##
## Allow the specified domain to
@@ -20898,7 +20954,7 @@ index 8416beb..737bfbc 100644
## Example attributes:
##
##
-@@ -4596,6 +6065,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +6104,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -20925,7 +20981,7 @@ index 8416beb..737bfbc 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +6160,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +6199,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -20951,7 +21007,7 @@ index 8416beb..737bfbc 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +6420,173 @@ interface(`fs_unconfined',`
+@@ -4912,3 +6459,173 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -40392,7 +40448,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa99..22f539c 100644
+index 446fa99..d66491c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -40416,7 +40472,7 @@ index 446fa99..22f539c 100644
+')
+
+ifdef(`enable_mls',`
-+ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, mls_systemhigh)
++ init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, s0 - mls_systemhigh)
+')
+
########################################
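Review bot: The new range `s0 - mls_systemhigh` on the `init_ranged_daemon_domain(sulogin_t, sulogin_exec_t, ...)` line changes sulogin from a single-level systemhigh process to one that, as I read the range syntax, starts at s0 with clearance up to systemhigh. Nothing near the line says why. I would add a comment above the enable_mls block, for example `# sulogin starts at s0 with systemhigh clearance (BUG_REFERENCE placeholder)`, and confirm on an MLS system that the single-user shell still reaches the objects it needs at the lower current level. The rest of the sulogin policy is outside this hunk, so whether any rule relied on the old systemhigh current level cannot be checked from here.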
@@ -44289,7 +44345,7 @@ index d43f3b1..c5053db 100644
+/etc/share/selinux/targeted(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
-index 3822072..593c90d 100644
+index 3822072..d358162 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -135,6 +135,42 @@ interface(`seutil_exec_loadpolicy',`
@@ -44780,7 +44836,15 @@ index 3822072..593c90d 100644
')
########################################
-@@ -999,6 +1363,26 @@ interface(`seutil_domtrans_semanage',`
+@@ -846,6 +1210,7 @@ interface(`seutil_manage_file_contexts',`
+ files_search_etc($1)
+ allow $1 { selinux_config_t default_context_t }:dir search_dir_perms;
+ manage_files_pattern($1, file_context_t, file_context_t)
++ manage_dirs_pattern($1, file_context_t, file_context_t)
+ ')
+
+ ########################################
+@@ -999,6 +1364,26 @@ interface(`seutil_domtrans_semanage',`
########################################
##
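Review bot: Adding `manage_dirs_pattern($1, file_context_t, file_context_t)` to `seutil_manage_file_contexts` gives every existing caller of the interface create, rename and delete rights on `file_context_t` directories, not only the caller that prompted the change. Because those files drive how the rest of the system is labeled, I would prefer directory management in a separate interface granted only to the domains that need it. At the least, the interface description (outside this hunk) should be updated to say it now covers directories as well as files. The callers are not visible here, so which domains gain the access should be checked with a policy query such as sesearch before merging.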
@@ -44807,7 +44871,7 @@ index 3822072..593c90d 100644
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -1017,11 +1401,105 @@ interface(`seutil_domtrans_semanage',`
+@@ -1017,11 +1402,105 @@ interface(`seutil_domtrans_semanage',`
#
interface(`seutil_run_semanage',`
gen_require(`
@@ -44915,7 +44979,7 @@ index 3822072..593c90d 100644
')
########################################
-@@ -1041,9 +1519,15 @@ interface(`seutil_manage_module_store',`
+@@ -1041,9 +1520,15 @@ interface(`seutil_manage_module_store',`
')
files_search_etc($1)
@@ -44931,7 +44995,7 @@ index 3822072..593c90d 100644
')
#######################################
-@@ -1067,6 +1551,24 @@ interface(`seutil_get_semanage_read_lock',`
+@@ -1067,6 +1552,24 @@ interface(`seutil_get_semanage_read_lock',`
#######################################
##
@@ -44956,7 +45020,7 @@ index 3822072..593c90d 100644
## Get trans lock on module store
##
##
-@@ -1137,3 +1639,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
+@@ -1137,3 +1640,121 @@ interface(`seutil_dontaudit_libselinux_linked',`
selinux_dontaudit_get_fs_mount($1)
seutil_dontaudit_read_config($1)
')
@@ -46041,7 +46105,7 @@ index 40edc18..95f4458 100644
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
+
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 2cea692..bf86a31 100644
+index 2cea692..b363779 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -46458,7 +46522,7 @@ index 2cea692..bf86a31 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -796,3 +1053,125 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +1053,126 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -46532,6 +46596,7 @@ index 2cea692..bf86a31 100644
+ files_etc_filetrans($1, net_conf_t, file, ".resolv.conf.dnssec-trigger")
+ files_etc_filetrans($1, net_conf_t, file, ".resolv-secure.conf.dnssec-trigger")
+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf")
++ files_etc_filetrans($1, net_conf_t, lnk_file, "resolv.conf")
+ files_etc_filetrans($1, net_conf_t, lnk_file, ".resolv.conf.NetworkManager")
+ files_etc_filetrans($1, net_conf_t, file, "denyhosts")
+ files_etc_filetrans($1, net_conf_t, file, "hosts")
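Review bot: The added `files_etc_filetrans($1, net_conf_t, lnk_file, "resolv.conf")` carries no comment saying which component creates /etc/resolv.conf as a symlink. That matters because a symlink at that name decides which file resolver-using domains end up reading. I would add one line above it, for example `# resolv.conf may be a symlink created by COMPONENT (placeholder)`, and check which callers of the enclosing interface (its header is outside this hunk) really need to create that link. The same missing rationale applies to the `allow dhcpc_t self:cap_userns` line in sysnetwork.te and to `rpm_read_tmp_files(abrt_t)` in abrt.te.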
@@ -46585,7 +46650,7 @@ index 2cea692..bf86a31 100644
+ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4..8a3cec2 100644
+index a392fc4..50c946e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -46627,7 +46692,7 @@ index a392fc4..8a3cec2 100644
ifdef(`distro_debian',`
init_daemon_run_dir(net_conf_t, "network")
-@@ -48,10 +61,10 @@ ifdef(`distro_debian',`
+@@ -48,10 +61,11 @@ ifdef(`distro_debian',`
# DHCP client local policy
#
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
@@ -46637,10 +46702,11 @@ index a392fc4..8a3cec2 100644
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate signal_perms };
++allow dhcpc_t self:cap_userns { net_bind_service };
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -64,8 +77,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -64,8 +78,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
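Review bot: The new `allow dhcpc_t self:cap_userns { net_bind_service };` permits the DHCP client to use net_bind_service inside a non-init user namespace, on top of the already broad `self:capability` set two lines above it. If the denial that prompted this is cosmetic rather than functional, a `dontaudit dhcpc_t self:cap_userns net_bind_service;` would keep the domain tighter. If the allow stays, the braces around a single permission can go as a style point: `allow dhcpc_t self:cap_userns net_bind_service;`.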
@@ -46652,7 +46718,7 @@ index a392fc4..8a3cec2 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -74,6 +90,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+@@ -74,6 +91,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -46661,7 +46727,7 @@ index a392fc4..8a3cec2 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -95,14 +113,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -95,14 +114,13 @@ kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
@@ -46682,7 +46748,7 @@ index a392fc4..8a3cec2 100644
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -112,22 +129,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -112,22 +130,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_udp_bind_all_unreserved_ports(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
@@ -46710,7 +46776,7 @@ index a392fc4..8a3cec2 100644
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
-@@ -137,11 +157,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -137,11 +158,17 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -46729,7 +46795,7 @@ index a392fc4..8a3cec2 100644
modutils_run_insmod(dhcpc_t, dhcpc_roles)
-@@ -161,7 +187,21 @@ ifdef(`distro_ubuntu',`
+@@ -161,7 +188,21 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -46752,7 +46818,7 @@ index a392fc4..8a3cec2 100644
')
optional_policy(`
-@@ -179,10 +219,6 @@ optional_policy(`
+@@ -179,10 +220,6 @@ optional_policy(`
')
optional_policy(`
@@ -46763,7 +46829,7 @@ index a392fc4..8a3cec2 100644
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
-@@ -195,23 +231,31 @@ optional_policy(`
+@@ -195,23 +232,31 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
@@ -46798,7 +46864,7 @@ index a392fc4..8a3cec2 100644
')
optional_policy(`
-@@ -221,7 +265,16 @@ optional_policy(`
+@@ -221,7 +266,16 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -46816,7 +46882,7 @@ index a392fc4..8a3cec2 100644
')
optional_policy(`
-@@ -233,6 +286,10 @@ optional_policy(`
+@@ -233,6 +287,10 @@ optional_policy(`
')
optional_policy(`
@@ -46827,7 +46893,7 @@ index a392fc4..8a3cec2 100644
vmware_append_log(dhcpc_t)
')
-@@ -264,12 +321,26 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,12 +322,26 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -46854,7 +46920,7 @@ index a392fc4..8a3cec2 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -279,14 +350,32 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -279,14 +351,32 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -46887,7 +46953,7 @@ index a392fc4..8a3cec2 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -299,33 +388,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,33 +389,51 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -46945,7 +47011,7 @@ index a392fc4..8a3cec2 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -336,7 +443,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +444,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -46958,7 +47024,7 @@ index a392fc4..8a3cec2 100644
')
optional_policy(`
-@@ -350,7 +461,16 @@ optional_policy(`
+@@ -350,7 +462,16 @@ optional_policy(`
')
optional_policy(`
@@ -46976,7 +47042,7 @@ index a392fc4..8a3cec2 100644
')
optional_policy(`
-@@ -371,3 +491,13 @@ optional_policy(`
+@@ -371,3 +492,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
diff --git a/policy-f24-contrib.patch b/policy-f24-contrib.patch
index 4715777..78350e7 100644
--- a/policy-f24-contrib.patch
+++ b/policy-f24-contrib.patch
@@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f07..22f5977 100644
+index eb50f07..22e6c69 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -902,7 +902,7 @@ index eb50f07..22f5977 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -234,6 +292,11 @@ optional_policy(`
+@@ -234,15 +292,22 @@ optional_policy(`
')
optional_policy(`
@@ -914,7 +914,10 @@ index eb50f07..22f5977 100644
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
-@@ -243,6 +306,7 @@ optional_policy(`
+ rpm_manage_log(abrt_t)
+ rpm_manage_pid_files(abrt_t)
++ rpm_read_tmp_files(abrt_t)
+ rpm_read_db(abrt_t)
rpm_signull(abrt_t)
')
@@ -922,7 +925,7 @@ index eb50f07..22f5977 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -253,9 +317,21 @@ optional_policy(`
+@@ -253,9 +318,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -945,7 +948,7 @@ index eb50f07..22f5977 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -266,9 +342,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +343,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -960,7 +963,7 @@ index eb50f07..22f5977 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -281,6 +361,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +362,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -968,7 +971,7 @@ index eb50f07..22f5977 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -289,15 +370,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +371,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -989,7 +992,7 @@ index eb50f07..22f5977 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -305,11 +391,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +392,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1016,7 +1019,7 @@ index eb50f07..22f5977 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -327,10 +427,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +428,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1030,7 +1033,7 @@ index eb50f07..22f5977 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -343,10 +445,11 @@ optional_policy(`
+@@ -343,10 +446,11 @@ optional_policy(`
#######################################
#
@@ -1044,7 +1047,7 @@ index eb50f07..22f5977 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +468,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +469,78 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1127,7 +1130,7 @@ index eb50f07..22f5977 100644
#######################################
#
-@@ -404,25 +547,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +548,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1190,7 +1193,7 @@ index eb50f07..22f5977 100644
')
#######################################
-@@ -430,10 +608,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +609,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
# Global local policy
#
@@ -2275,7 +2278,7 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index 519051c..0f871e6 100644
+index 519051c..69a4c66 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2313,7 +2316,15 @@ index 519051c..0f871e6 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
+@@ -81,6 +85,7 @@ allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
+
+ manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
+ manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
++files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)
+
+ manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
+ manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
+@@ -100,13 +105,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
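Review bot: `files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir)` is an unnamed transition, so any directory amanda_t creates directly under /var/lib is labeled amanda_var_lib_t whatever its name. Other transitions in this patch pass the object name, for example `files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns")`. Doing the same here limits the rule to the directory amanda actually owns: `files_var_lib_filetrans(amanda_t, amanda_var_lib_t, dir, "DIR_NAME_PLACEHOLDER")`, with the placeholder replaced by the name used in amanda's file contexts.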
@@ -2330,7 +2341,7 @@ index 519051c..0f871e6 100644
corenet_sendrecv_all_server_packets(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
-@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+@@ -114,6 +121,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
@@ -2338,7 +2349,7 @@ index 519051c..0f871e6 100644
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
-@@ -130,6 +137,7 @@ fs_list_all(amanda_t)
+@@ -130,6 +138,7 @@ fs_list_all(amanda_t)
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
@@ -2346,7 +2357,7 @@ index 519051c..0f871e6 100644
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
-@@ -170,7 +178,6 @@ kernel_read_system_state(amanda_recover_t)
+@@ -170,7 +179,6 @@ kernel_read_system_state(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
@@ -2354,7 +2365,7 @@ index 519051c..0f871e6 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -195,12 +202,16 @@ files_search_tmp(amanda_recover_t)
+@@ -195,12 +203,16 @@ files_search_tmp(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
@@ -22107,7 +22118,7 @@ index dda905b..5587295 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index 62d22cb..d578ac1 100644
+index 62d22cb..f9c33f4 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -22256,9 +22267,9 @@ index 62d22cb..d578ac1 100644
- files_search_var_lib($1)
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
+ files_search_var_lib($1)
-+
-+ dev_read_urand($1)
++ dev_read_urand($1)
++
+ # For connecting to the bus
files_search_pids($1)
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
@@ -22771,7 +22782,7 @@ index 62d22cb..d578ac1 100644
##
##
##
-@@ -498,98 +497,100 @@ interface(`dbus_connect_system_bus',`
+@@ -498,98 +497,122 @@ interface(`dbus_connect_system_bus',`
##
##
#
@@ -22872,12 +22883,30 @@ index 62d22cb..d578ac1 100644
- ps_process_pattern(system_dbusd_t, $1)
-
- userdom_read_all_users_state($1)
--
-- ifdef(`hide_broken_symptoms', `
-- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
-- ')
+ allow $1 session_bus_type:dbus send_msg;
+ allow session_bus_type $1:dbus send_msg;
++')
+
+- ifdef(`hide_broken_symptoms', `
+- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
++########################################
++##
++## Do not audit attempts to send dbus
++## messages to session bus types.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dbus_dontaudit_chat_session_bus',`
++ gen_require(`
++ attribute session_bus_type;
++ class dbus send_msg;
+ ')
++
++ dontaudit $1 session_bus_type:dbus send_msg;
')
########################################
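Review bot: The new `dbus_dontaudit_chat_session_bus` interface silences `send_msg` denials toward every `session_bus_type`, so a domain that is given it leaves no AVC record when it tries to talk to a session bus. I would have the interface description state that it is intended only for callers whose denial is known noise. It should also note that the hidden denials can be exposed for troubleshooting or investigation by rebuilding policy with dontaudit rules disabled (`semodule -DB`). The callers are outside this hunk, so how widely it is applied cannot be judged from here.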
@@ -22885,7 +22914,7 @@ index 62d22cb..d578ac1 100644
-## Use and inherit DBUS system bus
-## file descriptors.
+## Do not audit attempts to send dbus
-+## messages to session bus types.
++## messages to system bus types.
##