diff --git a/policy-F16.patch b/policy-F16.patch
index c731329..b727329 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -2137,10 +2137,10 @@ index 0000000..bd83148
+## No Interfaces
diff --git a/policy/modules/admin/permissivedomains.te b/policy/modules/admin/permissivedomains.te
new file mode 100644
-index 0000000..deed25f
+index 0000000..a6bd793
--- /dev/null
+++ b/policy/modules/admin/permissivedomains.te
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,27 @@
+policy_module(permissivedomains,17)
+
+
@@ -2161,6 +2161,13 @@ index 0000000..deed25f
+ permissive zoneminder_t;
+')
+
++optional_policy(`
++ gen_require(`
++ type selinux_munin_plugin_t;
++ ')
++
++ permssive selinux_munin_plugin_t;
++')
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..b665b08 100644
--- a/policy/modules/admin/portage.fc
@@ -8218,7 +8225,7 @@ index fbb5c5a..ffeec16 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..04159de 100644
+index 2e9318b..194857d 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t)
@@ -8409,7 +8416,8 @@ index 2e9318b..04159de 100644
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
userdom_manage_user_tmp_sockets(mozilla_plugin_t)
userdom_manage_user_tmp_dirs(mozilla_plugin_t)
- userdom_read_user_tmp_files(mozilla_plugin_t)
+-userdom_read_user_tmp_files(mozilla_plugin_t)
++userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
userdom_read_user_tmp_symlinks(mozilla_plugin_t)
+userdom_stream_connect(mozilla_plugin_t)
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
@@ -26166,10 +26174,10 @@ index 6480167..2ad693a 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..6b7400b 100644
+index 3136c6a..1aa2421 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
-@@ -18,136 +18,218 @@ policy_module(apache, 2.2.1)
+@@ -18,136 +18,226 @@ policy_module(apache, 2.2.1)
# Declarations
#
@@ -26284,17 +26292,25 @@ index 3136c6a..6b7400b 100644
##
gen_tunable(httpd_can_sendmail, false)
- ##
--##
--## Allow Apache to communicate with avahi service via dbus
--##
++
++##
++##
++## Allow http daemon to connect to zabbix
++##
++##
++gen_tunable(httpd_can_connect_zabbix, false)
++
++##
+##
+## Allow http daemon to check spam
+##
+##
+gen_tunable(httpd_can_check_spam, false)
+
-+##
+ ##
+-##
+-## Allow Apache to communicate with avahi service via dbus
+-##
+##
+## Allow Apache to communicate with avahi service via dbus
+##
@@ -26444,7 +26460,7 @@ index 3136c6a..6b7400b 100644
attribute httpd_script_exec_type;
attribute httpd_user_script_exec_type;
-@@ -166,7 +248,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +256,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -26453,7 +26469,7 @@ index 3136c6a..6b7400b 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -177,6 +259,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +267,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -26463,7 +26479,7 @@ index 3136c6a..6b7400b 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -216,7 +301,21 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +309,21 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -26486,7 +26502,7 @@ index 3136c6a..6b7400b 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +325,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +333,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -26497,7 +26513,7 @@ index 3136c6a..6b7400b 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +336,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +344,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26505,7 +26521,7 @@ index 3136c6a..6b7400b 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +358,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +366,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -26529,7 +26545,7 @@ index 3136c6a..6b7400b 100644
########################################
#
# Apache server local policy
-@@ -281,11 +394,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +402,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -26543,7 +26559,7 @@ index 3136c6a..6b7400b 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +444,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +452,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26554,7 +26570,7 @@ index 3136c6a..6b7400b 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -355,6 +471,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +479,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -26564,7 +26580,7 @@ index 3136c6a..6b7400b 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +484,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +492,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -26581,7 +26597,7 @@ index 3136c6a..6b7400b 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +501,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +509,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -26597,7 +26613,7 @@ index 3136c6a..6b7400b 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +514,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +522,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -26605,7 +26621,7 @@ index 3136c6a..6b7400b 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +526,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +534,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -26709,7 +26725,7 @@ index 3136c6a..6b7400b 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,25 +633,51 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,25 +641,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -26732,6 +26748,10 @@ index 3136c6a..6b7400b 100644
+ corenet_tcp_connect_ldap_port(httpd_t)
+')
+
++tunable_policy(`httpd_can_connect_zabbix',`
++ corenet_tcp_connect_zabbix_port(httpd_t)
++')
++
tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
@@ -26763,7 +26783,7 @@ index 3136c6a..6b7400b 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +687,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +699,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -26780,7 +26800,7 @@ index 3136c6a..6b7400b 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +711,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +723,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -26801,7 +26821,7 @@ index 3136c6a..6b7400b 100644
')
optional_policy(`
-@@ -513,7 +735,13 @@ optional_policy(`
+@@ -513,7 +747,13 @@ optional_policy(`
')
optional_policy(`
@@ -26816,7 +26836,7 @@ index 3136c6a..6b7400b 100644
')
optional_policy(`
-@@ -528,7 +756,19 @@ optional_policy(`
+@@ -528,7 +768,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -26837,7 +26857,7 @@ index 3136c6a..6b7400b 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +777,13 @@ optional_policy(`
+@@ -537,8 +789,13 @@ optional_policy(`
')
optional_policy(`
@@ -26852,7 +26872,7 @@ index 3136c6a..6b7400b 100644
')
')
-@@ -556,7 +801,13 @@ optional_policy(`
+@@ -556,7 +813,13 @@ optional_policy(`
')
optional_policy(`
@@ -26866,7 +26886,7 @@ index 3136c6a..6b7400b 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +818,7 @@ optional_policy(`
+@@ -567,6 +830,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -26874,7 +26894,7 @@ index 3136c6a..6b7400b 100644
')
optional_policy(`
-@@ -577,6 +829,20 @@ optional_policy(`
+@@ -577,6 +841,20 @@ optional_policy(`
')
optional_policy(`
@@ -26895,7 +26915,7 @@ index 3136c6a..6b7400b 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +857,11 @@ optional_policy(`
+@@ -591,6 +869,11 @@ optional_policy(`
')
optional_policy(`
@@ -26907,7 +26927,7 @@ index 3136c6a..6b7400b 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +874,12 @@ optional_policy(`
+@@ -603,6 +886,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -26920,7 +26940,7 @@ index 3136c6a..6b7400b 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +893,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +905,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -26933,7 +26953,7 @@ index 3136c6a..6b7400b 100644
########################################
#
-@@ -654,28 +935,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +947,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -26977,7 +26997,7 @@ index 3136c6a..6b7400b 100644
