@@ -41326,7 +42055,7 @@ index 3c5dba7..e27d755 100644
+ userdom_user_home_dir_filetrans($1, home_cert_t, dir, "certificates")
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..77626dd 100644
+index e2b538b..211263f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -41414,7 +42143,7 @@ index e2b538b..77626dd 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +82,222 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -41482,6 +42211,10 @@ index e2b538b..77626dd 100644
+')
+
+optional_policy(`
++ gssproxy_stream_connect(userdomain)
++')
++
++optional_policy(`
+ gnome_filetrans_home_content(userdomain)
+')
+
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 17919d9..f091d89 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..94697ea 100644
+index e4f84de..4e4cbd4 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,38 @@
+@@ -1,30 +1,40 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -15,11 +15,13 @@ index e4f84de..94697ea 100644
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@@ -516,7 +518,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..563c773 100644
+index cc43d25..5e60ff3 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -525,7 +527,7 @@ index cc43d25..563c773 100644
########################################
#
-@@ -6,105 +6,115 @@ policy_module(abrt, 1.3.4)
+@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4)
#
##
@@ -585,6 +587,7 @@ index cc43d25..563c773 100644
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
++userdom_user_tmp_content(abrt_var_cache_t)
+# pid files
type abrt_var_run_t;
@@ -664,7 +667,8 @@ index cc43d25..563c773 100644
+# abrt local policy
#
- allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
+-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_ptrace };
dontaudit abrt_t self:capability sys_rawio;
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
@@ -684,7 +688,7 @@ index cc43d25..563c773 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -112,23 +122,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -713,7 +717,7 @@ index cc43d25..563c773 100644
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -732,7 +736,7 @@ index cc43d25..563c773 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +173,36 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -745,6 +749,7 @@ index cc43d25..563c773 100644
files_dontaudit_read_all_symlinks(abrt_t)
files_dontaudit_getattr_all_sockets(abrt_t)
files_list_mnt(abrt_t)
++fs_list_all(abrt_t)
+fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
@@ -772,7 +777,7 @@ index cc43d25..563c773 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -789,7 +794,7 @@ index cc43d25..563c773 100644
')
optional_policy(`
-@@ -209,6 +222,12 @@ optional_policy(`
+@@ -209,6 +224,12 @@ optional_policy(`
')
optional_policy(`
@@ -802,7 +807,7 @@ index cc43d25..563c773 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +239,7 @@ optional_policy(`
+@@ -220,6 +241,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -810,7 +815,7 @@ index cc43d25..563c773 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +250,7 @@ optional_policy(`
+@@ -230,6 +252,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -818,7 +823,7 @@ index cc43d25..563c773 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +261,17 @@ optional_policy(`
+@@ -240,9 +263,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -837,7 +842,7 @@ index cc43d25..563c773 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +284,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -852,7 +857,7 @@ index cc43d25..563c773 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +303,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -860,7 +865,7 @@ index cc43d25..563c773 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +312,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -881,7 +886,7 @@ index cc43d25..563c773 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +333,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -908,7 +913,7 @@ index cc43d25..563c773 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +369,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -922,7 +927,7 @@ index cc43d25..563c773 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +385,11 @@ optional_policy(`
+@@ -330,10 +387,11 @@ optional_policy(`
#######################################
#
@@ -936,7 +941,7 @@ index cc43d25..563c773 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +408,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -978,8 +983,10 @@ index cc43d25..563c773 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +448,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+ domain_use_interactive_fds(abrt_dump_oops_t)
+
fs_list_inotifyfs(abrt_dump_oops_t)
++fs_list_pstorefs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
+logging_send_syslog_msg(abrt_dump_oops_t)
@@ -996,7 +1003,7 @@ index cc43d25..563c773 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +465,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1877,10 +1884,23 @@ index cda6d20..fbe259e 100644
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.te b/amanda.te
-index ed45974..b09436e 100644
+index ed45974..46e2c0d 100644
--- a/amanda.te
+++ b/amanda.te
-@@ -60,7 +60,7 @@ optional_policy(`
+@@ -9,11 +9,10 @@ attribute_role amanda_recover_roles;
+ roleattribute system_r amanda_recover_roles;
+
+ type amanda_t;
++type amanda_exec_t;
+ type amanda_inetd_exec_t;
+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
+
+-type amanda_exec_t;
+-domain_entry_file(amanda_t, amanda_exec_t)
+
+ type amanda_log_t;
+ logging_log_file(amanda_log_t)
+@@ -60,7 +59,7 @@ optional_policy(`
#
allow amanda_t self:capability { chown dac_override setuid kill };
@@ -1889,7 +1909,7 @@ index ed45974..b09436e 100644
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
allow amanda_t self:tcp_socket { accept listen };
-@@ -71,6 +71,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
+@@ -71,6 +70,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
@@ -1897,7 +1917,7 @@ index ed45974..b09436e 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,7 +101,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -100,7 +100,6 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
@@ -1905,7 +1925,7 @@ index ed45974..b09436e 100644
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
-@@ -170,7 +170,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +169,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -1913,7 +1933,7 @@ index ed45974..b09436e 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +194,12 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +193,12 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -2507,10 +2527,10 @@ index 0000000..df5b3be
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 0000000..b334e9a
+index 0000000..1a35e88
--- /dev/null
+++ b/antivirus.te
-@@ -0,0 +1,245 @@
+@@ -0,0 +1,248 @@
+policy_module(antivirus, 1.0.0)
+
+########################################
@@ -2683,8 +2703,11 @@ index 0000000..b334e9a
+
+tunable_policy(`antivirus_can_scan_system',`
+ files_read_non_security_files(antivirus_domain)
++ files_dontaudit_read_all_non_security_files(antivirus_domain)
+ files_getattr_all_pipes(antivirus_domain)
+ files_getattr_all_sockets(antivirus_domain)
++ dev_getattr_all_blk_files(antivirus_domain)
++ dev_getattr_all_chr_files(antivirus_domain)
+')
+
+tunable_policy(`antivirus_use_jit',`
@@ -4452,7 +4475,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..cb872c5 100644
+index 1a82e29..3a12c26 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,360 @@
@@ -4633,18 +4656,12 @@ index 1a82e29..cb872c5 100644
-##
-## Determine whether httpd can send mail.
-##
-+##
-+## Allow http daemon to check spam
-+##
-+##
-+gen_tunable(httpd_can_check_spam, false)
-+
-+##
-+##
-+## Allow http daemon to send mail
-+##
++##
++## Allow http daemon to connect to mythtv
++##
##
- gen_tunable(httpd_can_sendmail, false)
+-gen_tunable(httpd_can_sendmail, false)
++gen_tunable(httpd_can_connect_mythtv, false)
##
-##
@@ -4652,20 +4669,22 @@ index 1a82e29..cb872c5 100644
-## with avahi service via dbus.
-##
+##
-+## Allow Apache to communicate with avahi service via dbus
++## Allow http daemon to check spam
+##
##
- gen_tunable(httpd_dbus_avahi, false)
+-gen_tunable(httpd_dbus_avahi, false)
++gen_tunable(httpd_can_check_spam, false)
##
-##
-## Determine wether httpd can use support.
-##
+##
-+## Allow httpd cgi support
++## Allow http daemon to send mail
+##
##
- gen_tunable(httpd_enable_cgi, false)
+-gen_tunable(httpd_enable_cgi, false)
++gen_tunable(httpd_can_sendmail, false)
##
-##
@@ -4673,11 +4692,11 @@ index 1a82e29..cb872c5 100644
-## FTP server by listening on the ftp port.
-##
+##
-+## Allow httpd to act as a FTP server by
-+## listening on the ftp port.
++## Allow Apache to communicate with avahi service via dbus
+##
##
- gen_tunable(httpd_enable_ftp_server, false)
+-gen_tunable(httpd_enable_ftp_server, false)
++gen_tunable(httpd_dbus_avahi, false)
##
-##
@@ -4685,12 +4704,11 @@ index 1a82e29..cb872c5 100644
-## user home directories.
-##
+##
-+## Allow httpd to act as a FTP client
-+## connecting to the ftp port and ephemeral ports
++## Allow httpd cgi support
+##
##
-gen_tunable(httpd_enable_homedirs, false)
-+gen_tunable(httpd_can_connect_ftp, false)
++gen_tunable(httpd_enable_cgi, false)
##
-##
@@ -4699,12 +4717,13 @@ index 1a82e29..cb872c5 100644
-## transfer services. Directories/Files must
-## be labeled public_content_rw_t.
-##
-+##
-+## Allow httpd to connect to the ldap port
-+##
++##
++## Allow httpd to act as a FTP server by
++## listening on the ftp port.
++##
##
-gen_tunable(httpd_gpg_anon_write, false)
-+gen_tunable(httpd_can_connect_ldap, false)
++gen_tunable(httpd_enable_ftp_server, false)
##
-##
@@ -4712,23 +4731,24 @@ index 1a82e29..cb872c5 100644
-## its temporary content.
-##
+##
-+## Allow httpd to read home directories
++## Allow httpd to act as a FTP client
++## connecting to the ftp port and ephemeral ports
+##
##
-gen_tunable(httpd_tmp_exec, false)
-+gen_tunable(httpd_enable_homedirs, false)
++gen_tunable(httpd_can_connect_ftp, false)
##
-##
-## Determine whether httpd scripts and
-## modules can use execmem and execstack.
