diff --git a/policy-f19-base.patch b/policy-f19-base.patch
index d5daf33..63fd39f 100644
--- a/policy-f19-base.patch
+++ b/policy-f19-base.patch
@@ -20167,7 +20167,7 @@ index fe0c682..225aaa7 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..dac68b3 100644
+index 5fc0391..2d08ed2 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3)
@@ -20470,7 +20470,7 @@ index 5fc0391..dac68b3 100644
')
optional_policy(`
-@@ -257,11 +307,24 @@ optional_policy(`
+@@ -257,11 +307,28 @@ optional_policy(`
')
optional_policy(`
@@ -20492,11 +20492,15 @@ index 5fc0391..dac68b3 100644
optional_policy(`
- kerberos_keytab_template(sshd, sshd_t)
++ lvm_domtrans(sshd_t)
++')
++
++optional_policy(`
+ nx_read_home_files(sshd_t)
')
optional_policy(`
-@@ -269,6 +332,10 @@ optional_policy(`
+@@ -269,6 +336,10 @@ optional_policy(`
')
optional_policy(`
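Review bot: The new `optional_policy` block calling `lvm_domtrans(sshd_t)` lets the network-facing `sshd_t` domain transition into the LVM domain, and nothing in ssh.te records why. The same commit labels `/sbin/umount\.crypt` as `lvm_exec_t` in lvm.fc, so this is presumably for crypt mount helpers run at login or logout, but that is an inference and should be confirmed. Please add a comment above the call naming the caller and the bug, e.g. `# sshd session setup runs (u)mount.crypt, labeled lvm_exec_t`. Also check whether the other login domains need the same rule, so the grant is not sshd-specific by accident.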
@@ -20507,7 +20511,7 @@ index 5fc0391..dac68b3 100644
rpm_use_script_fds(sshd_t)
')
-@@ -279,13 +346,69 @@ optional_policy(`
+@@ -279,13 +350,69 @@ optional_policy(`
')
optional_policy(`
@@ -20577,7 +20581,7 @@ index 5fc0391..dac68b3 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +417,26 @@ optional_policy(`
+@@ -294,19 +421,26 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -20605,7 +20609,7 @@ index 5fc0391..dac68b3 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +453,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -20618,7 +20622,7 @@ index 5fc0391..dac68b3 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +467,138 @@ optional_policy(`
+@@ -331,3 +471,138 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -20915,7 +20919,7 @@ index d1f64a0..8f50bb9 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..188613e 100644
+index 6bf0ecc..15e1047 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -18,100 +18,37 @@
@@ -21869,7 +21873,7 @@ index 6bf0ecc..188613e 100644
')
########################################
-@@ -1284,10 +1655,622 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1655,623 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -22369,6 +22373,7 @@ index 6bf0ecc..188613e 100644
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c")
++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth")
+ userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors")
@@ -22495,7 +22500,7 @@ index 6bf0ecc..188613e 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..509319f 100644
+index 2696452..df66dcb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -22745,7 +22750,7 @@ index 2696452..509319f 100644
')
########################################
-@@ -247,48 +321,88 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -22811,6 +22816,7 @@ index 2696452..509319f 100644
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c")
++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth")
+userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth")
@@ -22845,7 +22851,7 @@ index 2696452..509319f 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +413,107 @@ optional_policy(`
+@@ -299,64 +414,107 @@ optional_policy(`
# XDM Local policy
#
@@ -22963,7 +22969,7 @@ index 2696452..509319f 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +522,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +523,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -22995,7 +23001,7 @@ index 2696452..509319f 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +554,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +555,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -23048,7 +23054,7 @@ index 2696452..509319f 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +606,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +607,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23077,7 +23083,7 @@ index 2696452..509319f 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +636,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +637,43 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23124,7 +23130,7 @@ index 2696452..509319f 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +681,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +682,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23275,7 +23281,7 @@ index 2696452..509319f 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +832,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +833,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -23302,7 +23308,7 @@ index 2696452..509319f 100644
')
optional_policy(`
-@@ -514,12 +859,72 @@ optional_policy(`
+@@ -514,12 +860,72 @@ optional_policy(`
')
optional_policy(`
@@ -23375,7 +23381,7 @@ index 2696452..509319f 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +942,78 @@ optional_policy(`
+@@ -537,28 +943,78 @@ optional_policy(`
')
optional_policy(`
@@ -23463,7 +23469,7 @@ index 2696452..509319f 100644
')
optional_policy(`
-@@ -570,6 +1025,14 @@ optional_policy(`
+@@ -570,6 +1026,14 @@ optional_policy(`
')
optional_policy(`
@@ -23478,7 +23484,7 @@ index 2696452..509319f 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1058,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -23491,7 +23497,7 @@ index 2696452..509319f 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1075,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -23507,7 +23513,7 @@ index 2696452..509319f 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1091,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -23518,7 +23524,7 @@ index 2696452..509319f 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1106,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -23540,7 +23546,7 @@ index 2696452..509319f 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1126,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -23554,7 +23560,7 @@ index 2696452..509319f 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1152,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -23586,7 +23592,7 @@ index 2696452..509319f 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1184,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -23604,7 +23610,7 @@ index 2696452..509319f 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1206,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1207,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -23628,7 +23634,7 @@ index 2696452..509319f 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1226,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -23637,7 +23643,7 @@ index 2696452..509319f 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1269,44 @@ optional_policy(`
+@@ -775,16 +1270,44 @@ optional_policy(`
')
optional_policy(`
@@ -23683,7 +23689,7 @@ index 2696452..509319f 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1315,10 @@ optional_policy(`
+@@ -793,6 +1316,10 @@ optional_policy(`
')
optional_policy(`
@@ -23694,7 +23700,7 @@ index 2696452..509319f 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1335,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -23708,7 +23714,7 @@ index 2696452..509319f 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1346,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -23717,7 +23723,7 @@ index 2696452..509319f 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1358,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1359,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -23752,7 +23758,7 @@ index 2696452..509319f 100644
')
optional_policy(`
-@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1424,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -23761,7 +23767,7 @@ index 2696452..509319f 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1478,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -23793,7 +23799,7 @@ index 2696452..509319f 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1524,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -30638,7 +30644,7 @@ index 4e94884..9b82ed0 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..bb695cf 100644
+index 39ea221..aae7b7d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -30954,7 +30960,7 @@ index 39ea221..bb695cf 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +575,36 @@ optional_policy(`
+@@ -502,15 +575,40 @@ optional_policy(`
')
optional_policy(`
@@ -30981,6 +30987,10 @@ index 39ea221..bb695cf 100644
')
optional_policy(`
++ psad_search_lib_files(syslogd_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(syslogd_t)
+ snmp_read_snmp_var_lib_files(syslogd_t)
+ snmp_dontaudit_write_snmp_var_lib_files(syslogd_t)
@@ -30991,7 +31001,7 @@ index 39ea221..bb695cf 100644
')
optional_policy(`
-@@ -521,3 +615,26 @@ optional_policy(`
+@@ -521,3 +619,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -31019,10 +31029,10 @@ index 39ea221..bb695cf 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..7daaff3 100644
+index 879bb1e..5aa4eeb 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',`
+@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
/etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
@@ -31039,6 +31049,7 @@ index 879bb1e..7daaff3 100644
# /sbin
#
+/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
++/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -31058,7 +31069,7 @@ index 879bb1e..7daaff3 100644
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',`
+@@ -88,8 +95,71 @@ ifdef(`distro_gentoo',`
#
# /usr
#
@@ -31132,7 +31143,7 @@ index 879bb1e..7daaff3 100644
#
# /var
-@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +167,8 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch
index 4ddf547..34382d4 100644
--- a/policy-f19-contrib.patch
+++ b/policy-f19-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..4e4cbd4 100644
+index e4f84de..2fe1152 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,40 @@
+@@ -1,30 +1,41 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -22,6 +22,7 @@ index e4f84de..4e4cbd4 100644
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@@ -518,7 +519,7 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..da5b191 100644
+index cc43d25..d345054 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -527,7 +528,7 @@ index cc43d25..da5b191 100644
########################################
#
-@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4)
+@@ -6,105 +6,128 @@ policy_module(abrt, 1.3.4)
#
##
++## Allow abrt-handle-upload to modify public files
++## used for public file transfer services in /var/spool/abrt-upload/.
++##
++##
++gen_tunable(abrt_upload_watch_anon_write, true)
++
++##
+## Allow ABRT to run in abrt_handle_event_t domain
+## to handle ABRT event scripts
@@ -627,15 +636,15 @@ index cc43d25..da5b191 100644
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+')
-+
-+#
-+# Support for ABRT retrace server
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
+#
++# Support for ABRT retrace server
++
++#
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
@@ -660,7 +669,10 @@ index cc43d25..da5b191 100644
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
-')
--
++# Support for abrt-upload-watch
++abrt_basic_types_template(abrt_upload_watch)
++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
########################################
#
-# Local policy
@@ -689,7 +701,7 @@ index cc43d25..da5b191 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -112,23 +135,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -718,7 +730,7 @@ index cc43d25..da5b191 100644
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +162,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -737,7 +749,7 @@ index cc43d25..da5b191 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +186,37 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -778,7 +790,7 @@ index cc43d25..da5b191 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +224,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -795,7 +807,7 @@ index cc43d25..da5b191 100644
')
optional_policy(`
-@@ -209,6 +224,16 @@ optional_policy(`
+@@ -209,6 +236,16 @@ optional_policy(`
')
optional_policy(`
@@ -812,7 +824,7 @@ index cc43d25..da5b191 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +245,7 @@ optional_policy(`
+@@ -220,6 +257,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -820,7 +832,7 @@ index cc43d25..da5b191 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +256,7 @@ optional_policy(`
+@@ -230,6 +268,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -828,7 +840,7 @@ index cc43d25..da5b191 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +267,17 @@ optional_policy(`
+@@ -240,9 +279,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -847,7 +859,7 @@ index cc43d25..da5b191 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +300,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -862,7 +874,7 @@ index cc43d25..da5b191 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +319,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -870,7 +882,7 @@ index cc43d25..da5b191 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +328,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -891,7 +903,7 @@ index cc43d25..da5b191 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +349,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -918,7 +930,7 @@ index cc43d25..da5b191 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +385,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -932,7 +944,7 @@ index cc43d25..da5b191 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +391,11 @@ optional_policy(`
+@@ -330,10 +403,11 @@ optional_policy(`
#######################################
#
@@ -946,7 +958,7 @@ index cc43d25..da5b191 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +426,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1008,7 +1020,7 @@ index cc43d25..da5b191 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +484,29 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -1021,18 +1033,28 @@ index cc43d25..da5b191 100644
#######################################
#
-# Global local policy
-+# Local policy for all abrt domain
++# abrt-upload-watch local policy
#
-kernel_read_system_state(abrt_domain)
++corecmd_exec_bin(abrt_upload_watch_t)
+
+-files_read_etc_files(abrt_domain)
++tunable_policy(`abrt_upload_watch_anon_write',`
++ miscfiles_manage_public_files(abrt_upload_watch_t)
++')
++
++#######################################
++#
++# Local policy for all abrt domain
++#
+
+-logging_send_syslog_msg(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
- files_read_etc_files(abrt_domain)
--
--logging_send_syslog_msg(abrt_domain)
--
-miscfiles_read_localization(abrt_domain)
++files_read_etc_files(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a..0682710 100644
--- a/accountsd.fc
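Review bot: `miscfiles_manage_public_files(abrt_upload_watch_t)` is gated on `abrt_upload_watch_anon_write`, but this commit declares that boolean earlier in abrt.te as `gen_tunable(abrt_upload_watch_anon_write, true)`, so the new daemon domain can manage public content out of the box. Write access of this kind is normally opt-in; unless there is a packaging reason, prefer `gen_tunable(abrt_upload_watch_anon_write, false)` or document why the default is on. The boolean's description also names abrt-handle-upload and `/var/spool/abrt-upload/`, while the rule applies to `abrt_upload_watch_t` and to public files generally rather than that one directory (as far as the interface name shows). The description should state the real scope.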
@@ -4596,7 +4618,7 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..40e2876 100644
+index 1a82e29..12b3640 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,367 @@
@@ -5284,7 +5306,7 @@ index 1a82e29..40e2876 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,164 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +551,165 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5401,9 +5423,10 @@ index 1a82e29..40e2876 100644
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
miscfiles_read_tetex_data(httpd_t)
-
--seutil_dontaudit_search_config(httpd_t)
-
+-seutil_dontaudit_search_config(httpd_t)
++miscfiles_dontaudit_access_check_cert(httpd_t)
+
userdom_use_unpriv_users_fds(httpd_t)
-ifdef(`TODO',`
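Review bot: `miscfiles_dontaudit_access_check_cert(httpd_t)` is added without a comment saying which httpd code path triggers the denial it silences. A dontaudit rule removes those AVC records from the audit log, so someone investigating `httpd_t` activity around certificate files will see nothing unless dontaudit rules are disabled first. Add a one-line comment above the call with the cause and the bug reference, e.g. `# httpd probes cert files with access(2); denial is harmless, see bug <BUG-ID>` (adjust to the actual cause).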
@@ -5514,7 +5537,7 @@ index 1a82e29..40e2876 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +719,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +720,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5574,7 +5597,7 @@ index 1a82e29..40e2876 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +771,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +772,43 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5664,7 +5687,7 @@ index 1a82e29..40e2876 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +817,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +818,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5745,7 +5768,7 @@ index 1a82e29..40e2876 100644
')
optional_policy(`
-@@ -743,14 +869,6 @@ optional_policy(`
+@@ -743,14 +870,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5760,7 +5783,7 @@ index 1a82e29..40e2876 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +883,23 @@ optional_policy(`
+@@ -765,6 +884,23 @@ optional_policy(`
')
optional_policy(`
@@ -5784,7 +5807,7 @@ index 1a82e29..40e2876 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +916,42 @@ optional_policy(`
+@@ -781,34 +917,42 @@ optional_policy(`
')
optional_policy(`
@@ -5838,7 +5861,7 @@ index 1a82e29..40e2876 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +959,18 @@ optional_policy(`
+@@ -816,8 +960,18 @@ optional_policy(`
')
optional_policy(`
@@ -5857,7 +5880,7 @@ index 1a82e29..40e2876 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +979,7 @@ optional_policy(`
+@@ -826,6 +980,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5865,7 +5888,7 @@ index 1a82e29..40e2876 100644
')
optional_policy(`
-@@ -836,20 +990,39 @@ optional_policy(`
+@@ -836,20 +991,39 @@ optional_policy(`
')
optional_policy(`
@@ -5911,7 +5934,7 @@ index 1a82e29..40e2876 100644
')
optional_policy(`
-@@ -857,19 +1030,35 @@ optional_policy(`
+@@ -857,19 +1031,35 @@ optional_policy(`
')
optional_policy(`
@@ -5947,7 +5970,7 @@ index 1a82e29..40e2876 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1066,170 @@ optional_policy(`
+@@ -877,65 +1067,170 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6140,7 +6163,7 @@ index 1a82e29..40e2876 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1238,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -944,123 +1239,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6295,7 +6318,7 @@ index 1a82e29..40e2876 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1322,104 @@ optional_policy(`
+@@ -1077,172 +1323,104 @@ optional_policy(`
')
')
@@ -6531,7 +6554,7 @@ index 1a82e29..40e2876 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1427,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1428,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6628,7 +6651,7 @@ index 1a82e29..40e2876 100644
########################################
#
-@@ -1315,8 +1502,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1503,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6645,7 +6668,7 @@ index 1a82e29..40e2876 100644
')
########################################
-@@ -1324,49 +1518,38 @@ optional_policy(`
+@@ -1324,49 +1519,38 @@ optional_policy(`
# User content local policy
#
@@ -6710,7 +6733,7 @@ index 1a82e29..40e2876 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1559,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1560,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -12458,7 +12481,7 @@ index 954309e..f4db2ca 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8..dbb3f45 100644
+index 6471fa8..dc0423c 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
@@ -12486,7 +12509,7 @@ index 6471fa8..dbb3f45 100644
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
-@@ -46,23 +55,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
+@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
@@ -12494,6 +12517,9 @@ index 6471fa8..dbb3f45 100644
+kernel_read_all_sysctls(collectd_t)
+kernel_read_all_proc(collectd_t)
+kernel_list_all_proc(collectd_t)
++
++auth_getattr_passwd(collectd_t)
++auth_read_passwd(collectd_t)
-kernel_read_network_state(collectd_t)
-kernel_read_net_sysctls(collectd_t)
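Review bot: `auth_getattr_passwd(collectd_t)` directly above `auth_read_passwd(collectd_t)` looks redundant, since read access to a file type normally already includes getattr. The interface definitions are not part of this diff, so verify against authlogin.if. If that holds, keep only `auth_read_passwd(collectd_t)`. A short comment naming the collectd plugin that needs the passwd file, e.g. `# needed by <plugin> for uid to name lookups`, would make the grant easier to audit later.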
@@ -12519,7 +12545,7 @@ index 6471fa8..dbb3f45 100644
logging_send_syslog_msg(collectd_t)
-@@ -75,16 +86,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
')
optional_policy(`
@@ -24977,7 +25003,7 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index e0a4f46..79bc951 100644
+index e0a4f46..95cf77c 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@@ -25011,7 +25037,7 @@ index e0a4f46..79bc951 100644
allow glance_domain self:fifo_file rw_fifo_file_perms;
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
allow glance_domain self:tcp_socket { accept listen };
-@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
+@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
@@ -25030,6 +25056,7 @@ index e0a4f46..79bc951 100644
corecmd_exec_shell(glance_domain)
dev_read_urand(glance_domain)
++dev_read_sysfs(glance_domain)
-files_read_etc_files(glance_domain)
-files_read_usr_files(glance_domain)
@@ -25042,7 +25069,7 @@ index e0a4f46..79bc951 100644
sysnet_dns_name_resolve(glance_domain)
########################################
-@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
+@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
@@ -25057,7 +25084,7 @@ index e0a4f46..79bc951 100644
logging_send_syslog_msg(glance_registry_t)
-@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
@@ -25264,10 +25291,10 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..7244e2c
+index 0000000..06e17e3
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,169 @@
+policy_module(glusterfs, 1.0.1)
+
+##
## Determine whether openvpn can
## read generic user home content files.
-@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t)
+@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3)
+ ##
++## Determine whether openvpn can
++## connect to the TCP network.
++##