diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index ce5354b..2ea30e4 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -5423,7 +5423,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..cbc0e69 100644
+index 4edc40d..5df4efc 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5509,7 +5509,7 @@ index 4edc40d..cbc0e69 100644
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
network_port(auth, tcp,113,s0)
-@@ -96,18 +118,18 @@ network_port(boinc, tcp,31416,s0)
+@@ -96,19 +118,19 @@ network_port(boinc, tcp,31416,s0)
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
network_port(biff) # no defined portcon
network_port(certmaster, tcp,51235,s0)
@@ -5527,9 +5527,11 @@ index 4edc40d..cbc0e69 100644
network_port(condor, tcp,9618,s0, udp,9618,s0)
network_port(couchdb, tcp,5984,s0, udp,5984,s0)
-network_port(cslistener, tcp,9000,s0, udp,9000,s0)
- network_port(ctdb, tcp,4379,s0, udp,4397,s0)
+-network_port(ctdb, tcp,4379,s0, udp,4397,s0)
++network_port(ctdb, tcp,4379,s0, udp,4379,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
+ network_port(daap, tcp,3689,s0, udp,3689,s0)
@@ -119,19 +141,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
@@ -5555,7 +5557,7 @@ index 4edc40d..cbc0e69 100644
network_port(git, tcp,9418,s0, udp,9418,s0)
+network_port(glance, tcp,9292,s0, udp,9292,s0)
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
-+network_port(gluster, tcp,24007,s0, tcp, 38465-38469,s0)
++network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
@@ -5915,7 +5917,7 @@ index b31c054..17e11e0 100644
+/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
+/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..48504fe 100644
+index 76f285e..b708d28 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6807,6 +6809,24 @@ index 76f285e..48504fe 100644
')
########################################
+@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',`
+
+ ########################################
+ ##
+-## Do not audit attempts to append to random
++## Do not audit attempts to append to the random
+ ## number generator devices (e.g., /dev/random)
+ ##
+ ##
+@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',`
+ type random_device_t;
+ ')
+
+- dontaudit $1 random_device_t:chr_file append_chr_file_perms;
++ dontaudit $1 random_device_t:chr_file { append };
+ ')
+
+ ########################################
@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',`
########################################
@@ -21044,7 +21064,7 @@ index 5fc0391..337d97e 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..8f50bb9 100644
+index d1f64a0..9a5dab5 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -21124,13 +21144,16 @@ index d1f64a0..8f50bb9 100644
# /usr
#
-+/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
- /usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm3? -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
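Review bot: The re-added entry `/usr/s?bin/lightdm*` still uses `*` as a regex quantifier on the final `m`, so it matches `lightd`, `lightdm`, `lightdmm` and nothing with a suffix; file-context paths are regular expressions, not shell globs. If only the display-manager binary should carry `xdm_exec_t`, write `/usr/s?bin/lightdm -- gen_context(system_u:object_r:xdm_exec_t,s0)`. If helper binaries are meant to be covered, `lightdm.*` states that explicitly. The choice matters because `xdm_exec_t` is the entry-point type for the display-manager domain. The `(s)?` to `s?` and `gdm(3)?` to `gdm3?` rewrites in the same hunk look equivalent.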
@@ -26024,19 +26047,23 @@ index 6c4b6ee..f512b72 100644
xen_rw_image_files(fsadm_t)
')
diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
-index e1a1848..c0d34e7 100644
+index e1a1848..4927638 100644
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
-@@ -3,6 +3,10 @@
+@@ -3,8 +3,12 @@
/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+-/var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
+-/var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
+/usr/lib/systemd/system/[^/]*getty.* -- gen_context(system_u:object_r:getty_unit_file_t,s0)
+
+/usr/sbin/.*getty -- gen_context(system_u:object_r:getty_exec_t,s0)
+
- /var/log/mgetty\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
- /var/log/vgetty\.log\..* -- gen_context(system_u:object_r:getty_log_t,s0)
++/var/log/mgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
++/var/log/vgetty.*\.log.* -- gen_context(system_u:object_r:getty_log_t,s0)
+
+ /var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
index e4376aa..2c98c56 100644
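Review bot: The widened log patterns `/var/log/mgetty.*\.log.*` and `/var/log/vgetty.*\.log.*` use `.*`, which also matches `/`. Any regular file beneath a directory whose name starts with `mgetty` or `vgetty` would therefore be labelled `getty_log_t` if its path contains `.log`. If only files directly in `/var/log` are intended (an assumption, the hunk does not say), `[^/]*` keeps the match to one path component, e.g. `/var/log/mgetty[^/]*\.log[^/]*`, in the same way the unit-file entry in this file uses `[^/]*getty.*`. A short comment naming the log file names this is meant to catch would also explain why the old `\.log` anchoring was too narrow.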
@@ -35754,10 +35781,10 @@ index 0000000..431619e
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..bd5a6b7
+index 0000000..f3fed12
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1289 @@
+@@ -0,0 +1,1291 @@
+## SELinux policy for systemd components
+
+######################################
@@ -36079,8 +36106,10 @@ index 0000000..bd5a6b7
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+ gen_require(`
+ type systemd_logind_sessions_t;
++ type systemd_logind_t;
+ ')
+
++ allow $1 systemd_logind_t:fd use;
+ allow $1 systemd_logind_sessions_t:fifo_file write;
+')
+
@@ -37049,10 +37078,10 @@ index 0000000..bd5a6b7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..6379489
+index 0000000..0753891
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,661 @@
+@@ -0,0 +1,663 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -37609,7 +37638,6 @@ index 0000000..6379489
+corenet_tcp_connect_time_port(systemd_timedated_t)
+
+dev_rw_realtime_clock(systemd_timedated_t)
-+dev_read_urand(systemd_timedated_t)
+dev_write_kmsg(systemd_timedated_t)
+dev_read_sysfs(systemd_timedated_t)
+
@@ -37700,6 +37728,9 @@ index 0000000..6379489
+# Common rules for systemd domains
+#
+allow systemd_domain self:process { setfscreate signal_perms };
++
++dev_read_urand(systemd_domain)
++
+files_read_etc_files(systemd_domain)
+files_read_etc_runtime_files(systemd_domain)
+files_read_usr_files(systemd_domain)
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 9503f2d..767302a 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -1959,7 +1959,7 @@ index 708b743..c2edd9a 100644
+ ps_process_pattern($1, alsa_t)
+')
diff --git a/alsa.te b/alsa.te
-index cda6d20..fbe259e 100644
+index cda6d20..443ce3c 100644
--- a/alsa.te
+++ b/alsa.te
@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
@@ -1980,8 +1980,9 @@ index cda6d20..fbe259e 100644
# Local policy
#
- allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
+-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
++allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms };
allow alsa_t self:sem create_sem_perms;
@@ -2705,10 +2706,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..f44287f
+index 0000000..a2cafbc
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,268 @@
+@@ -0,0 +1,269 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2948,6 +2949,7 @@ index 0000000..f44287f
+
+optional_policy(`
+ mysql_stream_connect(antivirus_domain)
++ corenet_tcp_connect_mysqld_port(antivirus_domain)
+')
+
+optional_policy(`
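Review bot: `corenet_tcp_connect_mysqld_port(antivirus_domain)` is granted to the whole `antivirus_domain` attribute, so every domain carrying that attribute gains outbound TCP to the MySQL port, not only the component that presumably needs a remote database. Local connections are already covered by `mysql_stream_connect(antivirus_domain)` on the line above. If one daemon needs the network path, name its type instead of the attribute, or wrap the rule in a `tunable_policy` block so socket-only installations do not get the network permission by default. A one-line comment saying which component talks to MySQL over TCP would make the grant reviewable later.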
@@ -7014,7 +7016,7 @@ index f3c0aba..b6afc90 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..ea24c5d 100644
+index b236327..3128e78 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -7071,7 +7073,7 @@ index b236327..ea24c5d 100644
+init_telinit(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
-+auth_read_passwd(apcupsd_t)
++auth_use_nsswitch(apcupsd_t)
+
+logging_send_syslog_msg(apcupsd_t)
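Review bot: Replacing `auth_read_passwd(apcupsd_t)` with `auth_use_nsswitch(apcupsd_t)` widens the domain from reading the passwd database to the full name-service interface, which in the reference policy normally also permits network-backed lookups. The hunk gives no reason for the broader interface, and elsewhere in this same commit `ctdbd_t` is given only `auth_read_passwd`. If the denial behind this was a host or user lookup, add a comment above the call such as `# apcupsd resolves names through nsswitch` (wording to be confirmed by the author). Then the next reviewer can tell that the wider grant is deliberate rather than a convenience.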
@@ -12300,7 +12302,7 @@ index c223f81..3bcdf6a 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
-index 2a71346..486cdb9 100644
+index 2a71346..8c4ac39 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -12353,7 +12355,7 @@ index 2a71346..486cdb9 100644
apache_search_sys_content(cobblerd_t)
')
-@@ -188,17 +191,21 @@ optional_policy(`
+@@ -188,17 +191,25 @@ optional_policy(`
')
optional_policy(`
@@ -12361,6 +12363,10 @@ index 2a71346..486cdb9 100644
+')
+
+optional_policy(`
++ mysql_stream_connect(cobblerd_t)
++')
++
++optional_policy(`
rpm_exec(cobblerd_t)
')
@@ -13359,7 +13365,7 @@ index 3fe3cb8..5fe84a6 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index 3f2b672..39f85e7 100644
+index 3f2b672..ff94f23 100644
--- a/condor.te
+++ b/condor.te
@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
@@ -13382,7 +13388,7 @@ index 3f2b672..39f85e7 100644
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
-@@ -57,15 +63,20 @@ condor_domain_template(startd)
+@@ -57,15 +63,21 @@ condor_domain_template(startd)
# Global local policy
#
@@ -13398,6 +13404,7 @@ index 3f2b672..39f85e7 100644
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
+
++allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
@@ -13408,7 +13415,7 @@ index 3f2b672..39f85e7 100644
logging_log_filetrans(condor_domain, condor_log_t, { dir file })
manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-@@ -86,13 +97,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
@@ -13422,7 +13429,7 @@ index 3f2b672..39f85e7 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -106,9 +114,9 @@ dev_read_rand(condor_domain)
+@@ -106,9 +115,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
@@ -13434,7 +13441,7 @@ index 3f2b672..39f85e7 100644
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +133,7 @@ optional_policy(`
+@@ -125,7 +134,7 @@ optional_policy(`
# Master local policy
#
@@ -13443,7 +13450,7 @@ index 3f2b672..39f85e7 100644
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -133,6 +141,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
@@ -13454,7 +13461,7 @@ index 3f2b672..39f85e7 100644
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
-@@ -152,6 +164,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
@@ -13463,7 +13470,7 @@ index 3f2b672..39f85e7 100644
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
-@@ -169,6 +183,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -13472,7 +13479,7 @@ index 3f2b672..39f85e7 100644
#####################################
#
# Negotiator local policy
-@@ -178,6 +194,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -13481,7 +13488,7 @@ index 3f2b672..39f85e7 100644
######################################
#
# Procd local policy
-@@ -185,7 +203,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
+@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
@@ -13491,7 +13498,7 @@ index 3f2b672..39f85e7 100644
domain_read_all_domains_state(condor_procd_t)
-@@ -201,6 +220,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -13500,7 +13507,7 @@ index 3f2b672..39f85e7 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -209,6 +230,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -13509,7 +13516,7 @@ index 3f2b672..39f85e7 100644
#####################################
#
# Startd local policy
-@@ -233,11 +256,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -13522,7 +13529,7 @@ index 3f2b672..39f85e7 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -249,3 +271,7 @@ optional_policy(`
+@@ -249,3 +272,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -16564,8 +16571,21 @@ index 28e1b86..9436993 100644
+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+ openshift_transition(system_cronjob_t)
')
+diff --git a/ctdb.fc b/ctdb.fc
+index 8401fe6..507804b 100644
+--- a/ctdb.fc
++++ b/ctdb.fc
+@@ -2,6 +2,8 @@
+
+ /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
+
++/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
++
+ /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
+
+ /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
diff --git a/ctdb.if b/ctdb.if
-index b25b01d..4f7d237 100644
+index b25b01d..e99c5c6 100644
--- a/ctdb.if
+++ b/ctdb.if
@@ -1,9 +1,144 @@
@@ -16648,9 +16668,11 @@ index b25b01d..4f7d237 100644
+ logging_search_logs($1)
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
+')
-+
-+########################################
-+##
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## ctdbd lib files.
+## Manage ctdbd log files
+##
+##
@@ -16707,11 +16729,9 @@ index b25b01d..4f7d237 100644
+ files_search_var_lib($1)
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
+')
-
- ########################################
- ##
--## Create, read, write, and delete
--## ctdbd lib files.
++
++########################################
++##
+## Manage ctdbd lib files.
##
##
@@ -16729,15 +16749,35 @@ index b25b01d..4f7d237 100644
##
-## Connect to ctdbd with a unix
-## domain stream socket.
-+## Manage ctdbd lib directories.
++## Manage ctdbd lib files.
##
##
##
-@@ -31,19 +165,58 @@ interface(`ctdbd_manage_lib_files',`
+@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',`
##
##
#
-interface(`ctdbd_stream_connect',`
++interface(`ctdbd_manage_var_files',`
+ gen_require(`
+- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
++ type ctdbd_var_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t)
++')
++
++########################################
++##
++## Manage ctdbd lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`ctdbd_manage_lib_dirs',`
+ gen_require(`
+ type ctdbd_var_lib_t;
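Review bot: The new `ctdbd_manage_var_files` interface appears to be copied from the lib-files one without adjusting it: its summary reads `Manage ctdbd lib files.` and it calls `files_search_var_lib($1)`. It actually manages `ctdbd_var_t`, which the ctdb.fc change in this commit places at `/var/ctdb` rather than under `/var/lib`. The summary should read `## Manage ctdbd var files.` and the search call should be `files_search_var($1)`, so callers are not handed search access to `/var/lib` that this path does not need. The interface grants only `manage_files_pattern`, whereas `ctdbd_t` itself also manages directories and symlinks of this type in ctdb.te, so confirm that file-only access is what callers need. The doc block of the interface is only partly visible in this hunk.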
@@ -16758,8 +16798,7 @@ index b25b01d..4f7d237 100644
+##
+#
+interface(`ctdbd_read_pid_files',`
- gen_require(`
-- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
++ gen_require(`
+ type ctdbd_var_run_t;
')
@@ -16797,7 +16836,7 @@ index b25b01d..4f7d237 100644
##
##
##
-@@ -57,16 +230,19 @@ interface(`ctdbd_stream_connect',`
+@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',`
##
##
#
@@ -16821,7 +16860,7 @@ index b25b01d..4f7d237 100644
domain_system_change_exemption($1)
role_transition $2 ctdbd_initrc_exec_t system_r;
allow $2 system_r;
-@@ -74,12 +250,10 @@ interface(`ctdb_admin',`
+@@ -74,12 +269,10 @@ interface(`ctdb_admin',`
logging_search_logs($1)
admin_pattern($1, ctdbd_log_t)
@@ -16836,10 +16875,44 @@ index b25b01d..4f7d237 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..f2a7a61 100644
+index 6ce66e7..f8e9ecc 100644
--- a/ctdb.te
+++ b/ctdb.te
-@@ -75,6 +75,7 @@ corenet_tcp_bind_generic_node(ctdbd_t)
+@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
+ type ctdbd_var_lib_t;
+ files_type(ctdbd_var_lib_t)
+
++type ctdbd_var_t;
++files_type(ctdbd_var_t)
++
+ type ctdbd_var_run_t;
+ files_pid_file(ctdbd_var_run_t)
+
+@@ -33,6 +36,7 @@ files_pid_file(ctdbd_var_run_t)
+ #
+
+ allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
++allow ctdbd_t self:capability2 block_suspend;
+ allow ctdbd_t self:process { setpgid signal_perms setsched };
+ allow ctdbd_t self:fifo_file rw_fifo_file_perms;
+ allow ctdbd_t self:unix_stream_socket { accept connectto listen };
+@@ -59,6 +63,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
+ files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
+
++manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
++manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
++manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
++
+ manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+ manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
+ files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
+@@ -72,9 +81,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
+ corenet_tcp_sendrecv_generic_if(ctdbd_t)
+ corenet_tcp_sendrecv_generic_node(ctdbd_t)
+ corenet_tcp_bind_generic_node(ctdbd_t)
++corenet_udp_bind_generic_node(ctdbd_t)
corenet_sendrecv_ctdb_server_packets(ctdbd_t)
corenet_tcp_bind_ctdb_port(ctdbd_t)
@@ -16847,20 +16920,22 @@ index 6ce66e7..f2a7a61 100644
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
corecmd_exec_bin(ctdbd_t)
-@@ -85,12 +86,10 @@ dev_read_urand(ctdbd_t)
+@@ -85,12 +96,12 @@ dev_read_urand(ctdbd_t)
domain_dontaudit_read_all_domains_state(ctdbd_t)
-files_read_etc_files(ctdbd_t)
files_search_all_mountpoints(ctdbd_t)
++auth_read_passwd(ctdbd_t)
++
logging_send_syslog_msg(ctdbd_t)
-miscfiles_read_localization(ctdbd_t)
miscfiles_read_public_files(ctdbd_t)
optional_policy(`
-@@ -109,6 +108,7 @@ optional_policy(`
+@@ -109,6 +120,7 @@ optional_policy(`
samba_initrc_domtrans(ctdbd_t)
samba_domtrans_net(ctdbd_t)
samba_rw_var_files(ctdbd_t)
@@ -20947,10 +21022,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..05c070d
+index 0000000..73d1b46
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,196 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -21009,8 +21084,10 @@ index 0000000..05c070d
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
+
++manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
-+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
++manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
++fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
+
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
@@ -25484,10 +25561,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..a19c35c
+index 0000000..aacc157
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,170 @@
+@@ -0,0 +1,171 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -25612,6 +25689,7 @@ index 0000000..a19c35c
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
++corenet_tcp_bind_all_unreserved_ports(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
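Review bot: `corenet_tcp_bind_all_unreserved_ports(glusterd_t)` lets glusterd listen on any TCP port typed as unreserved. That makes the `gluster` port labelling, widened to `tcp,24007-24027` in policy-f19-base.patch by this same commit, largely irrelevant as a confinement boundary. If the daemon uses a known brick port range, it would be tighter to add that range to the `network_port(gluster, ...)` definition and keep binding restricted to the gluster port type. If the ports really are chosen dynamically, a comment next to the rule saying so would justify the broad grant, and a `tunable_policy` guard would let sites with fixed ports turn it off.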
@@ -25938,10 +26016,10 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..237de86 100644
+index d03fd43..e814f72 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,123 +1,155 @@
+@@ -1,123 +1,157 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
@@ -26058,39 +26136,40 @@ index d03fd43..237de86 100644
+ ubac_constrained($1_gkeyringd_t)
domain_user_exemption_target($1_gkeyringd_t)
-- role $2 types $1_gkeyringd_t;
+ userdom_home_manager($1_gkeyringd_t)
++
+ role $2 types $1_gkeyringd_t;
- ########################################
- #
- # Gconf policy
- #
-+ role $2 types $1_gkeyringd_t;
++ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- domtrans_pattern($3, gconfd_exec_t, gconfd_t)
-+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
++ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
++ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
-+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
-
-- allow $3 gconfd_t:process { ptrace signal_perms };
-- ps_process_pattern($3, gconfd_t)
+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
-- ########################################
-- #
-- # Gkeyringd policy
-- #
+- allow $3 gconfd_t:process { ptrace signal_perms };
+- ps_process_pattern($3, gconfd_t)
+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
+ allow $1_gkeyringd_t $3:process sigkill;
+ allow $3 $1_gkeyringd_t:fd use;
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
++ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
+
+- ########################################
+- #
+- # Gkeyringd policy
+- #
- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
+ kernel_read_system_state($1_gkeyringd_t)
@@ -26111,12 +26190,12 @@ index d03fd43..237de86 100644
ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
+-
+- corecmd_bin_domtrans($1_gkeyringd_t, $3)
+- corecmd_shell_domtrans($1_gkeyringd_t, $3)
+ allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
-- corecmd_bin_domtrans($1_gkeyringd_t, $3)
-- corecmd_shell_domtrans($1_gkeyringd_t, $3)
--
- gnome_stream_connect_gkeyringd($1, $3)
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
@@ -26174,7 +26253,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -125,18 +157,18 @@ template(`gnome_role_template',`
+@@ -125,18 +159,18 @@ template(`gnome_role_template',`
##
##
#
@@ -26198,7 +26277,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -144,119 +176,114 @@ interface(`gnome_exec_gconf',`
+@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -26355,7 +26434,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -264,15 +291,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -26382,7 +26461,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -280,57 +313,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -26490,7 +26569,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -338,15 +403,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -26514,7 +26593,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -354,22 +422,18 @@ interface(`gnome_manage_config',`
+@@ -354,22 +424,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -26542,7 +26621,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -377,53 +441,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -26604,7 +26683,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -431,17 +479,18 @@ interface(`gnome_home_filetrans',`
+@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -26627,7 +26706,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -449,23 +498,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -26655,7 +26734,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -473,82 +517,73 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -26762,7 +26841,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -557,52 +592,76 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -557,52 +594,76 @@ interface(`gnome_home_filetrans_gconf_home',`
##
##
#
@@ -26860,7 +26939,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -610,93 +669,126 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -610,93 +671,126 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -27021,7 +27100,7 @@ index d03fd43..237de86 100644
##
##
##
-@@ -704,12 +796,851 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +798,851 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -28198,19 +28277,21 @@ index 20f726b..c6ff2a1 100644
+
+userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc
-index b687443..5d92f4e 100644
+index b687443..e4c1b83 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
-@@ -1,5 +1,7 @@
+@@ -1,5 +1,9 @@
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
++
++/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
++/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-+/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702..25c7ab8 100644
--- a/gnomeclock.if
@@ -38953,7 +39034,7 @@ index 4462c0e..84944d1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..154cade 100644
+index 6ffaba2..d1f0fda 100644
--- a/mozilla.fc
+++ b/mozilla.fc
@@ -1,38 +1,67 @@
@@ -38993,14 +39074,14 @@ index 6ffaba2..154cade 100644
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.juniper_networks(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+HOME_DIR/.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-+
+#
+# /bin
+#
@@ -39014,7 +39095,7 @@ index 6ffaba2..154cade 100644
-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
--
+
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
@@ -39025,7 +39106,6 @@ index 6ffaba2..154cade 100644
-/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+
+ifdef(`distro_redhat',`
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
@@ -39059,7 +39139,7 @@ index 6ffaba2..154cade 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..f1a5676 100644
+index 6194b80..2ab36ff 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -39749,7 +39829,7 @@ index 6194b80..f1a5676 100644
##
##
##
-@@ -530,45 +498,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +498,54 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -39821,6 +39901,7 @@ index 6194b80..f1a5676 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
@@ -39828,7 +39909,7 @@ index 6194b80..f1a5676 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..bcecbbd 100644
+index 6a306ee..937a608 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -40272,7 +40353,7 @@ index 6a306ee..bcecbbd 100644
')
optional_policy(`
-@@ -300,221 +324,184 @@ optional_policy(`
+@@ -300,221 +324,185 @@ optional_policy(`
########################################
#
@@ -40459,6 +40540,7 @@ index 6a306ee..bcecbbd 100644
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
-dev_read_generic_usb_dev(mozilla_plugin_t)
++dev_dontaudit_append_rand(mozilla_plugin_t)
dev_read_rand(mozilla_plugin_t)
-dev_read_realtime_clock(mozilla_plugin_t)
-dev_read_sound(mozilla_plugin_t)
@@ -40596,7 +40678,7 @@ index 6a306ee..bcecbbd 100644
')
optional_policy(`
-@@ -523,36 +510,44 @@ optional_policy(`
+@@ -523,36 +511,44 @@ optional_policy(`
')
optional_policy(`
@@ -40654,7 +40736,7 @@ index 6a306ee..bcecbbd 100644
')
optional_policy(`
-@@ -560,7 +555,7 @@ optional_policy(`
+@@ -560,7 +556,7 @@ optional_policy(`
')
optional_policy(`
@@ -40663,7 +40745,7 @@ index 6a306ee..bcecbbd 100644
')
optional_policy(`
-@@ -568,108 +563,128 @@ optional_policy(`
+@@ -568,108 +564,128 @@ optional_policy(`
')
optional_policy(`
@@ -40911,7 +40993,7 @@ index 5fa77c7..2e01c7d 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index 7c8afcc..41f4352 100644
+index 7c8afcc..33b18c8 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
@@ -40976,18 +41058,36 @@ index 7c8afcc..41f4352 100644
fs_list_inotifyfs(mpd_t)
fs_rw_anon_inodefs_files(mpd_t)
fs_search_auto_mountpoints(mpd_t)
-@@ -150,7 +166,9 @@ auth_use_nsswitch(mpd_t)
+@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
-miscfiles_read_localization(mpd_t)
-+userdom_read_home_audio_files(mpd_t)
-+userdom_read_user_tmpfs_files(mpd_t)
+userdom_home_reader(mpd_t)
tunable_policy(`mpd_enable_homedirs',`
- userdom_search_user_home_dirs(mpd_t)
-@@ -191,7 +209,7 @@ optional_policy(`
+- userdom_search_user_home_dirs(mpd_t)
++ userdom_stream_connect(mpd_t)
++ userdom_read_home_audio_files(mpd_t)
++ userdom_list_user_tmp(mpd_t)
++ userdom_read_user_tmpfs_files(mpd_t)
++ userdom_dontaudit_setattr_user_tmp(mpd_t)
++')
++
++optional_policy(`
++ tunable_policy(`mpd_enable_homedirs',`
++ pulseaudio_read_home_files(mpd_t)
++ ')
+ ')
+
+ tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',`
+ fs_read_nfs_files(mpd_t)
+ fs_read_nfs_symlinks(mpd_t)
++
+ ')
+
+ tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
+@@ -191,7 +218,7 @@ optional_policy(`
')
optional_policy(`
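Review bot: `userdom_home_reader(mpd_t)` stays unconditional on the line just above the mpd_enable_homedirs tunable block, while this hunk moves `userdom_read_home_audio_files(mpd_t)` and `userdom_read_user_tmpfs_files(mpd_t)` under that boolean. The interface body is not visible here, but if it grants any read access to user home content, the boolean no longer gates all of mpd's home access and the call belongs inside the block as well. Separately, the empty line added before the closing `')` of the `mpd_enable_homedirs && use_nfs_home_dirs` block is stray whitespace and can be dropped.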
@@ -40996,7 +41096,7 @@ index 7c8afcc..41f4352 100644
')
optional_policy(`
-@@ -199,6 +217,16 @@ optional_policy(`
+@@ -199,6 +226,16 @@ optional_policy(`
')
optional_policy(`
@@ -51704,10 +51804,10 @@ index 0000000..fdc4a03
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..55c843c
+index 0000000..1911441
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,549 @@
+@@ -0,0 +1,551 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -52151,6 +52251,8 @@ index 0000000..55c843c
+
+term_dontaudit_use_generic_ptys(openshift_cgroup_read_t)
+
++auth_read_passwd(openshift_cgroup_read_t)
++
+miscfiles_read_localization(openshift_cgroup_read_t)
+
+optional_policy(`
@@ -52321,7 +52423,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..60a7af6 100644
+index 3270ff9..5b046fe 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -52381,7 +52483,7 @@ index 3270ff9..60a7af6 100644
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
@@ -52392,9 +52494,14 @@ index 3270ff9..60a7af6 100644
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
- append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
- create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t)
+-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
++manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
+ logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
+
+ manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
+@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
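Review bot: Replacing the append/create/setattr patterns on openvpn_var_log_t with `manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)` drops the append-only property of the daemon's logs. With manage-level access a compromised openvpn_t process can overwrite, truncate or unlink its own log history, which is the evidence an investigation would rely on. If the change was driven by a single AVC denial, keeping the three original lines and adding only the permission that denial named would preserve log integrity. Otherwise a comment above the line should say why full manage is required, and these logs should be forwarded off the host.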
@@ -52402,7 +52509,7 @@ index 3270ff9..60a7af6 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
@@ -52419,7 +52526,7 @@ index 3270ff9..60a7af6 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t)
@@ -52447,7 +52554,7 @@ index 3270ff9..60a7af6 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+@@ -143,6 +175,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(openvpn_t)
')
@@ -52458,7 +52565,7 @@ index 3270ff9..60a7af6 100644
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
-@@ -155,3 +193,27 @@ optional_policy(`
+@@ -155,3 +191,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -57355,7 +57462,7 @@ index ae27bb7..d00f6ba 100644
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
-index 316d53a..388d659 100644
+index 316d53a..35d9018 100644
--- a/polipo.te
+++ b/polipo.te
@@ -1,4 +1,4 @@
@@ -57431,7 +57538,7 @@ index 316d53a..388d659 100644
type polipo_cache_t;
files_type(polipo_cache_t)
-@@ -56,112 +63,96 @@ files_type(polipo_cache_t)
+@@ -56,112 +63,97 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
@@ -57485,6 +57592,7 @@ index 316d53a..388d659 100644
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
+corenet_tcp_connect_http_port(polipo_daemon)
+corenet_tcp_connect_tor_port(polipo_daemon)
++corenet_tcp_connect_flash_port(polipo_daemon)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(polipo_session_t)
@@ -68165,7 +68273,7 @@ index 661bb88..06f69c4 100644
+')
+
diff --git a/readahead.te b/readahead.te
-index f1512d6..bc627d7 100644
+index f1512d6..8ee7e70 100644
--- a/readahead.te
+++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -68176,7 +68284,7 @@ index f1512d6..bc627d7 100644
init_daemon_run_dir(readahead_var_run_t, "readahead")
########################################
-@@ -31,13 +32,17 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
+@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
@@ -68191,11 +68299,12 @@ index f1512d6..bc627d7 100644
-dev_read_sysfs(readahead_t)
+dev_rw_sysfs(readahead_t)
+dev_read_kmsg(readahead_t)
++dev_read_urand(readahead_t)
+dev_write_kmsg(readahead_t)
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
-@@ -51,12 +56,22 @@ domain_use_interactive_fds(readahead_t)
+@@ -51,12 +57,22 @@ domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t)
files_create_boot_flag(readahead_t)
@@ -68218,7 +68327,7 @@ index f1512d6..bc627d7 100644
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
-@@ -66,13 +81,12 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,13 +82,12 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
@@ -68233,7 +68342,7 @@ index f1512d6..bc627d7 100644
mls_file_read_all_levels(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
-@@ -84,13 +98,15 @@ auth_dontaudit_read_shadow(readahead_t)
+@@ -84,13 +99,15 @@ auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
@@ -75939,7 +76048,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..d48911d 100644
+index 57c034b..8854093 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -76251,10 +76360,10 @@ index 57c034b..d48911d 100644
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
-+allow smbd_t nmbd_t:process { signal signull };
-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
++allow smbd_t nmbd_t:process { signal signull };
++
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
@@ -76475,7 +76584,15 @@ index 57c034b..d48911d 100644
optional_policy(`
ccs_read_config(smbd_t)
')
-@@ -473,6 +459,11 @@ optional_policy(`
+@@ -460,6 +446,7 @@ optional_policy(`
+ optional_policy(`
+ ctdbd_stream_connect(smbd_t)
+ ctdbd_manage_lib_files(smbd_t)
++ ctdbd_manage_var_files(smbd_t)
+ ')
+
+ optional_policy(`
+@@ -473,6 +460,11 @@ optional_policy(`
')
optional_policy(`
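Review bot: `ctdbd_manage_var_files(smbd_t)` gives smbd_t a manage-level interface on ctdb's state files, and the later winbind_t hunk adds the same call; neither has a comment saying why create and delete are needed rather than read and write. The interface definition is not part of this diff, so the exact permission set needs checking. If smbd and winbind only update existing files, a narrower rw interface would limit what a compromised file-server process can do to cluster state. The winbind hunk also introduces two consecutive blank lines before its `optional_policy`, one of which can go.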
@@ -76487,7 +76604,7 @@ index 57c034b..d48911d 100644
lpd_exec_lpr(smbd_t)
')
-@@ -493,9 +484,33 @@ optional_policy(`
+@@ -493,9 +485,33 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -76522,7 +76639,7 @@ index 57c034b..d48911d 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +521,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +522,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -76537,7 +76654,7 @@ index 57c034b..d48911d 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +537,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +538,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -76561,7 +76678,7 @@ index 57c034b..d48911d 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +554,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +555,40 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -76626,7 +76743,7 @@ index 57c034b..d48911d 100644
')
optional_policy(`
-@@ -600,17 +600,24 @@ optional_policy(`
+@@ -600,17 +601,24 @@ optional_policy(`
########################################
#
@@ -76655,7 +76772,7 @@ index 57c034b..d48911d 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -620,16 +627,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +628,12 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
@@ -76673,7 +76790,7 @@ index 57c034b..d48911d 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +640,23 @@ optional_policy(`
+@@ -637,22 +641,23 @@ optional_policy(`
########################################
#
@@ -76705,7 +76822,7 @@ index 57c034b..d48911d 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -661,26 +665,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +666,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -76741,7 +76858,7 @@ index 57c034b..d48911d 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -692,58 +692,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +693,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -76833,7 +76950,7 @@ index 57c034b..d48911d 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +771,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +772,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -76857,7 +76974,7 @@ index 57c034b..d48911d 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -770,36 +785,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +786,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -76900,7 +77017,7 @@ index 57c034b..d48911d 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -811,10 +815,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +816,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -76914,7 +77031,7 @@ index 57c034b..d48911d 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -834,16 +839,19 @@ optional_policy(`
+@@ -834,16 +840,19 @@ optional_policy(`
#
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -76938,7 +77055,7 @@ index 57c034b..d48911d 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +861,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +862,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -76949,7 +77066,7 @@ index 57c034b..d48911d 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +872,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +873,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -76979,7 +77096,7 @@ index 57c034b..d48911d 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +895,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +896,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -77000,7 +77117,7 @@ index 57c034b..d48911d 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +913,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +914,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -77011,7 +77128,7 @@ index 57c034b..d48911d 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,18 +921,24 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,26 +922,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -77038,20 +77155,22 @@ index 57c034b..d48911d 100644
optional_policy(`
ctdbd_stream_connect(winbind_t)
-@@ -936,7 +946,12 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dirsrv_stream_connect(winbind_t)
+ ctdbd_manage_lib_files(winbind_t)
++ ctdbd_manage_var_files(winbind_t)
+')
+
++
+optional_policy(`
++ dirsrv_stream_connect(winbind_t)
+ ')
+
+ optional_policy(`
kerberos_use(winbind_t)
+ kerberos_filetrans_named_content(winbind_t)
')
optional_policy(`
-@@ -952,31 +967,29 @@ optional_policy(`
+@@ -952,31 +970,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -77089,7 +77208,7 @@ index 57c034b..d48911d 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +1003,38 @@ optional_policy(`
+@@ -990,25 +1006,38 @@ optional_policy(`
########################################
#
@@ -85938,7 +86057,7 @@ index 42946bc..741f2f4 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index e9c0964..ed2f217 100644
+index e9c0964..716a285 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -1,29 +1,28 @@
@@ -86439,7 +86558,7 @@ index e9c0964..ed2f217 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +382,48 @@ optional_policy(`
+@@ -452,31 +382,49 @@ optional_policy(`
#######################################
#
@@ -86485,6 +86604,7 @@ index e9c0964..ed2f217 100644
+
+optional_policy(`
+ systemd_dbus_chat_logind(telepathy_domain)
++ systemd_write_inhibit_pipes(telepathy_domain)
+')
+
+optional_policy(`
@@ -88481,7 +88601,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..971952e 100644
+index 7116181..935ec1d 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -88510,7 +88630,7 @@ index 7116181..971952e 100644
read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
-@@ -41,10 +47,12 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
+@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
@@ -88524,18 +88644,25 @@ index 7116181..971952e 100644
+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
+manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
+files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
++can_exec(tuned_t, tuned_tmp_t)
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
-@@ -57,6 +65,7 @@ kernel_request_load_module(tuned_t)
+ files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
++can_exec(tuned_t, tuned_var_run_t)
+
+ kernel_read_system_state(tuned_t)
+ kernel_read_network_state(tuned_t)
+@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t)
kernel_rw_kernel_sysctl(tuned_t)
kernel_rw_hotplug_sysctls(tuned_t)
kernel_rw_vm_sysctls(tuned_t)
+kernel_setsched(tuned_t)
++kernel_rw_all_sysctls(tuned_t)
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -64,31 +73,52 @@ corecmd_exec_shell(tuned_t)
+@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t)
dev_getattr_all_blk_files(tuned_t)
dev_getattr_all_chr_files(tuned_t)
dev_read_urand(tuned_t)
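Review bot: The two added `can_exec(tuned_t, tuned_tmp_t)` and `can_exec(tuned_t, tuned_var_run_t)` lines let tuned_t execute files of types it can also create and write, as the `manage_files_pattern` and filetrans lines beside them show. The domain can therefore drop a file into /tmp or its run directory and run it without leaving tuned_t, which removes much of the containment value for a root daemon. If tuned only needs to run generated profile scripts, a dedicated type for them with a comment naming the feature would be easier to audit than exec on the general tmp and pid types. `kernel_rw_all_sysctls(tuned_t)` also appears to subsume the three narrower `kernel_rw_*_sysctl*` calls kept just above it, so either drop those or keep the narrow set and add only the sysctl class that was denied.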
@@ -88544,12 +88671,15 @@ index 7116181..971952e 100644
dev_rw_netcontrol(tuned_t)
-files_read_usr_files(tuned_t)
++files_dontaudit_all_access_check(tuned_t)
files_dontaudit_search_home(tuned_t)
-files_dontaudit_list_tmp(tuned_t)
+files_list_tmp(tuned_t)
-fs_getattr_xattr_fs(tuned_t)
+fs_getattr_all_fs(tuned_t)
++fs_search_all(tuned_t)
++fs_rw_hugetlbfs_files(tuned_t)
+
+auth_use_nsswitch(tuned_t)
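Review bot: `files_dontaudit_all_access_check(tuned_t)` suppresses audit records rather than granting access, so after this hunk the log no longer shows tuned_t probing files it is not allowed to touch. It arrives together with `fs_search_all(tuned_t)`, so the domain gets wider directory traversal and less visibility in the same change. A one-line comment above the dontaudit call stating which tuned behaviour produces the noisy access checks would let a later reviewer decide whether it is still justified. Anyone investigating this domain should rebuild the policy with dontaudit rules disabled (`semodule -DB`) before trusting the absence of AVCs.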
@@ -94991,10 +95121,10 @@ index 7c7f7fa..dfeac3e 100644
-userdom_manage_user_home_content_files(wm_domain)
-userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
diff --git a/xen.fc b/xen.fc
-index 42d83b0..7977c2c 100644
+index 42d83b0..5f18f6e 100644
--- a/xen.fc
+++ b/xen.fc
-@@ -1,38 +1,40 @@
+@@ -1,38 +1,41 @@
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
@@ -95036,6 +95166,7 @@ index 42d83b0..7977c2c 100644
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
++/var/log/xenstored.* gen_context(system_u:object_r:xenstored_var_log_t,s0)
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
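Review bot: The new entry `/var/log/xenstored.*` has no file-type field and nothing anchoring the end of the name, unlike the neighbouring `/var/log/xend\.log.* --` entries. It therefore labels directories and any other object whose path merely begins with `/var/log/xenstored`, and `.*` also matches across `/`. If only xenstored's own log files are meant, `/var/log/xenstored.* --` or a tighter pattern keeps unrelated paths from inheriting xenstored_var_log_t. If the broad match is intended, as the changelog wording suggests, a comment above the entry should say so.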
@@ -96648,10 +96779,10 @@ index 46e4cd3..dea93eb 100644
+')
+
diff --git a/zarafa.fc b/zarafa.fc
-index faf99ed..a451e97 100644
+index faf99ed..fb336ae 100644
--- a/zarafa.fc
+++ b/zarafa.fc
-@@ -1,20 +1,18 @@
+@@ -1,20 +1,19 @@
-/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
@@ -96661,6 +96792,7 @@ index faf99ed..a451e97 100644
+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
++/usr/bin/zarafa-search -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
@@ -96683,7 +96815,7 @@ index faf99ed..a451e97 100644
/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
-@@ -22,11 +20,11 @@
+@@ -22,11 +21,11 @@
/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e90f9c4..7313cdc 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 74.8%{?dist}
+Release: 74.9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,38 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Oct 08 2013 Lukas Vrabec 3.12.1-74.9
+- Allow systemd domains to read /dev/urand
+- Remove duplicated interfaces
+- Fix port definition for ctdb ports
+- Dontaudit attempts for mozilla_plugin to append to /dev/random
+- Allow domains that communicate with systemd_logind_sessions to use systemd_logind_t fd
+- Match upstream labeling
+- Fix labeling for mgetty.* logs
+- glusterd binds to random unreserved ports
+- add type defintion for ctdbd_var_t
+- Fix ctdb.te
+- Add support for /var/ctdb. Allow ctdb block_suspend and read /etc/passwd file
+- apcupsd needs to send a message to all users on the system so needs to look them up
+- Allow polipo_daemon to connect to flash ports
+- Dontaudit attempts for mozilla_plugin to append to /dev/random
+- Fix the label on ~/.juniper_networks
+- Allow readahead to read /dev/urand
+- Fix lots of avcs about tuned
+- Any file names xenstored in /var/log should be treated as xenstored_var_log_t
+- Allow condor domains to list etc rw dirs
+- Allow cobblerd to connect to mysql
+- Label zarafa-search as zarafa-indexer
+- Openshift cgroup wants to read /etc/passwd
+- Allow mpd to interact with pulseaudio if mpd_enable_homedirs is turned on
+- Fix labeling for /usr/libexec/kde4/kcmdatetimehelper
+- Allow tuned to search all file system directories
+- Allow alsa_t to sys_nice, to get top performance for sound management
+- Dontaudit leaked unix_stream_sockets into gnome keyring
+- Allow telepathy domains to inhibit pipes on telepathy domains
+- Allow dirsrv_t to create tmpfs_t directories
+- Allow openvpn_t to manage openvpn_var_log_t files.
+
* Thu Sep 26 2013 Lukas Vrabec 3.12.1-74.8
- Get labeling right on ipsec.secrets
- Allow systemd to read dhcpc_state