diff --git a/policy-f18-base.patch b/policy-f18-base.patch
index 72e3179..901141a 100644
--- a/policy-f18-base.patch
+++ b/policy-f18-base.patch
@@ -117703,7 +117703,7 @@ index 8796ca3..cb02728 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index e1e814d..37f3b90 100644
+index e1e814d..360fbbd 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -118225,7 +118225,33 @@ index e1e814d..37f3b90 100644
')
########################################
-@@ -3135,6 +3446,25 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3059,6 +3370,25 @@ interface(`files_getattr_isid_type_dirs',`
+
+ ########################################
+ ##
++## Setattr of directories on new filesystems
++## that have not yet been labeled.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_isid_type_dirs',`
++ gen_require(`
++ type file_t;
++ ')
++
++ allow $1 file_t:dir setattr;
++')
++
++########################################
++##
+ ## Do not audit attempts to search directories on new filesystems
+ ## that have not yet been labeled.
+ ##
+@@ -3135,6 +3465,25 @@ interface(`files_delete_isid_type_dirs',`
########################################
##
@@ -118251,7 +118277,7 @@ index e1e814d..37f3b90 100644
## Create, read, write, and delete directories
## on new filesystems that have not yet been labeled.
##
-@@ -3382,6 +3712,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3382,6 +3731,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -118277,7 +118303,7 @@ index e1e814d..37f3b90 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3723,20 +4072,38 @@ interface(`files_list_mnt',`
+@@ -3723,20 +4091,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -118321,7 +118347,7 @@ index e1e814d..37f3b90 100644
')
########################################
-@@ -4126,6 +4493,133 @@ interface(`files_read_world_readable_sockets',`
+@@ -4126,6 +4512,133 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -118455,7 +118481,7 @@ index e1e814d..37f3b90 100644
########################################
##
## Allow the specified type to associate
-@@ -4148,6 +4642,26 @@ interface(`files_associate_tmp',`
+@@ -4148,6 +4661,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -118482,7 +118508,7 @@ index e1e814d..37f3b90 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4161,6 +4675,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4161,6 +4694,7 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -118490,7 +118516,7 @@ index e1e814d..37f3b90 100644
allow $1 tmp_t:dir getattr;
')
-@@ -4171,7 +4686,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4171,7 +4705,7 @@ interface(`files_getattr_tmp_dirs',`
##
##
##
@@ -118499,7 +118525,7 @@ index e1e814d..37f3b90 100644
##
##
#
-@@ -4198,6 +4713,7 @@ interface(`files_search_tmp',`
+@@ -4198,6 +4732,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -118507,7 +118533,7 @@ index e1e814d..37f3b90 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4234,6 +4750,7 @@ interface(`files_list_tmp',`
+@@ -4234,6 +4769,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -118515,7 +118541,7 @@ index e1e814d..37f3b90 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4243,7 +4760,7 @@ interface(`files_list_tmp',`
+@@ -4243,7 +4779,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -118524,7 +118550,7 @@ index e1e814d..37f3b90 100644
##
##
#
-@@ -4255,6 +4772,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4255,6 +4791,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -118550,7 +118576,7 @@ index e1e814d..37f3b90 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4270,6 +4806,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4270,6 +4825,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -118558,7 +118584,7 @@ index e1e814d..37f3b90 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4311,6 +4848,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4311,6 +4867,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -118591,29 +118617,198 @@ index e1e814d..37f3b90 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4365,6 +4928,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4365,7 +4947,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
+-## Set the attributes of all tmp directories.
+## Relabel a dir from the type used in /tmp.
+ ##
+ ##
+ ##
+@@ -4373,17 +4955,17 @@ interface(`files_rw_generic_tmp_sockets',`
+ ##
+ ##
+ #
+-interface(`files_setattr_all_tmp_dirs',`
++interface(`files_relabelfrom_tmp_dirs',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir { search_dir_perms setattr };
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## List all tmp directories.
++## Relabel a file from the type used in /tmp.
+ ##
+ ##
+ ##
+@@ -4391,59 +4973,53 @@ interface(`files_setattr_all_tmp_dirs',`
+ ##
+ ##
+ #
+-interface(`files_list_all_tmp',`
++interface(`files_relabelfrom_tmp_files',`
+ gen_require(`
+- attribute tmpfile;
++ type tmp_t;
+ ')
+
+- allow $1 tmpfile:dir list_dir_perms;
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Relabel to and from all temporary
+-## directory types.
++## Set the attributes of all tmp directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_tmp_dirs',`
++interface(`files_setattr_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
+- type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_dirs_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:dir { search_dir_perms setattr };
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp files.
++## Allow caller to read inherited tmp files.
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_read_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+- dontaudit $1 tmpfile:file getattr;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
+ ')
+
+ ########################################
+ ##
+-## Allow attempts to get the attributes
+-## of all tmp files.
++## Allow caller to append inherited tmp files.
+ ##
+ ##
+ ##
+@@ -4451,54 +5027,132 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+ ##
+ ##
+ #
+-interface(`files_getattr_all_tmp_files',`
++interface(`files_append_inherited_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
+- allow $1 tmpfile:file getattr;
++ allow $1 tmpfile:file append_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Relabel to and from all temporary
+-## file types.
++## List all tmp directories.
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+ #
+-interface(`files_relabel_all_tmp_files',`
++interface(`files_list_all_tmp',`
+ gen_require(`
+ attribute tmpfile;
+- type var_t;
+ ')
+
+- allow $1 var_t:dir search_dir_perms;
+- relabel_files_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:dir list_dir_perms;
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to get the attributes
+-## of all tmp sock_file.
++## Relabel to and from all temporary
++## directory types.
+ ##
+ ##
+ ##
+-## Domain not to audit.
++## Domain allowed access.
+ ##
+ ##
++##
+ #
+-interface(`files_dontaudit_getattr_all_tmp_sockets',`
++interface(`files_relabel_all_tmp_dirs',`
+ gen_require(`
+ attribute tmpfile;
++ type var_t;
+ ')
+
+- dontaudit $1 tmpfile:sock_file getattr;
+-')
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
++')
++
++########################################
++##
++## Do not audit attempts to get the attributes
++## of all tmp files.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
+ gen_require(`
-+ type tmp_t;
++ attribute tmpfile;
+ ')
+
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++ dontaudit $1 tmpfile:file getattr;
+')
+
+########################################
+##
-+## Relabel a file from the type used in /tmp.
++## Allow attempts to get the attributes
++## of all tmp files.
+##
+##
+##
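Review bot: `files_read_inherited_tmp_files` grants `{ append read_inherited_file_perms }` on tmpfile, so a domain that calls it for read-only access to inherited tmp files also receives append, which neither the interface name nor its summary line mentions. Either narrow the rule to `allow $1 tmpfile:file read_inherited_file_perms;` and let callers that need writing use `files_append_inherited_tmp_files`, which this same hunk adds, or change the summary to `## Allow caller to read and append inherited tmp files.` so the extra permission is visible to anyone auditing the policy. The remainder of the hunk appears to re-order interfaces the inner patch already carried, so only the read-inherited body needs attention.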
@@ -118621,81 +118816,58 @@ index e1e814d..37f3b90 100644
+##
+##
+#
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_getattr_all_tmp_files',`
+ gen_require(`
-+ type tmp_t;
++ attribute tmpfile;
+ ')
+
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++ allow $1 tmpfile:file getattr;
+')
+
+########################################
+##
- ## Set the attributes of all tmp directories.
- ##
- ##
-@@ -4383,6 +4982,42 @@ interface(`files_setattr_all_tmp_dirs',`
-
- ########################################
- ##
-+## Allow caller to read inherited tmp files.
++## Relabel to and from all temporary
++## file types.
+##
+##
+##
+## Domain allowed access.
+##
+##
++##
+#
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
+ attribute tmpfile;
++ type var_t;
+ ')
+
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+')
+
+########################################
+##
-+## Allow caller to append inherited tmp files.
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
+ gen_require(`
+ attribute tmpfile;
+ ')
+
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ dontaudit $1 tmpfile:sock_file getattr;
+')
-+
-+########################################
-+##
- ## List all tmp directories.
- ##
- ##
-@@ -4428,7 +5063,7 @@ interface(`files_relabel_all_tmp_dirs',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -4488,7 +5123,7 @@ interface(`files_relabel_all_tmp_files',`
- ##
- ##
- ##
--## Domain not to audit.
-+## Domain to not audit.
- ##
- ##
- #
-@@ -4573,6 +5208,16 @@ interface(`files_purge_tmp',`
+
+ ########################################
+ ##
+@@ -4573,6 +5227,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -118712,17 +118884,14 @@ index e1e814d..37f3b90 100644
')
########################################
-@@ -5150,12 +5795,30 @@ interface(`files_list_var',`
+@@ -5150,6 +5814,24 @@ interface(`files_list_var',`
########################################
##
--## Create, read, write, and delete directories
--## in the /var directory.
+## Do not audit listing of the var directory (/var).
- ##
- ##
- ##
--## Domain allowed access.
++##
++##
++##
+## Domain to not audit.
+##
+##
@@ -118737,16 +118906,10 @@ index e1e814d..37f3b90 100644
+
+########################################
+##
-+## Create, read, write, and delete directories
-+## in the /var directory.
-+##
-+##
-+##
-+## Domain allowed access.
- ##
- ##
- #
-@@ -5505,6 +6168,25 @@ interface(`files_read_var_lib_symlinks',`
+ ## Create, read, write, and delete directories
+ ## in the /var directory.
+ ##
+@@ -5505,6 +6187,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -118772,7 +118935,7 @@ index e1e814d..37f3b90 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5550,7 +6232,7 @@ interface(`files_manage_mounttab',`
+@@ -5550,7 +6251,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -118781,7 +118944,7 @@ index e1e814d..37f3b90 100644
##
##
##
-@@ -5558,12 +6240,13 @@ interface(`files_manage_mounttab',`
+@@ -5558,12 +6259,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -118797,7 +118960,7 @@ index e1e814d..37f3b90 100644
')
########################################
-@@ -5581,6 +6264,7 @@ interface(`files_search_locks',`
+@@ -5581,6 +6283,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -118805,7 +118968,7 @@ index e1e814d..37f3b90 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5607,7 +6291,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5607,7 +6310,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -118833,7 +118996,7 @@ index e1e814d..37f3b90 100644
##
##
##
-@@ -5615,13 +6318,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5615,13 +6337,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -118850,7 +119013,7 @@ index e1e814d..37f3b90 100644
')
########################################
-@@ -5640,7 +6342,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5640,7 +6361,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -118859,7 +119022,7 @@ index e1e814d..37f3b90 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5673,7 +6375,6 @@ interface(`files_create_lock_dirs',`
+@@ -5673,7 +6394,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -118867,7 +119030,7 @@ index e1e814d..37f3b90 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5701,8 +6402,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5701,8 +6421,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -118877,7 +119040,7 @@ index e1e814d..37f3b90 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5718,13 +6418,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5718,13 +6437,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -118895,7 +119058,7 @@ index e1e814d..37f3b90 100644
')
########################################
-@@ -5743,8 +6442,7 @@ interface(`files_manage_generic_locks',`
+@@ -5743,8 +6461,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -118905,7 +119068,7 @@ index e1e814d..37f3b90 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5786,8 +6484,7 @@ interface(`files_read_all_locks',`
+@@ -5786,8 +6503,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -118915,7 +119078,7 @@ index e1e814d..37f3b90 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5809,8 +6506,7 @@ interface(`files_manage_all_locks',`
+@@ -5809,8 +6525,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -118925,7 +119088,7 @@ index e1e814d..37f3b90 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5847,8 +6543,7 @@ interface(`files_lock_filetrans',`
+@@ -5847,8 +6562,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -118935,7 +119098,7 @@ index e1e814d..37f3b90 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5911,6 +6606,43 @@ interface(`files_search_pids',`
+@@ -5911,6 +6625,43 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
@@ -118979,7 +119142,7 @@ index e1e814d..37f3b90 100644
########################################
##
## Do not audit attempts to search
-@@ -5933,6 +6665,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -5933,6 +6684,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -119005,7 +119168,7 @@ index e1e814d..37f3b90 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6048,7 +6799,6 @@ interface(`files_pid_filetrans',`
+@@ -6048,7 +6818,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -119013,7 +119176,7 @@ index e1e814d..37f3b90 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6157,30 +6907,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6157,30 +6926,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -119048,7 +119211,7 @@ index e1e814d..37f3b90 100644
##
##
##
-@@ -6188,43 +6933,35 @@ interface(`files_read_all_pids',`
+@@ -6188,43 +6952,35 @@ interface(`files_read_all_pids',`
##
##
#
@@ -119099,7 +119262,7 @@ index e1e814d..37f3b90 100644
##
##
##
-@@ -6232,21 +6969,17 @@ interface(`files_delete_all_pids',`
+@@ -6232,21 +6988,17 @@ interface(`files_delete_all_pids',`
##
##
#
@@ -119124,7 +119287,7 @@ index e1e814d..37f3b90 100644
##
##
##
-@@ -6254,56 +6987,59 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6254,56 +7006,59 @@ interface(`files_delete_all_pid_dirs',`
##
##
#
@@ -119200,7 +119363,7 @@ index e1e814d..37f3b90 100644
##
##
##
-@@ -6311,18 +7047,17 @@ interface(`files_list_spool',`
+@@ -6311,18 +7066,17 @@ interface(`files_list_spool',`
##
##
#
@@ -119223,7 +119386,7 @@ index e1e814d..37f3b90 100644
##
##
##
-@@ -6330,19 +7065,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6330,9 +7084,273 @@ interface(`files_manage_generic_spool_dirs',`
##
##
#
@@ -119232,62 +119395,40 @@ index e1e814d..37f3b90 100644
gen_require(`
- type var_t, var_spool_t;
+ type var_run_t;
- ')
-
-- list_dirs_pattern($1, var_t, var_spool_t)
-- read_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ exec_files_pattern($1, var_run_t, var_run_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete generic
--## spool files.
++')
++
++########################################
++##
+## manage all pidfiles
+## in the /var/run directory.
- ##
- ##
- ##
-@@ -6350,55 +7084,62 @@ interface(`files_read_generic_spool',`
- ##
- ##
- #
--interface(`files_manage_generic_spool',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
- ')
-
-- allow $1 var_t:dir search_dir_perms;
-- manage_files_pattern($1, var_spool_t, var_spool_t)
++ ')
++
+ manage_files_pattern($1,pidfile,pidfile)
- ')
-
- ########################################
- ##
--## Create objects in the spool directory
--## with a private type with a type transition.
++')
++
++########################################
++##
+## Mount filesystems on all polyinstantiation
+## member directories.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
--##
--## Type to which the created node will be transitioned.
--##
--##
--##
--##
--## Object class(es) (single or set including {}) for which this
--## the transition will occur.
--##
--##
--##
++##
++##
++##
++## Domain allowed access.
++##
++##
+#
+interface(`files_mounton_all_poly_members',`
+ gen_require(`
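Review bot: `manage_files_pattern($1,pidfile,pidfile)` in the new `files_manage_all_pids` body drops the spaces after the commas that every other pattern call in this hunk uses; write it as `manage_files_pattern($1, pidfile, pidfile)`. Its summary `## manage all pidfiles` is also the only lowercase one in the hunk, so `## Manage all pidfiles` would match its neighbours. Unlike `files_delete_all_pids` further down, this interface grants no search on var_t or var_run_t, so a caller presumably also needs `files_search_pids`; a one-line comment stating that expectation would keep the broad pidfile grant from being called in isolation. The interface at the top of the hunk (the one calling `exec_files_pattern` on var_run_t) and `files_mounton_all_poly_members` at the bottom both start or end outside the hunk.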
@@ -119302,69 +119443,48 @@ index e1e814d..37f3b90 100644
+## Delete all process IDs.
+##
+##
- ##
--## The name of the object being created.
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+##
- #
--interface(`files_spool_filetrans',`
++#
+interface(`files_delete_all_pids',`
- gen_require(`
-- type var_t, var_spool_t;
++ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
- ')
-
- allow $1 var_t:dir search_dir_perms;
-- filetrans_pattern($1, var_spool_t, $2, $3, $4)
++ ')
++
++ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ allow $1 var_run_t:dir rmdir;
+ allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+ delete_files_pattern($1, pidfile, pidfile)
+ delete_fifo_files_pattern($1, pidfile, pidfile)
+ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
- ')
-
- ########################################
- ##
--## Allow access to manage all polyinstantiated
--## directories on the system.
++')
++
++########################################
++##
+## Delete all process ID directories.
- ##
- ##
- ##
-@@ -6406,25 +7147,283 @@ interface(`files_spool_filetrans',`
- ##
- ##
- #
--interface(`files_polyinstantiate_all',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_delete_all_pid_dirs',`
- gen_require(`
-- attribute polydir, polymember, polyparent;
-- type poly_t;
++ gen_require(`
+ attribute pidfile;
+ type var_t, var_run_t;
- ')
-
-- # Need to give access to /selinux/member
-- selinux_compute_member($1)
--
-- # Need sys_admin capability for mounting
-- allow $1 self:capability { chown fsetid sys_admin fowner };
--
-- # Need to give access to the directories to be polyinstantiated
-- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
--
-- # Need to give access to the polyinstantiated subdirectories
-- allow $1 polymember:dir search_dir_perms;
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
+')
-
-- # Need to give access to parent directories where original
++
+########################################
+##
+## Make the specified type a file
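Review bot: The summary of `files_delete_all_pids` reads `## Delete all process IDs.` while the body also grants `allow $1 var_run_t:dir rmdir;` and `allow $1 var_run_t:lnk_file delete_lnk_file_perms;`, so callers can remove var_run_t symlinks and directories, not just pidfile entries. The summary should say so, e.g. `## Delete all process ID files, fifos and sockets, and remove var_run_t symlinks and directories.`, and a short comment above the rmdir rule explaining why this interface needs it when `files_delete_all_pid_dirs` directly below already owns directory removal would make the overlap deliberate rather than accidental. The doc block of `files_delete_all_pids` begins before the hunk starts.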
@@ -119539,102 +119659,10 @@ index e1e814d..37f3b90 100644
+interface(`files_read_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create objects in the spool directory
-+## with a private type with a type transition.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Type to which the created node will be transitioned.
-+##
-+##
-+##
-+##
-+## Object class(es) (single or set including {}) for which this
-+## the transition will occur.
-+##
-+##
-+##
-+##
-+## The name of the object being created.
-+##
-+##
-+#
-+interface(`files_spool_filetrans',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
-+')
-+
-+########################################
-+##
-+## Allow access to manage all polyinstantiated
-+## directories on the system.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_polyinstantiate_all',`
-+ gen_require(`
-+ attribute polydir, polymember, polyparent;
-+ type poly_t;
-+ ')
-+
-+ # Need to give access to /selinux/member
-+ selinux_compute_member($1)
-+
-+ # Need sys_admin capability for mounting
-+ allow $1 self:capability { chown fsetid sys_admin fowner };
-+
-+ # Need to give access to the directories to be polyinstantiated
-+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
-+
-+ # Need to give access to the polyinstantiated subdirectories
-+ allow $1 polymember:dir search_dir_perms;
-+
-+ # Need to give access to parent directories where original
- # is remounted for polyinstantiation aware programs (like gdm)
- allow $1 polyparent:dir { getattr mounton };
+ ')
-@@ -6467,3 +7466,457 @@ interface(`files_unconfined',`
+ list_dirs_pattern($1, var_t, var_spool_t)
+@@ -6467,3 +7485,457 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -124769,7 +124797,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 44c198a..82eb9e5 100644
+index 44c198a..72a70fc 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.0)
@@ -125065,7 +125093,7 @@ index 44c198a..82eb9e5 100644
optional_policy(`
- pyzor_role(sysadm_r, sysadm_t)
-+ postfix_filetrans_named_content(sysadm_t)
++ postfix_admin(sysadm_t, sysadm_r)
')
optional_policy(`
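Review bot: Replacing `postfix_filetrans_named_content(sysadm_t)` with `postfix_admin(sysadm_t, sysadm_r)` widens sysadm's grant from a set of named file transitions to whatever the postfix admin interface bundles, which presumably includes managing postfix's files and running its domains from sysadm_r; that is a much larger change in reachable permissions than the single diff line suggests. If the named transitions are still required for sysadm_t, confirm that `postfix_admin` covers them, otherwise keep both calls inside this `optional_policy` block. The interface itself lives in postfix.if, which is not on this page, so the actual scope cannot be checked here.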
@@ -130989,10 +131017,10 @@ index c6fdab7..c59902a 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..ffa1f8f 100644
+index 28ad538..ebe81bf 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
-@@ -1,14 +1,25 @@
+@@ -1,14 +1,26 @@
+HOME_DIR/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
+HOME_DIR/\.google_authenticator~ gen_context(system_u:object_r:auth_home_t,s0)
+/root/\.google_authenticator gen_context(system_u:object_r:auth_home_t,s0)
@@ -131005,6 +131033,7 @@ index 28ad538..ffa1f8f 100644
+/etc/group\.lock -- gen_context(system_u:object_r:passwd_file_t,s0)
/etc/gshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
++/etc/nshadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/security/opasswd -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/security/opasswd\.old -- gen_context(system_u:object_r:shadow_t,s0)
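Review bot: The new `/etc/nshadow.*` file-context entry labels any suffix after nshadow as shadow_t, while the matching named transition added in the authlogin.if hunk further down (`files_etc_filetrans($1, shadow_t, file, "nshadow")`) fires only for the exact name `nshadow`; a temporary or backup variant written next to it would presumably inherit the parent directory's type until the next relabel. The existing shadow entries in that same hunk list both `"shadow"` and `"shadow-"`, so if nshadow is rotated the same way a second `files_etc_filetrans($1, shadow_t, file, "nshadow-")` line is needed; if it is not, a short comment beside the fc line explaining why the pattern is wider than the transition would stop the next reader from re-raising this.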
@@ -131022,7 +131051,7 @@ index 28ad538..ffa1f8f 100644
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
-@@ -16,13 +27,24 @@ ifdef(`distro_suse', `
+@@ -16,13 +28,24 @@ ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
@@ -131049,7 +131078,7 @@ index 28ad538..ffa1f8f 100644
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,20 +52,24 @@ ifdef(`distro_gentoo', `
+@@ -30,20 +53,24 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -131079,7 +131108,7 @@ index 28ad538..ffa1f8f 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index f416ce9..b4efacf 100644
+index f416ce9..4d4ec55 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -131314,17 +131343,18 @@ index f416ce9..b4efacf 100644
')
########################################
-@@ -664,6 +720,9 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +720,10 @@ interface(`auth_manage_shadow',`
allow $1 shadow_t:file manage_file_perms;
typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
+ files_var_filetrans($1, shadow_t, file, "shadow")
+ files_var_filetrans($1, shadow_t, file, "shadow-")
+ files_etc_filetrans($1, shadow_t, file, "gshadow")
++ files_etc_filetrans($1, shadow_t, file, "nshadow")
')
#######################################
-@@ -763,7 +822,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +823,50 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
@@ -131376,7 +131406,7 @@ index f416ce9..b4efacf 100644
')
#######################################
-@@ -826,7 +928,7 @@ interface(`auth_rw_lastlog',`
+@@ -826,7 +929,7 @@ interface(`auth_rw_lastlog',`
########################################
##
@@ -131385,7 +131415,7 @@ index f416ce9..b4efacf 100644
##
##
##
-@@ -834,12 +936,27 @@ interface(`auth_rw_lastlog',`
+@@ -834,12 +937,27 @@ interface(`auth_rw_lastlog',`
##
##
#
@@ -131416,7 +131446,7 @@ index f416ce9..b4efacf 100644
')
########################################
-@@ -854,15 +971,15 @@ interface(`auth_domtrans_pam',`
+@@ -854,15 +972,15 @@ interface(`auth_domtrans_pam',`
#
interface(`auth_signal_pam',`
gen_require(`
@@ -131435,7 +131465,7 @@ index f416ce9..b4efacf 100644
##
##
##
-@@ -875,13 +992,33 @@ interface(`auth_signal_pam',`
+@@ -875,13 +993,33 @@ interface(`auth_signal_pam',`
##
##
#
@@ -131473,7 +131503,7 @@ index f416ce9..b4efacf 100644
')
########################################
-@@ -959,9 +1096,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1097,30 @@ interface(`auth_manage_var_auth',`
')
files_search_var($1)
@@ -131507,7 +131537,7 @@ index f416ce9..b4efacf 100644
')
########################################
-@@ -1040,6 +1198,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1199,10 @@ interface(`auth_manage_pam_pid',`
files_search_pids($1)
allow $1 pam_var_run_t:dir manage_dir_perms;
allow $1 pam_var_run_t:file manage_file_perms;
@@ -131518,7 +131548,7 @@ index f416ce9..b4efacf 100644
')
########################################
-@@ -1157,6 +1319,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1320,7 @@ interface(`auth_manage_pam_console_data',`
files_search_pids($1)
manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -131526,7 +131556,7 @@ index f416ce9..b4efacf 100644
')
#######################################
-@@ -1526,6 +1689,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1690,25 @@ interface(`auth_setattr_login_records',`
########################################
##
@@ -131552,7 +131582,7 @@ index f416ce9..b4efacf 100644
## Read login records files (/var/log/wtmp).
##
##
-@@ -1676,24 +1858,7 @@ interface(`auth_manage_login_records',`
+@@ -1676,24 +1859,7 @@ interface(`auth_manage_login_records',`
logging_rw_generic_log_dirs($1)
allow $1 wtmp_t:file manage_file_perms;
@@ -131578,7 +131608,7 @@ index f416ce9..b4efacf 100644
')
########################################
-@@ -1717,11 +1882,13 @@ interface(`auth_relabel_login_records',`
+@@ -1717,11 +1883,13 @@ interface(`auth_relabel_login_records',`
##
#
interface(`auth_use_nsswitch',`
@@ -131595,7 +131625,7 @@ index f416ce9..b4efacf 100644
')
########################################
-@@ -1755,3 +1922,199 @@ interface(`auth_unconfined',`
+@@ -1755,3 +1923,199 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -141400,10 +141430,10 @@ index 0000000..6d7c302
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..059885e
+index 0000000..3e4cae7
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,943 @@
+@@ -0,0 +1,962 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -142347,6 +142377,25 @@ index 0000000..059885e
+ systemd_exec_systemctl($1)
+ allow $1 systemd_unit_file_type:service start;
+')
++
++#######################################
++##
++## Start power unit files domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`systemd_status_all_unit_files',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ systemd_exec_systemctl($1)
++ allow $1 systemd_unit_file_type:service status;
++')
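Review bot: The doc block of the new `systemd_status_all_unit_files` interface is copied from the preceding one: its summary says `## Start power unit files domain.` although the body grants `systemd_unit_file_type:service status`, and the parameter is described as `## Domain allowed to transition.` although no domain transition occurs here. Replace them with `## Get the status of all systemd unit files.` and `## Domain allowed access.` so the interface's actual (read-only) scope is what policy readers see. The interface is complete within the hunk.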
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..223e3f0
diff --git a/policy-f18-contrib.patch b/policy-f18-contrib.patch
index 5fa2677..1b100a3 100644
--- a/policy-f18-contrib.patch
+++ b/policy-f18-contrib.patch
@@ -2132,7 +2132,7 @@ index 0000000..feabdf3
+ files_getattr_all_sockets(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index fd9fa07..cca43af 100644
+index fd9fa07..dcb9d6e 100644
--- a/apache.fc
+++ b/apache.fc
@@ -1,20 +1,37 @@
@@ -2233,7 +2233,12 @@ index fd9fa07..cca43af 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,31 +100,50 @@ ifdef(`distro_suse', `
+@@ -69,35 +96,54 @@ ifdef(`distro_suse', `
+ /var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+ /var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
+-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
++/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -2275,7 +2280,7 @@ index fd9fa07..cca43af 100644
')
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -21287,7 +21292,7 @@ index 0000000..c4c7510
+')
diff --git a/firewalld.te b/firewalld.te
new file mode 100644
-index 0000000..97cb441
+index 0000000..90c8ee3
--- /dev/null
+++ b/firewalld.te
@@ -0,0 +1,95 @@
@@ -21355,7 +21360,7 @@ index 0000000..97cb441
+
+fs_getattr_xattr_fs(firewalld_t)
+
-+auth_read_passwd(firewalld_t)
++auth_use_nsswitch(firewalld_t)
+
+logging_send_syslog_msg(firewalld_t)
+
@@ -31526,7 +31531,7 @@ index 572b5db..1e55f43 100644
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.te b/logrotate.te
-index 7090dae..4aaa8fb 100644
+index 7090dae..8a2583b 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -29,9 +29,8 @@ files_type(logrotate_var_lib_t)
@@ -31536,7 +31541,7 @@ index 7090dae..4aaa8fb 100644
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
-# for mailx
-dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
-+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
++allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+dontaudit logrotate_t self:capability sys_resource;
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
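Review bot: The rewritten capability rule turns `sys_ptrace` from a dontaudit into an allow, so logrotate_t now actually receives the capability instead of merely having the denial silenced (the earlier revision of this line already did the same for `setuid`/`setgid`, and the `# for mailx` comment explaining them was dropped). CAP_SYS_PTRACE is broad — beyond tracing it also unlocks reading other users' /proc/PID state — while the `self:process ~{ ptrace ... }` rule on the next line still withholds process-level ptrace, which suggests the capability is wanted for something other than attaching to processes. If the goal is only to stop log noise, `dontaudit logrotate_t self:capability sys_ptrace;` is the narrower change; if it is genuinely required, a one-line comment naming the helper that needs it would keep the grant reviewable.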
@@ -31589,7 +31594,7 @@ index 7090dae..4aaa8fb 100644
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -112,21 +115,20 @@ logging_send_audit_msgs(logrotate_t)
+@@ -112,21 +115,21 @@ logging_send_audit_msgs(logrotate_t)
# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
@@ -31598,6 +31603,7 @@ index 7090dae..4aaa8fb 100644
+systemd_getattr_unit_files(logrotate_t)
+systemd_start_all_unit_files(logrotate_t)
+systemd_reload_all_services(logrotate_t)
++systemd_status_all_unit_files(logrotate_t)
+init_stream_connect(logrotate_t)
-seutil_dontaudit_read_config(logrotate_t)
@@ -31620,7 +31626,7 @@ index 7090dae..4aaa8fb 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -138,7 +140,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
')
optional_policy(`
@@ -31629,7 +31635,7 @@ index 7090dae..4aaa8fb 100644
')
optional_policy(`
-@@ -154,6 +156,10 @@ optional_policy(`
+@@ -154,6 +157,10 @@ optional_policy(`
')
optional_policy(`
@@ -31640,7 +31646,7 @@ index 7090dae..4aaa8fb 100644
asterisk_domtrans(logrotate_t)
')
-@@ -162,10 +168,20 @@ optional_policy(`
+@@ -162,10 +169,20 @@ optional_policy(`
')
optional_policy(`
@@ -31661,7 +31667,7 @@ index 7090dae..4aaa8fb 100644
cups_domtrans(logrotate_t)
')
-@@ -178,6 +194,10 @@ optional_policy(`
+@@ -178,6 +195,10 @@ optional_policy(`
')
optional_policy(`
@@ -31672,7 +31678,7 @@ index 7090dae..4aaa8fb 100644
icecast_signal(logrotate_t)
')
-@@ -194,15 +214,19 @@ optional_policy(`
+@@ -194,15 +215,19 @@ optional_policy(`
')
optional_policy(`
@@ -31693,7 +31699,7 @@ index 7090dae..4aaa8fb 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -217,6 +241,11 @@ optional_policy(`
+@@ -217,6 +242,11 @@ optional_policy(`
')
optional_policy(`
@@ -31705,7 +31711,7 @@ index 7090dae..4aaa8fb 100644
squid_domtrans(logrotate_t)
')
-@@ -228,3 +257,14 @@ optional_policy(`
+@@ -228,3 +258,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -32398,10 +32404,10 @@ index 0000000..bd1d48e
+')
diff --git a/mailscanner.te b/mailscanner.te
new file mode 100644
-index 0000000..45f3262
+index 0000000..d2f7a62
--- /dev/null
+++ b/mailscanner.te
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,86 @@
+policy_module(mailscanner, 1.0.0)
+
+########################################
@@ -32435,6 +32441,7 @@ index 0000000..45f3262
+allow mscan_t self:fifo_file rw_fifo_file_perms;
+
+read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
++list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
+
+manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
+files_pid_filetrans(mscan_t, mscan_var_run_t, file)
@@ -34316,10 +34323,10 @@ index 6647a35..f3b35e1 100644
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
diff --git a/mozilla.fc b/mozilla.fc
-index 3a73e74..60e7237 100644
+index 3a73e74..0fa08be 100644
--- a/mozilla.fc
+++ b/mozilla.fc
-@@ -2,8 +2,17 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
+@@ -2,8 +2,18 @@ HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0
HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -34331,13 +34338,14 @@ index 3a73e74..60e7237 100644
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
++HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
#
# /bin
-@@ -16,6 +25,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
+@@ -16,6 +26,12 @@ HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
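Review bot: `HOME_DIR/\.lyx` is given `mozilla_home_t`, the type the browser plugin domains receive full manage rights on elsewhere in this patch (the `manage_*_pattern(mozilla_plugin_t, mozilla_home_t, ...)` rules), and the matching `userdom_user_home_dir_filetrans(..., ".lyx")` is added in the hunk at `@@ -34652,10 +34660,11 @@`. LyX is not a browser component, so the reason for the labelling is not evident from the rule itself; a short comment naming the plugin or helper that writes into `~/.lyx` would let a later maintainer judge whether this shared type is still appropriate or whether a dedicated type is warranted.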
@@ -34350,7 +34358,7 @@ index 3a73e74..60e7237 100644
ifdef(`distro_debian',`
/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
')
-@@ -23,11 +38,20 @@ ifdef(`distro_debian',`
+@@ -23,11 +39,20 @@ ifdef(`distro_debian',`
#
# /lib
#
@@ -34378,7 +34386,7 @@ index 3a73e74..60e7237 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index b397fde..9ba2af3 100644
+index b397fde..cccec7e 100644
--- a/mozilla.if
+++ b/mozilla.if
@@ -18,10 +18,11 @@
@@ -34528,7 +34536,7 @@ index b397fde..9ba2af3 100644
##
##
##
-@@ -275,28 +361,118 @@ interface(`mozilla_rw_tcp_sockets',`
+@@ -275,28 +361,119 @@ interface(`mozilla_rw_tcp_sockets',`
##
##
#
@@ -34652,10 +34660,11 @@ index b397fde..9ba2af3 100644
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
+')
+
diff --git a/mozilla.te b/mozilla.te
-index d4fcb75..907ff48 100644
+index d4fcb75..8cf0087 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -7,19 +7,34 @@ policy_module(mozilla, 2.6.0)
@@ -34818,7 +34827,7 @@ index d4fcb75..907ff48 100644
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
-@@ -297,65 +317,101 @@ optional_policy(`
+@@ -297,65 +317,102 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -34847,6 +34856,7 @@ index d4fcb75..907ff48 100644
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+mozilla_filetrans_home_content(mozilla_plugin_t)
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
@@ -34935,7 +34945,7 @@ index d4fcb75..907ff48 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,55 +419,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,55 +420,59 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -35017,7 +35027,7 @@ index d4fcb75..907ff48 100644
')
optional_policy(`
-@@ -422,24 +482,39 @@ optional_policy(`
+@@ -422,24 +483,39 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -35061,7 +35071,7 @@ index d4fcb75..907ff48 100644
')
optional_policy(`
-@@ -447,10 +522,115 @@ optional_policy(`
+@@ -447,10 +523,116 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -35121,6 +35131,7 @@ index d4fcb75..907ff48 100644
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
+
+corecmd_exec_bin(mozilla_plugin_config_t)
+corecmd_exec_shell(mozilla_plugin_config_t)
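Review bot: The added rule names `mozilla_plugin_t` as subject, but every surrounding rule in this hunk is for `mozilla_plugin_config_t`, and an identical `mozilla_plugin_t` rule is already added in the mozilla_plugin block of this file (hunk at `@@ -34847,6 +34856,7 @@`). This reads as a copy-paste slip: the config domain ends up with no fifo access on mozilla_home_t while the plugin domain gets a duplicate rule. Likely intended: `manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)`.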
@@ -36985,7 +36996,7 @@ index c358d8f..1cc176c 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index f17583b..3a691c7 100644
+index f17583b..addfbf2 100644
--- a/munin.te
+++ b/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -37124,11 +37135,11 @@ index f17583b..3a691c7 100644
dev_read_sysfs(disk_munin_plugin_t)
dev_read_urand(disk_munin_plugin_t)
+dev_read_all_blk_files(munin_disk_plugin_t)
-+
-+fs_getattr_all_fs(disk_munin_plugin_t)
-+fs_getattr_all_dirs(disk_munin_plugin_t)
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
++fs_getattr_all_fs(disk_munin_plugin_t)
++fs_getattr_all_dirs(disk_munin_plugin_t)
++
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
sysnet_read_config(disk_munin_plugin_t)
@@ -37202,7 +37213,7 @@ index f17583b..3a691c7 100644
cups_stream_connect(services_munin_plugin_t)
')
-@@ -279,6 +316,10 @@ optional_policy(`
+@@ -279,6 +316,14 @@ optional_policy(`
')
optional_policy(`
@@ -37210,10 +37221,14 @@ index f17583b..3a691c7 100644
+')
+
+optional_policy(`
++ ntp_exec(services_munin_plugin_t)
++')
++
++optional_policy(`
postgresql_stream_connect(services_munin_plugin_t)
')
-@@ -286,6 +327,18 @@ optional_policy(`
+@@ -286,6 +331,18 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -37232,7 +37247,7 @@ index f17583b..3a691c7 100644
##################################
#
# local policy for system plugins
-@@ -295,12 +348,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,12 +352,10 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -37248,7 +37263,7 @@ index f17583b..3a691c7 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -313,3 +364,47 @@ init_read_utmp(system_munin_plugin_t)
+@@ -313,3 +368,47 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t)
@@ -41151,10 +41166,36 @@ index e79dccc..2a3c6af 100644
/var/log/ntp.* -- gen_context(system_u:object_r:ntpd_log_t,s0)
/var/log/ntpstats(/.*)? gen_context(system_u:object_r:ntpd_log_t,s0)
diff --git a/ntp.if b/ntp.if
-index e80f8c0..0044e73 100644
+index e80f8c0..d60b451 100644
--- a/ntp.if
+++ b/ntp.if
-@@ -98,6 +98,48 @@ interface(`ntp_initrc_domtrans',`
+@@ -37,6 +37,25 @@ interface(`ntp_domtrans',`
+
+ ########################################
+ ##
++## Execute ntp server in the caller domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ntp_exec',`
++ gen_require(`
++ type ntpd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, ntpd_exec_t)
++')
++
++########################################
++##
+ ## Execute ntp in the ntp domain, and
+ ## allow the specified role the ntp domain.
+ ##
+@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
')
@@ -41203,7 +41244,7 @@ index e80f8c0..0044e73 100644
########################################
##
## Read and write ntpd shared memory.
-@@ -122,6 +164,25 @@ interface(`ntp_rw_shm',`
+@@ -122,6 +183,25 @@ interface(`ntp_rw_shm',`
########################################
##
@@ -41229,7 +41270,7 @@ index e80f8c0..0044e73 100644
## All of the rules required to administrate
## an ntp environment
##
-@@ -140,12 +201,15 @@ interface(`ntp_rw_shm',`
+@@ -140,12 +220,15 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
@@ -41248,7 +41289,7 @@ index e80f8c0..0044e73 100644
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -162,4 +226,8 @@ interface(`ntp_admin',`
+@@ -162,4 +245,8 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
@@ -43846,10 +43887,10 @@ index 0000000..14f29e4
+')
diff --git a/openvswitch.te b/openvswitch.te
new file mode 100644
-index 0000000..31370ed
+index 0000000..f6e0f04
--- /dev/null
+++ b/openvswitch.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,84 @@
+policy_module(openvswitch, 1.0.0)
+
+########################################
@@ -43886,6 +43927,7 @@ index 0000000..31370ed
+allow openvswitch_t self:fifo_file rw_fifo_file_perms;
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:netlink_socket create_socket_perms;
++allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
+
+can_exec(openvswitch_t, openvswitch_exec_t)
+
@@ -48097,7 +48139,7 @@ index 1ddfa16..c0e0959 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/postfix.if b/postfix.if
-index 46bee12..8ef270f 100644
+index 46bee12..20a3ccd 100644
--- a/postfix.if
+++ b/postfix.if
@@ -28,75 +28,23 @@ interface(`postfix_stub',`
@@ -48353,7 +48395,69 @@ index 46bee12..8ef270f 100644
## Execute the master postdrop in the
## postfix_postdrop domain.
##
-@@ -462,7 +492,7 @@ interface(`postfix_domtrans_postqueue',`
+@@ -452,6 +482,61 @@ interface(`postfix_domtrans_postqueue',`
+ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
+ ')
+
++########################################
++##
++## Execute the master postqueue in the
++## postfix_postdrop domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The role to be allowed the iptables domain.
++##
++##
++##
++#
++
++interface(`postfix_run_postqueue',`
++ gen_require(`
++ type postfix_postqueue_t;
++ ')
++
++ postfix_domtrans_postqueue($1)
++ role $2 types postfix_postqueue_t;
++ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
++')
++
++########################################
++##
++## Execute postfix_postgqueue in the postfix_postgqueue domain, and
++## allow the specified role the postfix_postgqueue domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`postfix_run_postgqueue',`
++ gen_require(`
++ type postfix_postgqueue_t;
++ ')
++
++ postfix_domtrans_postgqueue($1)
++ role $2 types postfix_postgqueue_t;
++')
++
++
+ #######################################
+ ##
+ ## Execute the master postqueue in the caller domain.
+@@ -462,7 +547,7 @@ interface(`postfix_domtrans_postqueue',`
##
##
#
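Review bot: The header of the new `postfix_run_postqueue` interface does not match its body: the summary says the program runs in the `postfix_postdrop` domain and the role parameter is described as `The role to be allowed the iptables domain`, while the rules are `postfix_domtrans_postqueue($1)` and `role $2 types postfix_postqueue_t;`. Suggest `## postfix_postqueue domain.` and `## The role to be allowed the postfix_postqueue domain.`, and drop the blank line between the closing `#` and `interface(`, which no other interface in this file has. The second new interface, `postfix_run_postgqueue`, requires a type `postfix_postgqueue_t` and calls `postfix_domtrans_postgqueue`, neither of which appears anywhere else on this page; if that is a misspelling of postqueue it duplicates the interface just above it (minus the socket rule), and because m4 only expands an interface where it is called, the undefined names would surface only when someone uses it — better fixed or removed now.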
@@ -48362,7 +48466,7 @@ index 46bee12..8ef270f 100644
gen_require(`
type postfix_postqueue_exec_t;
')
-@@ -529,6 +559,25 @@ interface(`postfix_domtrans_smtp',`
+@@ -529,6 +614,25 @@ interface(`postfix_domtrans_smtp',`
########################################
##
@@ -48388,7 +48492,7 @@ index 46bee12..8ef270f 100644
## Search postfix mail spool directories.
##
##
-@@ -539,10 +588,10 @@ interface(`postfix_domtrans_smtp',`
+@@ -539,10 +643,10 @@ interface(`postfix_domtrans_smtp',`
#
interface(`postfix_search_spool',`
gen_require(`
@@ -48401,7 +48505,7 @@ index 46bee12..8ef270f 100644
files_search_spool($1)
')
-@@ -558,10 +607,10 @@ interface(`postfix_search_spool',`
+@@ -558,10 +662,10 @@ interface(`postfix_search_spool',`
#
interface(`postfix_list_spool',`
gen_require(`
@@ -48414,7 +48518,7 @@ index 46bee12..8ef270f 100644
files_search_spool($1)
')
-@@ -577,11 +626,11 @@ interface(`postfix_list_spool',`
+@@ -577,11 +681,11 @@ interface(`postfix_list_spool',`
#
interface(`postfix_read_spool_files',`
gen_require(`
@@ -48428,7 +48532,7 @@ index 46bee12..8ef270f 100644
')
########################################
-@@ -596,11 +645,31 @@ interface(`postfix_read_spool_files',`
+@@ -596,11 +700,31 @@ interface(`postfix_read_spool_files',`
#
interface(`postfix_manage_spool_files',`
gen_require(`
@@ -48462,7 +48566,7 @@ index 46bee12..8ef270f 100644
')
########################################
-@@ -621,3 +690,155 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -621,3 +745,157 @@ interface(`postfix_domtrans_user_mail_handler',`
typeattribute $1 postfix_user_domtrans;
')
@@ -48528,6 +48632,7 @@ index 46bee12..8ef270f 100644
+
+ postfix_run_map($1, $2)
+ postfix_run_postdrop($1, $2)
++ postfix_run_postqueue($1, $2)
+
+ postfix_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -48581,6 +48686,7 @@ index 46bee12..8ef270f 100644
+ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
+')
+
++
+########################################
+##
+## Execute postfix exec in the users domain
@@ -48619,7 +48725,7 @@ index 46bee12..8ef270f 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index a1e0f60..85b12af 100644
+index a1e0f60..ae56a3e 100644
--- a/postfix.te
+++ b/postfix.te
@@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -48780,7 +48886,7 @@ index a1e0f60..85b12af 100644
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
-@@ -195,7 +216,7 @@ optional_policy(`
+@@ -195,15 +216,11 @@ optional_policy(`
')
optional_policy(`
@@ -48789,7 +48895,15 @@ index a1e0f60..85b12af 100644
mailman_manage_data_files(postfix_master_t)
')
-@@ -220,13 +241,17 @@ allow postfix_bounce_t self:capability dac_read_search;
+ optional_policy(`
+- mysql_stream_connect(postfix_master_t)
+-')
+-
+-optional_policy(`
+ postgrey_search_spool(postfix_master_t)
+ ')
+
+@@ -220,13 +237,17 @@ allow postfix_bounce_t self:capability dac_read_search;
allow postfix_bounce_t self:tcp_socket create_socket_perms;
allow postfix_bounce_t postfix_public_t:sock_file write;
@@ -48808,7 +48922,7 @@ index a1e0f60..85b12af 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -237,22 +262,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -237,22 +258,31 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
#
allow postfix_cleanup_t self:process setrlimit;
@@ -48840,7 +48954,7 @@ index a1e0f60..85b12af 100644
mta_read_aliases(postfix_cleanup_t)
optional_policy(`
-@@ -264,7 +298,6 @@ optional_policy(`
+@@ -264,7 +294,6 @@ optional_policy(`
# Postfix local local policy
#
@@ -48848,7 +48962,7 @@ index a1e0f60..85b12af 100644
allow postfix_local_t self:process { setsched setrlimit };
# connect to master process
-@@ -272,28 +305,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -272,28 +301,51 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -48905,7 +49019,7 @@ index a1e0f60..85b12af 100644
')
optional_policy(`
-@@ -304,9 +360,26 @@ optional_policy(`
+@@ -304,9 +356,26 @@ optional_policy(`
')
optional_policy(`
@@ -48932,7 +49046,7 @@ index a1e0f60..85b12af 100644
########################################
#
# Postfix map local policy
-@@ -329,7 +402,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -329,7 +398,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -48940,7 +49054,7 @@ index a1e0f60..85b12af 100644
corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_generic_if(postfix_map_t)
corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +420,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+@@ -348,7 +416,6 @@ corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
files_read_usr_files(postfix_map_t)
@@ -48948,7 +49062,7 @@ index a1e0f60..85b12af 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -356,8 +427,6 @@ auth_use_nsswitch(postfix_map_t)
+@@ -356,8 +423,6 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -48957,7 +49071,7 @@ index a1e0f60..85b12af 100644
optional_policy(`
locallogin_dontaudit_use_fds(postfix_map_t)
')
-@@ -379,18 +448,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +444,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -48983,7 +49097,7 @@ index a1e0f60..85b12af 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +476,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +472,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -48992,7 +49106,7 @@ index a1e0f60..85b12af 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +497,7 @@ optional_policy(`
+@@ -420,6 +493,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -49000,7 +49114,7 @@ index a1e0f60..85b12af 100644
')
optional_policy(`
-@@ -436,11 +514,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +510,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -49018,7 +49132,7 @@ index a1e0f60..85b12af 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +571,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +567,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -49029,7 +49143,7 @@ index a1e0f60..85b12af 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +603,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +599,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -49042,7 +49156,7 @@ index a1e0f60..85b12af 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +627,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +623,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -49053,7 +49167,7 @@ index a1e0f60..85b12af 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +648,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +644,12 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -49066,7 +49180,7 @@ index a1e0f60..85b12af 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +661,14 @@ optional_policy(`
+@@ -565,6 +657,14 @@ optional_policy(`
')
optional_policy(`
@@ -49081,7 +49195,7 @@ index a1e0f60..85b12af 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +685,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +681,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -49108,7 +49222,7 @@ index a1e0f60..85b12af 100644
')
optional_policy(`
-@@ -599,6 +711,11 @@ optional_policy(`
+@@ -599,6 +707,11 @@ optional_policy(`
')
optional_policy(`
@@ -49120,7 +49234,7 @@ index a1e0f60..85b12af 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +728,6 @@ optional_policy(`
+@@ -611,7 +724,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -49128,7 +49242,7 @@ index a1e0f60..85b12af 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +738,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +734,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
@@ -49136,7 +49250,7 @@ index a1e0f60..85b12af 100644
files_read_usr_files(postfix_virtual_t)
mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +745,76 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +741,80 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -49206,6 +49320,10 @@ index a1e0f60..85b12af 100644
+userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
+
+optional_policy(`
++ mysql_stream_connect(postfix_domain)
++')
++
++optional_policy(`
+ spamd_stream_connect(postfix_domain)
+ spamassassin_domtrans_client(postfix_domain)
+')
@@ -56117,7 +56235,7 @@ index 137605a..fd40b90 100644
+ ')
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 783f678..14193ca 100644
+index 783f678..62c40bb 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -29,6 +29,9 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -56130,7 +56248,7 @@ index 783f678..14193ca 100644
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -43,17 +46,36 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
+@@ -43,17 +46,40 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
@@ -56139,24 +56257,28 @@ index 783f678..14193ca 100644
+kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
++corenet_tcp_connect_http_port(rhsmcertd_t)
++
+files_list_tmp(rhsmcertd_t)
+
corecmd_exec_bin(rhsmcertd_t)
++corecmd_exec_shell(rhsmcertd_t)
+dev_read_rand(rhsmcertd_t)
dev_read_urand(rhsmcertd_t)
+dev_read_sysfs(rhsmcertd_t)
++dev_read_raw_memory(rhsmcertd_t)
files_read_etc_files(rhsmcertd_t)
files_read_usr_files(rhsmcertd_t)
+files_manage_generic_locks(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
-+
-+logging_send_syslog_msg(rhsmcertd_t)
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
++logging_send_syslog_msg(rhsmcertd_t)
++
+miscfiles_read_certs(rhsmcertd_t)
sysnet_dns_name_resolve(rhsmcertd_t)
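Review bot: `dev_read_raw_memory(rhsmcertd_t)` grants read access to the raw memory devices, which exposes kernel and other processes' memory to a certificate-renewal daemon that, in this same hunk, also gains `corecmd_exec_shell` and an outbound HTTP connection. If the access is for hardware identification (reading DMI tables), that should be stated in a comment beside the rule so the grant can be revisited, e.g. `# reads DMI tables for system facts`; where the same data is available under /sys/firmware, the `dev_read_sysfs(rhsmcertd_t)` already present is the narrower path, and a dontaudit is the safer choice if the daemon only probes for the device and works without it.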
@@ -67817,7 +67939,7 @@ index 67b5592..ccddff5 100644
corenet_tcp_sendrecv_generic_if(timidity_t)
corenet_udp_sendrecv_generic_if(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index 0521d5a..4ad0788 100644
+index 0521d5a..b08a00a 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0)
@@ -67828,7 +67950,7 @@ index 0521d5a..4ad0788 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
-@@ -18,33 +19,47 @@ role system_r types tmpreaper_t;
+@@ -18,33 +19,48 @@ role system_r types tmpreaper_t;
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
@@ -67845,6 +67967,7 @@ index 0521d5a..4ad0788 100644
+files_delete_all_non_security_files(tmpreaper_t)
# why does it need setattr?
files_setattr_all_tmp_dirs(tmpreaper_t)
++files_setattr_isid_type_dirs(tmpreaper_t)
+files_setattr_usr_dirs(tmpreaper_t)
files_getattr_all_dirs(tmpreaper_t)
files_getattr_all_files(tmpreaper_t)
@@ -67882,7 +68005,7 @@ index 0521d5a..4ad0788 100644
')
optional_policy(`
-@@ -52,7 +67,9 @@ optional_policy(`
+@@ -52,7 +68,9 @@ optional_policy(`
')
optional_policy(`
@@ -67892,7 +68015,7 @@ index 0521d5a..4ad0788 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +83,17 @@ optional_policy(`
+@@ -66,9 +84,17 @@ optional_policy(`
')
optional_policy(`
@@ -71006,7 +71129,7 @@ index 6f0736b..408a20a 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 947bbc6..609bc32 100644
+index 947bbc6..12c15cb 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,104 @@ policy_module(virt, 1.5.0)
@@ -71363,7 +71486,7 @@ index 947bbc6..609bc32 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -202,19 +298,28 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -202,19 +298,29 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -71376,6 +71499,7 @@ index 947bbc6..609bc32 100644
-manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-logging_log_filetrans(virtd_t, virt_log_t, { file dir })
+manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
++allow virtd_t virt_image_type:dir setattr;
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
+allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
@@ -71398,7 +71522,7 @@ index 947bbc6..609bc32 100644
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -225,16 +330,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -225,16 +331,22 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -71422,7 +71546,7 @@ index 947bbc6..609bc32 100644
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
-@@ -247,22 +358,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +359,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -71456,7 +71580,7 @@ index 947bbc6..609bc32 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +390,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +391,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -71475,7 +71599,7 @@ index 947bbc6..609bc32 100644
mcs_process_set_categories(virtd_t)
-@@ -284,7 +416,8 @@ term_use_ptmx(virtd_t)
+@@ -284,7 +417,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -71485,7 +71609,7 @@ index 947bbc6..609bc32 100644
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +426,36 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +427,36 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -71522,7 +71646,7 @@ index 947bbc6..609bc32 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +474,10 @@ optional_policy(`
+@@ -322,6 +475,10 @@ optional_policy(`
')
optional_policy(`
@@ -71533,7 +71657,7 @@ index 947bbc6..609bc32 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +491,34 @@ optional_policy(`
+@@ -335,19 +492,34 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -71569,7 +71693,7 @@ index 947bbc6..609bc32 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +533,12 @@ optional_policy(`
+@@ -362,6 +534,12 @@ optional_policy(`
')
optional_policy(`
@@ -71582,7 +71706,7 @@ index 947bbc6..609bc32 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +546,11 @@ optional_policy(`
+@@ -369,11 +547,11 @@ optional_policy(`
')
optional_policy(`
@@ -71599,7 +71723,7 @@ index 947bbc6..609bc32 100644
')
optional_policy(`
-@@ -384,6 +561,7 @@ optional_policy(`
+@@ -384,6 +562,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -71607,7 +71731,7 @@ index 947bbc6..609bc32 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -402,35 +580,85 @@ optional_policy(`
+@@ -402,35 +581,85 @@ optional_policy(`
#
# virtual domains common policy
#
@@ -71702,7 +71826,7 @@ index 947bbc6..609bc32 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,34 +666,628 @@ dev_write_sound(virt_domain)
+@@ -438,34 +667,628 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 654ac5a..3ca075f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.1
-Release: 68%{?dist}
+Release: 69%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -524,6 +524,24 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jan 2 2013 Miroslav Grepl 3.11.1-69
+- Add systemd_status_all_unit_files() interface
+- Add support for nshadow
+- Allow sysadm_t to administrate the postfix domains
+- Add interface to setattr on isid directories for use by tmpreaper
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Add systemd_status_all_unit_files() interface
+- Add support for nshadow
+- Allow sysadm_t to administrate the postfix domains
+- Add interface to setattr on isid directories for use by tmpreaper
+- Allow sshd_t sys_admin for use with afs logins
+- Allow systemd to read/write all sysctls
+- Allow sshd_t sys_admin for use with afs logins
+- Add labeling for /var/named/chroot/etc/localtim
+
* Thu Dec 27 2012 Miroslav Grepl 3.11.1-68
- Allow setroubleshoot_fixit to execute rpm
- zoneminder needs to connect to httpd ports where remote cameras are listening