diff --git a/policy-F16.patch b/policy-F16.patch
index de11716..eed2aaa 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -4955,7 +4955,7 @@ index 0000000..a03aec4
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..689a667
+index 0000000..1957119
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
 @@ -0,0 +1,188 @@
@@ -5141,7 +5141,7 @@ index 0000000..689a667
 +userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
 +userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
 +userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
-+userdom_read_inherited_user_tmp_files(chrome_sandbox_nacl_t)
++userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
 +
 +optional_policy(`
 +	gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
@@ -12909,7 +12909,7 @@ index f9a73d0..e10101a 100644
  		xserver_role($1_r, $1_wine_t)
  	')
 diff --git a/policy/modules/apps/wine.te b/policy/modules/apps/wine.te
-index be9246b..e3de8fa 100644
+index be9246b..90848c7 100644
 --- a/policy/modules/apps/wine.te
 +++ b/policy/modules/apps/wine.te
 @@ -40,7 +40,7 @@ domain_mmap_low(wine_t)
@@ -12921,6 +12921,17 @@ index be9246b..e3de8fa 100644
  
  tunable_policy(`wine_mmap_zero_ignore',`
  	dontaudit wine_t self:memprotect mmap_zero;
+@@ -55,6 +55,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++	rtkit_scheduled(wine_t)
++')
++
++optional_policy(`
+ 	unconfined_domain(wine_t)
+ ')
+ 
 diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
 index 8bfe97d..95a3d06 100644
 --- a/policy/modules/apps/wireshark.te
@@ -13028,10 +13039,18 @@ index 223ad43..d95e720 100644
  	rsync_exec(yam_t)
  ')
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 3fae11a..b21e0b7 100644
+index 3fae11a..1334cc8 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
-@@ -71,6 +71,11 @@ ifdef(`distro_redhat',`
+@@ -46,6 +46,7 @@ ifdef(`distro_redhat',`
+ /etc/apcupsd/offbattery		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/apcupsd/onbattery		--	gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/auto\.[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
+ /etc/avahi/.*\.action 		--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
+@@ -71,6 +72,11 @@ ifdef(`distro_redhat',`
  /etc/kde/env(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /etc/kde/shutdown(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
@@ -13043,7 +13062,7 @@ index 3fae11a..b21e0b7 100644
  /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/cache-error-trigger	--	gen_context(system_u:object_r:bin_t,s0)
  /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-@@ -97,8 +102,6 @@ ifdef(`distro_redhat',`
+@@ -97,8 +103,6 @@ ifdef(`distro_redhat',`
  
  /etc/rc\.d/init\.d/functions	--	gen_context(system_u:object_r:bin_t,s0)
  
@@ -13052,7 +13071,7 @@ index 3fae11a..b21e0b7 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -130,18 +133,15 @@ ifdef(`distro_debian',`
+@@ -130,18 +134,15 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -13073,7 +13092,7 @@ index 3fae11a..b21e0b7 100644
  
  /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +169,7 @@ ifdef(`distro_gentoo',`
  /opt/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /opt/google/talkplugin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13081,7 +13100,7 @@ index 3fae11a..b21e0b7 100644
  
  /opt/gutenprint/cups/lib/filter(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
-@@ -179,6 +180,8 @@ ifdef(`distro_gentoo',`
+@@ -179,6 +181,8 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -13090,7 +13109,7 @@ index 3fae11a..b21e0b7 100644
  #
  # /usr
  #
-@@ -198,48 +201,51 @@ ifdef(`distro_gentoo',`
+@@ -198,48 +202,51 @@ ifdef(`distro_gentoo',`
  /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/wicd/monitor\.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
@@ -13184,7 +13203,7 @@ index 3fae11a..b21e0b7 100644
  
  /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -247,9 +253,13 @@ ifdef(`distro_gentoo',`
+@@ -247,9 +254,13 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
@@ -13199,7 +13218,7 @@ index 3fae11a..b21e0b7 100644
  /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -267,6 +277,10 @@ ifdef(`distro_gentoo',`
+@@ -267,6 +278,10 @@ ifdef(`distro_gentoo',`
  /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/ocf-shellfuncs --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
@@ -13210,7 +13229,7 @@ index 3fae11a..b21e0b7 100644
  /usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
-@@ -286,15 +300,19 @@ ifdef(`distro_gentoo',`
+@@ -286,15 +301,19 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13231,7 +13250,7 @@ index 3fae11a..b21e0b7 100644
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -306,10 +324,11 @@ ifdef(`distro_redhat', `
+@@ -306,10 +325,11 @@ ifdef(`distro_redhat', `
  /etc/gdm/[^/]+			-d	gen_context(system_u:object_r:bin_t,s0)
  /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
  
@@ -13245,7 +13264,7 @@ index 3fae11a..b21e0b7 100644
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -319,9 +338,11 @@ ifdef(`distro_redhat', `
+@@ -319,9 +339,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13257,7 +13276,7 @@ index 3fae11a..b21e0b7 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -363,7 +384,7 @@ ifdef(`distro_redhat', `
+@@ -363,7 +385,7 @@ ifdef(`distro_redhat', `
  ifdef(`distro_suse', `
  /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -13266,7 +13285,7 @@ index 3fae11a..b21e0b7 100644
  /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
-@@ -375,8 +396,9 @@ ifdef(`distro_suse', `
+@@ -375,8 +397,9 @@ ifdef(`distro_suse', `
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -13278,7 +13297,7 @@ index 3fae11a..b21e0b7 100644
  
  /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-@@ -385,3 +407,12 @@ ifdef(`distro_suse', `
+@@ -385,3 +408,12 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -14619,7 +14638,7 @@ index 4f3b542..f4e36ee 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..a96b835 100644
+index 99b71cb..43656b7 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,15 @@ attribute netif_type;
@@ -14760,7 +14779,7 @@ index 99b71cb..a96b835 100644
  network_port(ipmi, udp,623,s0, udp,664,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0, tcp,8610-8614,s0, udp,8610-8614,s0)
  network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
-@@ -129,20 +172,26 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +172,27 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -14775,6 +14794,7 @@ index 99b71cb..a96b835 100644
  network_port(kismet, tcp,2501,s0)
  network_port(kprop, tcp,754,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
++network_port(l2tp, tcp,1701,s0, udp,1701,s0)
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  network_port(lirc, tcp,8765,s0)
 +network_port(luci, tcp,8084,s0)
@@ -14790,7 +14810,7 @@ index 99b71cb..a96b835 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -152,21 +201,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
+@@ -152,21 +202,31 @@ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netport, tcp,3129,s0, udp,3129,s0)
  network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
@@ -14823,11 +14843,11 @@ index 99b71cb..a96b835 100644
  network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
-@@ -179,34 +238,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+@@ -179,34 +239,41 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
  network_port(radius, udp,1645,s0, udp,1812,s0)
  network_port(radsec, tcp,2083,s0)
  network_port(razor, tcp,2703,s0)
-+network_port(rdate, tcp,37,s0, udp,37,s0)
++network_port(time, tcp,37,s0, udp,37,s0)
 +network_port(repository, tcp, 6363, s0)
  network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@@ -14870,7 +14890,7 @@ index 99b71cb..a96b835 100644
  network_port(traceroute, udp,64000-64010,s0)
  network_port(transproxy, tcp,8081,s0)
  network_port(ups, tcp,3493,s0)
-@@ -215,9 +281,12 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,9 +282,12 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -14884,7 +14904,7 @@ index 99b71cb..a96b835 100644
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -229,6 +298,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +299,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -14892,7 +14912,7 @@ index 99b71cb..a96b835 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -238,6 +308,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+@@ -238,6 +309,12 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
  portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
  portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
@@ -14905,7 +14925,7 @@ index 99b71cb..a96b835 100644
  
