diff --git a/policy-F16.patch b/policy-F16.patch
index 7bcb0ec..da8f6b8 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1312,7 +1312,7 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..b8152bc 100644
+index 7090dae..1c6d379 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,9 +29,9 @@ files_type(logrotate_var_lib_t)
@@ -1351,7 +1351,15 @@ index 7090dae..b8152bc 100644
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
-@@ -102,6 +105,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -85,6 +88,7 @@ auth_use_nsswitch(logrotate_t)
+ # Run helper programs.
+ corecmd_exec_bin(logrotate_t)
+ corecmd_exec_shell(logrotate_t)
++corecmd_getattr_all_executables(logrotate_t)
+
+ domain_signal_all_domains(logrotate_t)
+ domain_use_interactive_fds(logrotate_t)
+@@ -102,6 +106,7 @@ files_read_var_lib_files(logrotate_t)
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
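Review bot: `corecmd_getattr_all_executables(logrotate_t)` is placed under the `# Run helper programs.` comment, but that comment explains the exec rules and says nothing about why logrotate needs getattr on every executable type on the system, which is wider than the bin/shell exec it already has. A one-line why-comment directly above the rule would keep it auditable, e.g. `# getattr on all executables: <reason — fill in from the denial this fixes>`. If only one specific helper triggers the denial, a narrower interface for that helper's type would be the tighter choice; whether one exists cannot be told from here.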
@@ -1359,7 +1367,7 @@ index 7090dae..b8152bc 100644
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -116,17 +120,16 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +121,17 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
@@ -1376,6 +1384,7 @@ index 7090dae..b8152bc 100644
-
-mta_send_mail(logrotate_t)
+userdom_dontaudit_list_admin_dir(logrotate_t)
++userdom_dontaudit_getattr_user_home_content(logrotate_t)
ifdef(`distro_debian', `
- allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
@@ -1383,7 +1392,7 @@ index 7090dae..b8152bc 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +143,7 @@ ifdef(`distro_debian', `
')
optional_policy(`
@@ -1392,7 +1401,7 @@ index 7090dae..b8152bc 100644
')
optional_policy(`
-@@ -154,6 +157,10 @@ optional_policy(`
+@@ -154,6 +159,10 @@ optional_policy(`
')
optional_policy(`
@@ -1403,7 +1412,7 @@ index 7090dae..b8152bc 100644
asterisk_domtrans(logrotate_t)
')
-@@ -162,10 +169,20 @@ optional_policy(`
+@@ -162,10 +171,20 @@ optional_policy(`
')
optional_policy(`
@@ -1424,7 +1433,7 @@ index 7090dae..b8152bc 100644
cups_domtrans(logrotate_t)
')
-@@ -178,6 +195,10 @@ optional_policy(`
+@@ -178,6 +197,10 @@ optional_policy(`
')
optional_policy(`
@@ -1435,7 +1444,7 @@ index 7090dae..b8152bc 100644
icecast_signal(logrotate_t)
')
-@@ -200,9 +221,12 @@ optional_policy(`
+@@ -200,9 +223,12 @@ optional_policy(`
')
optional_policy(`
@@ -1449,7 +1458,7 @@ index 7090dae..b8152bc 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -228,3 +252,14 @@ optional_policy(`
+@@ -228,3 +254,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -10704,11 +10713,12 @@ index 0000000..809784d
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..a53f663
+index 0000000..cab7eab
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,489 @@
+@@ -0,0 +1,492 @@
+policy_module(sandbox,1.0.0)
++
+dbus_stub()
+attribute sandbox_domain;
+attribute sandbox_x_domain;
@@ -10750,7 +10760,9 @@ index 0000000..a53f663
+#
+# sandbox xserver policy
+#
-+allow sandbox_xserver_t self:process { execmem execstack };
++
++allow sandbox_xserver_t self:process { execmem execstack signal_perms };
++
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
+allow sandbox_xserver_t self:shm create_shm_perms;
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
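Review bot: The blank line added on the second `++` line separates the `self:process` rule from the other `allow sandbox_xserver_t self:…` rules that directly follow it, while the rest of this block keeps the self rules contiguous. Dropping that added blank line (keeping only the one above the rule, after the header comment) would match the surrounding layout. `signal_perms` on self is the usual refpolicy spelling for a domain signalling its own processes, so the permission itself reads fine.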
@@ -25053,7 +25065,7 @@ index deca9d3..ae8c579 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..3f8a147 100644
+index 9e39aa5..5a10781 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,30 @@
@@ -25088,7 +25100,7 @@ index 9e39aa5..3f8a147 100644
/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -24,16 +33,17 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -24,16 +33,18 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -25109,11 +25121,12 @@ index 9e39aa5..3f8a147 100644
/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
-+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
++/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
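Review bot: The new `/usr/sbin/httpd\.event` entry duplicates the pattern on the line below it, which already allows an optional suffix; folding it in as `/usr/sbin/httpd(\.worker|\.event)? -- gen_context(system_u:object_r:httpd_exec_t,s0)` keeps one entry per binary family, the way the neighbouring `apache(2)?` entries are written. Either form labels the file identically, so this is a style point only. The cherokee line is rewritten as well and the difference is not visible in this rendering — presumably whitespace — so it is worth checking that rewrite is intentional.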
-@@ -43,8 +53,9 @@ ifdef(`distro_suse', `
+@@ -43,8 +54,9 @@ ifdef(`distro_suse', `
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -25125,7 +25138,7 @@ index 9e39aa5..3f8a147 100644
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -54,9 +65,11 @@ ifdef(`distro_suse', `
+@@ -54,9 +66,11 @@ ifdef(`distro_suse', `
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25137,7 +25150,7 @@ index 9e39aa5..3f8a147 100644
/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,20 +86,26 @@ ifdef(`distro_suse', `
+@@ -73,20 +87,26 @@ ifdef(`distro_suse', `
/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -25166,7 +25179,7 @@ index 9e39aa5..3f8a147 100644
ifdef(`distro_debian', `
/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -105,7 +124,27 @@ ifdef(`distro_debian', `
+@@ -105,7 +125,27 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -30285,10 +30298,10 @@ index 0000000..6451167
+')
diff --git a/policy/modules/services/cloudform.te b/policy/modules/services/cloudform.te
new file mode 100644
-index 0000000..54d3487
+index 0000000..e22a32e
--- /dev/null
+++ b/policy/modules/services/cloudform.te
-@@ -0,0 +1,227 @@
+@@ -0,0 +1,228 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -30385,6 +30398,7 @@ index 0000000..54d3487
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
+
++kernel_read_kernel_sysctls(deltacloudd_t)
+kernel_read_system_state(deltacloudd_t)
+
+corecmd_exec_bin(deltacloudd_t)
@@ -38465,7 +38479,7 @@ index 9d3201b..7da7267 100644
+ ftp_systemctl($1)
')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..cd27af1 100644
+index 8a74a83..94c1fed 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
@@ -38566,6 +38580,15 @@ index 8a74a83..cd27af1 100644
# Create and modify /var/log/xferlog.
manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
+@@ -177,7 +206,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
+-kernel_search_network_state(ftpd_t)
++kernel_read_network_state(ftpd_t)
+
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
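Review bot: Replacing `kernel_search_network_state(ftpd_t)` with `kernel_read_network_state(ftpd_t)` grants ftpd read access to the contents of /proc/net rather than only directory search, and the hunk gives no hint which entry ftpd actually reads. A comment naming the trigger would make the widening reviewable, e.g. `# read /proc/net/<entry — fill in from the AVC that motivated this>`. If it turns out ftpd needs a single entry, check whether a narrower kernel_* interface covers it before granting the whole of network state.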
@@ -45384,7 +45407,7 @@ index 343cee3..4099451 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
-index 64268e4..7ede790 100644
+index 64268e4..705498f 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -20,14 +20,16 @@ files_type(etc_aliases_t)
@@ -45438,7 +45461,7 @@ index 64268e4..7ede790 100644
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -79,9 +71,16 @@ selinux_getattr_fs(system_mail_t)
+@@ -79,9 +71,18 @@ selinux_getattr_fs(system_mail_t)
term_dontaudit_use_unallocated_ttys(system_mail_t)
init_use_script_ptys(system_mail_t)
@@ -45453,10 +45476,12 @@ index 64268e4..7ede790 100644
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
+
+logging_append_all_logs(system_mail_t)
++
++logging_send_syslog_msg(system_mail_t)
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
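Review bot: The new `logging_send_syslog_msg(system_mail_t)` is separated from `logging_append_all_logs(system_mail_t)` by an added blank line, whereas calls into the same module are normally kept together as one group in these files; dropping the `++` blank line so the two `logging_*` calls sit adjacent would match the rest of the file. The permission itself is the standard syslog-client interface and is fine.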
-@@ -92,14 +91,21 @@ optional_policy(`
+@@ -92,14 +93,21 @@ optional_policy(`
apache_dontaudit_rw_stream_sockets(system_mail_t)
apache_dontaudit_rw_tcp_sockets(system_mail_t)
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -45481,7 +45506,7 @@ index 64268e4..7ede790 100644
')
optional_policy(`
-@@ -108,9 +114,15 @@ optional_policy(`
+@@ -108,9 +116,15 @@ optional_policy(`
')
optional_policy(`
@@ -45497,7 +45522,7 @@ index 64268e4..7ede790 100644
')
optional_policy(`
-@@ -124,12 +136,9 @@ optional_policy(`
+@@ -124,12 +138,9 @@ optional_policy(`
')
optional_policy(`
@@ -45512,7 +45537,7 @@ index 64268e4..7ede790 100644
')
optional_policy(`
-@@ -146,6 +155,10 @@ optional_policy(`
+@@ -146,6 +157,10 @@ optional_policy(`
')
optional_policy(`
@@ -45523,7 +45548,7 @@ index 64268e4..7ede790 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -158,22 +171,13 @@ optional_policy(`
+@@ -158,22 +173,13 @@ optional_policy(`
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
domain_use_interactive_fds(system_mail_t)
@@ -45549,7 +45574,7 @@ index 64268e4..7ede790 100644
')
optional_policy(`
-@@ -189,6 +193,10 @@ optional_policy(`
+@@ -189,6 +195,10 @@ optional_policy(`
')
optional_policy(`
@@ -45560,7 +45585,7 @@ index 64268e4..7ede790 100644
smartmon_read_tmp_files(system_mail_t)
')
-@@ -199,15 +207,16 @@ optional_policy(`
+@@ -199,15 +209,16 @@ optional_policy(`
arpwatch_search_data(mailserver_delivery)
arpwatch_manage_tmp_files(mta_user_agent)
@@ -45581,7 +45606,7 @@ index 64268e4..7ede790 100644
########################################
#
# Mailserver delivery local policy
-@@ -220,7 +229,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,7 +231,8 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -45591,7 +45616,7 @@ index 64268e4..7ede790 100644
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-@@ -242,6 +252,10 @@ optional_policy(`
+@@ -242,6 +254,10 @@ optional_policy(`
')
optional_policy(`
@@ -45602,7 +45627,7 @@ index 64268e4..7ede790 100644
# so MTA can access /var/lib/mailman/mail/wrapper
files_search_var_lib(mailserver_delivery)
-@@ -249,16 +263,25 @@ optional_policy(`
+@@ -249,16 +265,25 @@ optional_policy(`
mailman_read_data_symlinks(mailserver_delivery)
')
@@ -45630,7 +45655,7 @@ index 64268e4..7ede790 100644
# Create dead.letter in user home directories.
userdom_manage_user_home_content_files(user_mail_t)
userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -277,14 +300,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,14 +302,14 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
# files in an appropriate place for mta_user_agent
userdom_read_user_tmp_files(mta_user_agent)
@@ -45647,7 +45672,7 @@ index 64268e4..7ede790 100644
# Read user temporary files.
# postfix seems to need write access if the file handle is opened read/write
userdom_rw_user_tmp_files(user_mail_t)
-@@ -292,3 +315,114 @@ optional_policy(`
+@@ -292,3 +317,114 @@ optional_policy(`
postfix_read_config(user_mail_t)
postfix_list_spool(user_mail_t)
')
@@ -51970,7 +51995,7 @@ index 09aeffa..f8a0d88 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 4a5387a..acf8ed1 100644
+index 4a5387a..b75ab1c 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,16 +19,16 @@ gen_require(`
@@ -51996,6 +52021,15 @@ index 4a5387a..acf8ed1 100644
##
gen_tunable(sepgsql_unconfined_dbadm, true)
+@@ -205,7 +205,7 @@ allow postgresql_t self:shm create_shm_perms;
+ allow postgresql_t self:tcp_socket create_stream_socket_perms;
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
++allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+
+ allow postgresql_t sepgsql_database_type:db_database *;
@@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
@@ -61310,7 +61344,7 @@ index 941380a..ce8c972 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..b231b96 100644
+index 8ffa257..d0c7e39 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -61327,7 +61361,7 @@ index 8ffa257..b231b96 100644
#
-allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+
-+allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin };
++allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
-allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:fifo_file rw_fifo_file_perms;
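Review bot: `sys_resource` joins an already long self capability set (`chown … net_admin … sys_admin …`) with no comment on what sssd does that requires it, and `sys_admin`/`sys_resource` are the capabilities a reviewer questions first. A comment above the rule, e.g. `# sys_resource: <what sssd does that needs it — fill in>`, would keep the list auditable. It may also be worth confirming from the triggering operation, not just the AVC, that the capability is genuinely required rather than avoidable.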
@@ -63424,7 +63458,7 @@ index 7c5d8d8..45bac8e 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..a1bc102 100644
+index 3eca020..2cd5679 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,81 @@ policy_module(virt, 1.4.0)
@@ -63990,7 +64024,7 @@ index 3eca020..a1bc102 100644
miscfiles_read_localization(virt_domain)
+tunable_policy(`virt_use_execmem',`
-+ allow virtd_t virt_domain:process { execmem execstack };
++ allow virt_domain virt_domain:process { execmem execstack };
+')
+
optional_policy(`
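Review bot: `allow virt_domain virt_domain:process { execmem execstack };` names the attribute as both source and target, which grants every virt_domain `execmem`/`execstack` on every other virt_domain's process object as well as on its own; since these permissions only ever apply to a domain's own process, the intended rule is `allow virt_domain self:process { execmem execstack };`, which is also the form refpolicy uses for such rules. The run-time effect is likely the same, but the `self` form states the intent and does not widen if further process permissions are added to this line later. The enclosing `tunable_policy` block is fully inside the hunk.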
@@ -67177,7 +67211,7 @@ index c9981d1..d0931f9 100644
corenet_sendrecv_zabbix_agent_client_packets($1)
diff --git a/policy/modules/services/zabbix.te b/policy/modules/services/zabbix.te
-index 7f88f5f..7d8a06e 100644
+index 7f88f5f..67a111c 100644
--- a/policy/modules/services/zabbix.te
+++ b/policy/modules/services/zabbix.te
@@ -5,6 +5,13 @@ policy_module(zabbix, 1.3.1)
@@ -67235,7 +67269,7 @@ index 7f88f5f..7d8a06e 100644
# shared memory
rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,25 +75,55 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -58,25 +75,54 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
@@ -67266,8 +67300,7 @@ index 7f88f5f..7d8a06e 100644
zabbix_agent_tcp_connect(zabbix_t)
+tunable_policy(`zabbix_can_network',`
-+ corenet_tcp_connect_all_unreserved_ports(zabbix_t)
-+ corenet_tcp_connect_all_ephemeral_ports(zabbix_t)
++ corenet_tcp_connect_all_ports(zabbix_t)
+')
+
optional_policy(`
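Review bot: Collapsing `connect_all_unreserved_ports`/`connect_all_ephemeral_ports` into `corenet_tcp_connect_all_ports(zabbix_t)` also admits the reserved range and every named port type, so the `zabbix_can_network` boolean now means considerably more than before. The tunable's description (presumably added by the earlier hunk of this file, not shown here) should state that it allows connections to any TCP port, and a comment above the call would help: `# all ports, not only unreserved: <reason — fill in>`. If the goal was a few additional destination ports, the per-port `corenet_tcp_connect_*_port` interfaces would keep the boolean narrow.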
@@ -67293,7 +67326,7 @@ index 7f88f5f..7d8a06e 100644
########################################
#
# zabbix agent local policy
-@@ -134,3 +181,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
+@@ -134,3 +180,4 @@ sysnet_dns_name_resolve(zabbix_agent_t)
# Network access to zabbix server
zabbix_tcp_connect(zabbix_agent_t)
@@ -70695,7 +70728,7 @@ index 0d4c8d3..9d66bf7 100644
########################################
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 55a6cd8..2af2952 100644
+index 55a6cd8..46835a9 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -80,6 +80,8 @@ allow ipsec_t self:udp_socket create_socket_perms;
@@ -70707,7 +70740,7 @@ index 55a6cd8..2af2952 100644
allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
-@@ -128,13 +130,13 @@ corecmd_exec_bin(ipsec_t)
+@@ -128,19 +130,21 @@ corecmd_exec_bin(ipsec_t)
# Pluto needs network access
corenet_all_recvfrom_unlabeled(ipsec_t)
@@ -70727,7 +70760,15 @@ index 55a6cd8..2af2952 100644
corenet_tcp_bind_reserved_port(ipsec_t)
corenet_tcp_bind_isakmp_port(ipsec_t)
corenet_udp_bind_isakmp_port(ipsec_t)
-@@ -156,6 +158,8 @@ files_dontaudit_search_home(ipsec_t)
+ corenet_udp_bind_ipsecnat_port(ipsec_t)
+ corenet_sendrecv_generic_server_packets(ipsec_t)
+ corenet_sendrecv_isakmp_server_packets(ipsec_t)
++corenet_tcp_connect_http_port(ipsec_t)
++corenet_tcp_connect_ldap_port(ipsec_t)
+
+ dev_read_sysfs(ipsec_t)
+ dev_read_rand(ipsec_t)
+@@ -156,6 +160,8 @@ files_dontaudit_search_home(ipsec_t)
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
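Review bot: `corenet_tcp_connect_http_port(ipsec_t)` and `corenet_tcp_connect_ldap_port(ipsec_t)` are added without a comment saying what pluto fetches over HTTP and LDAP; a why-comment such as `# outbound http/ldap: <purpose — fill in; certificate or CRL retrieval? confirm>` would keep the outbound surface explained. The neighbouring lines pair port rules with `corenet_sendrecv_*_packets` interfaces; if this file follows that convention, `corenet_sendrecv_http_client_packets(ipsec_t)` and `corenet_sendrecv_ldap_client_packets(ipsec_t)` would be the matching additions.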
@@ -70736,7 +70777,7 @@ index 55a6cd8..2af2952 100644
term_use_console(ipsec_t)
term_dontaudit_use_all_ttys(ipsec_t)
-@@ -169,6 +173,8 @@ logging_send_syslog_msg(ipsec_t)
+@@ -169,6 +175,8 @@ logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@@ -70745,7 +70786,7 @@ index 55a6cd8..2af2952 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -245,6 +251,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
+@@ -245,6 +253,19 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -70765,7 +70806,7 @@ index 55a6cd8..2af2952 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -277,9 +296,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
+@@ -277,9 +298,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -70777,7 +70818,7 @@ index 55a6cd8..2af2952 100644
init_read_utmp(ipsec_mgmt_t)
init_use_script_ptys(ipsec_mgmt_t)
-@@ -297,7 +317,7 @@ sysnet_manage_config(ipsec_mgmt_t)
+@@ -297,7 +319,7 @@ sysnet_manage_config(ipsec_mgmt_t)
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
sysnet_etc_filetrans_config(ipsec_mgmt_t)
@@ -70786,7 +70827,7 @@ index 55a6cd8..2af2952 100644
optional_policy(`
consoletype_exec(ipsec_mgmt_t)
-@@ -324,10 +344,6 @@ optional_policy(`
+@@ -324,10 +346,6 @@ optional_policy(`
modutils_domtrans_insmod(ipsec_mgmt_t)
')
@@ -70797,7 +70838,7 @@ index 55a6cd8..2af2952 100644
ifdef(`TODO',`
# ideally it would not need this. It wants to write to /root/.rnd
file_type_auto_trans(ipsec_mgmt_t, sysadm_home_dir_t, sysadm_home_t, file)
-@@ -377,12 +393,12 @@ corecmd_exec_shell(racoon_t)
+@@ -377,12 +395,12 @@ corecmd_exec_shell(racoon_t)
corecmd_exec_bin(racoon_t)
corenet_all_recvfrom_unlabeled(racoon_t)
@@ -70816,7 +70857,7 @@ index 55a6cd8..2af2952 100644
corenet_udp_bind_isakmp_port(racoon_t)
corenet_udp_bind_ipsecnat_port(racoon_t)
-@@ -411,6 +427,8 @@ miscfiles_read_localization(racoon_t)
+@@ -411,6 +429,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@@ -70825,7 +70866,7 @@ index 55a6cd8..2af2952 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -448,5 +466,6 @@ miscfiles_read_localization(setkey_t)
+@@ -448,5 +468,6 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
@@ -71013,7 +71054,7 @@ index f3e1b57..d7fd7fb 100644
')
diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
-index 14d9670..56960ca 100644
+index 14d9670..57d9b88 100644
--- a/policy/modules/system/iscsi.fc
+++ b/policy/modules/system/iscsi.fc
@@ -1,7 +1,12 @@
@@ -71026,7 +71067,7 @@ index 14d9670..56960ca 100644
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
+
/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
-+/var/log/iscsiuio\.log.* gen_context(system_u:object_r:iscsi_log_t,s0)
++/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
+
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
@@ -71928,7 +71969,7 @@ index a0b379d..bf90918 100644
- nscd_socket_use(sulogin_t)
-')
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 02f4c97..cd16709 100644
+index 02f4c97..7470a2e 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,13 @@
@@ -71954,7 +71995,16 @@ index 02f4c97..cd16709 100644
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-@@ -73,4 +80,8 @@ ifdef(`distro_redhat',`
+@@ -54,6 +61,8 @@ ifndef(`distro_gentoo',`
+ ifdef(`distro_redhat',`
+ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+ /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
++/var/spool/postfix/dev -d gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/postfix/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+ ')
+
+ /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+@@ -73,4 +82,8 @@ ifdef(`distro_redhat',`
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
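Review bot: `/var/spool/postfix/dev -d` is labelled `var_log_t` while the rest of the postfix spool is presumably labelled by the postfix module, and the hunk leaves the reader to guess why a directory under the spool carries a log label; a short comment would help, e.g. `# postfix chroot: dev/log socket created there by the syslog daemon — <confirm>`. The pair mirrors the `/var/named/chroot/…` lines directly above, so the placement inside the `distro_redhat` block is consistent. Check that these two paths do not also match an entry in postfix.fc with a different label, since overlapping file_contexts entries are easy to miss.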
@@ -77681,7 +77731,7 @@ index db75976..ce61aed 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 4b2878a..e03d9fb 100644
+index 4b2878a..88476fe 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -78515,15 +78565,22 @@ index 4b2878a..e03d9fb 100644
')
')
-@@ -712,13 +875,26 @@ template(`userdom_login_user_template', `
+@@ -708,17 +871,33 @@ template(`userdom_common_user_template',`
+ template(`userdom_login_user_template', `
+ gen_require(`
+ class context contains;
++ attribute login_userdomain;
+ ')
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
-+ userdom_manage_home_role($1_r, $1_usertype)
++ typeattribute $1_t login_userdomain;
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_home_role($1_r, $1_usertype)
++
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
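Review bot: `typeattribute $1_t login_userdomain;` together with the new `attribute login_userdomain;` in `gen_require` assumes the attribute is declared in userdomain.te, and that declaration is not in any hunk shown here — worth confirming it is part of this patch, since `gen_require` only references an attribute and does not declare it. The rest of the template body continues past the end of this hunk. Placing the typeattribute right after the base template, before the role interfaces, is consistent with how `userdom_restricted_user_template` places its `typeattribute $1_t unpriv_userdomain;` later in this file.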
@@ -78547,7 +78604,7 @@ index 4b2878a..e03d9fb 100644
userdom_change_password_template($1)
-@@ -736,72 +912,80 @@ template(`userdom_login_user_template', `
+@@ -736,72 +915,80 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -78661,7 +78718,7 @@ index 4b2878a..e03d9fb 100644
')
')
-@@ -833,6 +1017,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1020,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -78671,7 +78728,7 @@ index 4b2878a..e03d9fb 100644
##############################
#
# Local policy
-@@ -874,45 +1061,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1064,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -78740,37 +78797,36 @@ index 4b2878a..e03d9fb 100644
+ dbus_role_template($1, $1_r, $1_usertype)
+ dbus_system_bus_client($1_usertype)
+ allow $1_usertype $1_usertype:dbus send_msg;
-+
-+ optional_policy(`
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
-+ ')
+ ')
+
+ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat($1_t)
++ ')
++
++ optional_policy(`
+ fprintd_dbus_chat($1_t)
- ')
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
++ ')
++ ')
++
++ optional_policy(`
+ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
@@ -78782,9 +78838,10 @@ index 4b2878a..e03d9fb 100644
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ rtkit_scheduled($1_usertype)
')
@@ -78801,7 +78858,7 @@ index 4b2878a..e03d9fb 100644
')
')
-@@ -947,7 +1207,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1210,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -78810,7 +78867,7 @@ index 4b2878a..e03d9fb 100644
userdom_common_user_template($1)
##############################
-@@ -956,12 +1216,15 @@ template(`userdom_unpriv_user_template', `
+@@ -956,12 +1219,15 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -78828,7 +78885,7 @@ index 4b2878a..e03d9fb 100644
files_read_kernel_symbol_table($1_t)
ifndef(`enable_mls',`
-@@ -978,23 +1241,72 @@ template(`userdom_unpriv_user_template', `
+@@ -978,23 +1244,72 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -78879,11 +78936,9 @@ index 4b2878a..e03d9fb 100644
+
+ optional_policy(`
+ gpm_stream_connect($1_usertype)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ execmem_role_template($1, $1_r, $1_t)
+ ')
+
@@ -78902,15 +78957,17 @@ index 4b2878a..e03d9fb 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1003,7 +1315,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1003,7 +1318,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -78921,7 +78978,7 @@ index 4b2878a..e03d9fb 100644
')
')
-@@ -1039,7 +1353,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1356,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -78930,7 +78987,7 @@ index 4b2878a..e03d9fb 100644
')
##############################
-@@ -1066,6 +1380,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1383,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -78938,7 +78995,7 @@ index 4b2878a..e03d9fb 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1389,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1392,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -78948,7 +79005,7 @@ index 4b2878a..e03d9fb 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1406,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1409,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -78956,7 +79013,7 @@ index 4b2878a..e03d9fb 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1424,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1427,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -78970,7 +79027,7 @@ index 4b2878a..e03d9fb 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,29 +1441,38 @@ template(`userdom_admin_user_template',`
+@@ -1119,29 +1444,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -79013,7 +79070,7 @@ index 4b2878a..e03d9fb 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1151,6 +1482,8 @@ template(`userdom_admin_user_template',`
+@@ -1151,6 +1485,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -79022,7 +79079,7 @@ index 4b2878a..e03d9fb 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1210,6 +1543,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1546,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -79031,7 +79088,7 @@ index 4b2878a..e03d9fb 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,8 +1557,9 @@ template(`userdom_security_admin_template',`
+@@ -1222,8 +1560,9 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -79042,7 +79099,7 @@ index 4b2878a..e03d9fb 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1234,13 +1570,24 @@ template(`userdom_security_admin_template',`
+@@ -1234,13 +1573,24 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -79071,7 +79128,7 @@ index 4b2878a..e03d9fb 100644
')
optional_policy(`
-@@ -1251,12 +1598,12 @@ template(`userdom_security_admin_template',`
+@@ -1251,12 +1601,12 @@ template(`userdom_security_admin_template',`
dmesg_exec($1)
')
@@ -79087,7 +79144,7 @@ index 4b2878a..e03d9fb 100644
')
optional_policy(`
-@@ -1279,50 +1626,99 @@ template(`userdom_security_admin_template',`
+@@ -1279,49 +1629,98 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -79156,7 +79213,6 @@ index 4b2878a..e03d9fb 100644
')
- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
--')
+ typeattribute $1 user_tmpfs_type;
+
+ files_tmpfs_file($1)
@@ -79198,11 +79254,10 @@ index 4b2878a..e03d9fb 100644
+ ')
+
+ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
-+')
+ ')
########################################
- ##
@@ -81291,7 +81346,14 @@ index 9b4a930..d6c3860 100644 ## Allow w to display everyone ##
##