')
########################################
-@@ -685,6 +968,8 @@ optional_policy(`
+@@ -685,6 +980,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -26986,7 +27006,7 @@ index 3136c6a..6b7400b 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +984,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +996,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -27012,7 +27032,7 @@ index 3136c6a..6b7400b 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1030,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1042,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -27045,7 +27065,7 @@ index 3136c6a..6b7400b 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1077,25 @@ optional_policy(`
+@@ -769,6 +1089,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27071,7 +27091,7 @@ index 3136c6a..6b7400b 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1116,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1128,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27089,7 +27109,7 @@ index 3136c6a..6b7400b 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1135,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1147,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27146,7 +27166,7 @@ index 3136c6a..6b7400b 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1186,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1198,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27177,7 +27197,7 @@ index 3136c6a..6b7400b 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1221,20 @@ optional_policy(`
+@@ -842,10 +1233,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27198,7 +27218,7 @@ index 3136c6a..6b7400b 100644
')
########################################
-@@ -891,11 +1280,135 @@ optional_policy(`
+@@ -891,11 +1292,135 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -32494,20 +32514,29 @@ index e67a003..8bd4751 100644
unconfined_stream_connect(consolekit_t)
')
diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
-index 3a6d7eb..3f0e601 100644
+index 3a6d7eb..6c753ff 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
-@@ -1,8 +1,10 @@
+@@ -1,8 +1,14 @@
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)
++
++/usr/lib(64)?/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
++/usr/lib(64)?/heartbeat/heartbeat -- gen_context(system_u:object_r:corosync_exec_t,s0)
/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0)
+@@ -10,3 +16,4 @@
+
+ /var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0)
+ /var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0)
++/var/run/hearbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
index 5220c9d..db158cc 100644
--- a/policy/modules/services/corosync.if
@@ -32554,7 +32583,7 @@ index 5220c9d..db158cc 100644
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..0f56485 100644
+index 04969e5..a603e70 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -32571,7 +32600,7 @@ index 04969e5..0f56485 100644
-allow corosync_t self:capability { sys_nice sys_resource ipc_lock };
-allow corosync_t self:process { setrlimit setsched signal };
-+allow corosync_t self:capability { dac_override setuid sys_nice sys_resource ipc_lock };
++allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_resource ipc_lock };
+allow corosync_t self:process { setpgid setrlimit setsched signal signull };
allow corosync_t self:fifo_file rw_fifo_file_perms;
@@ -32601,15 +32630,20 @@ index 04969e5..0f56485 100644
corenet_udp_bind_netsupport_port(corosync_t)
-@@ -73,6 +80,7 @@ dev_read_urand(corosync_t)
+@@ -73,9 +80,12 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
++files_read_etc_files(corosync_t)
+files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
-@@ -83,19 +91,44 @@ logging_send_syslog_msg(corosync_t)
++init_domtrans_script(corosync_t)
+ init_read_script_state(corosync_t)
+ init_rw_script_tmp_files(corosync_t)
+
+@@ -83,21 +93,51 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
@@ -32638,13 +32672,17 @@ index 04969e5..0f56485 100644
+optional_policy(`
+ drbd_domtrans(corosync_t)
+')
-
-- rhcs_rw_fenced_semaphores(corosync_t)
++
+optional_policy(`
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
+')
+- rhcs_rw_fenced_semaphores(corosync_t)
++optional_policy(`
++ qpidd_rw_shm(corosync_t)
++')
+
- rhcs_rw_gfs_controld_semaphores(corosync_t)
+optional_policy(`
+ rhcs_getattr_fenced(corosync_t)
@@ -32658,6 +32696,9 @@ index 04969e5..0f56485 100644
')
optional_policy(`
+ rgmanager_manage_tmpfs_files(corosync_t)
+ ')
++
diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
index 01d31f1..8e2754b 100644
--- a/policy/modules/services/courier.fc
@@ -33385,7 +33426,7 @@ index 35241ed..7a0913c 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..958bd54 100644
+index f7583ab..d382f40 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -33590,7 +33631,7 @@ index f7583ab..958bd54 100644
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
+userdom_list_admin_dir(crond_t)
-+userdom_create_all_users_keys(crond_t)
++userdom_manage_all_users_keys(crond_t)
mta_send_mail(crond_t)
+mta_system_content(cron_spool_t)
@@ -33698,7 +33739,7 @@ index f7583ab..958bd54 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +419,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,11 +419,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -33712,8 +33753,11 @@ index f7583ab..958bd54 100644
+allow system_cronjob_t cron_spool_t:file rw_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
++kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+ kernel_read_software_raid_state(system_cronjob_t)
+
+@@ -365,6 +449,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -33721,7 +33765,7 @@ index f7583ab..958bd54 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +475,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +476,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -33729,7 +33773,7 @@ index f7583ab..958bd54 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -413,8 +498,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +499,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -33741,7 +33785,7 @@ index f7583ab..958bd54 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -439,6 +526,8 @@ optional_policy(`
+@@ -439,6 +527,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -33750,7 +33794,7 @@ index f7583ab..958bd54 100644
')
optional_policy(`
-@@ -446,6 +535,14 @@ optional_policy(`
+@@ -446,6 +536,14 @@ optional_policy(`
')
optional_policy(`
@@ -33765,7 +33809,7 @@ index f7583ab..958bd54 100644
ftp_read_log(system_cronjob_t)
')
-@@ -456,6 +553,10 @@ optional_policy(`
+@@ -456,6 +554,10 @@ optional_policy(`
')
optional_policy(`
@@ -33776,7 +33820,7 @@ index f7583ab..958bd54 100644
lpd_list_spool(system_cronjob_t)
')
-@@ -464,7 +565,9 @@ optional_policy(`
+@@ -464,7 +566,9 @@ optional_policy(`
')
optional_policy(`
@@ -33786,7 +33830,7 @@ index f7583ab..958bd54 100644
')
optional_policy(`
-@@ -472,6 +575,10 @@ optional_policy(`
+@@ -472,6 +576,10 @@ optional_policy(`
')
optional_policy(`
@@ -33797,7 +33841,7 @@ index f7583ab..958bd54 100644
postfix_read_config(system_cronjob_t)
')
-@@ -480,7 +587,7 @@ optional_policy(`
+@@ -480,7 +588,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -33806,7 +33850,7 @@ index f7583ab..958bd54 100644
')
optional_policy(`
-@@ -495,6 +602,7 @@ optional_policy(`
+@@ -495,6 +603,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -33814,7 +33858,7 @@ index f7583ab..958bd54 100644
')
optional_policy(`
-@@ -502,7 +610,13 @@ optional_policy(`
+@@ -502,7 +611,13 @@ optional_policy(`
')
optional_policy(`
@@ -33828,7 +33872,7 @@ index f7583ab..958bd54 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +709,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +710,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -35699,19 +35743,20 @@ index 8ba9425..555058a 100644
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
-index 418a5a0..d13814e 100644
+index 418a5a0..de67309 100644
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
-@@ -1,3 +1,8 @@
+@@ -1,3 +1,9 @@
+/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