  ########################################
  #
-@@ -282,9 +358,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -282,9 +359,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -19060,7 +19080,7 @@ index 22821ff..20251b0 100644
  ########################################
  #
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 97fcdac..fdb4b09 100644
+index 97fcdac..7adc55b 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -19358,7 +19378,76 @@ index 97fcdac..fdb4b09 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to create,
-@@ -2080,6 +2260,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
+@@ -2025,6 +2205,68 @@ interface(`fs_read_fusefs_symlinks',`
+ 
+ ########################################
+ ## <summary>
++##	Manage symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`fs_fusefs_domtrans',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	allow $1 fusefs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, fusefs_t, $2)
++')
++
++########################################
++## <summary>
+ ##	Get the attributes of an hugetlbfs
+ ##	filesystem.
+ ## </summary>
+@@ -2080,6 +2322,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -19383,7 +19472,7 @@ index 97fcdac..fdb4b09 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,6 +2346,7 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,6 +2408,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -19391,7 +19480,7 @@ index 97fcdac..fdb4b09 100644
  ')
  
  ########################################
-@@ -2480,6 +2679,7 @@ interface(`fs_read_nfs_files',`
+@@ -2480,6 +2741,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19399,7 +19488,7 @@ index 97fcdac..fdb4b09 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2518,6 +2718,7 @@ interface(`fs_write_nfs_files',`
+@@ -2518,6 +2780,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19407,7 +19496,7 @@ index 97fcdac..fdb4b09 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2544,6 +2745,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2544,6 +2807,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -19433,7 +19522,7 @@ index 97fcdac..fdb4b09 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2584,6 +2804,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2584,6 +2866,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -19476,7 +19565,7 @@ index 97fcdac..fdb4b09 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2598,7 +2854,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2598,7 +2916,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19485,7 +19574,7 @@ index 97fcdac..fdb4b09 100644
  ')
  
  ########################################
-@@ -2736,7 +2992,7 @@ interface(`fs_search_removable',`
+@@ -2736,7 +3054,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19494,7 +19583,7 @@ index 97fcdac..fdb4b09 100644
  ##	</summary>
  ## </param>
  #
-@@ -2772,7 +3028,7 @@ interface(`fs_read_removable_files',`
+@@ -2772,7 +3090,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -19503,7 +19592,7 @@ index 97fcdac..fdb4b09 100644
  ##	</summary>
  ## </param>
  #
-@@ -2965,6 +3221,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2965,6 +3283,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -19511,7 +19600,7 @@ index 97fcdac..fdb4b09 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3005,6 +3262,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3005,6 +3324,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -19519,7 +19608,7 @@ index 97fcdac..fdb4b09 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3045,6 +3303,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3045,6 +3365,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -19527,7 +19616,7 @@ index 97fcdac..fdb4b09 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3258,6 +3517,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3258,6 +3579,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -19552,7 +19641,7 @@ index 97fcdac..fdb4b09 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3958,6 +4235,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3958,6 +4297,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -19595,7 +19684,7 @@ index 97fcdac..fdb4b09 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4175,6 +4488,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4175,6 +4550,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -19620,7 +19709,7 @@ index 97fcdac..fdb4b09 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4251,6 +4582,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4251,6 +4644,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -19646,7 +19735,7 @@ index 97fcdac..fdb4b09 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4457,6 +4807,8 @@ interface(`fs_mount_all_fs',`
+@@ -4457,6 +4869,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -19655,7 +19744,7 @@ index 97fcdac..fdb4b09 100644
  ')
  
  ########################################
-@@ -4503,7 +4855,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4503,7 +4917,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -19664,7 +19753,7 @@ index 97fcdac..fdb4b09 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4866,3 +5218,24 @@ interface(`fs_unconfined',`
+@@ -4866,3 +5280,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -20651,7 +20740,7 @@ index 57c4a6a..6a19a94 100644
  /dev/mspblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/mtd.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..3e38191 100644
+index 1700ef2..6499ecb 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -20671,7 +20760,38 @@ index 1700ef2..3e38191 100644
  	dev_add_entry_generic_dirs($1)
  ')
  
-@@ -808,3 +811,369 @@ interface(`storage_unconfined',`
+@@ -267,6 +270,30 @@ interface(`storage_dev_filetrans_fixed_disk',`
+ 	')
+ 
+ 	dev_filetrans($1, fixed_disk_device_t, blk_file)
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "jsflash")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "lvm")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megaraid_sas_ioctl_node")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev0")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev1")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev2")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev3")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev4")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev5")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev6")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev7")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev8")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "megadev9")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "device-mapper")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw0")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw1")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw2")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw3")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw4")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw5")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw6")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw7")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw8")
++	dev_filetrans($1, fixed_disk_device_t, chr_file, "raw9")
+ ')
+ 
+ ########################################
+@@ -808,3 +835,369 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -24423,7 +24543,7 @@ index 0b827c5..b2d6129 100644
 +	dontaudit $1 abrt_t:sock_file write;
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..2006219 100644
+index 30861ec..59f712e 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
@@ -24790,7 +24910,7 @@ index 30861ec..2006219 100644
 +read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 +read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
 +
-+allow abrt_dump_oops_t abrt_etc_t:file read_file_perms;
++read_files_patter(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
 +
 +kernel_read_kernel_sysctls(abrt_dump_oops_t)
 +kernel_read_ring_buffer(abrt_dump_oops_t)
@@ -24848,7 +24968,7 @@ index c0f858d..d639ae0 100644
  
  	accountsd_manage_lib_files($1)
 diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te
-index 1632f10..0359b30 100644
+index 1632f10..9663f02 100644
 --- a/policy/modules/services/accountsd.te
 +++ b/policy/modules/services/accountsd.te
 @@ -8,6 +8,8 @@ policy_module(accountsd, 1.0.0)
@@ -24887,12 +25007,19 @@ index 1632f10..0359b30 100644
  
  miscfiles_read_localization(accountsd_t)
  
-@@ -55,3 +62,8 @@ optional_policy(`
+@@ -50,8 +57,15 @@ usermanage_domtrans_passwd(accountsd_t)
+ 
+ optional_policy(`
+ 	consolekit_read_log(accountsd_t)
++	consolekit_dbus_chat(accountsd_t)
+ ')
+ 
  optional_policy(`
  	policykit_dbus_chat(accountsd_t)
  ')
 +
 +optional_policy(`
++	xserver_read_state_xdm(accountsd_t)
 +	xserver_dbus_chat_xdm(accountsd_t)
 +	xserver_manage_xdm_etc_files(accountsd_t)
 +')
@@ -25218,7 +25345,7 @@ index d96fdfa..e07158f 100644
  ifdef(`distro_debian',`
  /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
-index deca9d3..ae8c579 100644
+index deca9d3..ac92fce 100644
 --- a/policy/modules/services/amavis.te
 +++ b/policy/modules/services/amavis.te
 @@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -25238,7 +25365,15 @@ index deca9d3..ae8c579 100644
  
  domain_use_interactive_fds(amavis_t)
  
-@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t)
+@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t)
+ 
+ fs_getattr_xattr_fs(amavis_t)
+ 
++auth_use_nsswitch(amavis_t)
+ auth_dontaudit_read_shadow(amavis_t)
+ 
+ # uses uptime which reads utmp - redhat bug 561383
+@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t)
  
  userdom_dontaudit_search_user_home_dirs(amavis_t)
  
@@ -26072,10 +26207,10 @@ index 6480167..e12bbc0 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..4845736 100644
+index 3136c6a..ad1e64f 100644
 --- a/policy/modules/services/apache.te
 +++ b/policy/modules/services/apache.te
-@@ -18,130 +18,225 @@ policy_module(apache, 2.2.1)
+@@ -18,130 +18,232 @@ policy_module(apache, 2.2.1)
  # Declarations
  #
  
@@ -26198,7 +26333,10 @@ index 3136c6a..4845736 100644
  gen_tunable(httpd_can_sendmail, false)
  
 +
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
 +##  <p>
 +##  Allow http daemon to connect to zabbix
 +##  </p>
@@ -26212,10 +26350,7 @@ index 3136c6a..4845736 100644
 +## </desc>
 +gen_tunable(httpd_can_check_spam, false)
 +
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
 +##	<p>
 +##	Allow Apache to communicate with avahi service via dbus
 +##	</p>
@@ -26332,6 +26467,13 @@ index 3136c6a..4845736 100644
 -## Allow httpd to run gpg
 -## </p>
 +##	<p>
++##	Allow httpd to access cifs file systems
++##	</p>
++## </desc>
++gen_tunable(httpd_use_fusefs, false)
++
++## <desc>
++##	<p>
 +##	Allow httpd to run gpg in gpg-web domain
 +##	</p>
  ## </desc>
@@ -26357,7 +26499,7 @@ index 3136c6a..4845736 100644
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -166,7 +261,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +268,7 @@ files_type(httpd_cache_t)
  
