diff --git a/policy-F16.patch b/policy-F16.patch index f2b98da..1423ae9 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -60210,14 +60210,60 @@ index e0791b9..9f49d01 100644 + term_dontaudit_use_all_ptys(traceroute_t) +') diff --git a/policy/modules/admin/passenger.if b/policy/modules/admin/passenger.if -index f68b573..59ee69c 100644 +index f68b573..30b3188 100644 --- a/policy/modules/admin/passenger.if +++ b/policy/modules/admin/passenger.if -@@ -37,3 +37,25 @@ interface(`passenger_read_lib_files',` +@@ -18,6 +18,24 @@ interface(`passenger_domtrans',` + domtrans_pattern($1, passenger_exec_t, passenger_t) + ') + ++###################################### ++## ++## Execute passenger in the current domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`passenger_exec',` ++ gen_require(` ++ type passenger_exec_t; ++ ') ++ ++ can_exec($1, passenger_exec_t) ++') ++ + ######################################## + ## + ## Read passenger lib files +@@ -37,3 +55,46 @@ interface(`passenger_read_lib_files',` read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) files_search_var_lib($1) ') + ++######################################## ++## ++## Manage passenger lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`passenger_manage_lib_files',` ++ gen_require(` ++ type passenger_var_lib_t; ++ ') ++ ++ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t) ++ files_search_var_lib($1) ++') ++ +##################################### +## +## Manage passenger var_run content. @@ -63752,10 +63798,10 @@ index 00a19e3..3681873 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) 
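Review bot: The new `passenger_exec` interface in passenger.if documents its parameter as `Domain allowed to transition.`, but its body is `can_exec($1, passenger_exec_t)`, which runs the passenger binary in the caller's own domain with no transition at all, so the wording looks copied from `passenger_domtrans` and misstates what the caller gets. It should read `## Domain allowed access.`, matching the `passenger_manage_lib_files` interface added in the same hunk. Since a caller of this interface keeps every privilege of its own domain while running passenger code, the summary should make that explicit too: `## Execute passenger in the current domain (no domain transition).`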
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..c33e026 100644 +index f5afe78..2111004 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,920 @@ +@@ -1,44 +1,899 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -63917,27 +63963,6 @@ index f5afe78..c33e026 100644 + +######################################## +## -+## Connect to gkeyringd with a unix stream socket. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`gnome_stream_connect_all_gkeyringd',` -+ gen_require(` -+ attribute gkeyringd_domain; -+ type gkeyringd_tmp_t; -+ type gconf_tmp_t; -+ ') -+ -+ allow $1 gconf_tmp_t:dir search_dir_perms; -+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain) -+') -+ -+######################################## -+## +## Run gconfd in gconfd domain. +## +## @@ -64694,7 +64719,7 @@ index f5afe78..c33e026 100644 ## ## ## -@@ -46,37 +922,92 @@ interface(`gnome_role',` +@@ -46,37 +901,92 @@ interface(`gnome_role',` ## ## # @@ -64798,7 +64823,7 @@ index f5afe78..c33e026 100644 ## ## ## -@@ -84,37 +1015,53 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +994,53 @@ template(`gnome_read_gconf_config',` ## ## # @@ -64863,7 +64888,7 @@ index f5afe78..c33e026 100644 ## ## ## -@@ -122,17 +1069,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +1048,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -64885,7 +64910,7 @@ index f5afe78..c33e026 100644 ## ## ## -@@ -140,51 +1087,301 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +1066,301 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -71484,7 +71509,7 @@ index 223ad43..d95e720 100644 rsync_exec(yam_t) ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 3fae11a..cf3cf20 100644 +index 3fae11a..d0282f6 100644 --- a/policy/modules/kernel/corecommands.fc 
+++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ @@ -71751,7 +71776,7 @@ index 3fae11a..cf3cf20 100644 ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -306,10 +350,11 @@ ifdef(`distro_redhat', ` +@@ -306,10 +350,12 @@ ifdef(`distro_redhat', ` /etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0) /etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0) @@ -71762,10 +71787,11 @@ index 3fae11a..cf3cf20 100644 -/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/nfs-utils/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib/tuned/powersave/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -319,9 +364,11 @@ ifdef(`distro_redhat', ` +@@ -319,9 +365,11 @@ ifdef(`distro_redhat', ` /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -71777,7 +71803,7 @@ index 3fae11a..cf3cf20 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -363,20 +410,21 @@ ifdef(`distro_redhat', ` +@@ -363,20 +411,21 @@ ifdef(`distro_redhat', ` ifdef(`distro_suse', ` /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) 
@@ -71803,7 +71829,7 @@ index 3fae11a..cf3cf20 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -385,3 +433,13 @@ ifdef(`distro_suse', ` +@@ -385,3 +434,13 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -76008,7 +76034,7 @@ index c19518a..04ef731 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..0833750 100644 +index ff006ea..a8c0e34 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -77584,7 +77610,7 @@ index ff006ea..0833750 100644 ') ######################################## -@@ -6117,3 +6899,320 @@ interface(`files_unconfined',` +@@ -6117,3 +6899,324 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -77744,7 +77770,11 @@ index ff006ea..0833750 100644 +## Domain allowed access. +## +## -+## ++## ++## ++## Object type. ++## ++## +# +interface(`files_rw_all_inherited_files',` + gen_require(` @@ -84068,7 +84098,7 @@ index c0f858d..10a0cd6 100644 + allow $1 accountsd_unit_file_t:service all_service_perms; ') diff --git a/policy/modules/services/accountsd.te b/policy/modules/services/accountsd.te -index 1632f10..3d2ca4c 100644 +index 1632f10..1204d7f 100644 --- a/policy/modules/services/accountsd.te +++ b/policy/modules/services/accountsd.te @@ -1,5 +1,9 @@ @@ -84126,12 +84156,13 @@ index 1632f10..3d2ca4c 100644 miscfiles_read_localization(accountsd_t) -@@ -55,3 +70,8 @@ optional_policy(` +@@ -55,3 +70,9 @@ optional_policy(` optional_policy(` policykit_dbus_chat(accountsd_t) ') + +optional_policy(` ++ xserver_read_state_xdm(accountsd_t) + xserver_dbus_chat_xdm(accountsd_t) + xserver_manage_xdm_etc_files(accountsd_t) +') 
@@ -85487,10 +85518,10 @@ index 6480167..4fc1968 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index 3136c6a..0a79c81 100644 +index 3136c6a..639f834 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te -@@ -18,136 +18,240 @@ policy_module(apache, 2.2.1) +@@ -18,136 +18,247 @@ policy_module(apache, 2.2.1) # Declarations # @@ -85696,6 +85727,13 @@ index 3136c6a..0a79c81 100644 + +## +##

++## Allow Apache to run in stickshift mode, not transition to passenger ++##

++##
++gen_tunable(httpd_run_stickshift, false) ++ ++## ++##

+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. +##

##
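Review bot: The summary for the new `httpd_run_stickshift` tunable, `Allow Apache to run in stickshift mode, not transition to passenger`, tells an administrator nothing about what enabling it costs, and "stickshift" is not defined anywhere in the hunk. Because the effect is that passenger runs inside httpd_t instead of a separate confined domain, the description should say so and warn that httpd_t keeps extra privileges while it is on; e.g. `## Allow Apache to run passenger in the httpd_t domain (stickshift mode) instead of transitioning to passenger_t. Enabling this gives httpd_t additional capabilities and write access to passenger library files.` The exact privileges granted are in a separate hunk of apache.te, so the wording should be checked against that rule set.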
@@ -85787,7 +85825,7 @@ index 3136c6a..0a79c81 100644 attribute httpd_script_exec_type; attribute httpd_user_script_exec_type; -@@ -166,7 +270,7 @@ files_type(httpd_cache_t) +@@ -166,7 +277,7 @@ files_type(httpd_cache_t) # httpd_config_t is the type given to the configuration files type httpd_config_t; @@ -85796,7 +85834,7 @@ index 3136c6a..0a79c81 100644 type httpd_helper_t; type httpd_helper_exec_t; -@@ -177,6 +281,9 @@ role system_r types httpd_helper_t; +@@ -177,6 +288,9 @@ role system_r types httpd_helper_t; type httpd_initrc_exec_t; init_script_file(httpd_initrc_exec_t) @@ -85806,7 +85844,7 @@ index 3136c6a..0a79c81 100644 type httpd_lock_t; files_lock_file(httpd_lock_t) -@@ -216,7 +323,21 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +330,21 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -85829,7 +85867,7 @@ index 3136c6a..0a79c81 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +347,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +354,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -85840,7 +85878,7 @@ index 3136c6a..0a79c81 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +358,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +365,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; 
@@ -85848,7 +85886,7 @@ index 3136c6a..0a79c81 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -254,14 +380,23 @@ files_type(httpd_var_lib_t) +@@ -254,14 +387,23 @@ files_type(httpd_var_lib_t) type httpd_var_run_t; files_pid_file(httpd_var_run_t) @@ -85872,7 +85910,7 @@ index 3136c6a..0a79c81 100644 ######################################## # # Apache server local policy -@@ -281,11 +416,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -281,11 +423,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto }; allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow httpd_t self:tcp_socket create_stream_socket_perms; allow httpd_t self:udp_socket create_socket_perms; @@ -85886,7 +85924,7 @@ index 3136c6a..0a79c81 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -329,8 +466,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; +@@ -329,8 +473,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) @@ -85897,7 +85935,7 @@ index 3136c6a..0a79c81 100644 manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) -@@ -339,8 +477,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) +@@ -339,8 +484,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t) fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) 
@@ -85908,7 +85946,7 @@ index 3136c6a..0a79c81 100644 setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t) -@@ -355,6 +494,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +501,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -85918,7 +85956,7 @@ index 3136c6a..0a79c81 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,11 +507,16 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,11 +514,16 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -85936,7 +85974,7 @@ index 3136c6a..0a79c81 100644 dev_read_sysfs(httpd_t) dev_read_rand(httpd_t) -@@ -378,12 +525,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +532,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -85952,7 +85990,7 @@ index 3136c6a..0a79c81 100644 domain_use_interactive_fds(httpd_t) -@@ -391,6 +538,7 @@ files_dontaudit_getattr_all_pids(httpd_t) +@@ -391,6 +545,7 @@ files_dontaudit_getattr_all_pids(httpd_t) files_read_usr_files(httpd_t) files_list_mnt(httpd_t) files_search_spool(httpd_t) @@ -85960,7 +85998,7 @@ index 3136c6a..0a79c81 100644 files_read_var_lib_files(httpd_t) files_search_home(httpd_t) files_getattr_home_dir(httpd_t) -@@ -402,48 +550,101 @@ files_read_etc_files(httpd_t) +@@ -402,48 +557,101 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) 
@@ -86064,7 +86102,7 @@ index 3136c6a..0a79c81 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -456,25 +657,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,25 +664,55 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -86122,7 +86160,7 @@ index 3136c6a..0a79c81 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +715,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +722,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) @@ -86139,7 +86177,7 @@ index 3136c6a..0a79c81 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -499,9 +739,19 @@ tunable_policy(`httpd_ssi_exec',` +@@ -499,9 +746,19 @@ tunable_policy(`httpd_ssi_exec',` # to run correctly without this permission, so the permission # are dontaudited here. tunable_policy(`httpd_tty_comm',` @@ -86160,7 +86198,7 @@ index 3136c6a..0a79c81 100644 ') optional_policy(` -@@ -513,7 +763,13 @@ optional_policy(` +@@ -513,7 +770,13 @@ optional_policy(` ') optional_policy(` @@ -86175,7 +86213,7 @@ index 3136c6a..0a79c81 100644 ') optional_policy(` -@@ -528,7 +784,19 @@ optional_policy(` +@@ -528,7 +791,19 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -86196,7 +86234,7 @@ index 3136c6a..0a79c81 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +805,13 @@ optional_policy(` +@@ -537,8 +812,13 @@ optional_policy(` ') optional_policy(` @@ -86211,7 +86249,7 @@ index 3136c6a..0a79c81 100644 ') ') -@@ -556,7 +829,21 @@ optional_policy(` +@@ -556,7 +836,21 @@ optional_policy(` ') optional_policy(` 
@@ -86233,7 +86271,7 @@ index 3136c6a..0a79c81 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +854,7 @@ optional_policy(` +@@ -567,6 +861,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -86241,13 +86279,22 @@ index 3136c6a..0a79c81 100644 ') optional_policy(` -@@ -577,6 +865,20 @@ optional_policy(` +@@ -577,6 +872,29 @@ optional_policy(` ') optional_policy(` -+ passenger_domtrans(httpd_t) -+ passenger_manage_pid_content(httpd_t) -+ passenger_read_lib_files(httpd_t) ++ tunable_policy(`httpd_run_stickshift', ` ++ allow httpd_t self:capability sys_resource; ++ allow httpd_t self:capability { fowner fsetid }; ++ allow httpd_t self:process setexec; ++ passenger_exec(httpd_t) ++ passenger_manage_pid_content(httpd_t) ++ passenger_manage_lib_files(httpd_t) ++ ',` ++ passenger_domtrans(httpd_t) ++ passenger_manage_pid_content(httpd_t) ++ passenger_read_lib_files(httpd_t) ++ ') +') + +optional_policy(` @@ -86262,7 +86309,7 @@ index 3136c6a..0a79c81 100644 # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) postgresql_unpriv_client(httpd_t) -@@ -591,6 +893,11 @@ optional_policy(` +@@ -591,6 +909,11 @@ optional_policy(` ') optional_policy(` @@ -86274,7 +86321,7 @@ index 3136c6a..0a79c81 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +910,12 @@ optional_policy(` +@@ -603,6 +926,12 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -86287,7 +86334,7 @@ index 3136c6a..0a79c81 100644 ######################################## # # Apache helper local policy -@@ -616,7 +929,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; +@@ -616,7 +945,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms; logging_send_syslog_msg(httpd_helper_t) 
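Review bot: In the `httpd_run_stickshift` branch added to apache.te, httpd_t — a network-facing daemon — gains `setexec`, `fowner`, `fsetid` and `sys_resource` plus `passenger_manage_lib_files`, and runs passenger via `passenger_exec` with no domain transition, yet nothing says which operation needs `fowner`/`fsetid` (bypassing ownership checks and preserving setuid/setgid bits on files httpd writes). Each should carry a why-comment, e.g. `# stickshift: passenger runs in httpd_t; fowner/fsetid needed for <operation> - confirm against AVC denials`, and the two `self:capability` rules can be one line: `allow httpd_t self:capability { fowner fsetid sys_resource };`. `passenger_manage_pid_content(httpd_t)` appears in both branches of the `tunable_policy` and can be hoisted above it so it is unconditional and not duplicated. The enclosing `optional_policy` opens and closes within the hunk, but the rest of apache.te's httpd_t policy is outside it.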
@@ -86300,7 +86347,7 @@ index 3136c6a..0a79c81 100644 ######################################## # -@@ -654,28 +971,30 @@ libs_exec_lib_files(httpd_php_t) +@@ -654,28 +987,30 @@ libs_exec_lib_files(httpd_php_t) userdom_use_unpriv_users_fds(httpd_php_t) tunable_policy(`httpd_can_network_connect_db',` @@ -86344,7 +86391,7 @@ index 3136c6a..0a79c81 100644 ') ######################################## -@@ -685,6 +1004,8 @@ optional_policy(` +@@ -685,6 +1020,8 @@ optional_policy(` allow httpd_suexec_t self:capability { setuid setgid }; allow httpd_suexec_t self:process signal_perms; @@ -86353,7 +86400,7 @@ index 3136c6a..0a79c81 100644 allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms; domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) -@@ -699,17 +1020,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +1036,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -86379,7 +86426,7 @@ index 3136c6a..0a79c81 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,13 +1066,31 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,13 +1082,31 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -86412,7 +86459,7 @@ index 3136c6a..0a79c81 100644 fs_read_nfs_files(httpd_suexec_t) fs_read_nfs_symlinks(httpd_suexec_t) fs_exec_nfs_files(httpd_suexec_t) -@@ -769,6 +1113,25 @@ optional_policy(` +@@ -769,6 +1129,25 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') 
@@ -86438,7 +86485,7 @@ index 3136c6a..0a79c81 100644 ######################################## # # Apache system script local policy -@@ -789,12 +1152,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp +@@ -789,12 +1168,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp kernel_read_kernel_sysctls(httpd_sys_script_t) @@ -86456,7 +86503,7 @@ index 3136c6a..0a79c81 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,18 +1171,50 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,18 +1187,50 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -86513,7 +86560,7 @@ index 3136c6a..0a79c81 100644 corenet_tcp_sendrecv_all_ports(httpd_sys_script_t) corenet_udp_sendrecv_all_ports(httpd_sys_script_t) corenet_tcp_connect_all_ports(httpd_sys_script_t) -@@ -822,14 +1222,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` +@@ -822,14 +1238,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` ') tunable_policy(`httpd_enable_homedirs',` @@ -86544,7 +86591,7 @@ index 3136c6a..0a79c81 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,10 +1257,20 @@ optional_policy(` +@@ -842,10 +1273,20 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -86565,7 +86612,7 @@ index 3136c6a..0a79c81 100644 ') ######################################## -@@ -891,11 +1316,135 @@ optional_policy(` +@@ -891,11 +1332,135 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -87614,10 +87661,10 @@ index a7a0e71..3b01eed 100644 
diff --git a/policy/modules/services/bcfg2.fc b/policy/modules/services/bcfg2.fc new file mode 100644 -index 0000000..97fa279 +index 0000000..6befaac --- /dev/null +++ b/policy/modules/services/bcfg2.fc -@@ -0,0 +1,7 @@ +@@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0) + +/usr/lib/systemd/system/bcfg2-server.service -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0) @@ -87625,6 +87672,8 @@ index 0000000..97fa279 +/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0) + +/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) ++ ++/var/run/bcfg2-server\.pid -- gen_context(system_u:object_r:bcfg2_var_run_t,s0) diff --git a/policy/modules/services/bcfg2.if b/policy/modules/services/bcfg2.if new file mode 100644 index 0000000..e71ebe1 @@ -87818,10 +87867,10 @@ index 0000000..e71ebe1 +') diff --git a/policy/modules/services/bcfg2.te b/policy/modules/services/bcfg2.te new file mode 100644 -index 0000000..5fbce5c +index 0000000..7c301dc --- /dev/null +++ b/policy/modules/services/bcfg2.te -@@ -0,0 +1,47 @@ +@@ -0,0 +1,55 @@ +policy_module(bcfg2, 1.0.0) + +######################################## 
@@ -87842,17 +87891,25 @@ index 0000000..5fbce5c +type bcfg2_unit_file_t; +systemd_unit_file(bcfg2_unit_file_t) + ++type bcfg2_var_run_t; ++files_pid_file(bcfg2_var_run_t) ++ +######################################## +# +# bcfg2 local policy +# ++ +allow bcfg2_t self:fifo_file rw_fifo_file_perms; ++allow bcfg2_t self:tcp_socket create_stream_socket_perms; +allow bcfg2_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t) +manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t) +files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, { dir file }) + ++manage_files_pattern(bcfg2_t, bcfg2_var_run_t,bcfg2_var_run_t) ++files_pid_filetrans(bcfg2_t,bcfg2_var_run_t, { file }) ++ +kernel_read_system_state(bcfg2_t) + +corecmd_exec_bin(bcfg2_t) @@ -126128,7 +126185,7 @@ index 078bcd7..21ff471 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..6ec295a 100644 +index 22adaca..31b38b7 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ @@ -126331,7 +126388,7 @@ index 22adaca..6ec295a 100644 ') ######################################## -@@ -290,11 +323,11 @@ template(`ssh_server_template', ` +@@ -290,14 +323,15 @@ template(`ssh_server_template', ` ## User domain for the role ## ## @@ -126344,7 +126401,11 @@ index 22adaca..6ec295a 100644 type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t; type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t; type ssh_agent_tmp_t; -@@ -327,17 +360,20 @@ template(`ssh_role_template',` ++ type cache_home_t; + ') + + ############################## +@@ -327,17 +361,20 @@ template(`ssh_role_template',` # allow ps to show ssh ps_process_pattern($3, ssh_t) 
@@ -126366,8 +126427,11 @@ index 22adaca..6ec295a 100644 ############################## # -@@ -359,7 +395,7 @@ template(`ssh_role_template',` +@@ -357,9 +394,10 @@ template(`ssh_role_template',` + + # for ssh-add stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t) ++ stream_connect_pattern($3, cache_home_t, cache_home_t, $1_ssh_agent_t) # Allow the user shell to signal the ssh program. - allow $3 $1_ssh_agent_t:process signal; @@ -126375,7 +126439,7 @@ index 22adaca..6ec295a 100644 # allow ps to show ssh ps_process_pattern($3, $1_ssh_agent_t) -@@ -381,7 +417,6 @@ template(`ssh_role_template',` +@@ -381,7 +419,6 @@ template(`ssh_role_template',` files_read_etc_files($1_ssh_agent_t) files_read_etc_runtime_files($1_ssh_agent_t) @@ -126383,7 +126447,7 @@ index 22adaca..6ec295a 100644 libs_read_lib_files($1_ssh_agent_t) -@@ -393,28 +428,15 @@ template(`ssh_role_template',` +@@ -393,28 +430,15 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) # Write to the user domain tty. @@ -126415,7 +126479,7 @@ index 22adaca..6ec295a 100644 optional_policy(` nis_use_ypbind($1_ssh_agent_t) -@@ -464,6 +486,24 @@ interface(`ssh_signal',` +@@ -464,6 +488,24 @@ interface(`ssh_signal',` ######################################## ## @@ -126440,7 +126504,7 @@ index 22adaca..6ec295a 100644 ## Read a ssh server unnamed pipe. ## ## -@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',` +@@ -477,8 +519,27 @@ interface(`ssh_read_pipes',` type sshd_t; ') @@ -126469,7 +126533,7 @@ index 22adaca..6ec295a 100644 ######################################## ## ## Read and write a ssh server unnamed pipe. -@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',` +@@ -494,7 +555,7 @@ interface(`ssh_rw_pipes',` type sshd_t; ') @@ -126478,7 +126542,7 @@ index 22adaca..6ec295a 100644 ') ######################################## -@@ -586,6 +645,24 @@ interface(`ssh_domtrans',` +@@ -586,6 +647,24 @@ interface(`ssh_domtrans',` ######################################## ## 
@@ -126503,7 +126567,7 @@ index 22adaca..6ec295a 100644 ## Execute the ssh client in the caller domain. ## ## -@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',` +@@ -618,7 +697,7 @@ interface(`ssh_setattr_key_files',` type sshd_key_t; ') @@ -126512,7 +126576,7 @@ index 22adaca..6ec295a 100644 files_search_pids($1) ') -@@ -643,6 +720,42 @@ interface(`ssh_agent_exec',` +@@ -643,6 +722,42 @@ interface(`ssh_agent_exec',` ######################################## ## @@ -126555,7 +126619,7 @@ index 22adaca..6ec295a 100644 ## Read ssh home directory content ## ## -@@ -682,6 +795,50 @@ interface(`ssh_domtrans_keygen',` +@@ -682,6 +797,50 @@ interface(`ssh_domtrans_keygen',` ######################################## ## @@ -126606,7 +126670,7 @@ index 22adaca..6ec295a 100644 ## Read ssh server keys ## ## -@@ -695,7 +852,7 @@ interface(`ssh_dontaudit_read_server_keys',` +@@ -695,7 +854,7 @@ interface(`ssh_dontaudit_read_server_keys',` type sshd_key_t; ') @@ -126615,7 +126679,7 @@ index 22adaca..6ec295a 100644 ') ###################################### -@@ -735,3 +892,63 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +894,63 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') @@ -126680,7 +126744,7 @@ index 22adaca..6ec295a 100644 + userdom_user_home_dir_filetrans($1, ssh_home_t, dir, ".shosts") +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 2dad3c8..9a5c6a6 100644 +index 2dad3c8..007838e 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,26 +6,37 @@ policy_module(ssh, 2.2.0) @@ -126875,7 +126939,7 @@ index 2dad3c8..9a5c6a6 100644 ') optional_policy(` -+ gnome_stream_connect_all_gkeyringd(ssh_t) ++ gnome_stream_connect_gkeyringd(ssh_t) +') + +optional_policy(` 
@@ -127911,6 +127975,23 @@ index c842cad..037dd90 100644 domain_use_interactive_fds(tor_t) +diff --git a/policy/modules/services/tuned.fc b/policy/modules/services/tuned.fc +index 639c962..8488152 100644 +--- a/policy/modules/services/tuned.fc ++++ b/policy/modules/services/tuned.fc +@@ -1,8 +1,12 @@ + /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0) + ++/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0) ++/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0) ++ + /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0) + + /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0) + /var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0) + ++/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0) + /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff --git a/policy/modules/services/tuned.if b/policy/modules/services/tuned.if index 54b8605..a04f013 100644 --- a/policy/modules/services/tuned.if @@ -127953,19 +128034,53 @@ index 54b8605..a04f013 100644 admin_pattern($1, tuned_var_run_t) ') diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te -index db9d2a5..7f1a022 100644 +index db9d2a5..6f172ac 100644 --- a/policy/modules/services/tuned.te 
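Review bot: The new tuned.fc entry `/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)` has a typo in its regex: `(/.)?` matches only `/etc/tuned` itself and one-character names directly beneath it, so profile directories and their files would keep the default etc_t label and the tuned_etc_t read rules in tuned.te would not cover them. It should be `/etc/tuned(/.*)? gen_context(system_u:object_r:tuned_etc_t,s0)`, as written for `/var/run/tuned(/.*)?` a few lines below; the more specific `/etc/tuned/active_profile -- ... tuned_rw_etc_t` entry still takes precedence for that file.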
+++ b/policy/modules/services/tuned.te -@@ -24,6 +24,7 @@ files_pid_file(tuned_var_run_t) +@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t) + type tuned_initrc_exec_t; + init_script_file(tuned_initrc_exec_t) + ++type tuned_etc_t; ++files_config_file(tuned_etc_t) ++ ++type tuned_rw_etc_t; ++files_config_file(tuned_rw_etc_t) ++ + type tuned_log_t; + logging_log_file(tuned_log_t) + +@@ -23,23 +29,34 @@ files_pid_file(tuned_var_run_t) + # tuned local policy # ++allow tuned_t self:process signal; ++ dontaudit tuned_t self:capability { dac_override sys_tty_config }; +allow tuned_t self:fifo_file rw_fifo_file_perms; ++allow tuned_t self:udp_socket create_socket_perms; ++ ++read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) ++ ++manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t) -@@ -39,7 +40,7 @@ kernel_read_system_state(tuned_t) +-logging_log_filetrans(tuned_t, tuned_log_t, file) ++logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log") + + manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) +-files_pid_filetrans(tuned_t, tuned_var_run_t, file) ++manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) ++files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) + + corecmd_exec_shell(tuned_t) + corecmd_exec_bin(tuned_t) + + kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) ++kernel_rw_hotplug_sysctls(tuned_t) ++kernel_rw_vm_sysctls(tuned_t) dev_read_urand(tuned_t) -dev_read_sysfs(tuned_t) @@ -127973,7 +128088,7 @@ index db9d2a5..7f1a022 100644 # to allow cpu tuning dev_rw_netcontrol(tuned_t) -@@ -47,6 +48,8 @@ files_read_etc_files(tuned_t) +@@ -47,6 +64,8 @@ files_read_etc_files(tuned_t) files_read_usr_files(tuned_t) files_dontaudit_search_home(tuned_t) 
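Review bot: tuned.te now grants `manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)` to match the tuned_rw_etc_t label on `/etc/tuned/active_profile`, but there is no type transition for that directory, so if tuned recreates `active_profile` rather than truncating it in place the new file would be created as tuned_etc_t and later writes denied; add `filetrans_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t, file, "active_profile")` next to it. `kernel_rw_vm_sysctls(tuned_t)` and `kernel_rw_hotplug_sysctls(tuned_t)` are a notable widening for a daemon whose kernel access in this section was previously read-only; a short why-comment such as `# tuned profiles adjust vm.* and hotplug sysctls` would help the next reviewer. The tuned_t local policy continues beyond this hunk.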
@@ -127982,7 +128097,7 @@ index db9d2a5..7f1a022 100644 logging_send_syslog_msg(tuned_t) miscfiles_read_localization(tuned_t) -@@ -58,6 +61,10 @@ optional_policy(` +@@ -58,6 +77,10 @@ optional_policy(` fstools_domtrans(tuned_t) ') @@ -134475,7 +134590,7 @@ index 28ad538..bb13287 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 73554ec..dec450c 100644 +index 73554ec..8beee5b 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -57,6 +57,8 @@ interface(`auth_use_pam',` @@ -134922,7 +135037,7 @@ index 73554ec..dec450c 100644 ##
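Review bot: `manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)` lets tuned_t create files in tuned_etc_t directories, but nothing makes a newly created active_profile come out as tuned_rw_etc_t: without a type_transition the file inherits the directory's type tuned_etc_t, on which this hunk gives tuned_t only read access, so the write fails (or works only after a restorecon). A named transition next to the manage rule would close that gap, e.g. `filetrans_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t, file, "active_profile")`, matching the named transition this hunk already uses for tuned.log. The new `allow tuned_t self:udp_socket create_socket_perms;` also arrives without a comment; a one-liner saying what the socket is used for would help the next reviewer judge whether a narrower permission set suffices.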

## ## -@@ -1575,87 +1808,202 @@ interface(`auth_relabel_login_records',` +@@ -1575,87 +1808,204 @@ interface(`auth_relabel_login_records',` ## Domain allowed access. ##
## @@ -134961,6 +135076,7 @@ index 73554ec..dec450c 100644 + type shadow_t; + type passwd_file_t; + type faillog_t; ++ type lastlog_t; + type wtmp_t; + type pam_var_console_t; + type pam_var_run_t; @@ -134981,6 +135097,7 @@ index 73554ec..dec450c 100644 + files_etc_filetrans($1, shadow_t, file, "shadow-") + files_etc_filetrans($1, shadow_t, file, ".pwd.lock") + files_etc_filetrans($1, shadow_t, file, "gshadow") ++ logging_log_named_filetrans($1, lastlog_t, file, "lastlog") + logging_log_named_filetrans($1, faillog_t, file, "tallylog") + logging_log_named_filetrans($1, faillog_t, file, "faillog") + logging_log_named_filetrans($1, faillog_t, file, "btmp") @@ -136898,7 +137015,7 @@ index 94fd8dd..6acffdb 100644 + allow $1 init_t:system undefined; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index 29a9565..e2c5116 100644 +index 29a9565..59ba914 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -137295,7 +137412,7 @@ index 29a9565..e2c5116 100644 init_write_initctl(initrc_t) -@@ -258,20 +475,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +475,33 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -137315,6 +137432,7 @@ index 29a9565..e2c5116 100644 +files_manage_system_conf_files(initrc_t) + +fs_manage_tmpfs_dirs(initrc_t) ++fs_manage_tmpfs_symlinks(initrc_t) +fs_tmpfs_filetrans(initrc_t, initrc_state_t, file) corecmd_exec_all_executables(initrc_t) @@ -137332,7 +137450,7 @@ index 29a9565..e2c5116 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +508,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +509,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) 
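Review bot: `fs_manage_tmpfs_symlinks(initrc_t)` is added without a rationale, and it is broader than the tmpfs rules around it: initrc_t may now create, delete and relink any symlink in any tmpfs_t directory, not just the initrc_state_t content the neighbouring fs_tmpfs_filetrans covers. The changelog on this commit ties it to symlinks created on shutdown; that belongs beside the rule, e.g. `# shutdown scripts create/remove symlinks on tmpfs mounts`. If those symlinks land in a known location, a filetrans to a dedicated type would be a narrower grant than manage on all tmpfs_t symlinks.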
@@ -137340,7 +137458,7 @@ index 29a9565..e2c5116 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -289,8 +519,10 @@ dev_write_framebuffer(initrc_t) +@@ -289,8 +520,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -137351,7 +137469,7 @@ index 29a9565..e2c5116 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,17 +530,16 @@ dev_manage_generic_files(initrc_t) +@@ -298,17 +531,16 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -137371,7 +137489,7 @@ index 29a9565..e2c5116 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -316,6 +547,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +548,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) @@ -137379,7 +137497,7 @@ index 29a9565..e2c5116 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +555,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +556,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -137391,7 +137509,7 @@ index 29a9565..e2c5116 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +574,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +575,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -137405,7 +137523,7 @@ index 29a9565..e2c5116 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,9 +589,12 @@ fs_mount_all_fs(initrc_t) +@@ -351,9 +590,12 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -137419,7 +137537,7 @@ index 29a9565..e2c5116 100644 mcs_killall(initrc_t) mcs_process_set_categories(initrc_t) -@@ -363,6 +604,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +605,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -137427,7 +137545,7 @@ index 29a9565..e2c5116 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +616,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +617,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -137435,7 +137553,7 @@ index 29a9565..e2c5116 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +637,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +638,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -137457,7 +137575,7 @@ index 29a9565..e2c5116 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +700,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +701,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -137468,7 +137586,7 @@ index 29a9565..e2c5116 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +724,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +725,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd 
@@ -137477,7 +137595,7 @@ index 29a9565..e2c5116 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +739,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +740,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -137485,7 +137603,7 @@ index 29a9565..e2c5116 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -513,6 +760,7 @@ ifdef(`distro_redhat',` +@@ -513,6 +761,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -137493,7 +137611,7 @@ index 29a9565..e2c5116 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -522,8 +770,35 @@ ifdef(`distro_redhat',` +@@ -522,8 +771,35 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -137529,7 +137647,7 @@ index 29a9565..e2c5116 100644 ') optional_policy(` -@@ -531,14 +806,27 @@ ifdef(`distro_redhat',` +@@ -531,14 +807,27 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -137557,7 +137675,7 @@ index 29a9565..e2c5116 100644 ') ') -@@ -549,6 +837,39 @@ ifdef(`distro_suse',` +@@ -549,6 +838,39 @@ ifdef(`distro_suse',` ') ') @@ -137597,7 +137715,7 @@ index 29a9565..e2c5116 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +882,8 @@ optional_policy(` +@@ -561,6 +883,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -137606,7 +137724,7 @@ index 29a9565..e2c5116 100644 ') optional_policy(` -@@ -577,6 +900,7 @@ optional_policy(` +@@ -577,6 +901,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -137614,7 +137732,7 @@ index 29a9565..e2c5116 100644 ') optional_policy(` -@@ -589,6 +913,17 @@ optional_policy(` +@@ -589,6 +914,17 @@ optional_policy(` ') optional_policy(` 
@@ -137632,7 +137750,7 @@ index 29a9565..e2c5116 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +940,13 @@ optional_policy(` +@@ -605,9 +941,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -137646,7 +137764,7 @@ index 29a9565..e2c5116 100644 ') optional_policy(` -@@ -632,6 +971,10 @@ optional_policy(` +@@ -632,6 +972,10 @@ optional_policy(` ') optional_policy(` @@ -137657,7 +137775,7 @@ index 29a9565..e2c5116 100644 gpm_setattr_gpmctl(initrc_t) ') -@@ -649,6 +992,11 @@ optional_policy(` +@@ -649,6 +993,11 @@ optional_policy(` ') optional_policy(` @@ -137669,7 +137787,7 @@ index 29a9565..e2c5116 100644 inn_exec_config(initrc_t) ') -@@ -689,6 +1037,7 @@ optional_policy(` +@@ -689,6 +1038,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -137677,7 +137795,7 @@ index 29a9565..e2c5116 100644 ') optional_policy(` -@@ -706,7 +1055,13 @@ optional_policy(` +@@ -706,7 +1056,13 @@ optional_policy(` ') optional_policy(` @@ -137691,7 +137809,7 @@ index 29a9565..e2c5116 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1084,10 @@ optional_policy(` +@@ -729,6 +1085,10 @@ optional_policy(` ') optional_policy(` @@ -137702,7 +137820,7 @@ index 29a9565..e2c5116 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1097,20 @@ optional_policy(` +@@ -738,10 +1098,20 @@ optional_policy(` ') optional_policy(` @@ -137723,7 +137841,7 @@ index 29a9565..e2c5116 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1119,10 @@ optional_policy(` +@@ -750,6 +1120,10 @@ optional_policy(` ') optional_policy(` @@ -137734,7 +137852,7 @@ index 29a9565..e2c5116 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1144,6 @@ optional_policy(` +@@ -771,8 +1145,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -137743,7 +137861,7 @@ index 29a9565..e2c5116 100644 ') optional_policy(` -@@ -781,6 +1152,10 @@ optional_policy(` +@@ -781,6 +1153,10 @@ optional_policy(` ') optional_policy(` @@ -137754,7 +137872,7 @@ index 29a9565..e2c5116 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -790,10 +1165,12 @@ optional_policy(` +@@ -790,10 +1166,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -137767,7 +137885,7 @@ index 29a9565..e2c5116 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,7 +1182,6 @@ optional_policy(` +@@ -805,7 +1183,6 @@ optional_policy(` ') optional_policy(` @@ -137775,7 +137893,7 @@ index 29a9565..e2c5116 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -815,11 +1191,25 @@ optional_policy(` +@@ -815,11 +1192,25 @@ optional_policy(` ') optional_policy(` @@ -137802,7 +137920,7 @@ index 29a9565..e2c5116 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -829,6 +1219,18 @@ optional_policy(` +@@ -829,6 +1220,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -137821,7 +137939,7 @@ index 29a9565..e2c5116 100644 ') optional_policy(` -@@ -844,6 +1246,10 @@ optional_policy(` +@@ -844,6 +1247,10 @@ optional_policy(` ') optional_policy(` @@ -137832,7 +137950,7 @@ index 29a9565..e2c5116 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -854,3 +1260,161 @@ optional_policy(` +@@ -854,3 +1261,161 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -142220,7 +142338,7 @@ index 170e2c7..6c56785 100644 + auth_relabelto_shadow($1) +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index 7ed9819..4442617 100644 +index 7ed9819..b55eda0 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,6 +11,7 @@ gen_require(` 
@@ -142491,7 +142609,7 @@ index 7ed9819..4442617 100644 ifdef(`distro_ubuntu',` optional_policy(` unconfined_domain(run_init_t) -@@ -420,67 +471,29 @@ optional_policy(` +@@ -420,185 +471,194 @@ optional_policy(` # semodule local policy # @@ -142514,19 +142632,19 @@ index 7ed9819..4442617 100644 -dev_read_urand(semanage_t) - -domain_use_interactive_fds(semanage_t) -+seutil_semanage_policy(semanage_t) -+allow semanage_t self:fifo_file rw_fifo_file_perms; - +- -files_read_etc_files(semanage_t) -files_read_etc_runtime_files(semanage_t) -files_read_usr_files(semanage_t) -files_list_pids(semanage_t) -+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) -+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++seutil_semanage_policy(semanage_t) ++allow semanage_t self:fifo_file rw_fifo_file_perms; -mls_file_write_all_levels(semanage_t) -mls_file_read_all_levels(semanage_t) -- ++manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) ++manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t) + -selinux_validate_context(semanage_t) -selinux_get_enforce_mode(semanage_t) -selinux_getattr_fs(semanage_t) @@ -142535,7 +142653,9 @@ index 7ed9819..4442617 100644 +can_exec(semanage_t, semanage_exec_t) -term_use_all_terms(semanage_t) -- ++# Admins are creating pp files in random locations ++files_read_non_security_files(semanage_t) + -# Running genhomedircon requires this for finding all users -auth_use_nsswitch(semanage_t) - @@ -142544,9 +142664,7 @@ index 7ed9819..4442617 100644 -logging_send_syslog_msg(semanage_t) - -miscfiles_read_localization(semanage_t) -+# Admins are creating pp files in random locations -+files_read_non_security_files(semanage_t) - +- -seutil_libselinux_linked(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_config(semanage_t) 
@@ -142568,8 +142686,15 @@ index 7ed9819..4442617 100644 ifdef(`distro_debian',` files_read_var_lib_files(semanage_t) -@@ -493,112 +506,161 @@ ifdef(`distro_ubuntu',` - ') + files_read_var_lib_symlinks(semanage_t) + ') + +-ifdef(`distro_ubuntu',` +- optional_policy(` +- unconfined_domain(semanage_t) +- ') ++optional_policy(` ++ unconfined_domain(semanage_t) ') -######################################## @@ -142584,11 +142709,17 @@ index 7ed9819..4442617 100644 -allow setfiles_t self:capability { dac_override dac_read_search fowner }; -dontaudit setfiles_t self:capability sys_tty_config; -allow setfiles_t self:fifo_file rw_file_perms; -- ++init_dontaudit_use_fds(setsebool_t) + -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:file read_file_perms; -allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock }; -- ++# Bug in semanage ++seutil_domtrans_setfiles(setsebool_t) ++seutil_manage_file_contexts(setsebool_t) ++seutil_manage_default_contexts(setsebool_t) ++seutil_manage_config(setsebool_t) + -kernel_read_system_state(setfiles_t) -kernel_relabelfrom_unlabeled_dirs(setfiles_t) -kernel_relabelfrom_unlabeled_files(setfiles_t) @@ -142600,15 +142731,9 @@ index 7ed9819..4442617 100644 -kernel_rw_unix_dgram_sockets(setfiles_t) -kernel_dontaudit_list_all_proc(setfiles_t) -kernel_dontaudit_list_all_sysctls(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - +- -dev_relabel_all_dev_nodes(setfiles_t) -+# Bug in semanage -+seutil_domtrans_setfiles(setsebool_t) -+seutil_manage_file_contexts(setsebool_t) -+seutil_manage_default_contexts(setsebool_t) -+seutil_manage_config(setsebool_t) - +- -domain_use_interactive_fds(setfiles_t) -domain_dontaudit_search_all_domains_state(setfiles_t) - 
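Review bot: Dropping the `ifdef(`distro_ubuntu',` guard makes `unconfined_domain(semanage_t)` apply to every build that loads the unconfined module, so semanage_t — and by extension every domain allowed to transition into it — becomes effectively unconfined, and the targeted seutil_* and selinux_var_lib_t grants this patch keeps for semanage_t become dead weight on those builds. If the intent is distribution-specific, keep a guard such as `ifdef(`distro_redhat',` around the optional_policy block as the removed Ubuntu one had. Otherwise the reason for abandoning confinement should be recorded next to the rule; the changelog only says `Run semanage as a unconfined domain`.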
@@ -142775,9 +142900,8 @@ index 7ed9819..4442617 100644 # and then relabeled afterwards; thus # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t) -+ fs_rw_tmpfs_chr_files(setfiles_domain) - ') - +-') +- -ifdef(`distro_redhat', ` - fs_rw_tmpfs_chr_files(setfiles_t) - fs_rw_tmpfs_blk_files(setfiles_t) @@ -142789,8 +142913,9 @@ index 7ed9819..4442617 100644 - optional_policy(` - unconfined_domain(setfiles_t) - ') --') -- ++ fs_rw_tmpfs_chr_files(setfiles_domain) + ') + -ifdef(`hide_broken_symptoms',` - optional_policy(` - udev_dontaudit_rw_dgram_sockets(setfiles_t) @@ -143155,7 +143280,7 @@ index ff80d0a..22c9f0d 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index 34d0ec5..40d2d20 100644 +index 34d0ec5..cd52cdd 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2) @@ -143362,7 +143487,12 @@ index 34d0ec5..40d2d20 100644 # for /sbin/ip allow ifconfig_t self:packet_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; -@@ -276,8 +330,12 @@ dev_read_urand(ifconfig_t) +@@ -273,11 +327,17 @@ corenet_rw_tun_tap_dev(ifconfig_t) + dev_read_sysfs(ifconfig_t) + # for IPSEC setup: + dev_read_urand(ifconfig_t) ++# needed by tuned ++dev_rw_netcontrol(ifconfig_t) domain_use_interactive_fds(ifconfig_t) @@ -143375,7 +143505,7 @@ index 34d0ec5..40d2d20 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -290,7 +348,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -290,7 +350,7 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) 
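Review bot: `# needed by tuned` above `dev_rw_netcontrol(ifconfig_t)` does not say what ifconfig itself does with the netcontrol device, and the same grant already exists for tuned_t in tuned.te (`# to allow cpu tuning`). If ifconfig_t only inherits a descriptor that tuned_t leaves open across the exec, a dontaudit of that inherited access (or closing the descriptor before exec) would be narrower than giving every ifconfig_t caller read/write on the device. If ifconfig genuinely needs it, the comment should say so, e.g. `# tuned runs ifconfig with its netcontrol (latency) device fd still open — confirm`.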
@@ -143384,7 +143514,7 @@ index 34d0ec5..40d2d20 100644 init_use_fds(ifconfig_t) init_use_script_ptys(ifconfig_t) -@@ -301,11 +359,11 @@ logging_send_syslog_msg(ifconfig_t) +@@ -301,11 +361,11 @@ logging_send_syslog_msg(ifconfig_t) miscfiles_read_localization(ifconfig_t) @@ -143399,7 +143529,7 @@ index 34d0ec5..40d2d20 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -314,7 +372,18 @@ ifdef(`distro_ubuntu',` +@@ -314,7 +374,18 @@ ifdef(`distro_ubuntu',` ') ') @@ -143418,7 +143548,7 @@ index 34d0ec5..40d2d20 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -325,8 +394,14 @@ ifdef(`hide_broken_symptoms',` +@@ -325,8 +396,14 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -143433,7 +143563,7 @@ index 34d0ec5..40d2d20 100644 ') optional_policy(` -@@ -335,7 +410,15 @@ optional_policy(` +@@ -335,7 +412,15 @@ optional_policy(` ') optional_policy(` @@ -143450,7 +143580,7 @@ index 34d0ec5..40d2d20 100644 ') optional_policy(` -@@ -356,3 +439,9 @@ optional_policy(` +@@ -356,3 +441,9 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 9fe6871..3a5b233 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 108%{?dist} +Release: 109%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -484,6 +484,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Mar 30 2012 Miroslav Grepl 3.10.0-109 +- Ensure lastlog is labeled correctly +- Allow accountsd to read /proc data about gdm +- Add fixes for tuned +- Add bcfg2 fixes which were discovered during RHEL6 testing +- More fixes for gnome-keyring socket being moved +- Run semanage as a unconfined domain, and allow initrc_t to create tmpfs_t sym links on shutdown +- Fix description for files_dontaudit_read_security_files() interface + * Wed Mar 28 2012 Miroslav Grepl 3.10.0-108 - Add new policy and man page for bcfg2 - cgconfig needs to use getpw calls