+/usr/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++/usr/lib/udisks2/udisksd -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+
/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
/usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-@@ -6,9 +11,14 @@
+@@ -6,9 +12,14 @@
/var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@@ -45201,14 +45246,14 @@ index 98d28b4..1c1d012 100644
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
+')
diff --git a/policy/modules/services/memcached.fc b/policy/modules/services/memcached.fc
-index 4d69477..4079870 100644
+index 4d69477..d3b4f39 100644
--- a/policy/modules/services/memcached.fc
+++ b/policy/modules/services/memcached.fc
@@ -2,4 +2,5 @@
/usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0)
-+/var/run/ipa_memcached -s gen_context(system_u:object_r:memcached_var_run_t,s0)
++/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
/var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0)
diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
index db4fd6f..ce07b3f 100644
@@ -47050,10 +47095,20 @@ index 64268e4..a7d94de 100644
+ exim_manage_log(user_mail_domain)
+')
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
-index fd71d69..bf90863 100644
+index fd71d69..26597b2 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
-@@ -51,6 +51,7 @@
+@@ -41,6 +41,9 @@
+ /usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
+
++# selinux plugins
++/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
++
+ # system plugins
+ /usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+ /usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+@@ -51,6 +54,7 @@
/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -47061,7 +47116,7 @@ index fd71d69..bf90863 100644
/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-@@ -63,6 +64,7 @@
+@@ -63,6 +67,7 @@
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
@@ -47166,7 +47221,7 @@ index c358d8f..7c097ec 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
-index f17583b..171ebec 100644
+index f17583b..923fdfb 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -47178,7 +47233,7 @@ index f17583b..171ebec 100644
type munin_t alias lrrd_t;
type munin_exec_t alias lrrd_exec_t;
init_daemon_domain(munin_t, munin_exec_t)
-@@ -24,6 +26,9 @@ files_tmp_file(munin_tmp_t)
+@@ -24,15 +26,16 @@ files_tmp_file(munin_tmp_t)
type munin_var_lib_t alias lrrd_var_lib_t;
files_type(munin_var_lib_t)
@@ -47188,7 +47243,17 @@ index f17583b..171ebec 100644
type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)
-@@ -40,7 +45,7 @@ munin_plugin_template(system)
+ munin_plugin_template(disk)
+-
+ munin_plugin_template(mail)
+-
++munin_plugin_template(selinux)
+ munin_plugin_template(services)
+-
+ munin_plugin_template(system)
+
+ ########################################
+@@ -40,7 +43,7 @@ munin_plugin_template(system)
# Local policy
#
@@ -47197,7 +47262,7 @@ index f17583b..171ebec 100644
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -71,9 +76,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -71,9 +74,12 @@ manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
files_search_var_lib(munin_t)
@@ -47211,7 +47276,7 @@ index f17583b..171ebec 100644
kernel_read_system_state(munin_t)
kernel_read_network_state(munin_t)
-@@ -116,6 +124,7 @@ logging_read_all_logs(munin_t)
+@@ -116,6 +122,7 @@ logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
@@ -47219,7 +47284,7 @@ index f17583b..171ebec 100644
sysnet_exec_ifconfig(munin_t)
-@@ -145,6 +154,7 @@ optional_policy(`
+@@ -145,6 +152,7 @@ optional_policy(`
optional_policy(`
mta_read_config(munin_t)
mta_send_mail(munin_t)
@@ -47227,7 +47292,7 @@ index f17583b..171ebec 100644
mta_read_queue(munin_t)
')
-@@ -159,6 +169,7 @@ optional_policy(`
+@@ -159,6 +167,7 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
@@ -47235,20 +47300,19 @@ index f17583b..171ebec 100644
')
optional_policy(`
-@@ -182,6 +193,7 @@ optional_policy(`
+@@ -182,6 +191,7 @@ optional_policy(`
# local policy for disk plugins
#
-+allow munin_disk_plugin_t self:capability { sys_admin sys_rawio };
++allow disk_munin_plugin_t self:capability { sys_admin sys_rawio };
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -190,15 +202,13 @@ corecmd_exec_shell(disk_munin_plugin_t)
-
- corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+@@ -192,13 +202,13 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
--files_read_etc_files(disk_munin_plugin_t)
+ files_read_etc_files(disk_munin_plugin_t)
files_read_etc_runtime_files(disk_munin_plugin_t)
++files_read_usr_files(disk_munin_plugin_t)
-fs_getattr_all_fs(disk_munin_plugin_t)
-
@@ -47261,7 +47325,7 @@ index f17583b..171ebec 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -221,19 +231,23 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,30 +231,44 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
dev_read_urand(mail_munin_plugin_t)
@@ -47292,7 +47356,19 @@ index f17583b..171ebec 100644
')
optional_policy(`
-@@ -245,6 +259,8 @@ optional_policy(`
+ sendmail_read_log(mail_munin_plugin_t)
+ ')
+
++##################################
++#
++# local policy for selinux plugins
++#
++
++selinux_get_enforce_mode(selinux_munin_plugin_t)
++
++
+ ###################################
+ #
# local policy for service plugins
#
@@ -47301,7 +47377,7 @@ index f17583b..171ebec 100644
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +271,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +279,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t)
@@ -47316,7 +47392,7 @@ index f17583b..171ebec 100644
cups_stream_connect(services_munin_plugin_t)
')
-@@ -279,6 +292,10 @@ optional_policy(`
+@@ -279,6 +300,10 @@ optional_policy(`
')
optional_policy(`
@@ -47327,7 +47403,7 @@ index f17583b..171ebec 100644
postgresql_stream_connect(services_munin_plugin_t)
')
-@@ -286,6 +303,10 @@ optional_policy(`
+@@ -286,6 +311,10 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -47338,7 +47414,7 @@ index f17583b..171ebec 100644
##################################
#
# local policy for system plugins
-@@ -295,13 +316,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,13 +324,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -47355,7 +47431,7 @@ index f17583b..171ebec 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +333,31 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +341,35 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -47387,6 +47463,10 @@ index f17583b..171ebec 100644
+fs_getattr_all_fs(munin_plugin_domain)
+
+miscfiles_read_localization(munin_plugin_domain)
++
++optional_policy(`
++ nscd_socket_use(munin_plugin_domain)
++')
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index e9c0982..840e562 100644
--- a/policy/modules/services/mysql.if
@@ -48517,7 +48597,7 @@ index 15448d5..62284bf 100644
+/usr/lib/systemd/system/yppasswdd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
+/usr/lib/systemd/system/ypxfrd\.service -- gen_context(system_u:object_r:nis_unit_file_t,s0)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
-index abe3f7f..d3595cf 100644
+index abe3f7f..7c7f939 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -34,7 +34,7 @@ interface(`nis_use_ypbind_uncond',`
@@ -48529,7 +48609,7 @@ index abe3f7f..d3595cf 100644
allow $1 var_yp_t:file read_file_perms;
corenet_all_recvfrom_unlabeled($1)
-@@ -49,12 +49,12 @@ interface(`nis_use_ypbind_uncond',`
+@@ -49,14 +49,15 @@ interface(`nis_use_ypbind_uncond',`
corenet_udp_bind_generic_node($1)
corenet_tcp_bind_generic_port($1)
corenet_udp_bind_generic_port($1)
@@ -48543,9 +48623,13 @@ index abe3f7f..d3595cf 100644
- corenet_tcp_connect_reserved_port($1)
+ corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_generic_port($1)
- corenet_dontaudit_tcp_connect_all_ports($1)
+- corenet_dontaudit_tcp_connect_all_ports($1)
++# Attempt to see if this is actually needed
++# corenet_dontaudit_tcp_connect_all_ports($1)
corenet_sendrecv_portmap_client_packets($1)
-@@ -243,25 +243,6 @@ interface(`nis_read_ypbind_pid',`
+ corenet_sendrecv_generic_client_packets($1)
+ corenet_sendrecv_generic_server_packets($1)