  # httpd_config_t is the type given to the configuration files
  type httpd_config_t;
@@ -26366,7 +26508,7 @@ index 3136c6a..4845736 100644
  
  type httpd_helper_t;
  type httpd_helper_exec_t;
-@@ -177,6 +272,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +279,9 @@ role system_r types httpd_helper_t;
  type httpd_initrc_exec_t;
  init_script_file(httpd_initrc_exec_t)
  
@@ -26376,7 +26518,7 @@ index 3136c6a..4845736 100644
  type httpd_lock_t;
  files_lock_file(httpd_lock_t)
  
-@@ -216,7 +314,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +321,17 @@ files_tmp_file(httpd_suexec_tmp_t)
  
  # setup the system domain for system CGI scripts
  apache_content_template(sys)
@@ -26395,7 +26537,7 @@ index 3136c6a..4845736 100644
  
  type httpd_tmp_t;
  files_tmp_file(httpd_tmp_t)
-@@ -226,6 +334,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +341,10 @@ files_tmpfs_file(httpd_tmpfs_t)
  
  apache_content_template(user)
  ubac_constrained(httpd_user_script_t)
@@ -26406,7 +26548,7 @@ index 3136c6a..4845736 100644
  userdom_user_home_content(httpd_user_content_t)
  userdom_user_home_content(httpd_user_htaccess_t)
  userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +345,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +352,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
  userdom_user_home_content(httpd_user_rw_content_t)
  typeattribute httpd_user_script_t httpd_script_domains;
  typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26414,7 +26556,7 @@ index 3136c6a..4845736 100644
  typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
  typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
  typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +367,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +374,23 @@ files_type(httpd_var_lib_t)
  type httpd_var_run_t;
  files_pid_file(httpd_var_run_t)
  
@@ -26438,7 +26580,7 @@ index 3136c6a..4845736 100644
  ########################################
  #
  # Apache server local policy
-@@ -281,11 +403,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +410,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow httpd_t self:tcp_socket create_stream_socket_perms;
  allow httpd_t self:udp_socket create_socket_perms;
@@ -26452,7 +26594,7 @@ index 3136c6a..4845736 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +453,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +460,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26463,7 +26605,7 @@ index 3136c6a..4845736 100644
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +464,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +471,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -26474,7 +26616,7 @@ index 3136c6a..4845736 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +481,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +488,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -26484,7 +26626,7 @@ index 3136c6a..4845736 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +494,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +501,16 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -26502,7 +26644,7 @@ index 3136c6a..4845736 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -378,12 +512,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +519,12 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -26518,7 +26660,7 @@ index 3136c6a..4845736 100644
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -391,6 +525,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +532,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -26526,7 +26668,7 @@ index 3136c6a..4845736 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -402,48 +537,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +544,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26630,8 +26772,14 @@ index 3136c6a..4845736 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +644,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +649,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+ 	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
+ ')
  
++tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
++	fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
++')
++
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 +	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
@@ -26688,7 +26836,7 @@ index 3136c6a..4845736 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +702,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +713,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26702,10 +26850,16 @@ index 3136c6a..4845736 100644
 +	fs_manage_cifs_dirs(httpd_t)
 +	fs_manage_cifs_files(httpd_t)
 +	fs_manage_cifs_symlinks(httpd_t)
++')
++
++tunable_policy(`httpd_use_fusefs',`
++	fs_manage_fusefs_dirs(httpd_t)
++	fs_manage_fusefs_files(httpd_t)
++	fs_manage_fusefs_symlinks(httpd_t)
  ')
  
  tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +726,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +743,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -26726,7 +26880,7 @@ index 3136c6a..4845736 100644
  ')
  
  optional_policy(`
-@@ -513,7 +750,13 @@ optional_policy(`
+@@ -513,7 +767,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26741,7 +26895,7 @@ index 3136c6a..4845736 100644
  ')
  
  optional_policy(`
-@@ -528,7 +771,19 @@ optional_policy(`
+@@ -528,7 +788,19 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -26762,7 +26916,7 @@ index 3136c6a..4845736 100644
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +792,13 @@ optional_policy(`
+@@ -537,8 +809,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26777,7 +26931,7 @@ index 3136c6a..4845736 100644
  	')
  ')
  
-@@ -556,7 +816,21 @@ optional_policy(`
+@@ -556,7 +833,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26799,7 +26953,7 @@ index 3136c6a..4845736 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +841,7 @@ optional_policy(`
+@@ -567,6 +858,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -26807,7 +26961,7 @@ index 3136c6a..4845736 100644
  ')
  
  optional_policy(`
-@@ -577,6 +852,20 @@ optional_policy(`
+@@ -577,6 +869,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26828,7 +26982,7 @@ index 3136c6a..4845736 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -591,6 +880,11 @@ optional_policy(`
+@@ -591,6 +897,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -26840,7 +26994,7 @@ index 3136c6a..4845736 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -603,6 +897,12 @@ optional_policy(`
+@@ -603,6 +914,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -26853,7 +27007,7 @@ index 3136c6a..4845736 100644
  ########################################
  #
  # Apache helper local policy
-@@ -616,7 +916,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +933,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -26866,7 +27020,7 @@ index 3136c6a..4845736 100644
  
  ########################################
  #
-@@ -654,28 +958,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +975,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -26910,7 +27064,7 @@ index 3136c6a..4845736 100644
  ')
  
  ########################################
-@@ -685,6 +991,8 @@ optional_policy(`
+@@ -685,6 +1008,8 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -26919,7 +27073,7 @@ index 3136c6a..4845736 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1007,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1024,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -26945,7 +27099,7 @@ index 3136c6a..4845736 100644
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1053,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1070,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -26978,7 +27132,7 @@ index 3136c6a..4845736 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1100,25 @@ optional_policy(`
+@@ -769,6 +1117,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -27004,7 +27158,7 @@ index 3136c6a..4845736 100644
  ########################################
  #
  # Apache system script local policy
-@@ -789,12 +1139,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1156,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -27022,7 +27176,7 @@ index 3136c6a..4845736 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,18 +1158,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1175,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -27079,7 +27233,7 @@ index 3136c6a..4845736 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1209,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1226,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -27107,10 +27261,20 @@ index 3136c6a..4845736 100644
 +	fs_exec_cifs_files(httpd_suexec_t)
 +')
 +
++tunable_policy(`httpd_use_fusefs',`
++	fs_manage_fusefs_dirs(httpd_sys_script_t)
++	fs_manage_fusefs_files(httpd_sys_script_t)
++	fs_manage_fusefs_symlinks(httpd_sys_script_t)
++	fs_manage_fusefs_dirs(httpd_suexec_t)
++	fs_manage_fusefs_files(httpd_suexec_t)
++	fs_manage_fusefs_symlinks(httpd_suexec_t)
++	fs_exec_fusefs_files(httpd_suexec_t)
++')
++
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1244,20 @@ optional_policy(`
+@@ -842,10 +1271,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27131,7 +27295,7 @@ index 3136c6a..4845736 100644
  ')
  
  ########################################
-@@ -891,11 +1303,49 @@ optional_policy(`
+@@ -891,11 +1330,49 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -33689,7 +33853,7 @@ index 305ddf4..173cd16 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..50a94a4 100644
+index 0f28095..5dafe6a 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -33803,7 +33967,16 @@ index 0f28095..50a94a4 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -371,8 +385,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -322,6 +336,8 @@ optional_policy(`
+ 	# cups execs smbtool which reads samba_etc_t files
+ 	samba_read_config(cupsd_t)
+ 	samba_rw_var_files(cupsd_t)
++	# needed by smbspool
++	samba_stream_connect_nmbd(cupsd_t)
+ ')
+ 
+ optional_policy(`
+@@ -371,8 +387,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -33814,7 +33987,7 @@ index 0f28095..50a94a4 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -393,6 +408,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +410,10 @@ dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
  dev_rw_generic_usb_dev(cupsd_config_t)
@@ -33825,7 +33998,7 @@ index 0f28095..50a94a4 100644
  
  files_search_all_mountpoints(cupsd_config_t)
  