-##
-+##
-+## Allow httpd to read user content
-+##
++##
++## Allow httpd to connect to the ldap port
++##
##
-gen_tunable(httpd_execmem, false)
-+gen_tunable(httpd_read_user_content, false)
++gen_tunable(httpd_can_connect_ldap, false)
##
-##
@@ -4736,11 +4756,11 @@ index 1a82e29..cb872c5 100644
-## to port 80 for graceful shutdown.
-##
+##
-+## Allow Apache to run in stickshift mode, not transition to passenger
++## Allow httpd to read home directories
+##
##
-gen_tunable(httpd_graceful_shutdown, false)
-+gen_tunable(httpd_run_stickshift, false)
++gen_tunable(httpd_enable_homedirs, false)
##
-##
@@ -4748,22 +4768,22 @@ index 1a82e29..cb872c5 100644
-## manage IPA content files.
-##
+##
-+## Allow Apache to query NS records
++## Allow httpd to read user content
+##
##
-gen_tunable(httpd_manage_ipa, false)
-+gen_tunable(httpd_verify_dns, false)
++gen_tunable(httpd_read_user_content, false)
##
-##
-## Determine whether httpd can use mod_auth_ntlm_winbind.
-##
+##
-+## Allow httpd daemon to change its resource limits
++## Allow Apache to run in stickshift mode, not transition to passenger
+##
##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
-+gen_tunable(httpd_setrlimit, false)
++gen_tunable(httpd_run_stickshift, false)
##
-##
@@ -4771,11 +4791,11 @@ index 1a82e29..cb872c5 100644
-## generic user home content files.
-##
+##
-+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++## Allow Apache to query NS records
+##
##
-gen_tunable(httpd_read_user_content, false)
-+gen_tunable(httpd_ssi_exec, false)
++gen_tunable(httpd_verify_dns, false)
##
-##
@@ -4783,11 +4803,10 @@ index 1a82e29..cb872c5 100644
-## its resource limits.
-##
+##
-+## Allow Apache to execute tmp content.
++## Allow httpd daemon to change its resource limits
+##
##
--gen_tunable(httpd_setrlimit, false)
-+gen_tunable(httpd_tmp_exec, false)
+ gen_tunable(httpd_setrlimit, false)
##
-##
@@ -4796,13 +4815,10 @@ index 1a82e29..cb872c5 100644
-## as system CGI scripts.
-##
+##
-+## Unify HTTPD to communicate with the terminal.
-+## Needed for entering the passphrase for certificates at
-+## the terminal.
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
+##
##
--gen_tunable(httpd_ssi_exec, false)
-+gen_tunable(httpd_tty_comm, false)
+ gen_tunable(httpd_ssi_exec, false)
##
-##
@@ -4811,11 +4827,19 @@ index 1a82e29..cb872c5 100644
-## passphrase for certificates at the terminal.
-##
+##
-+## Unify HTTPD handling of all content files.
++## Allow Apache to execute tmp content.
++##
++##
++gen_tunable(httpd_tmp_exec, false)
++
++##
++##
++## Unify HTTPD to communicate with the terminal.
++## Needed for entering the passphrase for certificates at
++## the terminal.
+##
##
--gen_tunable(httpd_tty_comm, false)
-+gen_tunable(httpd_unified, false)
+ gen_tunable(httpd_tty_comm, false)
##
-##
@@ -4823,11 +4847,10 @@ index 1a82e29..cb872c5 100644
-## to its content types.
-##
+##
-+## Allow httpd to access openstack ports
++## Unify HTTPD handling of all content files.
+##
##
--gen_tunable(httpd_unified, false)
-+gen_tunable(httpd_use_openstack, false)
+ gen_tunable(httpd_unified, false)
##
-##
@@ -4835,6 +4858,13 @@ index 1a82e29..cb872c5 100644
-## cifs file systems.
-##
+##
++## Allow httpd to access openstack ports
++##
++##
++gen_tunable(httpd_use_openstack, false)
++
++##
++##
+## Allow httpd to access cifs file systems
+##
##
@@ -4877,13 +4907,6 @@ index 1a82e29..cb872c5 100644
+##
+gen_tunable(httpd_sys_script_anon_write, false)
+
-+##
-+##
-+## Allow httpd to communicate with oddjob to start up a service
-+##
-+##
-+gen_tunable(httpd_use_oddjob, false)
-+
attribute httpdcontent;
-attribute httpd_htaccess_type;
+attribute httpd_user_content_type;
@@ -5361,7 +5384,7 @@ index 1a82e29..cb872c5 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +710,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +710,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5395,6 +5418,10 @@ index 1a82e29..cb872c5 100644
+ corenet_tcp_connect_ldap_port(httpd_t)
+')
+
++tunable_policy(`httpd_can_connect_mythtv',`
++ corenet_tcp_connect_mythtv_port(httpd_t)
++')
++
+tunable_policy(`httpd_can_connect_zabbix',`
+ corenet_tcp_connect_zabbix_port(httpd_t)
')
@@ -5417,7 +5444,7 @@ index 1a82e29..cb872c5 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +758,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +762,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5463,18 +5490,18 @@ index 1a82e29..cb872c5 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
+-')
+-
+-optional_policy(`
+- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
+- spamassassin_domtrans_client(httpd_t)
+- ')
+tunable_policy(`httpd_use_cifs',`
+ fs_manage_cifs_dirs(httpd_t)
+ fs_manage_cifs_files(httpd_t)
+ fs_manage_cifs_symlinks(httpd_t)
')
--optional_policy(`
-- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
-- spamassassin_domtrans_client(httpd_t)
-- ')
--')
--
-tunable_policy(`httpd_graceful_shutdown',`
- corenet_sendrecv_http_client_packets(httpd_t)
- corenet_tcp_connect_http_port(httpd_t)
@@ -5502,7 +5529,7 @@ index 1a82e29..cb872c5 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +799,38 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +803,42 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5523,10 +5550,8 @@ index 1a82e29..cb872c5 100644
- userdom_use_user_terminals(httpd_t)
-',`
- userdom_dontaudit_use_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_t)
-+ userdom_use_inherited_user_terminals(httpd_suexec_t)
- ')
-
+-')
+-
-tunable_policy(`httpd_use_cifs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_cifs_dirs(httpd_t)
@@ -5536,33 +5561,38 @@ index 1a82e29..cb872c5 100644
-
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
--')
--
++ userdom_use_inherited_user_terminals(httpd_t)
++ userdom_use_inherited_user_terminals(httpd_suexec_t)
+ ')
+
-tunable_policy(`httpd_use_fusefs',`
- fs_list_auto_mountpoints(httpd_t)
- fs_manage_fusefs_dirs(httpd_t)
- fs_manage_fusefs_files(httpd_t)
- fs_read_fusefs_symlinks(httpd_t)
-')
--
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_t)
--')
+optional_policy(`
+ cobbler_list_config(httpd_t)
+ cobbler_read_config(httpd_t)
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_t)
-- fs_manage_nfs_dirs(httpd_t)
-- fs_manage_nfs_files(httpd_t)
-- fs_manage_nfs_symlinks(httpd_t)
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_t)
+-')
+ tunable_policy(`httpd_serve_cobbler_files',`
+ cobbler_manage_lib_files(httpd_t)
+',`
+ cobbler_read_lib_files(httpd_t)
+ cobbler_search_lib(httpd_t)
+ ')
+
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_t)
+- fs_manage_nfs_dirs(httpd_t)
+- fs_manage_nfs_files(httpd_t)
+- fs_manage_nfs_symlinks(httpd_t)
++ tunable_policy(`httpd_can_network_connect_cobbler',`
++ corenet_tcp_connect_cobbler_port(httpd_t)
++ ')
')
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
@@ -5576,7 +5606,7 @@ index 1a82e29..cb872c5 100644
')
optional_policy(`
-@@ -743,14 +841,6 @@ optional_policy(`
+@@ -743,14 +849,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5591,7 +5621,7 @@ index 1a82e29..cb872c5 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +855,23 @@ optional_policy(`
+@@ -765,6 +863,23 @@ optional_policy(`
')
optional_policy(`
@@ -5615,7 +5645,7 @@ index 1a82e29..cb872c5 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +888,42 @@ optional_policy(`
+@@ -781,34 +896,42 @@ optional_policy(`
')
optional_policy(`
@@ -5669,7 +5699,7 @@ index 1a82e29..cb872c5 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +931,18 @@ optional_policy(`
+@@ -816,8 +939,18 @@ optional_policy(`
')
optional_policy(`
@@ -5688,7 +5718,7 @@ index 1a82e29..cb872c5 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +951,7 @@ optional_policy(`
+@@ -826,6 +959,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5696,7 +5726,7 @@ index 1a82e29..cb872c5 100644
')
optional_policy(`
-@@ -836,20 +962,38 @@ optional_policy(`
+@@ -836,20 +970,38 @@ optional_policy(`
')
optional_policy(`
@@ -5741,7 +5771,7 @@ index 1a82e29..cb872c5 100644
')
optional_policy(`
-@@ -857,6 +1001,16 @@ optional_policy(`
+@@ -857,6 +1009,16 @@ optional_policy(`
')
optional_policy(`
@@ -5758,7 +5788,7 @@ index 1a82e29..cb872c5 100644
seutil_sigchld_newrole(httpd_t)
')
-@@ -865,6 +1019,7 @@ optional_policy(`
+@@ -865,6 +1027,7 @@ optional_policy(`
')
optional_policy(`
@@ -5766,7 +5796,7 @@ index 1a82e29..cb872c5 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -877,65 +1032,166 @@ optional_policy(`
+@@ -877,65 +1040,166 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5955,7 +5985,7 @@ index 1a82e29..cb872c5 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1200,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1208,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6110,7 +6140,7 @@ index 1a82e29..cb872c5 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1284,104 @@ optional_policy(`