+@@ -243,25 +244,6 @@ interface(`nis_read_ypbind_pid',`
########################################
##
@@ -48571,7 +48655,7 @@ index abe3f7f..d3595cf 100644
## Read ypserv configuration files.
##
##
-@@ -337,6 +318,55 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -337,6 +319,55 @@ interface(`nis_initrc_domtrans_ypbind',`
########################################
##
@@ -48627,13 +48711,14 @@ index abe3f7f..d3595cf 100644
## All of the rules required to administrate
## an nis environment
##
-@@ -354,22 +384,28 @@ interface(`nis_initrc_domtrans_ypbind',`
+@@ -354,22 +385,28 @@ interface(`nis_initrc_domtrans_ypbind',`
#
interface(`nis_admin',`
gen_require(`
- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
+- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
+ type ypbind_t, yppasswdd_t, ypserv_t;
- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
++ type ypserv_tmp_t, ypserv_conf_t;
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
- type ypbind_initrc_exec_t, nis_initrc_exec_t;
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
@@ -48662,25 +48747,39 @@ index abe3f7f..d3595cf 100644
ps_process_pattern($1, ypxfr_t)
nis_initrc_domtrans($1)
-@@ -384,6 +420,7 @@ interface(`nis_admin',`
+@@ -379,18 +416,18 @@ interface(`nis_admin',`
+ role_transition $2 ypbind_initrc_exec_t system_r;
+ allow $2 system_r;
+- files_list_tmp($1)
+- admin_pattern($1, ypbind_tmp_t)
+-
files_list_pids($1)
admin_pattern($1, ypbind_var_run_t)
+ nis_systemctl_ypbind($1)
admin_pattern($1, yppasswdd_var_run_t)
-@@ -393,4 +430,5 @@ interface(`nis_admin',`
+ files_list_etc($1)
+ admin_pattern($1, ypserv_conf_t)
+
++ files_list_tmp($1)
admin_pattern($1, ypserv_tmp_t)
admin_pattern($1, ypserv_var_run_t)
+ nis_systemctl($1)
')
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
-index 4876cae..eabed96 100644
+index 4876cae..de34d17 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
-@@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t)
+@@ -18,12 +18,12 @@ init_daemon_domain(ypbind_t, ypbind_exec_t)
+ type ypbind_initrc_exec_t;
+ init_script_file(ypbind_initrc_exec_t)
+
+-type ypbind_tmp_t;
+-files_tmp_file(ypbind_tmp_t)
+-
type ypbind_var_run_t;
files_pid_file(ypbind_var_run_t)
@@ -48690,7 +48789,7 @@ index 4876cae..eabed96 100644
type yppasswdd_t;
type yppasswdd_exec_t;
init_daemon_domain(yppasswdd_t, yppasswdd_exec_t)
-@@ -37,7 +40,7 @@ type ypserv_exec_t;
+@@ -37,7 +37,7 @@ type ypserv_exec_t;
init_daemon_domain(ypserv_t, ypserv_exec_t)
type ypserv_conf_t;
@@ -48699,7 +48798,7 @@ index 4876cae..eabed96 100644
type ypserv_tmp_t;
files_tmp_file(ypserv_tmp_t)
-@@ -52,13 +55,17 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
+@@ -52,22 +52,22 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
type ypxfr_var_run_t;
files_pid_file(ypxfr_var_run_t)
@@ -48718,7 +48817,16 @@ index 4876cae..eabed96 100644
allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
allow ypbind_t self:tcp_socket create_stream_socket_perms;
-@@ -142,8 +149,8 @@ optional_policy(`
+ allow ypbind_t self:udp_socket create_socket_perms;
+
+-manage_dirs_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+-manage_files_pattern(ypbind_t, ypbind_tmp_t, ypbind_tmp_t)
+-files_tmp_filetrans(ypbind_t, ypbind_tmp_t, { file dir })
+-
+ manage_files_pattern(ypbind_t, ypbind_var_run_t, ypbind_var_run_t)
+ files_pid_filetrans(ypbind_t, ypbind_var_run_t, file)
+
+@@ -142,8 +142,8 @@ optional_policy(`
allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
@@ -48728,7 +48836,7 @@ index 4876cae..eabed96 100644
allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -211,6 +218,10 @@ optional_policy(`
+@@ -211,6 +211,10 @@ optional_policy(`
')
optional_policy(`
@@ -48739,7 +48847,7 @@ index 4876cae..eabed96 100644
seutil_sigchld_newrole(yppasswdd_t)
')
-@@ -224,8 +235,8 @@ optional_policy(`
+@@ -224,8 +228,8 @@ optional_policy(`
#
dontaudit ypserv_t self:capability sys_tty_config;
@@ -52362,42 +52470,92 @@ index a3e85c9..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..1fbe0fa 100644
+index 46bee12..99499ef 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
-@@ -34,11 +34,13 @@ template(`postfix_domain_template',`
+@@ -28,75 +28,19 @@ interface(`postfix_stub',`
+ ##
+ #
+ template(`postfix_domain_template',`
+- type postfix_$1_t;
++ gen_require(`
++ attribute postfix_domain;
++ ')
++
++ type postfix_$1_t, postfix_domain;
+ type postfix_$1_exec_t;
+ domain_type(postfix_$1_t)
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
role system_r types postfix_$1_t;
-+ allow postfix_$1_t self:capability { sys_nice sys_chroot };
- dontaudit postfix_$1_t self:capability sys_tty_config;