-@@ -425,11 +444,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +446,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -33839,7 +34012,7 @@ index 0f28095..50a94a4 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +472,10 @@ optional_policy(`
+@@ -453,6 +474,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33850,7 +34023,7 @@ index 0f28095..50a94a4 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +490,10 @@ optional_policy(`
+@@ -467,6 +492,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -33861,7 +34034,7 @@ index 0f28095..50a94a4 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -537,6 +564,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +566,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
  corenet_tcp_bind_generic_node(cupsd_lpd_t)
  corenet_udp_bind_generic_node(cupsd_lpd_t)
  corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -33869,7 +34042,7 @@ index 0f28095..50a94a4 100644
  
  dev_read_urand(cupsd_lpd_t)
  dev_read_rand(cupsd_lpd_t)
-@@ -587,13 +615,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +617,17 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -33889,7 +34062,7 @@ index 0f28095..50a94a4 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +638,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +640,10 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(cups_pdf_t)
  ')
  
@@ -33900,7 +34073,7 @@ index 0f28095..50a94a4 100644
  ########################################
  #
  # HPLIP local policy
-@@ -639,7 +675,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +677,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -33909,7 +34082,7 @@ index 0f28095..50a94a4 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +721,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +723,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -33917,7 +34090,7 @@ index 0f28095..50a94a4 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +735,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -35965,10 +36138,10 @@ index 0000000..c2ac646
 +
 diff --git a/policy/modules/services/dirsrv.fc b/policy/modules/services/dirsrv.fc
 new file mode 100644
-index 0000000..3aae725
+index 0000000..6fc4865
 --- /dev/null
 +++ b/policy/modules/services/dirsrv.fc
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,23 @@
 +/etc/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_config_t,s0)
 +
 +/usr/sbin/ns-slapd			--	gen_context(system_u:object_r:dirsrv_exec_t,s0)
@@ -35982,6 +36155,9 @@ index 0000000..3aae725
 +/var/run/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 +/var/run/ldap-agent\.pid	gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
 +
++# BZ:
++/var/run/slapd.*    -s  gen_context(system_u:object_r:slapd_var_run_t,s0)
++
 +/var/lib/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
 +
 +/var/lock/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
@@ -40232,10 +40408,10 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..9f468a5 100644
+index 4fde46b..6c3eaea 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,27 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,18 +15,29 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
  #
  
  allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -40251,6 +40427,8 @@ index 4fde46b..9f468a5 100644
 +corecmd_exec_shell(gnomeclock_t)
 +corecmd_dontaudit_access_check_bin(gnomeclock_t)
 +
++corenet_tcp_connect_time_port(gnomeclock_t)
++
 +dev_read_sysfs(gnomeclock_t)
  
 -files_read_etc_files(gnomeclock_t)
@@ -40266,7 +40444,7 @@ index 4fde46b..9f468a5 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +46,34 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -40293,6 +40471,7 @@ index 4fde46b..9f468a5 100644
 +	ntp_domtrans_ntpdate(gnomeclock_t)
 +	ntp_initrc_domtrans(gnomeclock_t)
 +	init_dontaudit_getattr_all_script_files(gnomeclock_t)
++	init_dontaudit_getattr_exec(gnomeclock_t)
 +	ntp_systemctl(gnomeclock_t)
 +')
 +
@@ -41060,19 +41239,21 @@ index df48e5e..878d9df 100644
  		type inetd_t;
  	')
 diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
-index c51a7b2..5547c35 100644
+index c51a7b2..b07694c 100644
 --- a/policy/modules/services/inetd.te
 +++ b/policy/modules/services/inetd.te
-@@ -89,6 +89,8 @@ corenet_tcp_bind_ftp_port(inetd_t)
+@@ -89,6 +89,10 @@ corenet_tcp_bind_ftp_port(inetd_t)
  corenet_udp_bind_ftp_port(inetd_t)
  corenet_tcp_bind_inetd_child_port(inetd_t)
  corenet_udp_bind_inetd_child_port(inetd_t)
-++corenet_tcp_bind_rdate_port(inetd_t)
-++corenet_udp_bind_rdate_port(inetd_t)
++corenet_tcp_bind_echo_port(inetd_t)
++corenet_udp_bind_echo_port(inetd_t)
++corenet_tcp_bind_time_port(inetd_t)
++corenet_udp_bind_time_port(inetd_t)
  corenet_tcp_bind_ircd_port(inetd_t)
  corenet_udp_bind_ktalkd_port(inetd_t)
  corenet_tcp_bind_printer_port(inetd_t)
-@@ -149,7 +151,10 @@ miscfiles_read_localization(inetd_t)
+@@ -149,7 +153,10 @@ miscfiles_read_localization(inetd_t)
  mls_fd_share_all_levels(inetd_t)
  mls_socket_read_to_clearance(inetd_t)
  mls_socket_write_to_clearance(inetd_t)
@@ -42327,29 +42508,35 @@ index ca5cfdf..554ad30 100644
  