+@@ -1077,172 +1292,104 @@ optional_policy(`
')
')
@@ -6130,10 +6160,10 @@ index 1a82e29..cb872c5 100644
-allow httpd_script_domains self:fifo_file rw_file_perms;
-allow httpd_script_domains self:unix_stream_socket connectto;
+-
+-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
+allow httpd_sys_script_t self:process getsched;
--allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-
@@ -6291,7 +6321,8 @@ index 1a82e29..cb872c5 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@@ -6307,8 +6338,7 @@ index 1a82e29..cb872c5 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6346,7 +6376,7 @@ index 1a82e29..cb872c5 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1389,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1397,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6369,10 +6399,6 @@ index 1a82e29..cb872c5 100644
fs_manage_fusefs_dirs(httpd_sys_script_t)
fs_manage_fusefs_files(httpd_sys_script_t)
- fs_read_fusefs_symlinks(httpd_sys_script_t)
--')
--
--tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
-- fs_exec_fusefs_files(httpd_sys_script_t)
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
+ fs_manage_fusefs_dirs(httpd_suexec_t)
+ fs_manage_fusefs_files(httpd_suexec_t)
@@ -6380,25 +6406,26 @@ index 1a82e29..cb872c5 100644
+ fs_exec_fusefs_files(httpd_suexec_t)
')
--tunable_policy(`httpd_use_nfs',`
-- fs_list_auto_mountpoints(httpd_sys_script_t)
-- fs_manage_nfs_dirs(httpd_sys_script_t)
-- fs_manage_nfs_files(httpd_sys_script_t)
-- fs_manage_nfs_symlinks(httpd_sys_script_t)
+-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
+- fs_exec_fusefs_files(httpd_sys_script_t)
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+ fs_read_cifs_files(httpd_sys_script_t)
+ fs_read_cifs_symlinks(httpd_sys_script_t)
')
--tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
-- fs_exec_nfs_files(httpd_sys_script_t)
+-tunable_policy(`httpd_use_nfs',`
+- fs_list_auto_mountpoints(httpd_sys_script_t)
+- fs_manage_nfs_dirs(httpd_sys_script_t)
+- fs_manage_nfs_files(httpd_sys_script_t)
+- fs_manage_nfs_symlinks(httpd_sys_script_t)
+optional_policy(`
+ clamav_domtrans_clamscan(httpd_sys_script_t)
+ clamav_domtrans_clamscan(httpd_t)
')
- optional_policy(`
-- clamav_domtrans_clamscan(httpd_sys_script_t)
+-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
+- fs_exec_nfs_files(httpd_sys_script_t)
++optional_policy(`
+ mysql_stream_connect(httpd_sys_script_t)
+ mysql_rw_db_sockets(httpd_sys_script_t)
+ mysql_read_config(httpd_sys_script_t)
@@ -6409,14 +6436,20 @@ index 1a82e29..cb872c5 100644
')
optional_policy(`
+- clamav_domtrans_clamscan(httpd_sys_script_t)
+ postgresql_stream_connect(httpd_sys_script_t)
- postgresql_unpriv_client(httpd_sys_script_t)
++ postgresql_unpriv_client(httpd_sys_script_t)
+
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_sys_script_t)
+ ')
')
+ optional_policy(`
+- postgresql_unpriv_client(httpd_sys_script_t)
++ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
+ ')
+
########################################
#
-# Rotatelogs local policy
@@ -6440,7 +6473,7 @@ index 1a82e29..cb872c5 100644
########################################
#
-@@ -1315,8 +1460,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1472,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6457,7 +6490,7 @@ index 1a82e29..cb872c5 100644
')
########################################
-@@ -1324,49 +1476,36 @@ optional_policy(`
+@@ -1324,49 +1488,36 @@ optional_policy(`
# User content local policy
#
@@ -6521,7 +6554,7 @@ index 1a82e29..cb872c5 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1515,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1527,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -10356,10 +10389,10 @@ index 0000000..5977d96
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..41d3959
+index 0000000..f4a8884
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,237 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -10393,6 +10426,7 @@ index 0000000..41d3959
+#
+# chrome_sandbox local policy
+#
++allow chrome_sandbox_t self:capability2 block_suspend;
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
@@ -10429,20 +10463,35 @@ index 0000000..41d3959
+corecmd_exec_bin(chrome_sandbox_t)
+
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
++corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
++corenet_tcp_connect_aol_port(chrome_sandbox_t)
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
++corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
++corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
-+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
-+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
-+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
-+corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_ftp_port(chrome_sandbox_t)
++corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
++corenet_tcp_connect_generic_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
++corenet_tcp_connect_http_port(chrome_sandbox_t)
++corenet_tcp_connect_ipp_port(chrome_sandbox_t)
++corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
++corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
++corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
++corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
++corenet_tcp_connect_monopd_port(chrome_sandbox_t)
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
++corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
++corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
++corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
++corenet_tcp_connect_soundd_port(chrome_sandbox_t)
++corenet_tcp_connect_speech_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
++corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
++corenet_tcp_connect_vnc_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
-+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
-+corenet_tcp_connect_speech_port(chrome_sandbox_t)
+
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
+
@@ -10551,6 +10600,7 @@ index 0000000..41d3959
+
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
++ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
+
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
@@ -10763,7 +10813,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..bd3362e 100644
+index 914ee2d..6567c77 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -10776,16 +10826,34 @@ index 914ee2d..bd3362e 100644
type chronyd_var_lib_t;
files_type(chronyd_var_lib_t)
-@@ -35,6 +38,8 @@ files_pid_file(chronyd_var_run_t)
- allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
+@@ -32,11 +35,16 @@ files_pid_file(chronyd_var_run_t)
+ # Local policy
+ #
+
+-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
++allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_resource sys_time };
allow chronyd_t self:process { getcap setcap setrlimit signal };
allow chronyd_t self:shm create_shm_perms;
+allow chronyd_t self:udp_socket create_socket_perms;
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
allow chronyd_t self:fifo_file rw_fifo_file_perms;
++
++allow chronyd_t chronyd_keys_t:file append_file_perms;
++allow chronyd_t chronyd_keys_t:file setattr_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
-@@ -82,12 +87,8 @@ auth_use_nsswitch(chronyd_t)
+
+ manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
+@@ -76,18 +84,17 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
+ corenet_udp_bind_chronyd_port(chronyd_t)
+ corenet_udp_sendrecv_chronyd_port(chronyd_t)
+
++dev_read_rand(chronyd_t)
++dev_read_urand(chronyd_t)
++
+ dev_rw_realtime_clock(chronyd_t)
+
+ auth_use_nsswitch(chronyd_t)
logging_send_syslog_msg(chronyd_t)
@@ -11601,16 +11669,26 @@ index cc4e7cb..f348d27 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
-index d8e9958..0046a69 100644
+index d8e9958..d2303a4 100644
--- a/cmirrord.te
+++ b/cmirrord.te
-@@ -42,16 +42,12 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
+@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
+ # Local policy
+ #
+
+-allow cmirrord_t self:capability { net_admin kill };
++allow cmirrord_t self:capability { sys_admin net_admin kill };
+ dontaudit cmirrord_t self:capability sys_tty_config;
+ allow cmirrord_t self:process { setfscreate signal };
+ allow cmirrord_t self:fifo_file rw_fifo_file_perms;
+@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
domain_use_interactive_fds(cmirrord_t)
domain_obj_id_change_exemption(cmirrord_t)
-files_read_etc_files(cmirrord_t)
-
storage_create_fixed_disk_dev(cmirrord_t)
++storage_rw_inherited_fixed_disk_dev(cmirrord_t)
seutil_read_file_contexts(cmirrord_t)
@@ -11621,6 +11699,10 @@ index d8e9958..0046a69 100644
optional_policy(`
corosync_stream_connect(cmirrord_t)
')
++
++optional_policy(`
++ rhcs_rw_cluster_tmpfs(cmirrord_t)
++')
