++##
++## Allow mock to read files in home directories.
++##
++##
++gen_tunable(mock_enable_homedirs, false)
++
+########################################
+#
+# Declarations
@@ -27486,10 +27537,14 @@ index 0000000..5576314
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
++manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
+can_exec(mock_t, mock_var_lib_t)
+allow mock_t mock_var_lib_t:dir mounton;
++allow mock_t mock_var_lib_t:dir relabel_dir_perms;
++allow mock_t mock_var_lib_t:file relabel_file_perms;
++
+
+kernel_list_proc(mock_t)
+kernel_read_irq_sysctls(mock_t)
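Review bot: The new `manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)` and the two `relabel_*_perms` rules on mock_var_lib_t carry no justification, and creating block device nodes is an unusual grant for a build tool. Refpolicy style puts a why-comment above such rules; if the trigger is chroot setup, something like `# mock populates /dev inside the build chroot and relabels chroot content` above the manage_blk line would let a later reviewer judge whether it is still needed. Note that mknod of block nodes under mock_var_lib_t, combined with the existing `mounton` and mount domain transition, lets mock_t reference any host block device by major/minor, so the permission should stay tied to this one directory type rather than be widened later. The relabel rules only cover relabelfrom/relabelto of the same type, which is the right scope. The added `++` blank line plus the existing one leaves a double blank line before `kernel_list_proc`.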
@@ -27503,20 +27558,24 @@ index 0000000..5576314
+corenet_tcp_connect_http_port(mock_t)
+
+dev_read_urand(mock_t)
++dev_read_sysfs(mock_t)
+
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_files(mock_t)
+files_read_usr_files(mock_t)
++files_dontaudit_list_boot(mock_t)
+
+fs_getattr_all_fs(mock_t)
++fs_manage_cgroup_dirs(mock_t)
+
+selinux_get_enforce_mode(mock_t)
+
+auth_use_nsswitch(mock_t)
+
+init_exec(mock_t)
++init_dontaudit_stream_connect(mock_t)
+
+libs_domtrans_ldconfig(mock_t)
+
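Review bot: `fs_manage_cgroup_dirs(mock_t)` grants create/delete/rename on every cgroupfs directory, not just a mock-owned subtree, and the hunk gives no hint which mock feature needs it. If mock only creates its own cgroup for the build, a comment such as `# mock creates a cgroup for the build chroot` would record the intent, and it is worth confirming that the narrower search/list cgroup interfaces are not sufficient before granting manage. The two new `dontaudit` calls (`files_dontaudit_list_boot`, `init_dontaudit_stream_connect`) are appropriate as noise suppression, but each should carry a one-line comment naming the code path that produced the denial so they can be revisited rather than silently hiding a future real denial.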
@@ -27527,6 +27586,12 @@ index 0000000..5576314
+
+mount_domtrans(mock_t)
+
++userdom_use_user_ptys(mock_t)
++
++tunable_policy(`mock_enable_homedirs',`
++ userdom_read_user_home_content_files(mock_t)
++')
++
+optional_policy(`
+ rpm_exec(mock_t)
+ rpm_manage_db(mock_t)
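Review bot: The `tunable_policy` block for `mock_enable_homedirs` has no comment, and it is the one place in this module where a boolean widens mock_t's reach into user data. A comment such as `# opt-in: mock reads spec/SRPM input from the invoking user's home` above it would tie the rule to the gen_tunable description; the default of `false` is the right least-privilege choice given mock_t also has mount and rpm database access. The interface only grants read on home content files, so if mock also writes build results under the user's home (presumably via its result directory) that will still be denied with the boolean on; worth confirming read-only is the intended scope. `userdom_use_user_ptys(mock_t)` is unconditional, which is consistent with mock being run interactively. The optional_policy block that follows continues outside the hunk.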
@@ -28355,7 +28420,7 @@ index 343cee3..2f948ad 100644
+ ')
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..8974c28 100644
+index 64268e4..0d7da33 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,8 +20,8 @@ files_type(etc_aliases_t)
@@ -28519,7 +28584,18 @@ index 64268e4..8974c28 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -249,11 +250,16 @@ optional_policy(`
+@@ -242,6 +243,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ logwatch_search_cache_dir(mailserver_delivery)
++')
++
++optional_policy(`
+ # so MTA can access /var/lib/mailman/mail/wrapper
+ files_search_var_lib(mailserver_delivery)
+
+@@ -249,11 +254,16 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
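Review bot: The new `logwatch_search_cache_dir(mailserver_delivery)` block has no comment explaining why a mail delivery agent needs to search logwatch's cache directory, unlike the neighbouring mailman block which says what it is for. Presumably logwatch spawns the MTA with its cache directory as the current working directory; if so, `# logwatch invokes the MTA from its cache directory (cwd)` above the call would record that. Search-only is the right scope for a cwd denial, and since `mailserver_delivery` is an attribute covering every delivery agent, it should not be widened to read without understanding any further denials.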
@@ -28536,7 +28612,7 @@ index 64268e4..8974c28 100644
domain_use_interactive_fds(user_mail_t)
userdom_use_user_terminals(user_mail_t)
-@@ -292,3 +298,44 @@ optional_policy(`
+@@ -292,3 +302,44 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -33452,7 +33528,7 @@ index 2855a44..0456b11 100644
type puppet_tmp_t;
')
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..1a07760 100644
+index 64c5f95..dbac1d4 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@@ -33528,8 +33604,11 @@ index 64c5f95..1a07760 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -214,13 +226,32 @@ domain_read_all_domains_state(puppetmaster_t)
+@@ -212,15 +224,35 @@ dev_read_urand(puppetmaster_t)
+ domain_read_all_domains_state(puppetmaster_t)
+
files_read_etc_files(puppetmaster_t)
++files_read_usr_files(puppetmaster_t)
files_search_var_lib(puppetmaster_t)
+selinux_validate_context(puppetmaster_t)
@@ -33561,7 +33640,7 @@ index 64c5f95..1a07760 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -231,3 +262,8 @@ optional_policy(`
+@@ -231,3 +263,8 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -36503,7 +36582,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..395fafb 100644
+index e30bb63..00a9125 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -36681,7 +36760,7 @@ index e30bb63..395fafb 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -806,14 +809,14 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +809,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -36699,9 +36778,11 @@ index e30bb63..395fafb 100644
-files_pid_filetrans(winbind_t, winbind_var_run_t, file)
+files_pid_filetrans(winbind_t, winbind_var_run_t, { file dir })
++kernel_read_network_state(winbind_t)
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -833,6 +836,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+
+@@ -833,6 +837,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
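Review bot: `kernel_read_network_state(winbind_t)` is inserted before `kernel_read_kernel_sysctls`, which breaks the alphabetical order the neighbouring kernel_ calls follow; it reads more naturally placed between `kernel_read_kernel_sysctls(winbind_t)` and `kernel_read_system_state(winbind_t)`. The added blank line after the kernel_ group is fine as a separator. Reading /proc/net state is a low-risk grant, but the hunk does not say which winbind operation triggered it, and a short comment would help the next audit.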
@@ -36709,7 +36790,7 @@ index e30bb63..395fafb 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -922,6 +926,18 @@ optional_policy(`
+@@ -922,6 +927,18 @@ optional_policy(`
#
optional_policy(`
@@ -36728,7 +36809,7 @@ index e30bb63..395fafb 100644
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -932,9 +948,12 @@ optional_policy(`
+@@ -932,9 +949,12 @@ optional_policy(`
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -38868,7 +38949,7 @@ index 941380a..6dbfc01 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..12d37a2 100644
+index 8ffa257..44cbef4 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -38894,15 +38975,20 @@ index 8ffa257..12d37a2 100644
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,6 +50,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,8 +50,12 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
++corenet_udp_bind_generic_port(sssd_t)
++corenet_dontaudit_udp_bind_all_ports(sssd_t)
++
corecmd_exec_bin(sssd_t)
-@@ -60,6 +63,7 @@ domain_obj_id_change_exemption(sssd_t)
+
+ dev_read_urand(sssd_t)
+@@ -60,6 +66,7 @@ domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
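Review bot: `corenet_udp_bind_generic_port(sssd_t)` paired with `corenet_dontaudit_udp_bind_all_ports(sssd_t)` needs a comment, because the dontaudit silences every future UDP bind denial for sssd and the reason must be on record. If the trigger is ephemeral source-port binding for Kerberos/LDAP lookups (the kernel picks the port, so the chosen port may carry any port type), `# ephemeral UDP source ports for krb5/ldap; kernel-chosen ports may land on labeled port types` captures it. Binding also requires node permission, so unless `corenet_udp_bind_generic_node(sssd_t)` is already granted elsewhere in the file the bind will still fail on the node check. The two new calls also sit between the kernel_ lines rather than with any other corenet_ calls the file may have.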
@@ -38910,17 +38996,16 @@ index 8ffa257..12d37a2 100644
fs_list_inotifyfs(sssd_t)
-@@ -69,7 +73,8 @@ seutil_read_file_contexts(sssd_t)
+@@ -69,7 +76,7 @@ seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
-auth_use_nsswitch(sssd_t)
-+
+# auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
-@@ -79,6 +84,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +86,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
@@ -38933,7 +39018,7 @@ index 8ffa257..12d37a2 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -88,3 +99,11 @@ optional_policy(`
+@@ -88,3 +101,11 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
')
@@ -44702,7 +44787,7 @@ index 6fed22c..06e5395 100644
#
# /var
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..341c578 100644
+index cc83689..2657c0b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,40 @@ interface(`init_script_domain',`
@@ -44907,7 +44992,32 @@ index cc83689..341c578 100644
mls_rangetrans_target($1)
')
')
-@@ -688,19 +796,24 @@ interface(`init_telinit',`
+@@ -525,6 +633,24 @@ interface(`init_stream_connect',`
+ allow $1 init_t:unix_stream_socket connectto;
+ ')
+
++#######################################
++##