-##
@@ -12781,105 +12900,6 @@ index 64ff4d7..90999af 100644
##
-##
+#
-+interface(`files_search_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ search_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to search generic
-+## spool directories.
-+##
-+##
- ##
--## The type of the object to be created.
-+## Domain to not audit.
- ##
- ##
--##
-+#
-+interface(`files_dontaudit_search_spool',`
-+ gen_require(`
-+ type var_spool_t;
-+ ')
-+
-+ dontaudit $1 var_spool_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
-+## List the contents of generic spool
-+## (/var/spool) directories.
-+##
-+##
- ##
--## The object class of the object being created.
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_list_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool directories (/var/spool).
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_manage_generic_spool_dirs',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ allow $1 var_t:dir search_dir_perms;
-+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Read generic spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`files_read_generic_spool',`
-+ gen_require(`
-+ type var_t, var_spool_t;
-+ ')
-+
-+ list_dirs_pattern($1, var_t, var_spool_t)
-+ read_files_pattern($1, var_spool_t, var_spool_t)
-+')
-+
-+########################################
-+##
-+## Create, read, write, and delete generic
-+## spool files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+interface(`files_manage_generic_spool',`
+ gen_require(`
+ type var_t, var_spool_t;
@@ -12895,12 +12915,15 @@ index 64ff4d7..90999af 100644
+## with a private type with a type transition.
+##
+##
-+##
+ ##
+-## The type of the object to be created.
+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+-##
+##
-+##
+ ##
+-## The object class of the object being created.
+## Type to which the created node will be transitioned.
+##
+##
@@ -13095,7 +13118,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6159,20 +7813,18 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6159,20 +7831,18 @@ interface(`files_pid_filetrans_lock_dir',`
##
##
#
@@ -13121,7 +13144,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6180,19 +7832,17 @@ interface(`files_rw_generic_pids',`
+@@ -6180,19 +7850,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -13145,7 +13168,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6200,18 +7850,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6200,18 +7868,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -13168,7 +13191,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6219,41 +7868,43 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6219,41 +7886,43 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -13226,7 +13249,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6262,67 +7913,55 @@ interface(`files_read_all_pids',`
+@@ -6262,67 +7931,55 @@ interface(`files_read_all_pids',`
##
##
#
@@ -13311,7 +13334,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6330,37 +7969,37 @@ interface(`files_manage_all_pids',`
+@@ -6330,37 +7987,37 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -13360,7 +13383,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6368,186 +8007,169 @@ interface(`files_search_spool',`
+@@ -6368,186 +8025,169 @@ interface(`files_search_spool',`
##
##
#
@@ -13627,7 +13650,7 @@ index 64ff4d7..90999af 100644
##
##
##
-@@ -6555,10 +8177,11 @@ interface(`files_polyinstantiate_all',`
+@@ -6555,10 +8195,11 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -18341,10 +18364,10 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..8c061b9 100644
+index 88d0028..83e6404 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,74 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,78 @@ policy_module(sysadm, 2.5.1)
# Declarations
#
@@ -18421,6 +18444,10 @@ index 88d0028..8c061b9 100644
+userdom_exec_admin_home_files(sysadm_t)
+
+optional_policy(`
++ abrt_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ alsa_filetrans_named_content(sysadm_t)
+')
+
@@ -18430,7 +18457,7 @@ index 88d0028..8c061b9 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,13 +90,7 @@ ifdef(`distro_gentoo',`
+@@ -55,13 +94,7 @@ ifdef(`distro_gentoo',`
init_exec_rc(sysadm_t)
')
@@ -18445,7 +18472,7 @@ index 88d0028..8c061b9 100644
domain_ptrace_all_domains(sysadm_t)
')
-@@ -71,9 +100,9 @@ optional_policy(`
+@@ -71,9 +104,9 @@ optional_policy(`
optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
@@ -18456,7 +18483,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -87,6 +116,7 @@ optional_policy(`
+@@ -87,6 +120,7 @@ optional_policy(`
optional_policy(`
asterisk_stream_connect(sysadm_t)
@@ -18464,7 +18491,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -110,6 +140,10 @@ optional_policy(`
+@@ -110,6 +144,10 @@ optional_policy(`
')
optional_policy(`
@@ -18475,7 +18502,7 @@ index 88d0028..8c061b9 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -122,11 +156,19 @@ optional_policy(`
+@@ -122,11 +160,19 @@ optional_policy(`
')
optional_policy(`
@@ -18497,7 +18524,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -140,6 +182,10 @@ optional_policy(`
+@@ -140,6 +186,10 @@ optional_policy(`
')
optional_policy(`
@@ -18508,7 +18535,7 @@ index 88d0028..8c061b9 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +202,11 @@ optional_policy(`
+@@ -156,11 +206,11 @@ optional_policy(`
')
optional_policy(`
@@ -18522,7 +18549,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -179,6 +225,13 @@ optional_policy(`
+@@ -179,6 +229,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -18536,7 +18563,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -186,15 +239,20 @@ optional_policy(`
+@@ -186,15 +243,20 @@ optional_policy(`
')
optional_policy(`
@@ -18548,19 +18575,19 @@ index 88d0028..8c061b9 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
-+')
-+
-+optional_policy(`
-+ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
++ kudzu_run(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -214,22 +272,20 @@ optional_policy(`
+@@ -214,22 +276,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -18589,7 +18616,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -241,14 +297,27 @@ optional_policy(`
+@@ -241,14 +301,27 @@ optional_policy(`
')
optional_policy(`
@@ -18617,7 +18644,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -256,10 +325,20 @@ optional_policy(`
+@@ -256,10 +329,20 @@ optional_policy(`
')
optional_policy(`
@@ -18638,7 +18665,7 @@ index 88d0028..8c061b9 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +349,36 @@ optional_policy(`
+@@ -270,31 +353,36 @@ optional_policy(`
')
optional_policy(`
@@ -18682,7 +18709,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -319,12 +403,18 @@ optional_policy(`
+@@ -319,12 +407,18 @@ optional_policy(`
')
optional_policy(`
@@ -18702,7 +18729,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -349,7 +439,18 @@ optional_policy(`
+@@ -349,7 +443,18 @@ optional_policy(`
')
optional_policy(`
@@ -18722,7 +18749,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -360,19 +461,15 @@ optional_policy(`
+@@ -360,19 +465,15 @@ optional_policy(`
')
optional_policy(`
@@ -18744,7 +18771,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -384,10 +481,6 @@ optional_policy(`
+@@ -384,10 +485,6 @@ optional_policy(`
')
optional_policy(`
@@ -18755,7 +18782,7 @@ index 88d0028..8c061b9 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +488,9 @@ optional_policy(`
+@@ -395,6 +492,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -18765,7 +18792,7 @@ index 88d0028..8c061b9 100644
')
optional_policy(`
-@@ -402,31 +498,34 @@ optional_policy(`
+@@ -402,31 +502,34 @@ optional_policy(`
')
optional_policy(`
@@ -18806,7 +18833,7 @@ index 88d0028..8c061b9 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +538,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +542,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -18817,7 +18844,7 @@ index 88d0028..8c061b9 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +558,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +562,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -22045,7 +22072,7 @@ index d1f64a0..3be3d00 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..1c8242d 100644
+index 6bf0ecc..d4ed029 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -22293,7 +22320,7 @@ index 6bf0ecc..1c8242d 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +495,24 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +495,34 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
@@ -22306,6 +22333,16 @@ index 6bf0ecc..1c8242d 100644
+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".Xauthority-c")
+ userdom_user_home_dir_filetrans($2, xauth_home_t, file, ".xauth")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:0")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:1")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:2")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:3")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:4")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:5")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:6")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:7")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:8")
++ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-:9")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".xsession-errors-stamped.old")
+ userdom_user_home_dir_filetrans($2, xdm_home_t, file, ".dmrc")
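Review bot: The ten new `.xsession-errors-:0` … `.xsession-errors-:9` transitions in xserver_user_x_domain_template only cover single-digit displays; a session on `:10` or higher (nested or remote X servers) still creates the log with the home directory's default type, so the xdm_home_t handling and the existing `# for .xsession-errors` dontaudit in the same template silently stop applying for that user. Named file transitions cannot take a pattern, so enumeration is the only mechanism available, but that limit should be stated next to the block, e.g. `# named filetrans has no glob: displays :0-:9 only; higher displays fall back to the home dir type`. The template body starts and ends outside this hunk.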
@@ -22320,7 +22357,7 @@ index 6bf0ecc..1c8242d 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +524,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +534,26 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -22350,7 +22387,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -517,6 +575,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +585,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -22358,7 +22395,7 @@ index 6bf0ecc..1c8242d 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -547,6 +606,42 @@ interface(`xserver_domtrans_xauth',`
+@@ -547,6 +616,42 @@ interface(`xserver_domtrans_xauth',`
domtrans_pattern($1, xauth_exec_t, xauth_t)
')
@@ -22401,7 +22438,7 @@ index 6bf0ecc..1c8242d 100644
########################################
##
## Create a Xauthority file in the user home directory.
-@@ -598,6 +693,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +703,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -22409,7 +22446,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -615,7 +711,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +721,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -22418,7 +22455,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -638,6 +734,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +744,25 @@ interface(`xserver_rw_console',`
########################################
##
@@ -22444,7 +22481,7 @@ index 6bf0ecc..1c8242d 100644
## Use file descriptors for xdm.
##
##
-@@ -651,7 +766,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +776,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -22453,7 +22490,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -670,7 +785,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +795,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -22462,7 +22499,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -688,7 +803,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +813,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -22471,7 +22508,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -703,12 +818,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +828,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -22485,7 +22522,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -765,11 +879,71 @@ interface(`xserver_manage_xdm_spool_files',`
+@@ -765,11 +889,71 @@ interface(`xserver_manage_xdm_spool_files',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -22559,7 +22596,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -793,6 +967,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -793,6 +977,25 @@ interface(`xserver_read_xdm_rw_config',`
########################################
##
@@ -22585,7 +22622,7 @@ index 6bf0ecc..1c8242d 100644
## Set the attributes of XDM temporary directories.
##
##
-@@ -806,7 +999,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -806,7 +1009,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -22612,7 +22649,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -846,7 +1057,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -846,7 +1067,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -22640,7 +22677,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -869,6 +1099,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -869,6 +1109,24 @@ interface(`xserver_read_xdm_lib_files',`
########################################
##
@@ -22665,7 +22702,7 @@ index 6bf0ecc..1c8242d 100644
## Make an X session script an entrypoint for the specified domain.
##
##
-@@ -938,7 +1186,26 @@ interface(`xserver_getattr_log',`
+@@ -938,7 +1196,26 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -22693,7 +22730,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -957,7 +1224,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -957,7 +1234,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -22702,7 +22739,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -1004,6 +1271,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -1004,6 +1281,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -22748,7 +22785,7 @@ index 6bf0ecc..1c8242d 100644
## Read xdm temporary files.
##
##
-@@ -1017,7 +1323,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -1017,7 +1333,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -22757,7 +22794,7 @@ index 6bf0ecc..1c8242d 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1079,6 +1385,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1079,6 +1395,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -22800,7 +22837,7 @@ index 6bf0ecc..1c8242d 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1093,7 +1435,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1093,7 +1445,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -22809,7 +22846,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -1111,8 +1453,10 @@ interface(`xserver_domtrans',`
+@@ -1111,8 +1463,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -22821,7 +22858,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -1226,6 +1570,26 @@ interface(`xserver_stream_connect',`
+@@ -1226,6 +1580,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -22848,7 +22885,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -1251,7 +1615,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1251,7 +1625,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -22857,7 +22894,7 @@ index 6bf0ecc..1c8242d 100644
##
##
##
-@@ -1261,13 +1625,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1261,13 +1635,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -22882,7 +22919,7 @@ index 6bf0ecc..1c8242d 100644
')
########################################
-@@ -1284,10 +1658,577 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1668,577 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -31789,7 +31826,7 @@ index e8c59a5..ea56d23 100644
')
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 9fe8e01..06fa481 100644
+index 9fe8e01..fa82aac 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -9,11 +9,13 @@ ifdef(`distro_gentoo',`
@@ -31808,7 +31845,7 @@ index 9fe8e01..06fa481 100644
ifdef(`distro_redhat',`
/etc/sysconfig/clock -- gen_context(system_u:object_r:locale_t,s0)
-@@ -37,11 +39,6 @@ ifdef(`distro_redhat',`
+@@ -37,14 +39,10 @@ ifdef(`distro_redhat',`
/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
@@ -31820,7 +31857,19 @@ index 9fe8e01..06fa481 100644
/usr/man(/.*)? gen_context(system_u:object_r:man_t,s0)
/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -77,7 +74,7 @@ ifdef(`distro_redhat',`
++/usr/share/pki/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+@@ -53,6 +51,7 @@ ifdef(`distro_redhat',`
+ /usr/share/X11/locale(/.*)? gen_context(system_u:object_r:locale_t,s0)
+ /usr/share/zoneinfo(/.*)? gen_context(system_u:object_r:locale_t,s0)
+
++/usr/share/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
+ /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
+
+@@ -77,7 +76,7 @@ ifdef(`distro_redhat',`
/var/cache/fontconfig(/.*)? gen_context(system_u:object_r:fonts_cache_t,s0)
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
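Review bot: `/usr/share/pki/ca-certificates(/.*)?` added under `/usr/share/ca-certificates` is already covered by the `/usr/share/pki(/.*)?` entry added a few lines later, since both label cert_t; keep the broad entry only, otherwise the two will be maintained separately for no effect. Placing the broad entry beside `/usr/share/ssl/certs` is the right spot. Note that cert_t is also the type of `/usr/share/ssl/private` on the line below, so anything a package drops under /usr/share/pki becomes readable by every domain with generic cert read access; if only public CA bundles are expected there, a one-line `# public CA bundles only; no private keys expected under /usr/share/pki` comment would make that intent checkable.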
@@ -31829,7 +31878,7 @@ index 9fe8e01..06fa481 100644
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-@@ -90,6 +87,7 @@ ifdef(`distro_debian',`
+@@ -90,6 +89,7 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@@ -32460,7 +32509,7 @@ index 72c746e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..300c3f7 100644
+index 4584457..0755e25 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -32559,7 +32608,7 @@ index 4584457..300c3f7 100644
+ type mount_var_run_t;
+ ')
+
-+ allow $1 mount_var_run_t:file read_file_perms;
++ read_files_pattern($1, mount_var_run_t, mount_var_run_t)
+ files_search_pids($1)
+')
+
@@ -32748,7 +32797,7 @@ index 4584457..300c3f7 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..bfb146f 100644
+index 6a50270..ac90315 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -32945,7 +32994,7 @@ index 6a50270..bfb146f 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,16 +187,19 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +187,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -32960,6 +33009,8 @@ index 6a50270..bfb146f 100644
seutil_read_config(mount_t)
++systemd_passwd_agent_domtrans(mount_t)
++
userdom_use_all_users_fds(mount_t)
+userdom_manage_user_home_content_dirs(mount_t)
+userdom_read_user_home_content_symlinks(mount_t)
@@ -32967,7 +33018,7 @@ index 6a50270..bfb146f 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +215,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +217,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -33007,7 +33058,7 @@ index 6a50270..bfb146f 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +249,8 @@ optional_policy(`
+@@ -179,6 +251,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -33016,7 +33067,7 @@ index 6a50270..bfb146f 100644
')
optional_policy(`
-@@ -186,6 +258,36 @@ optional_policy(`
+@@ -186,6 +260,36 @@ optional_policy(`
')
optional_policy(`
@@ -33053,7 +33104,7 @@ index 6a50270..bfb146f 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +296,124 @@ optional_policy(`
+@@ -194,24 +298,124 @@ optional_policy(`
')
optional_policy(`
@@ -34672,10 +34723,10 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..2fa1253 100644
+index 346a7cc..b44bb0c 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
-@@ -17,14 +17,15 @@ ifdef(`distro_debian',`
+@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
/etc/dhclient.*conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -34692,8 +34743,11 @@ index 346a7cc..2fa1253 100644
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
- /etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
+-/etc/dhcp3(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
++/etc/dhcp3?(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
+
+ ifdef(`distro_redhat',`
@@ -55,6 +56,20 @@ ifdef(`distro_redhat',`
#
# /usr
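Review bot: Widening `/etc/dhcp3(/.*)?` to `/etc/dhcp3?(/.*)?` makes the surviving `/etc/dhcp3?/dhclient.*` line directly below it redundant (both yield dhcp_etc_t); drop it so the two entries are not maintained separately. The widened entry also relabels everything under /etc/dhcp, including any server-side config kept there, unless a longer-stem entry in another module (dhcp.fc, not in this page) still claims those files — worth checking with `matchpathcon` on the affected paths before and after. dhcp_etc_t is the same type this file gives `/etc/dhclient-script`, i.e. content the dhclient domain executes, so accidentally pulling unrelated config under that label is a behavior change rather than a cosmetic one.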
@@ -35397,12 +35451,29 @@ index 0000000..4e12420
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..fc080a1
+index 0000000..ab20e2f
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,1064 @@
+@@ -0,0 +1,1081 @@
+## SELinux policy for systemd components
+
++######################################
++##
++## Create a domain for processes which are started
++## exuting systemctl.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_stub_unit_file',`
++ gen_require(`
++ type systemd_unit_file_t;
++ ')
++')
++
+#######################################
+##
+## Create a domain for processes which are started
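Review bot: The doc block for the new `systemd_stub_unit_file` interface ("Create a domain for processes which are started exuting systemctl", typo included) describes a domain-creating template, which this interface is not — it only `gen_require`s systemd_unit_file_t and grants nothing; the heading at the bottom of this hunk begins with the same sentence, so it looks copied from the interface that follows. Document what the stub actually does so nobody calls it expecting access: `## Stub interface: require systemd_unit_file_t without granting any permission. Use from modules that only need the type declared (e.g. for their own rules or dontaudits).`, and replace the "Domain allowed access" parameter text with `## Unused; accepted for uniformity with other interfaces.` or drop the parameter block. Fix `exuting` -> `executing` while here.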
@@ -36467,10 +36538,10 @@ index 0000000..fc080a1
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..dd93187
+index 0000000..4d56107
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,639 @@
+@@ -0,0 +1,641 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -36950,6 +37021,8 @@ index 0000000..dd93187
+
+userdom_dbus_send_all_users(systemd_localed_t)
+
++xserver_manage_config(systemd_localed_t)
++
+optional_policy(`
+ dbus_connect_system_bus(systemd_localed_t)
+ dbus_system_bus_client(systemd_localed_t)
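Review bot: `xserver_manage_config(systemd_localed_t)` grants create/write/delete over every file of the X server config type to systemd-localed, with no comment on which file it writes; localed is a small D-Bus service that should touch at most its own generated keyboard snippet. If the only write is the keyboard drop-in, say so and consider whether a narrower rule (a named file transition to a localed-owned type plus manage on that type) would do: `# localed regenerates the xorg.conf.d keyboard snippet from the keymap settings -- TODO confirm no other xserver config is written`. The call sits above the dbus `optional_policy` block, which is consistent with xserver being a base module in this patch, so no `optional_policy` wrapper is needed.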
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f271bb8..fe16da6 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -64,7 +64,7 @@ index e4f84de..94697ea 100644
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
diff --git a/abrt.if b/abrt.if
-index 058d908..b7620e3 100644
+index 058d908..702b716 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -156,7 +156,7 @@ index 058d908..b7620e3 100644
##
##
##
-@@ -154,17 +174,54 @@ interface(`abrt_domtrans_helper',`
+@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',`
#
interface(`abrt_run_helper',`
gen_require(`
@@ -186,55 +186,55 @@ index 058d908..b7620e3 100644
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-+')
-+
-+########################################
-+##
-+## Append abrt cache
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`abrt_append_cache',`
-+ gen_require(`
-+ type abrt_var_cache_t;
-+ ')
-+
-+
-+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## abrt cache files.
-+## Read/Write inherited abrt cache
++## Append abrt cache
##
##
##
-@@ -172,15 +229,18 @@ interface(`abrt_run_helper',`
+@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
##
##
#
-interface(`abrt_cache_manage',`
- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
- abrt_manage_cache($1)
-+interface(`abrt_rw_inherited_cache',`
++interface(`abrt_append_cache',`
+ gen_require(`
+ type abrt_var_cache_t;
+ ')
+
+
-+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
++ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## abrt cache content.
++## Read/Write inherited abrt cache
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_rw_inherited_cache',`
++ gen_require(`
++ type abrt_var_cache_t;
++ ')
++
++
++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
++')
++
++########################################
++##
+## Manage abrt cache
##
##
@@ -329,7 +329,7 @@ index 058d908..b7620e3 100644
##
##
##
-@@ -288,39 +387,146 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',`
##
##
##
@@ -470,7 +470,7 @@ index 058d908..b7620e3 100644
+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
-+')
+ ')
+
+########################################
+##
@@ -488,9 +488,35 @@ index 058d908..b7620e3 100644
+ ')
+
+ dontaudit $1 abrt_t:sock_file write;
- ')
++')
++
++########################################
++##
++## Transition to abrt named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`abrt_filetrans_named_content',`
++ gen_require(`
++ type abrt_tmp_t;
++ type abrt_etc_t;
++ type abrt_var_cache_t;
++ type abrt_var_run_t;
++ ')
++
++ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
++ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
++ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
++ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
++ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
++')
++
diff --git a/abrt.te b/abrt.te
-index cc43d25..304203f 100644
+index cc43d25..0842350 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
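Review bot: In the new `abrt_filetrans_named_content`, `files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")` transitions a directory named `abrt-dix`; the abrt debuginfo cache is conventionally `/var/cache/abrt-di`, and abrt.fc is not in this page, so verify the name against the fc entry — a named transition that matches no real directory never fires, while an fc entry with no matching transition leaves a freshly created directory with the parent's type until restorecon. `files_var_filetrans` also keys on any var_t parent, so an admin creating `abrt` anywhere under /var (not only /var/cache) gets abrt_var_cache_t; a comment naming the intended paths would make that reviewable. The `gen_require` could be one `type abrt_tmp_t, abrt_etc_t, abrt_var_cache_t, abrt_var_run_t;` line, as the base policy's interfaces in this patch do.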
@@ -909,7 +935,7 @@ index cc43d25..304203f 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,30 +406,37 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,30 +406,38 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -921,6 +947,7 @@ index cc43d25..304203f 100644
+optional_policy(`
+ mock_domtrans(abrt_retrace_worker_t)
++ mock_manage_lib_files(abrt_t)
+')
+
########################################
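Review bot: `mock_manage_lib_files(abrt_t)` is added inside the `optional_policy` block of the abrt_retrace_worker_t section, next to `mock_domtrans(abrt_retrace_worker_t)`, but its subject is the daemon domain abrt_t rather than the worker; either the subject is wrong or the rule belongs in the abrt_t section. Manage on mock's lib content (presumably the build chroots) lets that domain rewrite what mock later builds in, so it should go to the domain that actually produced the denial — confirm from the AVC before merging. If abrt_t is intended, move the line to abrt_t's own `optional_policy` block and add a why-comment such as `# abrtd cleans up mock chroots left by retrace -- TODO confirm`.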
@@ -950,7 +977,7 @@ index cc43d25..304203f 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +445,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
@@ -968,7 +995,7 @@ index cc43d25..304203f 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +462,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +463,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -7322,10 +7349,10 @@ index 089430a..7cd037b 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index a579c3b..e8961f7 100644
+index a579c3b..512d6b1 100644
--- a/automount.te
+++ b/automount.te
-@@ -22,6 +22,9 @@ type automount_tmp_t;
+@@ -22,12 +22,16 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
@@ -7335,7 +7362,15 @@ index a579c3b..e8961f7 100644
########################################
#
# Local policy
-@@ -62,7 +65,6 @@ kernel_dontaudit_search_xen_state(automount_t)
+ #
+
+-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
++allow automount_t self:capability2 block_suspend;
+ dontaudit automount_t self:capability sys_tty_config;
+ allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
+ allow automount_t self:fifo_file rw_fifo_file_perms;
+@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
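Review bot: The removed and re-added `allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };` lines are identical as rendered here, so that rewrite is presumably whitespace only; the real change is the new `allow automount_t self:capability2 block_suspend;`. Drop the no-op rewrite so the hunk shows only the addition, and give the new capability a why-comment since it is not obvious from the daemon's job, e.g. `# block_suspend: automount holds a wakeup source while a mount expiry is pending -- TODO confirm against the AVC`. automount_t's local policy continues outside this hunk.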
@@ -7343,7 +7378,7 @@ index a579c3b..e8961f7 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -96,7 +98,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
@@ -7351,7 +7386,7 @@ index a579c3b..e8961f7 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +131,18 @@ auth_use_nsswitch(automount_t)
+@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -9706,10 +9741,10 @@ index 2354e21..bec6c06 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..7c0b1be 100644
+index 403af41..68a5e26 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t;
+@@ -21,27 +21,29 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
@@ -9740,7 +9775,10 @@ index 403af41..7c0b1be 100644
+userdom_dontaudit_list_admin_dir(certwatch_t)
optional_policy(`
++ apache_exec(certwatch_t)
apache_exec_modules(certwatch_t)
+ apache_read_config(certwatch_t)
+ ')
diff --git a/cfengine.if b/cfengine.if
index a731122..5279d4e 100644
--- a/cfengine.if
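Review bot: `apache_exec(certwatch_t)` runs the httpd binary inside certwatch_t with no domain transition, so httpd's code executes with certwatch's own privileges rather than in the apache domain; the changelog only says "Allow certwatch to execut /usr/bin/httpd". A comment stating the purpose, presumably a module/config check alongside the existing `apache_exec_modules` call, would make clear that the absence of a transition is intentional, e.g. `# certwatch invokes httpd directly to inspect its module configuration; no transition intended`. The enclosing optional_policy block starts outside this hunk.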
@@ -9899,7 +9937,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index fdee107..eb7a3ac 100644
+index fdee107..7a38b63 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -9945,10 +9983,10 @@ index fdee107..eb7a3ac 100644
#
# cgred local policy
#
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
++allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
-+
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
@@ -15987,7 +16025,7 @@ index 06da9a0..ca832e1 100644
+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..45fe9a0 100644
+index 9f34c2e..3b03f21 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -16209,7 +16247,7 @@ index 9f34c2e..45fe9a0 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -215,16 +246,16 @@ files_read_world_readable_files(cupsd_t)
+@@ -215,16 +246,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -16225,10 +16263,11 @@ index 9f34c2e..45fe9a0 100644
fs_search_fusefs(cupsd_t)
fs_read_anon_inodefs_files(cupsd_t)
+fs_rw_anon_inodefs_files(cupsd_t)
++fs_rw_inherited_tmpfs_files(cupsd_t)
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -235,6 +266,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -235,6 +267,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
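Review bot: `fs_rw_inherited_tmpfs_files(cupsd_t)` grants write as well as read on inherited tmpfs file descriptors, while the changelog entry says only that cups needs to read tmpfs it inherits from the kernel. If the fs module provides a read-only interface for inherited tmpfs files, that would be the tighter grant; if write access is genuinely needed, record it so the rule is not narrowed later by mistake, e.g. `# cupsd inherits tmpfs fds from the kernel and must read and write them`. The cupsd_t rule block continues on both sides of this hunk.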
@@ -16237,7 +16276,7 @@ index 9f34c2e..45fe9a0 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +280,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -247,21 +281,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -16263,7 +16302,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +307,8 @@ optional_policy(`
+@@ -275,6 +308,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -16272,7 +16311,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +319,10 @@ optional_policy(`
+@@ -285,8 +320,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -16283,7 +16322,7 @@ index 9f34c2e..45fe9a0 100644
')
')
-@@ -299,8 +335,8 @@ optional_policy(`
+@@ -299,8 +336,8 @@ optional_policy(`
')
optional_policy(`
@@ -16293,7 +16332,7 @@ index 9f34c2e..45fe9a0 100644
')
optional_policy(`
-@@ -309,7 +345,6 @@ optional_policy(`
+@@ -309,7 +346,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -16301,7 +16340,7 @@ index 9f34c2e..45fe9a0 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +372,7 @@ optional_policy(`
+@@ -337,7 +373,7 @@ optional_policy(`
')
optional_policy(`
@@ -16310,7 +16349,7 @@ index 9f34c2e..45fe9a0 100644
')
########################################
-@@ -345,11 +380,9 @@ optional_policy(`
+@@ -345,11 +381,9 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -16324,7 +16363,7 @@ index 9f34c2e..45fe9a0 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +408,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -375,18 +409,15 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -16344,7 +16383,7 @@ index 9f34c2e..45fe9a0 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +425,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -395,20 +426,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -16365,7 +16404,7 @@ index 9f34c2e..45fe9a0 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +442,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -420,11 +443,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -16377,7 +16416,7 @@ index 9f34c2e..45fe9a0 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +469,12 @@ optional_policy(`
+@@ -452,9 +470,12 @@ optional_policy(`
')
optional_policy(`
@@ -16391,7 +16430,7 @@ index 9f34c2e..45fe9a0 100644
')
optional_policy(`
-@@ -490,10 +510,6 @@ optional_policy(`
+@@ -490,10 +511,6 @@ optional_policy(`
# Lpd local policy
#
@@ -16402,7 +16441,7 @@ index 9f34c2e..45fe9a0 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +527,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -511,31 +528,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -16435,7 +16474,7 @@ index 9f34c2e..45fe9a0 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +553,6 @@ optional_policy(`
+@@ -546,7 +554,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -16443,7 +16482,7 @@ index 9f34c2e..45fe9a0 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,17 +568,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -562,17 +569,8 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -16461,7 +16500,7 @@ index 9f34c2e..45fe9a0 100644
userdom_manage_user_home_content_dirs(cups_pdf_t)
userdom_manage_user_home_content_files(cups_pdf_t)
userdom_home_filetrans_user_home_dir(cups_pdf_t)
-@@ -582,128 +579,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -582,128 +580,12 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(cups_pdf_t)
')
@@ -16592,7 +16631,7 @@ index 9f34c2e..45fe9a0 100644
########################################
#
-@@ -731,7 +612,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +613,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -16600,7 +16639,7 @@ index 9f34c2e..45fe9a0 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +621,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -741,13 +622,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -16614,7 +16653,7 @@ index 9f34c2e..45fe9a0 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +633,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +634,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -19262,7 +19301,7 @@ index 0000000..332a1c9
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 0000000..a3d076f
+index 0000000..ab083cf
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,144 @@
@@ -19300,7 +19339,7 @@ index 0000000..a3d076f
+#
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
-+allow dirsrvadmin_t self:process setrlimit;
++allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
@@ -23047,7 +23086,7 @@ index d062080..e098a40 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..2f7de33 100644
+index e50f33c..5e6cdb8 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -23068,16 +23107,23 @@ index e50f33c..2f7de33 100644
##
##
-@@ -30,7 +30,7 @@ gen_tunable(allow_ftpd_full_access, false)
+@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
## used for public file transfer services.
##
##
-gen_tunable(allow_ftpd_use_cifs, false)
+gen_tunable(ftpd_use_cifs, false)
++
++##
++##
++## Allow samba to export ntfs/fusefs volumes.
++##
++##
++gen_tunable(ftpd_use_fusefs, false)
##
##
-@@ -38,7 +38,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
+@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
## used for public file transfer services.
##
##
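Review bot: The description of the new `ftpd_use_fusefs` tunable is a copy-paste from another daemon's policy: `## Allow samba to export ntfs/fusefs volumes.` names samba, but the boolean gates access for ftpd_t (the tunable_policy block added later in this file grants it fs_manage_fusefs_dirs/files). Change it to something like `## Allow ftpd to read and write files on ntfs/fusefs volumes.` so that administrators listing booleans see which daemon they are enabling. Because the grant is manage rather than read, the description should say so rather than just "use".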
@@ -23086,7 +23132,7 @@ index e50f33c..2f7de33 100644
##
##
-@@ -124,6 +124,9 @@ files_config_file(ftpd_etc_t)
+@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
type ftpd_initrc_exec_t;
init_script_file(ftpd_initrc_exec_t)
@@ -23096,7 +23142,7 @@ index e50f33c..2f7de33 100644
type ftpd_lock_t;
files_lock_file(ftpd_lock_t)
-@@ -179,6 +182,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
+@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -23106,7 +23152,7 @@ index e50f33c..2f7de33 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -201,14 +207,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
@@ -23122,7 +23168,7 @@ index e50f33c..2f7de33 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -23136,7 +23182,7 @@ index e50f33c..2f7de33 100644
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
-@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -23144,7 +23190,7 @@ index e50f33c..2f7de33 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -254,32 +261,42 @@ sysnet_use_ldap(ftpd_t)
+@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -23167,6 +23213,13 @@ index e50f33c..2f7de33 100644
')
-tunable_policy(`allow_ftpd_use_nfs',`
++tunable_policy(`ftpd_use_fusefs',`
++ fs_manage_fusefs_dirs(ftpd_t)
++ fs_manage_fusefs_files(ftpd_t)
++',`
++ fs_search_fusefs(ftpd_t)
++')
++
+tunable_policy(`ftpd_use_nfs',`
fs_read_nfs_files(ftpd_t)
fs_read_nfs_symlinks(ftpd_t)
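Review bot: The `ftpd_use_fusefs` branch grants `fs_manage_fusefs_dirs(ftpd_t)` and `fs_manage_fusefs_files(ftpd_t)` (create, write, delete), whereas the neighbouring `ftpd_use_nfs` branch visible here grants only `fs_read_nfs_files`/`fs_read_nfs_symlinks`. If the intent is parity with the NFS/CIFS booleans, a read-only pair would be the tighter default and write access could stay behind the existing full-access tunable; if manage is intended, the tunable's description should state that. The tunable section of ftp.te continues outside this hunk, so the NFS branch may grant more than what is visible.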
@@ -23194,7 +23247,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +316,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,9 +330,9 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -23207,7 +23260,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -309,12 +326,9 @@ tunable_policy(`ftp_home_dir',`
+@@ -309,12 +340,9 @@ tunable_policy(`ftp_home_dir',`
userdom_manage_user_home_content_dirs(ftpd_t)
userdom_manage_user_home_content_files(ftpd_t)
@@ -23220,7 +23273,7 @@ index e50f33c..2f7de33 100644
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
')
-@@ -360,7 +374,7 @@ optional_policy(`
+@@ -360,7 +388,7 @@ optional_policy(`
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
@@ -23229,7 +23282,7 @@ index e50f33c..2f7de33 100644
')
optional_policy(`
-@@ -410,21 +424,20 @@ optional_policy(`
+@@ -410,21 +438,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -23253,7 +23306,7 @@ index e50f33c..2f7de33 100644
miscfiles_read_public_files(anon_sftpd_t)
-@@ -437,23 +450,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
@@ -23294,7 +23347,7 @@ index e50f33c..2f7de33 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,21 +499,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -36754,7 +36807,7 @@ index 6194b80..648d041 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..4c1c064 100644
+index 6a306ee..8faac8d 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -37013,10 +37066,10 @@ index 6a306ee..4c1c064 100644
-userdom_manage_user_home_content_dirs(mozilla_t)
-userdom_manage_user_home_content_files(mozilla_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
--
--userdom_write_user_tmp_sockets(mozilla_t)
+userdom_use_inherited_user_ptys(mozilla_t)
+-userdom_write_user_tmp_sockets(mozilla_t)
+-
-mozilla_run_plugin(mozilla_t, mozilla_roles)
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
@@ -37179,7 +37232,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -300,221 +308,171 @@ optional_policy(`
+@@ -300,221 +308,173 @@ optional_policy(`
########################################
#
@@ -37434,7 +37487,8 @@ index 6a306ee..4c1c064 100644
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
-userdom_manage_user_home_content_files(mozilla_plugin_t)
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
--
++systemd_read_logind_sessions_files(mozilla_plugin_t)
+
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
+term_getattr_all_ttys(mozilla_plugin_t)
+term_getattr_all_ptys(mozilla_plugin_t)
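Review bot: `systemd_read_logind_sessions_files(mozilla_plugin_t)` is added to the unconditional part of the domain's policy rather than inside an `optional_policy(`` block, unlike the other cross-module calls in this file. If the systemd module is optional in this policy build the call should be wrapped so mozilla still links without it; if systemd is in the base policy here, a one-line comment such as `# pulseaudio running under mozilla_plugin_t reads /run/systemd/users/1000 (see changelog)` would document why a browser plugin needs logind session state. The mozilla_plugin_t rule block continues outside this hunk.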
@@ -37494,7 +37548,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -523,36 +481,47 @@ optional_policy(`
+@@ -523,36 +483,47 @@ optional_policy(`
')
optional_policy(`
@@ -37555,7 +37609,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -560,7 +529,7 @@ optional_policy(`
+@@ -560,7 +531,7 @@ optional_policy(`
')
optional_policy(`
@@ -37564,7 +37618,7 @@ index 6a306ee..4c1c064 100644
')
optional_policy(`
-@@ -568,108 +537,108 @@ optional_policy(`
+@@ -568,108 +539,108 @@ optional_policy(`
')
optional_policy(`
@@ -43241,7 +43295,7 @@ index 46e55c3..346242e 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index 3e4a31c..0d16edc 100644
+index 3e4a31c..bd8e3ff 100644
--- a/nis.te
+++ b/nis.te
@@ -1,12 +1,10 @@
@@ -43431,7 +43485,7 @@ index 3e4a31c..0d16edc 100644
sysnet_read_config(yppasswdd_t)
-@@ -219,6 +215,10 @@ optional_policy(`
+@@ -219,6 +215,14 @@ optional_policy(`
')
optional_policy(`
@@ -43439,10 +43493,14 @@ index 3e4a31c..0d16edc 100644
+')
+
+optional_policy(`
++ nis_use_ypbind(yppasswdd_t)
++')
++
++optional_policy(`
seutil_sigchld_newrole(yppasswdd_t)
')
-@@ -234,7 +234,8 @@ optional_policy(`
+@@ -234,7 +238,8 @@ optional_policy(`
dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
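Review bot: `nis_use_ypbind(yppasswdd_t)` is wrapped in `optional_policy(``, but yppasswdd_t and nis_use_ypbind belong to the nis module itself, so the interface is always present when this file builds and the optional wrapper only adds a no-op conditional. Either call it directly or, if this policy follows the convention of not calling a module's own interfaces, inline the rules it expands to. The other optional_policy blocks in this hunk reference external modules and are fine as they are.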
@@ -43452,7 +43510,7 @@ index 3e4a31c..0d16edc 100644
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
-@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+@@ -254,7 +259,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
@@ -43460,7 +43518,7 @@ index 3e4a31c..0d16edc 100644
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
+@@ -264,31 +268,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
@@ -43498,7 +43556,7 @@ index 3e4a31c..0d16edc 100644
nis_domtrans_ypxfr(ypserv_t)
-@@ -310,8 +306,8 @@ optional_policy(`
+@@ -310,8 +310,8 @@ optional_policy(`
# ypxfr local policy
#
@@ -43509,7 +43567,7 @@ index 3e4a31c..0d16edc 100644
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+@@ -326,7 +326,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
@@ -43517,7 +43575,7 @@ index 3e4a31c..0d16edc 100644
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
+@@ -336,23 +335,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
@@ -48167,10 +48225,10 @@ index 0000000..407386d
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..45e60e5
+index 0000000..894ce1c
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,526 @@
+@@ -0,0 +1,530 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -48694,6 +48752,10 @@ index 0000000..45e60e5
+')
+
+optional_policy(`
++ quota_read_db(openshift_cron_t)
++')
++
++optional_policy(`
+ ssh_exec_keygen(openshift_cron_t)
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
+')
@@ -67547,10 +67609,10 @@ index c49828c..a323332 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..cba31f2 100644
+index ebe91fc..54fe358 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,68 @@
+@@ -1,61 +1,69 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -67573,6 +67635,7 @@ index ebe91fc..cba31f2 100644
+/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
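Review bot: Labeling `/usr/bin/repoquery` as `rpm_exec_t` makes a read-only query tool transition into rpm_t, which typically carries the full package-management privileges that rpm and yum need. If repoquery only reads the rpm database and repository metadata, confirm that running it in rpm_t is required rather than leaving it in the caller's domain; the changelog records the labeling but not the reason. A comment above the entry such as `# repoquery runs as rpm_t because <reason>` (placeholder) would help the next reviewer.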
@@ -81291,10 +81354,10 @@ index 0000000..bfcd2c7
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..aaf768a
+index 0000000..49cd645
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,138 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -81389,6 +81452,7 @@ index 0000000..aaf768a
+userdom_dontaudit_setattr_user_tmp(thumb_t)
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
++userdom_exec_user_home_content_files(thumb_t)
+userdom_write_user_tmp_files(thumb_t)
+userdom_read_home_audio_files(thumb_t)
+userdom_home_reader(thumb_t)
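Review bot: `userdom_exec_user_home_content_files(thumb_t)` lets the thumbnailer execute arbitrary files from user home directories, which works against the point of confining thumbnailers that parse untrusted downloads: a file placed in the home directory could be run in thumb_t rather than merely read. If a particular thumbnailer needs this (the changelog gives no reason), consider gating it behind a tunable that defaults to off or narrowing the grant to the executable types actually involved, and add a comment naming the consumer, e.g. `# <thumbnailer> needs to run helper scripts from the user's home; see <bug id>` (placeholders). The thumb_t rule block continues outside this hunk.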
@@ -82322,7 +82386,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..0bd0be9 100644
+index 7116181..7a80e6d 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -82335,9 +82399,12 @@ index 7116181..0bd0be9 100644
type tuned_var_run_t;
files_pid_file(tuned_var_run_t)
-@@ -31,8 +34,10 @@ files_pid_file(tuned_var_run_t)
+@@ -29,10 +32,12 @@ files_pid_file(tuned_var_run_t)
+ # Local policy
+ #
- allow tuned_t self:capability { sys_admin sys_nice };
+-allow tuned_t self:capability { sys_admin sys_nice };
++allow tuned_t self:capability { sys_admin sys_nice sys_rawio };
dontaudit tuned_t self:capability { dac_override sys_tty_config };
-allow tuned_t self:process { setsched signal };
+allow tuned_t self:process { setsched signal };
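Review bot: `sys_rawio` is a broad capability (raw I/O port and certain device ioctl access) and the hunk adds it to tuned_t without a comment; the changelog only says "Tuned wants sys_rawio capability". Record which tuned plugin or operation triggers it next to the rule, e.g. `# sys_rawio: needed by the <plugin> plugin for <operation>` (placeholders), and if the access is merely probed rather than required, a `dontaudit` would be the tighter choice. The tuned_t local-policy block continues outside this hunk.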
@@ -85620,7 +85687,7 @@ index 9dec06c..b991ec7 100644
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..7b17f67 100644
+index 1f22fba..64e638c 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,98 @@
@@ -85916,7 +85983,9 @@ index 1f22fba..7b17f67 100644
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-
-kernel_read_system_state(virt_domain)
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-fs_getattr_xattr_fs(virt_domain)
-
-corecmd_exec_bin(virt_domain)
@@ -86034,15 +86103,17 @@ index 1f22fba..7b17f67 100644
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-optional_policy(`
- tunable_policy(`virt_use_xserver',`
- xserver_read_xdm_pid(virt_domain)
- xserver_stream_connect(virt_domain)
- ')
-')
+-
+-optional_policy(`
+- dbus_read_lib_files(virt_domain)
+-')
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
@@ -86052,24 +86123,20 @@ index 1f22fba..7b17f67 100644
+corenet_tcp_connect_all_ports(svirt_t)
-optional_policy(`
-- dbus_read_lib_files(virt_domain)
+- nscd_use(virt_domain)
-')
+miscfiles_read_generic_certs(svirt_t)
optional_policy(`
-- nscd_use(virt_domain)
+- samba_domtrans_smbd(virt_domain)
+ xen_rw_image_files(svirt_t)
')
optional_policy(`
-- samba_domtrans_smbd(virt_domain)
+- xen_rw_image_files(virt_domain)
+ nscd_use(svirt_t)
')
--optional_policy(`
-- xen_rw_image_files(virt_domain)
--')
--
-########################################
+#######################################
#
@@ -86089,7 +86156,9 @@ index 1f22fba..7b17f67 100644
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
-
-corenet_udp_sendrecv_generic_if(svirt_t)
@@ -86111,9 +86180,7 @@ index 1f22fba..7b17f67 100644
-corenet_sendrecv_all_server_packets(svirt_t)
-corenet_udp_bind_all_ports(svirt_t)
-corenet_tcp_bind_all_ports(svirt_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_sendrecv_all_client_packets(svirt_t)
-corenet_tcp_connect_all_ports(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -86241,16 +86308,16 @@ index 1f22fba..7b17f67 100644
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
--stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
--
--can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
+-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+-
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -86489,7 +86556,7 @@ index 1f22fba..7b17f67 100644
+# virtual domains common policy
+#
+allow virt_domain self:capability2 compromise_kernel;
-+allow virt_domain self:process { setrlimit signal_perms getsched };
++allow virt_domain self:process { setrlimit signal_perms getsched setsched };
+allow virt_domain self:fifo_file rw_fifo_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
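Review bot: `setsched` is added to virt_domain's self:process permissions without a comment, and virt_domain is an attribute shared by every guest type, so the reason will not be obvious later. The changelog says it is for running gdb on a guest process from within the same domain; put that inline, e.g. `# setsched: lets a virt domain run gdb on itself`. The virt_domain common-policy block continues outside this hunk.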
@@ -86776,12 +86843,12 @@ index 1f22fba..7b17f67 100644
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
-
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-
+-allow virsh_t svirt_lxc_domain:process transition;
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
--allow virsh_t svirt_lxc_domain:process transition;
--
-can_exec(virsh_t, virsh_exec_t)
-
-virt_domtrans(virsh_t)
@@ -86928,11 +86995,13 @@ index 1f22fba..7b17f67 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +959,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +959,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
+files_associate_rootfs(svirt_lxc_file_t)
++
++seutil_read_file_contexts(virtd_lxc_t)
storage_manage_fixed_disk(virtd_lxc_t)
+storage_rw_fuse(virtd_lxc_t)
@@ -86944,7 +87013,7 @@ index 1f22fba..7b17f67 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,10 +979,8 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +981,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -86955,7 +87024,7 @@ index 1f22fba..7b17f67 100644
files_relabel_rootfs(virtd_lxc_t)
files_mounton_non_security(virtd_lxc_t)
files_mount_all_file_type_fs(virtd_lxc_t)
-@@ -944,6 +988,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
+@@ -944,6 +990,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t)
files_list_isid_type_dirs(virtd_lxc_t)
files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
@@ -86963,7 +87032,7 @@ index 1f22fba..7b17f67 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,15 +1000,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -955,15 +1002,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -86982,7 +87051,7 @@ index 1f22fba..7b17f67 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1014,35 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,21 +1016,36 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -87020,12 +87089,14 @@ index 1f22fba..7b17f67 100644
#
-
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
+-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot ipc_lock };
+allow svirt_lxc_domain self:key manage_key_perms;
- allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
++allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid setrlimit };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,18 +1051,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+ allow svirt_lxc_domain self:shm create_shm_perms;
+@@ -995,18 +1053,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -87052,7 +87123,7 @@ index 1f22fba..7b17f67 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1069,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1071,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -87071,7 +87142,7 @@ index 1f22fba..7b17f67 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1088,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1090,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -87098,7 +87169,7 @@ index 1f22fba..7b17f67 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,96 +1113,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,96 +1115,90 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -87234,7 +87305,7 @@ index 1f22fba..7b17f67 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1209,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1211,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -87249,7 +87320,7 @@ index 1f22fba..7b17f67 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1227,8 @@ optional_policy(`
+@@ -1183,9 +1229,8 @@ optional_policy(`
########################################
#
@@ -87260,7 +87331,7 @@ index 1f22fba..7b17f67 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1241,70 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1243,70 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f29b1cc..f1fce32 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 22%{?dist}
+Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -526,6 +526,40 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Mar 26 2013 Miroslav Grepl 3.12.1-23
+- Allow abrt to manage mock build environments to catch build problems.
+- Allow virt_domains to setsched for running gdb on itself
+- Allow thumb_t to execute user home content
+- Allow pulseaudio running as mozilla_plugin_t to read /run/systemd/users/1000
+- Allow certwatch to execut /usr/bin/httpd
+- Allow cgred to send signal perms to itself, needs back port to RHEL6
+- Allow openshift_cron_t to look at quota
+- Allow cups_t to read inhered tmpfs_t from the kernel
+- Allow yppasswdd to use NIS
+- Tuned wants sys_rawio capability
+- Add ftpd_use_fusefs boolean
+- Allow dirsrvadmin_t to signal itself
+- block_suspend is capability2
+- label /usr/bin/repoquery as rpm_exec_t
+- Allow automount to block suspend
+- Add abrt_filetrans_named_content so that abrt directories get labeled correctly
+- Allow virt domains to setrlimit and read file_context
+- Add labeling for /usr/share/pki
+- Allow programs that read var_run_t symlinks also read var_t symlinks
+- Add additional ports as mongod_port_t for 27018, 27019, 28017, 28018 and 28019 ports
+- Fix labeling for /etc/dhcp directory
+- add missing systemd_stub_unit_file() interface
+- Add files_stub_var() interface
+- Add lables for cert_t directories
+- Make localectl set-x11-keymap working at all
+- Allow localectl to read /etc/X11/xorg.conf.d directory
+- Revert "Revert "Fix filetrans rules for kdm creates .xsession-errors""
+-
+- This reverts commit 807b3ed8dbbd3fa1779a099ff43259fc1bc0689d.
+- Allow mount to transition to systemd_passwd_agent
+- Make sure abrt directories are labeled correctly
+- Allow commands that are going to read mount pid files to search mount_var_run_t
+
* Mon Mar 18 2013 Miroslav Grepl 3.12.1-22
- Allow nagios to manage nagios spool files
- /var/spool/snmptt is a directory which snmdp needs to write to, needs back port to RHEL6