diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index b91046c..e12252e 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -24521,7 +24521,7 @@ index 28ad538..ebe81bf 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..362b3af 100644
+index 3efd5b6..a2ab7c9 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -24710,7 +24710,32 @@ index 3efd5b6..362b3af 100644
## Execute a login_program in the target domain,
## with a range transition.
##
-@@ -402,6 +438,8 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -322,6 +358,24 @@ interface(`auth_rw_cache',`
+
+ ########################################
+ ##
++## Create authentication cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`auth_create_cache',`
++ gen_require(`
++ type auth_cache_t;
++ ')
++
++ create_files_pattern($1, auth_cache_t, auth_cache_t)
++')
++
++########################################
++##
+ ## Manage authentication cache
+ ##
+ ##
+@@ -402,6 +456,8 @@ interface(`auth_domtrans_chk_passwd',`
optional_policy(`
samba_stream_connect_winbind($1)
')
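Review bot: `auth_create_cache` grants `create_files_pattern($1, auth_cache_t, auth_cache_t)` without saying which consumer needs a create-only interface next to the existing rw and "Manage authentication cache" ones, and this same revision goes on to hand it to every login user domain in userdomain.if. A domain that can create there and also write there via auth_rw_cache can populate a cache that, judging by the type name, authentication-side code reads, so the summary should name the legitimate writer, e.g. `## Create authentication cache files (used by user domains for <module>)`, so reviewers can judge the scope. The pattern only grants file create plus add_name on auth_cache_t directories; search access to the parent (compare `files_search_var($1)` in auth_manage_var_auth in this file) presumably comes from auth_rw_cache, which is worth stating in the doc if so.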
@@ -24719,7 +24744,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -448,6 +486,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +504,25 @@ interface(`auth_run_chk_passwd',`
auth_domtrans_chk_passwd($1)
role $2 types chkpwd_t;
@@ -24745,7 +24770,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -467,7 +524,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +542,6 @@ interface(`auth_domtrans_upd_passwd',`
domtrans_pattern($1, updpwd_exec_t, updpwd_t)
auth_dontaudit_read_shadow($1)
@@ -24753,7 +24778,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +738,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -24764,7 +24789,7 @@ index 3efd5b6..362b3af 100644
')
#######################################
-@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +841,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -24816,7 +24841,7 @@ index 3efd5b6..362b3af 100644
')
#######################################
-@@ -824,9 +927,29 @@ interface(`auth_rw_lastlog',`
+@@ -824,9 +945,29 @@ interface(`auth_rw_lastlog',`
allow $1 lastlog_t:file { rw_file_perms lock setattr };
')
@@ -24847,7 +24872,7 @@ index 3efd5b6..362b3af 100644
##
##
##
-@@ -834,12 +957,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +975,27 @@ interface(`auth_rw_lastlog',`
##
##
#
@@ -24878,7 +24903,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -854,15 +992,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +1010,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -24897,7 +24922,7 @@ index 3efd5b6..362b3af 100644
##
##
##
-@@ -875,13 +1013,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +1031,33 @@ interface(`auth_signal_pam',`
##
##
#
@@ -24935,7 +24960,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -959,9 +1117,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1135,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -24969,7 +24994,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -1040,6 +1219,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1237,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -24980,7 +25005,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -1176,6 +1359,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1176,6 +1377,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -24988,7 +25013,7 @@ index 3efd5b6..362b3af 100644
')
#######################################
-@@ -1576,6 +1760,25 @@ interface(`auth_setattr_login_records',`
+@@ -1576,6 +1778,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -25014,7 +25039,7 @@ index 3efd5b6..362b3af 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1726,24 +1929,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1947,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -25040,7 +25065,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -1767,11 +1953,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +1971,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
@@ -25057,7 +25082,7 @@ index 3efd5b6..362b3af 100644
')
########################################
-@@ -1805,3 +1993,241 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2011,241 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -25834,7 +25859,7 @@ index 3694bfe..7fcd27a 100644
')
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..f65892c 100644
+index a97a096..bf726c3 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
@@ -25850,7 +25875,14 @@ index a97a096..f65892c 100644
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -41,7 +39,46 @@
+@@ -35,13 +33,53 @@
+ /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
++/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+ /usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -27683,7 +27715,7 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..478d262 100644
+index dd3be8d..273132b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -27915,10 +27947,10 @@ index dd3be8d..478d262 100644
+
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
++
++userdom_use_user_ttys(init_t)
-miscfiles_read_localization(init_t)
-+userdom_use_user_ttys(init_t)
-+
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
@@ -27953,24 +27985,24 @@ index dd3be8d..478d262 100644
+
+optional_policy(`
+ kdump_read_crash(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ gnome_filetrans_home_content(init_t)
+ gnome_manage_data(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+ iscsi_read_lib_files(init_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
- ')
-
- optional_policy(`
-- auth_rw_login_records(init_t)
++')
++
++optional_policy(`
+ postfix_exec(init_t)
+ postfix_list_spool(init_t)
+ mta_read_aliases(init_t)
@@ -28094,9 +28126,9 @@ index dd3be8d..478d262 100644
+optional_policy(`
+ lvm_rw_pipes(init_t)
+ lvm_read_config(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ consolekit_manage_log(init_t)
+')
+
@@ -28758,7 +28790,7 @@ index dd3be8d..478d262 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1366,196 @@ optional_policy(`
+@@ -896,3 +1366,198 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28955,11 +28987,13 @@ index dd3be8d..478d262 100644
+ allow daemon direct_run_init:process sigchld;
+ allow direct_run_init direct_init_entry:file { getattr open read execute };
+')
++
++
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 662e79b..3cbc35d 100644
+index 662e79b..a199ffd 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
-@@ -1,14 +1,21 @@
+@@ -1,14 +1,22 @@
/etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
/etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
@@ -28976,14 +29010,14 @@ index 662e79b..3cbc35d 100644
/etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
--/etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
-+/etc/(strongswan)?/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
+ /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
++/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0)
/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
-@@ -26,12 +33,15 @@
+@@ -26,16 +34,23 @@
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
@@ -28999,8 +29033,10 @@ index 662e79b..3cbc35d 100644
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
-@@ -39,3 +49,5 @@
+ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/charon\.ctl -s gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/charon.* -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
/var/run/racoon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)
+/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0)
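Review bot: The new `/var/run/charon.*` entry leaves the dot unescaped, so it labels any regular file whose name merely starts with `charon`, not only `charon.<suffix>`. If only the pid file is meant, `/var/run/charon\.pid -- gen_context(system_u:object_r:ipsec_var_run_t,s0)` is tighter; if several `charon.*` files exist, `/var/run/charon\..* --` keeps the literal dot. The `charon\.ctl -s` socket entry just above is already escaped correctly, so the two lines should at least be consistent.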
@@ -31061,7 +31097,7 @@ index 4e94884..9b82ed0 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..0c383ca 100644
+index 39ea221..616d6a8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -31322,15 +31358,16 @@ index 39ea221..0c383ca 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -417,6 +470,7 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
+corenet_tcp_bind_syslog_tls_port(syslogd_t)
++corenet_tcp_connect_syslog_tls_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -427,9 +481,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
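Review bot: `corenet_tcp_connect_syslog_tls_port(syslogd_t)` is added without a matching packet rule, whereas the other outbound ports in this block are paired (`corenet_tcp_connect_postgresql_port` with `corenet_sendrecv_postgresql_client_packets`, likewise for mysqld). If syslog_tls is declared with network_port() in corenetwork, the generated `corenet_sendrecv_syslog_tls_client_packets(syslogd_t)` should be added beside those so forwarding over TLS also works when SECMARK labeling is in use. The existing `corenet_tcp_bind_syslog_tls_port` line would want the server-packet counterpart for the same reason, though that predates this change.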
@@ -31358,7 +31395,7 @@ index 39ea221..0c383ca 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -442,14 +513,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@@ -31378,7 +31415,7 @@ index 39ea221..0c383ca 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +537,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +538,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -31393,7 +31430,7 @@ index 39ea221..0c383ca 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +578,40 @@ optional_policy(`
+@@ -502,15 +579,40 @@ optional_policy(`
')
optional_policy(`
@@ -31434,7 +31471,7 @@ index 39ea221..0c383ca 100644
')
optional_policy(`
-@@ -521,3 +622,26 @@ optional_policy(`
+@@ -521,3 +623,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -35067,7 +35104,7 @@ index 346a7cc..42a48b6 100644
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..1f23aab 100644
+index 6944526..b82ccf1 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35206,7 +35243,48 @@ index 6944526..1f23aab 100644
read_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -433,6 +529,7 @@ interface(`sysnet_manage_config',`
+@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',`
+ files_etc_filetrans($1, net_conf_t, file, $2)
+ ')
+
++########################################
++##
++## Transition content to the type used for
++## the network config files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the directory to which the object will be created.
++##
++##
++##
++##
++## The object class.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`sysnet_filetrans_config_fromdir',`
++ gen_require(`
++ type net_conf_t;
++ ')
++
++ filetrans_pattern($1, $2, net_conf_t, $3, $4)
++')
++
+ #######################################
+ ##
+ ## Create, read, write, and delete network config files.
+@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
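Review bot: `sysnet_filetrans_config_fromdir` documents `$4` as "The name of the object being created" but not that it is optional; refpolicy's `filetrans_pattern` accepts an omitted name and then transitions every new object of class `$3` in `$2`, so a caller passing three arguments silently widens the rule from one file name to all of them. Say so in the parameter doc, e.g. `## The name of the object being created (optional; omit for an unnamed transition on all objects of the class).` The summary should also note that, unlike `sysnet_etc_filetrans_config` just above (pinned to the etc directory type), this interface lets the caller pick any directory type in `$2`, and, as far as the refpolicy definition of filetrans_pattern goes, also grants rw_dir_perms on that type.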
@@ -35214,7 +35292,7 @@ index 6944526..1f23aab 100644
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -471,6 +568,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -35222,7 +35300,7 @@ index 6944526..1f23aab 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -580,6 +678,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
##
@@ -35248,7 +35326,7 @@ index 6944526..1f23aab 100644
## Read the DHCP configuration files.
##
##
-@@ -596,6 +713,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -35256,7 +35334,7 @@ index 6944526..1f23aab 100644
')
########################################
-@@ -681,8 +799,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@@ -35265,7 +35343,7 @@ index 6944526..1f23aab 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -692,6 +808,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -35274,7 +35352,7 @@ index 6944526..1f23aab 100644
sysnet_read_config($1)
optional_policy(`
-@@ -720,8 +838,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -35283,7 +35361,7 @@ index 6944526..1f23aab 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +849,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
@@ -35293,7 +35371,7 @@ index 6944526..1f23aab 100644
')
########################################
-@@ -754,7 +873,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -35301,7 +35379,7 @@ index 6944526..1f23aab 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +884,74 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +918,74 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -39173,7 +39251,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..bce11fd 100644
+index 3c5dba7..db184a5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40105,7 +40183,7 @@ index 3c5dba7..bce11fd 100644
userdom_change_password_template($1)
-@@ -761,82 +946,100 @@ template(`userdom_login_user_template', `
+@@ -761,82 +946,101 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -40164,6 +40242,7 @@ index 3c5dba7..bce11fd 100644
+ fs_rw_anon_inodefs_files($1_usertype)
+ auth_role($1_r, $1_t)
++ auth_create_cache($1_t)
+ auth_rw_cache($1_t)
+ auth_search_pam_console_data($1_t)
+ auth_dontaudit_read_login_records($1_t)
@@ -40242,7 +40321,7 @@ index 3c5dba7..bce11fd 100644
')
')
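Review bot: `auth_create_cache($1_t)` lands in userdom_login_user_template, so every login user domain built from it, including the restricted and unprivileged templates further down this file, can now create files in auth_cache_t directories on top of the rw access from the `auth_rw_cache($1_t)` line right below. That lets an unprivileged user domain populate the authentication cache rather than only update what a privileged component placed there; if a specific PAM module running in the user's context needs this, a one-line comment naming it above the call would justify the grant, and if only some users need it a boolean or the narrower template would keep least privilege. The enclosing template body continues outside the hunk.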
-@@ -868,6 +1071,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1072,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -40255,7 +40334,7 @@ index 3c5dba7..bce11fd 100644
##############################
#
# Local policy
-@@ -907,42 +1116,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1117,99 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -40368,7 +40447,7 @@ index 3c5dba7..bce11fd 100644
')
optional_policy(`
-@@ -951,12 +1217,29 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,12 +1218,29 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
@@ -40399,7 +40478,7 @@ index 3c5dba7..bce11fd 100644
')
#######################################
-@@ -990,27 +1273,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1274,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -40437,7 +40516,7 @@ index 3c5dba7..bce11fd 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1310,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1311,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -40508,7 +40587,7 @@ index 3c5dba7..bce11fd 100644
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1372,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1373,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -40519,7 +40598,7 @@ index 3c5dba7..bce11fd 100644
')
')
-@@ -1082,7 +1410,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1411,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -40528,7 +40607,7 @@ index 3c5dba7..bce11fd 100644
')
##############################
-@@ -1109,6 +1437,7 @@ template(`userdom_admin_user_template',`
+@@ -1109,6 +1438,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -40536,7 +40615,7 @@ index 3c5dba7..bce11fd 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1446,9 @@ template(`userdom_admin_user_template',`
+@@ -1117,6 +1447,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -40546,7 +40625,7 @@ index 3c5dba7..bce11fd 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1463,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1464,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -40554,7 +40633,7 @@ index 3c5dba7..bce11fd 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1481,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1482,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -40569,7 +40648,7 @@ index 3c5dba7..bce11fd 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1499,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1500,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -40612,7 +40691,7 @@ index 3c5dba7..bce11fd 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1540,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1541,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -40621,7 +40700,7 @@ index 3c5dba7..bce11fd 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1549,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1550,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -40640,7 +40719,7 @@ index 3c5dba7..bce11fd 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1253,6 +1605,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1606,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -40649,7 +40728,7 @@ index 3c5dba7..bce11fd 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1619,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1620,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -40661,7 +40740,7 @@ index 3c5dba7..bce11fd 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1633,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1634,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -40704,7 +40783,7 @@ index 3c5dba7..bce11fd 100644
')
optional_policy(`
-@@ -1360,14 +1718,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1719,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -40723,7 +40802,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -1408,6 +1769,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1770,51 @@ interface(`userdom_user_tmpfs_file',`
##
## Allow domain to attach to TUN devices created by administrative users.
##
@@ -40775,7 +40854,7 @@ index 3c5dba7..bce11fd 100644
##
##
## Domain allowed access.
-@@ -1512,11 +1918,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1919,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -40807,7 +40886,7 @@ index 3c5dba7..bce11fd 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1558,6 +1984,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +1985,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -40822,7 +40901,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -1573,9 +2007,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2008,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -40834,7 +40913,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -1632,6 +2068,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2069,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -40877,7 +40956,7 @@ index 3c5dba7..bce11fd 100644
########################################
##
## Create directories in the home dir root with
-@@ -1711,6 +2183,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2184,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -40886,7 +40965,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -1744,10 +2218,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2219,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -40901,7 +40980,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -1772,7 +2248,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2249,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -40928,7 +41007,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -1782,49 +2276,67 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,49 +2277,67 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@@ -41008,7 +41087,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -1848,6 +2360,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2361,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -41034,7 +41113,7 @@ index 3c5dba7..bce11fd 100644
## Mmap user home files.
##
##
-@@ -1878,14 +2409,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2410,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -41072,7 +41151,7 @@ index 3c5dba7..bce11fd 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1896,11 +2449,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2450,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -41090,7 +41169,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -1941,7 +2497,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2498,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -41117,7 +41196,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -1951,17 +2525,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2526,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -41138,7 +41217,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -1969,12 +2541,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2542,48 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -41189,7 +41268,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -2010,8 +2618,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2619,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -41199,7 +41278,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -2027,20 +2634,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2635,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -41224,7 +41303,7 @@ index 3c5dba7..bce11fd 100644
########################################
##
-@@ -2123,7 +2724,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2725,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -41233,7 +41312,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -2131,19 +2732,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2733,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -41257,7 +41336,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -2151,12 +2750,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2751,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -41273,7 +41352,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -2393,11 +2992,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2993,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -41288,7 +41367,7 @@ index 3c5dba7..bce11fd 100644
files_search_tmp($1)
')
-@@ -2417,7 +3016,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3017,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -41297,7 +41376,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -2664,6 +3263,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3264,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -41323,7 +41402,7 @@ index 3c5dba7..bce11fd 100644
########################################
##
## Read user tmpfs files.
-@@ -2680,13 +3298,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3299,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -41339,7 +41418,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -2707,7 +3326,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3327,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -41348,7 +41427,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -2715,14 +3334,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3335,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -41383,7 +41462,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -2817,6 +3452,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3453,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -41408,7 +41487,7 @@ index 3c5dba7..bce11fd 100644
## Read and write a user domain pty.
##
##
-@@ -2835,22 +3488,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3489,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -41451,7 +41530,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -2859,14 +3524,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3525,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -41489,7 +41568,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -2885,8 +3569,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3570,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -41519,7 +41598,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -2958,69 +3661,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3662,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -41620,7 +41699,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -3028,12 +3730,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3731,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -41635,7 +41714,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -3097,7 +3799,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3800,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -41644,7 +41723,7 @@ index 3c5dba7..bce11fd 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3815,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3816,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -41678,7 +41757,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -3217,7 +3903,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3904,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -41705,7 +41784,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -3272,7 +3976,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3977,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -41771,7 +41850,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -3290,7 +4051,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4052,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -41780,7 +41859,7 @@ index 3c5dba7..bce11fd 100644
')
########################################
-@@ -3309,6 +4070,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4071,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -41788,7 +41867,7 @@ index 3c5dba7..bce11fd 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4147,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4148,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -41831,7 +41910,7 @@ index 3c5dba7..bce11fd 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3405,7 +4203,7 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,7 +4204,7 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -41840,7 +41919,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -3413,17 +4211,17 @@ interface(`userdom_sigchld_all_users',`
+@@ -3413,17 +4212,17 @@ interface(`userdom_sigchld_all_users',`
##
##
#
@@ -41861,7 +41940,7 @@ index 3c5dba7..bce11fd 100644
##
##
##
-@@ -3431,11 +4229,1516 @@ interface(`userdom_create_all_users_keys',`
+@@ -3431,11 +4230,1516 @@ interface(`userdom_create_all_users_keys',`
##
##
#
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 26085ce..dc594fa 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -16887,7 +16887,7 @@ index b25b01d..e99c5c6 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..f8e9ecc 100644
+index 6ce66e7..03bc338 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -16900,7 +16900,7 @@ index 6ce66e7..f8e9ecc 100644
type ctdbd_var_run_t;
files_pid_file(ctdbd_var_run_t)
-@@ -33,6 +36,7 @@ files_pid_file(ctdbd_var_run_t)
+@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t)
#
allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
@@ -16908,7 +16908,14 @@ index 6ce66e7..f8e9ecc 100644
allow ctdbd_t self:process { setpgid signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
allow ctdbd_t self:unix_stream_socket { accept connectto listen };
-@@ -59,6 +63,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow ctdbd_t self:packet_socket create_socket_perms;
+ allow ctdbd_t self:tcp_socket create_stream_socket_perms;
++allow ctdbd_t self:udp_socket create_socket_perms;
+
+ append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+ create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
+@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
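Review bot: The new `allow ctdbd_t self:udp_socket create_socket_perms;` carries no comment saying which ctdbd function needs UDP, and this hunk adds no matching corenet_udp_* rules, so unless they already exist elsewhere in ctdb.te the daemon can create the socket but not bind or send on it. Suggest `# ctdbd uses UDP for <purpose> — TODO confirm` above the allow, and checking that udp bind/sendrecv interfaces are present; the tcp rules in the neighbouring hunk's context show the pattern to mirror. The ctdbd_t local policy block starts outside this hunk.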
@@ -16920,7 +16927,7 @@ index 6ce66e7..f8e9ecc 100644
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
-@@ -72,9 +81,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
corenet_tcp_sendrecv_generic_if(ctdbd_t)
corenet_tcp_sendrecv_generic_node(ctdbd_t)
corenet_tcp_bind_generic_node(ctdbd_t)
@@ -16932,7 +16939,7 @@ index 6ce66e7..f8e9ecc 100644
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +96,12 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
@@ -16947,7 +16954,7 @@ index 6ce66e7..f8e9ecc 100644
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
-@@ -109,6 +120,7 @@ optional_policy(`
+@@ -109,6 +121,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
@@ -22136,7 +22143,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..9a6a36e 100644
+index a7bfaf0..5c00621 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -22390,7 +22397,7 @@ index a7bfaf0..9a6a36e 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +214,63 @@ optional_policy(`
+@@ -221,46 +214,65 @@ optional_policy(`
########################################
#
@@ -22447,6 +22454,8 @@ index a7bfaf0..9a6a36e 100644
sysnet_use_ldap(dovecot_auth_t)
++systemd_login_read_pid_files(dovecot_auth_t)
++
+userdom_getattr_user_home_dirs(dovecot_auth_t)
+
optional_policy(`
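Review bot: `systemd_login_read_pid_files(dovecot_auth_t)` is added without a comment explaining why the authentication worker reads logind's runtime files; presumably this comes from a PAM session module, but nothing in the hunk shows that. Suggest `# PAM session handling reads logind runtime files — TODO confirm` above the call. The enclosing dovecot_auth_t rule block starts outside this hunk.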
@@ -22463,7 +22472,7 @@ index a7bfaf0..9a6a36e 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +281,30 @@ optional_policy(`
+@@ -271,15 +283,30 @@ optional_policy(`
')
optional_policy(`
@@ -22495,7 +22504,7 @@ index a7bfaf0..9a6a36e 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +314,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +316,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22555,7 +22564,7 @@ index a7bfaf0..9a6a36e 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +358,6 @@ optional_policy(`
+@@ -326,5 +360,6 @@ optional_policy(`
')
optional_policy(`
@@ -39930,7 +39939,7 @@ index 6194b80..2ab36ff 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..937a608 100644
+index 6a306ee..e3036c4 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -40766,7 +40775,7 @@ index 6a306ee..937a608 100644
')
optional_policy(`
-@@ -568,108 +564,128 @@ optional_policy(`
+@@ -568,108 +564,129 @@ optional_policy(`
')
optional_policy(`
@@ -40944,6 +40953,7 @@ index 6a306ee..937a608 100644
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
++ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
')
-optional_policy(`
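Review bot: `corenet_tcp_bind_vnc_port(mozilla_plugin_t)` lets the plugin domain listen on the VNC port, a stronger grant than the USB device access it sits next to, and nothing in the hunk records which spice component requires it. A comment such as `# spice client listens on the vnc port for <component> — TODO confirm` would help the next reviewer. Gating it behind `mozilla_plugin_use_spice` is appropriate; whether the domain also holds the node bind permission the bind needs is not visible here.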
@@ -45606,10 +45616,10 @@ index 56c0fbd..173a2c0 100644
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
-index a1fb3c3..82f8ae6 100644
+index a1fb3c3..2b818b9 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
-@@ -1,43 +1,44 @@
+@@ -1,43 +1,45 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -45675,10 +45685,11 @@ index a1fb3c3..82f8ae6 100644
/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..f8893f8 100644
+index 0e8508c..ee2e3de 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -45955,7 +45966,7 @@ index 0e8508c..f8893f8 100644
##
##
##
-@@ -227,33 +310,132 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',`
##
##
#
@@ -46103,6 +46114,7 @@ index 0e8508c..f8893f8 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
++ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
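Review bot: The new `files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")` is appended to the run of nm-dhclient transitions with nothing separating it, and wicd is a different program from NetworkManager, so a short comment `# wicd shares the NetworkManager runtime labels` before it would explain the grouping. The matching `/var/run/wicd\.pid` entry added to networkmanager.fc keeps the labeling consistent. The enclosing interface starts outside this hunk, so I cannot confirm it is the named-content filetrans interface.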
@@ -54618,10 +54630,10 @@ index 0000000..20ea9f5
+
diff --git a/piranha.if b/piranha.if
new file mode 100644
-index 0000000..8d681d1
+index 0000000..cf54103
--- /dev/null
+++ b/piranha.if
-@@ -0,0 +1,179 @@
+@@ -0,0 +1,187 @@
+## policy for piranha
+
+#######################################
@@ -54649,6 +54661,10 @@ index 0000000..8d681d1
+ type piranha_$1_exec_t;
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
+
++ # tmpfs files
++ type piranha_$1_tmpfs_t, piranha_tmpfs;
++ files_tmpfs_file(piranha_$1_tmpfs_t)
++
+ # pid files
+ type piranha_$1_var_run_t;
+ files_pid_file(piranha_$1_var_run_t)
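Review bot: The template now references the `piranha_tmpfs` attribute directly in `type piranha_$1_tmpfs_t, piranha_tmpfs;`, but the attribute is declared in piranha.te, so the template needs a gen_require for it if it is ever invoked from another module; as long as it is only called from piranha.te this works. The same dependency applies to the tmpfs manage/filetrans rules in the following hunk and to the `attribute piranha_tmpfs;` hunk in piranha.te. The enclosing `piranha_domain_template` starts outside this hunk.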
@@ -54658,6 +54674,10 @@ index 0000000..8d681d1
+ # piranha_$1_t local policy
+ #
+
++ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
++ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
++ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
++
+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
@@ -54803,10 +54823,10 @@ index 0000000..8d681d1
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
-index 0000000..34e591f
+index 0000000..a989aea
--- /dev/null
+++ b/piranha.te
-@@ -0,0 +1,293 @@
+@@ -0,0 +1,292 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -54822,6 +54842,7 @@ index 0000000..34e591f
+gen_tunable(piranha_lvs_can_network_connect, false)
+
+attribute piranha_domain;
++attribute piranha_tmpfs;
+
+piranha_domain_template(fos)
+
@@ -54834,9 +54855,6 @@ index 0000000..34e591f
+
+piranha_domain_template(web)
+
-+type piranha_web_tmpfs_t;
-+files_tmpfs_file(piranha_web_tmpfs_t)
-+
+type piranha_web_conf_t;
+files_config_file(piranha_web_conf_t)
+
@@ -54898,10 +54916,6 @@ index 0000000..34e591f
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
+
-+manage_dirs_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
-+manage_files_pattern(piranha_web_t, piranha_web_tmpfs_t, piranha_web_tmpfs_t)
-+fs_tmpfs_filetrans(piranha_web_t, piranha_web_tmpfs_t, { dir file })
-+
+piranha_pulse_initrc_domtrans(piranha_web_t)
+
+kernel_read_kernel_sysctls(piranha_web_t)
@@ -54951,6 +54965,9 @@ index 0000000..34e591f
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
+
++manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
++manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
++
+kernel_read_kernel_sysctls(piranha_lvs_t)
+
+# needed by nanny
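Review bot: The two new rules write `piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t` with no space after the comma, unlike every other pattern call in this file such as `manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)`; the later hunk adding `manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)` and `manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)` has the same problem. Suggest `manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)` and `manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t, piranha_pulse_tmpfs_t)`. A comment stating why the lvs domain needs full manage access to pulse's tmpfs files would also help, since the grant crosses domain boundaries.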
@@ -55084,6 +55101,9 @@ index 0000000..34e591f
+
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
+
++manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
++manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
++
+kernel_read_network_state(piranha_domain)
+
+corenet_tcp_sendrecv_generic_if(piranha_domain)
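Review bot: The `piranha_pulse_t` rules are inserted into the section that otherwise only carries `piranha_domain` rules (`read_files_pattern(piranha_domain, ...)`, `kernel_read_network_state(piranha_domain)`), so pulse-specific policy is now split between its own local-policy block and the shared block. Moving the two lines into the pulse local policy section keeps each domain's rules in one place. Granting pulse manage access to every `piranha_tmpfs` type is broader than per-domain access; if that is intended, a comment `# pulse manages the tmpfs files of all piranha daemons` would record it.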
@@ -55095,7 +55115,6 @@ index 0000000..34e591f
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
-+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
+
@@ -58864,7 +58883,7 @@ index 2e23946..0b76d72 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..2177e93 100644
+index 191a66f..f19bca4 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -59046,8 +59065,9 @@ index 191a66f..2177e93 100644
-########################################
-#
-# Common postfix user domain local policy
--#
--
++# Postfix master process local policy
+ #
+
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
@@ -59055,9 +59075,8 @@ index 191a66f..2177e93 100644
-########################################
-#
-# Master local policy
-+# Postfix master process local policy
- #
-
+-#
+-
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -59081,10 +59100,10 @@ index 191a66f..2177e93 100644
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
++
++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
-+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -59125,29 +59144,29 @@ index 191a66f..2177e93 100644
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
--
+
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
-delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
--
--can_exec(postfix_master_t, postfix_exec_t)
-+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++kernel_read_all_sysctls(postfix_master_t)
+-can_exec(postfix_master_t, postfix_exec_t)
+-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-+kernel_read_all_sysctls(postfix_master_t)
-
+-
-corenet_all_recvfrom_unlabeled(postfix_master_t)
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +165,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -59207,32 +59226,30 @@ index 191a66f..2177e93 100644
mta_read_sendmail_bin(postfix_master_t)
mta_getattr_spool(postfix_master_t)
+-optional_policy(`
+- cyrus_stream_connect(postfix_master_t)
+-')
+-
+-optional_policy(`
+- kerberos_keytab_template(postfix, postfix_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
-+')
-+
- optional_policy(`
- cyrus_stream_connect(postfix_master_t)
- ')
-@@ -316,14 +212,11 @@ optional_policy(`
')
optional_policy(`
-+# for postalias
- mailman_manage_data_files(postfix_master_t)
+- mailman_manage_data_files(postfix_master_t)
++ cyrus_stream_connect(postfix_master_t)
')
optional_policy(`
- mysql_stream_connect(postfix_master_t)
--')
--
--optional_policy(`
- postgrey_search_spool(postfix_master_t)
++ kerberos_keytab_template(postfix, postfix_t)
')
-@@ -333,12 +226,14 @@ optional_policy(`
+ optional_policy(`
+@@ -333,12 +221,14 @@ optional_policy(`
########################################
#
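Review bot: The rebased hunk now removes `mailman_manage_data_files(postfix_master_t)` together with its `# for postalias` comment, which the previous version of the patch kept; if postalias run from the master process still rewrites mailman's alias data this is a functional regression and the removal deserves a line in the commit message. The reshuffled hunk also shows the cyrus `optional_policy` block both as removed lines and as context, so it is worth confirming the rebased patch applies cleanly to postfix.te and does not leave a duplicate block. The surrounding inner hunks are not visible here, so I cannot verify the final ordering.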
@@ -59249,7 +59266,7 @@ index 191a66f..2177e93 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +250,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -59296,7 +59313,7 @@ index 191a66f..2177e93 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +285,50 @@ optional_policy(`
+@@ -393,36 +280,50 @@ optional_policy(`
########################################
#
@@ -59356,7 +59373,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -434,6 +340,7 @@ optional_policy(`
+@@ -434,6 +335,7 @@ optional_policy(`
')
optional_policy(`
@@ -59364,7 +59381,7 @@ index 191a66f..2177e93 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +351,10 @@ optional_policy(`
+@@ -444,6 +346,10 @@ optional_policy(`
')
optional_policy(`
@@ -59375,7 +59392,7 @@ index 191a66f..2177e93 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +369,17 @@ optional_policy(`
+@@ -458,15 +364,17 @@ optional_policy(`
########################################
#
@@ -59399,7 +59416,7 @@ index 191a66f..2177e93 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +389,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -59419,7 +59436,7 @@ index 191a66f..2177e93 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +406,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -59427,7 +59444,7 @@ index 191a66f..2177e93 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +413,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -59453,7 +59470,7 @@ index 191a66f..2177e93 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +438,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -59473,7 +59490,7 @@ index 191a66f..2177e93 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +489,26 @@ optional_policy(`
+@@ -576,19 +484,26 @@ optional_policy(`
########################################
#
@@ -59505,7 +59522,7 @@ index 191a66f..2177e93 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +523,7 @@ optional_policy(`
+@@ -603,10 +518,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -59517,7 +59534,7 @@ index 191a66f..2177e93 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +538,24 @@ optional_policy(`
+@@ -621,17 +533,24 @@ optional_policy(`
#######################################
#
@@ -59545,7 +59562,7 @@ index 191a66f..2177e93 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +571,77 @@ optional_policy(`
+@@ -647,67 +566,77 @@ optional_policy(`
########################################
#
@@ -59641,7 +59658,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -720,29 +654,30 @@ optional_policy(`
+@@ -720,29 +649,30 @@ optional_policy(`
########################################
#
@@ -59680,7 +59697,7 @@ index 191a66f..2177e93 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +689,7 @@ optional_policy(`
+@@ -754,6 +684,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -59688,7 +59705,7 @@ index 191a66f..2177e93 100644
')
optional_policy(`
-@@ -764,31 +700,99 @@ optional_policy(`
+@@ -764,31 +695,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -59994,7 +60011,7 @@ index efcb653..ff2c96a 100644
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
diff --git a/ppp.if b/ppp.if
-index cd8b8b9..cde0d62 100644
+index cd8b8b9..6c73980 100644
--- a/ppp.if
+++ b/ppp.if
@@ -1,110 +1,91 @@
@@ -60334,7 +60351,13 @@ index cd8b8b9..cde0d62 100644
##
##
##
-@@ -413,37 +388,25 @@ interface(`ppp_manage_pid_files',`
+@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',`
+ ')
+
+ files_search_pids($1)
+- allow $1 pppd_var_run_t:file manage_file_perms;
++ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
+ ')
########################################
##
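Review bot: Replacing `allow $1 pppd_var_run_t:file manage_file_perms;` with `manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)` also grants read-write directory permissions on pppd_var_run_t, which the old rule did not; that is the normal meaning of a manage interface, but the interface description (outside this hunk) should say that callers can now create and remove entries in the pid directory. The body of `ppp_manage_pid_files` starts outside the hunk.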
@@ -60478,7 +60501,7 @@ index cd8b8b9..cde0d62 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..7b8a7d1 100644
+index b2b5dba..9bc465c 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@@ -60663,7 +60686,7 @@ index b2b5dba..7b8a7d1 100644
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
-@@ -147,36 +169,30 @@ files_exec_etc_files(pppd_t)
+@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
@@ -60697,6 +60720,7 @@ index b2b5dba..7b8a7d1 100644
sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
++sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")
-userdom_use_user_terminals(pppd_t)
+userdom_use_inherited_user_terminals(pppd_t)
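Review bot: `sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")` has no comment saying which pppd component writes a resolv.conf under its runtime directory, so a reader cannot tell why a network-config transition is needed there. Suggest `# ip-up helpers write resolv.conf under the pppd runtime dir — TODO confirm path` above it. The neighbouring `sysnet_manage_config(pppd_t)` already supplies the write access to the resulting config type, so the transition is the only missing piece.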
@@ -60708,7 +60732,7 @@ index b2b5dba..7b8a7d1 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
-@@ -186,11 +202,13 @@ optional_policy(`
+@@ -186,11 +203,13 @@ optional_policy(`
l2tpd_dgram_send(pppd_t)
l2tpd_rw_socket(pppd_t)
l2tpd_stream_connect(pppd_t)
@@ -60723,7 +60747,7 @@ index b2b5dba..7b8a7d1 100644
')
')
-@@ -218,16 +236,19 @@ optional_policy(`
+@@ -218,16 +237,19 @@ optional_policy(`
########################################
#
@@ -60746,7 +60770,7 @@ index b2b5dba..7b8a7d1 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -60803,7 +60827,7 @@ index b2b5dba..7b8a7d1 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@@ -60818,7 +60842,7 @@ index b2b5dba..7b8a7d1 100644
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
-@@ -299,6 +318,10 @@ optional_policy(`
+@@ -299,6 +319,10 @@ optional_policy(`
')
optional_policy(`
@@ -76092,7 +76116,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..8854093 100644
+index 57c034b..f177430 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -76722,7 +76746,7 @@ index 57c034b..8854093 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +555,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -76784,10 +76808,11 @@ index 57c034b..8854093 100644
- files_manage_non_auth_files(nmbd_t)
+optional_policy(`
+ ctdbd_stream_connect(nmbd_t)
++ ctdbd_manage_var_files(nmbd_t)
')
optional_policy(`
-@@ -600,17 +601,24 @@ optional_policy(`
+@@ -600,17 +602,24 @@ optional_policy(`
########################################
#
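Review bot: `ctdbd_manage_var_files(nmbd_t)` gives nmbd create, delete and write access to ctdb's var files, while the ctdb side of this change only grants `samba_rw_var_files(ctdbd_t)`; if nmbd merely reads and updates existing ctdb database files, a read-write interface (if the ctdb module provides one) would be the tighter grant. A comment naming the files nmbd touches, e.g. `# nmbd updates ctdb databases — TODO confirm which`, would justify the manage level. The enclosing `optional_policy` block is fully visible; the surrounding nmbd local policy is not.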
@@ -76816,7 +76841,7 @@ index 57c034b..8854093 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -620,16 +628,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -76834,7 +76859,7 @@ index 57c034b..8854093 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +641,23 @@ optional_policy(`
+@@ -637,22 +642,23 @@ optional_policy(`
########################################
#
@@ -76866,7 +76891,7 @@ index 57c034b..8854093 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -661,26 +666,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -76902,7 +76927,7 @@ index 57c034b..8854093 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -692,58 +693,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -76994,7 +77019,7 @@ index 57c034b..8854093 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +772,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -77018,7 +77043,7 @@ index 57c034b..8854093 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -770,36 +786,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -77061,7 +77086,7 @@ index 57c034b..8854093 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -811,10 +816,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -77075,7 +77100,7 @@ index 57c034b..8854093 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -834,16 +840,19 @@ optional_policy(`
+@@ -834,16 +841,19 @@ optional_policy(`
#
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -77099,7 +77124,7 @@ index 57c034b..8854093 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +862,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -77110,7 +77135,7 @@ index 57c034b..8854093 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +873,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -77140,7 +77165,7 @@ index 57c034b..8854093 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +896,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -77161,7 +77186,7 @@ index 57c034b..8854093 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +914,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -77172,7 +77197,7 @@ index 57c034b..8854093 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,26 +922,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -77214,7 +77239,7 @@ index 57c034b..8854093 100644
')
optional_policy(`
-@@ -952,31 +970,29 @@ optional_policy(`
+@@ -952,31 +971,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -77252,7 +77277,7 @@ index 57c034b..8854093 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +1006,38 @@ optional_policy(`
+@@ -990,25 +1007,38 @@ optional_policy(`
########################################
#
@@ -87322,10 +87347,10 @@ index 0000000..5e3637e
+')
diff --git a/thin.te b/thin.te
new file mode 100644
-index 0000000..ff282dc
+index 0000000..39d17b7
--- /dev/null
+++ b/thin.te
-@@ -0,0 +1,114 @@
+@@ -0,0 +1,115 @@
+policy_module(thin, 1.0)
+
+########################################
@@ -87402,6 +87427,7 @@ index 0000000..ff282dc
+#
+
+allow thin_t self:capability { setuid kill setgid dac_override };
++allow thin_t self:capability2 block_suspend;
+
+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
+allow thin_t self:udp_socket create_socket_perms;
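Review bot: The new `++allow thin_t self:capability2 block_suspend;` grants a capability with no comment saying why the thin daemon needs it, and the surrounding capability rules carry no justification either; since a capability rule widens the domain permanently, record the trigger next to it, e.g. `# block_suspend: needed by thin_t, see AVC denial referenced in changelog 3.12.1-74.11`. If the denial only comes from the daemon probing for the capability rather than actually holding a wake lock, a dontaudit rule would keep the log quiet without widening the domain — worth confirming against the original denial before granting. The inner thin.te hunk this line belongs to starts outside this view.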
@@ -92089,7 +92115,7 @@ index 9dec06c..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..43fdcbe 100644
+index 1f22fba..9c0c607 100644
--- a/virt.te
+++ b/virt.te
@@ -1,147 +1,166 @@
@@ -92988,7 +93014,7 @@ index 1f22fba..43fdcbe 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +597,262 @@ optional_policy(`
+@@ -737,44 +597,264 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -93024,6 +93050,14 @@ index 1f22fba..43fdcbe 100644
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
++kernel_read_net_sysctls(virt_domain)
+
+-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+userdom_search_user_home_content(virt_domain)
+userdom_read_user_home_content_symlinks(virt_domain)
+userdom_read_all_users_state(virt_domain)
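Review bot: `++kernel_read_net_sysctls(virt_domain)` is placed in the block of rules on the `virt_domain` attribute, so if that attribute is shared by every libvirt-managed guest domain (as the neighbouring userdom_* and manage_* rules on it suggest) this exposes the host's network sysctls to all guests, not just the one that produced the denial; the changelog entry "Allow svirt_domains to read sysctl_net_t" confirms the broad scope was intended, but a one-line comment should say which guest component needs it, e.g. `# guests read /proc/sys/net (see changelog 3.12.1-74.11)`. If the access is only a probe, a dontaudit rule would be the narrower choice. The remaining `+-manage_*_pattern(virsh_t, svirt_lxc_file_t, ...)` lines in this hunk only move already-removed lines within the inner diff and add no new policy. The enclosing virt_domain rule block starts and ends outside the hunk.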
@@ -93034,19 +93068,14 @@ index 1f22fba..43fdcbe 100644
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
--manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
--manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -93078,13 +93107,12 @@ index 1f22fba..43fdcbe 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-allow virsh_t svirt_lxc_domain:process transition;
+dontaudit virt_domain virt_tmpfs_type:file { read write };
--allow virsh_t svirt_lxc_domain:process transition;
+-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
--can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
@@ -93150,7 +93178,7 @@ index 1f22fba..43fdcbe 100644
+optional_policy(`
+ ptchown_domtrans(virt_domain)
+')
-
++
+optional_policy(`
+ pulseaudio_dontaudit_exec(virt_domain)
+')
@@ -93273,7 +93301,7 @@ index 1f22fba..43fdcbe 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +863,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +865,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -93300,7 +93328,7 @@ index 1f22fba..43fdcbe 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +883,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +885,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -93332,7 +93360,7 @@ index 1f22fba..43fdcbe 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +916,20 @@ optional_policy(`
+@@ -847,14 +918,20 @@ optional_policy(`
')
optional_policy(`
@@ -93354,7 +93382,7 @@ index 1f22fba..43fdcbe 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +954,65 @@ optional_policy(`
+@@ -879,49 +956,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -93438,7 +93466,7 @@ index 1f22fba..43fdcbe 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1024,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,17 +1026,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -93458,7 +93486,7 @@ index 1f22fba..43fdcbe 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1045,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,8 +1047,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -93482,7 +93510,7 @@ index 1f22fba..43fdcbe 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1070,254 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -965,194 +1072,254 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -93867,7 +93895,7 @@ index 1f22fba..43fdcbe 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1330,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1332,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -93882,7 +93910,7 @@ index 1f22fba..43fdcbe 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1348,8 @@ optional_policy(`
+@@ -1183,9 +1350,8 @@ optional_policy(`
########################################
#
@@ -93893,7 +93921,7 @@ index 1f22fba..43fdcbe 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1362,124 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1364,124 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 2e6b511..a3fbca8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.10%{?dist}
+Release: 74.11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Oct 22 2013 Lukas Vrabec 3.12.1-74.11
+- Back port piranha tmpfs fixes from RHEL6
+- Fix piranha_domain_template()
+- Allow mozilla_plugin to bind to the vnc port if running with spice
+- Allow svirt_domains to read sysctl_net_t
+- Update ppp_manage_pid_files interface
+- Allow ctdbd to create udp_socket. Allow ndmbd to access ctdbd var files.
+- Allow dovecot-auth to read nologin
+- Allow mailserver_domains to manage and transition to mailman data
+- Allow thin_t to block suspend
+- Create resolv.conf in the pppd_var_run_t with the net_conf_t label
+- wicd.pid should be labeled as networkmanager_var_run_t
+- Label /sbin/xfs_growfs as fsadm_exec_t
+- Allow SELinux users to create coolkeypk11sE-Gate in /var/cache/coolkey
+- Create resolv.conf in the pppd_var_run_t with the net_conf_t label
+- Fix labeling for /etc/strongswan/ipsec.d
+- Add labeling for /var/run/charon.ctl socket
+- Allow syslogd_t to connect to the syslog_tls port
+
* Tue Oct 15 2013 Lukas Vrabec 3.12.1-74.10
- Add kill capability in glusterfs policy
- Add postfix_rw_spool_maildrop_files interface