diff --git a/cobbler.fc b/cobbler.fc
index 973d208..2b650a7 100644
--- a/cobbler.fc
@@ -11634,7 +11716,7 @@ index 973d208..2b650a7 100644
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
diff --git a/cobbler.if b/cobbler.if
-index c223f81..83d5104 100644
+index c223f81..3bcdf6a 100644
--- a/cobbler.if
+++ b/cobbler.if
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
@@ -11666,15 +11748,24 @@ index c223f81..83d5104 100644
########################################
##
## Read cobbler configuration files.
-@@ -132,6 +154,7 @@ interface(`cobbler_manage_lib_files',`
+@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
+
+ files_search_var_lib($1)
+ read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ ')
+
+ ########################################
+@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
files_search_var_lib($1)
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
++ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
')
########################################
-@@ -199,7 +222,4 @@ interface(`cobbler_admin',`
+@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
logging_search_logs($1)
admin_pattern($1, cobbler_var_log_t)
@@ -12082,7 +12173,7 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 09f18e2..f0cade4 100644
+index 09f18e2..9d70983 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -12133,8 +12224,9 @@ index 09f18e2..f0cade4 100644
files_list_mnt(colord_t)
-files_read_usr_files(colord_t)
- fs_getattr_noxattr_fs(colord_t)
+-fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
++fs_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
@@ -16055,10 +16147,10 @@ index 6ce66e7..1d0337a 100644
optional_policy(`
diff --git a/cups.fc b/cups.fc
-index 949011e..0332f88 100644
+index 949011e..afe482b 100644
--- a/cups.fc
+++ b/cups.fc
-@@ -1,77 +1,86 @@
+@@ -1,77 +1,87 @@
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
@@ -16131,6 +16223,7 @@ index 949011e..0332f88 100644
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
++/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -16343,7 +16436,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..52c170f 100644
+index 9f34c2e..c7268a7 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16431,7 +16524,7 @@ index 9f34c2e..52c170f 100644
type ptal_t;
type ptal_exec_t;
-@@ -97,21 +94,48 @@ ifdef(`enable_mls',`
+@@ -97,21 +94,49 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
')
@@ -16444,6 +16537,7 @@ index 9f34c2e..52c170f 100644
+allow cups_domain self:process { getsched setsched signal_perms };
+allow cups_domain self:fifo_file rw_fifo_file_perms;
+allow cups_domain self:tcp_socket { accept listen };
++allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(cups_domain)
+kernel_read_network_state(cups_domain)
@@ -16484,7 +16578,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_t self:appletalk_socket create_socket_perms;
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
-@@ -120,6 +144,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
+@@ -120,6 +145,7 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
@@ -16492,7 +16586,7 @@ index 9f34c2e..52c170f 100644
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
-@@ -139,22 +164,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -139,22 +165,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
@@ -16520,7 +16614,7 @@ index 9f34c2e..52c170f 100644
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +188,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -162,11 +189,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
@@ -16532,7 +16626,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +213,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -189,12 +214,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -16557,7 +16651,7 @@ index 9f34c2e..52c170f 100644
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
-@@ -206,7 +238,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -206,7 +239,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
@@ -16565,7 +16659,7 @@ index 9f34c2e..52c170f 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +247,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -16585,7 +16679,7 @@ index 9f34c2e..52c170f 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +268,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@@ -16594,7 +16688,7 @@ index 9f34c2e..52c170f 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +282,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -16620,7 +16714,7 @@ index 9f34c2e..52c170f 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +308,8 @@ optional_policy(`
+@@ -275,6 +309,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -16629,7 +16723,7 @@ index 9f34c2e..52c170f 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +320,10 @@ optional_policy(`
+@@ -285,8 +321,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -16640,7 +16734,7 @@ index 9f34c2e..52c170f 100644
')
')
-@@ -299,8 +336,8 @@ optional_policy(`
+@@ -299,8 +337,8 @@ optional_policy(`
')
optional_policy(`
@@ -16650,7 +16744,7 @@ index 9f34c2e..52c170f 100644
')
optional_policy(`
-@@ -309,7 +346,6 @@ optional_policy(`
+@@ -309,7 +347,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -16658,16 +16752,20 @@ index 9f34c2e..52c170f 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +373,7 @@ optional_policy(`
+@@ -337,7 +374,11 @@ optional_policy(`
')
optional_policy(`
- virt_rw_all_image_chr_files(cupsd_t)
+ virt_rw_chr_files(cupsd_t)
++')
++
++optional_policy(`
++ vmware_read_system_config(cupsd_t)
')
########################################
-@@ -345,12 +381,11 @@ optional_policy(`
+@@ -345,12 +386,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -16683,7 +16781,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +410,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +415,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -16704,7 +16802,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +428,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +433,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -16725,7 +16823,7 @@ index 9f34c2e..52c170f 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +445,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +450,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -16737,7 +16835,7 @@ index 9f34c2e..52c170f 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +472,12 @@ optional_policy(`
+@@ -452,9 +477,12 @@ optional_policy(`
')
optional_policy(`
@@ -16751,7 +16849,7 @@ index 9f34c2e..52c170f 100644
')
optional_policy(`
-@@ -490,10 +513,6 @@ optional_policy(`
+@@ -490,10 +518,6 @@ optional_policy(`
# Lpd local policy
#
@@ -16762,7 +16860,7 @@ index 9f34c2e..52c170f 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +530,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +535,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -16795,7 +16893,7 @@ index 9f34c2e..52c170f 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +556,6 @@ optional_policy(`
+@@ -546,7 +561,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16803,7 +16901,7 @@ index 9f34c2e..52c170f 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +571,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,148 +576,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -16955,7 +17053,7 @@ index 9f34c2e..52c170f 100644
########################################
#
-@@ -731,7 +615,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +620,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16963,7 +17061,7 @@ index 9f34c2e..52c170f 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +624,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +629,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -16977,7 +17075,7 @@ index 9f34c2e..52c170f 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +636,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +641,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -16986,6 +17084,11 @@ index 9f34c2e..52c170f 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
+@@ -769,3 +653,4 @@ optional_policy(`
+ optional_policy(`
+ udev_read_db(ptal_t)
+ ')
++
diff --git a/cvs.if b/cvs.if
index 9fa7ffb..fd3262c 100644
--- a/cvs.if
@@ -17158,7 +17261,7 @@ index 6508280..a2860e3 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
-index 395f97c..e157463 100644
+index 395f97c..bf8db3c 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -17216,14 +17319,17 @@ index 395f97c..e157463 100644
kerberos_keytab_template(cyrus, cyrus_t)
')
-@@ -128,6 +131,7 @@ optional_policy(`
+@@ -128,8 +131,8 @@ optional_policy(`
')
optional_policy(`
+- snmp_read_snmp_var_lib_files(cyrus_t)
+- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ files_dontaudit_write_usr_dirs(cyrus_t)
- snmp_read_snmp_var_lib_files(cyrus_t)
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
++ snmp_manage_var_lib_files(cyrus_t)
snmp_stream_connect(cyrus_t)
+ ')
+
diff --git a/daemontools.if b/daemontools.if
index 3b3d9a0..6c8106a 100644
--- a/daemontools.if
@@ -19064,7 +19170,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..fc9d3f4 100644
+index ff933af..101bc81 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -19104,7 +19210,7 @@ index ff933af..fc9d3f4 100644
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
@@ -20570,7 +20676,7 @@ index 19aa0b8..b303b37 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..07bcb8e 100644
+index ba14bcf..869bba7 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -20594,16 +20700,19 @@ index ba14bcf..07bcb8e 100644
corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
-@@ -88,8 +93,6 @@ auth_use_nsswitch(dnsmasq_t)
+@@ -86,9 +91,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
- logging_send_syslog_msg(dnsmasq_t)
+ auth_use_nsswitch(dnsmasq_t)
+
+-logging_send_syslog_msg(dnsmasq_t)
++libs_exec_ldconfig(dnsmasq_t)
-miscfiles_read_localization(dnsmasq_t)
--
++logging_send_syslog_msg(dnsmasq_t)
+
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-
-@@ -98,12 +101,21 @@ optional_policy(`
+@@ -98,12 +103,21 @@ optional_policy(`
')
optional_policy(`
@@ -20626,7 +20735,7 @@ index ba14bcf..07bcb8e 100644
')
optional_policy(`
-@@ -124,6 +136,7 @@ optional_policy(`
+@@ -124,6 +138,13 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -20634,6 +20743,12 @@ index ba14bcf..07bcb8e 100644
virt_read_pid_files(dnsmasq_t)
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
')
++
++optional_policy(`
++ quantum_manage_lib_files(dnsmasq_t)
++ quantum_rw_fifo_file(dnsmasq_t)
++ quantum_sigchld(dnsmasq_t)
++')
diff --git a/dnssec.fc b/dnssec.fc
new file mode 100644
index 0000000..9e231a8
@@ -21068,7 +21183,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..5690e77 100644
+index a7bfaf0..457c894 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -21412,7 +21527,7 @@ index a7bfaf0..5690e77 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +303,41 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +303,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -21438,6 +21553,7 @@ index a7bfaf0..5690e77 100644
-logging_search_logs(dovecot_deliver_t)
+files_search_tmp(dovecot_deliver_t)
++files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(dovecot_deliver_t)
@@ -21471,7 +21587,7 @@ index a7bfaf0..5690e77 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +346,6 @@ optional_policy(`
+@@ -326,5 +347,6 @@ optional_policy(`
')
optional_policy(`
@@ -22790,7 +22906,7 @@ index 21d7b84..0e272bd 100644
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
-index 5cf6ac6..839999e 100644
+index 5cf6ac6..62547ee 100644
--- a/firewalld.if
+++ b/firewalld.if
@@ -2,6 +2,66 @@
@@ -22860,18 +22976,37 @@ index 5cf6ac6..839999e 100644
## Send and receive messages from
## firewalld over dbus.
##
-@@ -23,8 +83,8 @@ interface(`firewalld_dbus_chat',`
+@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
########################################
##
-## All of the rules required to
-## administrate an firewalld environment.
