diff --git a/policy-F16.patch b/policy-F16.patch
index 0ecf125..1892c25 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -68251,10 +68251,10 @@ index 0000000..efebae7
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..163c017
+index 0000000..995ec10
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,187 @@
+@@ -0,0 +1,188 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -68319,6 +68319,7 @@ index 0000000..163c017
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
+corenet_tcp_connect_http_port(chrome_sandbox_t)
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
++corenet_tcp_connect_msnp_port(chrome_sandbox_t)
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
@@ -72264,7 +72265,7 @@ index fbb5c5a..67c1168 100644
+')
+
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2e9318b..e170274 100644
+index 2e9318b..bb2d536 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,11 +7,25 @@ policy_module(mozilla, 2.3.3)
@@ -72453,7 +72454,7 @@ index 2e9318b..e170274 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -322,39 +354,60 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -322,39 +354,61 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -72491,6 +72492,7 @@ index 2e9318b..e170274 100644
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
+corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
++corenet_tcp_connect_msnp_port(mozilla_plugin_t)
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
corenet_tcp_connect_speech_port(mozilla_plugin_t)
+corenet_tcp_connect_squid_port(mozilla_plugin_t)
@@ -72521,7 +72523,7 @@ index 2e9318b..e170274 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -362,15 +415,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -362,15 +416,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -72545,7 +72547,7 @@ index 2e9318b..e170274 100644
logging_send_syslog_msg(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
-@@ -383,34 +444,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -383,34 +445,30 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -72594,7 +72596,7 @@ index 2e9318b..e170274 100644
')
optional_policy(`
-@@ -421,24 +478,35 @@ optional_policy(`
+@@ -421,24 +479,35 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -72634,7 +72636,7 @@ index 2e9318b..e170274 100644
')
optional_policy(`
-@@ -446,10 +514,106 @@ optional_policy(`
+@@ -446,10 +515,106 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -74010,6 +74012,17 @@ index 96cc023..5919bbd 100644
########################################
##
## Execute ptchown in the ptchown domain, and
+diff --git a/policy/modules/apps/ptchown.te b/policy/modules/apps/ptchown.te
+index d90245a..a74d8e0 100644
+--- a/policy/modules/apps/ptchown.te
++++ b/policy/modules/apps/ptchown.te
+@@ -28,4 +28,6 @@ term_setattr_all_ptys(ptchown_t)
+ term_use_generic_ptys(ptchown_t)
+ term_use_ptmx(ptchown_t)
+
++auth_read_passwd(ptchown_t)
++
+ miscfiles_read_localization(ptchown_t)
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 84f23dc..5be2738 100644
--- a/policy/modules/apps/pulseaudio.fc
@@ -76820,7 +76833,7 @@ index e70b0e8..cd83b89 100644
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/policy/modules/apps/userhelper.if b/policy/modules/apps/userhelper.if
-index ced285a..d2e2ce8 100644
+index ced285a..5fa7458 100644
--- a/policy/modules/apps/userhelper.if
+++ b/policy/modules/apps/userhelper.if
@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -76860,7 +76873,7 @@ index ced285a..d2e2ce8 100644
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -256,3 +248,88 @@ interface(`userhelper_exec',`
+@@ -256,3 +248,89 @@ interface(`userhelper_exec',`
can_exec($1, userhelper_exec_t)
')
@@ -76908,6 +76921,7 @@ index ced285a..d2e2ce8 100644
+ allow $3 $1_consolehelper_t:process signal;
+ allow $3 $1_consolehelper_t:dbus send_msg;
+ allow $1_consolehelper_t $3:dbus send_msg;
++ allow $1_consolehelper_t $3:unix_stream_socket connectto;
+
+ auth_use_pam($1_consolehelper_t)
+
@@ -76950,10 +76964,10 @@ index ced285a..d2e2ce8 100644
+ can_exec($1, consolehelper_exec_t)
+')
diff --git a/policy/modules/apps/userhelper.te b/policy/modules/apps/userhelper.te
-index 13b2cea..8ce8577 100644
+index 13b2cea..d59a927 100644
--- a/policy/modules/apps/userhelper.te
+++ b/policy/modules/apps/userhelper.te
-@@ -6,9 +6,81 @@ policy_module(userhelper, 1.6.0)
+@@ -6,9 +6,82 @@ policy_module(userhelper, 1.6.0)
#
attribute userhelper_type;
@@ -76996,6 +77010,7 @@ index 13b2cea..8ce8577 100644
+dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
+dev_dontaudit_getattr_all(consolehelper_domain)
+fs_getattr_all_dirs(consolehelper_domain)
++fs_getattr_all_fs(consolehelper_domain)
+
+files_read_config_files(consolehelper_domain)
+files_read_usr_files(consolehelper_domain)
@@ -77095,7 +77110,7 @@ index f647c7e..252468a 100644
/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
-index 23066a1..f0956d0 100644
+index 23066a1..85c393a 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -72,7 +72,7 @@ ifdef(`enable_mcs',`
@@ -77141,14 +77156,19 @@ index 23066a1..f0956d0 100644
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
-@@ -161,10 +163,22 @@ netutils_domtrans_ping(vmware_host_t)
+@@ -160,11 +162,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+ netutils_domtrans_ping(vmware_host_t)
optional_policy(`
- hostname_exec(vmware_host_t)
--')
-+')
+- hostname_exec(vmware_host_t)
++ unconfined_domain(vmware_host_t)
+ ')
optional_policy(`
++ hostname_exec(vmware_host_t)
++')
++
++optional_policy(`
modutils_domtrans_insmod(vmware_host_t)
+')
+
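Review bot: `unconfined_domain(vmware_host_t)` strips all confinement from vmware_host_t, which makes the explicit grants kept around it (netutils_domtrans_ping, hostname_exec, modutils_domtrans_insmod and whatever follows outside the hunk) dead policy and turns any compromise of the VMware host daemons into an unconfined process. The call is gated only on the unconfined module being loadable, not on any boolean, so a hardened host that wants vmware_host_t confined has no switch to flip. If the judgement is that vmware-hostd is too privileged to enumerate, record it at the call site, e.g. `# vmware host daemons load modules and manage network/storage; run unconfined`, so the surviving explicit rules are understood as fallback for builds without the unconfined module rather than as the effective policy. The vmware_host_t policy continues outside this hunk.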
@@ -77165,7 +77185,7 @@ index 23066a1..f0956d0 100644
')
optional_policy(`
-@@ -275,7 +289,7 @@ libs_read_lib_files(vmware_t)
+@@ -275,7 +293,7 @@ libs_read_lib_files(vmware_t)
miscfiles_read_localization(vmware_t)
@@ -82167,7 +82187,7 @@ index c19518a..145c899 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..5e933f1 100644
+index ff006ea..3dec529 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -55,6 +55,7 @@
@@ -82306,7 +82326,33 @@ index ff006ea..5e933f1 100644
## Read all directories on the filesystem, except
## the listed exceptions.
##
-@@ -1053,10 +1162,8 @@ interface(`files_relabel_all_files',`
+@@ -933,6 +1042,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+
+ ########################################
+ ##
++## Do not audit attempts to read/write
++## of non security named pipes.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`files_dontaudit_rw_inherited_pipes',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ dontaudit $1 non_security_file_type:fifo_file rw_inherited_fifo_file_perms;
++')
++
++########################################
++##
+ ## Get the attributes of all named sockets.
+ ##
+ ##
+@@ -1053,10 +1181,8 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -82319,7 +82365,7 @@ index ff006ea..5e933f1 100644
# satisfy the assertions:
seutil_relabelto_bin_policy($1)
-@@ -1482,6 +1589,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1482,6 +1608,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -82362,7 +82408,7 @@ index ff006ea..5e933f1 100644
## List the contents of the root directory.
##
##
-@@ -1562,7 +1705,7 @@ interface(`files_root_filetrans',`
+@@ -1562,7 +1724,7 @@ interface(`files_root_filetrans',`
type root_t;
')
@@ -82371,7 +82417,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -1660,6 +1803,42 @@ interface(`files_delete_root_dir_entry',`
+@@ -1660,6 +1822,42 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -82414,7 +82460,7 @@ index ff006ea..5e933f1 100644
## Unmount a rootfs filesystem.
##
##
-@@ -1678,6 +1857,24 @@ interface(`files_unmount_rootfs',`
+@@ -1678,6 +1876,24 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -82439,7 +82485,7 @@ index ff006ea..5e933f1 100644
## Get attributes of the /boot directory.
##
##
-@@ -1848,7 +2045,7 @@ interface(`files_boot_filetrans',`
+@@ -1848,7 +2064,7 @@ interface(`files_boot_filetrans',`
type boot_t;
')
@@ -82448,7 +82494,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -2372,6 +2569,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2372,6 +2588,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -82473,7 +82519,7 @@ index ff006ea..5e933f1 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2451,7 +2666,7 @@ interface(`files_read_etc_files',`
+@@ -2451,7 +2685,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -82482,7 +82528,7 @@ index ff006ea..5e933f1 100644
##
##
#
-@@ -2507,6 +2722,25 @@ interface(`files_manage_etc_files',`
+@@ -2507,6 +2741,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -82508,7 +82554,7 @@ index ff006ea..5e933f1 100644
## Delete system configuration files in /etc.
##
##
-@@ -2525,6 +2759,24 @@ interface(`files_delete_etc_files',`
+@@ -2525,6 +2778,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -82533,7 +82579,7 @@ index ff006ea..5e933f1 100644
## Execute generic files in /etc.
##
##
-@@ -2624,7 +2876,7 @@ interface(`files_etc_filetrans',`
+@@ -2624,7 +2895,7 @@ interface(`files_etc_filetrans',`
type etc_t;
')
@@ -82542,7 +82588,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -2680,24 +2932,6 @@ interface(`files_delete_boot_flag',`
+@@ -2680,24 +2951,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -82567,7 +82613,7 @@ index ff006ea..5e933f1 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -2738,6 +2972,42 @@ interface(`files_read_etc_runtime_files',`
+@@ -2738,6 +2991,42 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -82610,7 +82656,7 @@ index ff006ea..5e933f1 100644
## Do not audit attempts to read files
## in /etc that are dynamically
## created on boot, such as mtab.
-@@ -2775,6 +3045,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -2775,6 +3064,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -82618,7 +82664,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -2796,6 +3067,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -2796,6 +3086,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -82626,7 +82672,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -2819,7 +3091,7 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -2819,7 +3110,7 @@ interface(`files_etc_filetrans_etc_runtime',`
type etc_t, etc_runtime_t;
')
@@ -82635,7 +82681,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -3166,6 +3438,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3166,6 +3457,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -82661,7 +82707,7 @@ index ff006ea..5e933f1 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3364,7 +3655,7 @@ interface(`files_home_filetrans',`
+@@ -3364,7 +3674,7 @@ interface(`files_home_filetrans',`
type home_root_t;
')
@@ -82670,7 +82716,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -3502,20 +3793,38 @@ interface(`files_list_mnt',`
+@@ -3502,20 +3812,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -82714,7 +82760,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -3804,7 +4113,7 @@ interface(`files_kernel_modules_filetrans',`
+@@ -3804,7 +4132,7 @@ interface(`files_kernel_modules_filetrans',`
type modules_object_t;
')
@@ -82723,7 +82769,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -3900,6 +4209,127 @@ interface(`files_read_world_readable_sockets',`
+@@ -3900,6 +4228,127 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -82851,7 +82897,7 @@ index ff006ea..5e933f1 100644
########################################
##
## Allow the specified type to associate
-@@ -3922,6 +4352,26 @@ interface(`files_associate_tmp',`
+@@ -3922,6 +4371,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -82878,7 +82924,7 @@ index ff006ea..5e933f1 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -3935,6 +4385,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3935,6 +4404,7 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -82886,7 +82932,7 @@ index ff006ea..5e933f1 100644
allow $1 tmp_t:dir getattr;
')
-@@ -3945,7 +4396,7 @@ interface(`files_getattr_tmp_dirs',`
+@@ -3945,7 +4415,7 @@ interface(`files_getattr_tmp_dirs',`
##
##
##
@@ -82895,7 +82941,7 @@ index ff006ea..5e933f1 100644
##
##
#
-@@ -3972,6 +4423,7 @@ interface(`files_search_tmp',`
+@@ -3972,6 +4442,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -82903,7 +82949,7 @@ index ff006ea..5e933f1 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4008,6 +4460,7 @@ interface(`files_list_tmp',`
+@@ -4008,6 +4479,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -82911,7 +82957,7 @@ index ff006ea..5e933f1 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4017,7 +4470,7 @@ interface(`files_list_tmp',`
+@@ -4017,7 +4489,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -82920,7 +82966,7 @@ index ff006ea..5e933f1 100644
##
##
#
-@@ -4029,6 +4482,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4029,6 +4501,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -82946,7 +82992,7 @@ index ff006ea..5e933f1 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4044,6 +4516,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4044,6 +4535,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -82954,7 +83000,7 @@ index ff006ea..5e933f1 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4085,6 +4558,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4085,6 +4577,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -82987,7 +83033,7 @@ index ff006ea..5e933f1 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4139,6 +4638,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4139,6 +4657,42 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -83030,7 +83076,7 @@ index ff006ea..5e933f1 100644
## Set the attributes of all tmp directories.
##
##
-@@ -4155,6 +4690,24 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4155,6 +4709,24 @@ interface(`files_setattr_all_tmp_dirs',`
allow $1 tmpfile:dir { search_dir_perms setattr };
')
@@ -83055,7 +83101,7 @@ index ff006ea..5e933f1 100644
########################################
##
## List all tmp directories.
-@@ -4202,7 +4755,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4202,7 +4774,7 @@ interface(`files_relabel_all_tmp_dirs',`
##
##
##
@@ -83064,7 +83110,7 @@ index ff006ea..5e933f1 100644
##
##
#
-@@ -4262,7 +4815,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4262,7 +4834,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -83073,7 +83119,7 @@ index ff006ea..5e933f1 100644
##
##
#
-@@ -4318,7 +4871,7 @@ interface(`files_tmp_filetrans',`
+@@ -4318,7 +4890,7 @@ interface(`files_tmp_filetrans',`
type tmp_t;
')
@@ -83082,7 +83128,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -4342,6 +4895,16 @@ interface(`files_purge_tmp',`
+@@ -4342,6 +4914,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -83099,7 +83145,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -4681,7 +5244,7 @@ interface(`files_usr_filetrans',`
+@@ -4681,7 +5263,7 @@ interface(`files_usr_filetrans',`
type usr_t;
')
@@ -83108,7 +83154,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -4914,6 +5477,24 @@ interface(`files_list_var',`
+@@ -4914,6 +5496,24 @@ interface(`files_list_var',`
########################################
##
@@ -83133,7 +83179,7 @@ index ff006ea..5e933f1 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5084,7 +5665,7 @@ interface(`files_var_filetrans',`
+@@ -5084,7 +5684,7 @@ interface(`files_var_filetrans',`
type var_t;
')
@@ -83142,7 +83188,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -5219,7 +5800,7 @@ interface(`files_var_lib_filetrans',`
+@@ -5219,7 +5819,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -83151,7 +83197,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -5259,6 +5840,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5259,6 +5859,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -83177,7 +83223,7 @@ index ff006ea..5e933f1 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5304,6 +5904,25 @@ interface(`files_manage_mounttab',`
+@@ -5304,6 +5923,25 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -83203,7 +83249,7 @@ index ff006ea..5e933f1 100644
## Search the locks directory (/var/lock).
##
##
-@@ -5317,6 +5936,8 @@ interface(`files_search_locks',`
+@@ -5317,6 +5955,8 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -83212,7 +83258,7 @@ index ff006ea..5e933f1 100644
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5336,12 +5957,14 @@ interface(`files_dontaudit_search_locks',`
+@@ -5336,12 +5976,14 @@ interface(`files_dontaudit_search_locks',`
type var_lock_t;
')
@@ -83228,7 +83274,7 @@ index ff006ea..5e933f1 100644
##
##
##
-@@ -5349,12 +5972,30 @@ interface(`files_dontaudit_search_locks',`
+@@ -5349,12 +5991,30 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -83261,7 +83307,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -5373,6 +6014,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5373,6 +6033,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -83269,7 +83315,7 @@ index ff006ea..5e933f1 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5385,7 +6027,6 @@ interface(`files_rw_lock_dirs',`
+@@ -5385,7 +6046,6 @@ interface(`files_rw_lock_dirs',`
## Domain allowed access.
##
##
@@ -83277,7 +83323,7 @@ index ff006ea..5e933f1 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5412,7 +6053,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5412,7 +6072,7 @@ interface(`files_getattr_generic_locks',`
type var_t, var_lock_t;
')
@@ -83286,7 +83332,7 @@ index ff006ea..5e933f1 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5428,12 +6069,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5428,12 +6088,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -83303,7 +83349,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -5452,7 +6093,7 @@ interface(`files_manage_generic_locks',`
+@@ -5452,7 +6112,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -83312,7 +83358,7 @@ index ff006ea..5e933f1 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5493,7 +6134,7 @@ interface(`files_read_all_locks',`
+@@ -5493,7 +6153,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -83321,7 +83367,7 @@ index ff006ea..5e933f1 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5515,7 +6156,7 @@ interface(`files_manage_all_locks',`
+@@ -5515,7 +6175,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -83330,7 +83376,7 @@ index ff006ea..5e933f1 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5547,8 +6188,8 @@ interface(`files_lock_filetrans',`
+@@ -5547,8 +6207,8 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -83341,15 +83387,20 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -5608,6 +6249,43 @@ interface(`files_search_pids',`
+@@ -5608,14 +6268,51 @@ interface(`files_search_pids',`
search_dirs_pattern($1, var_t, var_run_t)
')
+-########################################
+######################################
-+##
+ ##
+-## Do not audit attempts to search
+-## the /var/run directory.
+## Add and remove entries from pid directories.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain to not audit.
+##
+## Domain allowed access.
+##
@@ -83382,15 +83433,21 @@ index ff006ea..5e933f1 100644
+ allow $1 var_run_t:dir create_dir_perms;
+')
+
- ########################################
- ##
- ## Do not audit attempts to search
-@@ -5629,8 +6307,27 @@ interface(`files_dontaudit_search_pids',`
++########################################
++##
++## Do not audit attempts to search
++## the /var/run directory.
++##
++##
++##
++## Domain to not audit.
+ ##
+ ##
+ #
+@@ -5629,6 +6326,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
--## List the contents of the runtime process
--## ID directories (/var/run).
+## Do not audit attempts to search
+## the all /var/run directory.
+##
@@ -83410,12 +83467,10 @@ index ff006ea..5e933f1 100644
+
+########################################
+##
-+## List the contents of the runtime process
-+## ID directories (/var/run).
+ ## List the contents of the runtime process
+ ## ID directories (/var/run).
##
- ##
- ##
-@@ -5736,7 +6433,7 @@ interface(`files_pid_filetrans',`
+@@ -5736,7 +6452,7 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -83424,7 +83479,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -5815,6 +6512,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5815,6 +6531,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -83541,7 +83596,7 @@ index ff006ea..5e933f1 100644
## Read all process ID files.
##
##
-@@ -5832,6 +6639,62 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6658,62 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -83604,7 +83659,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -5900,6 +6763,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6782,90 @@ interface(`files_delete_all_pid_dirs',`
########################################
##
@@ -83695,7 +83750,7 @@ index ff006ea..5e933f1 100644
## Search the contents of generic spool
## directories (/var/spool).
##
-@@ -6042,7 +6989,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +7008,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -83704,7 +83759,7 @@ index ff006ea..5e933f1 100644
')
########################################
-@@ -6117,3 +7064,344 @@ interface(`files_unconfined',`
+@@ -6117,3 +7083,344 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -86358,7 +86413,7 @@ index 57c4a6a..d323c74 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..6d06ade 100644
+index 1700ef2..57d9dbc 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -86458,7 +86513,32 @@ index 1700ef2..6d06ade 100644
########################################
##
## Create block devices in on a tmpfs filesystem with the
-@@ -808,3 +877,369 @@ interface(`storage_unconfined',`
+@@ -711,6 +780,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+ dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+ ')
+
++#######################################
++##
++## Alow read and write inherited removable devices.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`storage_rw_inherited_removable_device',`
++ gen_require(`
++ type removable_device_t;
++ ')
++
++ dontaudit $1 removable_device_t:blk_file { read write };
++')
++
+ ########################################
+ ##
+ ## Allow the caller to directly read
+@@ -808,3 +895,369 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
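Review bot: The new storage_rw_inherited_removable_device interface is named and summarised as an allow ("Alow read and write inherited removable devices") but its only rule is `dontaudit $1 removable_device_t:blk_file { read write };`, so a caller expecting access gets a silent denial instead. Refpolicy convention is that dontaudit interfaces carry `dontaudit_` in the name; either rename it to storage_dontaudit_rw_inherited_removable_device with the summary `## Do not audit attempts to read and write inherited removable devices.`, or change the rule to `allow $1 removable_device_t:blk_file { read write };` if granting access is the intent. The parameter description already says "Domain to not audit", which supports the dontaudit reading, and the summary typo "Alow" should be fixed either way. The only caller added in this patch is system_dbusd_t, where silencing leaked-descriptor noise is plausible, but the name should not promise more.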
@@ -95590,10 +95670,10 @@ index 0000000..a66b2ff
+')
diff --git a/policy/modules/services/blueman.te b/policy/modules/services/blueman.te
new file mode 100644
-index 0000000..73442c8
+index 0000000..34a5638
--- /dev/null
+++ b/policy/modules/services/blueman.te
-@@ -0,0 +1,60 @@
+@@ -0,0 +1,61 @@
+policy_module(blueman, 1.0.0)
+
+########################################
@@ -95614,7 +95694,7 @@ index 0000000..73442c8
+# blueman local policy
+#
+
-+allow blueman_t self:capability sys_nice;
++allow blueman_t self:capability { net_admin sys_nice };
+allow blueman_t self:process setsched;
+
+allow blueman_t self:fifo_file rw_fifo_file_perms;
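Review bot: `net_admin` is a far broader grant than the Bluetooth device management it is presumably for: CAP_NET_ADMIN also covers routing tables, netfilter, interface configuration and privileged socket options on every address family, so a compromised blueman_t could reconfigure the host network. Nothing in the block says which operation triggered it, so the next maintainer cannot tell a required capability from an audit2allow leftover; a why-comment such as `# net_admin: hci device up/down and bluetooth socket ioctls` above the allow line would fix that. If the denial actually came from an operation that bluetoothd performs on blueman's behalf over dbus, routing it through that domain instead would keep the capability out of blueman_t entirely.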
@@ -95624,6 +95704,7 @@ index 0000000..73442c8
+files_var_lib_filetrans(blueman_t, blueman_var_lib_t, { file dir })
+
+kernel_read_system_state(blueman_t)
++kernel_request_load_module(blueman_t)
+
+corecmd_exec_bin(blueman_t)
+
@@ -95937,10 +96018,10 @@ index 0000000..e59e51b
+/var/log/boinc\.log -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/policy/modules/services/boinc.if b/policy/modules/services/boinc.if
new file mode 100644
-index 0000000..6d7e034
+index 0000000..3094265
--- /dev/null
+++ b/policy/modules/services/boinc.if
-@@ -0,0 +1,189 @@
+@@ -0,0 +1,207 @@
+## policy for boinc
+
+########################################
@@ -95979,6 +96060,24 @@ index 0000000..6d7e034
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
+')
+
++#######################################
++##
++## Dontaudit getattr on boinc lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`boinc_dontaudit_getattr_lib',`
++ gen_require(`
++ type boinc_var_lib_t;
++ ')
++
++ dontaudit $1 boinc_var_lib_t:file getattr;
++')
++
+########################################
+##
+## Search boinc lib directories.
@@ -104287,7 +104386,7 @@ index 1a1becd..115133d 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
-index 1bff6ee..f8993c2 100644
+index 1bff6ee..797d795 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -104358,11 +104457,12 @@ index 1bff6ee..f8993c2 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -133,14 +142,36 @@ seutil_read_config(system_dbusd_t)
+@@ -133,14 +142,37 @@ seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
seutil_sigchld_newrole(system_dbusd_t)
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
++storage_rw_inherited_removable_device(system_dbusd_t)
+
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
@@ -104395,7 +104495,7 @@ index 1bff6ee..f8993c2 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -151,12 +182,162 @@ optional_policy(`
+@@ -151,12 +183,162 @@ optional_policy(`
')
optional_policy(`
@@ -108682,7 +108782,7 @@ index 6537214..8629354 100644
files_list_etc($1)
admin_pattern($1, fetchmail_etc_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
-index 3459d93..3d4e162 100644
+index 3459d93..887540e 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -10,6 +10,9 @@ type fetchmail_exec_t;
@@ -108707,7 +108807,16 @@ index 3459d93..3d4e162 100644
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
kernel_getattr_proc_files(fetchmail_t)
-@@ -85,7 +93,10 @@ miscfiles_read_generic_certs(fetchmail_t)
+@@ -77,6 +85,8 @@ fs_search_auto_mountpoints(fetchmail_t)
+
+ domain_use_interactive_fds(fetchmail_t)
+
++auth_read_passwd(fetchmail_t)
++
+ logging_send_syslog_msg(fetchmail_t)
+
+ miscfiles_read_localization(fetchmail_t)
+@@ -85,7 +95,10 @@ miscfiles_read_generic_certs(fetchmail_t)
sysnet_read_config(fetchmail_t)
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
@@ -108912,10 +109021,10 @@ index 0000000..c4c7510
+')
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
new file mode 100644
-index 0000000..b3727f1
+index 0000000..3064df2
--- /dev/null
+++ b/policy/modules/services/firewalld.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,93 @@
+
+policy_module(firewalld,1.0.0)
+
@@ -108988,6 +109097,8 @@ index 0000000..b3727f1
+seutil_exec_setfiles(firewalld_t)
+seutil_read_file_contexts(firewalld_t)
+
++sysnet_read_config(firewalld_t)
++
+optional_policy(`
+ dbus_system_domain(firewalld_t, firewalld_exec_t)
+
@@ -116629,7 +116740,7 @@ index 0000000..1d76fb8
+')
diff --git a/policy/modules/services/mock.te b/policy/modules/services/mock.te
new file mode 100644
-index 0000000..621fc5a
+index 0000000..e45e237
--- /dev/null
+++ b/policy/modules/services/mock.te
@@ -0,0 +1,253 @@
@@ -116676,7 +116787,7 @@ index 0000000..621fc5a
+# mock local policy
+#
+
-+allow mock_t self:capability { sys_admin setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+# Needed because mock can run java and mono withing build environment
+allow mock_t self:process { execmem execstack };
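Review bot: `sys_ptrace` is appended to a capability set that already holds sys_admin, sys_chroot, setuid and dac_override, with no indication of what in the build root needs it; CAP_SYS_PTRACE lets mock_t attach to and read the memory and /proc state of any process on the host, not only processes inside the chroot. The other non-obvious grant in this block (`execmem execstack`) carries a why-comment and this one should too, e.g. `# sys_ptrace: debuggers/test suites run inside the build root attach to their children`, naming the actual tool once known. If the capability was lifted from an audit log, check whether the ptrace is a dontaudit candidate rather than a genuine requirement before widening an already root-equivalent domain.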
@@ -116791,7 +116902,7 @@ index 0000000..621fc5a
+')
+
+optional_policy(`
-+ mount_domtrans(mock_t)
++ mount_exec(mock_t)
+')
+
+optional_policy(`
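Review bot: Replacing `mount_domtrans(mock_t)` with `mount_exec(mock_t)` keeps /bin/mount inside mock_t, so the mount_t policy no longer constrains what mock can mount or where; with mock_t holding sys_admin (capability line earlier in this file) the effective mount rules are now only whatever mock_t itself is granted. If that is intentional, for example because mount_t could not see the chroot tree under the build root, a comment above this optional_policy block should say so, and mock_t should be checked for the `mounton` rights it now needs on the chroot mountpoints, since any denial will now surface on mock_t rather than mount_t.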
@@ -123031,10 +123142,10 @@ index 0000000..71d6f47
+')
diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
new file mode 100644
-index 0000000..6c77c83
+index 0000000..8d6a975
--- /dev/null
+++ b/policy/modules/services/openshift.te
-@@ -0,0 +1,364 @@
+@@ -0,0 +1,372 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -123064,12 +123175,12 @@ index 0000000..6c77c83
+oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t)
+domain_obj_id_change_exemption(openshift_initrc_t)
+
-+type openshift_tmpfs_t;
-+files_tmpfs_file(openshift_tmpfs_t)
-+
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
++type openshift_tmpfs_t;
++files_tmpfs_file(openshift_tmpfs_t)
++
+type openshift_tmp_t, openshift_file_type;
+files_tmp_file(openshift_tmp_t)
+files_mountpoint(openshift_tmp_t)
@@ -123177,6 +123288,7 @@ index 0000000..6c77c83
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
++can_exec(openshift_domain, openshift_tmpfs_t)
+
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
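Review bot: `can_exec(openshift_domain, openshift_tmpfs_t)` combines with the `manage_files_pattern` on the same type a few lines above into a write-then-execute path: any process in the openshift_domain attribute can create a file on tmpfs and execute it, which removes the writable/executable separation for a multi-tenant gear domain. If a runtime genuinely needs this (a JIT mapping /dev/shm executable, for instance) the grant should carry a why-comment and ideally sit behind a tunable, e.g. `# gears run JITs that execute from tmpfs -- TODO confirm which cartridge needs this` above the line. The openshift_domain rules continue in later hunks, where `corecmd_exec_all_executables` is also granted, so the combined exec surface should be reviewed together.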
@@ -123206,7 +123318,6 @@ index 0000000..6c77c83
+corecmd_exec_all_executables(openshift_domain)
+
+dev_read_sysfs(openshift_domain)
-+dev_read_urand(openshift_domain)
+dev_read_rand(openshift_domain)
+dev_dontaudit_append_rand(openshift_domain)
+dev_dontaudit_write_urand(openshift_domain)
@@ -123256,6 +123367,7 @@ index 0000000..6c77c83
+libs_exec_ld_so(openshift_domain)
+
+term_use_ptmx(openshift_domain)
++term_use_generic_ptys(openshift_domain)
+
+selinux_validate_context(openshift_domain)
+
@@ -123263,7 +123375,6 @@ index 0000000..6c77c83
+
+init_dontaudit_read_utmp(openshift_domain)
+
-+miscfiles_read_localization(openshift_domain)
+miscfiles_read_fonts(openshift_domain)
+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
+
@@ -123285,15 +123396,19 @@ index 0000000..6c77c83
+ apache_read_sys_content(openshift_domain)
+ apache_exec_sys_script(openshift_domain)
+ apache_entrypoint(openshift_domain)
++')
+
++optional_policy(`
+ #############################################
+ #
+ # openshift cgi script policy
+ #
+ apache_content_template(openshift)
+ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
++
+ optional_policy(`
+ dbus_system_bus_client(httpd_openshift_script_t)
++
+ optional_policy(`
+ oddjob_dbus_chat(httpd_openshift_script_t)
+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
@@ -123314,6 +123429,10 @@ index 0000000..6c77c83
+')
+
+optional_policy(`
++ screen_exec(openshift_domain)
++')
++
++optional_policy(`
+ ssh_use_ptys(openshift_domain)
+ ssh_getattr_user_home_dir(openshift_domain)
+ ssh_dontaudit_search_user_home_dir(openshift_domain)
@@ -123374,7 +123493,7 @@ index 0000000..6c77c83
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
+
-+ssh_dontaudit_use_ptys(openshift_cgroup_read_t)
++ssh_use_ptys(openshift_cgroup_read_t)
+
+corecmd_exec_bin(openshift_cgroup_read_t)
+
@@ -131988,10 +132107,10 @@ index 0000000..d2a58c1
+')
diff --git a/policy/modules/services/rhnsd.te b/policy/modules/services/rhnsd.te
new file mode 100644
-index 0000000..9ae861e
+index 0000000..0425ae5
--- /dev/null
+++ b/policy/modules/services/rhnsd.te
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,43 @@
+policy_module(rhnsd, 1.0.0)
+
+########################################
@@ -132023,6 +132142,8 @@ index 0000000..9ae861e
+manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
+
++corecmd_exec_bin(rhnsd_t)
++
+files_read_etc_files(rhnsd_t)
+
+logging_send_syslog_msg(rhnsd_t)
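Review bot: `corecmd_exec_bin(rhnsd_t)` runs whatever rhnsd spawns from bin_t inside rhnsd_t with no domain transition, so every action of that helper (presumably rhn_check and its interpreter, acting on instructions from the RHN server) is attributed to the network-facing daemon's own domain and must be granted to rhnsd_t. A comment naming the helper, e.g. `# rhnsd execs rhn_check (bin_t) in its own domain; remote actions stay confined by rhnsd_t`, would make the intent reviewable, and if the helper later needs rpm/yum write access a transition (rpm_domtrans or a dedicated domain) would keep rhnsd_t from accumulating those rights. The rhnsd_t local policy block begins earlier in the file, outside this hunk.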
@@ -137444,7 +137565,7 @@ index d2496bd..c7614d7 100644
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
-index 4b2230e..72c7364 100644
+index 4b2230e..24a0520 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,4 +1,4 @@
@@ -137539,7 +137660,18 @@ index 4b2230e..72c7364 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +220,29 @@ optional_policy(`
+@@ -196,6 +210,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mysql_stream_connect(squid_t)
++')
++
++optional_policy(`
+ samba_domtrans_winbind_helper(squid_t)
+ ')
+
+@@ -206,3 +224,29 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -145499,7 +145631,7 @@ index 130ced9..dd8a707 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..2bf3618 100644
+index 143c893..0b0510a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -146141,7 +146273,7 @@ index 143c893..2bf3618 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -507,11 +708,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +708,25 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -146153,6 +146285,10 @@ index 143c893..2bf3618 100644
+')
+
+optional_policy(`
++ boinc_dontaudit_getattr_lib(xdm_t)
++')
++
++optional_policy(`
alsa_domtrans(xdm_t)
+ alsa_read_rw_config(xdm_t)
')
@@ -146163,7 +146299,7 @@ index 143c893..2bf3618 100644
')
optional_policy(`
-@@ -519,12 +730,64 @@ optional_policy(`
+@@ -519,12 +734,64 @@ optional_policy(`
')
optional_policy(`
@@ -146228,7 +146364,7 @@ index 143c893..2bf3618 100644
hostname_exec(xdm_t)
')
-@@ -542,28 +805,69 @@ optional_policy(`
+@@ -542,28 +809,69 @@ optional_policy(`
')
optional_policy(`
@@ -146307,7 +146443,7 @@ index 143c893..2bf3618 100644
')
optional_policy(`
-@@ -575,6 +879,14 @@ optional_policy(`
+@@ -575,6 +883,14 @@ optional_policy(`
')
optional_policy(`
@@ -146322,7 +146458,7 @@ index 143c893..2bf3618 100644
xfs_stream_connect(xdm_t)
')
-@@ -599,7 +911,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +915,8 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -146332,7 +146468,7 @@ index 143c893..2bf3618 100644
dontaudit xserver_t self:capability chown;
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
-@@ -613,8 +926,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +930,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -146348,7 +146484,7 @@ index 143c893..2bf3618 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +953,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +957,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -146370,7 +146506,7 @@ index 143c893..2bf3618 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +973,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +977,7 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -146378,7 +146514,7 @@ index 143c893..2bf3618 100644
# Run helper programs in xserver_t.
corecmd_exec_bin(xserver_t)
-@@ -672,21 +1000,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +1004,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -146409,7 +146545,7 @@ index 143c893..2bf3618 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -697,8 +1032,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1036,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -146423,7 +146559,7 @@ index 143c893..2bf3618 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1051,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1055,6 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -146432,7 +146568,7 @@ index 143c893..2bf3618 100644
locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1058,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1062,12 @@ logging_send_audit_msgs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -146447,7 +146583,7 @@ index 143c893..2bf3618 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1117,40 @@ optional_policy(`
+@@ -778,16 +1121,40 @@ optional_policy(`
')
optional_policy(`
@@ -146489,7 +146625,7 @@ index 143c893..2bf3618 100644
unconfined_domtrans(xserver_t)
')
-@@ -796,6 +1159,10 @@ optional_policy(`
+@@ -796,6 +1163,10 @@ optional_policy(`
')
optional_policy(`
@@ -146500,7 +146636,7 @@ index 143c893..2bf3618 100644
xfs_stream_connect(xserver_t)
')
-@@ -811,10 +1178,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1182,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -146514,7 +146650,7 @@ index 143c893..2bf3618 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1189,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1193,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -146523,7 +146659,7 @@ index 143c893..2bf3618 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -835,26 +1202,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1206,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -146558,7 +146694,7 @@ index 143c893..2bf3618 100644
')
optional_policy(`
-@@ -862,6 +1224,10 @@ optional_policy(`
+@@ -862,6 +1228,10 @@ optional_policy(`
rhgb_rw_tmpfs_files(xserver_t)
')
@@ -146569,7 +146705,7 @@ index 143c893..2bf3618 100644
########################################
#
# Rules common to all X window domains
-@@ -905,7 +1271,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1275,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -146578,7 +146714,7 @@ index 143c893..2bf3618 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -959,11 +1325,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1329,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -146610,7 +146746,7 @@ index 143c893..2bf3618 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -985,18 +1371,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1375,44 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -150463,7 +150599,7 @@ index 94fd8dd..09f0ac4 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..5e6570b 100644
+index 29a9565..efca7b7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -151151,7 +151287,7 @@ index 29a9565..5e6570b 100644
')
')
-@@ -549,6 +853,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +853,41 @@ ifdef(`distro_suse',`
')
')
@@ -151160,6 +151296,8 @@ index 29a9565..5e6570b 100644
+userdom_dontaudit_list_admin_dir(daemon)
+userdom_dontaudit_search_user_tmp(daemon)
+
++init_rw_inherited_script_tmp_files(daemon)
++
+tunable_policy(`allow_daemons_use_tcp_wrapper',`
+ corenet_tcp_connect_auth_port(daemon)
+')
@@ -151191,7 +151329,7 @@ index 29a9565..5e6570b 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +898,8 @@ optional_policy(`
+@@ -561,6 +900,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -151200,7 +151338,7 @@ index 29a9565..5e6570b 100644
')
optional_policy(`
-@@ -577,6 +916,7 @@ optional_policy(`
+@@ -577,6 +918,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -151208,7 +151346,7 @@ index 29a9565..5e6570b 100644
')
optional_policy(`
-@@ -589,6 +929,17 @@ optional_policy(`
+@@ -589,6 +931,17 @@ optional_policy(`
')
optional_policy(`
@@ -151226,7 +151364,7 @@ index 29a9565..5e6570b 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +956,13 @@ optional_policy(`
+@@ -605,9 +958,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -151240,7 +151378,7 @@ index 29a9565..5e6570b 100644
')
optional_policy(`
-@@ -632,6 +987,10 @@ optional_policy(`
+@@ -632,6 +989,10 @@ optional_policy(`
')
optional_policy(`
@@ -151251,7 +151389,7 @@ index 29a9565..5e6570b 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -649,6 +1008,15 @@ optional_policy(`
+@@ -649,6 +1010,15 @@ optional_policy(`
')
optional_policy(`
@@ -151267,7 +151405,7 @@ index 29a9565..5e6570b 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1057,7 @@ optional_policy(`
+@@ -689,6 +1059,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -151275,7 +151413,7 @@ index 29a9565..5e6570b 100644
')
optional_policy(`
-@@ -706,7 +1075,13 @@ optional_policy(`
+@@ -706,7 +1077,13 @@ optional_policy(`
')
optional_policy(`
@@ -151289,7 +151427,7 @@ index 29a9565..5e6570b 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1104,10 @@ optional_policy(`
+@@ -729,6 +1106,10 @@ optional_policy(`
')
optional_policy(`
@@ -151300,7 +151438,7 @@ index 29a9565..5e6570b 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1117,20 @@ optional_policy(`
+@@ -738,10 +1119,20 @@ optional_policy(`
')
optional_policy(`
@@ -151321,7 +151459,7 @@ index 29a9565..5e6570b 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1139,10 @@ optional_policy(`
+@@ -750,6 +1141,10 @@ optional_policy(`
')
optional_policy(`
@@ -151332,7 +151470,7 @@ index 29a9565..5e6570b 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1164,6 @@ optional_policy(`
+@@ -771,8 +1166,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -151341,7 +151479,7 @@ index 29a9565..5e6570b 100644
')
optional_policy(`
-@@ -781,6 +1172,10 @@ optional_policy(`
+@@ -781,6 +1174,10 @@ optional_policy(`
')
optional_policy(`
@@ -151352,7 +151490,7 @@ index 29a9565..5e6570b 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -790,10 +1185,12 @@ optional_policy(`
+@@ -790,10 +1187,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -151365,7 +151503,7 @@ index 29a9565..5e6570b 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1202,6 @@ optional_policy(`
+@@ -805,7 +1204,6 @@ optional_policy(`
')
optional_policy(`
@@ -151373,7 +151511,7 @@ index 29a9565..5e6570b 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1211,30 @@ optional_policy(`
+@@ -815,11 +1213,30 @@ optional_policy(`
')
optional_policy(`
@@ -151405,7 +151543,7 @@ index 29a9565..5e6570b 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1244,18 @@ optional_policy(`
+@@ -829,6 +1246,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -151424,7 +151562,7 @@ index 29a9565..5e6570b 100644
')
optional_policy(`
-@@ -844,6 +1271,10 @@ optional_policy(`
+@@ -844,6 +1273,10 @@ optional_policy(`
')
optional_policy(`
@@ -151435,7 +151573,7 @@ index 29a9565..5e6570b 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1285,165 @@ optional_policy(`
+@@ -854,3 +1287,166 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -151533,6 +151671,7 @@ index 29a9565..5e6570b 100644
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
++init_rw_inherited_script_tmp_files(systemprocess)
+
+tunable_policy(`init_systemd',`
+ # Handle upstart/systemd direct transition to a executable
@@ -157118,7 +157257,7 @@ index ff80d0a..419fc29 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..92fa1e9 100644
+index 34d0ec5..6f5482f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -157325,7 +157464,7 @@ index 34d0ec5..92fa1e9 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -273,11 +327,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+@@ -273,11 +327,18 @@ corenet_rw_tun_tap_dev(ifconfig_t)
dev_read_sysfs(ifconfig_t)
# for IPSEC setup:
dev_read_urand(ifconfig_t)
@@ -157336,6 +157475,7 @@ index 34d0ec5..92fa1e9 100644
+read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
+
++files_dontaudit_rw_inherited_pipes(ifconfig_t)
+files_dontaudit_read_root_files(ifconfig_t)
files_read_etc_files(ifconfig_t)
files_read_etc_runtime_files(ifconfig_t)
@@ -157343,7 +157483,7 @@ index 34d0ec5..92fa1e9 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -290,7 +350,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -290,10 +351,11 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -157352,7 +157492,11 @@ index 34d0ec5..92fa1e9 100644
init_use_fds(ifconfig_t)
init_use_script_ptys(ifconfig_t)
-@@ -301,11 +361,11 @@ logging_send_syslog_msg(ifconfig_t)
++init_rw_inherited_script_tmp_files(ifconfig_t)
+
+ libs_read_lib_files(ifconfig_t)
+
+@@ -301,11 +363,11 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
@@ -157367,7 +157511,7 @@ index 34d0ec5..92fa1e9 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,7 +374,22 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +376,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -157390,7 +157534,7 @@ index 34d0ec5..92fa1e9 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -325,8 +400,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +402,14 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -157405,7 +157549,7 @@ index 34d0ec5..92fa1e9 100644
')
optional_policy(`
-@@ -335,7 +416,15 @@ optional_policy(`
+@@ -335,7 +418,15 @@ optional_policy(`
')
optional_policy(`
@@ -157422,7 +157566,7 @@ index 34d0ec5..92fa1e9 100644
')
optional_policy(`
-@@ -356,3 +445,9 @@ optional_policy(`
+@@ -356,3 +447,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -164052,7 +164196,7 @@ index 77d41b6..cc73c96 100644
files_search_pids($1)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
-index 4350ba0..48f2468 100644
+index 4350ba0..3c5c7e4 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -4,6 +4,7 @@ policy_module(xen, 1.10.1)
@@ -164196,6 +164340,15 @@ index 4350ba0..48f2468 100644
########################################
#
# Xen console local policy
+@@ -359,7 +384,7 @@ allow xenconsoled_t self:process setrlimit;
+ allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+ allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+
+-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
++allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };
+
+ # pid file
+ manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
@@ -374,8 +399,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
@@ -164205,7 +164358,16 @@ index 4350ba0..48f2468 100644
files_read_etc_files(xenconsoled_t)
files_read_usr_files(xenconsoled_t)
-@@ -413,9 +436,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
+@@ -387,6 +410,8 @@ term_create_pty(xenconsoled_t, xen_devpts_t)
+ term_use_generic_ptys(xenconsoled_t)
+ term_use_console(xenconsoled_t)
+
++auth_read_passwd(xenconsoled_t)
++
+ init_use_fds(xenconsoled_t)
+ init_use_script_ptys(xenconsoled_t)
+
+@@ -413,9 +438,10 @@ manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
# pid file
@@ -164217,7 +164379,7 @@ index 4350ba0..48f2468 100644
# log files
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
-@@ -442,9 +466,11 @@ files_read_etc_files(xenstored_t)
+@@ -442,9 +468,11 @@ files_read_etc_files(xenstored_t)
files_read_usr_files(xenstored_t)
@@ -164229,7 +164391,7 @@ index 4350ba0..48f2468 100644
init_use_fds(xenstored_t)
init_use_script_ptys(xenstored_t)
-@@ -457,96 +483,9 @@ xen_append_log(xenstored_t)
+@@ -457,96 +485,9 @@ xen_append_log(xenstored_t)
########################################
#
@@ -164326,7 +164488,7 @@ index 4350ba0..48f2468 100644
#Should have a boolean wrapping these
fs_list_auto_mountpoints(xend_t)
files_search_mnt(xend_t)
-@@ -559,8 +498,4 @@ optional_policy(`
+@@ -559,8 +500,4 @@ optional_policy(`
fs_manage_nfs_files(xend_t)
fs_read_nfs_symlinks(xend_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 03f4ef0..8f8aec5 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 160%{?dist}
+Release: 161%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -479,6 +479,21 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Nov 21 2012 Miroslav Grepl 3.10.0-161
+- Add commands needed to get mock to build from staff_t in enforcing mode
+- Allow dbus-daemon to read/write inherited removable devices
+- Add storage_rw_inherited_removable_device() interface
+- fetchmail reads /etc/passwd
+- Allow rhnsd to execute bin_t in the caller rhnsd_t domain
+- Allow all daemons and systemprocesses to use inherited initrc_tmp_t files
+- Allow enabling Network Access Point service using blueman
+- Make vmware_host_t as unconfined domain
+- Allow authenticate users in webaccess via squid, using mysql as backend
+- Allow firewalld to read /etc/hosts
+- Backport openshift.te from F18
+- Dontaudit xdm_t to getattr on BOINC lib files
+- Allow chrome and mozilla plugin to connect to msnp ports
+
* Tue Nov 13 2012 Miroslav Grepl 3.10.0-160
- Allow BOINC client to use an HTTP proxy for all connections
- Add labeling for /var/lib/zarafa-webapp