s0)
-+
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
-+
-+
-+
diff --git a/zoneminder.if b/zoneminder.if
new file mode 100644
-index 0000000..c72a70d
+index 0000000..d02a6f4
--- /dev/null
+++ b/zoneminder.if
-@@ -0,0 +1,337 @@
+@@ -0,0 +1,374 @@
+## policy for zoneminder
+
+########################################
@@ -97640,6 +97946,26 @@ index 0000000..c72a70d
+ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
+')
+
++########################################
++##
++## Allow the specified domain to execute zoneminder
++## in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`zoneminder_exec',`
++ gen_require(`
++ type zoneminder_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, zoneminder_exec_t)
++')
++
+
+########################################
+##
@@ -97796,6 +98122,23 @@ index 0000000..c72a70d
+ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
+')
+
++########################################
++##
++## Manage zoneminder sock_files files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`zoneminder_manage_lib_sock_files',`
++ gen_require(`
++ type sock_var_lib_t;
++ ')
++ files_search_var_lib($1)
++ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
++')
+
+########################################
+##
@@ -97958,10 +98301,10 @@ index 0000000..c72a70d
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
-index 0000000..bdb821a
+index 0000000..add28f7
--- /dev/null
+++ b/zoneminder.te
-@@ -0,0 +1,174 @@
+@@ -0,0 +1,187 @@
+policy_module(zoneminder, 1.0.0)
+
+########################################
@@ -97987,6 +98330,7 @@ index 0000000..bdb821a
+
+gen_require(`
+ class passwd rootok;
++ class passwd passwd;
+ ')
+
+type zoneminder_t;
@@ -98023,6 +98367,7 @@ index 0000000..bdb821a
+allow zoneminder_t self:shm create_shm_perms;
+allow zoneminder_t self:fifo_file rw_fifo_file_perms;
+allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow zoneminder_t self:netlink_selinux_socket create_socket_perms;
+
+manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
+manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
@@ -98066,6 +98411,7 @@ index 0000000..bdb821a
+dev_write_video_dev(zoneminder_t)
+
+auth_use_nsswitch(zoneminder_t)
++#auth_read_shadow(zoneminder_t) need to debug zmpkg.pl to see why is needed this rule.
+
+logging_send_syslog_msg(zoneminder_t)
+logging_send_audit_msgs(zoneminder_t)
@@ -98080,9 +98426,11 @@ index 0000000..bdb821a
+ allow zoneminder_t self:capability { setuid setgid sys_resource };
+ allow zoneminder_t self:process { setrlimit setsched };
+ allow zoneminder_t self:key write;
-+ allow zoneminder_t self:passwd rootok;
++ allow zoneminder_t self:passwd { passwd rootok };
+
+ auth_rw_lastlog(zoneminder_t)
++ auth_rw_faillog(zoneminder_t)
++ auth_exec_chkpwd(zoneminder_t)
+
+ selinux_compute_access_vector(zoneminder_t)
+
@@ -98108,6 +98456,14 @@ index 0000000..bdb821a
+ mysql_stream_connect(zoneminder_t)
+')
+
++optional_policy(`
++ fprintd_dbus_chat(zoneminder_t)
++')
++
++optional_policy(`
++ motion_manage_all_files(zoneminder_t)
++')
++
+########################################
+#
+# zoneminder cgi local policy
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a3fbca8..cf7fb4e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.11%{?dist}
+Release: 74.12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,22 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Nov 08 2013 Lukas Vrabec 3.12.1-74.12
+- Fixed userdom_dontaudit_delete_user_tmp_files
+- Add auth_exec_chkpwd interface
+- Add interface to dontaudit attempts to delete user_tmp_t files on thumbnails
+- Add tcp/8893 as milter port
+- Dontaudit leaked write descriptor to dmesg
+- Add rpc_kill_rpcd interface
+- Dontaudit attempts to write/delete user_tmp_t files
+- Dontaudit attempts by system_mail to modify network config
+- Allow ipc_lock for abrt to run journalctl.
+- Update zoneminder policy
+- Add policy for motion service
+- Allow glusterd_t to mounton glusterd_tmp_t
+- Allow glusterd to unmout al filesystems
+- Allow xenstored to read virt config
+
* Tue Oct 22 2013 Lukas Vrabec 3.12.1-74.11
- Back port piranha tmpfs fixes from RHEL6
- Fix piranha_domain_template()