diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 69cca27..504052b 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -8888,7 +8888,7 @@ index 6a1e4d1..84e8030 100644
+ dontaudit $1 domain:dir_file_class_set audit_access;
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..c58f23f 100644
+index cf04cb5..4b49713 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -9026,7 +9026,7 @@ index cf04cb5..c58f23f 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +232,322 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +232,326 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -9329,6 +9329,10 @@ index cf04cb5..c58f23f 100644
+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
+
+optional_policy(`
++ rkhunter_append_lib_files(domain)
++')
++
++optional_policy(`
+ rpm_rw_script_inherited_pipes(domain)
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
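Review bot: `rkhunter_append_lib_files(domain)` hands append access to the entire `domain` attribute, i.e. every process type in the policy, and nothing in the hunk records why such a broad grant is needed. If, as the interface name suggests, the target is rkhunter's var_lib content, any domain could then write into the data the rootkit-hunter relies on, so a grant scoped to the specific domain that triggered this, or at least a comment stating the driver, would be preferable. A one-line comment above the block such as `# every domain appends to rkhunter lib files: <reason / bug reference placeholder>` would make the scope a deliberate decision rather than an accident. The enclosing `domain` rules continue outside the hunk.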
@@ -9600,7 +9604,7 @@ index c2c6e05..2282452 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..49a7b11 100644
+index 64ff4d7..8eb459b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10647,10 +10651,29 @@ index 64ff4d7..49a7b11 100644
')
########################################
-@@ -3132,6 +3686,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3132,6 +3686,44 @@ interface(`files_getattr_isid_type_dirs',`
########################################
##
++## Getattr all file opbjects on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_getattr_isid_type',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:dir_file_class_set getattr;
++')
++
++########################################
++##
+## Setattr of directories on new filesystems
+## that have not yet been labeled.
+##
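Review bot: The summary of the new `files_getattr_isid_type` interface has a typo, `opbjects` for `objects`, and says "Getattr all file opbjects" while the body allows `getattr` on `dir_file_class_set` for `unlabeled_t`; `## Get the attributes of all file objects on new filesystems` would read cleanly and match the rule. The `##` lines between the summary and `Domain allowed access.` appear empty here; if that is not just an artefact of how the page was captured, the summary and param markup the surrounding interfaces use is missing and the interface will not be documented like its neighbours. Its name is also less specific than the adjacent `files_getattr_isid_type_dirs`, so a short comment on what "all objects" covers would help callers pick the right one.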
@@ -10673,7 +10696,7 @@ index 64ff4d7..49a7b11 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
-@@ -3205,6 +3778,62 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3205,6 +3797,62 @@ interface(`files_delete_isid_type_dirs',`
delete_dirs_pattern($1, file_t, file_t)
')
@@ -10736,7 +10759,7 @@ index 64ff4d7..49a7b11 100644
########################################
##
-@@ -3246,6 +3875,25 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3246,6 +3894,25 @@ interface(`files_mounton_isid_type_dirs',`
########################################
##
@@ -10762,7 +10785,7 @@ index 64ff4d7..49a7b11 100644
## Read files on new filesystems
## that have not yet been labeled.
##
-@@ -3455,6 +4103,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3455,6 +4122,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -10788,7 +10811,7 @@ index 64ff4d7..49a7b11 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3796,20 +4463,38 @@ interface(`files_list_mnt',`
+@@ -3796,20 +4482,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -10832,7 +10855,7 @@ index 64ff4d7..49a7b11 100644
')
########################################
-@@ -4199,6 +4884,172 @@ interface(`files_read_world_readable_sockets',`
+@@ -4199,6 +4903,172 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -11005,7 +11028,7 @@ index 64ff4d7..49a7b11 100644
########################################
##
## Allow the specified type to associate
-@@ -4221,6 +5072,26 @@ interface(`files_associate_tmp',`
+@@ -4221,6 +5091,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -11032,7 +11055,7 @@ index 64ff4d7..49a7b11 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4234,17 +5105,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4234,17 +5124,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -11071,7 +11094,7 @@ index 64ff4d7..49a7b11 100644
##
##
#
-@@ -4271,6 +5162,7 @@ interface(`files_search_tmp',`
+@@ -4271,6 +5181,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -11079,7 +11102,7 @@ index 64ff4d7..49a7b11 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4307,6 +5199,7 @@ interface(`files_list_tmp',`
+@@ -4307,6 +5218,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -11087,7 +11110,7 @@ index 64ff4d7..49a7b11 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4316,7 +5209,7 @@ interface(`files_list_tmp',`
+@@ -4316,7 +5228,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -11096,10 +11119,11 @@ index 64ff4d7..49a7b11 100644
##
##
#
-@@ -4328,6 +5221,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4328,7 +5240,26 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
+-########################################
+#######################################
+##
+## Allow read and write to the tmp directory (/tmp).
@@ -11119,10 +11143,11 @@ index 64ff4d7..49a7b11 100644
+ allow $1 tmp_t:dir rw_dir_perms;
+')
+
- ########################################
++########################################
##
## Remove entries from the tmp directory.
-@@ -4343,6 +5255,7 @@ interface(`files_delete_tmp_dir_entry',`
+ ##
+@@ -4343,6 +5274,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -11130,11 +11155,10 @@ index 64ff4d7..49a7b11 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4384,7 +5297,33 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4384,6 +5316,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
--## Manage temporary files and directories in /tmp.
+## Allow shared library text relocations in tmp files.
+##
+##
@@ -11161,11 +11185,10 @@ index 64ff4d7..49a7b11 100644
+
+########################################
+##
-+## Manage temporary files and directories in /tmp.
+ ## Manage temporary files and directories in /tmp.
##
##
- ##
-@@ -4438,6 +5377,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4438,6 +5396,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -11208,7 +11231,7 @@ index 64ff4d7..49a7b11 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4456,6 +5431,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4456,6 +5450,60 @@ interface(`files_setattr_all_tmp_dirs',`
########################################
##
@@ -11269,7 +11292,7 @@ index 64ff4d7..49a7b11 100644
## List all tmp directories.
##
##
-@@ -4501,7 +5530,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4501,7 +5549,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -11278,7 +11301,7 @@ index 64ff4d7..49a7b11 100644
##
##
#
-@@ -4561,7 +5590,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4561,7 +5609,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -11287,7 +11310,7 @@ index 64ff4d7..49a7b11 100644
##
##
#
-@@ -4593,6 +5622,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4593,6 +5641,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -11332,7 +11355,7 @@ index 64ff4d7..49a7b11 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4646,6 +5713,16 @@ interface(`files_purge_tmp',`
+@@ -4646,6 +5732,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11349,7 +11372,7 @@ index 64ff4d7..49a7b11 100644
')
########################################
-@@ -5223,6 +6300,24 @@ interface(`files_list_var',`
+@@ -5223,6 +6319,24 @@ interface(`files_list_var',`
########################################
##
@@ -11374,7 +11397,7 @@ index 64ff4d7..49a7b11 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5507,6 +6602,23 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5507,6 +6621,23 @@ interface(`files_rw_var_lib_dirs',`
rw_dirs_pattern($1, var_lib_t, var_lib_t)
')
@@ -11398,7 +11421,7 @@ index 64ff4d7..49a7b11 100644
########################################
##
## Create objects in the /var/lib directory
-@@ -5578,6 +6690,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6709,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11424,7 +11447,7 @@ index 64ff4d7..49a7b11 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5623,7 +6754,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6773,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -11433,7 +11456,7 @@ index 64ff4d7..49a7b11 100644
##
##
##
-@@ -5631,12 +6762,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6781,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -11449,7 +11472,7 @@ index 64ff4d7..49a7b11 100644
')
########################################
-@@ -5654,6 +6786,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6805,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11457,7 +11480,7 @@ index 64ff4d7..49a7b11 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5680,7 +6813,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6832,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -11485,7 +11508,7 @@ index 64ff4d7..49a7b11 100644
##
##
##
-@@ -5688,13 +6840,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6859,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -11502,7 +11525,7 @@ index 64ff4d7..49a7b11 100644
')
########################################
-@@ -5713,7 +6864,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6883,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11511,7 +11534,7 @@ index 64ff4d7..49a7b11 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5746,7 +6897,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6916,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -11519,7 +11542,7 @@ index 64ff4d7..49a7b11 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5761,7 +6911,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6930,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -11528,7 +11551,7 @@ index 64ff4d7..49a7b11 100644
##
##
##
-@@ -5769,13 +6919,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6938,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -11563,7 +11586,7 @@ index 64ff4d7..49a7b11 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5791,13 +6961,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6980,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -11581,7 +11604,7 @@ index 64ff4d7..49a7b11 100644
')
########################################
-@@ -5816,9 +6985,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +7004,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11592,7 +11615,7 @@ index 64ff4d7..49a7b11 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5860,8 +7027,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +7046,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11602,7 +11625,7 @@ index 64ff4d7..49a7b11 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +7049,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +7068,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11612,7 +11635,7 @@ index 64ff4d7..49a7b11 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7086,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +7105,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11622,7 +11645,7 @@ index 64ff4d7..49a7b11 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5961,7 +7125,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7144,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11631,7 +11654,7 @@ index 64ff4d7..49a7b11 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5981,10 +7145,48 @@ interface(`files_search_pids',`
+@@ -5981,10 +7164,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11680,77 +11703,51 @@ index 64ff4d7..49a7b11 100644
########################################
##
## Do not audit attempts to search
-@@ -6007,27 +7209,27 @@ interface(`files_dontaudit_search_pids',`
+@@ -6007,6 +7228,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
--## List the contents of the runtime process
--## ID directories (/var/run).
+## Do not audit attempts to search
+## the all /var/run directory.
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
- ##
- ##
- #
--interface(`files_list_pids',`
++##
++##
++#
+interface(`files_dontaudit_search_all_pids',`
- gen_require(`
-- type var_t, var_run_t;
++ gen_require(`
+ attribute pidfile;
++ ')
++
++ dontaudit $1 pidfile:dir search_dir_perms;
++')
++
++########################################
++##
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
+ ##
+@@ -6021,7 +7261,7 @@ interface(`files_list_pids',`
+ type var_t, var_run_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-+ dontaudit $1 pidfile:dir search_dir_perms;
++ files_search_pids($1)
+ list_dirs_pattern($1, var_t, var_run_t)
')
- ########################################
- ##
--## Read generic process ID files.
-+## List the contents of the runtime process
-+## ID directories (/var/run).
- ##
- ##
- ##
-@@ -6035,12 +7237,31 @@ interface(`files_list_pids',`
- ##
- ##
- #
--interface(`files_read_generic_pids',`
-+interface(`files_list_pids',`
- gen_require(`
+@@ -6040,7 +7280,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_search_pids($1)
-+ list_dirs_pattern($1, var_t, var_run_t)
-+')
-+
-+########################################
-+##
-+## Read generic process ID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_pids',`
-+ gen_require(`
-+ type var_t, var_run_t;
-+ ')
-+
-+ files_search_pids($1)
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6060,7 +7281,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7300,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
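Review bot: `files_dontaudit_search_all_pids` silences `search` denials on every type carrying the `pidfile` attribute, which is far broader than the per-type dontaudits around it and removes audit evidence that would otherwise show a domain probing other services' runtime directories; a comment naming the caller that needs it would justify the breadth. The summary also reads `Do not audit attempts to search the all /var/run directory.`, which should be `Do not audit attempts to search all process ID directories.` or similar. Separately, `files_list_pids` and `files_read_generic_pids` now call `files_search_pids($1)` in place of the direct `allow $1 var_run_t:lnk_file read_lnk_file_perms;` rule; whether the symlink read access is preserved depends on the body of `files_search_pids`, which the immediately preceding inner hunk touches but which is not visible in full here, so that should be confirmed.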
@@ -11759,7 +11756,7 @@ index 64ff4d7..49a7b11 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6122,7 +7343,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7362,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11767,7 +11764,7 @@ index 64ff4d7..49a7b11 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6151,6 +7371,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,6 +7390,24 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -11792,7 +11789,7 @@ index 64ff4d7..49a7b11 100644
## Read and write generic process ID files.
##
##
-@@ -6164,7 +7402,7 @@ interface(`files_rw_generic_pids',`
+@@ -6164,7 +7421,7 @@ interface(`files_rw_generic_pids',`
type var_t, var_run_t;
')
@@ -11801,7 +11798,7 @@ index 64ff4d7..49a7b11 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6231,6 +7469,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,6 +7488,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -11918,7 +11915,7 @@ index 64ff4d7..49a7b11 100644
## Read all process ID files.
##
##
-@@ -6243,12 +7591,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6243,12 +7610,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
interface(`files_read_all_pids',`
gen_require(`
attribute pidfile;
@@ -12007,7 +12004,7 @@ index 64ff4d7..49a7b11 100644
')
########################################
-@@ -6268,8 +7690,8 @@ interface(`files_delete_all_pids',`
+@@ -6268,8 +7709,8 @@ interface(`files_delete_all_pids',`
type var_t, var_run_t;
')
@@ -12017,7 +12014,7 @@ index 64ff4d7..49a7b11 100644
allow $1 var_run_t:dir rmdir;
allow $1 var_run_t:lnk_file delete_lnk_file_perms;
delete_files_pattern($1, pidfile, pidfile)
-@@ -6293,36 +7715,80 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6293,36 +7734,80 @@ interface(`files_delete_all_pid_dirs',`
type var_t, var_run_t;
')
@@ -12109,7 +12106,7 @@ index 64ff4d7..49a7b11 100644
##
##
##
-@@ -6330,12 +7796,33 @@ interface(`files_manage_all_pids',`
+@@ -6330,12 +7815,33 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -12146,7 +12143,7 @@ index 64ff4d7..49a7b11 100644
')
########################################
-@@ -6562,3 +8049,514 @@ interface(`files_unconfined',`
+@@ -6562,3 +8068,514 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -23337,7 +23334,7 @@ index 6bf0ecc..115c533 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..adbe339 100644
+index 2696452..38c1435 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -23809,7 +23806,7 @@ index 2696452..adbe339 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -365,20 +525,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -23824,6 +23821,7 @@ index 2696452..adbe339 100644
+manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
-logging_log_filetrans(xdm_t, xserver_log_t, file)
++files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")
kernel_read_system_state(xdm_t)
+kernel_read_device_sysctls(xdm_t)
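Review bot: `files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm")` labels a directory that `xdm_t` creates as `gdm` under the generic var type with the X server log type, but the hunk shows no matching file context entry, so a relabel would presumably reset it to the generic label and the transition would only hold until the next restorecon. If the corresponding `.fc` entry lives elsewhere in the patch, a comment next to the rule naming it, e.g. `# runtime-created gdm dir under /var, paired with <fc entry placeholder>`, would make the pairing checkable. The enclosing `xdm_t` rules continue outside the hunk.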
@@ -23841,7 +23839,7 @@ index 2696452..adbe339 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -388,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -23895,7 +23893,7 @@ index 2696452..adbe339 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +610,28 @@ files_list_mnt(xdm_t)
+@@ -430,9 +611,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23924,7 +23922,7 @@ index 2696452..adbe339 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23973,7 +23971,7 @@ index 2696452..adbe339 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +688,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -24124,7 +24122,7 @@ index 2696452..adbe339 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +839,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -24151,7 +24149,7 @@ index 2696452..adbe339 100644
')
optional_policy(`
-@@ -514,12 +865,57 @@ optional_policy(`
+@@ -514,12 +866,57 @@ optional_policy(`
')
optional_policy(`
@@ -24209,7 +24207,7 @@ index 2696452..adbe339 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +933,78 @@ optional_policy(`
+@@ -537,28 +934,78 @@ optional_policy(`
')
optional_policy(`
@@ -24297,7 +24295,7 @@ index 2696452..adbe339 100644
')
optional_policy(`
-@@ -570,6 +1016,14 @@ optional_policy(`
+@@ -570,6 +1017,14 @@ optional_policy(`
')
optional_policy(`
@@ -24312,7 +24310,7 @@ index 2696452..adbe339 100644
xfs_stream_connect(xdm_t)
')
-@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -584,7 +1039,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -24321,7 +24319,7 @@ index 2696452..adbe339 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +1049,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24334,7 +24332,7 @@ index 2696452..adbe339 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +1066,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -24350,7 +24348,7 @@ index 2696452..adbe339 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -617,6 +1082,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -24361,7 +24359,7 @@ index 2696452..adbe339 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +1097,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24383,7 +24381,7 @@ index 2696452..adbe339 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +1117,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -24397,7 +24395,7 @@ index 2696452..adbe339 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1143,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -24429,7 +24427,7 @@ index 2696452..adbe339 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,7 +1175,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -24447,7 +24445,7 @@ index 2696452..adbe339 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1198,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -24471,7 +24469,7 @@ index 2696452..adbe339 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -729,8 +1217,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -24480,7 +24478,7 @@ index 2696452..adbe339 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1260,44 @@ optional_policy(`
+@@ -775,16 +1261,44 @@ optional_policy(`
')
optional_policy(`
@@ -24526,7 +24524,7 @@ index 2696452..adbe339 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1306,10 @@ optional_policy(`
+@@ -793,6 +1307,10 @@ optional_policy(`
')
optional_policy(`
@@ -24537,7 +24535,7 @@ index 2696452..adbe339 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1326,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -24551,7 +24549,7 @@ index 2696452..adbe339 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1337,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -24560,7 +24558,7 @@ index 2696452..adbe339 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1350,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24595,7 +24593,7 @@ index 2696452..adbe339 100644
')
optional_policy(`
-@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1415,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24604,7 +24602,7 @@ index 2696452..adbe339 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1469,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -24636,7 +24634,7 @@ index 2696452..adbe339 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1515,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -28408,7 +28406,7 @@ index 24e7804..45d0b37 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..fb85065 100644
+index dd3be8d..3f4f878 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -28933,7 +28931,7 @@ index dd3be8d..fb85065 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +585,37 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +585,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28954,7 +28952,6 @@ index dd3be8d..fb85065 100644
+files_exec_etc_files(initrc_t)
+files_manage_etc_symlinks(initrc_t)
+files_manage_system_conf_files(initrc_t)
-+files_filetrans_named_content(initrc_t)
+
+fs_manage_tmpfs_dirs(initrc_t)
+fs_manage_tmpfs_symlinks(initrc_t)
@@ -28977,7 +28974,7 @@ index dd3be8d..fb85065 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +623,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +622,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28989,7 +28986,7 @@ index dd3be8d..fb85065 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +635,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +634,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -29000,7 +28997,7 @@ index dd3be8d..fb85065 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +646,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +645,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -29010,7 +29007,7 @@ index dd3be8d..fb85065 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +655,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +654,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -29018,7 +29015,7 @@ index dd3be8d..fb85065 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +662,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +661,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29026,7 +29023,7 @@ index dd3be8d..fb85065 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +670,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +669,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -29044,7 +29041,7 @@ index dd3be8d..fb85065 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +688,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +687,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -29058,7 +29055,7 @@ index dd3be8d..fb85065 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +703,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +702,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -29072,7 +29069,7 @@ index dd3be8d..fb85065 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +716,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +715,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -29080,7 +29077,7 @@ index dd3be8d..fb85065 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +728,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +727,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -29088,7 +29085,7 @@ index dd3be8d..fb85065 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +747,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +746,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -29112,7 +29109,7 @@ index dd3be8d..fb85065 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +780,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +779,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -29120,7 +29117,7 @@ index dd3be8d..fb85065 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +814,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +813,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -29131,7 +29128,7 @@ index dd3be8d..fb85065 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +838,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +837,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -29140,7 +29137,7 @@ index dd3be8d..fb85065 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +853,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +852,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -29148,7 +29145,7 @@ index dd3be8d..fb85065 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +874,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +873,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -29156,7 +29153,7 @@ index dd3be8d..fb85065 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +884,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +883,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -29201,7 +29198,7 @@ index dd3be8d..fb85065 100644
')
optional_policy(`
-@@ -558,14 +929,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +928,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -29233,7 +29230,7 @@ index dd3be8d..fb85065 100644
')
')
-@@ -576,6 +964,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +963,39 @@ ifdef(`distro_suse',`
')
')
@@ -29273,7 +29270,7 @@ index dd3be8d..fb85065 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1009,8 @@ optional_policy(`
+@@ -588,6 +1008,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29282,7 +29279,7 @@ index dd3be8d..fb85065 100644
')
optional_policy(`
-@@ -609,6 +1032,7 @@ optional_policy(`
+@@ -609,6 +1031,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -29290,7 +29287,7 @@ index dd3be8d..fb85065 100644
')
optional_policy(`
-@@ -625,6 +1049,17 @@ optional_policy(`
+@@ -625,6 +1048,17 @@ optional_policy(`
')
optional_policy(`
@@ -29308,7 +29305,7 @@ index dd3be8d..fb85065 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1076,13 @@ optional_policy(`
+@@ -641,9 +1075,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29322,7 +29319,7 @@ index dd3be8d..fb85065 100644
')
optional_policy(`
-@@ -656,15 +1095,11 @@ optional_policy(`
+@@ -656,15 +1094,11 @@ optional_policy(`
')
optional_policy(`
@@ -29340,7 +29337,7 @@ index dd3be8d..fb85065 100644
')
optional_policy(`
-@@ -685,6 +1120,15 @@ optional_policy(`
+@@ -685,6 +1119,15 @@ optional_policy(`
')
optional_policy(`
@@ -29356,7 +29353,7 @@ index dd3be8d..fb85065 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1169,7 @@ optional_policy(`
+@@ -725,6 +1168,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -29364,7 +29361,7 @@ index dd3be8d..fb85065 100644
')
optional_policy(`
-@@ -742,7 +1187,13 @@ optional_policy(`
+@@ -742,7 +1186,13 @@ optional_policy(`
')
optional_policy(`
@@ -29379,7 +29376,7 @@ index dd3be8d..fb85065 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1216,10 @@ optional_policy(`
+@@ -765,6 +1215,10 @@ optional_policy(`
')
optional_policy(`
@@ -29390,7 +29387,7 @@ index dd3be8d..fb85065 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1229,20 @@ optional_policy(`
+@@ -774,10 +1228,20 @@ optional_policy(`
')
optional_policy(`
@@ -29411,7 +29408,7 @@ index dd3be8d..fb85065 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1251,10 @@ optional_policy(`
+@@ -786,6 +1250,10 @@ optional_policy(`
')
optional_policy(`
@@ -29422,7 +29419,7 @@ index dd3be8d..fb85065 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1276,6 @@ optional_policy(`
+@@ -807,8 +1275,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29431,7 +29428,7 @@ index dd3be8d..fb85065 100644
')
optional_policy(`
-@@ -817,6 +1284,10 @@ optional_policy(`
+@@ -817,6 +1283,10 @@ optional_policy(`
')
optional_policy(`
@@ -29442,7 +29439,7 @@ index dd3be8d..fb85065 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1297,12 @@ optional_policy(`
+@@ -826,10 +1296,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -29455,7 +29452,7 @@ index dd3be8d..fb85065 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1329,35 @@ optional_policy(`
+@@ -856,12 +1328,35 @@ optional_policy(`
')
optional_policy(`
@@ -29492,7 +29489,7 @@ index dd3be8d..fb85065 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1367,18 @@ optional_policy(`
+@@ -871,6 +1366,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29511,7 +29508,7 @@ index dd3be8d..fb85065 100644
')
optional_policy(`
-@@ -886,6 +1394,10 @@ optional_policy(`
+@@ -886,6 +1393,10 @@ optional_policy(`
')
optional_policy(`
@@ -29522,7 +29519,7 @@ index dd3be8d..fb85065 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1408,218 @@ optional_policy(`
+@@ -896,3 +1407,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -30820,7 +30817,7 @@ index 73bb3c0..5b9420f 100644
+
+/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
-index 808ba93..9d8f729 100644
+index 808ba93..57a68da 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',`
@@ -30956,7 +30953,7 @@ index 808ba93..9d8f729 100644
')
########################################
-@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',`
+@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',`
interface(`files_lib_filetrans_shared_lib',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -30973,10 +30970,12 @@ index 808ba93..9d8f729 100644
+#
+interface(`libs_filetrans_named_content',`
+ gen_require(`
++ type lib_t;
+ type ld_so_cache_t;
+ type ldconfig_cache_t;
+ ')
+
++ files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")
+ files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig")
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache")
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~")
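Review bot: The new `files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")` line is missing the space after the first comma that every neighbouring call in this interface uses; write it as `files_var_lib_filetrans($1, ldconfig_cache_t, dir, "debug")`. The other added line puts `type lib_t;` into gen_require, but neither added line references lib_t, so unless the rest of `libs_filetrans_named_content` (which continues outside this hunk) uses it, the require is dead and should be dropped. A one-line comment above the new transition saying why a "debug" directory created under /var/lib gets the ldconfig cache label would help, since the name alone does not suggest ldconfig, e.g. `# ldconfig creates /var/lib/debug for <reason> — TODO confirm`.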
@@ -38253,7 +38252,7 @@ index 0000000..1d9bdfd
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..0ad142f
+index 0000000..ca12f04
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,657 @@
@@ -38518,7 +38517,7 @@ index 0000000..0ad142f
+# Local policy
+#
+
-+allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod };
++allow systemd_tmpfiles_t self:capability { chown dac_override fsetid fowner mknod net_admin };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
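Review bot: The added `net_admin` in `allow systemd_tmpfiles_t self:capability { ... net_admin }` is not mentioned in the %changelog entry of this commit, and the rule carries no comment saying which operation of systemd-tmpfiles needs it. CAP_NET_ADMIN is a broad capability (interface and routing configuration, privileged socket options), so the usual refpolicy practice is to record the triggering denial next to the rule so a later reviewer can check whether a narrower permission (for example a single `socket` class permission) would do; add something like `# net_admin: needed for <tmpfiles operation seen in the AVC> — TODO confirm` above the line. If the grant is only to silence a harmless probe, a `dontaudit` rule would be the safer alternative; that is an inference from the surrounding rules, not something this hunk shows. The local-policy block for systemd_tmpfiles_t continues outside this hunk.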
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 8e61db7..6fa48c8 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -19128,7 +19128,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index afcf3a2..e6ecc4d 100644
+index afcf3a2..49bb04b 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -19137,16 +19137,33 @@ index afcf3a2..e6ecc4d 100644
########################################
##
-@@ -19,7 +19,7 @@ interface(`dbus_stub',`
+@@ -19,7 +19,24 @@ interface(`dbus_stub',`
########################################
##
-## Role access for dbus.
++## Execute dbus-daemon in the caller domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++#
++interface(`dbus_exec_dbusd',`
++ gen_require(`
++ type dbusd_exec_t;
++ ')
++ can_exec($1, dbusd_exec_t)
++')
++
++########################################
++##
+## Role access for dbus
##
##
##
-@@ -41,59 +41,68 @@ interface(`dbus_stub',`
+@@ -41,59 +58,68 @@ interface(`dbus_stub',`
template(`dbus_role_template',`
gen_require(`
class dbus { send_msg acquire_svc };
@@ -19236,7 +19253,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -103,65 +112,29 @@ template(`dbus_role_template',`
+@@ -103,65 +129,29 @@ template(`dbus_role_template',`
#
interface(`dbus_system_bus_client',`
gen_require(`
@@ -19311,7 +19328,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',`
+@@ -175,19 +165,21 @@ interface(`dbus_connect_all_session_bus',`
##
##
#
@@ -19338,7 +19355,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',`
+@@ -196,72 +188,23 @@ interface(`dbus_connect_spec_session_bus',`
##
#
interface(`dbus_session_bus_client',`
@@ -19418,7 +19435,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',`
+@@ -270,59 +213,17 @@ interface(`dbus_spec_session_bus_client',`
##
#
interface(`dbus_send_session_bus',`
@@ -19480,21 +19497,23 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',`
+@@ -380,69 +281,32 @@ interface(`dbus_manage_lib_files',`
########################################
##
-## Allow a application domain to be
-## started by the specified session bus.
--##
++## Connect to the system DBUS
++## for service (acquire_svc).
+ ##
-##
-##
-## The prefix of the user role (e.g., user
-## is the prefix for user_r).
-##
-##
--##
--##
+ ##
+ ##
-## Type to be used as a domain.
-##
-##
@@ -19514,11 +19533,9 @@ index afcf3a2..e6ecc4d 100644
-##
-## Allow a application domain to be
-## started by the specified session bus.
-+## Connect to the system DBUS
-+## for service (acquire_svc).
- ##
- ##
- ##
+-##
+-##
+-##
-## Type to be used as a domain.
-##
-##
@@ -19561,7 +19578,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',`
+@@ -457,20 +321,21 @@ interface(`dbus_all_session_domain',`
##
##
#
@@ -19587,7 +19604,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',`
+@@ -489,7 +354,7 @@ interface(`dbus_connect_system_bus',`
########################################
##
@@ -19596,7 +19613,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',`
+@@ -508,7 +373,7 @@ interface(`dbus_send_system_bus',`
########################################
##
@@ -19605,7 +19622,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',`
+@@ -527,8 +392,8 @@ interface(`dbus_system_bus_unconfined',`
########################################
##
@@ -19616,7 +19633,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',`
+@@ -543,33 +408,24 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@@ -19654,7 +19671,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -587,26 +443,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
##
@@ -19687,7 +19704,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -614,10 +469,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -25087,7 +25104,7 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..95bb886 100644
+index 0872e50..cdea6d0 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -25164,7 +25181,7 @@ index 0872e50..95bb886 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -129,22 +142,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -25194,6 +25211,10 @@ index 0872e50..95bb886 100644
-
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
++
++optional_policy(`
++ apache_read_log(fail2ban_client_t)
++')
diff --git a/fcoe.te b/fcoe.te
index 79b9273..6bf3534 100644
--- a/fcoe.te
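Review bot: The new `apache_read_log(fail2ban_client_t)` block grants the interactive client tool, not the fail2ban_t daemon, read access to httpd logs, and nothing in the hunk records which client operation reads them. The changelog entry in this commit ("Allow fail2ban-client to read apache log files") shows the grant is intentional, so a short comment inside the optional_policy block naming the trigger, e.g. `# fail2ban-client reads httpd logs when <client command> is run — TODO confirm`, would stop the next reviewer from assuming it belongs on fail2ban_t instead. Whether fail2ban_t already has the same access is not visible in this hunk.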
@@ -81047,10 +81068,10 @@ index 9927d29..6746952 100644
+userdom_getattr_user_terminals(rwho_t)
+
diff --git a/samba.fc b/samba.fc
-index b8b66ff..2ccac49 100644
+index b8b66ff..d1fa967 100644
--- a/samba.fc
+++ b/samba.fc
-@@ -1,42 +1,54 @@
+@@ -1,42 +1,55 @@
-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
+
@@ -81076,6 +81097,7 @@ index b8b66ff..2ccac49 100644
+#
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
++/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
@@ -81131,7 +81153,7 @@ index b8b66ff..2ccac49 100644
/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-@@ -45,7 +57,11 @@
+@@ -45,7 +58,11 @@
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
@@ -87938,11 +87960,13 @@ index cbfe369..6594af3 100644
files_search_var_lib($1)
diff --git a/snapper.fc b/snapper.fc
new file mode 100644
-index 0000000..3f412d5
+index 0000000..48c0623
--- /dev/null
+++ b/snapper.fc
-@@ -0,0 +1 @@
+@@ -0,0 +1,3 @@
+/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0)
++
++/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0)
diff --git a/snapper.if b/snapper.if
new file mode 100644
index 0000000..94105ee
@@ -94023,10 +94047,10 @@ index 0000000..c1fd8b4
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..ed78f6f
+index 0000000..81e8be9
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,154 @@
+@@ -0,0 +1,155 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -94146,6 +94170,7 @@ index 0000000..ed78f6f
+')
+
+optional_policy(`
++ dbus_exec_dbusd(thumb_t)
+ dbus_dontaudit_stream_connect_session_bus(thumb_t)
+ dbus_dontaudit_chat_session_bus(thumb_t)
+')
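Review bot: `dbus_exec_dbusd(thumb_t)` uses can_exec, so a dbus-daemon started by a thumbnailer keeps running as thumb_t rather than transitioning, and it sits in an optional_policy block whose other two rules only dontaudit session-bus access, which makes the intent hard to read. A comment above the new line stating why thumbnailers spawn their own dbus-daemon and that no transition is wanted, e.g. `# thumbnailers spawn a private dbus-daemon; keep it in thumb_t (no transition)`, would document the decision. The changelog line "Allow thumb_t to execute dbus-daemon in thumb_t" agrees with this reading.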
@@ -100833,10 +100858,10 @@ index 0000000..044be2f
+')
diff --git a/vmtools.te b/vmtools.te
new file mode 100644
-index 0000000..b4d2dac
+index 0000000..1398ead
--- /dev/null
+++ b/vmtools.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,44 @@
+policy_module(vmtools, 1.0.0)
+
+########################################
@@ -100876,6 +100901,8 @@ index 0000000..b4d2dac
+dev_read_urand(vmtools_t)
+dev_getattr_all_blk_files(vmtools_t)
+
++fs_getattr_all_fs(vmtools_t)
++
+auth_use_nsswitch(vmtools_t)
+
+logging_send_syslog_msg(vmtools_t)
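Review bot: This hunk grants `fs_getattr_all_fs` to vmtools_t, but the %changelog entry added by the same commit says "Allow snapperd to getattr on all fs" and no snapper .te hunk appears in this part of the diff. Either the changelog line names the wrong domain or the snapperd change lives elsewhere in the patch; in the first case the entry should read `- Allow vmtools to getattr on all fs`, in the second a separate line for vmtools is still missing. A comment on the new rule noting what vmtools statfs-es (e.g. `# vmtoolsd reports mounted filesystems to the hypervisor — TODO confirm`) would also help.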
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6246a43..13d6c68 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -581,6 +581,12 @@ SELinux Reference policy mls base module.
%changelog
* Tue Jan 28 2014 Miroslav Grepl 3.12.1-122
- Update snapper policy
+- Allow domains to append rkhunter lib files
+- Allow snapperd to getattr on all fs
+- Allow xdm to create /var/gdm with correct labeling
+- Add label for snapper.log
+- Allow fail2ban-client to read apache log files
+- Allow thumb_t to execute dbus-daemon in thumb_t
* Mon Jan 27 2014 Miroslav Grepl 3.12.1-121
- Allow gdm to create /var/gdm with correct labeling