 diff --git a/policy/modules/services/l2tpd.fc b/policy/modules/services/l2tpd.fc
 new file mode 100644
-index 0000000..76d879e
+index 0000000..6b27066
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.fc
-@@ -0,0 +1,11 @@
+@@ -0,0 +1,18 @@
++/etc/prol2tp(/.*)?	gen_context(system_u:object_r:l2tp_etc_t,s0)
 +
-+/etc/rc\.d/init\.d/xl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/openl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/prol2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/xl2tpd	--	gen_context(system_u:object_r:l2tpd_initrc_exec_t,s0)
 +
-+/usr/sbin/xl2tpd		--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+/usr/sbin/openl2tpd		--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
-+
-+/var/run/xl2tpd(/.*)?			gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/etc/sysconfig/prol2tpd	--	gen_context(system_u:object_r:l2tp_etc_t,s0)
 +
-+/var/run/xl2tpd\.pid			gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/usr/sbin/openl2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/prol2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
++/usr/sbin/xl2tpd	--	gen_context(system_u:object_r:l2tpd_exec_t,s0)
 +
++/var/run/openl2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.ctl	-s	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/prol2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd(/.*)?	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
++/var/run/xl2tpd\.pid	--	gen_context(system_u:object_r:l2tpd_var_run_t,s0)
 diff --git a/policy/modules/services/l2tpd.if b/policy/modules/services/l2tpd.if
 new file mode 100644
-index 0000000..5783d58
+index 0000000..eb6ac8d
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.if
-@@ -0,0 +1,115 @@
-+
-+## <summary>policy for l2tpd</summary>
+@@ -0,0 +1,156 @@
++## <summary>Layer 2 Tunneling Protocol daemons.</summary>
 +
 +########################################
 +## <summary>
@@ -42370,7 +42557,6 @@ index 0000000..5783d58
 +	domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	Execute l2tpd server in the l2tpd domain.
@@ -42389,6 +42575,45 @@ index 0000000..5783d58
 +	init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
 +')
 +
++<<<<<<< HEAD
++=======
++########################################
++## <summary>
++##	Send to l2tpd via a unix dgram socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_dgram_send',`
++	gen_require(`
++		type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
++	')
++
++	files_search_tmp($1)
++	dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
++')
++
++########################################
++## <summary>
++##	Read and write l2tpd sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`l2tpd_rw_socket',`
++	gen_require(`
++		type l2tpd_t;
++	')
++
++	allow $1 l2tpd_t:socket rw_socket_perms;
++')
++>>>>>>> 37639db... Add support for proL2TPd.
 +
 +########################################
 +## <summary>
@@ -42446,9 +42671,8 @@ index 0000000..5783d58
 +#
 +interface(`l2tpd_admin',`
 +	gen_require(`
-+		type l2tpd_t;
-+	type l2tpd_initrc_exec_t;
-+	type l2tpd_var_run_t;
++		type l2tpd_t, l2tpd_initrc_exec_t. l2tpd_var_run_t;
++		type l2tp_etc_t, l2tpd_tmp_t;
 +	')
 +
 +	allow $1 l2tpd_t:process { ptrace signal_perms };
@@ -42459,16 +42683,21 @@ index 0000000..5783d58
 +	role_transition $2 l2tpd_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
++	files_search_etc($1)
++	admin_pattern($1, l2tp_etc_t)
++
 +	files_search_pids($1)
 +	admin_pattern($1, l2tpd_var_run_t)
-+')
 +
++	files_search_tmp($1)
++	admin_pattern($1, l2tpd_tmp_t)
++')
 diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
 new file mode 100644
-index 0000000..4aac893
+index 0000000..d3ce22f
 --- /dev/null
 +++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,94 @@
 +policy_module(l2tpd, 1.0.0)
 +
 +########################################
@@ -42483,6 +42712,9 @@ index 0000000..4aac893
 +type l2tpd_initrc_exec_t;
 +init_script_file(l2tpd_initrc_exec_t)
 +
++type l2tp_etc_t;
++files_config_file(l2tp_etc_t)
++
 +type l2tpd_tmp_t;
 +files_tmp_file(l2tpd_tmp_t)
 +
@@ -42491,14 +42723,20 @@ index 0000000..4aac893
 +
 +########################################
 +#
-+# l2tpd local policy
++# Local policy
 +#
-+allow l2tpd_t self:capability net_bind_service;
-+allow l2tpd_t self:process signal;
 +
++allow l2tpd_t self:capability { net_admin net_bind_service };
++allow l2tpd_t self:process signal;
 +allow l2tpd_t self:fifo_file rw_fifo_file_perms;
-+allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++allow l2tpd_t self:netlink_socket create_socket_perms;
++allow l2tpd_t self:rawip_socket create_socket_perms;
++allow l2tpd_t self:socket create_socket_perms;
 +allow l2tpd_t self:tcp_socket create_stream_socket_perms;
++allow l2tpd_t self:unix_dgram_socket sendto;
++allow l2tpd_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(l2tpd_t, l2tp_etc_t, l2tp_etc_t)
 +
 +manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
 +files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
@@ -42509,10 +42747,34 @@ index 0000000..4aac893
 +manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
 +files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
 +
++manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
++files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
++
++corenet_all_recvfrom_unlabeled(l2tpd_t)
++corenet_all_recvfrom_netlabel(l2tpd_t)
++corenet_raw_sendrecv_generic_if(l2tpd_t)
++corenet_tcp_sendrecv_generic_if(l2tpd_t)
++corenet_udp_sendrecv_generic_if(l2tpd_t)
++corenet_raw_bind_generic_node(l2tpd_t)
 +corenet_tcp_bind_generic_node(l2tpd_t)
 +corenet_udp_bind_generic_node(l2tpd_t)
-+corenet_udp_bind_generic_port(l2tpd_t)
++corenet_raw_sendrecv_generic_node(l2tpd_t)
++corenet_tcp_sendrecv_generic_node(l2tpd_t)
++corenet_udp_sendrecv_generic_node(l2tpd_t)
++
 +corenet_tcp_bind_all_rpc_ports(l2tpd_t)
++corenet_udp_bind_generic_port(l2tpd_t)
++
++corenet_udp_bind_l2tp_port(l2tpd_t)
++corenet_udp_sendrecv_l2tp_port(l2tpd_t)
++corenet_sendrecv_l2tp_server_packets(l2tpd_t)
++
++kernel_read_network_state(l2tpd_t)
++# net-pf-24 (pppox)
++kernel_request_load_module(l2tpd_t)
++
++# prol2tpc
++corecmd_exec_bin(l2tpd_t)
 +
 +dev_read_urand(l2tpd_t)
 +
@@ -42525,8 +42787,13 @@ index 0000000..4aac893
 +miscfiles_read_localization(l2tpd_t)
 +
 +sysnet_dns_name_resolve(l2tpd_t)
++
++optional_policy(`
++	ppp_domtrans(l2tpd_t)
++	ppp_signal(l2tpd_t)
++')
 diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..f8a4301 100644
+index c62f23e..8b7e71f 100644
 --- a/policy/modules/services/ldap.fc
 +++ b/policy/modules/services/ldap.fc
 @@ -1,6 +1,10 @@
@@ -42545,7 +42812,7 @@ index c62f23e..f8a4301 100644
  /var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
  /var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
  /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
-+/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
++#/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
 diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
 index 3aa8fa7..40b10fa 100644
 --- a/policy/modules/services/ldap.if
@@ -47354,7 +47621,7 @@ index 2324d9e..4f46ff8 100644
 +	files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
 +')
 diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
-index 0619395..76e9108 100644
+index 0619395..293aaca 100644
 --- a/policy/modules/services/networkmanager.te
 +++ b/policy/modules/services/networkmanager.te
 @@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -47432,7 +47699,7 @@ index 0619395..76e9108 100644
  
  fs_getattr_all_fs(NetworkManager_t)
  fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,7 +139,7 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +139,11 @@ corecmd_exec_shell(NetworkManager_t)
  corecmd_exec_bin(NetworkManager_t)
  
  domain_use_interactive_fds(NetworkManager_t)
@@ -47441,7 +47708,11 @@ index 0619395..76e9108 100644
  
  files_read_etc_files(NetworkManager_t)
  files_read_etc_runtime_files(NetworkManager_t)
-@@ -133,30 +159,37 @@ logging_send_syslog_msg(NetworkManager_t)
++files_read_system_conf_files(NetworkManager_t)
+ files_read_usr_files(NetworkManager_t)
+ files_read_usr_src_files(NetworkManager_t)
+ 
+@@ -133,30 +160,37 @@ logging_send_syslog_msg(NetworkManager_t)
  miscfiles_read_localization(NetworkManager_t)
  miscfiles_read_generic_certs(NetworkManager_t)
  
@@ -47481,7 +47752,7 @@ index 0619395..76e9108 100644
  ')
  
  optional_policy(`
-@@ -172,14 +205,21 @@ optional_policy(`
+@@ -172,14 +206,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47504,7 +47775,7 @@ index 0619395..76e9108 100644
  	')
  ')
  
-@@ -191,6 +231,7 @@ optional_policy(`
+@@ -191,6 +232,7 @@ optional_policy(`
  	dnsmasq_kill(NetworkManager_t)
  	dnsmasq_signal(NetworkManager_t)
  	dnsmasq_signull(NetworkManager_t)
@@ -47512,7 +47783,7 @@ index 0619395..76e9108 100644
  ')
  
  optional_policy(`
-@@ -202,23 +243,45 @@ optional_policy(`
+@@ -202,23 +244,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47558,7 +47829,7 @@ index 0619395..76e9108 100644
  	openvpn_domtrans(NetworkManager_t)
  	openvpn_kill(NetworkManager_t)
  	openvpn_signal(NetworkManager_t)
-@@ -241,6 +304,7 @@ optional_policy(`
+@@ -241,6 +305,7 @@ optional_policy(`
  	ppp_signal(NetworkManager_t)
  	ppp_signull(NetworkManager_t)
  	ppp_read_config(NetworkManager_t)
@@ -47566,7 +47837,7 @@ index 0619395..76e9108 100644
  ')
  
  optional_policy(`
-@@ -263,6 +327,7 @@ optional_policy(`
+@@ -263,6 +328,7 @@ optional_policy(`
  	vpn_kill(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  	vpn_signull(NetworkManager_t)
@@ -52908,7 +53179,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..52443cd 100644
+index 29b9295..ec68440 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -52951,7 +53222,7 @@ index 29b9295..52443cd 100644
  # only works until we define a different type for maildir
  userdom_manage_user_home_content_dirs(procmail_t)
  userdom_manage_user_home_content_files(procmail_t)
-@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +100,10 @@ userdom_manage_user_home_content_pipes(procmail_t)
  userdom_manage_user_home_content_sockets(procmail_t)
  userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
  