++## Dontaudit attempts to write
++## firewalld tmp files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`firewalld_dontaudit_write_tmp_files',`
++ gen_require(`
++ type firewalld_tmp_t;
++ ')
++
++ dontaudit $1 firewalld_tmp_t:file write;
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an firewalld environment
##
##
##
-@@ -45,10 +105,14 @@ interface(`firewalld_admin',`
+@@ -45,10 +124,14 @@ interface(`firewalld_admin',`
type firewalld_var_log_t;
')
@@ -22888,7 +23023,7 @@ index 5cf6ac6..839999e 100644
domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r;
-@@ -59,6 +123,9 @@ interface(`firewalld_admin',`
+@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t)
@@ -23303,10 +23438,18 @@ index c12c067..a415012 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..7575a9b 100644
+index c81b6e8..fcb022d 100644
--- a/fprintd.te
+++ b/fprintd.te
-@@ -30,14 +30,10 @@ dev_list_usbfs(fprintd_t)
+@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
+ allow fprintd_t self:capability sys_nice;
+ allow fprintd_t self:process { getsched setsched signal sigkill };
+ allow fprintd_t self:fifo_file rw_fifo_file_perms;
++allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+ manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
+@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t)
dev_read_sysfs(fprintd_t)
dev_rw_generic_usb_dev(fprintd_t)
@@ -23321,7 +23464,7 @@ index c81b6e8..7575a9b 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -54,8 +50,13 @@ optional_policy(`
+@@ -54,8 +51,13 @@ optional_policy(`
')
')
@@ -23444,7 +23587,7 @@ index d062080..97fb494 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..5e6cdb8 100644
+index e50f33c..d9dca45 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -23605,7 +23748,7 @@ index e50f33c..5e6cdb8 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23618,11 +23761,13 @@ index e50f33c..5e6cdb8 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
- userdom_manage_user_home_content_dirs(ftpd_t)
- userdom_manage_user_home_content_files(ftpd_t)
+- userdom_manage_user_home_content_dirs(ftpd_t)
+- userdom_manage_user_home_content_files(ftpd_t)
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
++ userdom_manage_all_user_home_type_dirs(ftpd_t)
++ userdom_manage_all_user_home_type_files(ftpd_t)
userdom_manage_user_tmp_dirs(ftpd_t)
userdom_manage_user_tmp_files(ftpd_t)
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
@@ -24335,7 +24480,7 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..735cc94
+index 0000000..ab1fd22
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,146 @@
@@ -24389,7 +24534,7 @@ index 0000000..735cc94
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
-+files_type(glusterd_var_lib_t);
++files_type(glusterd_var_lib_t)
+
+########################################
+#
@@ -28049,10 +28194,10 @@ index 3226f52..68b2eb8 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 25f09ae..aa94571 100644
+index 25f09ae..3085534 100644
--- a/gpsd.te
+++ b/gpsd.te
-@@ -28,7 +28,7 @@ files_pid_file(gpsd_var_run_t)
+@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
#
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
@@ -28061,7 +28206,12 @@ index 25f09ae..aa94571 100644
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
-@@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
+ allow gpsd_t self:tcp_socket { accept listen };
++allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+ manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
+@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
@@ -28077,6 +28227,298 @@ index 25f09ae..aa94571 100644
optional_policy(`
chronyd_rw_shm(gpsd_t)
chronyd_stream_connect(gpsd_t)
+diff --git a/gssproxy.fc b/gssproxy.fc
+new file mode 100644
+index 0000000..404ae4f
+--- /dev/null
++++ b/gssproxy.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
++
++/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
++
++/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
++
++/var/run/gssproxy.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0)
+diff --git a/gssproxy.if b/gssproxy.if
+new file mode 100644
+index 0000000..072ddb0
+--- /dev/null
++++ b/gssproxy.if
+@@ -0,0 +1,203 @@
++
++## policy for gssproxy
++
++########################################
++##
++## Execute TEMPLATE in the gssproxy domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gssproxy_domtrans',`
++ gen_require(`
++ type gssproxy_t, gssproxy_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
++')
++
++########################################
++##
++## Search gssproxy lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_search_lib',`
++ gen_require(`
++ type gssproxy_var_lib_t;
++ ')
++
++ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Read gssproxy lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_read_lib_files',`
++ gen_require(`
++ type gssproxy_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++##
++## Manage gssproxy lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_manage_lib_files',`
++ gen_require(`
++ type gssproxy_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++##
++## Manage gssproxy lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_manage_lib_dirs',`
++ gen_require(`
++ type gssproxy_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
++')
++
++########################################
++##
++## Read gssproxy PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_read_pid_files',`
++ gen_require(`
++ type gssproxy_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
++')
++
++########################################
++##
++## Execute gssproxy server in the gssproxy domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gssproxy_systemctl',`
++ gen_require(`
++ type gssproxy_t;
++ type gssproxy_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 gssproxy_unit_file_t:file read_file_perms;
++ allow $1 gssproxy_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, gssproxy_t)
++')
++
++########################################
++##
++## Connect to gssproxy over an unix
++## domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gssproxy_stream_connect',`
++ gen_require(`
++ type gssproxy_t, gssproxy_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an gssproxy environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`gssproxy_admin',`
++ gen_require(`
++ type gssproxy_t;
++ type gssproxy_var_lib_t;
++ type gssproxy_var_run_t;
++ type gssproxy_unit_file_t;
++ ')
++
++ allow $1 gssproxy_t:process { ptrace signal_perms };
++ ps_process_pattern($1, gssproxy_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, gssproxy_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, gssproxy_var_run_t)
++
++ gssproxy_systemctl($1)
++ admin_pattern($1, gssproxy_unit_file_t)
++ allow $1 gssproxy_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/gssproxy.te b/gssproxy.te
+new file mode 100644
+index 0000000..6f0253c
+--- /dev/null
++++ b/gssproxy.te
+@@ -0,0 +1,64 @@
++policy_module(gssproxy, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gssproxy_t;
++type gssproxy_exec_t;
++init_daemon_domain(gssproxy_t, gssproxy_exec_t)
++
++type gssproxy_var_lib_t;
++files_type(gssproxy_var_lib_t)
++
++type gssproxy_var_run_t;
++files_pid_file(gssproxy_var_run_t)
++
++type gssproxy_unit_file_t;
++systemd_unit_file(gssproxy_unit_file_t)
++
++########################################
++#
++# gssproxy local policy
++#
++allow gssproxy_t self:capability2 block_suspend;
++allow gssproxy_t self:fifo_file rw_fifo_file_perms;
++allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
++files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
++
++manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
++files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file })
++
++kernel_rw_rpc_sysctls(gssproxy_t)
++
++domain_use_interactive_fds(gssproxy_t)
++
++files_read_etc_files(gssproxy_t)
++
++auth_use_nsswitch(gssproxy_t)
++
++dev_read_urand(gssproxy_t)
++
++logging_send_syslog_msg(gssproxy_t)
++
++miscfiles_read_localization(gssproxy_t)
++
++userdom_manage_user_tmp_dirs(gssproxy_t)
++userdom_manage_user_tmp_files(gssproxy_t)
++
++optional_policy(`
++ kerberos_use(gssproxy_t)
++')
++
++optional_policy(`
++ kerberos_keytab_template(gssproxy, gssproxy_t)
++ kerberos_manage_host_rcache(gssproxy_t)
++')
diff --git a/guest.te b/guest.te
index d928711..93d2d83 100644
--- a/guest.te
@@ -32344,7 +32786,7 @@ index d5d1572..82267a7 100644
/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
diff --git a/l2tp.if b/l2tp.if
-index 73e2803..562d25b 100644
+index 73e2803..2fc7570 100644
--- a/l2tp.if
+++ b/l2tp.if
@@ -1,9 +1,45 @@
@@ -32436,7 +32878,7 @@ index 73e2803..562d25b 100644
##
##
##
-@@ -56,14 +110,32 @@ interface(`l2tpd_stream_connect',`
+@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',`
')
files_search_pids($1)
@@ -32468,12 +32910,87 @@ index 73e2803..562d25b 100644
+
+########################################
+##
++## Allow send a signal to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_signal',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process signal;
++')
++
++########################################
++##
++## Allow send signull to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_signull',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process signull;
++')
++
++########################################
++##
++## Allow send sigkill to l2tpd.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_sigkill',`
++ gen_require(`
++ type l2tpd_t;
++ ')
++
++ allow $1 l2tpd_t:process sigkill;
++')
++
++########################################
++##
++## Send and receive messages from
++## l2tpd over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`l2tpd_dbus_chat',`
++ gen_require(`
++ type l2tpd_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 l2tpd_t:dbus send_msg;
++ allow l2tpd_t $1:dbus send_msg;
++')
++
++########################################
++##
+## All of the rules required to administrate
+## an l2tpd environment
##
##
##
-@@ -77,22 +149,26 @@ interface(`l2tpd_stream_connect',`
+@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',`
##
##
#
@@ -32506,7 +33023,7 @@ index 73e2803..562d25b 100644
files_search_pids($1)
admin_pattern($1, l2tpd_var_run_t)
diff --git a/l2tp.te b/l2tp.te
-index 19f2b97..23321e4 100644
+index 19f2b97..fbc0e48 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@@ -32518,7 +33035,16 @@ index 19f2b97..23321e4 100644
allow l2tpd_t self:fifo_file rw_fifo_file_perms;
allow l2tpd_t self:netlink_socket create_socket_perms;
allow l2tpd_t self:rawip_socket create_socket_perms;
-@@ -75,19 +75,19 @@ corecmd_exec_bin(l2tpd_t)
+@@ -47,6 +47,8 @@ files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
+ manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
+ files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
+
++can_exec(l2tpd_t, l2tpd_exec_t)
++
+ corenet_all_recvfrom_unlabeled(l2tpd_t)
+ corenet_all_recvfrom_netlabel(l2tpd_t)
+ corenet_raw_sendrecv_generic_if(l2tpd_t)
+@@ -75,19 +77,35 @@ corecmd_exec_bin(l2tpd_t)
dev_read_urand(l2tpd_t)
@@ -32535,6 +33061,22 @@ index 19f2b97..23321e4 100644
sysnet_dns_name_resolve(l2tpd_t)
optional_policy(`
++ dbus_system_bus_client(l2tpd_t)
++ dbus_connect_system_bus(l2tpd_t)
++
++ optional_policy(`
++ networkmanager_dbus_chat(l2tpd_t)
++ ')
++')
++
++optional_policy(`
++ ipsec_domtrans_mgmt(l2tpd_t)
++ ipsec_mgmt_read_pid(l2tpd_t)
++ ipsec_filetrans_key_file(l2tpd_t)
++ ipsec_manage_key_file(l2tpd_t)
++')
++
++optional_policy(`
+ networkmanager_read_pid_files(l2tpd_t)
+')
+
@@ -33071,7 +33613,7 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 98b5405..b1d3cdf 100644
+index 98b5405..7d982bb 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -33083,7 +33625,15 @@ index 98b5405..b1d3cdf 100644
type lircd_var_run_t alias lircd_sock_t;
files_pid_file(lircd_var_run_t)
-@@ -64,9 +64,8 @@ files_manage_generic_locks(lircd_t)
+@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin };
+ allow lircd_t self:process signal;
+ allow lircd_t self:fifo_file rw_fifo_file_perms;
+ allow lircd_t self:tcp_socket { accept listen };
++allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+ read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
+
+@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t)
files_read_all_locks(lircd_t)
term_use_ptmx(lircd_t)
@@ -36573,10 +37123,10 @@ index 4462c0e..84944d1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 6ffaba2..90fd526 100644
+index 6ffaba2..d341a52 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -1,38 +1,63 @@
+@@ -1,38 +1,64 @@
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
@@ -36611,6 +37161,7 @@ index 6ffaba2..90fd526 100644
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -36675,7 +37226,7 @@ index 6ffaba2..90fd526 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..116d9d2 100644
+index 6194b80..879f5db 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -37314,7 +37865,7 @@ index 6194b80..116d9d2 100644
##
##
##
-@@ -530,45 +448,50 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +448,51 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -37379,6 +37930,7 @@ index 6194b80..116d9d2 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
@@ -37390,7 +37942,7 @@ index 6194b80..116d9d2 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..66e7ada 100644
+index 6a306ee..30005c3 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -37399,7 +37951,7 @@ index 6a306ee..66e7ada 100644
########################################
#
-@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4)
#
##
@@ -37423,6 +37975,13 @@ index 6a306ee..66e7ada 100644
+
+##
+##
++## Allow mozilla plugin to support GPS.
