diff --git a/policy-F16.patch b/policy-F16.patch
index 5e3fd35..5c712f7 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3823,7 +3823,7 @@ index 7bddc02..2b59ed0 100644
+
+/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..634c47a 100644
+index 975af1a..f681195 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -3865,7 +3865,7 @@ index 975af1a..634c47a 100644
allow $1_sudo_t $3:key search;
-@@ -76,88 +62,19 @@ template(`sudo_role_template',`
+@@ -76,86 +62,25 @@ template(`sudo_role_template',`
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $3)
corecmd_bin_domtrans($1_sudo_t, $3)
@@ -3948,19 +3948,19 @@ index 975af1a..634c47a 100644
- fs_manage_cifs_files($1_sudo_t)
- ')
-
-- optional_policy(`
+ optional_policy(`
- dbus_system_bus_client($1_sudo_t)
-- ')
--
-- optional_policy(`
++ mta_role($2, $1_sudo_t)
+ ')
+
+ optional_policy(`
- fprintd_dbus_chat($1_sudo_t)
-- ')
--
-+ mta_role($2, $1_sudo_t)
- ')
++ kerberos_manage_host_rcache($1_sudo_t)
++ kerberos_read_config($1_sudo_t)
+ ')
- ########################################
-@@ -177,3 +94,22 @@ interface(`sudo_sigchld',`
+ ')
+@@ -177,3 +102,22 @@ interface(`sudo_sigchld',`
allow $1 sudodomain:process sigchld;
')
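Review bot: The new optional block at the end of the hunk gives every role's sudo domain manage rights on the host Kerberos replay cache via `kerberos_manage_host_rcache($1_sudo_t)`, which in refpolicy convention means create/write/delete on a host-wide credential artifact, and nothing in the hunk explains why the read or rw form is not enough. Presumably this is for PAM Kerberos authentication verifying the user's ticket against the host keytab, but that motivation is not visible here and should be recorded, e.g. `# sudo's PAM krb5 stack writes the host replay cache when it verifies the TGT (confirm against the denials)`. Because `$1` is the role prefix, this is granted per role, so a single comment next to the call covers all instances. The enclosing `sudo_role_template` starts and ends outside this hunk.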
@@ -5710,7 +5710,7 @@ index 00a19e3..ade1224 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..5bd094e 100644
+index f5afe78..f91a120 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,879 @@
@@ -6780,7 +6780,7 @@ index f5afe78..5bd094e 100644
##
##
##
-@@ -122,17 +1028,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +1028,35 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
@@ -6793,6 +6793,24 @@ index f5afe78..5bd094e 100644
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
++')
++
++#######################################
++##
++## manage gstreamer home content files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_manage_gstreamer_home_dirs',`
++ gen_require(`
++ type gstreamer_home_t;
++ ')
++
++ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
')
########################################
@@ -6802,7 +6820,7 @@ index f5afe78..5bd094e 100644
##
##
##
-@@ -140,51 +1046,303 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1064,303 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -12389,10 +12407,10 @@ index 0000000..5554dc9
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..b4001f1
+index 0000000..6d178d3
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,77 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -12468,7 +12486,8 @@ index 0000000..b4001f1
+ gnome_dontaudit_search_config(thumb_t)
+ gnome_read_generic_data_home_files(thumb_t)
+ gnome_manage_gstreamer_home_files(thumb_t)
-+')
++ gnome_manage_gstreamer_home_dirs(thumb_t)
++')
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 11fe4f2..98bfbf3 100644
--- a/policy/modules/apps/tvtime.te
@@ -24233,19 +24252,22 @@ index e88b95f..1cd57fd 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..0d7d8d1 100644
+index 1bd5812..196cfc9 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
-@@ -1,13 +1,13 @@
+@@ -1,13 +1,16 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
-+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
- /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
--
++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
+
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@@ -24253,7 +24275,7 @@ index 1bd5812..0d7d8d1 100644
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-@@ -15,6 +15,19 @@
+@@ -15,6 +18,19 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -24274,10 +24296,10 @@ index 1bd5812..0d7d8d1 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/policy/modules/services/abrt.if b/policy/modules/services/abrt.if
-index 0b827c5..b2d6129 100644
+index 0b827c5..ac79ca6 100644
--- a/policy/modules/services/abrt.if
+++ b/policy/modules/services/abrt.if
-@@ -71,6 +71,7 @@ interface(`abrt_read_state',`
+@@ -71,12 +71,13 @@ interface(`abrt_read_state',`
type abrt_t;
')
@@ -24285,21 +24307,27 @@ index 0b827c5..b2d6129 100644
ps_process_pattern($1, abrt_t)
')
-@@ -160,8 +161,7 @@ interface(`abrt_run_helper',`
+ ########################################
+ ##
+-## Connect to abrt over an unix stream socket.
++## Connect to abrt over a unix stream socket.
+ ##
+ ##
+ ##
+@@ -160,8 +161,26 @@ interface(`abrt_run_helper',`
########################################
##
-## Send and receive messages from
-## abrt over dbus.
+## Read abrt cache
- ##
- ##
- ##
-@@ -169,12 +169,52 @@ interface(`abrt_run_helper',`
- ##
- ##
- #
--interface(`abrt_cache_manage',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`abrt_read_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
@@ -24312,13 +24340,14 @@ index 0b827c5..b2d6129 100644
+########################################
+##
+## Append abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -169,12 +188,33 @@ interface(`abrt_run_helper',`
+ ##
+ ##
+ #
+-interface(`abrt_cache_manage',`
+interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
@@ -24349,7 +24378,7 @@ index 0b827c5..b2d6129 100644
')
####################################
-@@ -253,6 +293,24 @@ interface(`abrt_manage_pid_files',`
+@@ -253,6 +293,47 @@ interface(`abrt_manage_pid_files',`
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
')
@@ -24371,10 +24400,49 @@ index 0b827c5..b2d6129 100644
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
++########################################
++##
++## Execute abrt server in the abrt domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`abrt_systemctl',`
++ gen_require(`
++ type abrt_t;
++ type abrt_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 abrt_unit_file_t:file read_file_perms;
++ allow $1 abrt_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, abrt_t)
++')
++
#####################################
##
## All of the rules required to administrate
-@@ -286,18 +344,116 @@ interface(`abrt_admin',`
+@@ -276,28 +357,135 @@ interface(`abrt_admin',`
+ type abrt_var_cache_t, abrt_var_log_t;
+ type abrt_var_run_t, abrt_tmp_t;
+ type abrt_initrc_exec_t;
++ type abrt_unit_file_t;
+ ')
+
+- allow $1 abrt_t:process { ptrace signal_perms };
++ allow $1 abrt_t:process { signal_perms };
+ ps_process_pattern($1, abrt_t)
+
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 abrt_t:process ptrace;
++ ')
++
+ init_labeled_script_domtrans($1, abrt_initrc_exec_t)
+ domain_system_change_exemption($1)
role_transition $2 abrt_initrc_exec_t system_r;
allow $2 system_r;
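Review bot: The header comment of the new `abrt_systemctl` interface, `## Execute abrt server in the abrt domain.`, does not describe what the body grants: `systemd_exec_systemctl($1)`, read of `abrt_unit_file_t` and `manage_service_perms` on its service class, i.e. the caller may start, stop and reload abrt through systemctl, not run abrtd itself. Replace the summary with `## Execute systemctl to manage the abrt service (start/stop/status).` and the parameter text `## Domain allowed to transition.` with `## Domain allowed access.`, since no domain transition is defined here. Gating `abrt_t:process ptrace` behind the `deny_ptrace` tunable in `abrt_admin` further down is the right direction; that interface continues outside the hunk.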
@@ -24397,7 +24465,11 @@ index 0b827c5..b2d6129 100644
- files_search_tmp($1)
+ files_list_tmp($1)
admin_pattern($1, abrt_tmp_t)
- ')
++
++ abrt_systemctl($1)
++ admin_pattern($1, abrt_unit_file_t)
++ allow $1 abrt_unit_file_t:service all_service_perms;
++')
+
+####################################
+##
@@ -24495,12 +24567,12 @@ index 0b827c5..b2d6129 100644
+ ')
+
+ dontaudit $1 abrt_t:sock_file write;
-+')
+ ')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..77c9f63 100644
+index 30861ec..c872f94 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
-@@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0)
+@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
# Declarations
#
@@ -24527,7 +24599,16 @@ index 30861ec..77c9f63 100644
type abrt_exec_t;
init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -32,9 +50,20 @@ files_type(abrt_var_cache_t)
+ type abrt_initrc_exec_t;
+ init_script_file(abrt_initrc_exec_t)
+
++type abrt_unit_file_t;
++systemd_unit_file(abrt_unit_file_t)
++
+ # etc files
+ type abrt_etc_t;
+ files_config_file(abrt_etc_t)
+@@ -32,9 +53,20 @@ files_type(abrt_var_cache_t)
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -24549,7 +24630,7 @@ index 30861ec..77c9f63 100644
type abrt_helper_exec_t;
application_domain(abrt_helper_t, abrt_helper_exec_t)
role system_r types abrt_helper_t;
-@@ -43,14 +72,34 @@ ifdef(`enable_mcs',`
+@@ -43,22 +75,48 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
@@ -24573,6 +24654,12 @@ index 30861ec..77c9f63 100644
+type abrt_retrace_spool_t;
+files_spool_file(abrt_retrace_spool_t)
+
++# Support abrt-watch log
++
++type abrt_watch_log_t;
++type abrt_watch_log_exec_t;
++init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
++
########################################
#
# abrt local policy
@@ -24586,15 +24673,16 @@ index 30861ec..77c9f63 100644
allow abrt_t self:fifo_file rw_fifo_file_perms;
allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +108,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
- allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
+ allow abrt_t self:udp_socket create_socket_perms;
+ allow abrt_t self:unix_dgram_socket create_socket_perms;
+-allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
# abrt etc files
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
# log file
-@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -68,7 +126,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
# abrt tmp files
manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
@@ -24604,7 +24692,7 @@ index 30861ec..77c9f63 100644
# abrt var/cache files
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,10 +134,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +142,10 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -24617,7 +24705,7 @@ index 30861ec..77c9f63 100644
kernel_rw_kernel_sysctl(abrt_t)
corecmd_exec_bin(abrt_t)
-@@ -104,6 +156,8 @@ corenet_tcp_connect_all_ports(abrt_t)
+@@ -104,6 +164,8 @@ corenet_tcp_connect_all_ports(abrt_t)
corenet_sendrecv_http_client_packets(abrt_t)
dev_getattr_all_chr_files(abrt_t)
@@ -24626,7 +24714,7 @@ index 30861ec..77c9f63 100644
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +167,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +175,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -24636,24 +24724,26 @@ index 30861ec..77c9f63 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +176,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +184,9 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
+files_dontaudit_read_all_symlinks(abrt_t)
+files_dontaudit_getattr_all_sockets(abrt_t)
++files_list_mnt(abrt_t)
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,15 +188,23 @@ fs_read_nfs_files(abrt_t)
+@@ -131,22 +197,26 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
-sysnet_read_config(abrt_t)
-+sysnet_dns_name_resolve(abrt_t)
-
+-
logging_read_generic_logs(abrt_t)
-logging_send_syslog_msg(abrt_t)
++
++auth_use_nsswitch(abrt_t)
miscfiles_read_generic_certs(abrt_t)
-miscfiles_read_localization(abrt_t)
@@ -24664,26 +24754,19 @@ index 30861ec..77c9f63 100644
+tunable_policy(`abrt_anon_write',`
+ miscfiles_manage_public_files(abrt_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- dbus_system_domain(abrt_t, abrt_exec_t)
+ apache_list_modules(abrt_t)
+ apache_read_modules(abrt_t)
-+')
+ ')
optional_policy(`
- dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +215,11 @@ optional_policy(`
+- nis_use_ypbind(abrt_t)
++ dbus_system_domain(abrt_t, abrt_exec_t)
')
optional_policy(`
-+ nsplugin_read_rw_files(abrt_t)
-+ nsplugin_read_home(abrt_t)
-+')
-+
-+optional_policy(`
- policykit_dbus_chat(abrt_t)
- policykit_domtrans_auth(abrt_t)
- policykit_read_lib(abrt_t)
@@ -167,6 +237,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
@@ -24758,7 +24841,7 @@ index 30861ec..77c9f63 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +317,128 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +317,146 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -24766,7 +24849,7 @@ index 30861ec..77c9f63 100644
+ optional_policy(`
+ rpm_dontaudit_leaks(abrt_helper_t)
+ ')
- ')
++')
+
+ifdef(`hide_broken_symptoms',`
+ gen_require(`
@@ -24877,6 +24960,24 @@ index 30861ec..77c9f63 100644
+
+#######################################
+#
++# abrt_watch_log local policy
++#
++
++allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
++allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
++
++read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
++
++domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
++
++logging_read_all_logs(abrt_watch_log_t)
++
++optional_policy(`
++ unconfined_domain(abrt_watch_log_t)
+ ')
++
++#######################################
++#
+# Local policy for all abrt domain
+#
+
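Review bot: The `unconfined_domain(abrt_watch_log_t)` optional block at the end of the new abrt_watch_log section makes the targeted rules above it (read of `abrt_etc_t`, the domtrans to `abrt_dump_oops_t`, `logging_read_all_logs`) moot whenever the unconfined module is loaded, because the domain then carries the unconfined attribute and the confinement the new type was declared for is gone. If the intent is to collect denials while the policy is still being written, a permissive declaration (`permissive abrt_watch_log_t;`, if this tree's policy version supports it) or a comment stating that unconfined is temporary and when it will be removed would preserve the confinement goal; if it is deliberate, the reason should be stated, e.g. `# abrt-watch-log runs unconfined until its access pattern is known; TODO confine`. `logging_read_all_logs` alone already exposes every log type on the host to this daemon, which argues for keeping it confined rather than for accepting unconfined.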
@@ -25364,7 +25465,7 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..a5571ff 100644
+index 9e39aa5..9067769 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,30 @@
@@ -25449,7 +25550,7 @@ index 9e39aa5..a5571ff 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,20 +87,26 @@ ifdef(`distro_suse', `
+@@ -73,20 +87,27 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25460,6 +25561,7 @@ index 9e39aa5..a5571ff 100644
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
@@ -25478,7 +25580,7 @@ index 9e39aa5..a5571ff 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +125,30 @@ ifdef(`distro_debian', `
+@@ -105,7 +126,30 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -31680,10 +31782,10 @@ index 0000000..ed13d1e
+
diff --git a/policy/modules/services/collectd.te b/policy/modules/services/collectd.te
new file mode 100644
-index 0000000..7bd44e8
+index 0000000..faad53d
--- /dev/null
+++ b/policy/modules/services/collectd.te
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,86 @@
+policy_module(collectd, 1.0.0)
+
+########################################
@@ -31718,6 +31820,7 @@ index 0000000..7bd44e8
+#
+
+allow collectd_t self:capability ipc_lock;
++dontaudit collectd_t self:capability net_admin;
+allow collectd_t self:process { signal fork };
+
+allow collectd_t self:fifo_file rw_fifo_file_perms;
@@ -47380,7 +47483,7 @@ index 8581040..3983667 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index bf64a4c..2275f40 100644
+index bf64a4c..add7b8f 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -5,6 +5,8 @@ policy_module(nagios, 1.10.0)
@@ -47586,7 +47689,7 @@ index bf64a4c..2275f40 100644
# needed by check_users plugin
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
-@@ -389,3 +408,52 @@ optional_policy(`
+@@ -389,3 +408,54 @@ optional_policy(`
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -47630,6 +47733,8 @@ index bf64a4c..2275f40 100644
+
+kernel_read_system_state(nagios_plugin_domain)
+
++corecmd_exec_bin(nagios_plugin_domain)
++
+dev_read_urand(nagios_plugin_domain)
+dev_read_rand(nagios_plugin_domain)
+
@@ -49743,7 +49848,7 @@ index 8ac407e..8235fb6 100644
admin_pattern($1, pads_config_t)
')
diff --git a/policy/modules/services/pads.te b/policy/modules/services/pads.te
-index b246bdd..84afa7a 100644
+index b246bdd..e6a686f 100644
--- a/policy/modules/services/pads.te
+++ b/policy/modules/services/pads.te
@@ -1,4 +1,4 @@
@@ -49776,7 +49881,15 @@ index b246bdd..84afa7a 100644
allow pads_t pads_config_t:file manage_file_perms;
files_etc_filetrans(pads_t, pads_config_t, file)
-@@ -48,6 +48,7 @@ corenet_tcp_connect_prelude_port(pads_t)
+@@ -37,6 +37,7 @@ allow pads_t pads_var_run_t:file manage_file_perms;
+ files_pid_filetrans(pads_t, pads_var_run_t, file)
+
+ kernel_read_sysctl(pads_t)
++kernel_read_network_state(pads_t)
+
+ corecmd_search_bin(pads_t)
+
+@@ -48,6 +49,7 @@ corenet_tcp_connect_prelude_port(pads_t)
dev_read_rand(pads_t)
dev_read_urand(pads_t)
@@ -51506,10 +51619,10 @@ index 0000000..b11f37a
+')
diff --git a/policy/modules/services/polipo.te b/policy/modules/services/polipo.te
new file mode 100644
-index 0000000..7750ace
+index 0000000..299b3ed
--- /dev/null
+++ b/policy/modules/services/polipo.te
-@@ -0,0 +1,170 @@
+@@ -0,0 +1,172 @@
+policy_module(polipo, 1.0.0)
+
+########################################
@@ -51627,6 +51740,8 @@ index 0000000..7750ace
+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
+
+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
++files_var_filetrans(polipo_t, polipo_cache_t, dir)
+
+append_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
+
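Review bot: `files_var_filetrans(polipo_t, polipo_cache_t, dir)` is an unnamed transition, so any directory polipo_t creates directly in a var_t-labeled directory is labeled `polipo_cache_t`, not only its cache directory. This patch already uses a named transition elsewhere (`logging_log_named_filetrans($1, wtmp_t, file, "wtmp")` in authlogin.if), so if the files interface in this tree accepts a name argument, restricting the transition to the cache directory's basename is the safer form, e.g. `files_var_filetrans(polipo_t, polipo_cache_t, dir, "polipo")` if the .fc labels /var/cache/polipo; if it does not, a comment naming the intended directory would at least make the scope explicit. The polipo local-policy block continues outside the hunk.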
@@ -69208,7 +69323,7 @@ index 73554ec..cd2c7cc 100644
+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..7edafde 100644
+index b7a5f00..c175fd9 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
@@ -69289,7 +69404,7 @@ index b7a5f00..7edafde 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -388,10 +409,71 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +409,72 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -69357,6 +69472,7 @@ index b7a5f00..7edafde 100644
+
+optional_policy(`
+ sssd_stream_connect(nsswitch_domain)
++ sssd_read_public_files(nsswitch_domain)
+')
+
+optional_policy(`
@@ -77302,10 +77418,10 @@ index 0000000..d77929b
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..d0fcf7c
+index 0000000..af1e889
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,393 @@
+@@ -0,0 +1,394 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -77537,6 +77653,7 @@ index 0000000..d0fcf7c
+files_manage_all_pids(systemd_tmpfiles_t)
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_manage_all_locks(systemd_tmpfiles_t)
++files_read_generic_tmp_symlinks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
+files_delete_all_non_security_files(systemd_tmpfiles_t)
+files_delete_all_pid_sockets(systemd_tmpfiles_t)
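Review bot: `files_read_generic_tmp_symlinks(systemd_tmpfiles_t)` lets a domain that, per the adjacent lines, also holds `files_setattr_all_tmp_dirs`, `files_delete_all_non_security_files` and `files_manage_all_locks` follow symlinks that unprivileged users can create in /tmp; once the link is readable, and given how broad those delete/setattr rules are, the target's label is unlikely to stop a user-planted link from redirecting a setattr or unlink outside /tmp, so safety rests on tmpfiles' own O_NOFOLLOW-style handling rather than on MAC. That is probably acceptable for systemd-tmpfiles, but it is a deliberate trust decision and should be recorded next to the rule: `# tmpfiles resolves /tmp symlinks itself; policy no longer prevents a user-created link from redirecting its setattr/delete`. The systemd_tmpfiles_t block starts before this hunk.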
@@ -78913,7 +79030,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..48bc324 100644
+index 4b2878a..46e298b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -80268,7 +80385,18 @@ index 4b2878a..48bc324 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1546,8 @@ template(`userdom_security_admin_template',`
+@@ -1165,6 +1501,10 @@ template(`userdom_admin_user_template',`
+ fs_read_noxattr_fs_files($1_t)
+ ')
+
++ tunable_policy(`user_tcp_server',`
++ corenet_tcp_bind_all_unreserved_ports($1_t)
++ ')
++
+ optional_policy(`
+ postgresql_unconfined($1_t)
+ ')
+@@ -1210,6 +1550,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -80277,7 +80405,7 @@ index 4b2878a..48bc324 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1560,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1564,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -80288,7 +80416,7 @@ index 4b2878a..48bc324 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1573,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1577,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -80317,7 +80445,7 @@ index 4b2878a..48bc324 100644
')
optional_policy(`
-@@ -1251,12 +1601,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1605,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -80333,7 +80461,7 @@ index 4b2878a..48bc324 100644
')
optional_policy(`
-@@ -1279,49 +1629,98 @@ template(`userdom_security_admin_template',`
+@@ -1279,44 +1633,93 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -80396,12 +80524,10 @@ index 4b2878a..48bc324 100644
#
-interface(`userdom_setattr_user_ptys',`
+interface(`userdom_user_tmpfs_content',`
- gen_require(`
-- type user_devpts_t;
++ gen_require(`
+ attribute user_tmpfs_type;
- ')
-
-- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++ ')
++
+ typeattribute $1 user_tmpfs_type;
+
+ files_tmpfs_file($1)
@@ -80438,15 +80564,10 @@ index 4b2878a..48bc324 100644
+##
+#
+interface(`userdom_setattr_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
- ')
-
- ########################################
-@@ -1395,6 +1794,7 @@ interface(`userdom_search_user_home_dirs',`
+ gen_require(`
+ type user_devpts_t;
+ ')
+@@ -1395,6 +1798,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -80454,7 +80575,7 @@ index 4b2878a..48bc324 100644
files_search_home($1)
')
-@@ -1441,6 +1841,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1845,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -80469,7 +80590,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -1456,9 +1864,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1868,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -80481,7 +80602,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -1515,6 +1925,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1929,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -80524,7 +80645,7 @@ index 4b2878a..48bc324 100644
########################################
##
## Create directories in the home dir root with
-@@ -1589,6 +2035,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +2039,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -80533,7 +80654,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -1603,10 +2051,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2055,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -80548,7 +80669,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -1649,6 +2099,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2103,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -80592,7 +80713,7 @@ index 4b2878a..48bc324 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1668,6 +2155,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1668,6 +2159,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -80618,7 +80739,7 @@ index 4b2878a..48bc324 100644
## Mmap user home files.
##
##
-@@ -1698,14 +2204,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1698,14 +2208,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -80656,7 +80777,7 @@ index 4b2878a..48bc324 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2244,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2248,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -80674,7 +80795,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -1779,6 +2310,60 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2314,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
@@ -80735,7 +80856,7 @@ index 4b2878a..48bc324 100644
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2395,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2399,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -80745,7 +80866,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -1827,20 +2411,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2415,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -80770,7 +80891,7 @@ index 4b2878a..48bc324 100644
########################################
##
-@@ -1941,6 +2519,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -1941,6 +2523,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
########################################
##
@@ -80795,7 +80916,7 @@ index 4b2878a..48bc324 100644
## Create, read, write, and delete named pipes
## in a user home subdirectory.
##
-@@ -2008,7 +2604,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2608,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -80804,7 +80925,7 @@ index 4b2878a..48bc324 100644
files_search_home($1)
')
-@@ -2039,7 +2635,7 @@ interface(`userdom_user_home_content_filetrans',`
+@@ -2039,7 +2639,7 @@ interface(`userdom_user_home_content_filetrans',`
type user_home_dir_t, user_home_t;
')
@@ -80813,7 +80934,7 @@ index 4b2878a..48bc324 100644
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
-@@ -2158,11 +2754,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2158,11 +2758,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -80828,7 +80949,7 @@ index 4b2878a..48bc324 100644
files_search_tmp($1)
')
-@@ -2182,7 +2778,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2782,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -80837,7 +80958,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -2390,7 +2986,7 @@ interface(`userdom_user_tmp_filetrans',`
+@@ -2390,7 +2990,7 @@ interface(`userdom_user_tmp_filetrans',`
type user_tmp_t;
')
@@ -80846,7 +80967,7 @@ index 4b2878a..48bc324 100644
files_search_tmp($1)
')
-@@ -2419,6 +3015,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2419,6 +3019,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2)
')
@@ -80872,7 +80993,7 @@ index 4b2878a..48bc324 100644
########################################
##
## Read user tmpfs files.
-@@ -2435,13 +3050,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +3054,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -80888,7 +81009,7 @@ index 4b2878a..48bc324 100644
##
##
##
-@@ -2462,7 +3078,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,7 +3082,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -80897,7 +81018,7 @@ index 4b2878a..48bc324 100644
##
##
##
-@@ -2470,14 +3086,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2470,14 +3090,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -80932,7 +81053,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -2572,7 +3204,7 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3208,7 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -80941,7 +81062,7 @@ index 4b2878a..48bc324 100644
##
##
##
-@@ -2580,48 +3212,97 @@ interface(`userdom_use_user_ttys',`
+@@ -2580,48 +3216,97 @@ interface(`userdom_use_user_ttys',`
##
##
#
@@ -81063,7 +81184,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -2640,8 +3321,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2640,8 +3325,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -81093,7 +81214,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -2713,6 +3413,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2713,6 +3417,24 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -81118,7 +81239,7 @@ index 4b2878a..48bc324 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2736,24 +3454,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2736,24 +3458,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -81143,7 +81264,7 @@ index 4b2878a..48bc324 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -2772,25 +3472,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2772,25 +3476,6 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -81169,7 +81290,7 @@ index 4b2878a..48bc324 100644
########################################
##
## Manage unpriviledged user SysV shared
-@@ -2852,7 +3533,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2852,7 +3537,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -81178,7 +81299,7 @@ index 4b2878a..48bc324 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2868,29 +3549,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2868,29 +3553,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -81212,7 +81333,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -2972,7 +3637,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2972,7 +3641,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -81221,7 +81342,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -3027,7 +3692,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3027,7 +3696,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -81268,7 +81389,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -3045,7 +3748,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3045,7 +3752,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
type user_tty_device_t;
')
@@ -81277,7 +81398,7 @@ index 4b2878a..48bc324 100644
')
########################################
-@@ -3064,6 +3767,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3064,6 +3771,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -81285,7 +81406,7 @@ index 4b2878a..48bc324 100644
kernel_search_proc($1)
')
-@@ -3140,6 +3844,42 @@ interface(`userdom_signal_all_users',`
+@@ -3140,6 +3848,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -81328,7 +81449,7 @@ index 4b2878a..48bc324 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3160,6 +3900,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3160,6 +3904,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -81353,7 +81474,7 @@ index 4b2878a..48bc324 100644
## Create keys for all user domains.
##
##
-@@ -3194,3 +3952,1238 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3956,1238 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 042c5d3..e0291d1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 88%{?dist}
+Release: 89%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,20 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Jun 12 2012 Miroslav Grepl 3.10.0-89
+- Allow systemd to read tmp_t link files
+- Backport ABRT policy from F17
+- Allow nagios domains to execute bin_t
+- Allow pads to read kernel network state
+- Allow sudo domains to manage kerberos rcache files
+- Allow polipo to manage polipo_cache dirs
+- Allow nsswitch domains to read sssd public files
+- Dontaudit net_admin capability for collectd
+- Allow thumb_t to create gstreamer dirs
+- user_tcp_server boolean should be also for sysadm_t
+- Add labeling for /var/lib/lighttpd
+- Fix files_lib_filetrans_shared_lib() interface
+
* Fri May 4 2012 Miroslav Grepl 3.10.0-88
- Allow jockey to use its own fifo_file
- Allow collectd to read /dev/random