+- dontaudit postfix_$1_t self:capability sys_tty_config;
- allow postfix_$1_t self:process { signal_perms setpgid };
-+ allow postfix_$1_t self:process { signal_perms setpgid setsched };
- allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
- allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
- allow postfix_$1_t self:unix_stream_socket connectto;
-+ allow postfix_$1_t self:fifo_file rw_fifo_file_perms;
-
- allow postfix_master_t postfix_$1_t:process signal;
- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
-@@ -50,7 +52,7 @@ template(`postfix_domain_template',`
-
- can_exec(postfix_$1_t, postfix_$1_exec_t)
-
+- allow postfix_$1_t self:unix_dgram_socket create_socket_perms;
+- allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms;
+- allow postfix_$1_t self:unix_stream_socket connectto;
+-
+- allow postfix_master_t postfix_$1_t:process signal;
+- #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
+- allow postfix_$1_t postfix_master_t:file read;
+-
+- allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
+- read_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+- read_lnk_files_pattern(postfix_$1_t, postfix_etc_t, postfix_etc_t)
+-
+- can_exec(postfix_$1_t, postfix_$1_exec_t)
+-
- allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock ioctl };
-+ allow postfix_$1_t postfix_exec_t:file { mmap_file_perms lock };
-
- allow postfix_$1_t postfix_master_t:process sigchld;
+-
+- allow postfix_$1_t postfix_master_t:process sigchld;
+-
+- allow postfix_$1_t postfix_spool_t:dir list_dir_perms;
+-
+- allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+- files_pid_filetrans(postfix_$1_t, postfix_var_run_t, file)
+-
+- kernel_read_system_state(postfix_$1_t)
+- kernel_read_network_state(postfix_$1_t)
+- kernel_read_all_sysctls(postfix_$1_t)
+-
+- dev_read_sysfs(postfix_$1_t)
+- dev_read_rand(postfix_$1_t)
+- dev_read_urand(postfix_$1_t)
+-
+- fs_search_auto_mountpoints(postfix_$1_t)
+- fs_getattr_xattr_fs(postfix_$1_t)
+- fs_rw_anon_inodefs_files(postfix_$1_t)
+-
+- term_dontaudit_use_console(postfix_$1_t)
+-
+- corecmd_exec_shell(postfix_$1_t)
+-
+- files_read_etc_files(postfix_$1_t)
+- files_read_etc_runtime_files(postfix_$1_t)
+- files_read_usr_symlinks(postfix_$1_t)
+- files_search_spool(postfix_$1_t)
+- files_getattr_tmp_dirs(postfix_$1_t)
+- files_search_all_mountpoints(postfix_$1_t)
+-
+- init_dontaudit_use_fds(postfix_$1_t)
+- init_sigchld(postfix_$1_t)
+-
+ auth_use_nsswitch(postfix_$1_t)
-@@ -77,6 +79,7 @@ template(`postfix_domain_template',`
+- logging_send_syslog_msg(postfix_$1_t)
+-
+- miscfiles_read_localization(postfix_$1_t)
+- miscfiles_read_generic_certs(postfix_$1_t)
+-
+- userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
+-
+- optional_policy(`
+- udev_read_db(postfix_$1_t)
+- ')
++ can_exec(postfix_$1_t, postfix_$1_exec_t)
+ ')
- files_read_etc_files(postfix_$1_t)
- files_read_etc_runtime_files(postfix_$1_t)
-+ files_read_usr_files(postfix_$1_t)
- files_read_usr_symlinks(postfix_$1_t)
- files_search_spool(postfix_$1_t)
- files_getattr_tmp_dirs(postfix_$1_t)
-@@ -115,7 +118,7 @@ template(`postfix_server_domain_template',`
+ ########################################
+@@ -115,7 +59,7 @@ template(`postfix_server_domain_template',`
type postfix_$1_tmp_t;
files_tmp_file(postfix_$1_tmp_t)
@@ -52406,7 +52564,7 @@ index 46bee12..1fbe0fa 100644
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
-@@ -165,6 +168,8 @@ template(`postfix_user_domain_template',`
+@@ -165,6 +109,8 @@ template(`postfix_user_domain_template',`
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
domain_use_interactive_fds(postfix_$1_t)
@@ -52415,7 +52573,7 @@ index 46bee12..1fbe0fa 100644
')
########################################
-@@ -215,7 +220,7 @@ interface(`postfix_config_filetrans',`
+@@ -215,7 +161,7 @@ interface(`postfix_config_filetrans',`
')
files_search_etc($1)
@@ -52424,7 +52582,7 @@ index 46bee12..1fbe0fa 100644
')
########################################
-@@ -272,7 +277,8 @@ interface(`postfix_read_local_state',`
+@@ -272,7 +218,8 @@ interface(`postfix_read_local_state',`
type postfix_local_t;
')
@@ -52434,7 +52592,7 @@ index 46bee12..1fbe0fa 100644
')
########################################
-@@ -290,7 +296,27 @@ interface(`postfix_read_master_state',`
+@@ -290,7 +237,27 @@ interface(`postfix_read_master_state',`
type postfix_master_t;
')
@@ -52463,7 +52621,7 @@ index 46bee12..1fbe0fa 100644
')
########################################
-@@ -376,6 +402,25 @@ interface(`postfix_domtrans_master',`
+@@ -376,6 +343,25 @@ interface(`postfix_domtrans_master',`
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
')