++##
++##
++gen_tunable(mozilla_plugin_use_gps, false)
++
++##
++##
+## Allow confined web browsers to read home directory content
+##
+##
@@ -37439,7 +37998,7 @@ index 6a306ee..66e7ada 100644
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
-@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;
@@ -37449,7 +38008,7 @@ index 6a306ee..66e7ada 100644
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
-@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t)
+@@ -31,29 +58,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
@@ -37484,7 +38043,7 @@ index 6a306ee..66e7ada 100644
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
-@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +85,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
@@ -37495,7 +38054,7 @@ index 6a306ee..66e7ada 100644
########################################
#
# Local policy
-@@ -75,27 +86,30 @@ optional_policy(`
+@@ -75,27 +93,30 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -37539,7 +38098,7 @@ index 6a306ee..66e7ada 100644
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
-@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +124,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -37647,7 +38206,7 @@ index 6a306ee..66e7ada 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +195,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -37655,15 +38214,15 @@ index 6a306ee..66e7ada 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
-+userdom_use_inherited_user_ptys(mozilla_t)
-
+-
-userdom_manage_user_tmp_dirs(mozilla_t)
-userdom_manage_user_tmp_files(mozilla_t)
-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
++userdom_use_inherited_user_ptys(mozilla_t)
+
-userdom_write_user_tmp_sockets(mozilla_t)
-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37758,7 +38317,7 @@ index 6a306ee..66e7ada 100644
')
optional_policy(`
-@@ -244,19 +268,12 @@ optional_policy(`
+@@ -244,19 +275,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -37780,7 +38339,7 @@ index 6a306ee..66e7ada 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +282,32 @@ optional_policy(`
+@@ -265,33 +289,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -37793,34 +38352,34 @@ index 6a306ee..66e7ada 100644
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
+ gnome_manage_config(mozilla_t)
+ gnome_manage_gconf_home_files(mozilla_t)
++')
++
++optional_policy(`
++ java_domtrans(mozilla_t)
')
optional_policy(`
- java_exec(mozilla_t)
- java_manage_generic_home_content(mozilla_t)
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
-+ java_domtrans(mozilla_t)
++ lpd_domtrans_lpr(mozilla_t)
')
optional_policy(`
- lpd_run_lpr(mozilla_t, mozilla_roles)
-+ lpd_domtrans_lpr(mozilla_t)
++ mplayer_domtrans(mozilla_t)
++ mplayer_read_user_home_files(mozilla_t)
')
optional_policy(`
- mplayer_exec(mozilla_t)
- mplayer_manage_generic_home_content(mozilla_t)
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
-+ mplayer_domtrans(mozilla_t)
-+ mplayer_read_user_home_files(mozilla_t)
++ nscd_socket_use(mozilla_t)
')
optional_policy(`
- pulseaudio_run(mozilla_t, mozilla_roles)
-+ nscd_socket_use(mozilla_t)
-+')
-+
-+optional_policy(`
+ #pulseaudio_role(mozilla_roles, mozilla_t)
+ pulseaudio_exec(mozilla_t)
+ pulseaudio_stream_connect(mozilla_t)
@@ -37828,7 +38387,7 @@ index 6a306ee..66e7ada 100644
')
optional_policy(`
-@@ -300,221 +316,174 @@ optional_policy(`
+@@ -300,221 +323,177 @@ optional_policy(`
########################################
#
@@ -37910,12 +38469,12 @@ index 6a306ee..66e7ada 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -37936,34 +38495,39 @@ index 6a306ee..66e7ada 100644
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
-
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
++corenet_tcp_bind_generic_node(mozilla_plugin_t)
++corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
++corenet_tcp_connect_aol_port(mozilla_plugin_t)
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
-
-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_generic_port(mozilla_plugin_t)
++corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
++corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
corenet_tcp_connect_ftp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
-
-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
+ corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
- corenet_tcp_connect_http_port(mozilla_plugin_t)
+-corenet_tcp_connect_http_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
-
-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
++corenet_tcp_connect_generic_port(mozilla_plugin_t)
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
-
-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
++corenet_tcp_connect_http_port(mozilla_plugin_t)
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
-
-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
++corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
corenet_tcp_connect_ircd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
-
@@ -37972,20 +38536,23 @@ index 6a306ee..66e7ada 100644
-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
-
-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
++corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
-
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_monopd_port(mozilla_plugin_t)
+ corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
-
-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
--corenet_tcp_connect_soundd_port(mozilla_plugin_t)
++corenet_tcp_connect_msnp_port(mozilla_plugin_t)
++corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
++corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
++corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
+ corenet_tcp_connect_soundd_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
-
-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
-+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
-
@@ -37994,17 +38561,10 @@ index 6a306ee..66e7ada 100644
-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
-
-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
-+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
-+corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
-+corenet_tcp_connect_soundd_port(mozilla_plugin_t)
+corenet_tcp_connect_tor_port(mozilla_plugin_t)
++corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
corenet_tcp_connect_vnc_port(mozilla_plugin_t)
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
-+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
-+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
-+corenet_tcp_connect_monopd_port(mozilla_plugin_t)
-+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
-+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
+corenet_udp_bind_generic_node(mozilla_plugin_t)
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
@@ -38145,7 +38705,7 @@ index 6a306ee..66e7ada 100644
')
optional_policy(`
-@@ -523,36 +492,47 @@ optional_policy(`
+@@ -523,36 +502,48 @@ optional_policy(`
')
optional_policy(`
@@ -38201,12 +38761,13 @@ index 6a306ee..66e7ada 100644
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
++ pulseaudio_manage_home_dirs(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
')
optional_policy(`
-@@ -560,7 +540,7 @@ optional_policy(`
+@@ -560,7 +551,7 @@ optional_policy(`
')
optional_policy(`
@@ -38215,7 +38776,7 @@ index 6a306ee..66e7ada 100644
')
optional_policy(`
-@@ -568,108 +548,113 @@ optional_policy(`
+@@ -568,108 +559,118 @@ optional_policy(`
')
optional_policy(`
@@ -38331,34 +38892,29 @@ index 6a306ee..66e7ada 100644
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
-userdom_use_user_ptys(mozilla_plugin_config_t)
--
--mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
--tunable_policy(`allow_execmem',`
-- allow mozilla_plugin_config_t self:process execmem;
+-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
++')
+
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_config_t self:process execmem;
++optional_policy(`
++ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
')
-tunable_policy(`mozilla_execstack',`
- allow mozilla_plugin_config_t self:process { execmem execstack };
+optional_policy(`
-+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
++ xserver_use_user_fonts(mozilla_plugin_config_t)
')
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
- fs_manage_nfs_files(mozilla_plugin_config_t)
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
-+optional_policy(`
-+ xserver_use_user_fonts(mozilla_plugin_config_t)
- ')
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_plugin_config_t)
-- fs_manage_cifs_files(mozilla_plugin_config_t)
-- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
@@ -38369,8 +38925,10 @@ index 6a306ee..66e7ada 100644
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
--optional_policy(`
-- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_config_t)
+- fs_manage_cifs_files(mozilla_plugin_config_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
@@ -38384,10 +38942,17 @@ index 6a306ee..66e7ada 100644
')
-optional_policy(`
-- xserver_use_user_fonts(mozilla_plugin_config_t)
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
')
+
+-optional_policy(`
+- xserver_use_user_fonts(mozilla_plugin_config_t)
++tunable_policy(`mozilla_plugin_use_gps',`
++ fs_manage_dos_dirs(mozilla_plugin_t)
++ fs_manage_dos_files(mozilla_plugin_t)
+ ')
diff --git a/mpd.fc b/mpd.fc
index 313ce52..6aa46d2 100644
--- a/mpd.fc
@@ -39833,7 +40398,7 @@ index ed81cac..566684a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..a270fd4 100644
+index afd2fad..363dd67 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -40031,7 +40596,7 @@ index afd2fad..a270fd4 100644
+init_dontaudit_rw_stream_socket(system_mail_t)
+
+userdom_use_inherited_user_terminals(system_mail_t)
-+userdom_dontaudit_search_user_home_dirs(system_mail_t)
++userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
+
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
@@ -42896,7 +43461,7 @@ index a1fb3c3..8fe1d63 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..b9c69d2 100644
+index 0e8508c..0b68b86 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -43143,7 +43708,7 @@ index 0e8508c..b9c69d2 100644
##
##
##
-@@ -227,33 +292,92 @@ interface(`networkmanager_read_pid_files',`
+@@ -227,33 +292,112 @@ interface(`networkmanager_read_pid_files',`
