diff --git a/policy-F14.patch b/policy-F14.patch index 5e583d2..3ecd76e 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -304,10 +304,10 @@ index f76ed8a..9a9526a 100644 optional_policy(` diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if -index 2c2cdb6..b95a47f 100644 +index 2c2cdb6..73b3814 100644 --- a/policy/modules/admin/brctl.if +++ b/policy/modules/admin/brctl.if -@@ -18,3 +18,22 @@ interface(`brctl_domtrans',` +@@ -18,3 +18,28 @@ interface(`brctl_domtrans',` corecmd_search_bin($1) domtrans_pattern($1, brctl_exec_t, brctl_t) ') @@ -318,9 +318,15 @@ index 2c2cdb6..b95a47f 100644 +## +## +## -+## Domain allowed access. ++## Domain allowed to transition. +## +## ++## ++## ++## Role allowed access. ++## ++## ++## +# +interface(`brctl_run',` + gen_require(` @@ -868,6 +874,31 @@ index 7077413..70edcd6 100644 /var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0) +/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0) + +diff --git a/policy/modules/admin/readahead.if b/policy/modules/admin/readahead.if +index 47c4723..4866a08 100644 +--- a/policy/modules/admin/readahead.if ++++ b/policy/modules/admin/readahead.if +@@ -1 +1,20 @@ + ## Readahead, read files into page cache for improved performance ++ ++######################################## ++## ++## Transition to the readahead domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`readahead_domtrans',` ++ gen_require(` ++ type readahead_t, readahead_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, readahead_exec_t, readahead_t) ++') diff --git a/policy/modules/admin/readahead.te b/policy/modules/admin/readahead.te index 2df2f1d..c1aaa79 100644 --- a/policy/modules/admin/readahead.te 
@@ -1446,6 +1477,18 @@ index 3863241..5280124 100644 +optional_policy(` xserver_dontaudit_write_log(shutdown_t) ') +diff --git a/policy/modules/admin/smoltclient.te b/policy/modules/admin/smoltclient.te +index f48e9dd..b72049a 100644 +--- a/policy/modules/admin/smoltclient.te ++++ b/policy/modules/admin/smoltclient.te +@@ -46,6 +46,7 @@ fs_list_auto_mountpoints(smoltclient_t) + + files_getattr_generic_locks(smoltclient_t) + files_read_etc_files(smoltclient_t) ++files_read_etc_runtime_files(smoltclient_t) + files_read_usr_files(smoltclient_t) + + auth_use_nsswitch(smoltclient_t) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 8c5fa3c..1a46f56 100644 --- a/policy/modules/admin/su.if @@ -1821,7 +1864,7 @@ index 0000000..5ef90cd + diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te new file mode 100644 -index 0000000..4e92e87 +index 0000000..0958247 --- /dev/null +++ b/policy/modules/apps/chrome.te @@ -0,0 +1,92 @@ @@ -1898,7 +1941,7 @@ index 0000000..4e92e87 + +optional_policy(` + gnome_rw_inherited_config(chrome_sandbox_t) -+ gnome_list_home_config(chrome_sandbox_t) ++ gnome_read_home_config(chrome_sandbox_t) +') + +optional_policy(` @@ -3873,7 +3916,7 @@ index 9a6d67d..b0c1197 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..d4cb9c4 100644 +index cbf4bec..25171a6 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) @@ -3946,7 +3989,7 @@ index cbf4bec..d4cb9c4 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,125 @@ optional_policy(` +@@ -266,3 +291,127 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') 
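Review bot: In the chrome.te hunk, swapping `gnome_list_home_config(chrome_sandbox_t)` for `gnome_read_home_config(chrome_sandbox_t)` widens the sandbox domain's access, and nothing in the block says why. Judging by the interface names, it goes from listing the GNOME config directory to reading the files in it. Since chrome_sandbox_t exists to confine the browser, the rule deserves a rationale comment such as `# sandbox needs to read <config file> - confirm against the AVC`. If a single file type is enough, a narrower interface would be preferable to read access on the whole config tree.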
@@ -4013,6 +4056,8 @@ index cbf4bec..d4cb9c4 100644 + +fs_getattr_tmpfs(mozilla_plugin_t) + ++application_dontaudit_signull(mozilla_plugin_t) ++ +miscfiles_read_localization(mozilla_plugin_t) +miscfiles_read_fonts(mozilla_plugin_t) + @@ -5217,7 +5262,7 @@ index 5c2680c..db96581 100644 + sandbox_manage_tmpfs_files(pulseaudio_t) +') diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if -index c1d5f50..f4e1572 100644 +index c1d5f50..989f88c 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if @@ -157,6 +157,24 @@ interface(`qemu_domtrans',` @@ -5245,7 +5290,26 @@ index c1d5f50..f4e1572 100644 ## Execute qemu in the qemu domain. ## ## -@@ -275,6 +293,67 @@ interface(`qemu_domtrans_unconfined',` +@@ -169,6 +187,7 @@ interface(`qemu_domtrans',` + ## The role to allow the qemu domain. + ## + ## ++## + # + interface(`qemu_run',` + gen_require(` +@@ -177,10 +196,6 @@ interface(`qemu_run',` + + qemu_domtrans($1) + role $2 types qemu_t; +- +- optional_policy(` +- samba_run_smb(qemu_t, $2, $3) +- ') + ') + + ######################################## +@@ -275,6 +290,67 @@ interface(`qemu_domtrans_unconfined',` ######################################## ## @@ -5313,7 +5377,7 @@ index c1d5f50..f4e1572 100644 ## Manage qemu temporary dirs. ## ## -@@ -308,3 +387,24 @@ interface(`qemu_manage_tmp_files',` +@@ -308,3 +384,24 @@ interface(`qemu_manage_tmp_files',` manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') @@ -6296,17 +6360,16 @@ index e9134f0..3d2ef30 100644 files_getattr_all_sockets(locate_t) diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc new file mode 100644 -index 0000000..809bb65 +index 0000000..7866118 --- /dev/null 
+++ b/policy/modules/apps/telepathy.fc -@@ -0,0 +1,15 @@ +@@ -0,0 +1,14 @@ +HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0) +HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0) +HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) +HOME_DIR/.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) + +/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) -+ +/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) +/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) +/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) @@ -8283,7 +8346,7 @@ index 3517db2..bd4c23d 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 5302dac..c73febc 100644 +index 5302dac..3966eab 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -8299,7 +8362,7 @@ index 5302dac..c73febc 100644 # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1446,6 +1444,42 @@ interface(`files_dontaudit_search_all_mountpoints',` +@@ -1446,6 +1444,60 @@ interface(`files_dontaudit_search_all_mountpoints',` ######################################## ## 
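Review bot: The `HOME_DIR/.telepathy-sunshine(/.*)?` entry in telepathy.fc leaves its dot unescaped, while the three entries above it write `\.`. The pattern therefore matches any character in that position rather than a literal dot. It should read `HOME_DIR/\.telepathy-sunshine(/.*)?` with the same `gen_context(...)` as now. The over-match is narrow, but file-context specs decide which type a path is labelled with, so they are better kept exact and consistent with their neighbours.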
@@ -8339,10 +8402,28 @@ index 5302dac..c73febc 100644 + +######################################## +## ++## Write all file type directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_write_all_dirs',` ++ gen_require(` ++ attribute file_type; ++ ') ++ ++ allow $1 file_type:dir write; ++') ++ ++######################################## ++## ## List the contents of the root directory. ## ## -@@ -2435,6 +2469,24 @@ interface(`files_delete_etc_files',` +@@ -2435,6 +2487,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -8367,7 +8448,7 @@ index 5302dac..c73febc 100644 ## Execute generic files in /etc. ## ## -@@ -2605,6 +2657,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2605,6 +2675,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -8392,7 +8473,7 @@ index 5302dac..c73febc 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -3086,6 +3156,7 @@ interface(`files_getattr_home_dir',` +@@ -3086,6 +3174,7 @@ interface(`files_getattr_home_dir',` ') allow $1 home_root_t:dir getattr; @@ -8400,7 +8481,7 @@ index 5302dac..c73febc 100644 ') ######################################## -@@ -3106,6 +3177,7 @@ interface(`files_dontaudit_getattr_home_dir',` +@@ -3106,6 +3195,7 @@ interface(`files_dontaudit_getattr_home_dir',` ') dontaudit $1 home_root_t:dir getattr; @@ -8408,7 +8489,7 @@ index 5302dac..c73febc 100644 ') ######################################## -@@ -3347,6 +3419,24 @@ interface(`files_list_mnt',` +@@ -3347,6 +3437,24 @@ interface(`files_list_mnt',` allow $1 mnt_t:dir list_dir_perms; ') @@ -8433,7 +8514,7 @@ index 5302dac..c73febc 100644 ######################################## ## ## Mount a filesystem on /mnt. -@@ -3420,6 +3510,24 @@ interface(`files_read_mnt_files',` +@@ -3420,6 +3528,24 @@ interface(`files_read_mnt_files',` read_files_pattern($1, mnt_t, mnt_t) ') 
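Review bot: The new `files_write_all_dirs` interface grants `write` on directories of every `file_type`, which is broader than its only visible caller appears to need. That caller is `files_write_all_dirs(mount_t)` in mount.te, and the `fs_mount_all_fs` hunk adds the parallel rule `allow $1 filesystem_type:dir write;` under the comment "Mount checks write access on the dir". If the check being satisfied is on the mount target, the grant could probably be limited to directories carrying the mountpoint attribute, e.g. `allow $1 mountpoint:dir write;`, which should be confirmed against the denials that prompted it. `write` without `add_name`/`remove_name` does not allow creating or unlinking entries, so the exposure is limited, but the summary should still state the reason, for example `## Write all file type directories (mount checks write access on the target dir).`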
@@ -8458,7 +8539,7 @@ index 5302dac..c73febc 100644 ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3711,6 +3819,100 @@ interface(`files_read_world_readable_sockets',` +@@ -3711,6 +3837,100 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -8559,7 +8640,7 @@ index 5302dac..c73febc 100644 ######################################## ## ## Allow the specified type to associate -@@ -3896,6 +4098,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3896,6 +4116,32 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## @@ -8592,7 +8673,7 @@ index 5302dac..c73febc 100644 ## Manage temporary files and directories in /tmp. ## ## -@@ -4109,6 +4337,13 @@ interface(`files_purge_tmp',` +@@ -4109,6 +4355,13 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -8606,7 +8687,7 @@ index 5302dac..c73febc 100644 ') ######################################## -@@ -4718,6 +4953,24 @@ interface(`files_read_var_files',` +@@ -4718,6 +4971,24 @@ interface(`files_read_var_files',` ######################################## ## @@ -8631,7 +8712,7 @@ index 5302dac..c73febc 100644 ## Read and write files in the /var directory. ## ## -@@ -5053,6 +5306,24 @@ interface(`files_manage_mounttab',` +@@ -5053,6 +5324,24 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -8656,7 +8737,7 @@ index 5302dac..c73febc 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5138,12 +5409,12 @@ interface(`files_getattr_generic_locks',` +@@ -5138,12 +5427,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` 
@@ -8673,7 +8754,7 @@ index 5302dac..c73febc 100644 ') ######################################## -@@ -5317,6 +5588,43 @@ interface(`files_search_pids',` +@@ -5317,6 +5606,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -8717,7 +8798,7 @@ index 5302dac..c73febc 100644 ######################################## ## ## Do not audit attempts to search -@@ -5524,6 +5832,44 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5524,6 +5850,44 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -8762,7 +8843,7 @@ index 5302dac..c73febc 100644 ## Read all process ID files. ## ## -@@ -5541,6 +5887,44 @@ interface(`files_read_all_pids',` +@@ -5541,6 +5905,44 @@ interface(`files_read_all_pids',` list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -8807,7 +8888,7 @@ index 5302dac..c73febc 100644 ') ######################################## -@@ -5826,3 +6210,247 @@ interface(`files_unconfined',` +@@ -5826,3 +6228,247 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -9112,7 +9193,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 437a42a..c0e1d3a 100644 +index 437a42a..54a884b 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` 
@@ -9478,7 +9559,16 @@ index 437a42a..c0e1d3a 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4662,3 +4872,24 @@ interface(`fs_unconfined',` +@@ -4252,6 +4462,8 @@ interface(`fs_mount_all_fs',` + ') + + allow $1 filesystem_type:filesystem mount; ++# Mount checks write access on the dir ++ allow $1 filesystem_type:dir write; + ') + + ######################################## +@@ -4662,3 +4874,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -13499,7 +13589,7 @@ index c9e1a44..6918ff2 100644 + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 08dfa0c..410ff39 100644 +index 08dfa0c..b9fc802 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,130 +18,195 @@ policy_module(apache, 2.2.0) @@ -13862,12 +13952,13 @@ index 08dfa0c..410ff39 100644 libs_read_lib_files(httpd_t) -@@ -416,34 +508,70 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,34 +508,71 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) +tunable_policy(`httpd_setrlimit',` + allow httpd_t self:process setrlimit; ++ allow httpd_t self:capability sys_resource; +') + tunable_policy(`allow_httpd_anon_write',` @@ -13935,7 +14026,7 @@ index 08dfa0c..410ff39 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,6 +584,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +585,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) 
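Review bot: In the apache.te hunk, the `httpd_setrlimit` block now adds `allow httpd_t self:capability sys_resource;` next to `process setrlimit`, and that capability covers more than raising rlimits. It also lifts quota and reserved-block limits, among others. The boolean's description should say so, so an administrator enabling it knows what httpd_t gains; something like `## Allow httpd to change its resource limits; also grants the sys_resource capability.` The gen_tunable declaration is outside this hunk. If the daemon only adjusts soft limits up to the existing hard limit, `setrlimit` alone may be enough, so it is worth confirming which denial motivated the extra rule.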
@@ -13946,7 +14037,7 @@ index 08dfa0c..410ff39 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -466,8 +598,12 @@ tunable_policy(`httpd_enable_ftp_server',` +@@ -466,8 +599,12 @@ tunable_policy(`httpd_enable_ftp_server',` corenet_tcp_bind_ftp_port(httpd_t) ') @@ -13961,7 +14052,7 @@ index 08dfa0c..410ff39 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,6 +611,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -475,6 +612,12 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -13974,7 +14065,7 @@ index 08dfa0c..410ff39 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +626,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +627,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -13991,7 +14082,7 @@ index 08dfa0c..410ff39 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -500,8 +651,10 @@ tunable_policy(`httpd_ssi_exec',` +@@ -500,8 +652,10 @@ tunable_policy(`httpd_ssi_exec',` # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -14002,7 +14093,7 @@ index 08dfa0c..410ff39 100644 ') optional_policy(` -@@ -513,7 +666,13 @@ optional_policy(` +@@ -513,7 +667,13 @@ optional_policy(` ') optional_policy(` @@ -14017,7 +14108,7 @@ index 08dfa0c..410ff39 100644 ') optional_policy(` -@@ -528,7 +687,7 @@ optional_policy(` +@@ -528,7 +688,7 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -14026,7 +14117,7 @@ index 08dfa0c..410ff39 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +696,12 @@ optional_policy(` +@@ -537,8 +697,12 @@ optional_policy(` ') optional_policy(` 
@@ -14040,7 +14131,7 @@ index 08dfa0c..410ff39 100644 ') ') -@@ -556,7 +719,13 @@ optional_policy(` +@@ -556,7 +720,13 @@ optional_policy(` ') optional_policy(` @@ -14054,7 +14145,7 @@ index 08dfa0c..410ff39 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +736,7 @@ optional_policy(` +@@ -567,6 +737,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -14062,7 +14153,7 @@ index 08dfa0c..410ff39 100644 ') optional_policy(` -@@ -577,6 +747,16 @@ optional_policy(` +@@ -577,6 +748,16 @@ optional_policy(` ') optional_policy(` @@ -14079,7 +14170,7 @@ index 08dfa0c..410ff39 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +771,11 @@ optional_policy(` +@@ -591,6 +772,11 @@ optional_policy(` ') optional_policy(` @@ -14091,7 +14182,7 @@ index 08dfa0c..410ff39 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +788,10 @@ optional_policy(` +@@ -603,6 +789,10 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -14102,7 +14193,7 @@ index 08dfa0c..410ff39 100644 ######################################## # # Apache helper local policy -@@ -618,6 +807,10 @@ logging_send_syslog_msg(httpd_helper_t) +@@ -618,6 +808,10 @@ logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) @@ -14113,7 +14204,7 @@ index 08dfa0c..410ff39 100644 ######################################## # # Apache PHP script local policy -@@ -654,28 +847,27 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +848,27 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` 
@@ -14154,7 +14245,7 @@ index 08dfa0c..410ff39 100644 ') ######################################## -@@ -699,17 +891,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +892,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -14180,7 +14271,7 @@ index 08dfa0c..410ff39 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +937,20 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,10 +938,20 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -14202,7 +14293,7 @@ index 08dfa0c..410ff39 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +976,25 @@ optional_policy(` +@@ -769,6 +977,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -14228,7 +14319,7 @@ index 08dfa0c..410ff39 100644 ######################################## # # Apache system script local policy -@@ -792,9 +1018,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) +@@ -792,9 +1019,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -14242,7 +14333,7 @@ index 08dfa0c..410ff39 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +1033,33 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,6 +1034,33 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') 
@@ -14276,7 +14367,7 @@ index 08dfa0c..410ff39 100644 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -822,7 +1079,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,7 +1080,7 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -14285,7 +14376,7 @@ index 08dfa0c..410ff39 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -830,6 +1087,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -830,6 +1088,20 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -14306,7 +14397,7 @@ index 08dfa0c..410ff39 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1113,20 @@ optional_policy(` +@@ -842,10 +1114,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -14327,7 +14418,7 @@ index 08dfa0c..410ff39 100644 ') ######################################## -@@ -891,11 +1172,21 @@ optional_policy(` +@@ -891,11 +1173,21 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -18641,7 +18732,7 @@ index f706b99..ab2edfc 100644 + files_list_pids($1) ') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..184b4b5 100644 +index f231f17..3aaa784 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) 
@@ -18669,7 +18760,7 @@ index f231f17..184b4b5 100644 files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) -@@ -178,17 +182,27 @@ optional_policy(` +@@ -178,25 +182,37 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') @@ -18698,14 +18789,26 @@ index f231f17..184b4b5 100644 manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) -@@ -212,12 +226,14 @@ dev_rw_generic_usb_dev(devicekit_power_t) + ++kernel_read_fs_sysctls(devicekit_power_t) + kernel_read_network_state(devicekit_power_t) + kernel_read_system_state(devicekit_power_t) + kernel_rw_hotplug_sysctls(devicekit_power_t) + kernel_rw_kernel_sysctl(devicekit_power_t) ++kernel_rw_vm_sysctls(devicekit_power_t) + kernel_search_debugfs(devicekit_power_t) + kernel_write_proc_files(devicekit_power_t) + +@@ -212,12 +228,16 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) +dev_read_rand(devicekit_power_t) ++dev_getattr_all_chr_files(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_files(devicekit_power_t) ++files_read_etc_runtime_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) fs_list_inotifyfs(devicekit_power_t) @@ -18713,7 +18816,7 @@ index f231f17..184b4b5 100644 term_use_all_terms(devicekit_power_t) -@@ -225,8 +241,11 @@ auth_use_nsswitch(devicekit_power_t) +@@ -225,8 +245,11 @@ auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) @@ -18725,7 +18828,7 @@ index f231f17..184b4b5 100644 userdom_read_all_users_state(devicekit_power_t) -@@ -261,6 +280,10 @@ optional_policy(` +@@ -261,6 +284,10 @@ optional_policy(` ') optional_policy(` 
@@ -18736,7 +18839,7 @@ index f231f17..184b4b5 100644 hal_domtrans_mac(devicekit_power_t) hal_manage_log(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) -@@ -269,6 +292,10 @@ optional_policy(` +@@ -269,6 +296,10 @@ optional_policy(` ') optional_policy(` @@ -18747,7 +18850,19 @@ index f231f17..184b4b5 100644 policykit_dbus_chat(devicekit_power_t) policykit_domtrans_auth(devicekit_power_t) policykit_read_lib(devicekit_power_t) -@@ -280,5 +307,9 @@ optional_policy(` +@@ -276,9 +307,21 @@ optional_policy(` + ') + + optional_policy(` ++ mount_domtrans(devicekit_power_t) ++') ++ ++optional_policy(` ++ readahead_domtrans(devicekit_power_t) ++') ++ ++optional_policy(` + udev_read_db(devicekit_power_t) ') optional_policy(` @@ -23341,7 +23456,7 @@ index 343cee3..2f948ad 100644 + ') +') diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te -index 64268e4..a765618 100644 +index 64268e4..7521b9e 100644 --- a/policy/modules/services/mta.te +++ b/policy/modules/services/mta.te @@ -20,8 +20,8 @@ files_type(etc_aliases_t) @@ -23355,14 +23470,13 @@ index 64268e4..a765618 100644 type mqueue_spool_t; files_mountpoint(mqueue_spool_t) -@@ -50,22 +50,11 @@ ubac_constrained(user_mail_tmp_t) +@@ -50,22 +50,9 @@ ubac_constrained(user_mail_tmp_t) # newalias required this, not sure if it is needed in 'if' file allow system_mail_t self:capability { dac_override fowner }; -allow system_mail_t self:fifo_file rw_fifo_file_perms; - +- -read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t) -+append_files_pattern(system_mail_t, mail_home_t, mail_home_t) read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type) 
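Review bot: The two optional_policy blocks added to devicekit.te, `mount_domtrans(devicekit_power_t)` and `readahead_domtrans(devicekit_power_t)`, give the power daemon new domain transitions without naming the helper that needs them. The mount transition matters most, because this same patch widens mount_t with `files_write_all_dirs(mount_t)`. A one-line comment above each block would let a later reviewer check whether the transition is still required, e.g. `# <helper> runs mount on power state change - confirm`.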
@@ -23379,7 +23493,7 @@ index 64268e4..a765618 100644 dev_read_sysfs(system_mail_t) dev_read_rand(system_mail_t) dev_read_urand(system_mail_t) -@@ -82,6 +71,9 @@ init_use_script_ptys(system_mail_t) +@@ -82,6 +69,9 @@ init_use_script_ptys(system_mail_t) userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) @@ -23389,7 +23503,7 @@ index 64268e4..a765618 100644 optional_policy(` apache_read_squirrelmail_data(system_mail_t) -@@ -92,17 +84,28 @@ optional_policy(` +@@ -92,17 +82,28 @@ optional_policy(` apache_dontaudit_rw_stream_sockets(system_mail_t) apache_dontaudit_rw_tcp_sockets(system_mail_t) apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t) @@ -23419,7 +23533,7 @@ index 64268e4..a765618 100644 clamav_stream_connect(system_mail_t) clamav_append_log(system_mail_t) ') -@@ -111,6 +114,8 @@ optional_policy(` +@@ -111,6 +112,8 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) cron_rw_system_job_stream_sockets(system_mail_t) @@ -23428,7 +23542,7 @@ index 64268e4..a765618 100644 ') optional_policy(` -@@ -124,12 +129,8 @@ optional_policy(` +@@ -124,12 +127,8 @@ optional_policy(` ') optional_policy(` @@ -23442,7 +23556,7 @@ index 64268e4..a765618 100644 ') optional_policy(` -@@ -146,6 +147,10 @@ optional_policy(` +@@ -146,6 +145,10 @@ optional_policy(` ') optional_policy(` @@ -23453,7 +23567,7 @@ index 64268e4..a765618 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -158,18 +163,6 @@ optional_policy(` +@@ -158,18 +161,6 @@ optional_policy(` files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) domain_use_interactive_fds(system_mail_t) @@ -23472,7 +23586,7 @@ index 64268e4..a765618 100644 ') optional_policy(` -@@ -189,6 +182,10 @@ optional_policy(` +@@ -189,6 +180,10 @@ optional_policy(` ') optional_policy(` 
@@ -23483,7 +23597,7 @@ index 64268e4..a765618 100644 smartmon_read_tmp_files(system_mail_t) ') -@@ -199,7 +196,7 @@ optional_policy(` +@@ -199,7 +194,7 @@ optional_policy(` arpwatch_search_data(mailserver_delivery) arpwatch_manage_tmp_files(mta_user_agent) @@ -23492,7 +23606,7 @@ index 64268e4..a765618 100644 arpwatch_dontaudit_rw_packet_sockets(mta_user_agent) ') -@@ -220,7 +217,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -220,7 +215,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -23502,7 +23616,7 @@ index 64268e4..a765618 100644 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) -@@ -249,11 +247,16 @@ optional_policy(` +@@ -249,11 +245,16 @@ optional_policy(` mailman_read_data_symlinks(mailserver_delivery) ') @@ -23519,7 +23633,7 @@ index 64268e4..a765618 100644 domain_use_interactive_fds(user_mail_t) userdom_use_user_terminals(user_mail_t) -@@ -292,3 +295,42 @@ optional_policy(` +@@ -292,3 +293,44 @@ optional_policy(` postfix_read_config(user_mail_t) postfix_list_spool(user_mail_t) ') @@ -23532,6 +23646,8 @@ index 64268e4..a765618 100644 +allow user_mail_domain self:fifo_file rw_fifo_file_perms; +allow user_mail_domain mta_exec_type:file entrypoint; + ++append_files_pattern(user_mail_domain, mail_home_t, mail_home_t) ++ +read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t) + +can_exec(user_mail_domain, mta_exec_type) @@ -26678,7 +26794,7 @@ index 55e62d2..c114a40 100644 /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if -index 46bee12..7391f7e 100644 +index 46bee12..ff521d5 100644 --- a/policy/modules/services/postfix.if 
+++ b/policy/modules/services/postfix.if @@ -50,7 +50,7 @@ template(`postfix_domain_template',` @@ -26832,7 +26948,7 @@ index 46bee12..7391f7e 100644 ') ######################################## -@@ -621,3 +661,98 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -621,3 +661,103 @@ interface(`postfix_domtrans_user_mail_handler',` typeattribute $1 postfix_user_domtrans; ') @@ -26921,6 +27037,11 @@ index 46bee12..7391f7e 100644 +## Domain allowed to transition. +## +## ++## ++## ++## The role to be allowed the iptables domain. ++## ++## +## +# +interface(`postfix_run_postdrop',` @@ -27476,7 +27597,7 @@ index ad15fde..6f55445 100644 allow $1 postgrey_t:process { ptrace signal_perms }; diff --git a/policy/modules/services/ppp.if b/policy/modules/services/ppp.if -index b524673..29e0761 100644 +index b524673..9d90fb3 100644 --- a/policy/modules/services/ppp.if +++ b/policy/modules/services/ppp.if @@ -66,7 +66,6 @@ interface(`ppp_sigchld',` @@ -27515,7 +27636,17 @@ index b524673..29e0761 100644 allow $1 pppd_var_run_t:file manage_file_perms; ') -@@ -353,16 +353,17 @@ interface(`ppp_initrc_domtrans',` +@@ -348,21 +348,27 @@ interface(`ppp_initrc_domtrans',` + ## Domain allowed access. + ## + ## ++## ++## ++## Role allowed access. ++## ++## + ## + # interface(`ppp_admin',` gen_require(` type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t; @@ -27538,7 +27669,7 @@ index b524673..29e0761 100644 ppp_initrc_domtrans($1) domain_system_change_exemption($1) role_transition $2 pppd_initrc_exec_t system_r; -@@ -374,6 +375,7 @@ interface(`ppp_admin',` +@@ -374,6 +380,7 @@ interface(`ppp_admin',` logging_list_logs($1) admin_pattern($1, pppd_log_t) @@ -27546,7 +27677,7 @@ index b524673..29e0761 100644 admin_pattern($1, pppd_lock_t) files_list_etc($1) -@@ -386,9 +388,6 @@ interface(`ppp_admin',` +@@ -386,9 +393,6 @@ interface(`ppp_admin',` files_list_pids($1) admin_pattern($1, pppd_var_run_t) 
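Review bot: The role parameter text added to the `postfix_run_postdrop` documentation reads "The role to be allowed the iptables domain.", which looks copied from another module. The interface name points at postdrop, so the line should read `## The role to be allowed the postdrop domain.` The interface body is outside this hunk, so the exact type name should be checked there before settling the wording.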
@@ -30160,7 +30291,7 @@ index 779fa44..0155ca7 100644 remotelogin_domtrans(rlogind_t) remotelogin_signal(rlogind_t) diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if -index cda37bb..28e7576 100644 +index cda37bb..484e552 100644 --- a/policy/modules/services/rpc.if +++ b/policy/modules/services/rpc.if @@ -32,7 +32,11 @@ interface(`rpc_stub',` @@ -30194,7 +30325,7 @@ index cda37bb..28e7576 100644 ') ######################################## -@@ -246,6 +250,26 @@ interface(`rpc_domtrans_rpcd',` +@@ -246,6 +250,32 @@ interface(`rpc_domtrans_rpcd',` allow rpcd_t $1:process signal; ') @@ -30205,9 +30336,15 @@ index cda37bb..28e7576 100644 +## +## +## -+## The role to be allowed the rpcd domain. ++## Domain allowed to transition. +## +## ++## ++## ++## Role allowed access. ++## ++## ++## +# +interface(`rpc_run_rpcd',` + gen_require(` @@ -30221,7 +30358,7 @@ index cda37bb..28e7576 100644 ####################################### ## ## Execute domain in rpcd domain. -@@ -282,7 +306,7 @@ interface(`rpc_read_nfs_content',` +@@ -282,7 +312,7 @@ interface(`rpc_read_nfs_content',` allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms; allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms; @@ -30230,7 +30367,7 @@ index cda37bb..28e7576 100644 ') ######################################## -@@ -375,7 +399,7 @@ interface(`rpc_search_nfs_state_data',` +@@ -375,7 +405,7 @@ interface(`rpc_search_nfs_state_data',` ') files_search_var_lib($1) @@ -30239,7 +30376,7 @@ index cda37bb..28e7576 100644 ') ######################################## -@@ -414,4 +438,5 @@ interface(`rpc_manage_nfs_state_data',` +@@ -414,4 +444,5 @@ interface(`rpc_manage_nfs_state_data',` files_search_var_lib($1) manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t) @@ -37798,16 +37935,34 @@ index f9a06d2..3d407c6 100644 files_read_etc_files(zos_remote_t) 
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if -index ac50333..108595b 100644 +index ac50333..42784aa 100644 --- a/policy/modules/system/application.if +++ b/policy/modules/system/application.if -@@ -130,3 +130,21 @@ interface(`application_signull',` +@@ -130,3 +130,39 @@ interface(`application_signull',` allow $1 application_domain_type:process signull; ') + +######################################## +## ++## Dontaudit signull sent to all application domains. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`application_dontaudit_signull',` ++ gen_require(` ++ attribute application_domain_type; ++ ') ++ ++ dontaudit $1 application_domain_type:process signull; ++') ++ ++######################################## ++## +## Send signal to all application domains. +## +## @@ -41265,7 +41420,7 @@ index 8b5c196..3490497 100644 + role $2 types showmount_t; ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index fca6947..cfb8758 100644 +index fca6947..7fbc4c9 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -17,8 +17,15 @@ type mount_exec_t; @@ -41315,7 +41470,7 @@ index fca6947..cfb8758 100644 allow mount_t mount_loopback_t:file read_file_perms; -@@ -46,60 +68,94 @@ can_exec(mount_t, mount_exec_t) +@@ -46,60 +68,95 @@ can_exec(mount_t, mount_exec_t) files_tmp_filetrans(mount_t, mount_tmp_t, { file dir }) @@ -41382,6 +41537,7 @@ index fca6947..cfb8758 100644 # For reading cert files files_read_usr_files(mount_t) files_list_mnt(mount_t) ++files_write_all_dirs(mount_t) -fs_getattr_xattr_fs(mount_t) -fs_getattr_cifs(mount_t) @@ -41417,7 +41573,7 @@ index fca6947..cfb8758 100644 term_use_all_terms(mount_t) -@@ -108,6 +164,8 @@ auth_use_nsswitch(mount_t) +@@ -108,6 +165,8 @@ auth_use_nsswitch(mount_t) init_use_fds(mount_t) init_use_script_ptys(mount_t) init_dontaudit_getattr_initctl(mount_t) 
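Review bot: `files_write_all_dirs(mount_t)`, added in the mount.te hunk right after `files_list_mnt(mount_t)`, is by its name a grant of write access on every directory type, and it sits under the existing `# For reading cert files` comment, which does not explain it. If the need is limited to mountpoint directories, a mountpoint-scoped interface would be the least-privilege choice. If the broad grant is really required, give it its own why-comment, e.g. `# mount needs write on arbitrary dirs for <reason> (bug <BUG-ID placeholder>)`. The AVC denial that motivated the rule is not visible here, and the surrounding policy block starts and ends outside the hunk.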
@@ -41426,7 +41582,7 @@ index fca6947..cfb8758 100644 logging_send_syslog_msg(mount_t) -@@ -118,6 +176,12 @@ sysnet_use_portmap(mount_t) +@@ -118,6 +177,12 @@ sysnet_use_portmap(mount_t) seutil_read_config(mount_t) userdom_use_all_users_fds(mount_t) @@ -41439,7 +41595,7 @@ index fca6947..cfb8758 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -133,10 +197,17 @@ ifdef(`distro_ubuntu',` +@@ -133,10 +198,17 @@ ifdef(`distro_ubuntu',` ') ') @@ -41457,7 +41613,7 @@ index fca6947..cfb8758 100644 ') optional_policy(` -@@ -166,6 +237,8 @@ optional_policy(` +@@ -166,6 +238,8 @@ optional_policy(` fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -41466,7 +41622,7 @@ index fca6947..cfb8758 100644 ') optional_policy(` -@@ -173,6 +246,25 @@ optional_policy(` +@@ -173,6 +247,25 @@ optional_policy(` ') optional_policy(` @@ -41492,7 +41648,7 @@ index fca6947..cfb8758 100644 ifdef(`hide_broken_symptoms',` # for a bug in the X server rhgb_dontaudit_rw_stream_sockets(mount_t) -@@ -180,13 +272,40 @@ optional_policy(` +@@ -180,13 +273,40 @@ optional_policy(` ') ') @@ -41533,7 +41689,7 @@ index fca6947..cfb8758 100644 ') ######################################## -@@ -195,6 +314,42 @@ optional_policy(` +@@ -195,6 +315,42 @@ optional_policy(` # optional_policy(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 0a118da..493bce8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.7 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,10 @@ exit 0 %endif %changelog +* Fri Oct 15 2010 Dan Walsh 3.9.7-2 +- Fixup for the latest version of upowed +- Dontaudit sandbox sending SIGNULL to desktop apps + * Wed Oct 13 2010 Dan Walsh 3.9.7-1 - Update to upstream diff --git a/telepathy_removal.patch b/telepathy_removal.patch index 78b6e3f..50ead4e 100644 --- a/telepathy_removal.patch +++ b/telepathy_removal.patch 
@@ -1,15 +1,16 @@ -diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if -index 3d12484..21b65bc 100644 ---- a/policy/modules/apps/telepathy.if -+++ b/policy/modules/apps/telepathy.if -@@ -29,7 +29,9 @@ template(`telepathy_domain_template',` - files_tmp_file(telepathy_$1_tmp_t) - ubac_constrained(telepathy_$1_tmp_t) +diff -up serefpolicy-3.9.7/policy/modules/apps/telepathy.fc.orig serefpolicy-3.9.7/policy/modules/apps/telepathy.fc +--- serefpolicy-3.9.7/policy/modules/apps/telepathy.fc.orig 2010-10-15 08:53:01.000000000 -0400 ++++ serefpolicy-3.9.7/policy/modules/apps/telepathy.fc 2010-10-15 08:54:01.000000000 -0400 +@@ -3,6 +3,7 @@ HOME_DIR/\.cache/\.mc_connections -- g + HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0) + HOME_DIR/.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0) -- dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t) -+ ifdef(`TODO',` -+ dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t) -+ ') - ') - - ####################################### ++ifdef(`TODO',` + /usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0) + /usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0) + /usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0) +@@ -12,3 +13,4 @@ HOME_DIR/.telepathy-sunshine(/.*)? gen + /usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0) + /usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) + /usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) ++')
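Review bot: The new ifdef on `TODO` that wraps the `/usr/libexec/...` entries in telepathy.fc has no comment saying why the labels are compiled out or what would define `TODO`. With those entries disabled the telepathy executables presumably keep their default label and no longer enter the telepathy domains, while the `HOME_DIR` entries above stay labelled. Record the intent next to the guard, e.g. `# telepathy exec labels disabled until <reason>; define TODO to re-enable confinement`. The previous version of this patch guarded `dbus_session_domain(...)` in telepathy.if instead, so a line on why the approach moved to the file contexts would also help.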