@@ -52489,7 +52647,7 @@ index 46bee12..1fbe0fa 100644
########################################
##
## Execute the master postfix program in the
-@@ -404,7 +449,6 @@ interface(`postfix_exec_master',`
+@@ -404,7 +390,6 @@ interface(`postfix_exec_master',`
## Domain allowed access.
##
##
@@ -52497,7 +52655,7 @@ index 46bee12..1fbe0fa 100644
#
interface(`postfix_stream_connect_master',`
gen_require(`
-@@ -416,6 +460,24 @@ interface(`postfix_stream_connect_master',`
+@@ -416,6 +401,24 @@ interface(`postfix_stream_connect_master',`
########################################
##
@@ -52522,7 +52680,7 @@ index 46bee12..1fbe0fa 100644
## Execute the master postdrop in the
## postfix_postdrop domain.
##
-@@ -462,7 +524,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -462,7 +465,7 @@ interface(`postfix_domtrans_postqueue',`
##
##
#
@@ -52531,7 +52689,7 @@ index 46bee12..1fbe0fa 100644
gen_require(`
type postfix_postqueue_exec_t;
')
-@@ -529,6 +591,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +532,25 @@ interface(`postfix_domtrans_smtp',`
########################################
##
@@ -52557,7 +52715,7 @@ index 46bee12..1fbe0fa 100644
## Search postfix mail spool directories.
##
##
-@@ -539,10 +620,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +561,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -52570,7 +52728,7 @@ index 46bee12..1fbe0fa 100644
files_search_spool($1)
')
-@@ -558,10 +639,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +580,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -52583,7 +52741,7 @@ index 46bee12..1fbe0fa 100644
files_search_spool($1)
')
-@@ -577,11 +658,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +599,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -52597,7 +52755,7 @@ index 46bee12..1fbe0fa 100644
')
########################################
-@@ -596,11 +677,11 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +618,11 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -52611,7 +52769,7 @@ index 46bee12..1fbe0fa 100644
')
########################################
-@@ -621,3 +702,154 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +643,154 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -52767,10 +52925,10 @@ index 46bee12..1fbe0fa 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index a32c4b3..dda5b86 100644
+index a32c4b3..e92a85d 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
-@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.1)
+@@ -5,6 +5,15 @@ policy_module(postfix, 1.12.1)
# Declarations
#
@@ -52781,11 +52939,12 @@ index a32c4b3..dda5b86 100644
+##
+gen_tunable(allow_postfix_local_write_mail_spool, true)
+
++attribute postfix_domain;
+attribute postfix_spool_type;
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
-@@ -12,8 +20,8 @@ attribute postfix_user_domtrans;
+@@ -12,8 +21,8 @@ attribute postfix_user_domtrans;
postfix_server_domain_template(bounce)
@@ -52796,7 +52955,7 @@ index a32c4b3..dda5b86 100644
postfix_server_domain_template(cleanup)
-@@ -41,6 +49,9 @@ typealias postfix_master_t alias postfix_t;
+@@ -41,6 +50,9 @@ typealias postfix_master_t alias postfix_t;
# generation macro work
mta_mailserver(postfix_t, postfix_master_exec_t)
@@ -52806,7 +52965,7 @@ index a32c4b3..dda5b86 100644
postfix_server_domain_template(pickup)
postfix_server_domain_template(pipe)
-@@ -49,6 +60,7 @@ postfix_user_domain_template(postdrop)
+@@ -49,6 +61,7 @@ postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
postfix_user_domain_template(postqueue)
@@ -52814,7 +52973,7 @@ index a32c4b3..dda5b86 100644
type postfix_private_t;
files_type(postfix_private_t)
-@@ -65,14 +77,14 @@ mta_mailserver_sender(postfix_smtp_t)
+@@ -65,14 +78,14 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
@@ -52835,7 +52994,7 @@ index a32c4b3..dda5b86 100644
type postfix_public_t;
files_type(postfix_public_t)
-@@ -94,23 +106,24 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -94,23 +107,24 @@ mta_mailserver_delivery(postfix_virtual_t)
# chown is to set the correct ownership of queue dirs
allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -52865,7 +53024,7 @@ index a32c4b3..dda5b86 100644
manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-@@ -130,7 +143,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
+@@ -130,7 +144,7 @@ manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
@@ -52874,7 +53033,7 @@ index a32c4b3..dda5b86 100644
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
-@@ -138,6 +151,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
+@@ -138,6 +152,7 @@ manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -52882,7 +53041,7 @@ index a32c4b3..dda5b86 100644
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
kernel_read_all_sysctls(postfix_master_t)
-@@ -150,6 +164,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -150,6 +165,9 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -52892,7 +53051,7 @@ index a32c4b3..dda5b86 100644
corenet_tcp_bind_generic_node(postfix_master_t)
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -167,6 +184,10 @@ corecmd_exec_bin(postfix_master_t)
+@@ -167,6 +185,10 @@ corecmd_exec_bin(postfix_master_t)
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -52903,7 +53062,7 @@ index a32c4b3..dda5b86 100644
term_dontaudit_search_ptys(postfix_master_t)
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+@@ -220,13 +242,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -52922,7 +53081,7 @@ index a32c4b3..dda5b86 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -243,12 +268,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
+@@ -243,12 +269,17 @@ stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t,
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
@@ -52940,7 +53099,7 @@ index a32c4b3..dda5b86 100644
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
corecmd_exec_bin(postfix_cleanup_t)
-@@ -264,7 +294,6 @@ optional_policy(`
+@@ -264,7 +295,6 @@ optional_policy(`
# Postfix local local policy
#
@@ -52948,7 +53107,7 @@ index a32c4b3..dda5b86 100644
allow postfix_local_t self:process { setsched setrlimit };
# connect to master process
-@@ -273,6 +302,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -52957,7 +53116,7 @@ index a32c4b3..dda5b86 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -52976,7 +53135,7 @@ index a32c4b3..dda5b86 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +333,10 @@ optional_policy(`
+@@ -297,6 +334,10 @@ optional_policy(`
')
optional_policy(`
@@ -52987,7 +53146,7 @@ index a32c4b3..dda5b86 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +344,22 @@ optional_policy(`
+@@ -304,9 +345,22 @@ optional_policy(`
')
optional_policy(`
@@ -53010,7 +53169,7 @@ index a32c4b3..dda5b86 100644
########################################
#
# Postfix map local policy
-@@ -379,18 +432,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +433,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -53036,7 +53195,7 @@ index a32c4b3..dda5b86 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +460,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +461,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -53045,7 +53204,7 @@ index a32c4b3..dda5b86 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +481,7 @@ optional_policy(`