##
##
#
@@ -43214,6 +43779,25 @@ index 0e8508c..b9c69d2 100644
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
++####################################
++##
++## Connect to NM over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`networkmanager_stream_connect',`
++ gen_require(`
++ type NetworkManager_t, NetworkManager_var_run_t;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
++')
+
+########################################
+##
@@ -43254,10 +43838,11 @@ index 0e8508c..b9c69d2 100644
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
-+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
++ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
++ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..57fe60f 100644
+index 0b48a30..f3320a3 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -43537,7 +44122,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -257,11 +279,7 @@ optional_policy(`
+@@ -257,11 +279,10 @@ optional_policy(`
')
optional_policy(`
@@ -43547,10 +44132,13 @@ index 0b48a30..57fe60f 100644
-optional_policy(`
- modutils_domtrans_insmod(NetworkManager_t)
+ l2tpd_domtrans(NetworkManager_t)
++ l2tpd_sigkill(NetworkManager_t)
++ l2tpd_signal(NetworkManager_t)
++ l2tpd_signull(NetworkManager_t)
')
optional_policy(`
-@@ -274,10 +292,17 @@ optional_policy(`
+@@ -274,10 +295,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -43568,7 +44156,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -289,6 +314,7 @@ optional_policy(`
+@@ -289,6 +317,7 @@ optional_policy(`
')
optional_policy(`
@@ -43576,7 +44164,7 @@ index 0b48a30..57fe60f 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +322,7 @@ optional_policy(`
+@@ -296,7 +325,7 @@ optional_policy(`
')
optional_policy(`
@@ -43585,7 +44173,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -307,6 +333,7 @@ optional_policy(`
+@@ -307,6 +336,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -43593,7 +44181,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -320,13 +347,15 @@ optional_policy(`
+@@ -320,13 +350,15 @@ optional_policy(`
')
optional_policy(`
@@ -43613,7 +44201,7 @@ index 0b48a30..57fe60f 100644
')
optional_policy(`
-@@ -356,6 +385,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -356,6 +388,5 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -47034,35 +47622,16 @@ index 57c0161..54bd4d7 100644
+ ps_process_pattern($1, swift_t)
')
diff --git a/nut.te b/nut.te
-index 0c9deb7..ea0ba5c 100644
+index 0c9deb7..98a02f8 100644
--- a/nut.te
+++ b/nut.te
-@@ -1,121 +1,108 @@
+@@ -1,4 +1,4 @@
-policy_module(nut, 1.2.4)
+policy_module(nut, 1.2.0)
########################################
#
- # Declarations
- #
-
--attribute nut_domain;
--
- type nut_conf_t;
- files_config_file(nut_conf_t)
-
--type nut_upsd_t, nut_domain;
-+type nut_upsd_t;
- type nut_upsd_exec_t;
- init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
-
--type nut_upsmon_t, nut_domain;
-+type nut_upsmon_t;
- type nut_upsmon_exec_t;
- init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
-
--type nut_upsdrvctl_t, nut_domain;
-+type nut_upsdrvctl_t;
+@@ -22,100 +22,94 @@ type nut_upsdrvctl_t, nut_domain;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
@@ -47072,11 +47641,12 @@ index 0c9deb7..ea0ba5c 100644
type nut_var_run_t;
files_pid_file(nut_var_run_t)
-init_daemon_run_dir(nut_var_run_t, "nut")
-+
+
+-########################################
+type nut_unit_file_t;
+systemd_unit_file(nut_unit_file_t)
-
- ########################################
++
++#######################################
#
-# Common nut domain local policy
+# Local policy for upsd
@@ -47090,39 +47660,35 @@ index 0c9deb7..ea0ba5c 100644
-allow nut_domain nut_conf_t:dir list_dir_perms;
-allow nut_domain nut_conf_t:file read_file_perms;
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
-+allow nut_upsd_t self:capability { setgid setuid dac_override };
-+allow nut_upsd_t self:process signal_perms;
-
+-
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
-+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-
+-
-kernel_read_kernel_sysctls(nut_domain)
-+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-
+-
-logging_send_syslog_msg(nut_domain)
-
-miscfiles_read_localization(nut_domain)
--
--########################################
--#
++allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
+ ########################################
+ #
-# Upsd local policy
--#
--
++# Local policy for upsd
+ #
+
-allow nut_upsd_t self:tcp_socket { accept listen };
-+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
++allow nut_upsd_t self:capability { setgid setuid dac_override };
++allow nut_upsd_t self:process signal_perms;
-+# pid file
-+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
- manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
+-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
-+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
-+kernel_read_kernel_sysctls(nut_upsd_t)
++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
-corenet_all_recvfrom_netlabel(nut_upsd_t)
@@ -47130,21 +47696,29 @@ index 0c9deb7..ea0ba5c 100644
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
-corenet_tcp_bind_generic_node(nut_upsd_t)
--
++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
+
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
- corenet_tcp_bind_ups_port(nut_upsd_t)
--
+-corenet_tcp_bind_ups_port(nut_upsd_t)
++# pid file
++manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
+
-corenet_sendrecv_generic_server_packets(nut_upsd_t)
- corenet_tcp_bind_generic_port(nut_upsd_t)
-+corenet_tcp_bind_all_nodes(nut_upsd_t)
+-corenet_tcp_bind_generic_port(nut_upsd_t)
++kernel_read_kernel_sysctls(nut_upsd_t)
-files_read_usr_files(nut_upsd_t)
++corenet_tcp_bind_ups_port(nut_upsd_t)
++corenet_tcp_bind_generic_port(nut_upsd_t)
++corenet_tcp_bind_all_nodes(nut_upsd_t)
auth_use_nsswitch(nut_upsd_t)
+logging_send_syslog_msg(nut_upsd_t)
+
-+
########################################
#
-# Upsmon local policy
@@ -47160,12 +47734,12 @@ index 0c9deb7..ea0ba5c 100644
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
+
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
-
++
+# pid file
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
-+
+
+kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
@@ -47205,7 +47779,7 @@ index 0c9deb7..ea0ba5c 100644
mta_send_mail(nut_upsmon_t)
optional_policy(`
-@@ -124,14 +111,27 @@ optional_policy(`
+@@ -124,14 +118,27 @@ optional_policy(`
########################################
#
@@ -47219,9 +47793,9 @@ index 0c9deb7..ea0ba5c 100644
+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
-+
-+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
++
+# pid file
+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
@@ -47235,7 +47809,7 @@ index 0c9deb7..ea0ba5c 100644
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-@@ -139,22 +139,34 @@ dev_read_urand(nut_upsdrvctl_t)
+@@ -139,22 +146,34 @@ dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)
@@ -47523,7 +48097,7 @@ index 8635ea2..eec20b4 100644
+ obex_dbus_chat($2)
')
diff --git a/obex.te b/obex.te
-index cd29ea8..efbf8f8 100644
+index cd29ea8..d01d2c8 100644
--- a/obex.te
+++ b/obex.te
@@ -1,4 +1,4 @@
@@ -47532,7 +48106,7 @@ index cd29ea8..efbf8f8 100644
########################################
#
-@@ -14,30 +14,25 @@ role obex_roles types obex_t;
+@@ -14,30 +14,26 @@ role obex_roles types obex_t;
########################################
#
@@ -47542,6 +48116,7 @@ index cd29ea8..efbf8f8 100644
allow obex_t self:fifo_file rw_fifo_file_perms;
allow obex_t self:socket create_stream_socket_perms;
++allow obex_t self:netlink_kobject_uevent_socket create_socket_perms;
-dev_read_urand(obex_t)
+kernel_request_load_module(obex_t)
@@ -48240,10 +48815,10 @@ index 0000000..f2d6119
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
diff --git a/openshift.if b/openshift.if
new file mode 100644
-index 0000000..8a1731a
+index 0000000..6c841fa
--- /dev/null
+++ b/openshift.if
-@@ -0,0 +1,654 @@
+@@ -0,0 +1,676 @@
+
+## policy for openshift
+
@@ -48482,7 +49057,27 @@ index 0000000..8a1731a
+ type openshift_var_lib_t;
+ ')
+
-+ allow $1 openshift_var_lib_t:dir search_dir_perms;
++ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ files_search_var_lib($1)
++')
++
++########################################
++##
++## Getattr openshift lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`openshift_getattr_lib',`
++ gen_require(`
++ type openshift_var_lib_t;
++ ')
++
++ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+ files_search_var_lib($1)
+')
+
@@ -48503,6 +49098,7 @@ index 0000000..8a1731a
+
+ files_search_var_lib($1)
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
@@ -48542,6 +49138,7 @@ index 0000000..8a1731a
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
++ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
+')
+
+########################################
@@ -48726,7 +49323,7 @@ index 0000000..8a1731a
+##
+##
+#
-+template(`openshift_net_type',`
++interface(`openshift_net_type',`
+ gen_require(`
+ attribute openshift_net_domain;
+ ')
@@ -50522,7 +51119,7 @@ index bf59ef7..c050b37 100644
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')
diff --git a/passenger.te b/passenger.te
-index 4e114ff..fddaed2 100644
+index 4e114ff..c016f25 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
@@ -50611,11 +51208,12 @@ index 4e114ff..fddaed2 100644
userdom_dontaudit_use_user_terminals(passenger_t)
optional_policy(`
-@@ -90,14 +91,15 @@ optional_policy(`
+@@ -90,14 +91,16 @@ optional_policy(`
')
optional_policy(`
- puppet_manage_lib_files(passenger_t)
++ puppet_domtrans_master(passenger_t)
+ puppet_manage_lib(passenger_t)
puppet_read_config(passenger_t)
- puppet_append_log_files(passenger_t)
@@ -52684,7 +53282,7 @@ index 735500f..ef1dd7a 100644
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
diff --git a/plymouthd.if b/plymouthd.if
-index 30e751f..17c097d 100644
+index 30e751f..3985ff9 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -1,4 +1,4 @@
@@ -52872,7 +53470,7 @@ index 30e751f..17c097d 100644
gen_require(`
type plymouthd_var_run_t;
')
-@@ -233,36 +228,74 @@ interface(`plymouthd_read_pid_files',`
+@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',`
########################################
##
@@ -52903,14 +53501,11 @@ index 30e751f..17c097d 100644
+## to plymouthd log files.