@@ -52959,10 +53230,12 @@ index 29b9295..52443cd 100644
 -userdom_dontaudit_search_user_home_dirs(procmail_t)
 +# Execute user executables
 +userdom_exec_user_bin_files(procmail_t)
++
++userdom_home_manager(procmail_t)
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -112,6 +125,12 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -112,6 +127,12 @@ tunable_policy(`use_samba_home_dirs',`
  optional_policy(`
  	clamav_domtrans_clamscan(procmail_t)
  	clamav_search_lib(procmail_t)
@@ -52975,7 +53248,7 @@ index 29b9295..52443cd 100644
  ')
  
  optional_policy(`
-@@ -125,6 +144,11 @@ optional_policy(`
+@@ -125,6 +146,11 @@ optional_policy(`
  	postfix_read_spool_files(procmail_t)
  	postfix_read_local_state(procmail_t)
  	postfix_read_master_state(procmail_t)
@@ -57726,10 +57999,36 @@ index 69a6074..596dbb3 100644
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
 diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
-index 82cb169..0a29f68 100644
+index 82cb169..f9c229f 100644
 --- a/policy/modules/services/samba.if
 +++ b/policy/modules/services/samba.if
-@@ -60,6 +60,29 @@ interface(`samba_initrc_domtrans',`
+@@ -42,6 +42,25 @@ interface(`samba_signal_nmbd',`
+ 
+ ########################################
+ ## <summary>
++##	Connect to nmbd.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`samba_stream_connect_nmbd',`
++	gen_require(`
++		type nmbd_t, nmbd_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++')
++
++########################################
++## <summary>
+ ##	Execute samba server in the samba domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -60,6 +79,29 @@ interface(`samba_initrc_domtrans',`
  
  ########################################
  ## <summary>
@@ -57759,7 +58058,7 @@ index 82cb169..0a29f68 100644
  ##	Execute samba net in the samba_net domain.
  ## </summary>
  ## <param name="domain">
-@@ -79,6 +102,25 @@ interface(`samba_domtrans_net',`
+@@ -79,6 +121,25 @@ interface(`samba_domtrans_net',`
  
  ########################################
  ## <summary>
@@ -57785,7 +58084,7 @@ index 82cb169..0a29f68 100644
  ##	Execute samba net in the samba_net domain, and
  ##	allow the specified role the samba_net domain.
  ## </summary>
-@@ -103,6 +145,51 @@ interface(`samba_run_net',`
+@@ -103,6 +164,51 @@ interface(`samba_run_net',`
  	role $2 types samba_net_t;
  ')
  
@@ -57837,7 +58136,7 @@ index 82cb169..0a29f68 100644
  ########################################
  ## <summary>
  ##	Execute smbmount in the smbmount domain.
-@@ -327,7 +414,6 @@ interface(`samba_search_var',`
+@@ -327,7 +433,6 @@ interface(`samba_search_var',`
  		type samba_var_t;
  	')
  
@@ -57845,7 +58144,7 @@ index 82cb169..0a29f68 100644
  	files_search_var_lib($1)
  	allow $1 samba_var_t:dir search_dir_perms;
  ')
-@@ -348,7 +434,6 @@ interface(`samba_read_var_files',`
+@@ -348,7 +453,6 @@ interface(`samba_read_var_files',`
  		type samba_var_t;
  	')
  
@@ -57853,7 +58152,7 @@ index 82cb169..0a29f68 100644
  	files_search_var_lib($1)
  	read_files_pattern($1, samba_var_t, samba_var_t)
  ')
-@@ -388,7 +473,6 @@ interface(`samba_rw_var_files',`
+@@ -388,7 +492,6 @@ interface(`samba_rw_var_files',`
  		type samba_var_t;
  	')
  
@@ -57861,7 +58160,7 @@ index 82cb169..0a29f68 100644
  	files_search_var_lib($1)
  	rw_files_pattern($1, samba_var_t, samba_var_t)
  ')
-@@ -409,9 +493,9 @@ interface(`samba_manage_var_files',`
+@@ -409,9 +512,9 @@ interface(`samba_manage_var_files',`
  		type samba_var_t;
  	')
  
@@ -57872,7 +58171,7 @@ index 82cb169..0a29f68 100644
  ')
  
  ########################################
-@@ -419,15 +503,14 @@ interface(`samba_manage_var_files',`
+@@ -419,15 +522,14 @@ interface(`samba_manage_var_files',`
  ##	Execute a domain transition to run smbcontrol.
  ## </summary>
  ## <param name="domain">
@@ -57891,7 +58190,7 @@ index 82cb169..0a29f68 100644
  	')
  
  	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
-@@ -564,6 +647,7 @@ interface(`samba_domtrans_winbind_helper',`
+@@ -564,6 +666,7 @@ interface(`samba_domtrans_winbind_helper',`
  	')
  
  	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -57899,7 +58198,7 @@ index 82cb169..0a29f68 100644
  ')
  
  ########################################
-@@ -644,6 +728,37 @@ interface(`samba_stream_connect_winbind',`
+@@ -644,6 +747,37 @@ interface(`samba_stream_connect_winbind',`
  
  ########################################
  ## <summary>
@@ -57937,7 +58236,7 @@ index 82cb169..0a29f68 100644
  ##	All of the rules required to administrate 
  ##	an samba environment
  ## </summary>
-@@ -661,21 +776,12 @@ interface(`samba_stream_connect_winbind',`
+@@ -661,21 +795,12 @@ interface(`samba_stream_connect_winbind',`
  #
  interface(`samba_admin',`
  	gen_require(`
@@ -57965,7 +58264,7 @@ index 82cb169..0a29f68 100644
  	')
  
  	allow $1 smbd_t:process { ptrace signal_perms };
-@@ -684,6 +790,9 @@ interface(`samba_admin',`
+@@ -684,6 +809,9 @@ interface(`samba_admin',`
  	allow $1 nmbd_t:process { ptrace signal_perms };
  	ps_process_pattern($1, nmbd_t)
  
@@ -57975,7 +58274,7 @@ index 82cb169..0a29f68 100644
  	samba_run_smbcontrol($1, $2, $3)
  	samba_run_winbind_helper($1, $2, $3)
  	samba_run_smbmount($1, $2, $3)
-@@ -709,9 +818,6 @@ interface(`samba_admin',`
+@@ -709,9 +837,6 @@ interface(`samba_admin',`
  	admin_pattern($1, samba_var_t)
  	files_list_var($1)
  
@@ -57985,7 +58284,7 @@ index 82cb169..0a29f68 100644
  	admin_pattern($1, smbd_var_run_t)
  	files_list_pids($1)
  
-@@ -727,4 +833,7 @@ interface(`samba_admin',`
+@@ -727,4 +852,7 @@ interface(`samba_admin',`
  	admin_pattern($1, winbind_tmp_t)
  
  	admin_pattern($1, winbind_var_run_t)
@@ -58525,10 +58824,10 @@ index 0000000..486d53d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..96adff5
+index 0000000..afa8d37
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,102 @@
 +policy_module(sanlock,1.0.0)
 +
 +########################################
@@ -58597,6 +58896,8 @@ index 0000000..96adff5
 +
 +storage_raw_rw_fixed_disk(sanlock_t)
 +
++auth_use_nsswitch(sanlock_t)
++
 +dev_read_urand(sanlock_t)
 +
 +logging_send_syslog_msg(sanlock_t)
@@ -60440,7 +60741,7 @@ index d2496bd..1d0c078 100644
  
  	allow $1 squid_t:process { ptrace signal_perms };
 diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..7b3d2db 100644
+index 4b2230e..51dc8d8 100644
 --- a/policy/modules/services/squid.te
 +++ b/policy/modules/services/squid.te
 @@ -6,17 +6,17 @@ policy_module(squid, 1.10.0)
@@ -60477,7 +60778,26 @@ index 4b2230e..7b3d2db 100644
  
  type squid_initrc_exec_t;
  init_script_file(squid_initrc_exec_t)
-@@ -90,6 +90,7 @@ files_pid_filetrans(squid_t, squid_var_run_t, file)
+@@ -40,6 +40,9 @@ logging_log_file(squid_log_t)
+ type squid_tmpfs_t;
+ files_tmpfs_file(squid_tmpfs_t)
+ 
++type squid_tmp_t;
++files_tmp_file(squid_tmp_t)
++
+ type squid_var_run_t;
+ files_pid_file(squid_var_run_t)
+ 
+@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+ manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+ fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+ 
++manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
++files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
++
+ manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
+ files_pid_filetrans(squid_t, squid_var_run_t, file)
  
  kernel_read_kernel_sysctls(squid_t)
  kernel_read_system_state(squid_t)
@@ -60485,7 +60805,7 @@ index 4b2230e..7b3d2db 100644
  
  files_dontaudit_getattr_boot_dirs(squid_t)
  