+@@ -420,6 +482,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -53053,7 +53212,7 @@ index a32c4b3..dda5b86 100644
')
optional_policy(`
-@@ -436,11 +498,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +499,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -53071,7 +53230,7 @@ index a32c4b3..dda5b86 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +555,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -53082,7 +53241,7 @@ index a32c4b3..dda5b86 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +587,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -53095,7 +53254,7 @@ index a32c4b3..dda5b86 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +611,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -53106,16 +53265,16 @@ index a32c4b3..dda5b86 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +632,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
-+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
++rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +641,14 @@ optional_policy(`
+@@ -565,6 +642,14 @@ optional_policy(`
')
optional_policy(`
@@ -53130,7 +53289,7 @@ index a32c4b3..dda5b86 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -588,10 +672,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +673,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -53147,7 +53306,7 @@ index a32c4b3..dda5b86 100644
')
optional_policy(`
-@@ -599,6 +689,12 @@ optional_policy(`
+@@ -599,6 +690,12 @@ optional_policy(`
')
optional_policy(`
@@ -53160,7 +53319,7 @@ index a32c4b3..dda5b86 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +707,6 @@ optional_policy(`
+@@ -611,7 +708,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -53168,7 +53327,7 @@ index a32c4b3..dda5b86 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +725,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +726,75 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -53177,6 +53336,73 @@ index a32c4b3..dda5b86 100644
+userdom_manage_user_home_content(postfix_virtual_t)
+userdom_home_filetrans_user_home_dir(postfix_virtual_t)
+userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
++
++########################################
++#
++# postfix_domain common policy
++#
++allow postfix_domain self:capability { sys_nice sys_chroot };
++dontaudit postfix_domain self:capability sys_tty_config;
++allow postfix_domain self:process { signal_perms setpgid setsched };
++allow postfix_domain self:unix_dgram_socket create_socket_perms;
++allow postfix_domain self:unix_stream_socket create_stream_socket_perms;
++allow postfix_domain self:unix_stream_socket connectto;
++allow postfix_domain self:fifo_file rw_fifo_file_perms;
++
++allow postfix_master_t postfix_domain:process signal;
++#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
++allow postfix_domain postfix_master_t:file read;
++allow postfix_domain postfix_etc_t:dir list_dir_perms;
++read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
++read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
++
++allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
++
++allow postfix_domain postfix_master_t:process sigchld;
++
++allow postfix_domain postfix_spool_t:dir list_dir_perms;
++
++allow postfix_domain postfix_var_run_t:file manage_file_perms;
++files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
++
++kernel_read_system_state(postfix_domain)
++kernel_read_network_state(postfix_domain)
++kernel_read_all_sysctls(postfix_domain)
++
++dev_read_sysfs(postfix_domain)
++dev_read_rand(postfix_domain)
++dev_read_urand(postfix_domain)
++
++fs_search_auto_mountpoints(postfix_domain)
++fs_getattr_xattr_fs(postfix_domain)
++fs_rw_anon_inodefs_files(postfix_domain)
++
++term_dontaudit_use_console(postfix_domain)
++
++corecmd_exec_shell(postfix_domain)
++
++files_read_etc_files(postfix_domain)
++files_read_etc_runtime_files(postfix_domain)
++files_read_usr_files(postfix_domain)
++files_read_usr_symlinks(postfix_domain)
++files_search_spool(postfix_domain)
++files_getattr_tmp_dirs(postfix_domain)
++files_search_all_mountpoints(postfix_domain)
++
++init_dontaudit_use_fds(postfix_domain)
++init_sigchld(postfix_domain)
++init_dontaudit_rw_stream_socket(postfix_domain)
++
++logging_send_syslog_msg(postfix_domain)
++
++miscfiles_read_localization(postfix_domain)
++miscfiles_read_generic_certs(postfix_domain)
++
++userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
++
++optional_policy(`
++ udev_read_db(postfix_domain)
++')
diff --git a/policy/modules/services/postfixpolicyd.if b/policy/modules/services/postfixpolicyd.if
index feae93b..b2af729 100644
--- a/policy/modules/services/postfixpolicyd.if
@@ -55464,7 +55690,7 @@ index 4f94229..f3b89e4 100644
/var/lib/qpidd(/.*)? gen_context(system_u:object_r:qpidd_var_lib_t,s0)
diff --git a/policy/modules/services/qpid.if b/policy/modules/services/qpid.if
-index 5a9630c..61f0099 100644
+index 5a9630c..aaaef40 100644
--- a/policy/modules/services/qpid.if
+++ b/policy/modules/services/qpid.if
@@ -1,4 +1,4 @@
@@ -55655,7 +55881,7 @@ index 5a9630c..61f0099 100644
# Allow qpidd_t to restart the apache service
qpidd_initrc_domtrans($1)
-@@ -180,7 +189,43 @@ interface(`qpidd_admin',`
+@@ -180,7 +189,45 @@ interface(`qpidd_admin',`
role_transition $2 qpidd_initrc_exec_t system_r;
allow $2 system_r;
@@ -55683,23 +55909,25 @@ index 5a9630c..61f0099 100644
+ allow $1 qpidd_t:sem rw_sem_perms;
+')
+
-+########################################
++#######################################
+##
-+## Read and write to qpidd shared memory.
++## Read and write to qpidd shared memory.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`qpidd_rw_shm',`
+ gen_require(`
-+ type qpidd_t;
++ type qpidd_tmpfs_t;
+ ')
- admin_pattern($1, qpidd_var_run_t)
-+ allow $1 qpidd_t:shm rw_shm_perms;
++ qpidd_rw_shm($1)
++ fs_search_tmpfs($1)
++ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
')
diff --git a/policy/modules/services/qpid.te b/policy/modules/services/qpid.te
index cb7ecb5..08d19e6 100644
@@ -69335,10 +69563,24 @@ index c9981d1..75a7d17 100644
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 7f88f5f..5f1e19c 100644
+index 7f88f5f..4d704e8 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
-@@ -23,6 +23,10 @@ init_script_file(zabbix_agent_initrc_exec_t)
+@@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1)
+ # Declarations
+ #
+
++##
++##
++## Allow zabbix to connect to unreserved ports
++##
++##
++gen_tunable(zabbix_can_network, false)
++
+ type zabbix_t;
+ type zabbix_exec_t;
+ init_daemon_domain(zabbix_t, zabbix_exec_t)
+@@ -23,6 +30,10 @@ init_script_file(zabbix_agent_initrc_exec_t)
type zabbix_log_t;
logging_log_file(zabbix_log_t)
@@ -69349,7 +69591,7 @@ index 7f88f5f..5f1e19c 100644
# shared memory
type zabbix_tmpfs_t;
files_tmpfs_file(zabbix_tmpfs_t)
-@@ -36,19 +40,25 @@ files_pid_file(zabbix_var_run_t)
+@@ -36,19 +47,25 @@ files_pid_file(zabbix_var_run_t)
# zabbix local policy
#
@@ -69379,7 +69621,7 @@ index 7f88f5f..5f1e19c 100644
# shared memory
rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,14 +68,25 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -58,25 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