+##
+##
- ##
--## Role allowed access.
++##
+## Domain allowed access.
- ##
- ##
--##
- #
--interface(`plymouthd_admin',`
++##
++##
++#
+interface(`plymouthd_manage_log',`
+ gen_require(`
+ type plymouthd_var_log_t;
@@ -52922,17 +53517,39 @@ index 30e751f..17c097d 100644
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
+')
+
++#######################################
++##
++## Allow domain to create boot.log
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`plymouthd_create_log',`
++ gen_require(`
++ type plymouthd_var_log_t;
++ ')
++
++ logging_rw_generic_log_dirs($1)
++ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
++')
++
+########################################
+##
+## All of the rules required to administrate
+## an plymouthd environment
+##
+##
-+##
+ ##
+-## Role allowed access.
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+-##
+ #
+-interface(`plymouthd_admin',`
+interface(`plymouthd_admin', `
gen_require(`
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
@@ -55333,7 +55950,7 @@ index 2e23946..589bbf2 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..e9e96bd 100644
+index 191a66f..aa3e5f0 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -55422,7 +56039,7 @@ index 191a66f..e9e96bd 100644
type postfix_data_t;
files_type(postfix_data_t)
-@@ -102,160 +102,63 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -102,160 +102,64 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -55548,6 +56165,7 @@ index 191a66f..e9e96bd 100644
+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
++manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
+
@@ -55607,7 +56225,7 @@ index 191a66f..e9e96bd 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +166,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +167,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -55676,7 +56294,7 @@ index 191a66f..e9e96bd 100644
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
-@@ -316,14 +213,11 @@ optional_policy(`
+@@ -316,14 +214,11 @@ optional_policy(`
')
optional_policy(`
@@ -55692,7 +56310,7 @@ index 191a66f..e9e96bd 100644
postgrey_search_spool(postfix_master_t)
')
-@@ -333,12 +227,14 @@ optional_policy(`
+@@ -333,12 +228,14 @@ optional_policy(`
########################################
#
@@ -55709,7 +56327,7 @@ index 191a66f..e9e96bd 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,35 +251,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,35 +252,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -55754,7 +56372,7 @@ index 191a66f..e9e96bd 100644
mta_read_aliases(postfix_cleanup_t)
-@@ -393,36 +288,53 @@ optional_policy(`
+@@ -393,36 +289,53 @@ optional_policy(`
########################################
#
@@ -55816,7 +56434,7 @@ index 191a66f..e9e96bd 100644
')
optional_policy(`
-@@ -434,6 +346,7 @@ optional_policy(`
+@@ -434,6 +347,7 @@ optional_policy(`
')
optional_policy(`
@@ -55824,7 +56442,7 @@ index 191a66f..e9e96bd 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +357,10 @@ optional_policy(`
+@@ -444,6 +358,10 @@ optional_policy(`
')
optional_policy(`
@@ -55835,7 +56453,7 @@ index 191a66f..e9e96bd 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +375,17 @@ optional_policy(`
+@@ -458,15 +376,17 @@ optional_policy(`
########################################
#
@@ -55859,7 +56477,7 @@ index 191a66f..e9e96bd 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +395,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +396,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -55879,7 +56497,7 @@ index 191a66f..e9e96bd 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +412,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +413,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -55887,7 +56505,7 @@ index 191a66f..e9e96bd 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +419,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +420,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -55913,7 +56531,7 @@ index 191a66f..e9e96bd 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +444,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +445,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -55933,7 +56551,7 @@ index 191a66f..e9e96bd 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +495,26 @@ optional_policy(`
+@@ -576,19 +496,26 @@ optional_policy(`
########################################
#
@@ -55965,7 +56583,7 @@ index 191a66f..e9e96bd 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +529,7 @@ optional_policy(`
+@@ -603,10 +530,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -55977,7 +56595,7 @@ index 191a66f..e9e96bd 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +544,24 @@ optional_policy(`
+@@ -621,17 +545,24 @@ optional_policy(`
#######################################
#
@@ -56005,7 +56623,7 @@ index 191a66f..e9e96bd 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +577,77 @@ optional_policy(`
+@@ -647,67 +578,77 @@ optional_policy(`
########################################
#
@@ -56101,7 +56719,7 @@ index 191a66f..e9e96bd 100644
')
optional_policy(`
-@@ -720,24 +660,27 @@ optional_policy(`
+@@ -720,24 +661,27 @@ optional_policy(`
########################################
#
@@ -56135,7 +56753,7 @@ index 191a66f..e9e96bd 100644
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
-@@ -754,6 +697,7 @@ optional_policy(`
+@@ -754,6 +698,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -56143,7 +56761,7 @@ index 191a66f..e9e96bd 100644
')
optional_policy(`
-@@ -764,31 +708,99 @@ optional_policy(`
+@@ -764,31 +709,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -56930,7 +57548,7 @@ index cd8b8b9..cde0d62 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..89ded87 100644
+index b2b5dba..7b8a7d1 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@@ -57121,14 +57739,14 @@ index b2b5dba..89ded87 100644
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
--
++# for scripts
+
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t)
-+# for scripts
-
+-
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t)
-init_signal_script(pppd_t)
@@ -57160,7 +57778,13 @@ index b2b5dba..89ded87 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
-@@ -190,7 +206,7 @@ optional_policy(`
+@@ -186,11 +202,13 @@ optional_policy(`
+ l2tpd_dgram_send(pppd_t)
+ l2tpd_rw_socket(pppd_t)
+ l2tpd_stream_connect(pppd_t)
++ l2tpd_read_pid_files(pppd_t)
++ l2tpd_dbus_chat(pppd_t)
+ ')
optional_policy(`
tunable_policy(`pppd_can_insmod',`
@@ -57169,7 +57793,7 @@ index b2b5dba..89ded87 100644
')
')
-@@ -218,16 +234,19 @@ optional_policy(`
+@@ -218,16 +236,19 @@ optional_policy(`
########################################
#
@@ -57192,7 +57816,7 @@ index b2b5dba..89ded87 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +255,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +257,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -57249,7 +57873,7 @@ index b2b5dba..89ded87 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +299,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@@ -57264,6 +57888,17 @@ index b2b5dba..89ded87 100644
sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+@@ -299,6 +318,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(pppd_t)
++')
++
++optional_policy(`
+ dbus_system_domain(pppd_t, pppd_exec_t)
+
+ optional_policy(`
diff --git a/prelink.fc b/prelink.fc
index a90d623..62af9a4 100644
--- a/prelink.fc
@@ -58514,7 +59149,7 @@ index 6864479..0e7d875 100644
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index fa3dc8e..59808e5 100644
+index fa3dc8e..99cfa95 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,47 +2,44 @@
@@ -58680,7 +59315,7 @@ index fa3dc8e..59808e5 100644
##
## Domain allowed access.
##
-@@ -205,85 +204,95 @@ interface(`pulseaudio_setattr_home_dir',`
+@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
type pulseaudio_home_t;
')
@@ -58742,7 +59377,7 @@ index fa3dc8e..59808e5 100644
##
-## Read and write Pulse Audio files.
+## Create, read, write, and delete pulseaudio
-+## home directory files.
++## home directories.
##
-##
+##
@@ -58752,16 +59387,15 @@ index fa3dc8e..59808e5 100644
##
#
-interface(`pulseaudio_rw_home_files',`
-+interface(`pulseaudio_manage_home_files',`
++interface(`pulseaudio_manage_home_dirs',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
-+ pulseaudio_filetrans_home_content($1)
+- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
@@ -58769,7 +59403,7 @@ index fa3dc8e..59808e5 100644
-## Create, read, write, and delete
-## pulseaudio home content.
+## Create, read, write, and delete pulseaudio
-+## home directory symlinks.
++## home directory files.
##
-##