-@@ -169,7 +170,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
  tunable_policy(`squid_connect_any',`
  	corenet_tcp_connect_all_ports(squid_t)
  	corenet_tcp_bind_all_ports(squid_t)
@@ -60495,7 +60815,7 @@ index 4b2230e..7b3d2db 100644
  ')
  
  tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +187,7 @@ optional_policy(`
+@@ -185,6 +194,7 @@ optional_policy(`
  	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
  	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
  	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -60503,7 +60823,7 @@ index 4b2230e..7b3d2db 100644
  
  	sysnet_dns_name_resolve(httpd_squid_script_t)
  
-@@ -206,3 +209,7 @@ optional_policy(`
+@@ -206,3 +216,7 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(squid_t)
  ')
@@ -60536,7 +60856,7 @@ index 078bcd7..84d29ee 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..9001bca 100644
+index 22adaca..8cbaa9a 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,10 @@
@@ -60971,7 +61291,7 @@ index 22adaca..9001bca 100644
  ')
  
  ######################################
-@@ -735,3 +893,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +893,82 @@ interface(`ssh_delete_tmp',`
  	files_search_tmp($1)
  	delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
  ')
@@ -61011,6 +61331,7 @@ index 22adaca..9001bca 100644
 +
 +    allow sshd_t $1:process dyntransition;
 +    allow $1 sshd_t:process sigchld;
++    allow sshd_t $1:process { getattr sigkill sigstop signull signal };
 +')
 +
 +########################################
@@ -61054,7 +61375,7 @@ index 22adaca..9001bca 100644
 +	userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts")
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..e411df0 100644
+index 2dad3c8..7ef3f55 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,44 @@ policy_module(ssh, 2.2.0)
@@ -61392,6 +61713,10 @@ index 2dad3c8..e411df0 100644
 -
 -	optional_policy(`
 -		domain_trans(sshd_t, xauth_exec_t, userdomain)
+-	')
+-',`
+-	optional_policy(`
+-		domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
 +	tunable_policy(`ssh_sysadm_login',`
 +		# Relabel and access ptys created by sshd
 +		# ioctl is necessary for logout() processing for utmp entry and for w to
@@ -61412,10 +61737,6 @@ index 2dad3c8..e411df0 100644
 +		# some versions of sshd on the new SE Linux require setattr
 +		allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms };
  	')
--',`
--	optional_policy(`
--		domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain)
--	')
 -	# Relabel and access ptys created by sshd
 -	# ioctl is necessary for logout() processing for utmp entry and for w to
 -	# display the tty.
@@ -61467,7 +61788,7 @@ index 2dad3c8..e411df0 100644
  ')
  
  optional_policy(`
-@@ -363,3 +436,82 @@ optional_policy(`
+@@ -363,3 +436,81 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(ssh_keygen_t)
  ')
@@ -61502,7 +61823,6 @@ index 2dad3c8..e411df0 100644
 +# chroot_user_t local policy
 +#
 +
-+
 +userdom_read_user_home_content_files(chroot_user_t)
 +userdom_read_inherited_user_home_content_files(chroot_user_t)
 +userdom_read_user_home_content_symlinks(chroot_user_t)
@@ -61550,6 +61870,19 @@ index 2dad3c8..e411df0 100644
 +optional_policy(`
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
+diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
+index 4271815..4bc00ea 100644
+--- a/policy/modules/services/sssd.fc
++++ b/policy/modules/services/sssd.fc
+@@ -4,6 +4,8 @@
+ 
+ /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
+ 
++/var/lib/sss/mc(/.*)?		gen_context(system_u:object_r:sssd_public_t,s0)
++
+ /var/lib/sss/pubconf(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
+ 
+ /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
 index 941380a..ce8c972 100644
 --- a/policy/modules/services/sssd.if
@@ -67963,7 +68296,7 @@ index 28ad538..40f76db 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..2c6ee0e 100644
+index 73554ec..cd2c7cc 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -68096,7 +68429,7 @@ index 73554ec..2c6ee0e 100644
 +
 +	optional_policy(`
 +		fprintd_dbus_chat($1)
- 	')
++	')
 +
 +	optional_policy(`
 +		ssh_agent_exec($1)
@@ -68136,7 +68469,7 @@ index 73554ec..2c6ee0e 100644
 +interface(`authlogin_rw_pipes',`
 +	gen_require(`
 +		attribute polydomain;
-+	')
+ 	')
 +
 +	allow $1 polydomain:fifo_file rw_inherited_fifo_file_perms;
  ')
@@ -68377,7 +68710,7 @@ index 73554ec..2c6ee0e 100644
  ')
  
  ########################################
-@@ -1659,3 +1800,33 @@ interface(`auth_unconfined',`
+@@ -1659,3 +1800,35 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -68396,6 +68729,7 @@ index 73554ec..2c6ee0e 100644
 +	gen_require(`
 +		type shadow_t;
 +		type faillog_t;
++		type lastlog_t;
 +		type wtmp_t;
 +	')
 +
@@ -68405,6 +68739,7 @@ index 73554ec..2c6ee0e 100644
 +	files_etc_filetrans($1, shadow_t, file, "gshadow")
 +	files_var_filetrans($1, shadow_t, file, "shadow")
 +	files_var_filetrans($1, shadow_t, file, "shadow-")
++	logging_log_named_filetrans($1, lastlog_t, file, "lastlog")
 +	logging_log_named_filetrans($1, faillog_t, file, "tallylog")
 +	logging_log_named_filetrans($1, faillog_t, file, "faillog")
 +	logging_log_named_filetrans($1, faillog_t, file, "btmp")
@@ -68965,7 +69300,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..f2689e3 100644
+index 94fd8dd..82d8769 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -69063,17 +69398,17 @@ index 94fd8dd..f2689e3 100644
  		typeattribute $2 direct_init_entry;
  
 -		userdom_dontaudit_use_user_terminals($1)
-+#		userdom_dontaudit_use_user_terminals($1)
- 	')
- 
+-	')
+-
 -	ifdef(`hide_broken_symptoms',`
 -		# RHEL4 systems seem to have a stray
 -		# fds open from the initrd
 -		ifdef(`distro_rhel4',`
 -			kernel_dontaudit_use_fds($1)
 -		')
--	')
--
++#		userdom_dontaudit_use_user_terminals($1)
+ 	')
+ 
 -	optional_policy(`
 -		nscd_socket_use($1)
 +	tunable_policy(`init_upstart || init_systemd',`
@@ -69177,7 +69512,15 @@ index 94fd8dd..f2689e3 100644
  ########################################
  ## <summary>
  ##	Execute init (/sbin/init) with a domain transition.
-@@ -451,6 +501,10 @@ interface(`init_exec',`
+@@ -442,7 +492,6 @@ interface(`init_domtrans',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`init_exec',`
+ 	gen_require(`
+@@ -451,6 +500,29 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -69185,10 +69528,29 @@ index 94fd8dd..f2689e3 100644
 +	tunable_policy(`init_systemd',`
 +		systemd_exec_systemctl($1)
 +	')
++')
++
++#######################################
++## <summary>
++##  Dontaudit getattr on the init program.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`init_dontaudit_getattr_exec',`
++    gen_require(`
++        type init_exec_t;
++    ')
++
++	dontaudit $1 init_exec_t:file getattr;
  ')
  
  ########################################
-@@ -509,6 +563,24 @@ interface(`init_sigchld',`
+@@ -509,6 +581,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -69213,7 +69575,7 @@ index 94fd8dd..f2689e3 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +591,66 @@ interface(`init_sigchld',`
+@@ -519,10 +609,66 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -69282,7 +69644,7 @@ index 94fd8dd..f2689e3 100644
  ')
  
