++##
++## Allow colord domain to connect to the network using TCP.
++##
++##
++gen_tunable(colord_can_network_connect, false)
++
+type colord_t;
+type colord_exec_t;
+dbus_system_domain(colord_t, colord_exec_t)
@@ -24708,6 +24749,7 @@ index 0000000..2d54d11
+allow colord_t self:process signal;
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
++allow colord_t self:tcp_socket create_stream_socket_perms;
+allow colord_t self:udp_socket create_socket_perms;
+allow colord_t self:unix_dgram_socket create_socket_perms;
+
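Review bot: The added `allow colord_t self:tcp_socket create_stream_socket_perms;` is unconditional, although the only TCP use this patch introduces is the outbound connect gated by the `colord_can_network_connect` tunable. As far as I know `create_stream_socket_perms` also carries `listen` and `accept`, which a client-only domain should not need. Consider moving the rule into the tunable block and narrowing it to `allow colord_t self:tcp_socket create_socket_perms;`. The colord_t rule list continues outside this hunk, so confirm no other rule relies on the stream permissions.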
@@ -24724,12 +24766,14 @@ index 0000000..2d54d11
+files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
+
+kernel_read_network_state(colord_t)
++kernel_read_net_sysctls(colord_t)
+kernel_read_system_state(colord_t)
+kernel_read_device_sysctls(colord_t)
+kernel_request_load_module(colord_t)
+
+# reads *.ini files
+corecmd_exec_bin(colord_t)
++corecmd_exec_shell(colord_t)
+
+corenet_udp_bind_generic_node(colord_t)
+corenet_udp_bind_ipp_port(colord_t)
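Review bot: `corecmd_exec_shell(colord_t)` is added directly under the existing comment `# reads *.ini files`, which does not explain why a colour-management daemon needs to execute a shell. Shell execution inside colord_t widens what the domain can do if the daemon is ever subverted, more so on systems where `colord_can_network_connect` is switched on. Please add a why-comment naming the helper that needs it, e.g. `# colord spawns <helper> through /bin/sh (see <bug reference>)`, or drop the rule if it only silences a denial that could be dontaudited. `kernel_read_net_sysctls(colord_t)` in the same hunk is read-only and raises no concern.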
@@ -24769,8 +24813,13 @@ index 0000000..2d54d11
+miscfiles_read_localization(colord_t)
+
+userdom_read_inherited_user_home_content_files(colord_t)
++fs_getattr_tmpfs(colord_t)
+userdom_rw_user_tmpfs_files(colord_t)
+
++tunable_policy(`colord_can_network_connect',`
++ corenet_tcp_connect_all_ports(colord_t)
++')
++
+tunable_policy(`use_nfs_home_dirs',`
+ fs_read_nfs_files(colord_t)
+')
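Review bot: The new tunable block grants `corenet_tcp_connect_all_ports(colord_t)`, so enabling `colord_can_network_connect` lets colord open TCP connections to any port rather than only to the services it actually talks to. If the intended peer is known, a port-specific interface such as `corenet_tcp_connect_ipp_port(colord_t)` would keep the boolean useful without giving a D-Bus-activated system daemon general outbound reach; the domain already binds the ipp port over UDP, which suggests printing, but that is an inference. The tunable's description should at least name the feature that needs it, so administrators can decide whether to turn it on. Defaulting the tunable to `false` is the right choice.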
@@ -25580,7 +25629,7 @@ index 35241ed..372d2c1 100644
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..319de67 100644
+index f7583ab..1ceda37 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -25947,7 +25996,18 @@ index f7583ab..319de67 100644
')
optional_policy(`
-@@ -480,7 +570,7 @@ optional_policy(`
+@@ -472,6 +562,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(system_cronjob_t)
++')
++
++optional_policy(`
+ postfix_read_config(system_cronjob_t)
+ ')
+
+@@ -480,7 +574,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -25956,7 +26016,7 @@ index f7583ab..319de67 100644
')
optional_policy(`
-@@ -495,6 +585,7 @@ optional_policy(`
+@@ -495,6 +589,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -25964,7 +26024,7 @@ index f7583ab..319de67 100644
')
optional_policy(`
-@@ -502,7 +593,13 @@ optional_policy(`
+@@ -502,7 +597,13 @@ optional_policy(`
')
optional_policy(`
@@ -25978,7 +26038,7 @@ index f7583ab..319de67 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +692,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +696,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -28320,10 +28380,10 @@ index 9bd812b..c808b31 100644
')
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
-index fdaeeba..06021d4 100644
+index fdaeeba..1859597 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
-@@ -48,11 +48,13 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
+@@ -48,11 +48,14 @@ files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t)
logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file)
@@ -28334,11 +28394,12 @@ index fdaeeba..06021d4 100644
kernel_read_kernel_sysctls(dnsmasq_t)
kernel_read_system_state(dnsmasq_t)
++kernel_read_network_state(dnsmasq_t)
+kernel_request_load_module(dnsmasq_t)
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
-@@ -88,6 +90,8 @@ logging_send_syslog_msg(dnsmasq_t)
+@@ -88,6 +91,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
@@ -28347,7 +28408,7 @@ index fdaeeba..06021d4 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +100,20 @@ optional_policy(`
+@@ -96,7 +101,20 @@ optional_policy(`
')
optional_policy(`
@@ -28368,17 +28429,17 @@ index fdaeeba..06021d4 100644
')
optional_policy(`
-@@ -114,4 +131,5 @@ optional_policy(`
+@@ -114,4 +132,5 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
virt_read_pid_files(dnsmasq_t)
+ virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc
-index bfc880b..9a1dcba 100644
+index bfc880b..9089c1a 100644
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
-@@ -25,7 +25,7 @@ ifdef(`distro_debian', `
+@@ -25,13 +25,14 @@ ifdef(`distro_debian', `
ifdef(`distro_redhat', `
/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
@@ -28387,6 +28448,13 @@ index bfc880b..9a1dcba 100644
/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
')
+ #
+ # /var
+ #
++/var/run/stats-mail gen_context(system_u:object_r:dovecot_var_run_t,s0)
+ /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+ /var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+
diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index e1d7dc5..673f185 100644
--- a/policy/modules/services/dovecot.if
@@ -28481,7 +28549,7 @@ index e1d7dc5..673f185 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
-index cbe14e4..b0a8e17 100644
+index cbe14e4..2e6b874 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -28526,7 +28594,7 @@ index cbe14e4..b0a8e17 100644
files_search_etc(dovecot_t)
can_exec(dovecot_t, dovecot_exec_t)
-@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
+@@ -94,10 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
@@ -28535,11 +28603,12 @@ index cbe14e4..b0a8e17 100644
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, file)
-+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file })
++manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
-@@ -110,6 +116,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
+@@ -110,6 +117,8 @@ corenet_tcp_sendrecv_all_ports(dovecot_t)
corenet_tcp_bind_generic_node(dovecot_t)
corenet_tcp_bind_mail_port(dovecot_t)
corenet_tcp_bind_pop_port(dovecot_t)
@@ -28548,7 +28617,7 @@ index cbe14e4..b0a8e17 100644
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
corenet_sendrecv_pop_server_packets(dovecot_t)
-@@ -159,6 +167,15 @@ optional_policy(`
+@@ -159,6 +168,15 @@ optional_policy(`
')
optional_policy(`
@@ -28564,7 +28633,7 @@ index cbe14e4..b0a8e17 100644
postgresql_stream_connect(dovecot_t)
')
-@@ -179,7 +196,7 @@ optional_policy(`
+@@ -179,7 +197,7 @@ optional_policy(`
# dovecot auth local policy
#
@@ -28573,7 +28642,7 @@ index cbe14e4..b0a8e17 100644
allow dovecot_auth_t self:process { signal_perms getcap setcap };
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
-@@ -189,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -189,6 +207,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -28583,7 +28652,7 @@ index cbe14e4..b0a8e17 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -200,6 +220,8 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -200,6 +221,8 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -28592,7 +28661,7 @@ index cbe14e4..b0a8e17 100644
logging_send_audit_msgs(dovecot_auth_t)
logging_send_syslog_msg(dovecot_auth_t)
-@@ -235,6 +257,8 @@ optional_policy(`
+@@ -235,6 +258,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -28601,7 +28670,7 @@ index cbe14e4..b0a8e17 100644
')
optional_policy(`
-@@ -242,6 +266,8 @@ optional_policy(`
+@@ -242,6 +267,8 @@ optional_policy(`
')
optional_policy(`
@@ -28610,7 +28679,7 @@ index cbe14e4..b0a8e17 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -249,23 +275,42 @@ optional_policy(`
+@@ -249,23 +276,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -28655,7 +28724,7 @@ index cbe14e4..b0a8e17 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -301,5 +346,15 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -301,5 +347,15 @@ tunable_policy(`use_samba_home_dirs',`
')
optional_policy(`
@@ -29534,7 +29603,7 @@ index 0000000..0e3e71d
+ policykit_dbus_chat(firewalld_t)
+')
diff --git a/policy/modules/services/fprintd.if b/policy/modules/services/fprintd.if
-index ebad8c4..c02062c 100644
+index ebad8c4..eeddf7b 100644
--- a/policy/modules/services/fprintd.if
+++ b/policy/modules/services/fprintd.if
@@ -5,9 +5,9 @@
@@ -29549,9 +29618,11 @@ index ebad8c4..c02062c 100644
##
#
interface(`fprintd_domtrans',`
-@@ -38,4 +38,3 @@ interface(`fprintd_dbus_chat',`
+@@ -37,5 +37,5 @@ interface(`fprintd_dbus_chat',`
+
allow $1 fprintd_t:dbus send_msg;
allow fprintd_t $1:dbus send_msg;
++ allow fprintd_t $1:file read;
')
-
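Review bot: The added `allow fprintd_t $1:file read;` sits inside `fprintd_dbus_chat`, so every domain permitted to exchange D-Bus messages with fprintd now also lets fprintd read files labelled with that caller's own type, presumably the caller's /proc entries. That is a wider grant than the interface name suggests, and `read` without `open` or `getattr` may not be enough for whatever fprintd is trying to inspect. Please document the reason above the rule, e.g. `# fprintd inspects the caller's process state (TODO confirm which /proc file)`, or move it into a separate interface so callers opt in explicitly. The interface header and its summary lie outside this hunk.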
diff --git a/policy/modules/services/fprintd.te b/policy/modules/services/fprintd.te
@@ -30658,10 +30729,10 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..4417f4e 100644
+index 4fde46b..a1f7269 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -9,24 +9,31 @@ type gnomeclock_t;
+@@ -9,24 +9,33 @@ type gnomeclock_t;
type gnomeclock_exec_t;
dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
@@ -30688,15 +30759,16 @@ index 4fde46b..4417f4e 100644
+files_read_etc_runtime_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
--auth_use_nsswitch(gnomeclock_t)
+fs_getattr_xattr_fs(gnomeclock_t)
++
+ auth_use_nsswitch(gnomeclock_t)
-clock_domtrans(gnomeclock_t)
-+auth_use_nsswitch(gnomeclock_t)
++logging_send_syslog_msg(gnomeclock_t)
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +42,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +44,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -38919,10 +38991,10 @@ index 55e62d2..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..c22af86 100644
+index 46bee12..f4b60ab 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
-@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
+@@ -34,11 +34,13 @@ template(`postfix_domain_template',`
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
@@ -38933,7 +39005,11 @@ index 46bee12..c22af86 100644
allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_$1_t self:unix_stream_socket connectto;
-@@ -50,7 +51,7 @@ template(`postfix_domain_template',`
++ allow postfix_$1_t self:fifo_file rw_fifo_file_perms;
+
+ allow postfix_master_t postfix_$1_t:process signal;
+ #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+@@ -50,7 +52,7 @@ template(`postfix_domain_template',`
can_exec(postfix_$1_t, postfix_$1_exec_t)
@@ -38942,7 +39018,7 @@ index 46bee12..c22af86 100644
allow postfix_$1_t postfix_master_t:process sigchld;
-@@ -77,6 +78,7 @@ template(`postfix_domain_template',`
+@@ -77,6 +79,7 @@ template(`postfix_domain_template',`
files_read_etc_files(postfix_$1_t)
files_read_etc_runtime_files(postfix_$1_t)
@@ -38950,7 +39026,7 @@ index 46bee12..c22af86 100644
files_read_usr_symlinks(postfix_$1_t)
files_search_spool(postfix_$1_t)
files_getattr_tmp_dirs(postfix_$1_t)
-@@ -115,7 +117,7 @@ template(`postfix_server_domain_template',`
+@@ -115,7 +118,7 @@ template(`postfix_server_domain_template',`
type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
@@ -38959,7 +39035,7 @@ index 46bee12..c22af86 100644
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
-@@ -165,6 +167,8 @@ template(`postfix_user_domain_template',`
+@@ -165,6 +168,8 @@ template(`postfix_user_domain_template',`
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
@@ -38968,7 +39044,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -272,7 +276,8 @@ interface(`postfix_read_local_state',`
+@@ -272,7 +277,8 @@ interface(`postfix_read_local_state',`
type postfix_local_t;
')
@@ -38978,7 +39054,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -290,7 +295,27 @@ interface(`postfix_read_master_state',`
+@@ -290,7 +296,27 @@ interface(`postfix_read_master_state',`
type postfix_master_t;
')
@@ -39007,7 +39083,7 @@ index 46bee12..c22af86 100644
')
########################################
-@@ -376,6 +401,25 @@ interface(`postfix_domtrans_master',`
+@@ -376,6 +402,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@@ -39033,7 +39109,7 @@ index 46bee12..c22af86 100644
########################################
##