diff --git a/booleans.subs_dist b/booleans.subs_dist
index 95704b1..d39b6c0 100644
--- a/booleans.subs_dist
+++ b/booleans.subs_dist
@@ -50,3 +50,6 @@ sepgsql_unconfined_dbadm postgresql_selinux_unconfined_dbadm
clamd_use_jit antivirus_use_jit
amavis_use_jit antivirus_use_jit
condor_domain_can_network_connect condor_tcp_network_connect
+icecast_connect_any icecast_use_any_tcp_ports
+named_bind_http_port named_tcp_bind_http_port
+user_rw_noexattrfile selinuxuser_rw_noexattrfile
diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index 6be89de..551beda 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -5182,7 +5182,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..6f8cc7f 100644
+index 4edc40d..17a4eab 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5384,7 +5384,7 @@ index 4edc40d..6f8cc7f 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,24 +220,32 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +220,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5418,8 +5418,11 @@ index 4edc40d..6f8cc7f 100644
+network_port(pki_ra, tcp,12888-12889,s0)
+network_port(pki_tps, tcp,7888-7889,s0)
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
- network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
++network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0, tcp,10993,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
+ network_port(postfix_policyd, tcp,10031,s0)
+ network_port(postgresql, tcp,5432,s0)
@@ -214,38 +257,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
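Review bot: The new-side `network_port(pop, …, tcp,10993,s0)` folds 10993 into pop_port_t, so every domain already allowed to bind or connect to the POP/IMAP ports silently gains 10993 as well, and nothing in corenetwork.te.in records which service needs it. If a single daemon binds that port, a dedicated port type keeps the grant narrow; if it is meant as an alternate IMAPS port, the line at least deserves a comment, e.g. `# 10993: alternate IMAPS port (which daemon? confirm before widening pop_port_t)`. The widened inner `@@ -185,26 +220,34 @@` header only accounts for the two postfix/postgresql context lines pulled in below, so no other port change is hidden in this hunk.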
@@ -20907,7 +20910,7 @@ index d1f64a0..8f50bb9 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..266289c 100644
+index 6bf0ecc..188613e 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@@ -21792,7 +21795,7 @@ index 6bf0ecc..266289c 100644
+ type xdm_t;
+ ')
+
-+ dontaudit $1 xdm_t:unix_stream_socket { getattr ioctl read write };
++ dontaudit $1 xdm_t:unix_stream_socket { append getattr ioctl read write };
+')
+
+########################################
@@ -22487,7 +22490,7 @@ index 6bf0ecc..266289c 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..7e081fb 100644
+index 2696452..7d6fc31 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -22950,17 +22953,19 @@ index 2696452..7e081fb 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +517,27 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +517,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
+manage_dirs_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
++manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+manage_fifo_files_pattern(xdm_t, xdm_log_t, xdm_log_t)
+logging_log_filetrans(xdm_t, xdm_log_t, { dir file })
+
manage_dirs_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
++manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
-logging_log_filetrans(xdm_t, xserver_log_t, file)
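Review bot: `manage_lnk_files_pattern(xdm_t, xdm_log_t, xdm_log_t)` lets xdm_t create and remove symlinks in its log area, but the transition two lines later stays `logging_log_filetrans(xdm_t, xdm_log_t, { dir file })`, so a symlink xdm creates directly under /var/log would inherit the generic log type and the new rule would not cover it. If xdm really places such links at the top level, extend the transition to `logging_log_filetrans(xdm_t, xdm_log_t, { dir file lnk_file })`; if the links only ever live inside an xdm_log_t directory, say so in a one-line comment so the next reader does not ask the same question. The same `manage_lnk_files_pattern` is added for xserver_log_t, whose own filetrans this inner patch removes, so within this hunk there is no transition for that type at all — presumably intentional, but worth confirming.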
@@ -22980,7 +22985,7 @@ index 2696452..7e081fb 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +547,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +549,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -23033,7 +23038,7 @@ index 2696452..7e081fb 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +599,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +601,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23062,7 +23067,7 @@ index 2696452..7e081fb 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +629,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +631,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23109,7 +23114,7 @@ index 2696452..7e081fb 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +674,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +676,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23260,7 +23265,7 @@ index 2696452..7e081fb 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +825,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +827,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -23287,7 +23292,7 @@ index 2696452..7e081fb 100644
')
optional_policy(`
-@@ -514,12 +852,72 @@ optional_policy(`
+@@ -514,12 +854,72 @@ optional_policy(`
')
optional_policy(`
@@ -23360,7 +23365,7 @@ index 2696452..7e081fb 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +935,78 @@ optional_policy(`
+@@ -537,28 +937,78 @@ optional_policy(`
')
optional_policy(`
@@ -23448,7 +23453,7 @@ index 2696452..7e081fb 100644
')
optional_policy(`
-@@ -570,6 +1018,14 @@ optional_policy(`
+@@ -570,6 +1020,14 @@ optional_policy(`
')
optional_policy(`
@@ -23463,7 +23468,7 @@ index 2696452..7e081fb 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +1050,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1052,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23476,7 +23481,7 @@ index 2696452..7e081fb 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1067,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1069,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23492,7 +23497,7 @@ index 2696452..7e081fb 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1083,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1085,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -23503,7 +23508,7 @@ index 2696452..7e081fb 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1098,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1100,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23525,7 +23530,7 @@ index 2696452..7e081fb 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1118,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1120,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -23539,7 +23544,7 @@ index 2696452..7e081fb 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1144,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1146,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23571,7 +23576,7 @@ index 2696452..7e081fb 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1176,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1178,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23589,7 +23594,7 @@ index 2696452..7e081fb 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1199,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1201,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -23613,7 +23618,7 @@ index 2696452..7e081fb 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1218,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -23622,7 +23627,7 @@ index 2696452..7e081fb 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1262,44 @@ optional_policy(`
+@@ -775,16 +1264,44 @@ optional_policy(`
')
optional_policy(`
@@ -23668,7 +23673,7 @@ index 2696452..7e081fb 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1308,10 @@ optional_policy(`
+@@ -793,6 +1310,10 @@ optional_policy(`
')
optional_policy(`
@@ -23679,7 +23684,7 @@ index 2696452..7e081fb 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1327,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -23693,7 +23698,7 @@ index 2696452..7e081fb 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1338,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -23702,7 +23707,7 @@ index 2696452..7e081fb 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1351,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1353,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23737,7 +23742,7 @@ index 2696452..7e081fb 100644
')
optional_policy(`
-@@ -902,7 +1416,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23746,7 +23751,7 @@ index 2696452..7e081fb 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1470,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1472,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -23778,7 +23783,7 @@ index 2696452..7e081fb 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1516,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -24951,7 +24956,7 @@ index 3efd5b6..2f6ba05 100644
+')
+
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..28dbe0b 100644
+index 104037e..f263075 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -25257,7 +25262,7 @@ index 104037e..28dbe0b 100644
')
optional_policy(`
-@@ -463,3 +502,132 @@ optional_policy(`
+@@ -463,3 +502,133 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
@@ -25348,6 +25353,7 @@ index 104037e..28dbe0b 100644
+userdom_manage_user_tmp_files(login_pgm)
+
+optional_policy(`
++ afs_read_config(login_pgm)
+ afs_rw_udp_sockets(login_pgm)
+')
+
@@ -28779,7 +28785,7 @@ index 0d4c8d3..a89c4a2 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..a0ba260 100644
+index 9e54bf9..b63b6d3 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -28891,8 +28897,14 @@ index 9e54bf9..a0ba260 100644
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
allow ipsec_mgmt_t self:key_socket create_socket_perms;
-@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
- files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
+@@ -206,10 +219,11 @@ files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
+ manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+ logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
+-allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
+-files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
++manage_files_pattern(ipsec_mgmt_t, ipsec_mgmt_var_run_t, ipsec_mgmt_var_run_t)
++files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file })
manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_dirs_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
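Review bot: `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, { file })` wraps a single object class in braces, which neither the line it replaces nor the neighbouring `logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)` does; write it as `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)` unless a second class such as `dir` is about to be added. Note also that replacing `allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;` with `manage_files_pattern` additionally grants read/write directory permissions on ipsec_mgmt_var_run_t directories (by the refpolicy pattern definition); if the .fc only labels files with that type the extra grant is dead weight, so either label the directory or note in a comment that none is expected.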
@@ -32945,19 +32957,45 @@ index 6a50270..fa545e7 100644
+
+auth_use_nsswitch(mount_ecryptfs_t)
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
-index b263a8a..9348c8c 100644
+index b263a8a..15576ab 100644
--- a/policy/modules/system/netlabel.fc
+++ b/policy/modules/system/netlabel.fc
-@@ -1 +1,3 @@
+@@ -1 +1,6 @@
/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
+
++/usr/lib/systemd/system/netlabel.* -- gen_context(system_u:object_r:netlabel_mgmt_unit_file_t,s0)
++
+/usr/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
++/usr/sbin/netlabel-config -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
-index cbbda4a..8dcc346 100644
+index cbbda4a..1136c7b 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
-@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t)
+@@ -7,9 +7,13 @@ policy_module(netlabel, 1.3.0)
+
+ type netlabel_mgmt_t;
+ type netlabel_mgmt_exec_t;
++init_daemon_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ application_domain(netlabel_mgmt_t, netlabel_mgmt_exec_t)
+ role system_r types netlabel_mgmt_t;
+
++type netlabel_mgmt_unit_file_t;
++systemd_unit_file(netlabel_mgmt_unit_file_t)
++
+ ########################################
+ #
+ # NetLabel Management Tools Local policy
+@@ -19,10 +23,20 @@ role system_r types netlabel_mgmt_t;
+ allow netlabel_mgmt_t self:capability net_admin;
+ allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
++can_exec(netlabel_mgmt_t, netlabel_mgmt_t)
++
+ kernel_read_network_state(netlabel_mgmt_t)
+
++corecmd_exec_bin(netlabel_mgmt_t)
++corecmd_exec_shell(netlabel_mgmt_t)
++
files_read_etc_files(netlabel_mgmt_t)
+term_use_all_inherited_terms(netlabel_mgmt_t)
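Review bot: `can_exec(netlabel_mgmt_t, netlabel_mgmt_t)` names the process domain as the file type to be executed; netlabel_mgmt_t is never assigned to a file, so this rule can never match and the intended self-exec (netlabel-config invoking netlabelctl, judging by the new .fc entries) is presumably `can_exec(netlabel_mgmt_t, netlabel_mgmt_exec_t)`. Separately, `corecmd_exec_bin(netlabel_mgmt_t)` and `corecmd_exec_shell(netlabel_mgmt_t)` turn a domain holding `net_admin` into one that runs arbitrary shell and binaries, so the .te should carry a comment naming the script that needs it, e.g. `# netlabel-config is a shell wrapper around netlabelctl (confirm)`. The `/usr/lib/systemd/system/netlabel.*` pattern also matches any unit whose name merely starts with "netlabel"; `netlabel\.service` would be tighter if that is the only unit shipped.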
@@ -38579,7 +38617,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..e59f458 100644
+index 3c5dba7..29b497d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40304,58 +40342,73 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -1772,7 +2246,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2246,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
-## Delete all user home content directories.
+## Delete directories in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_user_home_content_dirs',`
++ gen_require(`
++ type user_home_t;
++ ')
++
++ allow $1 user_home_t:dir delete_dir_perms;
++')
++
++########################################
++##
++## Delete all directories in a user home subdirectory.
##
##
##
-@@ -1780,19 +2254,17 @@ interface(`userdom_manage_user_home_content_dirs',`
- ##
- ##
+@@ -1782,49 +2274,67 @@ interface(`userdom_manage_user_home_content_dirs',`
#
--interface(`userdom_delete_all_user_home_content_dirs',`
-+interface(`userdom_delete_user_home_content_dirs',`
+ interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
- attribute user_home_content_type;
- type user_home_dir_t;
-+ type user_home_t;
++ attribute user_home_type;
')
- userdom_search_user_home_dirs($1)
- delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_t:dir delete_dir_perms;
++ allow $1 user_home_type:dir delete_dir_perms;
')
########################################
##
-## Delete directories in a user home subdirectory.
-+## Delete all directories in a user home subdirectory.
++## Set the attributes of user home files.
##
##
##
-@@ -1800,31 +2272,31 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+ ## Domain allowed access.
##
##
++##
#
-interface(`userdom_delete_user_home_content_dirs',`
-+interface(`userdom_delete_all_user_home_content_dirs',`
++interface(`userdom_setattr_user_home_content_files',`
gen_require(`
-- type user_home_t;
-+ attribute user_home_type;
+ type user_home_t;
')
- allow $1 user_home_t:dir delete_dir_perms;
-+ allow $1 user_home_type:dir delete_dir_perms;
++ allow $1 user_home_t:file setattr;
')
########################################
##
-## Set attributes of all user home content directories.
-+## Set the attributes of user home files.
++## Set the attributes of user tmp files.
##
##
##
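Review bot: The rebuilt `userdom_delete_all_user_home_content_dirs` reduces to `allow $1 user_home_type:dir delete_dir_perms;`, dropping both the `userdom_search_user_home_dirs($1)` call and the parent-directory side that the old `delete_files_pattern` form provided; if delete_dir_perms is the usual refpolicy `{ getattr rmdir }` set, a caller still needs `remove_name` on the containing directory, so the rmdir is denied unless the caller adds that itself. Consider `delete_dirs_pattern($1, user_home_type, user_home_type)` together with `userdom_search_user_home_dirs($1)` so the interface is self-sufficient, and give the new `userdom_delete_user_home_content_dirs` above it the same shape for consistency. The old body deleted files from an interface named for directories, so the rewrite is an improvement; the point is only that it stops one step short.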
@@ -40365,19 +40418,38 @@ index 3c5dba7..e59f458 100644
+##
#
-interface(`userdom_setattr_all_user_home_content_dirs',`
-+interface(`userdom_setattr_user_home_content_files',`
++interface(`userdom_setattr_user_tmp_files',`
gen_require(`
- attribute user_home_content_type;
-+ type user_home_t;
++ type user_tmp_t;
')
- userdom_search_user_home_dirs($1)
- allow $1 user_home_content_type:dir setattr_dir_perms;
-+ allow $1 user_home_t:file setattr;
++ allow $1 user_tmp_t:file setattr;
++')
++
++########################################
++##
++## Relabel user tmp files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_relabel_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file relabel_file_perms;
')
########################################
-@@ -1848,6 +2320,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2358,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -40403,7 +40475,7 @@ index 3c5dba7..e59f458 100644
## Mmap user home files.
##
##
-@@ -1878,14 +2369,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2407,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -40441,7 +40513,7 @@ index 3c5dba7..e59f458 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1896,11 +2409,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1896,11 +2447,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -40459,7 +40531,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -1941,7 +2457,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1941,7 +2495,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -40486,7 +40558,7 @@ index 3c5dba7..e59f458 100644
##
##
##
-@@ -1951,17 +2485,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1951,17 +2523,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
#
interface(`userdom_delete_all_user_home_content_files',`
gen_require(`
@@ -40507,7 +40579,7 @@ index 3c5dba7..e59f458 100644
##
##
##
-@@ -1969,12 +2501,48 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1969,12 +2539,48 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -40558,7 +40630,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -2010,8 +2578,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2010,8 +2616,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -40568,7 +40640,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -2027,20 +2594,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2632,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -40593,7 +40665,7 @@ index 3c5dba7..e59f458 100644
########################################
##
-@@ -2123,7 +2684,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -40602,7 +40674,7 @@ index 3c5dba7..e59f458 100644
##
##
##
-@@ -2131,19 +2692,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2730,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -40626,7 +40698,7 @@ index 3c5dba7..e59f458 100644
##
##
##
-@@ -2151,12 +2710,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2748,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -40642,7 +40714,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -2393,11 +2952,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +2990,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -40657,7 +40729,7 @@ index 3c5dba7..e59f458 100644
files_search_tmp($1)
')
-@@ -2417,7 +2976,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3014,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -40666,7 +40738,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -2664,6 +3223,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3261,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -40692,7 +40764,7 @@ index 3c5dba7..e59f458 100644
########################################
##
## Read user tmpfs files.
-@@ -2680,13 +3258,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3296,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -40708,7 +40780,7 @@ index 3c5dba7..e59f458 100644
##
##
##
-@@ -2707,7 +3286,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3324,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -40717,7 +40789,7 @@ index 3c5dba7..e59f458 100644
##
##
##
-@@ -2715,19 +3294,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3332,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -40731,66 +40803,28 @@ index 3c5dba7..e59f458 100644
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+ allow $1 user_tmpfs_t:file rw_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Get the attributes of a user domain tty.
-+## Execute user tmpfs files.
- ##
- ##
- ##
-@@ -2735,25 +3312,43 @@ interface(`userdom_manage_user_tmpfs_files',`
- ##
- ##
- #
--interface(`userdom_getattr_user_ttys',`
-+interface(`userdom_execute_user_tmpfs_files',`
- gen_require(`
-- type user_tty_device_t;
-+ type user_tmpfs_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
-+ allow $1 user_tmpfs_t:file execute;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes of a user domain tty.
-+## Get the attributes of a user domain tty.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`userdom_dontaudit_getattr_user_ttys',`
-+interface(`userdom_getattr_user_ttys',`
-+ gen_require(`
-+ type user_tty_device_t;
-+ ')
-+
-+ allow $1 user_tty_device_t:chr_file getattr_chr_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to get the attributes of a user domain tty.
++## Execute user tmpfs files.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_dontaudit_getattr_user_ttys',`
- gen_require(`
- type user_tty_device_t;
- ')
-@@ -2817,6 +3412,24 @@ interface(`userdom_use_user_ttys',`
++interface(`userdom_execute_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ allow $1 user_tmpfs_t:file execute;
+ ')
+
+ ########################################
+@@ -2817,6 +3450,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
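Review bot: `userdom_execute_user_tmpfs_files` grants `allow $1 user_tmpfs_t:file execute;` on content that unprivileged user domains can write, so any caller can run user-supplied code from shared memory; because the mapping is file-backed rather than anonymous, this sidesteps the execmem restriction that would otherwise flag such W+X behaviour. The body is a legitimate one-liner, but its summary `## Execute user tmpfs files.` should spell out the consequence and the intended consumer, e.g. `## Execute user tmpfs files. Allows running user-writable shared-memory content; restrict to domains that need JIT-style code loading (which caller? confirm).` The rest of this hunk only undoes an earlier mis-ordering of the tty interfaces and adds nothing new.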
@@ -40815,7 +40849,7 @@ index 3c5dba7..e59f458 100644
## Read and write a user domain pty.
##
##
-@@ -2835,22 +3448,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3486,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -40858,7 +40892,7 @@ index 3c5dba7..e59f458 100644
##
##
##
-@@ -2859,14 +3484,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3522,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -40896,7 +40930,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -2885,8 +3529,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3567,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -40926,7 +40960,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -2958,69 +3621,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3659,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -41027,7 +41061,7 @@ index 3c5dba7..e59f458 100644
##
##
##
-@@ -3028,12 +3690,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3728,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -41042,7 +41076,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -3097,7 +3759,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3797,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -41051,7 +41085,7 @@ index 3c5dba7..e59f458 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3775,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3813,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -41085,7 +41119,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -3217,7 +3863,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3901,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -41112,7 +41146,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -3272,7 +3936,64 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,7 +3974,64 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -41178,7 +41212,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -3290,7 +4011,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3290,7 +4049,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -41187,7 +41221,7 @@ index 3c5dba7..e59f458 100644
')
########################################
-@@ -3309,6 +4030,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3309,6 +4068,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -41195,7 +41229,7 @@ index 3c5dba7..e59f458 100644
kernel_search_proc($1)
')
-@@ -3385,6 +4107,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4145,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -41238,11 +41272,54 @@ index 3c5dba7..e59f458 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4163,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,7 +4201,7 @@ interface(`userdom_sigchld_all_users',`
########################################
##
+-## Create keys for all user domains.
+## Read keys for all user domains.
+ ##
+ ##
+ ##
+@@ -3413,17 +4209,17 @@ interface(`userdom_sigchld_all_users',`
+ ##
+ ##
+ #
+-interface(`userdom_create_all_users_keys',`
++interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+- allow $1 userdomain:key create;
++ allow $1 userdomain:key read;
+ ')
+
+ ########################################
+ ##
+-## Send a dbus message to all user domains.
++## Create keys for all user domains.
+ ##
+ ##
+ ##
+@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',`
+ ##
+ ##
+ #
+-interface(`userdom_dbus_send_all_users',`
++interface(`userdom_create_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+- class dbus send_msg;
+ ')
+
+- allow $1 userdomain:dbus send_msg;
++ allow $1 userdomain:key create;
++')
++
++########################################
++##
++## Send a dbus message to all user domains.
+##
+##
+##
@@ -41250,23 +41327,13 @@ index 3c5dba7..e59f458 100644
+##
+##
+#
-+interface(`userdom_read_all_users_keys',`
++interface(`userdom_dbus_send_all_users',`
+ gen_require(`
+ attribute userdomain;
++ class dbus send_msg;
+ ')
+
-+ allow $1 userdomain:key read;
-+')
-+
-+########################################
-+##
- ## Create keys for all user domains.
- ##
- ##
-@@ -3438,4 +4214,1491 @@ interface(`userdom_dbus_send_all_users',`
- ')
-
- allow $1 userdomain:dbus send_msg;
++ allow $1 userdomain:dbus send_msg;
+ ps_process_pattern($1, userdomain)
+')
+
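Review bot: `userdom_dbus_send_all_users` grants more than its summary says: the `ps_process_pattern($1, userdomain)` line, which appears to be carried over from the earlier version of the inner patch, lets every caller read the process state of all user domains in addition to sending dbus messages. A caller that only needs the bus permission silently inherits /proc read access to every user's processes, and the `## Send a dbus message to all user domains.` description gives no hint of it. Since `userdom_read_all_users_state` already exists a few hunks above, the cleaner form is to drop that line here and have the callers that need it call `userdom_read_all_users_state` explicitly; at minimum the summary should state both permissions.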
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 33aaaa1..6e928a5 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -518,7 +518,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..b4c749b 100644
+index cc43d25..da5b191 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -630,12 +630,12 @@ index cc43d25..b4c749b 100644
+
+#
+# Support for ABRT retrace server
-+#
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
++#
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
@@ -795,10 +795,14 @@ index cc43d25..b4c749b 100644
')
optional_policy(`
-@@ -209,6 +224,12 @@ optional_policy(`
+@@ -209,6 +224,16 @@ optional_policy(`
')
optional_policy(`
++ kdump_read_crash(abrt_t)
++')
++
++optional_policy(`
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
+ mozilla_plugin_read_rw_files(abrt_t)
+')
@@ -808,7 +812,7 @@ index cc43d25..b4c749b 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +241,7 @@ optional_policy(`
+@@ -220,6 +245,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -816,7 +820,7 @@ index cc43d25..b4c749b 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +252,7 @@ optional_policy(`
+@@ -230,6 +256,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -824,7 +828,7 @@ index cc43d25..b4c749b 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +263,17 @@ optional_policy(`
+@@ -240,9 +267,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -843,7 +847,7 @@ index cc43d25..b4c749b 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +284,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -858,7 +862,7 @@ index cc43d25..b4c749b 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +303,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -866,7 +870,7 @@ index cc43d25..b4c749b 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +312,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -887,7 +891,7 @@ index cc43d25..b4c749b 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +333,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -914,7 +918,7 @@ index cc43d25..b4c749b 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +369,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -928,7 +932,7 @@ index cc43d25..b4c749b 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +387,11 @@ optional_policy(`
+@@ -330,10 +391,11 @@ optional_policy(`
#######################################
#
@@ -942,7 +946,7 @@ index cc43d25..b4c749b 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +410,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1004,7 +1008,7 @@ index cc43d25..b4c749b 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +468,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1021,8 +1025,10 @@ index cc43d25..b4c749b 100644
#
-kernel_read_system_state(abrt_domain)
--
--files_read_etc_files(abrt_domain)
++allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
++allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
+
+ files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
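Review bot: The new `allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;` names the sock_file type as the peer, but `connectto` is checked against the label of the listening socket, which normally carries the creating process's domain, so unless the server deliberately creates its socket with that file label the rule never matches and the connect is still denied. The refpolicy idiom covers the file write and the peer check together: `stream_connect_pattern(abrt_domain, abrt_var_run_t, abrt_var_run_t, abrt_t)`, substituting whichever abrt domain actually binds the socket for `abrt_t` (not visible in this hunk). The preceding `sock_file write_sock_file_perms` line becomes redundant once that pattern is used.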
@@ -1253,10 +1259,35 @@ index 8b5ad06..8ce8f26 100644
optional_policy(`
unconfined_domain(ada_t)
diff --git a/afs.if b/afs.if
-index 3b41be6..188db36 100644
+index 3b41be6..97d99f9 100644
--- a/afs.if
+++ b/afs.if
-@@ -95,13 +95,17 @@ interface(`afs_initrc_domtrans',`
+@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
+
+ ########################################
+ ##
++## Read AFS config data
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`afs_read_config',`
++ gen_require(`
++ type afs_config_t;
++ ')
++
++ read_files_pattern($1, afs_config_t, afs_config_t)
++')
++
++########################################
++##
+ ## Read and write afs cache files.
+ ##
+ ##
+@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
interface(`afs_admin',`
gen_require(`
attribute afs_domain;
@@ -1278,7 +1309,7 @@ index 3b41be6..188db36 100644
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
-index 6690cdf..baf390f 100644
+index 6690cdf..7726644 100644
--- a/afs.te
+++ b/afs.te
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
@@ -1328,7 +1359,17 @@ index 6690cdf..baf390f 100644
seutil_read_config(afs_bosserver_t)
-@@ -175,12 +187,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
+@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms };
+ allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
+ allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+ manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
+
+@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
corenet_all_recvfrom_netlabel(afs_fsserver_t)
@@ -1345,7 +1386,7 @@ index 6690cdf..baf390f 100644
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
-@@ -190,7 +204,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
+@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
files_read_etc_runtime_files(afs_fsserver_t)
files_list_home(afs_fsserver_t)
@@ -1353,7 +1394,7 @@ index 6690cdf..baf390f 100644
files_list_pids(afs_fsserver_t)
files_dontaudit_search_mnt(afs_fsserver_t)
-@@ -224,7 +237,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+@@ -224,7 +234,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
@@ -1361,7 +1402,7 @@ index 6690cdf..baf390f 100644
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_node(afs_kaserver_t)
-@@ -239,7 +251,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
+@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
files_list_home(afs_kaserver_t)
@@ -1369,7 +1410,16 @@ index 6690cdf..baf390f 100644
seutil_read_config(afs_kaserver_t)
-@@ -262,7 +273,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
+ allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
+ allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
+-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
@@ -1377,7 +1427,7 @@ index 6690cdf..baf390f 100644
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
-@@ -274,6 +284,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
+@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
@@ -1386,7 +1436,16 @@ index 6690cdf..baf390f 100644
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
########################################
-@@ -293,7 +305,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
+ allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
+ allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
+
+-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
+-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
+-
+ manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
@@ -1394,15 +1453,18 @@ index 6690cdf..baf390f 100644
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
-@@ -314,8 +325,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
allow afs_domain self:udp_socket create_socket_perms;
-files_read_etc_files(afs_domain)
-
-miscfiles_read_localization(afs_domain)
--
++read_files_pattern(afs_domain, afs_config_t, afs_config_t)
++allow afs_domain afs_config_t:dir list_dir_perms;
+
sysnet_read_config(afs_domain)
++
diff --git a/aiccu.if b/aiccu.if
index 3b5dcb9..fbe187f 100644
--- a/aiccu.if
@@ -4533,7 +4595,7 @@ index 83e899c..c5be77c 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..a68bd53 100644
+index 1a82e29..40e2876 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5511,33 +5573,38 @@ index 1a82e29..a68bd53 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +771,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +771,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
- fs_exec_nfs_files(httpd_t)
+-')
+-
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+tunable_policy(`httpd_use_nfs',`
-+ fs_list_auto_mountpoints(httpd_t)
+ fs_list_auto_mountpoints(httpd_t)
+- fs_read_cifs_files(httpd_t)
+- fs_read_cifs_symlinks(httpd_t)
+ fs_manage_nfs_dirs(httpd_t)
+ fs_manage_nfs_files(httpd_t)
+ fs_manage_nfs_symlinks(httpd_t)
')
- tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-- fs_list_auto_mountpoints(httpd_t)
- fs_read_cifs_files(httpd_t)
- fs_read_cifs_symlinks(httpd_t)
- ')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_t)
--')
--
++
++tunable_policy(`httpd_use_nfs',`
++ automount_search_tmp_dirs(httpd_t)
+ ')
+
-tunable_policy(`httpd_execmem',`
- allow httpd_t self:process { execmem execstack };
--')
--
++tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(httpd_t)
++ fs_read_cifs_symlinks(httpd_t)
+ ')
+
tunable_policy(`httpd_can_sendmail',`
- corenet_sendrecv_smtp_client_packets(httpd_t)
+ # allow httpd to connect to mail servers
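Review bot: The second `tunable_policy(`httpd_use_nfs',` block calls `automount_search_tmp_dirs(httpd_t)` with no enclosing `optional_policy(`...')`, so when the automount module is not built the interface is undefined and the apache module fails to compile; cross-module calls elsewhere in this file are wrapped in `optional_policy`. Wrap it as `optional_policy(`` / `tunable_policy(`httpd_use_nfs',` automount_search_tmp_dirs(httpd_t) ')` / `')`. The run of tunable blocks continues outside the hunk.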
@@ -5557,12 +5624,8 @@ index 1a82e29..a68bd53 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_t)
-+ fs_manage_cifs_files(httpd_t)
-+ fs_manage_cifs_symlinks(httpd_t)
- ')
-
+-')
+-
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
@@ -5585,8 +5648,12 @@ index 1a82e29..a68bd53 100644
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
--')
--
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_t)
++ fs_manage_cifs_files(httpd_t)
++ fs_manage_cifs_symlinks(httpd_t)
+ ')
+
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
@@ -5596,7 +5663,7 @@ index 1a82e29..a68bd53 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +812,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +817,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5677,7 +5744,7 @@ index 1a82e29..a68bd53 100644
')
optional_policy(`
-@@ -743,14 +864,6 @@ optional_policy(`
+@@ -743,14 +869,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5692,7 +5759,7 @@ index 1a82e29..a68bd53 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +878,23 @@ optional_policy(`
+@@ -765,6 +883,23 @@ optional_policy(`
')
optional_policy(`
@@ -5716,7 +5783,7 @@ index 1a82e29..a68bd53 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +911,42 @@ optional_policy(`
+@@ -781,34 +916,42 @@ optional_policy(`
')
optional_policy(`
@@ -5770,7 +5837,7 @@ index 1a82e29..a68bd53 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +954,18 @@ optional_policy(`
+@@ -816,8 +959,18 @@ optional_policy(`
')
optional_policy(`
@@ -5789,7 +5856,7 @@ index 1a82e29..a68bd53 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +974,7 @@ optional_policy(`
+@@ -826,6 +979,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5797,7 +5864,7 @@ index 1a82e29..a68bd53 100644
')
optional_policy(`
-@@ -836,20 +985,39 @@ optional_policy(`
+@@ -836,20 +990,39 @@ optional_policy(`
')
optional_policy(`
@@ -5831,19 +5898,19 @@ index 1a82e29..a68bd53 100644
- ')
+optional_policy(`
+ puppet_read_lib(httpd_t)
-+')
-+
-+optional_policy(`
-+ pwauth_domtrans(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
++ pwauth_domtrans(httpd_t)
++')
++
++optional_policy(`
+ rpm_dontaudit_read_db(httpd_t)
')
optional_policy(`
-@@ -857,19 +1025,35 @@ optional_policy(`
+@@ -857,19 +1030,35 @@ optional_policy(`
')
optional_policy(`
@@ -5879,7 +5946,7 @@ index 1a82e29..a68bd53 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1061,170 @@ optional_policy(`
+@@ -877,65 +1066,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5949,10 +6016,11 @@ index 1a82e29..a68bd53 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -6011,11 +6079,10 @@ index 1a82e29..a68bd53 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6072,7 +6139,7 @@ index 1a82e29..a68bd53 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1233,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1238,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6227,7 +6294,7 @@ index 1a82e29..a68bd53 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1317,104 @@ optional_policy(`
+@@ -1077,172 +1322,104 @@ optional_policy(`
')
')
@@ -6252,7 +6319,8 @@ index 1a82e29..a68bd53 100644
-
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--
++allow httpd_sys_script_t self:process getsched;
+
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6260,8 +6328,7 @@ index 1a82e29..a68bd53 100644
-corenet_all_recvfrom_netlabel(httpd_script_domains)
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
-+allow httpd_sys_script_t self:process getsched;
-
+-
-corecmd_exec_all_executables(httpd_script_domains)
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@@ -6463,7 +6530,7 @@ index 1a82e29..a68bd53 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1422,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1427,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6560,7 +6627,7 @@ index 1a82e29..a68bd53 100644
########################################
#
-@@ -1315,8 +1497,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1502,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6577,14 +6644,15 @@ index 1a82e29..a68bd53 100644
')
########################################
-@@ -1324,49 +1513,36 @@ optional_policy(`
+@@ -1324,49 +1518,38 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
--
++auth_use_nsswitch(httpd_user_script_t)
+
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
@@ -6641,7 +6709,7 @@ index 1a82e29..a68bd53 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1552,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1559,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -7560,7 +7628,7 @@ index 92adb37..0a2ffc6 100644
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
-index 089430a..7cd037b 100644
+index 089430a..b0bed70 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -7571,7 +7639,33 @@ index 089430a..7cd037b 100644
interface(`automount_signal',`
gen_require(`
type automount_t;
-@@ -134,6 +133,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
+@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
+
+ ########################################
+ ##
++## Allow domain to search of automount temporary
++## directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`automount_search_tmp_dirs',`
++ gen_require(`
++ type automount_tmp_t;
++ ')
++
++ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
++')
++
++########################################
++##
+ ## Do not audit attempts to get
+ ## attributes of automount temporary
+ ## directories.
+@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
########################################
##
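Review bot: The parameter description of the new `automount_search_tmp_dirs` interface reads `## Domain to not audit.`, but the body is an allow (`search_dirs_pattern`), not a dontaudit, so it should read `## Domain allowed access.`; the wording looks copied from the neighbouring dontaudit interfaces. The summary `## Allow domain to search of automount temporary` also has a stray "of": `## Allow domain to search automount temporary` / `## directories.`. This interface is what the apache hunk earlier on this page consumes, so the doc should describe an allow.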
@@ -7601,7 +7695,7 @@ index 089430a..7cd037b 100644
## All of the rules required to
## administrate an automount environment.
##
-@@ -153,11 +175,16 @@ interface(`automount_admin',`
+@@ -153,11 +194,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
@@ -7619,7 +7713,7 @@ index 089430a..7cd037b 100644
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
-@@ -171,4 +198,8 @@ interface(`automount_admin',`
+@@ -171,4 +217,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
@@ -8266,7 +8360,7 @@ index 866a1e2..6c2dbe4 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 076ffee..9977c4d 100644
+index 076ffee..d4fb2a4 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8315,7 +8409,7 @@ index 076ffee..9977c4d 100644
domain_use_interactive_fds(named_t)
-@@ -170,6 +174,11 @@ tunable_policy(`named_write_master_zones',`
+@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -8324,10 +8418,14 @@ index 076ffee..9977c4d 100644
+')
+
+optional_policy(`
++ cron_system_entry(named_t, named_exec_t)
++')
++
++optional_policy(`
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -183,6 +192,7 @@ optional_policy(`
+@@ -183,6 +196,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(named, named_t)
@@ -8335,7 +8433,7 @@ index 076ffee..9977c4d 100644
')
optional_policy(`
-@@ -209,7 +219,8 @@ optional_policy(`
+@@ -209,7 +223,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -8345,7 +8443,7 @@ index 076ffee..9977c4d 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -223,10 +234,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -8357,7 +8455,7 @@ index 076ffee..9977c4d 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -15293,7 +15391,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..bf91ba9 100644
+index 28e1b86..9436993 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -15637,7 +15735,7 @@ index 28e1b86..bf91ba9 100644
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
-@@ -311,41 +249,42 @@ logging_set_loginuid(crond_t)
+@@ -311,41 +249,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -15674,6 +15772,10 @@ index 28e1b86..bf91ba9 100644
+
+optional_policy(`
+ logwatch_search_cache_dir(crond_t)
++')
++
++optional_policy(`
++ bind_read_config(crond_t)
')
ifdef(`distro_redhat',`
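Review bot: The new `optional_policy(` bind_read_config(crond_t) ')` block is appended after the logwatch block, whereas refpolicy convention keeps optional_policy blocks sorted alphabetically by module, which would place bind before logwatch; keeping the order makes later merges against upstream cleaner. The surrounding run of crond_t optional blocks starts and ends outside this hunk.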
@@ -15696,7 +15798,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -353,102 +292,136 @@ optional_policy(`
+@@ -353,102 +296,136 @@ optional_policy(`
')
optional_policy(`
@@ -15864,7 +15966,7 @@ index 28e1b86..bf91ba9 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-@@ -457,11 +430,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -457,11 +434,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -15877,7 +15979,7 @@ index 28e1b86..bf91ba9 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -481,6 +454,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -481,6 +458,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -15885,7 +15987,7 @@ index 28e1b86..bf91ba9 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -491,15 +465,19 @@ files_getattr_all_files(system_cronjob_t)
+@@ -491,15 +469,19 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@@ -15908,7 +16010,7 @@ index 28e1b86..bf91ba9 100644
init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +489,26 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +493,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -15938,7 +16040,7 @@ index 28e1b86..bf91ba9 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +518,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +522,17 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -15956,7 +16058,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -546,10 +537,6 @@ optional_policy(`
+@@ -546,10 +541,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -15967,7 +16069,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -581,6 +568,7 @@ optional_policy(`
+@@ -581,6 +572,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -15975,7 +16077,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -588,15 +576,19 @@ optional_policy(`
+@@ -588,15 +580,19 @@ optional_policy(`
')
optional_policy(`
@@ -15997,7 +16099,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -606,6 +598,7 @@ optional_policy(`
+@@ -606,6 +602,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -16005,7 +16107,7 @@ index 28e1b86..bf91ba9 100644
')
optional_policy(`
-@@ -613,12 +606,24 @@ optional_policy(`
+@@ -613,12 +610,24 @@ optional_policy(`
')
optional_policy(`
@@ -16032,7 +16134,7 @@ index 28e1b86..bf91ba9 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +631,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +635,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -16066,7 +16168,7 @@ index 28e1b86..bf91ba9 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +664,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +668,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -17920,7 +18022,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index afcf3a2..0730306 100644
+index afcf3a2..8c49f40 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -18162,7 +18264,7 @@ index afcf3a2..0730306 100644
- allow $1 session_bus_type:unix_stream_socket connectto;
- allow $1 session_bus_type:fd use;
-')
--
+
-#######################################
-##
-## Creating connections to specified
@@ -18188,7 +18290,7 @@ index afcf3a2..0730306 100644
- ')
-
- typeattribute $2 dbusd_session_bus_client;
-
+-
- allow $2 { $1_dbusd_t self }:dbus send_msg;
- allow $1_dbusd_t $2:dbus send_msg;
+ # For connecting to the bus
@@ -18476,7 +18578,7 @@ index afcf3a2..0730306 100644
##
##
##
-@@ -614,10 +448,72 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -614,10 +448,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -18494,6 +18596,25 @@ index afcf3a2..0730306 100644
+
+########################################
+##
++## Read all dbus pid files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`dbus_read_pid_files',`
++ gen_require(`
++ type system_dbusd_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
++')
++
++########################################
++##
+## Do not audit attempts to connect to
+## session bus types with a unix
+## stream socket.
@@ -18553,7 +18674,7 @@ index afcf3a2..0730306 100644
+ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..78bbb7d 100644
+index 2c2e7e1..493ab48 100644
--- a/dbus.te
+++ b/dbus.te
@@ -1,20 +1,18 @@
@@ -18678,7 +18799,7 @@ index 2c2e7e1..78bbb7d 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +118,155 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -18736,6 +18857,11 @@ index 2c2e7e1..78bbb7d 100644
+optional_policy(`
+ gnome_exec_gconf(system_dbusd_t)
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
+ ')
+
+ optional_policy(`
+- seutil_sigchld_newrole(system_dbusd_t)
++ nis_use_ypbind(system_dbusd_t)
+')
+
+optional_policy(`
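Review bot: `nis_use_ypbind(system_dbusd_t)` is likely redundant: `auth_use_nsswitch(system_dbusd_t)` is already applied to this domain (visible as context in the hunk just above), and refpolicy's `auth_use_nsswitch` already calls `nis_use_ypbind` inside its own optional block. If this was added to chase a denial, it is worth checking whether nis support is missing from `auth_use_nsswitch` in this policy tree rather than duplicating the call here.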
@@ -18751,10 +18877,9 @@ index 2c2e7e1..78bbb7d 100644
+
+optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
- ')
-
- optional_policy(`
-- seutil_sigchld_newrole(system_dbusd_t)
++')
++
++optional_policy(`
+ systemd_use_fds_logind(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_inhibit_pipes(system_dbusd_t)
@@ -18792,7 +18917,7 @@ index 2c2e7e1..78bbb7d 100644
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
-
++
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
@@ -18807,7 +18932,7 @@ index 2c2e7e1..78bbb7d 100644
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
-+
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
@@ -18848,7 +18973,7 @@ index 2c2e7e1..78bbb7d 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,23 +275,18 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -18873,7 +18998,7 @@ index 2c2e7e1..78bbb7d 100644
files_dontaudit_search_var(session_bus_type)
fs_getattr_romfs(session_bus_type)
-@@ -215,7 +294,6 @@ fs_getattr_xattr_fs(session_bus_type)
+@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -18881,7 +19006,7 @@ index 2c2e7e1..78bbb7d 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +303,36 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -18923,7 +19048,7 @@ index 2c2e7e1..78bbb7d 100644
')
########################################
-@@ -244,5 +340,6 @@ optional_policy(`
+@@ -244,5 +344,6 @@ optional_policy(`
# Unconfined access to this module
#
@@ -19594,7 +19719,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..d75b565 100644
+index ff933af..cd1d88d 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -19616,20 +19741,20 @@ index ff933af..d75b565 100644
type devicekit_tmp_t;
files_tmp_file(devicekit_tmp_t)
-@@ -45,11 +45,10 @@ kernel_read_system_state(devicekit_t)
+@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t)
dev_read_urand(devicekit_t)
-files_read_etc_files(devicekit_t)
-
+-
-miscfiles_read_localization(devicekit_t)
-
+-
optional_policy(`
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
dbus_system_bus_client(devicekit_t)
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
-@@ -64,7 +63,8 @@ optional_policy(`
+@@ -64,7 +61,8 @@ optional_policy(`
# Disk local policy
#
@@ -19639,7 +19764,7 @@ index ff933af..d75b565 100644
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,10 +81,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
@@ -19652,15 +19777,16 @@ index ff933af..d75b565 100644
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
-@@ -98,6 +99,7 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
+dev_rw_generic_blk_files(devicekit_disk_t)
++dev_rw_loop_control(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
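Review bot: `dev_rw_loop_control(devicekit_disk_t)` adds read/write on the loop-control device node with no comment recording which operation needs it; since that node creates and frees loop devices, a one-line reason helps later audits of this domain. Suggest `# attaches/detaches loop devices via loop-control` next to it, adjusted to the actual trigger (presumably a denial from loop setup in udisks — confirm). The devicekit_disk_t local policy section continues outside the hunk.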
-@@ -116,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
@@ -19670,7 +19796,7 @@ index ff933af..d75b565 100644
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
-@@ -134,16 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
@@ -19691,7 +19817,7 @@ index ff933af..d75b565 100644
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -167,6 +171,7 @@ optional_policy(`
+@@ -167,6 +170,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
@@ -19699,7 +19825,7 @@ index ff933af..d75b565 100644
')
optional_policy(`
-@@ -180,6 +185,11 @@ optional_policy(`
+@@ -180,6 +184,11 @@ optional_policy(`
')
optional_policy(`
@@ -19711,7 +19837,7 @@ index ff933af..d75b565 100644
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
')
-@@ -188,12 +198,19 @@ optional_policy(`
+@@ -188,12 +197,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -19732,7 +19858,7 @@ index ff933af..d75b565 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +224,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@@ -19743,7 +19869,7 @@ index ff933af..d75b565 100644
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
@@ -19763,7 +19889,7 @@ index ff933af..d75b565 100644
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +283,11 @@ optional_policy(`
+@@ -269,9 +282,11 @@ optional_policy(`
optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
@@ -19775,7 +19901,7 @@ index ff933af..d75b565 100644
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +318,11 @@ optional_policy(`
+@@ -302,8 +317,11 @@ optional_policy(`
')
optional_policy(`
@@ -19788,7 +19914,7 @@ index ff933af..d75b565 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -341,3 +360,9 @@ optional_policy(`
+@@ -341,3 +359,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -21664,7 +21790,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..4ebb0ad 100644
+index a7bfaf0..9a6a36e 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -21712,7 +21838,7 @@ index a7bfaf0..4ebb0ad 100644
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
-@@ -56,20 +54,17 @@ logging_log_file(dovecot_var_log_t)
+@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
@@ -21734,10 +21860,11 @@ index a7bfaf0..4ebb0ad 100644
kernel_read_all_sysctls(dovecot_domain)
-kernel_read_system_state(dovecot_domain)
++kernel_read_network_state(dovecot_domain)
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
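Review bot: `kernel_read_network_state(dovecot_domain)` is granted on the attribute, so every dovecot domain (the hunks below touch dovecot_t, dovecot_auth_t and dovecot_deliver_t) gets read access to kernel network state, not only the process that needed it. If a single domain triggered the denial, prefer granting it there, e.g. `kernel_read_network_state(dovecot_t)`; if it really is needed attribute-wide, a short comment saying why would justify the broader grant.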
-@@ -78,37 +73,46 @@ dev_read_sysfs(dovecot_domain)
+@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
@@ -21797,7 +21924,7 @@ index a7bfaf0..4ebb0ad 100644
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-@@ -120,45 +124,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
@@ -21854,7 +21981,7 @@ index a7bfaf0..4ebb0ad 100644
init_getattr_utmp(dovecot_t)
-@@ -166,44 +160,42 @@ auth_use_nsswitch(dovecot_t)
+@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
@@ -21917,7 +22044,7 @@ index a7bfaf0..4ebb0ad 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +213,63 @@ optional_policy(`
+@@ -221,46 +214,63 @@ optional_policy(`
########################################
#
@@ -21990,7 +22117,7 @@ index a7bfaf0..4ebb0ad 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +280,30 @@ optional_policy(`
+@@ -271,15 +281,30 @@ optional_policy(`
')
optional_policy(`
@@ -22022,7 +22149,7 @@ index a7bfaf0..4ebb0ad 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +313,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,35 +314,42 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22082,7 +22209,7 @@ index a7bfaf0..4ebb0ad 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +357,6 @@ optional_policy(`
+@@ -326,5 +358,6 @@ optional_policy(`
')
optional_policy(`
@@ -23370,10 +23497,18 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..7d63acb 100644
+index f0388cb..df501ec 100644
--- a/fetchmail.te
+++ b/fetchmail.te
-@@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen };
+@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
+ #
+ # Local policy
+ #
+-
++allow fetchmail_t self:capability setuid;
+ dontaudit fetchmail_t self:capability sys_tty_config;
+ allow fetchmail_t self:process { signal_perms setrlimit };
+ allow fetchmail_t self:unix_stream_socket { accept listen };
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
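Review bot: `allow fetchmail_t self:capability setuid;` is a new credential-changing capability with no comment explaining the use case (fetchmail dropping privileges after starting as root, presumably — confirm from the denial that prompted it). Capabilities that change UID are the first thing an auditor of this domain will question, so a why-comment is worth the line; suggest `# fetchmail switches to the configured user after startup` above the rule, adjusted to the real reason. Widening the hunk context up to the section header is fine.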
@@ -25055,10 +25190,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..3156ad4
+index 0000000..7244e2c
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,166 @@
+@@ -0,0 +1,167 @@
+policy_module(glusterfs, 1.0.1)
+
+##
@@ -25189,6 +25324,7 @@ index 0000000..3156ad4
+
+domain_use_interactive_fds(glusterd_t)
+
++fs_mount_all_fs(glusterd_t)
+fs_getattr_all_fs(glusterd_t)
+
+files_mounton_mnt(glusterd_t)
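Review bot: `fs_mount_all_fs(glusterd_t)` grants mount on every filesystem type, a large step up from the `fs_getattr_all_fs` it is placed next to; if glusterd only needs to mount its own bricks or FUSE-backed volumes, a per-filesystem fs_mount_* interface would express that more tightly. If the wide grant is intentional, add a comment such as `# mounts bricks of arbitrary filesystem types` so the breadth reads as deliberate. The glusterd_t local policy section starts and ends outside this hunk.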
@@ -31267,10 +31403,10 @@ index 0000000..dbe3f03
+')
+
diff --git a/kdump.fc b/kdump.fc
-index a49ae4e..1906ffe 100644
+index a49ae4e..913a0e3 100644
--- a/kdump.fc
+++ b/kdump.fc
-@@ -1,13 +1,13 @@
+@@ -1,13 +1,14 @@
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
@@ -31291,8 +31427,9 @@ index a49ae4e..1906ffe 100644
-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
++/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
diff --git a/kdump.if b/kdump.if
-index 3a00b3a..15d521b 100644
+index 3a00b3a..f6402dc 100644
--- a/kdump.if
+++ b/kdump.if
@@ -1,4 +1,4 @@
@@ -31363,12 +31500,50 @@ index 3a00b3a..15d521b 100644
##
##
##
-@@ -56,10 +100,27 @@ interface(`kdump_read_config',`
+@@ -56,10 +100,65 @@ interface(`kdump_read_config',`
allow $1 kdump_etc_t:file read_file_perms;
')
+#####################################
+##
++## Read kdump crash files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdump_read_crash',`
++ gen_require(`
++ type kdump_crash_t;
++ ')
++
++ files_search_var($1)
++ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
++')
++
++#####################################
++##
++## Read kdump crash files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kdump_manage_crash',`
++ gen_require(`
++ type kdump_crash_t;
++ ')
++
++ files_search_var($1)
++ manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
++')
++
++#####################################
++##
+## Dontaudit read kdump configuration file.
+##
+##
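Review bot: The summary for `kdump_manage_crash` is a copy-paste of the one above it — it reads `Read kdump crash files.` although the interface grants `manage_files_pattern`; it should say `Manage kdump crash files.`. Separately, `kdump_read_crash` only grants `search_dir_perms` on kdump_crash_t directories through read_files_pattern, so a caller that has to list the crash directory to find a dump would still be denied; consider adding `list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)` if that is the intended use.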
@@ -31393,7 +31568,7 @@ index 3a00b3a..15d521b 100644
##
##
##
-@@ -76,10 +137,31 @@ interface(`kdump_manage_config',`
+@@ -76,10 +175,31 @@ interface(`kdump_manage_config',`
allow $1 kdump_etc_t:file manage_file_perms;
')
@@ -31427,7 +31602,7 @@ index 3a00b3a..15d521b 100644
##
##
##
-@@ -88,19 +170,23 @@ interface(`kdump_manage_config',`
+@@ -88,19 +208,24 @@ interface(`kdump_manage_config',`
##
##
##
@@ -31444,6 +31619,7 @@ index 3a00b3a..15d521b 100644
+ type kdump_t, kdump_etc_t;
+ type kdump_initrc_exec_t;
+ type kdump_unit_file_t;
++ type kdump_crash_t
')
- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
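Review bot: The added gen_require line `type kdump_crash_t` is missing its terminating semicolon, unlike the three `type ...;` lines above it, so the expanded require block of `kdump_admin` will not parse; change it to `type kdump_crash_t;`. The interface body continues in the next hunk, where `admin_pattern($1, kdump_crash_t)` depends on this declaration.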
@@ -31456,18 +31632,21 @@ index 3a00b3a..15d521b 100644
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -110,6 +196,7 @@ interface(`kdump_admin',`
+@@ -110,6 +235,10 @@ interface(`kdump_admin',`
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
- files_search_tmp($1)
- admin_pattern($1, kdumpctl_tmp_t)
++ files_search_var($1)
++ admin_pattern($1, kdump_crash_t)
++
+ kdump_systemctl($1)
+ admin_pattern($1, kdump_unit_file_t)
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index 70f3007..bacefd5 100644
+index 70f3007..074a2ee 100644
--- a/kdump.te
+++ b/kdump.te
@@ -1,4 +1,4 @@
@@ -31476,7 +31655,13 @@ index 70f3007..bacefd5 100644
#######################################
#
-@@ -15,30 +15,33 @@ files_config_file(kdump_etc_t)
+@@ -12,35 +12,48 @@ init_system_domain(kdump_t, kdump_exec_t)
+ type kdump_etc_t;
+ files_config_file(kdump_etc_t)
+
++type kdump_crash_t;
++files_type(kdump_crash_t)
++
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
@@ -31502,6 +31687,11 @@ index 70f3007..bacefd5 100644
+allow kdump_t self:capability2 compromise_kernel;
-allow kdump_t kdump_etc_t:file read_file_perms;
++manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
++manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
++manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
++files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
++
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
-files_read_etc_files(kdump_t)
@@ -31514,8 +31704,12 @@ index 70f3007..bacefd5 100644
-kernel_read_system_state(kdump_t)
kernel_request_load_module(kdump_t)
++mls_file_read_all_levels(kdump_t)
++
dev_read_framebuffer(kdump_t)
-@@ -48,22 +51,27 @@ term_use_console(kdump_t)
+ dev_read_sysfs(kdump_t)
+
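Review bot: `mls_file_read_all_levels(kdump_t)` is an MLS override that lets kdump_t read files at every sensitivity level, and nothing in the hunk says why; on MLS systems a rule like this should carry its justification. Suggest a comment above it such as `# the crash image is saved regardless of the level of the files read` (adjusted to the actual trigger). The crash-directory rules (`manage_*_pattern` on kdump_crash_t plus `files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")`) are repeated verbatim for kdumpctl_t in the following hunk; if that stays, confirm kdumpctl_t needs to manage dumps rather than only read them.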
+@@ -48,22 +61,32 @@ term_use_console(kdump_t)
#######################################
#
@@ -31544,11 +31738,16 @@ index 70f3007..bacefd5 100644
+can_exec(kdumpctl_t, kdumpctl_tmp_t)
-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
++manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
++manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
++manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
++files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash")
++
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
kernel_read_system_state(kdumpctl_t)
-@@ -71,46 +79,56 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +94,56 @@ corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
@@ -34711,7 +34910,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..3baae66 100644
+index 7bab8e5..b88bbf3 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,18 @@
@@ -34924,7 +35123,7 @@ index 7bab8e5..3baae66 100644
')
optional_policy(`
-@@ -198,21 +218,22 @@ optional_policy(`
+@@ -198,21 +218,26 @@ optional_policy(`
')
optional_policy(`
@@ -34938,11 +35137,15 @@ index 7bab8e5..3baae66 100644
- openvswitch_read_pid_files(logrotate_t)
- openvswitch_domtrans(logrotate_t)
+ polipo_named_filetrans_log_files(logrotate_t)
++')
++
++optional_policy(`
++ psad_domtrans(logrotate_t)
')
optional_policy(`
- polipo_log_filetrans_log(logrotate_t, file, "polipo")
-+ psad_domtrans(logrotate_t)
++ rabbitmq_domtrans_beam(logrotate_t)
')
optional_policy(`
@@ -34951,7 +35154,7 @@ index 7bab8e5..3baae66 100644
')
optional_policy(`
-@@ -228,10 +249,20 @@ optional_policy(`
+@@ -228,10 +253,20 @@ optional_policy(`
')
optional_policy(`
@@ -34972,7 +35175,7 @@ index 7bab8e5..3baae66 100644
su_exec(logrotate_t)
')
-@@ -241,13 +272,11 @@ optional_policy(`
+@@ -241,13 +276,11 @@ optional_policy(`
#######################################
#
@@ -38216,7 +38419,7 @@ index 6ffaba2..154cade 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..35b2b47 100644
+index 6194b80..3209b1c 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -1,146 +1,75 @@
@@ -38383,10 +38586,10 @@ index 6194b80..35b2b47 100644
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+- can_exec($2, mozilla_plugin_rw_t)
+ mozilla_filetrans_home_content($2)
-- can_exec($2, mozilla_plugin_rw_t)
--
- optional_policy(`
- mozilla_dbus_chat_plugin($2)
- ')
@@ -38532,7 +38735,7 @@ index 6194b80..35b2b47 100644
')
########################################
-@@ -303,102 +195,103 @@ interface(`mozilla_domtrans',`
+@@ -303,102 +195,107 @@ interface(`mozilla_domtrans',`
type mozilla_t, mozilla_exec_t;
')
@@ -38640,9 +38843,12 @@ index 6194b80..35b2b47 100644
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 mozilla_plugin_t:process ptrace;
')
--
+
- corecmd_search_bin($1)
- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
++ optional_policy(`
++ lpd_run_lpr(mozilla_plugin_t, $2)
++ ')
')
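Review bot: `lpd_run_lpr(mozilla_plugin_t, $2)` now lives inside an interface whose header is outside this hunk, so the role passed as `$2` is granted lpr only for callers of that interface; the same commit removes `lpd_run_lpr(mozilla_plugin_t, mozilla_roles)` from mozilla.te, so any role that was covered by mozilla_roles but does not call this interface quietly loses lpr. Worth confirming every user of mozilla_roles goes through the interface, or keeping the attribute-based call in mozilla.te alongside this one.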
-########################################
@@ -38685,7 +38891,7 @@ index 6194b80..35b2b47 100644
')
########################################
-@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +321,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
@@ -38695,7 +38901,7 @@ index 6194b80..35b2b47 100644
##
##
##
-@@ -433,76 +325,108 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +329,108 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -38833,7 +39039,7 @@ index 6194b80..35b2b47 100644
##
##
##
-@@ -510,19 +434,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +438,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -38858,7 +39064,7 @@ index 6194b80..35b2b47 100644
##
##
##
-@@ -530,45 +453,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +457,53 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -38937,7 +39143,7 @@ index 6194b80..35b2b47 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..4440013 100644
+index 6a306ee..2288b0e 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -39208,11 +39414,11 @@ index 6a306ee..4440013 100644
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
-userdom_use_user_ptys(mozilla_t)
--
--userdom_manage_user_tmp_dirs(mozilla_t)
--userdom_manage_user_tmp_files(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
+-userdom_manage_user_tmp_dirs(mozilla_t)
+-userdom_manage_user_tmp_files(mozilla_t)
+-
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
@@ -39464,12 +39670,12 @@ index 6a306ee..4440013 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
@@ -39639,12 +39845,12 @@ index 6a306ee..4440013 100644
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
-userdom_manage_user_tmp_files(mozilla_plugin_t)
-+systemd_read_logind_sessions_files(mozilla_plugin_t)
-
+-
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
@@ -39704,7 +39910,7 @@ index 6a306ee..4440013 100644
')
optional_policy(`
-@@ -523,36 +509,48 @@ optional_policy(`
+@@ -523,36 +509,44 @@ optional_policy(`
')
optional_policy(`
@@ -39719,6 +39925,13 @@ index 6a306ee..4440013 100644
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
++')
++
++optional_policy(`
++ gnome_manage_config(mozilla_plugin_t)
++ gnome_read_usr_config(mozilla_plugin_t)
++ gnome_filetrans_home_content(mozilla_plugin_t)
++ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
@@ -39726,13 +39939,6 @@ index 6a306ee..4440013 100644
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
-+ gnome_manage_config(mozilla_plugin_t)
-+ gnome_read_usr_config(mozilla_plugin_t)
-+ gnome_filetrans_home_content(mozilla_plugin_t)
-+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
-+')
-+
-+optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
')
@@ -39744,10 +39950,6 @@ index 6a306ee..4440013 100644
optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
-+ lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-+')
-+
-+optional_policy(`
+ mplayer_exec(mozilla_plugin_t)
+ mplayer_manage_generic_home_content(mozilla_plugin_t)
+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
@@ -39766,7 +39968,7 @@ index 6a306ee..4440013 100644
')
optional_policy(`
-@@ -560,7 +558,7 @@ optional_policy(`
+@@ -560,7 +554,7 @@ optional_policy(`
')
optional_policy(`
@@ -39775,7 +39977,7 @@ index 6a306ee..4440013 100644
')
optional_policy(`
-@@ -568,108 +566,124 @@ optional_policy(`
+@@ -568,108 +562,126 @@ optional_policy(`
')
optional_policy(`
@@ -39850,6 +40052,7 @@ index 6a306ee..4440013 100644
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++mozilla_filetrans_home_content(mozilla_plugin_t)
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
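Review bot: `mozilla_filetrans_home_content(mozilla_plugin_t)` is added in the middle of the mozilla_plugin_config_t local policy (every neighbouring rule takes mozilla_plugin_config_t), while the next hunk adds the mozilla_plugin_config_t call separately; the rule works wherever it sits, but it belongs in the mozilla_plugin_t section so each per-domain section stays self-contained. Calling the module's own public interface from its .te is also uncommon in reference-policy style — the direct filetrans rules would read more plainly here — but that is a style point.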
@@ -39858,6 +40061,7 @@ index 6a306ee..4440013 100644
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
++mozilla_filetrans_home_content(mozilla_plugin_config_t)
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
@@ -43164,7 +43368,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..5f38792 100644
+index 9f6179e..0f6abcb 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -43345,7 +43549,8 @@ index 9f6179e..5f38792 100644
+# Local mysqld_safe policy
#
- allow mysqld_safe_t self:capability { chown dac_override fowner kill };
+-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
++allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
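Review bot: The capability set for mysqld_safe_t grows by `sys_nice sys_resource` with nothing recording why; `sys_resource` in particular lets the domain raise limits past the hard limit, which lines up with the `setrlimit` process permission on the next line but should be stated. Suggest `# mysqld_safe raises nice/open-files limits for mysqld` above the rule, adjusted to the actual denial that prompted it.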
@@ -43362,7 +43567,7 @@ index 9f6179e..5f38792 100644
-allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-+allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
++manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
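Review bot: Replacing `allow mysqld_safe_t mysqld_log_t:file manage_file_perms;` with `manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` also grants rw_dir_perms on mysqld_log_t directories, a quiet widening relative to the file-only rule it replaces. That is probably intended if mysqld_safe creates its log inside a mysqld_log_t directory, but a one-line comment such as `# creates its log under the mysqld_log_t dir` would make the directory access read as deliberate.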
@@ -44080,7 +44285,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..39b7add 100644
+index 44ad3b7..e5b268b 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -44162,7 +44367,7 @@ index 44ad3b7..39b7add 100644
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
-+manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
++manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
@@ -52786,7 +52991,7 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..74e4179 100644
+index 7bcf327..92780c3 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,17 +1,16 @@
@@ -52810,7 +53015,7 @@ index 7bcf327..74e4179 100644
type pegasus_cache_t;
files_type(pegasus_cache_t)
-@@ -30,20 +29,239 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,240 @@ files_type(pegasus_mof_t)
type pegasus_var_run_t;
files_pid_file(pegasus_var_run_t)
@@ -52990,6 +53195,7 @@ index 7bcf327..74e4179 100644
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
+
++
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
+
+dev_read_rand(pegasus_openlmi_storage_t)
@@ -53055,7 +53261,7 @@ index 7bcf327..74e4179 100644
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +272,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +273,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -53086,7 +53292,7 @@ index 7bcf327..74e4179 100644
kernel_read_network_state(pegasus_t)
kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +298,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +299,21 @@ kernel_read_net_sysctls(pegasus_t)
kernel_read_xen_state(pegasus_t)
kernel_write_xen_state(pegasus_t)
@@ -53119,7 +53325,7 @@ index 7bcf327..74e4179 100644
corecmd_exec_bin(pegasus_t)
corecmd_exec_shell(pegasus_t)
-@@ -114,6 +326,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,6 +327,7 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -53127,7 +53333,7 @@ index 7bcf327..74e4179 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -128,18 +341,25 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +342,25 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -53159,7 +53365,7 @@ index 7bcf327..74e4179 100644
')
optional_policy(`
-@@ -151,16 +371,24 @@ optional_policy(`
+@@ -151,16 +372,24 @@ optional_policy(`
')
optional_policy(`
@@ -53188,7 +53394,7 @@ index 7bcf327..74e4179 100644
')
optional_policy(`
-@@ -168,7 +396,7 @@ optional_policy(`
+@@ -168,7 +397,7 @@ optional_policy(`
')
optional_policy(`
@@ -57658,7 +57864,7 @@ index 2e23946..e9ac366 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..cddce7d 100644
+index 191a66f..2177e93 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -57722,7 +57928,15 @@ index 191a66f..cddce7d 100644
mta_mailserver(postfix_t, postfix_master_exec_t)
type postfix_initrc_exec_t;
-@@ -80,13 +79,13 @@ mta_mailserver_sender(postfix_smtp_t)
+@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe)
+
+ postfix_user_domain_template(postdrop)
+ mta_mailserver_user_agent(postfix_postdrop_t)
++mta_agent_executable(postfix_postdrop_t)
+
+ postfix_user_domain_template(postqueue)
+ mta_mailserver_user_agent(postfix_postqueue_t)
+@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t, postfix_spool_type;
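Review bot: `mta_agent_executable(postfix_postdrop_t)` passes the domain type where the interface expects an executable file type — in reference policy this interface adds its argument to the mta_exec_type attribute and marks it as an executable file, so the argument should almost certainly be `postfix_postdrop_exec_t` (the executable type paired with postfix_postdrop_t elsewhere in this file, e.g. in `cron_system_entry`). As written it would turn the domain type into a file type, which the compiler may accept but which yields meaningless labeling. Change it to `mta_agent_executable(postfix_postdrop_exec_t)`.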
@@ -57739,7 +57953,7 @@ index 191a66f..cddce7d 100644
type postfix_public_t;
files_type(postfix_public_t)
-@@ -94,6 +93,7 @@ files_type(postfix_public_t)
+@@ -94,6 +94,7 @@ files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@@ -57747,7 +57961,7 @@ index 191a66f..cddce7d 100644
type postfix_data_t;
files_type(postfix_data_t)
-@@ -102,160 +102,61 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -57933,7 +58147,7 @@ index 191a66f..cddce7d 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +164,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +165,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -58002,7 +58216,7 @@ index 191a66f..cddce7d 100644
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
-@@ -316,14 +211,11 @@ optional_policy(`
+@@ -316,14 +212,11 @@ optional_policy(`
')
optional_policy(`
@@ -58018,7 +58232,7 @@ index 191a66f..cddce7d 100644
postgrey_search_spool(postfix_master_t)
')
-@@ -333,12 +225,14 @@ optional_policy(`
+@@ -333,12 +226,14 @@ optional_policy(`
########################################
#
@@ -58035,7 +58249,7 @@ index 191a66f..cddce7d 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +249,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,37 +250,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -58082,7 +58296,7 @@ index 191a66f..cddce7d 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +284,50 @@ optional_policy(`
+@@ -393,36 +285,50 @@ optional_policy(`
########################################
#
@@ -58142,7 +58356,7 @@ index 191a66f..cddce7d 100644
')
optional_policy(`
-@@ -434,6 +339,7 @@ optional_policy(`
+@@ -434,6 +340,7 @@ optional_policy(`
')
optional_policy(`
@@ -58150,7 +58364,7 @@ index 191a66f..cddce7d 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +350,10 @@ optional_policy(`
+@@ -444,6 +351,10 @@ optional_policy(`
')
optional_policy(`
@@ -58161,7 +58375,7 @@ index 191a66f..cddce7d 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +368,17 @@ optional_policy(`
+@@ -458,15 +369,17 @@ optional_policy(`
########################################
#
@@ -58185,7 +58399,7 @@ index 191a66f..cddce7d 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +389,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -58205,7 +58419,7 @@ index 191a66f..cddce7d 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -492,7 +406,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -58213,7 +58427,7 @@ index 191a66f..cddce7d 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -500,21 +413,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -58239,7 +58453,7 @@ index 191a66f..cddce7d 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +437,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +438,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -58259,7 +58473,7 @@ index 191a66f..cddce7d 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +488,26 @@ optional_policy(`
+@@ -576,19 +489,26 @@ optional_policy(`
########################################
#
@@ -58291,7 +58505,7 @@ index 191a66f..cddce7d 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +522,7 @@ optional_policy(`
+@@ -603,10 +523,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -58303,7 +58517,7 @@ index 191a66f..cddce7d 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +537,24 @@ optional_policy(`
+@@ -621,17 +538,24 @@ optional_policy(`
#######################################
#
@@ -58331,7 +58545,7 @@ index 191a66f..cddce7d 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +570,77 @@ optional_policy(`
+@@ -647,67 +571,77 @@ optional_policy(`
########################################
#
@@ -58427,7 +58641,7 @@ index 191a66f..cddce7d 100644
')
optional_policy(`
-@@ -720,29 +653,30 @@ optional_policy(`
+@@ -720,29 +654,30 @@ optional_policy(`
########################################
#
@@ -58466,7 +58680,7 @@ index 191a66f..cddce7d 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +688,7 @@ optional_policy(`
+@@ -754,6 +689,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -58474,7 +58688,7 @@ index 191a66f..cddce7d 100644
')
optional_policy(`
-@@ -764,31 +699,99 @@ optional_policy(`
+@@ -764,31 +700,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -65687,24 +65901,78 @@ index 4b2c272..1aee969 100644
+ dbus_connect_system_bus(quota_nld_t)
')
diff --git a/rabbitmq.fc b/rabbitmq.fc
-index c5ad6de..c67dbef 100644
+index c5ad6de..a48c318 100644
--- a/rabbitmq.fc
+++ b/rabbitmq.fc
-@@ -4,7 +4,9 @@
+@@ -4,7 +4,11 @@
/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
++
++/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0)
/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
+diff --git a/rabbitmq.if b/rabbitmq.if
+index 2c3d338..cf3e5ad 100644
+--- a/rabbitmq.if
++++ b/rabbitmq.if
+@@ -10,13 +10,13 @@
+ ##
+ ##
+ #
+-interface(`rabbitmq_domtrans',`
++interface(`rabbitmq_domtrans_beam',`
+ gen_require(`
+- type rabbitmq_t, rabbitmq_exec_t;
++ type rabbitmq_beam_t, rabbitmq_beam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
++ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
+ ')
+
+ ########################################
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..b0e67e8 100644
+index 3698b51..7054723 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
-@@ -45,6 +45,8 @@ setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
+ type rabbitmq_var_lib_t;
+ files_type(rabbitmq_var_lib_t)
+
++type rabbitmq_var_lock_t;
++files_lock_file(rabbitmq_var_lock_t)
++
+ type rabbitmq_var_log_t;
+ logging_log_file(rabbitmq_var_log_t)
+
+@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t)
+ # Beam local policy
+ #
+
++allow rabbitmq_beam_t self:capability setuid;
++
+ allow rabbitmq_beam_t self:process { setsched signal signull };
+ allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
+ allow rabbitmq_beam_t self:tcp_socket { accept listen };
+@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+ manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+
+ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++
++manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
++files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, file)
+
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
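Review bot: Labelling /var/lib/ejabberd and /var/log/ejabberd with rabbitmq_var_lib_t and rabbitmq_var_log_t in the rabbitmq.fc lines merges two services' state into one type, so every manage_* rule on those types in rabbitmq.te reaches both services' data; if the Erlang distribution cookie sits under /var/lib/rabbitmq, as it commonly does, an ejabberd node running in rabbitmq_beam_t (which seems to be the intent here, though no ejabberd executable is relabelled in this hunk) could read it. Separate ejabberd types, or at least a comment in rabbitmq.fc such as `# ejabberd runs in rabbitmq_beam_t and shares its lib/log/lock types`, would make the sharing a recorded decision rather than an accident. Two further widenings in rabbitmq.te deserve a why-comment: `allow rabbitmq_beam_t self:capability setuid;` and the switch from append/create/setattr to `manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)`, which lets the daemon truncate or delete its own logs. Renaming the interface to `rabbitmq_domtrans_beam` drops `rabbitmq_domtrans`; any other module still calling the old name will fail to build, so a grep across the policy before merging is worthwhile.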
@@ -65713,7 +65981,7 @@ index 3698b51..b0e67e8 100644
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-@@ -54,6 +56,8 @@ kernel_read_system_state(rabbitmq_beam_t)
+@@ -54,11 +63,14 @@ kernel_read_system_state(rabbitmq_beam_t)
corecmd_exec_bin(rabbitmq_beam_t)
corecmd_exec_shell(rabbitmq_beam_t)
@@ -65722,7 +65990,13 @@ index 3698b51..b0e67e8 100644
corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-@@ -68,20 +72,35 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+ corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
+ corenet_tcp_bind_generic_node(rabbitmq_beam_t)
++corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
+
+ corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
+ corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
+@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
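Review bot: `corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)` gives the daemon outbound TCP to the entire ephemeral range rather than to a named port type, and nothing in the hunk records which peer needs it. If this is for Erlang node-to-node distribution, a comment saying so (and, where the deployment pins the distribution port range, a dedicated port type or a boolean gating the rule) would keep the grant reviewable. The same applies to `auth_use_pam(rabbitmq_beam_t)` in the following hunk, which pulls in password-checking helper access for a message broker without a note on which authentication backend requires it.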
@@ -65733,6 +66007,7 @@ index 3698b51..b0e67e8 100644
+domain_read_all_domains_state(rabbitmq_beam_t)
+
+auth_read_passwd(rabbitmq_beam_t)
++auth_use_pam(rabbitmq_beam_t)
-files_read_etc_files(rabbitmq_beam_t)
+files_getattr_all_mountpoints(rabbitmq_beam_t)
@@ -65747,12 +66022,18 @@ index 3698b51..b0e67e8 100644
sysnet_dns_name_resolve(rabbitmq_beam_t)
++logging_send_syslog_msg(rabbitmq_beam_t)
++
+optional_policy(`
+ couchdb_read_conf_files(rabbitmq_beam_t)
+ couchdb_read_log_files(rabbitmq_beam_t)
+ couchdb_manage_lib_files(rabbitmq_beam_t)
+')
+
++optional_policy(`
++ dbus_system_bus_client(rabbitmq_beam_t)
++')
++
########################################
#
# Epmd local policy
@@ -65762,7 +66043,7 @@ index 3698b51..b0e67e8 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +118,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -68744,7 +69025,7 @@ index 56bc01f..4699b1b 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..a4a6d82 100644
+index 2c2de9a..6b7a0f6 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -69142,18 +69423,23 @@ index 2c2de9a..a4a6d82 100644
')
optional_policy(`
-@@ -190,10 +469,6 @@ optional_policy(`
+@@ -190,12 +469,12 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_home_content(fenced_t)
--')
--
--optional_policy(`
- lvm_domtrans(fenced_t)
- lvm_read_config(fenced_t)
++ lvm_domtrans(fenced_t)
++ lvm_read_config(fenced_t)
')
-@@ -203,6 +478,13 @@ optional_policy(`
+
+ optional_policy(`
+- lvm_domtrans(fenced_t)
+- lvm_read_config(fenced_t)
++ sanlock_domtrans(fenced_t)
+ ')
+
+ optional_policy(`
+@@ -203,6 +482,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -69167,7 +69453,7 @@ index 2c2de9a..a4a6d82 100644
#######################################
#
# foghorn local policy
-@@ -221,16 +503,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
+@@ -221,16 +507,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
corenet_tcp_connect_agentx_port(foghorn_t)
corenet_tcp_sendrecv_agentx_port(foghorn_t)
@@ -69188,7 +69474,7 @@ index 2c2de9a..a4a6d82 100644
snmp_stream_connect(foghorn_t)
')
-@@ -257,6 +541,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +545,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -69197,7 +69483,7 @@ index 2c2de9a..a4a6d82 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +561,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +565,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -69239,7 +69525,7 @@ index 2c2de9a..a4a6d82 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +636,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +640,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -74593,7 +74879,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..ea8d79d 100644
+index 57c034b..aa2be40 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -75567,7 +75853,11 @@ index 57c034b..ea8d79d 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -837,13 +841,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+@@ -834,16 +838,19 @@ optional_policy(`
+ #
+
+ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
++allow winbind_t self:capability2 block_suspend;
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
@@ -75587,7 +75877,7 @@ index 57c034b..ea8d79d 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +859,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +860,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -75598,7 +75888,7 @@ index 57c034b..ea8d79d 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +870,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +871,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -75628,7 +75918,7 @@ index 57c034b..ea8d79d 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +893,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +894,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -75649,7 +75939,7 @@ index 57c034b..ea8d79d 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +911,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +912,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -75660,7 +75950,7 @@ index 57c034b..ea8d79d 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,18 +919,24 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,18 +920,24 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -75687,7 +75977,7 @@ index 57c034b..ea8d79d 100644
optional_policy(`
ctdbd_stream_connect(winbind_t)
-@@ -936,7 +944,12 @@ optional_policy(`
+@@ -936,7 +945,12 @@ optional_policy(`
')
optional_policy(`
@@ -75700,7 +75990,7 @@ index 57c034b..ea8d79d 100644
')
optional_policy(`
-@@ -952,31 +965,29 @@ optional_policy(`
+@@ -952,31 +966,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -75738,7 +76028,7 @@ index 57c034b..ea8d79d 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +1001,38 @@ optional_policy(`
+@@ -990,25 +1002,38 @@ optional_policy(`
########################################
#
@@ -79874,10 +80164,18 @@ index 1fa51c1..82e111c 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index a8b1aaf..a09f2fe 100644
+index a8b1aaf..fc0a2be 100644
--- a/smokeping.te
+++ b/smokeping.te
-@@ -39,7 +39,6 @@ corecmd_exec_bin(smokeping_t)
+@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
+ #
+
+ dontaudit smokeping_t self:capability { dac_read_search dac_override };
++allow smokeping_t self:process signal_perms;
+ allow smokeping_t self:fifo_file rw_fifo_file_perms;
+ allow smokeping_t self:unix_stream_socket { accept listen };
+
+@@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t)
dev_read_urand(smokeping_t)
@@ -79885,7 +80183,7 @@ index a8b1aaf..a09f2fe 100644
files_search_tmp(smokeping_t)
auth_use_nsswitch(smokeping_t)
-@@ -47,8 +46,6 @@ auth_dontaudit_read_shadow(smokeping_t)
+@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t)
logging_send_syslog_msg(smokeping_t)
@@ -79894,7 +80192,7 @@ index a8b1aaf..a09f2fe 100644
mta_send_mail(smokeping_t)
netutils_domtrans_ping(smokeping_t)
-@@ -70,6 +67,8 @@ optional_policy(`
+@@ -70,6 +68,8 @@ optional_policy(`
files_search_tmp(httpd_smokeping_cgi_script_t)
files_search_var_lib(httpd_smokeping_cgi_script_t)
@@ -85336,7 +85634,7 @@ index 9957e30..cf0b925 100644
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
-index f455e70..d2778d3 100644
+index f455e70..a3b440c 100644
--- a/tftp.te
+++ b/tftp.te
@@ -1,4 +1,4 @@
@@ -85444,7 +85742,7 @@ index f455e70..d2778d3 100644
domain_use_interactive_fds(tftpd_t)
files_read_etc_runtime_files(tftpd_t)
-@@ -84,43 +88,44 @@ files_read_var_files(tftpd_t)
+@@ -84,43 +88,46 @@ files_read_var_files(tftpd_t)
files_read_var_symlinks(tftpd_t)
files_search_var(tftpd_t)
@@ -85462,6 +85760,8 @@ index f455e70..d2778d3 100644
userdom_dontaudit_use_user_terminals(tftpd_t)
-userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file })
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
++
++userdom_home_manager(tftpd_t)
tunable_policy(`tftp_anon_write',`
miscfiles_manage_public_files(tftpd_t)
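Review bot: `userdom_home_manager(tftpd_t)` is granted unconditionally, while the anonymous-write path right below it is gated by `tunable_policy(\`tftp_anon_write',`; as I read the Fedora userdomain policy, the home-manager attribute opens user home content on NFS/CIFS/fuse/ecryptfs under the use_*_home_dirs booleans, which is a wide grant for an unauthenticated network daemon. Consider moving the call inside the `tftp_anon_write` (or a dedicated `tftp_home_dir`) tunable, or adding a comment stating why serving from home directories must be on by default. The hunk also removes the narrower `userdom_user_home_dir_filetrans_user_home_content` rule, so the net effect is a replacement of a type-transition rule with management rights; that trade-off is worth a sentence in the changelog beyond "Make tfptd as home_manager".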
@@ -85810,10 +86110,10 @@ index 0000000..92b6843
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
-index 0000000..74cd27c
+index 0000000..8b2dfff
--- /dev/null
+++ b/thumb.if
-@@ -0,0 +1,129 @@
+@@ -0,0 +1,130 @@
+
+## policy for thumb
+
@@ -85865,9 +86165,10 @@ index 0000000..74cd27c
+
+ dontaudit thumb_t $1:dir list_dir_perms;
+ dontaudit thumb_t $1:file read_file_perms;
++ dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
+
-+ allow thumb_t $1:shm rw_shm_perms;
-+ allow thumb_t $1:sem create_sem_perms;
++ allow thumb_t $1:shm create_shm_perms;
++ allow thumb_t $1:sem create_sem_perms;
+')
+
+########################################
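Review bot: Widening `allow thumb_t $1:shm rw_shm_perms;` to `create_shm_perms` lets the thumbnailer create, destroy and setattr shared-memory segments owned by the calling user's domain rather than only attach to and read/write existing ones; because thumb_t parses untrusted media files, a comment naming the consumer that needs segment creation would help keep this interface minimal. The added `dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;` matches the changelog's leaked-descriptor fix and, being dontaudit rather than allow, does not widen access. The enclosing interface's header is outside this hunk.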
@@ -88739,7 +89040,7 @@ index c30da4c..898ce74 100644
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..378880d 100644
+index 9dec06c..bdba959 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -89245,16 +89546,16 @@ index 9dec06c..378880d 100644
########################################
##
-## Relabel virt content.
-+## Read virt PID files.
++## Read virt PID symlinks files.
##
##
##
-@@ -495,53 +312,40 @@ interface(`virt_manage_virt_content',`
+@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',`
##
##
#
-interface(`virt_relabel_virt_content',`
-+interface(`virt_read_pid_files',`
++interface(`virt_read_pid_symlinks',`
gen_require(`
- type virt_content_t;
+ type virt_var_run_t;
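Review bot: The summary line for the new interface reads `## Read virt PID symlinks files.`, which is ungrammatical; `## Read virt PID symlinks.` describes what `read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)` grants. Since the interface is inserted ahead of `virt_read_pid_files`, it would help maintainers to note in the summary that it covers only the lnk_file class and that callers needing file content should use virt_read_pid_files. The interface body continues past the end of this hunk.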
@@ -89268,14 +89569,14 @@ index 9dec06c..378880d 100644
- allow $1 virt_content_t:sock_file relabel_sock_file_perms;
- allow $1 virt_content_t:blk_file relabel_blk_file_perms;
+ files_search_pids($1)
-+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
##
-## Create specified objects in user home
-## directories with the virt content type.
-+## Manage virt pid directories.
++## Read virt PID files.
##
##
##
@@ -89294,34 +89595,31 @@ index 9dec06c..378880d 100644
-##
#
-interface(`virt_home_filetrans_virt_content',`
-+interface(`virt_manage_pid_dirs',`
++interface(`virt_read_pid_files',`
gen_require(`
- type virt_content_t;
+ type virt_var_run_t;
-+ type virt_lxc_var_run_t;
')
- virt_home_filetrans($1, virt_content_t, $2, $3)
+ files_search_pids($1)
-+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
-+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
-+ virt_filetrans_named_content($1)
++ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
########################################
##
-## Create, read, write, and delete
-## svirt home content.
-+## Manage virt pid files.
++## Manage virt pid directories.
##
##
##
-@@ -549,67 +353,36 @@ interface(`virt_home_filetrans_virt_content',`
+@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',`
##
##
#
-interface(`virt_manage_svirt_home_content',`
-+interface(`virt_manage_pid_files',`
++interface(`virt_manage_pid_dirs',`
gen_require(`
- type svirt_home_t;
- ')
@@ -89347,48 +89645,59 @@ index 9dec06c..378880d 100644
- fs_manage_cifs_symlinks($1)
- ')
+ files_search_pids($1)
-+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
-+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
++ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
++ virt_filetrans_named_content($1)
')
########################################
##
-## Relabel svirt home content.
-+## Create objects in the pid directory
-+## with a private type with a type transition.
++## Manage virt pid files.
##
##
##
- ## Domain allowed access.
+@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',`
##
##
--#
+ #
-interface(`virt_relabel_svirt_home_content',`
-- gen_require(`
++interface(`virt_manage_pid_files',`
+ gen_require(`
- type svirt_home_t;
-- ')
--
++ type virt_var_run_t;
++ type virt_lxc_var_run_t;
+ ')
+
- userdom_search_user_home_dirs($1)
- allow $1 svirt_home_t:dir relabel_dir_perms;
- allow $1 svirt_home_t:file relabel_file_perms;
- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms;
- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms;
- allow $1 svirt_home_t:sock_file relabel_sock_file_perms;
--')
--
--########################################
--##
++ files_search_pids($1)
++ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
++ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
+ ')
+
+ ########################################
+ ##
-## Create specified objects in user home
-## directories with the svirt home type.
--##
--##
-+##
++## Create objects in the pid directory
++## with a private type with a type transition.
+ ##
+ ##
##
--## Domain allowed access.
-+## Type to which the created node will be transitioned.
+ ## Domain allowed access.
##
##
-##
++##
++##
++## Type to which the created node will be transitioned.
++##
++##
+##
##
-## Class of the object being created.
@@ -89397,7 +89706,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -618,54 +391,36 @@ interface(`virt_relabel_svirt_home_content',`
+@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',`
##
##
#
@@ -89461,7 +89770,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -673,54 +428,38 @@ interface(`virt_home_filetrans',`
+@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',`
##
##
#
@@ -89528,7 +89837,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -728,52 +467,39 @@ interface(`virt_manage_generic_virt_home_content',`
+@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',`
##
##
#
@@ -89593,7 +89902,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -781,19 +507,18 @@ interface(`virt_home_filetrans_virt_home',`
+@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',`
##
##
#
@@ -89618,7 +89927,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -801,18 +526,19 @@ interface(`virt_read_pid_files',`
+@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',`
##
##
#
@@ -89643,7 +89952,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -820,18 +546,18 @@ interface(`virt_manage_pid_files',`
+@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',`
##
##
#
@@ -89667,7 +89976,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -839,20 +565,73 @@ interface(`virt_search_lib',`
+@@ -839,20 +584,73 @@ interface(`virt_search_lib',`
##
##
#
@@ -89746,7 +90055,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -860,115 +639,245 @@ interface(`virt_read_lib_files',`
+@@ -860,115 +658,245 @@ interface(`virt_read_lib_files',`
##
##
#
@@ -89957,13 +90266,13 @@ index 9dec06c..378880d 100644
##
-## Domain allowed access.
+## Domain allowed access
- ##
- ##
++##
++##
+##
+##
+## The role to be allowed the sandbox domain.
-+##
-+##
+ ##
+ ##
+##
#
-interface(`virt_append_log',`
@@ -90029,7 +90338,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -976,18 +885,17 @@ interface(`virt_manage_log',`
+@@ -976,18 +904,17 @@ interface(`virt_manage_log',`
##
##
#
@@ -90052,7 +90361,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -995,36 +903,35 @@ interface(`virt_search_images',`
+@@ -995,36 +922,35 @@ interface(`virt_search_images',`
##
##
#
@@ -90108,7 +90417,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -1032,58 +939,57 @@ interface(`virt_read_images',`
+@@ -1032,58 +958,57 @@ interface(`virt_read_images',`
##
##
#
@@ -90188,7 +90497,7 @@ index 9dec06c..378880d 100644
##
##
##
-@@ -1091,95 +997,169 @@ interface(`virt_manage_virt_cache',`
+@@ -1091,95 +1016,169 @@ interface(`virt_manage_virt_cache',`
##
##
#
@@ -90418,7 +90727,7 @@ index 9dec06c..378880d 100644
+ allow $1 svirt_image_t:chr_file rw_file_perms;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..6b715d6 100644
+index 1f22fba..2757963 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,97 @@
@@ -91146,7 +91455,7 @@ index 1f22fba..6b715d6 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +444,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +444,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -91170,6 +91479,8 @@ index 1f22fba..6b715d6 100644
+userdom_list_user_home_content(virtd_t)
+userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
++userdom_relabel_user_tmp_files(virtd_t)
++userdom_setattr_user_tmp_files(virtd_t)
+userdom_relabel_user_home_files(virtd_t)
+userdom_setattr_user_home_content_files(virtd_t)
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
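Review bot: `userdom_relabel_user_tmp_files(virtd_t)` and `userdom_setattr_user_tmp_files(virtd_t)` are added without a comment on which virtd workflow relabels files in users' tmp directories; relabel rights are the mechanism by which a domain moves content between types, so the target types virtd is expected to relabel to (presumably its image or svirt types, but that is not visible here) are worth stating. A one-line comment such as `# relabel user tmp content handed to virtd as disk images — TODO confirm target types` above the pair would let a later reviewer verify the grant stays narrow.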
@@ -91181,7 +91492,7 @@ index 1f22fba..6b715d6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +470,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +472,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -91190,7 +91501,7 @@ index 1f22fba..6b715d6 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,95 +495,325 @@ optional_policy(`
+@@ -658,95 +497,326 @@ optional_policy(`
')
optional_policy(`
@@ -91448,6 +91759,7 @@ index 1f22fba..6b715d6 100644
+ virt_read_lib_files(virt_domain)
+ virt_read_content(virt_domain)
+ virt_stream_connect(virt_domain)
++ virt_read_pid_symlinks(virt_domain)
+ virt_domtrans_bridgehelper(virt_domain)
')
@@ -91562,7 +91874,7 @@ index 1f22fba..6b715d6 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +825,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +828,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91593,7 +91905,7 @@ index 1f22fba..6b715d6 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +845,18 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +848,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -91620,7 +91932,7 @@ index 1f22fba..6b715d6 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +865,22 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +868,22 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -91652,7 +91964,7 @@ index 1f22fba..6b715d6 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,14 +898,20 @@ optional_policy(`
+@@ -847,14 +901,20 @@ optional_policy(`
')
optional_policy(`
@@ -91674,7 +91986,7 @@ index 1f22fba..6b715d6 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +936,45 @@ optional_policy(`
+@@ -879,34 +939,45 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -91729,7 +92041,7 @@ index 1f22fba..6b715d6 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +984,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +987,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -91747,7 +92059,7 @@ index 1f22fba..6b715d6 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +1006,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +1009,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -91758,7 +92070,7 @@ index 1f22fba..6b715d6 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +1015,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +1018,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -91766,7 +92078,7 @@ index 1f22fba..6b715d6 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1027,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1030,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -91785,7 +92097,7 @@ index 1f22fba..6b715d6 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,21 +1041,39 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1044,39 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -91833,7 +92145,7 @@ index 1f22fba..6b715d6 100644
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
allow svirt_lxc_domain self:shm create_shm_perms;
-@@ -995,18 +1081,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,18 +1084,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -91860,7 +92172,7 @@ index 1f22fba..6b715d6 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1099,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1102,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -91880,7 +92192,7 @@ index 1f22fba..6b715d6 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1118,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1121,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -91907,7 +92219,7 @@ index 1f22fba..6b715d6 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1143,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1146,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -92047,7 +92359,7 @@ index 1f22fba..6b715d6 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1242,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1245,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -92062,7 +92374,7 @@ index 1f22fba..6b715d6 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1260,8 @@ optional_policy(`
+@@ -1183,9 +1263,8 @@ optional_policy(`
########################################
#
@@ -92073,7 +92385,7 @@ index 1f22fba..6b715d6 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1274,115 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1277,115 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index cbfc18d..cbdeaac 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 69%{?dist}
+Release: 70%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -539,6 +539,42 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Aug 8 2013 Miroslav Grepl 3.12.1-70
+- Add label for /var/crash
+- Allow fenced to domtrans to sanclok_t
+- Allow nagios to manage nagios spool files
+- Make tfptd as home_manager
+- Allow kdump to read kcore on MLS system
+- Allow mysqld-safe sys_nice/sys_resource caps
+- Allow apache to search automount tmp dirs if http_use_nfs is enabled
+- Allow crond to transition to named_t, for use with unbound
+- Allow crond to look at named_conf_t, for unbound
+- Allow mozilla_plugin_t to transition its home content
+- Allow dovecot_domain to read all system and network state
+- Allow semanage to read pid files
+- Dontaudit leaked file descriptors from user domain into thumb
+- Add fixes for rabbit to fix ##992920,#99293
+- Make NFS home, NIS authentication and dbus-daemon working
+- Fix thumb_run()
+- winbind wants block_suspend
+- Fix typo in smokeping.te
+- Fix rabbit.te
+- Remove dup rule for dovecot.te
+- Fix abrt.te
+- Allow afs domains to read afs_config files
+- Allow login programs to read afs config
+- Allow virt_domain to read virt_var_run_t symlinks
+- Allow smokeping to send its process signals
+- Allow fetchmail to setuid
+- Add kdump_manage_crash() interface
+- Allow abrt domain to write abrt.socket
+- Add append to the dontaudit for unix_stream_socket of xdm_t leak
+- Allow xdm_t to create symlinks in log direcotries
+- Allow login programs to read afs config
+- Fix rules for creating pluto pid files
+- Fix userdom_relabel_user_tmp_files()
+- Label 10933 as a pop port, for dovecot
+
* Fri Aug 2 2013 Miroslav Grepl 3.12.1-69
- Add fix for pand service
- Fix pegasus.te