  ########################################
-@@ -688,19 +816,25 @@ interface(`init_telinit',`
+@@ -688,19 +834,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -69309,7 +69671,7 @@ index 94fd8dd..f2689e3 100644
  	')
  ')
  
-@@ -730,7 +864,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +882,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -69318,7 +69680,7 @@ index 94fd8dd..f2689e3 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +907,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +925,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -69342,7 +69704,7 @@ index 94fd8dd..f2689e3 100644
  	')
  ')
  
-@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +953,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -69388,7 +69750,7 @@ index 94fd8dd..f2689e3 100644
  ')
  
  ########################################
-@@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1043,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -69403,7 +69765,7 @@ index 94fd8dd..f2689e3 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1241,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1259,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -69428,7 +69790,7 @@ index 94fd8dd..f2689e3 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1310,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1328,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -69442,7 +69804,7 @@ index 94fd8dd..f2689e3 100644
  ')
  
  ########################################
-@@ -1375,6 +1550,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1568,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -69470,7 +69832,7 @@ index 94fd8dd..f2689e3 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1657,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1675,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -69496,7 +69858,7 @@ index 94fd8dd..f2689e3 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1734,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1752,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -69521,7 +69883,7 @@ index 94fd8dd..f2689e3 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1586,6 +1819,24 @@ interface(`init_read_utmp',`
+@@ -1586,6 +1837,24 @@ interface(`init_read_utmp',`
  
  ########################################
  ## <summary>
@@ -69546,7 +69908,7 @@ index 94fd8dd..f2689e3 100644
  ##	Do not audit attempts to write utmp.
  ## </summary>
  ## <param name="domain">
-@@ -1674,7 +1925,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1943,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -69555,7 +69917,7 @@ index 94fd8dd..f2689e3 100644
  ')
  
  ########################################
-@@ -1715,6 +1966,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1984,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -69684,7 +70046,7 @@ index 94fd8dd..f2689e3 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2122,194 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2140,194 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -75600,7 +75962,7 @@ index ff80d0a..be800df 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..dac04f8 100644
+index 34d0ec5..a9ce01d 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -75636,6 +75998,15 @@ index 34d0ec5..dac04f8 100644
  
  ########################################
  #
+@@ -44,7 +54,7 @@ allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_s
+ dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
++allow dhcpc_t self:process { getsched setsched getcap setcap setfscreate ptrace signal_perms };
+ 
+ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 @@ -57,8 +67,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
  
@@ -76421,10 +76792,10 @@ index 0000000..1688a39
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..b8c56f1
+index 0000000..9106ba4
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,379 @@
+@@ -0,0 +1,381 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -76646,6 +77017,8 @@ index 0000000..b8c56f1
 +files_manage_all_locks(systemd_tmpfiles_t)
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
 +files_delete_all_non_security_files(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
 +files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
@@ -81811,7 +82184,7 @@ index 9b4a930..8525f8a 100644
 +    fs_manage_fusefs_symlinks(userdom_home_manager_type)
 +')
 diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
-index a865da7..a5ed06e 100644
+index a865da7..f22f770 100644
 --- a/policy/modules/system/xen.fc
 +++ b/policy/modules/system/xen.fc
 @@ -1,12 +1,10 @@
@@ -81824,7 +82197,7 @@ index a865da7..a5ed06e 100644
  /usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
  
 -/usr/lib(64)?/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
-+/usr/lib/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
++#/usr/lib/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
  
  ifdef(`distro_debian',`
  /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
@@ -81915,7 +82288,7 @@ index 77d41b6..7ccb440 100644
  
  	files_search_pids($1)
 diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..b82a902 100644
+index 4350ba0..c4c4bcb 100644
 --- a/policy/modules/system/xen.te
 +++ b/policy/modules/system/xen.te
 @@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -81946,7 +82319,18 @@ index 4350ba0..b82a902 100644
  ########################################
  #
  # blktap local policy
-@@ -208,7 +205,7 @@ tunable_policy(`xend_run_qemu',`
+@@ -170,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+ #
+ # qemu-dm local policy
+ #
++
++# TODO: This part of policy should be removed
++#       qemu-dm should run in xend_t domain
++
+ # Do we need to allow execution of qemu-dm?
+ tunable_policy(`xend_run_qemu',`
+ 	allow qemu_dm_t self:capability sys_resource;
+@@ -208,9 +209,14 @@ tunable_policy(`xend_run_qemu',`
  # xend local policy
  #
  
@@ -81954,8 +82338,15 @@ index 4350ba0..b82a902 100644
 +allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
  dontaudit xend_t self:capability { sys_ptrace };
  allow xend_t self:process { signal sigkill };
++
++# needed by qemu_dm
++allow xend_t self:capability sys_resource;
++allow xend_t self:process setrlimit;
++
  dontaudit xend_t self:process ptrace;
-@@ -320,12 +317,9 @@ locallogin_dontaudit_use_fds(xend_t)
+ # internal communication is often done using fifo and unix sockets.
+ allow xend_t self:fifo_file rw_fifo_file_perms;
+@@ -320,13 +326,9 @@ locallogin_dontaudit_use_fds(xend_t)
  
  logging_send_syslog_msg(xend_t)
  
@@ -81965,10 +82356,11 @@ index 4350ba0..b82a902 100644
  miscfiles_read_hwdata(xend_t)
  
 -mount_domtrans(xend_t)
- 
+-
  sysnet_domtrans_dhcpc(xend_t)
  sysnet_signal_dhcpc(xend_t)
-@@ -339,8 +333,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
+ sysnet_domtrans_ifconfig(xend_t)
+@@ -339,8 +341,6 @@ userdom_dontaudit_search_user_home_dirs(xend_t)
  
  xen_stream_connect_xenstore(xend_t)
  
@@ -81977,7 +82369,7 @@ index 4350ba0..b82a902 100644
  optional_policy(`
  	brctl_domtrans(xend_t)
  ')
-@@ -349,6 +341,23 @@ optional_policy(`
+@@ -349,6 +349,23 @@ optional_policy(`
  	consoletype_exec(xend_t)
  ')
  
@@ -82001,7 +82393,7 @@ index 4350ba0..b82a902 100644
  ########################################
  #
  # Xen console local policy
-@@ -413,9 +422,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -413,9 +430,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
  files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
  
  # pid file
@@ -82013,7 +82405,7 @@ index 4350ba0..b82a902 100644
  
  # log files
  manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +452,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +460,11 @@ files_read_etc_files(xenstored_t)
  
  files_read_usr_files(xenstored_t)
  
@@ -82025,7 +82417,7 @@ index 4350ba0..b82a902 100644
  
  init_use_fds(xenstored_t)
  init_use_script_ptys(xenstored_t)
-@@ -457,96 +469,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +477,9 @@ xen_append_log(xenstored_t)
  
  ########################################
  #
@@ -82122,7 +82514,7 @@ index 4350ba0..b82a902 100644
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-@@ -559,8 +484,4 @@ optional_policy(`
+@@ -559,8 +492,4 @@ optional_policy(`
  		fs_manage_nfs_files(xend_t)
  		fs_read_nfs_symlinks(xend_t)
  	')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b9473eb..8c479a8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 81%{?dist}
+Release: 82%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,21 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Apr 6 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-82
+- Add httpd_use_fusefs boolean
+- /etc/auto.* should be labeled bin_t
+- Allow sshd_t to signal processes that it transitions to
+- Rename rdate port to time port, and allow gnomeclock to connect to it
+- Make amavis as nsswitch domain to allow using NIS
+- Make procmail_t as home manager
+- Allow systemd-tmpfiles to getattr/delete fifo_file and sock_file
+- Add port definition for l2tp ports
+- Make qemu-dm running in xend_t domain
+- Allow accountsd to read /proc data about gdm
+- Allow rtkit to schedule wine processes
+- label /var/lib/sss/mc same as pubconf
+- Allow NM to read system config file
+
 * Wed Mar 13 2012 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-81
 - boinc fixes
 - Allow vnstat to search through var_lib_t directories