@@ -69407,7 +69649,13 @@ index 7f88f5f..5f1e19c 100644
zabbix_agent_tcp_connect(zabbix_t)
-@@ -74,9 +95,21 @@ optional_policy(`
++tunable_policy(`zabbix_can_network',`
++ corenet_tcp_connect_all_unreserved_ports(zabbix_t)
++ corenet_tcp_connect_all_ephemeral_ports(zabbix_t)
++')
++
+ optional_policy(`
+ mysql_stream_connect(zabbix_t)
')
optional_policy(`
@@ -69429,6 +69677,11 @@ index 7f88f5f..5f1e19c 100644
########################################
#
# zabbix agent local policy
+@@ -134,3 +179,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
+
+ # Network access to zabbix server
+ zabbix_tcp_connect(zabbix_agent_t)
++
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
index 3defaa1..2ad2488 100644
--- a/policy/modules/services/zarafa.fc
@@ -74074,13 +74327,13 @@ index f3e1b57..d7fd7fb 100644
')
diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
-index 14d9670..f28128a 100644
+index 14d9670..7742cf4 100644
--- a/policy/modules/system/iscsi.fc
+++ b/policy/modules/system/iscsi.fc
-@@ -1,7 +1,11 @@
+@@ -1,7 +1,12 @@
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
@@ -74089,6 +74342,7 @@ index 14d9670..f28128a 100644
+
+/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
++/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index ddbd8be..65b5762 100644
--- a/policy/modules/system/iscsi.te
@@ -75012,10 +75266,10 @@ index a0b379d..2291a13 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..3bdf89f 100644
+index 02f4c97..dfd853e 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
-@@ -17,12 +17,27 @@
+@@ -17,12 +17,28 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -75025,6 +75279,7 @@ index 02f4c97..3bdf89f 100644
+/opt/zimbra/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/opt/Symantec/scspagent/IDS/system(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+
++/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+/usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -75044,7 +75299,7 @@ index 02f4c97..3bdf89f 100644
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
-@@ -38,7 +53,7 @@ ifdef(`distro_suse', `
+@@ -38,7 +54,7 @@ ifdef(`distro_suse', `
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -75053,7 +75308,7 @@ index 02f4c97..3bdf89f 100644
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -46,6 +61,7 @@ ifdef(`distro_suse', `
+@@ -46,6 +62,7 @@ ifdef(`distro_suse', `
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
@@ -75061,7 +75316,7 @@ index 02f4c97..3bdf89f 100644
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -66,6 +82,7 @@ ifdef(`distro_redhat',`
+@@ -66,6 +83,7 @@ ifdef(`distro_redhat',`
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -75069,7 +75324,7 @@ index 02f4c97..3bdf89f 100644
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
-@@ -73,4 +90,9 @@ ifdef(`distro_redhat',`
+@@ -73,4 +91,9 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -80108,7 +80363,7 @@ index 025348a..c15e57c 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..5ff6beb 100644
+index d88f7c3..b79d72f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -80237,7 +80492,16 @@ index d88f7c3..5ff6beb 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -169,6 +190,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -154,6 +175,8 @@ miscfiles_read_hwdata(udev_t)
+ modutils_domtrans_insmod(udev_t)
+ # read modules.inputmap:
+ modutils_read_module_deps(udev_t)
++modutils_list_module_config(udev_t)
++modutils_read_module_conf(udev_t)
+
+ seutil_read_config(udev_t)
+ seutil_read_default_contexts(udev_t)
+@@ -169,6 +192,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -80246,7 +80510,7 @@ index d88f7c3..5ff6beb 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -186,8 +209,9 @@ ifdef(`distro_redhat',`
+@@ -186,8 +211,9 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -80257,7 +80521,7 @@ index d88f7c3..5ff6beb 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -216,11 +240,16 @@ optional_policy(`
+@@ -216,11 +242,16 @@ optional_policy(`
')
optional_policy(`
@@ -80274,7 +80538,7 @@ index d88f7c3..5ff6beb 100644
')
optional_policy(`
-@@ -230,10 +259,20 @@ optional_policy(`
+@@ -230,10 +261,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -80295,7 +80559,7 @@ index d88f7c3..5ff6beb 100644
')
optional_policy(`
-@@ -259,6 +298,10 @@ optional_policy(`
+@@ -259,6 +300,10 @@ optional_policy(`
')
optional_policy(`
@@ -80306,7 +80570,7 @@ index d88f7c3..5ff6beb 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +316,11 @@ optional_policy(`
+@@ -273,6 +318,11 @@ optional_policy(`
')
optional_policy(`
@@ -80318,7 +80582,7 @@ index d88f7c3..5ff6beb 100644
unconfined_signal(udev_t)
')
-@@ -285,6 +333,7 @@ optional_policy(`
+@@ -285,6 +335,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@@ -81135,7 +81399,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..eeb5b5a 100644
+index 4b2878a..43d975f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -83472,7 +83736,7 @@ index 4b2878a..eeb5b5a 100644
## Create keys for all user domains.
##
##
-@@ -3194,3 +3913,1236 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3194,3 +3913,1254 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
@@ -84425,6 +84689,24 @@ index 4b2878a..eeb5b5a 100644
+
+########################################
+##
++## Read/write all inherited users files in /tmp
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_rw_inherited_user_tmp_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ allow $1 user_tmp_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+## Write all inherited users files in /tmp
+##
+##
@@ -84710,7 +84992,7 @@ index 4b2878a..eeb5b5a 100644
+ typeattribute $1 userdom_home_manager_type;
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 9b4a930..ced52ff 100644
+index 9b4a930..0e7648c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.2)
@@ -84766,7 +85048,7 @@ index 9b4a930..ced52ff 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -71,26 +101,110 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +101,111 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -84837,6 +85119,7 @@ index 9b4a930..ced52ff 100644
+
+optional_policy(`
+ ssh_filetrans_home_content(userdomain)
++ ssh_rw_tcp_sockets(userdomain)
+')
+
+optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 83ada10..70224a6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 79%{?dist}
+Release: 80%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,19 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Thu Jan 26 2012 Miroslav Grepl 3.10.0-80
+- Add zabbix_can_network boolean
+- Add httpd_can_connect_zabbix boolean
+- Prepare file context labeling for usrmove functions
+- Allow system cronjobs to read kernel network state
+- Add support for selinux_avcstat munin plugin
+- Treat hearbeat with corosync policy
+- Allow corosync to read and write to qpidd shared mem
+- mozilla_plugin is trying to run pulseaudio
+- Fixes for new sshd patch for running priv sep domains as the users context
+- Turn off dontaudit rules when turning on allow_ypbind
+- udev now reads /etc/modules.d directory
+
* Tue Jan 24 2012 Miroslav Grepl 3.10.0-79
- Turn on deny_ptrace boolean for the Rawhide run, so we can test this out
- Cups exchanges dbus messages with init