diff --git a/policy-F16.patch b/policy-F16.patch index ee7f839..f9e9883 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -281,7 +281,7 @@ index 358ce7c..e5dc022 100644 + ') dnl end enable_mcs diff --git a/policy/modules/admin/acct.if b/policy/modules/admin/acct.if -index e66c296..61f738b 100644 +index e66c296..993a1e9 100644 --- a/policy/modules/admin/acct.if +++ b/policy/modules/admin/acct.if @@ -78,3 +78,21 @@ interface(`acct_manage_data',` @@ -295,7 +295,7 @@ index e66c296..61f738b 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -1566,7 +1566,7 @@ index c633aea..d1e56f6 100644 ifdef(`hide_broken_symptoms',` diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te -index af55369..2718561 100644 +index af55369..6059aed 100644 --- a/policy/modules/admin/prelink.te +++ b/policy/modules/admin/prelink.te @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t) @@ -1625,17 +1625,17 @@ index af55369..2718561 100644 optional_policy(` - rpm_manage_tmp_files(prelink_t) + gnome_dontaudit_read_config(prelink_t) -+') -+ -+optional_policy(` -+ nsplugin_manage_rw_files(prelink_t) ') optional_policy(` - unconfined_domain(prelink_t) -+ rpm_manage_tmp_files(prelink_t) ++ nsplugin_manage_rw_files(prelink_t) ') ++optional_policy(` ++ rpm_manage_tmp_files(prelink_t) ++') ++ +#optional_policy(` +# unconfined_domain(prelink_t) +#') @@ -1651,11 +1651,13 @@ index af55369..2718561 100644 domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) allow prelink_cron_system_t prelink_t:process noatsecure; -@@ -148,17 +163,26 @@ optional_policy(` +@@ -148,17 +163,28 @@ optional_policy(` files_read_etc_files(prelink_cron_system_t) files_search_var_lib(prelink_cron_system_t) - init_exec(prelink_cron_system_t) ++ fs_search_cgroup_dirs(prelink_cron_system_t) ++ + init_telinit(prelink_cron_system_t) libs_exec_ld_so(prelink_cron_system_t) 
@@ -3217,7 +3219,7 @@ index 0000000..1f468aa +/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0) diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if new file mode 100644 -index 0000000..e921f24 +index 0000000..ae9c0c5 --- /dev/null +++ b/policy/modules/apps/chrome.if @@ -0,0 +1,107 @@ @@ -3317,7 +3319,7 @@ index 0000000..e921f24 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -3691,7 +3693,7 @@ index 0000000..ce498b3 + diff --git a/policy/modules/apps/firewallgui.if b/policy/modules/apps/firewallgui.if new file mode 100644 -index 0000000..7fe26f3 +index 0000000..2bd5790 --- /dev/null +++ b/policy/modules/apps/firewallgui.if @@ -0,0 +1,41 @@ @@ -3725,7 +3727,7 @@ index 0000000..7fe26f3 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -3873,10 +3875,10 @@ index 00a19e3..55075f9 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..3587c52 100644 +index f5afe78..3ca01ec 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if -@@ -1,44 +1,605 @@ +@@ -1,44 +1,623 @@ ## GNU network object model environment (GNOME) -############################################################ @@ -4085,7 +4087,7 @@ index f5afe78..3587c52 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -4103,7 +4105,7 @@ index f5afe78..3587c52 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -4263,6 +4265,24 @@ index f5afe78..3587c52 100644 + +######################################## +## ++## Dontaudit read/write to generic cache home files (.cache) ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`gnome_dontaudit_rw_generic_cache_files',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ dontaudit $1 cache_home_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## +## read gnome homedir content (.config) +## +## @@ -4501,7 +4521,7 @@ index f5afe78..3587c52 100644 ## ## ## -@@ -46,37 +607,37 @@ interface(`gnome_role',` +@@ -46,37 +625,37 @@ interface(`gnome_role',` ## ## # @@ -4551,7 +4571,7 @@ index f5afe78..3587c52 100644 ## ## ## -@@ -84,37 +645,37 @@ template(`gnome_read_gconf_config',` +@@ -84,37 +663,37 @@ template(`gnome_read_gconf_config',` ## ## # @@ -4600,7 +4620,7 @@ index f5afe78..3587c52 100644 ## ## ## -@@ -122,17 +683,17 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,17 +701,17 @@ interface(`gnome_stream_connect_gconf',` ## ## # @@ -4622,7 +4642,7 @@ index f5afe78..3587c52 100644 ## ## ## -@@ -140,51 +701,335 @@ interface(`gnome_domtrans_gconfd',` +@@ -140,51 +719,335 @@ interface(`gnome_domtrans_gconfd',` ## ## # @@ -4913,7 +4933,7 @@ index f5afe78..3587c52 100644 +## +## +# -+interface(`gnome_user_home_dir_filetrans',` ++interface(`gnome_filetrans_home_content',` + +gen_require(` + type config_home_t; @@ -4950,7 +4970,7 @@ index f5afe78..3587c52 100644 +## +## +# -+interface(`gnome_admin_home_dir_filetrans',` ++interface(`gnome_filetrans_admin_home_content',` + +gen_require(` + type config_home_t; @@ -5914,7 +5934,7 @@ index f63c4c2..bf59895 100644 policykit_dbus_chat(kdumpgui_t) ') diff --git a/policy/modules/apps/livecd.if b/policy/modules/apps/livecd.if -index 12b772f..b67cf26 100644 +index 12b772f..1d203dc 100644 --- a/policy/modules/apps/livecd.if +++ b/policy/modules/apps/livecd.if @@ -41,6 +41,8 @@ interface(`livecd_run',` 
@@ -5934,7 +5954,7 @@ index 12b772f..b67cf26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -6172,7 +6192,7 @@ index 93ac529..35b51ab 100644 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..19de023 100644 +index 9a6d67d..c499e03 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -6338,7 +6358,7 @@ index 9a6d67d..19de023 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -9645,10 +9665,10 @@ index 0000000..6878d68 + diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..8791119 +index 0000000..a6cb11d --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,338 @@ +@@ -0,0 +1,336 @@ + +policy_module(telepathy, 1.0.0) + @@ -9665,6 +9685,14 @@ index 0000000..8791119 +## +gen_tunable(telepathy_tcp_connect_generic_network_ports, false) + ++## ++##

++## Allow the Telepathy connection managers ++## to connect to any network port. ++##

++##
++gen_tunable(telepathy_connect_all_ports, true) ++ +attribute telepathy_domain; +attribute telepathy_executable; + @@ -9697,7 +9725,6 @@ index 0000000..8791119 +# + +allow telepathy_msn_t self:process setsched; -+allow telepathy_msn_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_msn_t self:unix_dgram_socket { write create connect }; + +manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t) @@ -9717,6 +9744,7 @@ index 0000000..8791119 +corenet_tcp_connect_msnp_port(telepathy_msn_t) +corenet_tcp_connect_sametime_port(telepathy_msn_t) +corenet_tcp_connect_ssdp_port(telepathy_msn_t) ++corenet_tcp_connect_sip_port(telepathy_msn_t) + +corecmd_exec_bin(telepathy_msn_t) +corecmd_exec_shell(telepathy_msn_t) @@ -9725,8 +9753,6 @@ index 0000000..8791119 +files_read_etc_files(telepathy_msn_t) +files_read_usr_files(telepathy_msn_t) + -+auth_use_nsswitch(telepathy_msn_t) -+ +init_read_state(telepathy_msn_t) + +libs_exec_ldconfig(telepathy_msn_t) @@ -9735,8 +9761,6 @@ index 0000000..8791119 + +miscfiles_read_all_certs(telepathy_msn_t) + -+sysnet_read_config(telepathy_msn_t) -+ +userdom_read_all_users_state(telepathy_msn_t) + +optional_policy(` @@ -9755,7 +9779,6 @@ index 0000000..8791119 +# Telepathy Gabble local policy. +# + -+allow telepathy_gabble_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_gabble_t self:tcp_socket { listen accept }; +allow telepathy_gabble_t self:unix_dgram_socket { write read create getattr sendto }; + @@ -9785,9 +9808,9 @@ index 0000000..8791119 +files_read_config_files(telepathy_gabble_t) +files_read_usr_files(telepathy_gabble_t) + -+miscfiles_read_all_certs(telepathy_gabble_t) ++fs_getattr_all_fs(telepathy_gabble_t) + -+sysnet_read_config(telepathy_gabble_t) ++miscfiles_read_all_certs(telepathy_gabble_t) + +optional_policy(` + dbus_system_bus_client(telepathy_gabble_t) 
@@ -9812,8 +9835,6 @@ index 0000000..8791119 +# Telepathy Idle local policy. +# + -+allow telepathy_idle_t self:netlink_route_socket create_netlink_socket_perms; -+ +corenet_sendrecv_ircd_client_packets(telepathy_idle_t) +corenet_tcp_connect_gatekeeper_port(telepathy_idle_t) +corenet_tcp_connect_ircd_port(telepathy_idle_t) @@ -9822,8 +9843,6 @@ index 0000000..8791119 + +files_read_etc_files(telepathy_idle_t) + -+sysnet_read_config(telepathy_idle_t) -+ +####################################### +# +# Telepathy Mission-Control local policy. @@ -9851,8 +9870,6 @@ index 0000000..8791119 + fs_manage_cifs_files(telepathy_mission_control_t) +') + -+auth_use_nsswitch(telepathy_mission_control_t) -+ +# ~/.cache/.mc_connections. +optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) @@ -9870,8 +9887,6 @@ index 0000000..8791119 +# +# Telepathy Salut local policy. +# -+ -+allow telepathy_salut_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_salut_t self:tcp_socket { accept listen }; + +manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t) @@ -9883,8 +9898,6 @@ index 0000000..8791119 + +files_read_etc_files(telepathy_salut_t) + -+sysnet_read_config(telepathy_salut_t) -+ +optional_policy(` + dbus_system_bus_client(telepathy_salut_t) + 
@@ -9897,19 +9910,17 @@ index 0000000..8791119 +# +# Telepathy Sofiasip local policy. +# -+ -+allow telepathy_sofiasip_t self:netlink_route_socket create_netlink_socket_perms; +allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen }; +allow telepathy_sofiasip_t self:tcp_socket { listen }; + +corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t) +corenet_tcp_connect_sip_port(telepathy_sofiasip_t) +corenet_udp_bind_all_ports(telepathy_sofiasip_t) ++corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t) ++corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t) + +kernel_request_load_module(telepathy_sofiasip_t) + -+sysnet_read_config(telepathy_sofiasip_t) -+ +####################################### +# +# Telepathy Sunshine local policy. @@ -9959,9 +9970,9 @@ index 0000000..8791119 + +fs_search_auto_mountpoints(telepathy_domain) + -+miscfiles_read_localization(telepathy_domain) ++auth_use_nsswitch(telepathy_domain) + -+sysnet_dns_name_resolve(telepathy_domain) ++miscfiles_read_localization(telepathy_domain) + +# This interface does not facilitate files_search_tmp which appears to be a bug. +userdom_stream_connect(telepathy_domain) @@ -9972,12 +9983,19 @@ index 0000000..8791119 + corenet_sendrecv_generic_client_packets(telepathy_domain) +') + ++tunable_policy(`telepathy_connect_all_ports', ` ++ corenet_tcp_connect_all_ports(telepathy_domain) ++ corenet_tcp_sendrecv_all_ports(telepathy_domain) ++ corenet_udp_sendrecv_all_ports(telepathy_domain) ++') ++ +optional_policy(` + automount_dontaudit_getattr_tmp_dirs(telepathy_domain) +') + +optional_policy(` -+ nis_use_ypbind(telepathy_domain) ++ gnome_read_generic_cache_files(telepathy_domain) ++ gnome_write_generic_cache_files(telepathy_domain) +') + +optional_policy(` @@ -10720,9 +10738,18 @@ index 34c9d01..0d54b2c 100644 /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) 
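Review bot: `corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)`, added directly under `corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)`, means a bind to a reserved TCP port by the SIP connection manager is still denied but no longer audited, so the denial vanishes from the audit trail exactly in the case where it would show the manager stepping outside its expected port range. If a concrete, recurring denial motivated the rule, a comment above it such as `# sofia-sip probes reserved TCP ports before falling back; this denial is expected noise` (worded to the real cause) would let a later reviewer judge whether it is still needed; otherwise the dontaudit is better left out until such a denial is seen. The asymmetry with the line above it, `corenet_udp_bind_all_ports`, which allows all UDP ports outright, is also worth a one-line note.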
diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if -index 9e9263a..24018ce 100644 +index 9e9263a..32826ad 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if +@@ -203,7 +203,7 @@ interface(`corecmd_getattr_bin_files',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -1049,6 +1049,7 @@ interface(`corecmd_manage_all_executables',` type bin_t; ') @@ -11119,7 +11146,7 @@ index 6cf8784..5b25039 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index e9313fb..f8b1eee 100644 +index e9313fb..ddb84e0 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',` @@ -11208,6 +11235,15 @@ index e9313fb..f8b1eee 100644 ## Dontaudit getattr on generic block devices. ## ## +@@ -628,7 +683,7 @@ interface(`dev_rw_generic_blk_files',` + ## + ## + ## +-## Domain to dontaudit access. ++## Domain to not audit. + ## + ## + # @@ -715,7 +770,7 @@ interface(`dev_dontaudit_setattr_generic_symlinks',` ######################################## @@ -11493,6 +11529,15 @@ index e9313fb..f8b1eee 100644 ## Delete all block device files. ## ## +@@ -2663,7 +2914,7 @@ interface(`dev_write_misc',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -3192,24 +3443,6 @@ interface(`dev_rw_printer',` ######################################## @@ -12410,7 +12455,7 @@ index 3ff4f60..89ffda6 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index aad8c52..e957e76 100644 +index aad8c52..53b0624 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if 
@@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',` @@ -12448,7 +12493,7 @@ index aad8c52..e957e76 100644 ## ## ## -@@ -630,7 +649,7 @@ interface(`domain_getattr_all_domains',` +@@ -630,11 +649,11 @@ interface(`domain_getattr_all_domains',` ######################################## ## @@ -12457,6 +12502,11 @@ index aad8c52..e957e76 100644 ## ## ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -886,6 +905,24 @@ interface(`domain_getsched_all_domains',` ######################################## @@ -12526,7 +12576,7 @@ index aad8c52..e957e76 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -12866,7 +12916,7 @@ index 16108f6..de3c68f 100644 + +/usr/lib/debug(/.*)? <> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 958ca84..4f3ff26 100644 +index 958ca84..1204be0 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',` @@ -12987,7 +13037,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -13038,7 +13088,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -13053,6 +13103,15 @@ index 958ca84..4f3ff26 100644 ########################################## ## ## Manage generic directories in /etc +@@ -2379,7 +2504,7 @@ interface(`files_read_etc_files',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -2453,6 +2578,24 @@ interface(`files_delete_etc_files',` ######################################## @@ -13127,7 +13186,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -13195,7 +13254,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -13354,6 +13413,24 @@ index 958ca84..4f3ff26 100644 ######################################## ## ## Allow the specified type to associate +@@ -3774,7 +4128,7 @@ interface(`files_getattr_tmp_dirs',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -3846,7 +4200,7 @@ interface(`files_list_tmp',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # @@ -3858,6 +4212,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -13379,12 +13456,13 @@ index 958ca84..4f3ff26 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -3914,6 +4286,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -3914,25 +4286,33 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## +-## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -13393,52 +13471,91 @@ index 958ca84..4f3ff26 100644 +## This is added to support java policy. +##

+##
+ ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`files_manage_generic_tmp_files',` ++interface(`files_execmod_tmp',` + gen_require(` +- type tmp_t; ++ attribute tmpfile; + ') + +- manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file execmod; + ') + + ######################################## + ## +-## Read symbolic links in the tmp directory (/tmp). ++## Manage temporary files and directories in /tmp. + ## + ## + ## +@@ -3940,17 +4320,35 @@ interface(`files_manage_generic_tmp_files',` + ## + ## + # +-interface(`files_read_generic_tmp_symlinks',` ++interface(`files_manage_generic_tmp_files',` + gen_require(` + type tmp_t; + ') + +- read_lnk_files_pattern($1, tmp_t, tmp_t) ++ manage_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Read and write generic named sockets in the tmp directory (/tmp). ++## Read symbolic links in the tmp directory (/tmp). ++## +## +## +## Domain allowed access. +## +## +# -+interface(`files_execmod_tmp',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` -+ attribute tmpfile; ++ type tmp_t; + ') + -+ allow $1 tmpfile:file execmod; ++ read_lnk_files_pattern($1, tmp_t, tmp_t) +') + +######################################## +## - ## Manage temporary files and directories in /tmp. ++## Read and write generic named sockets in the tmp directory (/tmp). ## ## -@@ -3968,7 +4366,7 @@ interface(`files_rw_generic_tmp_sockets',` + ## +@@ -3968,6 +4366,84 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. - ## - ## - ## -@@ -3976,17 +4374,95 @@ interface(`files_rw_generic_tmp_sockets',` - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# +interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- attribute tmpfile; ++ gen_require(` + type tmp_t; - ') - -- allow $1 tmpfile:dir { search_dir_perms setattr }; ++ ') ++ + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) - ') - - ######################################## - ## --## List all tmp directories. ++') ++ ++######################################## ++## +## Relabel a file from the type used in /tmp. +## +## @@ -13499,28 +13616,27 @@ index 958ca84..4f3ff26 100644 + +######################################## +## -+## Set the attributes of all tmp directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_all_tmp_dirs',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:dir { search_dir_perms setattr }; -+') -+ -+######################################## -+## -+## List all tmp directories. + ## Set the attributes of all tmp directories. + ## + ## +@@ -4009,7 +4485,7 @@ interface(`files_list_all_tmp',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -4047,7 +4523,7 @@ interface(`files_getattr_all_tmp_files',` ## ## ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # @@ -4103,7 +4579,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -14128,7 +14244,7 @@ index 958ca84..4f3ff26 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -14261,7 +14377,7 @@ index 59bae6a..2e55e71 100644 +/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) +/dev/hugepages(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index dfe361a..79b4c0f 100644 +index dfe361a..1c83074 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',` @@ -14310,7 +14426,7 @@ index dfe361a..79b4c0f 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
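Review bot: `files_execmod_tmp` allows `execmod` on the `tmpfile` attribute, i.e. on every type declared through `files_tmp_file()` anywhere in the policy, not only on generic `tmp_t`, while its description says only that it exists to support the java policy. Text relocation on writable temporary files is access that is usually scoped as narrowly as possible; if java needs it only on its own tmp type, an interface over that single type would be tighter, and if the attribute-wide grant is deliberate the description should state that it covers all tmp file types so other modules do not adopt it casually. The run of interfaces this hunk rewrites continues into the next hunk.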
@@ -14770,6 +14886,24 @@ index dfe361a..79b4c0f 100644 ') ######################################## +@@ -2587,7 +2911,7 @@ interface(`fs_search_removable',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +@@ -2623,7 +2947,7 @@ interface(`fs_read_removable_files',` + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # @@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## @@ -14778,7 +14912,7 @@ index dfe361a..79b4c0f 100644 +## +## +## -+## Domain not to audit. ++## Domain to not audit. +## +## +# @@ -14905,7 +15039,7 @@ index dfe361a..79b4c0f 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -14931,6 +15065,15 @@ index dfe361a..79b4c0f 100644 ') ######################################## +@@ -4317,7 +4737,7 @@ interface(`fs_unmount_all_fs',` + ## + ##

+ ## Allow the specified domain to +-## et the attributes of all filesystems. ++## get the attributes of all filesystems. + ## Example attributes: + ##

+ ##
    @@ -4681,3 +5101,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; @@ -14943,7 +15086,7 @@ index dfe361a..79b4c0f 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -15043,7 +15186,7 @@ index e49c148..4d6bbf4 100644 ######################################## # diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 069d36c..78a81b3 100644 +index 069d36c..8cbeefb 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -735,6 +735,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',` @@ -15108,6 +15251,15 @@ index 069d36c..78a81b3 100644 ') ######################################## +@@ -2254,7 +2293,7 @@ interface(`kernel_read_unlabeled_state',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -2436,6 +2475,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## @@ -15226,7 +15378,7 @@ index 069d36c..78a81b3 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 5001b89..fef153d 100644 +index 5001b89..e1fe78d 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -15266,7 +15418,7 @@ index 5001b89..fef153d 100644 corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -268,19 +275,28 @@ files_list_root(kernel_t) +@@ -268,19 +275,40 @@ files_list_root(kernel_t) files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) 
@@ -15292,10 +15444,22 @@ index 5001b89..fef153d 100644 ') + ++optional_policy(` ++ apache_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ gnome_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ kerberos_filetrans_home_content(kernel_t) ++') ++ optional_policy(` hotplug_search_config(kernel_t) ') -@@ -296,6 +312,11 @@ optional_policy(` +@@ -296,6 +324,19 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(kernel_t) @@ -15303,16 +15467,29 @@ index 5001b89..fef153d 100644 +') + +optional_policy(` ++ mta_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` ++ ssh_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` + userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir }) ') optional_policy(` -@@ -357,6 +378,10 @@ optional_policy(` +@@ -357,6 +398,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') +optional_policy(` ++ virt_filetrans_home_content(kernel_t) ++') ++ ++optional_policy(` + xserver_xdm_manage_spool(kernel_t) ++ xserver_filetrans_home_content(kernel_t) +') + ######################################## @@ -15491,7 +15668,7 @@ index a9b8982..57c4a6a 100644 +/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 3723150..a137563 100644 +index 3723150..097a2cc 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',` 
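Review bot: The new `apache_filetrans_home_content(kernel_t)`, `gnome_filetrans_home_content(kernel_t)` and `kerberos_filetrans_home_content(kernel_t)` blocks (and the mta, ssh, virt and xserver ones in the next two hunks on this file) give kernel_t name-based file transitions into module-specific home-content types without recording what kernel_t is expected to create under user home directories, on top of the `userdom_user_home_dir_filetrans_user_home_content(kernel_t, { file dir })` rule already present in the second hunk. A short comment above the first block, for example `# kernel_t creates files under user home dirs via <reason>; label them as the owning module would`, with the real reason filled in, would let the next reader distinguish deliberate labelling from denial-chasing leftovers. The placement next to the other alphabetically ordered `optional_policy` blocks for kernel_t is fine as done.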
@@ -15598,13 +15775,13 @@ index 3723150..a137563 100644 +# +interface(`storage_filetrans_all_named_dev',` + -+gen_require(` -+ type tape_device_t; -+ type fixed_disk_device_t; -+ type removable_device_t; -+ type scsi_generic_device_t; -+ type fuse_device_t; -+') ++ gen_require(` ++ type tape_device_t; ++ type fixed_disk_device_t; ++ type removable_device_t; ++ type scsi_generic_device_t; ++ type fuse_device_t; ++ ') + + dev_filetrans($1, tape_device_t, chr_file, ht00) + dev_filetrans($1, tape_device_t, chr_file, ht01) @@ -15874,7 +16051,7 @@ index 3994e57..a1923fe 100644 + +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index f3acfee..0082923 100644 +index f3acfee..5260651 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -208,6 +208,27 @@ interface(`term_use_all_terms',` @@ -16022,6 +16199,15 @@ index f3acfee..0082923 100644 ') ######################################## +@@ -903,7 +982,7 @@ interface(`term_getattr_all_user_ptys',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',` ') @@ -16114,6 +16300,15 @@ index f3acfee..0082923 100644 ') ######################################## +@@ -1467,7 +1570,7 @@ interface(`term_use_all_user_ttys',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # @@ -1475,3 +1578,382 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) @@ -16623,7 +16818,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..95ff489 100644 +index 2be17d2..ddb6f0a 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te 
@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) @@ -16678,7 +16873,7 @@ index 2be17d2..95ff489 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +66,140 @@ optional_policy(` +@@ -27,25 +66,139 @@ optional_policy(` ') optional_policy(` @@ -16701,7 +16896,6 @@ index 2be17d2..95ff489 100644 +optional_policy(` + gnome_role(staff_r, staff_t) + gnome_role_gkeyringd(staff, staff_r, staff_t) -+ permissive staff_gkeyringd_t; +') + +optional_policy(` @@ -16752,7 +16946,7 @@ index 2be17d2..95ff489 100644 optional_policy(` + qemu_run(staff_t, staff_r) + virt_manage_tmpfs_files(staff_t) -+ virt_user_home_dir_filetrans(staff_t) ++ virt_filetrans_home_content(staff_t) +') + +optional_policy(` @@ -16821,7 +17015,7 @@ index 2be17d2..95ff489 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +243,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +242,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16832,7 +17026,7 @@ index 2be17d2..95ff489 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +287,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +286,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -16843,7 +17037,7 @@ index 2be17d2..95ff489 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +318,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +317,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -16852,7 +17046,7 @@ index 2be17d2..95ff489 100644 + userdom_execmod_user_home_files(staff_usertype) +') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 4a8d146..65a8661 100644 +index 4a8d146..4fb9455 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -24,20 +24,55 @@ ifndef(`enable_mls',` @@ -16906,7 +17100,7 @@ index 4a8d146..65a8661 100644 +userdom_manage_user_tmp_blk_files(sysadm_t) + +optional_policy(` -+ ssh_admin_home_dir_filetrans(sysadm_t) ++ ssh_filetrans_admin_home_content(sysadm_t) +') ifdef(`direct_sysadm_daemon',` 
@@ -17133,7 +17327,7 @@ index 4a8d146..65a8661 100644 optional_policy(` - wireshark_role(sysadm_r, sysadm_t) + virt_stream_connect(sysadm_t) -+ virt_user_home_dir_filetrans(sysadm_t) ++ virt_filetrans_home_content(sysadm_t) ') optional_policy(` @@ -17157,7 +17351,7 @@ index 4a8d146..65a8661 100644 optional_policy(` gnome_role(sysadm_r, sysadm_t) -+ gnome_admin_home_dir_filetrans(sysadm_t) ++ gnome_filetrans_admin_home_content(sysadm_t) ') optional_policy(` @@ -17932,7 +18126,7 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..4c5f006 +index 0000000..4cf791b --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,525 @@ @@ -18035,7 +18229,7 @@ index 0000000..4c5f006 +sysnet_etc_filetrans_config(unconfined_t, yp.conf) + +optional_policy(` -+ ssh_admin_home_dir_filetrans(unconfined_t) ++ ssh_filetrans_admin_home_content(unconfined_t) +') + +mcs_killall(unconfined_t) @@ -18237,7 +18431,7 @@ index 0000000..4c5f006 + optional_policy(` + gnomeclock_dbus_chat(unconfined_usertype) + gnome_dbus_chat_gconfdefault(unconfined_usertype) -+ gnome_admin_home_dir_filetrans(unconfined_usertype) ++ gnome_filetrans_admin_home_content(unconfined_usertype) + ') + + optional_policy(` @@ -18383,7 +18577,7 @@ index 0000000..4c5f006 + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) -+ virt_user_home_dir_filetrans(unconfined_t) ++ virt_filetrans_home_content(unconfined_t) +') + +optional_policy(` @@ -22673,7 +22867,7 @@ index 0000000..18f37e2 +/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0) diff --git a/policy/modules/services/bugzilla.if b/policy/modules/services/bugzilla.if new file mode 100644 -index 0000000..3964548 +index 0000000..d1fd21d --- /dev/null +++ b/policy/modules/services/bugzilla.if @@ -0,0 +1,80 @@ 
@@ -22705,7 +22899,7 @@ index 0000000..3964548 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -24616,10 +24810,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..e79f653 +index 0000000..13278c0 --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,96 @@ +@@ -0,0 +1,106 @@ +policy_module(colord,1.0.0) + +######################################## @@ -24637,10 +24831,16 @@ index 0000000..e79f653 +type colord_tmp_t; +files_tmp_file(colord_tmp_t) + ++type colord_tmpfs_t; ++files_tmpfs_file(colord_tmpfs_t) ++ +######################################## +# +# colord local policy +# ++ ++allow colord_t self:process signal; ++ +allow colord_t self:fifo_file rw_fifo_file_perms; +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +allow colord_t self:udp_socket create_socket_perms; @@ -24650,6 +24850,10 @@ index 0000000..e79f653 +manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) +files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) + ++manage_dirs_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) ++manage_files_pattern(colord_t, colord_tmpfs_t, colord_tmpfs_t) ++fs_tmpfs_filetrans(colord_t, colord_tmpfs_t, { dir file }) ++ +manage_dirs_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) @@ -24717,7 +24921,7 @@ index 0000000..e79f653 + udev_read_db(colord_t) +') diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if -index fd15dfe..ad224fa 100644 +index fd15dfe..0716ee4 100644 --- a/policy/modules/services/consolekit.if +++ b/policy/modules/services/consolekit.if @@ -5,9 +5,9 @@ @@ -24741,7 +24945,7 @@ index fd15dfe..ad224fa 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -25947,7 +26151,7 @@ index 305ddf4..777091a 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..cda064a 100644 +index 0f28095..a3a6265 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -26059,11 +26263,12 @@ index 0f28095..cda064a 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +438,10 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +438,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) +userdom_rw_user_tmp_files(cupsd_config_t) ++userdom_read_user_tmp_symlinks(cupsd_config_t) cups_stream_connect(cupsd_config_t) @@ -26072,7 +26277,7 @@ index 0f28095..cda064a 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +465,10 @@ optional_policy(` +@@ -453,6 +466,10 @@ optional_policy(` ') optional_policy(` @@ -26083,7 +26288,7 @@ index 0f28095..cda064a 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +483,10 @@ optional_policy(` +@@ -467,6 +484,10 @@ optional_policy(` ') optional_policy(` @@ -26094,7 +26299,7 @@ index 0f28095..cda064a 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,13 +607,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +608,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -26114,7 +26319,7 @@ index 0f28095..cda064a 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +630,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +631,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') 
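Review bot: `userdom_read_user_tmp_symlinks(cupsd_config_t)` lets the cups config domain follow user-created symlinks in /tmp, and together with the `userdom_rw_user_tmp_files(cupsd_config_t)` rule directly above it a user can steer the domain's tmp reads and writes to whatever user_tmp_t file a link points at; the link target still needs a type cupsd_config_t is otherwise allowed on, so the exposure is bounded, but the line should say which denial it resolves, e.g. `# system-config-printer follows symlinks in the user's /tmp -- TODO confirm which path`. If only one well-known file is involved, a narrower rule or a dontaudit may be the better fix than blanket symlink reads. The cupsd_config_t block this sits in starts outside the hunk.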
@@ -26125,7 +26330,7 @@ index 0f28095..cda064a 100644 ######################################## # # HPLIP local policy -@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +668,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -26134,7 +26339,7 @@ index 0f28095..cda064a 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +714,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -26142,7 +26347,7 @@ index 0f28095..cda064a 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) @@ -26156,7 +26361,7 @@ index 0f28095..cda064a 100644 optional_policy(` dbus_system_bus_client(hplip_t) diff --git a/policy/modules/services/cvs.if b/policy/modules/services/cvs.if -index c43ff4c..a9783e3 100644 +index c43ff4c..6ca9a6b 100644 --- a/policy/modules/services/cvs.if +++ b/policy/modules/services/cvs.if @@ -1,5 +1,23 @@ @@ -26168,7 +26373,7 @@ index c43ff4c..a9783e3 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -28777,7 +28982,7 @@ index f28f64b..18c3c33 100644 optional_policy(` diff --git a/policy/modules/services/fail2ban.if b/policy/modules/services/fail2ban.if -index f590a1f..87f6bfb 100644 +index f590a1f..3cc3f80 100644 --- a/policy/modules/services/fail2ban.if +++ b/policy/modules/services/fail2ban.if @@ -5,9 +5,9 @@ 
@@ -28812,7 +29017,7 @@ index f590a1f..87f6bfb 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -29377,7 +29582,7 @@ index 54f0737..2b552c5 100644 +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) +/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if -index 458aac6..03645a9 100644 +index 458aac6..8e83609 100644 --- a/policy/modules/services/git.if +++ b/policy/modules/services/git.if @@ -1 +1,539 @@ @@ -29763,7 +29968,7 @@ index 458aac6..03645a9 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -31376,7 +31581,7 @@ index 3525d24..923e979 100644 /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if -index 604f67b..414cfb4 100644 +index 604f67b..04309ea 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -26,9 +26,9 @@ @@ -31505,7 +31710,7 @@ index 604f67b..414cfb4 100644 ') allow $1 kadmind_t:process { ptrace signal_perms }; -@@ -378,3 +374,110 @@ interface(`kerberos_admin',` +@@ -378,3 +374,108 @@ interface(`kerberos_admin',` admin_pattern($1, krb5kdc_var_run_t) ') @@ -31609,8 +31814,6 @@ index 604f67b..414cfb4 100644 + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, principal1) + + kerberos_etc_filetrans_keytab($1, krb5.keytab) -+ # this is defined in userdom_login_user_template -+ #kerberos_filetrans_home_content($1) + kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, host_0) @@ -33091,7 +33294,7 @@ index 0000000..68ad33f +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) 
diff --git a/policy/modules/services/mock.if b/policy/modules/services/mock.if new file mode 100644 -index 0000000..f60483e +index 0000000..ec2832c --- /dev/null +++ b/policy/modules/services/mock.if @@ -0,0 +1,272 @@ @@ -33254,7 +33457,7 @@ index 0000000..f60483e +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -35678,7 +35881,7 @@ index 2324d9e..8069487 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 0619395..8f8c519 100644 +index 0619395..863ba2d 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -12,6 +12,12 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) @@ -35739,7 +35942,15 @@ index 0619395..8f8c519 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -133,30 +155,37 @@ logging_send_syslog_msg(NetworkManager_t) +@@ -100,6 +122,7 @@ dev_read_rand(NetworkManager_t) + dev_read_urand(NetworkManager_t) + dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) + dev_getattr_all_chr_files(NetworkManager_t) ++dev_rw_wireless(NetworkManager_t) + + fs_getattr_all_fs(NetworkManager_t) + fs_search_auto_mountpoints(NetworkManager_t) +@@ -133,30 +156,37 @@ logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) miscfiles_read_generic_certs(NetworkManager_t) @@ -35779,7 +35990,7 @@ index 0619395..8f8c519 100644 ') optional_policy(` -@@ -172,14 +201,21 @@ optional_policy(` +@@ -172,14 +202,21 @@ optional_policy(` ') optional_policy(` @@ -35802,7 +36013,7 @@ index 0619395..8f8c519 100644 ') ') -@@ -202,6 +238,17 @@ optional_policy(` +@@ -202,6 +239,17 @@ optional_policy(` ') optional_policy(` 
@@ -35820,7 +36031,7 @@ index 0619395..8f8c519 100644 iptables_domtrans(NetworkManager_t) ') -@@ -219,6 +266,11 @@ optional_policy(` +@@ -219,6 +267,11 @@ optional_policy(` ') optional_policy(` @@ -35832,7 +36043,7 @@ index 0619395..8f8c519 100644 openvpn_domtrans(NetworkManager_t) openvpn_kill(NetworkManager_t) openvpn_signal(NetworkManager_t) -@@ -263,6 +315,7 @@ optional_policy(` +@@ -263,6 +316,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -38809,7 +39020,7 @@ index 46bee12..37bd751 100644 + role $2 types postfix_postdrop_t; +') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te -index 06e37d4..8bf015c 100644 +index 06e37d4..38fe95a 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0) @@ -39047,7 +39258,16 @@ index 06e37d4..8bf015c 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -519,7 +564,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) +@@ -507,6 +552,8 @@ optional_policy(` + # Postfix qmgr local policy + # + ++allow postfix_qmgr_t self:fifo_file rw_fifo_file_perms; ++ + stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t) + + rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t) +@@ -519,7 +566,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; 
@@ -39056,7 +39276,7 @@ index 06e37d4..8bf015c 100644 corecmd_exec_bin(postfix_qmgr_t) -@@ -539,7 +584,7 @@ postfix_list_spool(postfix_showq_t) +@@ -539,7 +586,7 @@ postfix_list_spool(postfix_showq_t) allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms; allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms; @@ -39065,7 +39285,7 @@ index 06e37d4..8bf015c 100644 # to write the mailq output, it really should not need read access! term_use_all_ptys(postfix_showq_t) -@@ -588,10 +633,16 @@ corecmd_exec_bin(postfix_smtpd_t) +@@ -588,10 +635,16 @@ corecmd_exec_bin(postfix_smtpd_t) # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -39082,7 +39302,7 @@ index 06e37d4..8bf015c 100644 ') optional_policy(` -@@ -611,8 +662,8 @@ optional_policy(` +@@ -611,8 +664,8 @@ optional_policy(` # Postfix virtual local policy # @@ -39092,7 +39312,7 @@ index 06e37d4..8bf015c 100644 allow postfix_virtual_t postfix_spool_t:file rw_file_perms; -@@ -630,3 +681,8 @@ mta_delete_spool(postfix_virtual_t) +@@ -630,3 +683,8 @@ mta_delete_spool(postfix_virtual_t) # For reading spamassasin mta_read_config(postfix_virtual_t) mta_manage_spool(postfix_virtual_t) @@ -45101,7 +45321,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..de9d29e 100644 +index 22adaca..0ecf6e4 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -45418,7 +45638,7 @@ index 22adaca..de9d29e 100644 ') ###################################### -@@ -735,3 +795,61 @@ interface(`ssh_delete_tmp',` +@@ -735,3 +795,62 @@ interface(`ssh_delete_tmp',` files_search_tmp($1) delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t) ') 
@@ -45452,7 +45672,7 @@ index 22adaca..de9d29e 100644 +## +## +# -+interface(`ssh_admin_home_dir_filetrans',` ++interface(`ssh_filetrans_admin_home_content',` + gen_require(` + type ssh_home_t; + ') @@ -45472,7 +45692,8 @@ index 22adaca..de9d29e 100644 +## +## +# -+interface(`ssh_user_home_dir_filetrans',` ++interface(`ssh_filetrans_home_content',` ++ + gen_require(` + type ssh_home_t; + ') @@ -47064,7 +47285,7 @@ index 2124b6a..9682c44 100644 +/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if -index 7c5d8d8..05a7054 100644 +index 7c5d8d8..16f69c9 100644 --- a/policy/modules/services/virt.if +++ b/policy/modules/services/virt.if @@ -13,14 +13,15 @@ @@ -47249,7 +47470,7 @@ index 7c5d8d8..05a7054 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -47494,7 +47715,7 @@ index 7c5d8d8..05a7054 100644 +## +## +# -+interface(`virt_user_home_dir_filetrans',` ++interface(`virt_filetrans_home_content',` + gen_require(` + type virt_home_t; + ') @@ -48245,10 +48466,10 @@ index 0000000..b9104b7 +') diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te new file mode 100644 -index 0000000..a7de540 +index 0000000..90b8072 --- /dev/null +++ b/policy/modules/services/vnstatd.te -@@ -0,0 +1,73 @@ +@@ -0,0 +1,78 @@ +policy_module(vnstatd, 1.0.0) + +######################################## @@ -48286,10 +48507,15 @@ index 0000000..a7de540 +manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) +files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) + ++kernel_read_network_state(vnstatd_t) ++kernel_read_system_state(vnstatd_t) ++ +domain_use_interactive_fds(vnstatd_t) + +files_read_etc_files(vnstatd_t) + ++fs_getattr_xattr_fs(vnstatd_t) ++ +logging_send_syslog_msg(vnstatd_t) + +miscfiles_read_localization(vnstatd_t) 
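Review bot: `kernel_read_system_state(vnstatd_t)` in the vnstatd.te hunk grants read access to generic /proc system state, which looks broader than a per-interface traffic counter needs; if the denial being fixed was for interface byte counters, `kernel_read_network_state(vnstatd_t)` on the preceding line probably already covers it, and the system-state rule should be dropped or annotated with the path it actually reads, e.g. `# vnstatd reads /proc/... at startup -- TODO confirm from the AVC`. The added `fs_getattr_xattr_fs(vnstatd_t)` is harmless but would benefit from the same one-line justification so the next reviewer does not have to rediscover it.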
@@ -48496,7 +48722,7 @@ index 6f1e3c7..a3986f4 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..ade50fd 100644 +index 130ced9..463447d 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -48806,7 +49032,7 @@ index 130ced9..ade50fd 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -48934,7 +49160,7 @@ index 130ced9..ade50fd 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -49146,7 +49372,7 @@ index 130ced9..ade50fd 100644 ') ######################################## -@@ -1243,10 +1462,397 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1462,431 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
@@ -49541,13 +49767,47 @@ index 130ced9..ade50fd 100644 + + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) + -+ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .k5login) -+ userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts.d) ++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts.d) ++# userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts) ++# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, .fontconfig) ++') ++ ++######################################## ++## ++## Transition to xserver named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_filetrans_home_content',` ++ gen_require(` ++ type xdm_home_t; ++ type xauth_home_t; ++ type iceauth_home_t; ++ type user_home_t; ++ type user_fonts_t; ++ type user_fonts_cache_t; ++ type user_fonts_config_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, .dmrc) ++ userdom_user_home_dir_filetrans($1, xdm_home_t, file, .xsession-errors) ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, .DCOP) ++ userdom_user_home_dir_filetrans($1, iceauth_home_t, file, .ICEauthority) ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, .Xauthority) ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, .xauth) ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, .Xauth) ++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, file, .fonts.conf) ++ userdom_user_home_dir_filetrans($1, user_fonts_config_t, dir, .fonts.d) + userdom_user_home_dir_filetrans($1, user_fonts_t, dir, .fonts) + userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, .fontconfig) ++ filetrans_pattern($1, user_fonts_t, user_fonts_cache_t, dir, auto) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 6c01261..8cb530b 100644 +index 6c01261..1a345d6 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te 
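Review bot: The new `xserver_filetrans_home_content` interface requires `type user_home_t;` but its body never references that type, so the `gen_require` should drop that line (it only couples the interface to a userdom type for nothing). The three `# userdom_user_home_dir_filetrans(...)` lines left commented out in the preceding interface are dead code now that the transitions live in the new interface and should be deleted; the interface header should also state that callers of the old interface must now call `xserver_filetrans_home_content` to keep the `.fonts`/`.fontconfig` transitions, since whether every caller was updated is not visible here. Note too that `.fonts.d` changes from a `user_fonts_t` to a `user_fonts_config_t` directory in the move, which looks deliberate but deserves a mention in the commit message. The interface whose tail is edited at the top of this hunk starts outside it.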
@@ -26,27 +26,50 @@ gen_require(` @@ -49869,7 +50129,7 @@ index 6c01261..8cb530b 100644 optional_policy(` ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) -@@ -302,20 +415,38 @@ optional_policy(` +@@ -302,20 +415,34 @@ optional_policy(` # XDM Local policy # @@ -49899,11 +50159,7 @@ index 6c01261..8cb530b 100644 + +manage_files_pattern(xdm_t, xdm_home_t, xdm_home_t) +userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) -+userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .DCOP) -+userdom_user_home_dir_filetrans(xdm_t, iceauth_home_t, file, .ICEauthority) -+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauthority) -+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .xauth) -+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, .Xauth) ++xserver_filetrans_home_content(xdm_t) + +#Handle mislabeled files in homedir +userdom_delete_user_home_content_files(xdm_t) @@ -49912,7 +50168,7 @@ index 6c01261..8cb530b 100644 # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -323,43 +454,62 @@ can_exec(xdm_t, xdm_exec_t) +@@ -323,43 +450,62 @@ can_exec(xdm_t, xdm_exec_t) allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -49981,7 +50237,7 @@ index 6c01261..8cb530b 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -368,18 +518,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -368,18 +514,26 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) 
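Review bot: Replacing the five explicit `.DCOP`/`.ICEauthority`/`.Xauthority`/`.xauth`/`.Xauth` transitions with `xserver_filetrans_home_content(xdm_t)` is a widening rather than a pure refactor, because the interface also bundles `.dmrc`, `.xsession-errors`, `.fonts.conf`, `.fonts.d`, `.fonts` and `.fontconfig` transitions that the removed lines did not provide; the font-directory ones take effect wherever xdm_t also holds create rights on `user_fonts_t`/`user_fonts_cache_t`, which this hunk does not show. If that is intended, say so above the call, `# named transitions for everything xdm creates in $HOME (xauth/ICE cookies, .dmrc, .xsession-errors, fonts)`; otherwise split the xauth/ICE subset into its own interface. The unnamed `userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file)` default on the line above still catches any other file xdm_t creates there.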
@@ -50009,7 +50265,7 @@ index 6c01261..8cb530b 100644 corenet_all_recvfrom_unlabeled(xdm_t) corenet_all_recvfrom_netlabel(xdm_t) -@@ -391,18 +549,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -391,18 +545,22 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -50033,7 +50289,7 @@ index 6c01261..8cb530b 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -411,18 +573,24 @@ dev_setattr_xserver_misc_dev(xdm_t) +@@ -411,18 +569,24 @@ dev_setattr_xserver_misc_dev(xdm_t) dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -50061,7 +50317,7 @@ index 6c01261..8cb530b 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -433,9 +601,23 @@ files_list_mnt(xdm_t) +@@ -433,9 +597,23 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -50085,7 +50341,7 @@ index 6c01261..8cb530b 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -444,28 +626,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -444,28 +622,36 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -50124,7 +50380,7 @@ index 6c01261..8cb530b 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -474,9 +664,30 @@ userdom_read_user_home_content_files(xdm_t) +@@ -474,9 +660,30 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -50155,7 +50411,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_t) -@@ -492,6 +703,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -492,6 +699,14 @@ tunable_policy(`use_samba_home_dirs',` fs_exec_cifs_files(xdm_t) ') @@ -50170,7 +50426,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -505,11 +724,21 @@ tunable_policy(`xdm_sysadm_login',` +@@ -505,11 +720,21 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -50192,7 +50448,7 @@ index 6c01261..8cb530b 100644 ') optional_policy(` -@@ -517,7 +746,43 @@ optional_policy(` +@@ -517,7 +742,43 @@ optional_policy(` ') optional_policy(` @@ -50237,7 +50493,7 @@ index 6c01261..8cb530b 100644 ') optional_policy(` -@@ -527,6 +792,16 @@ optional_policy(` +@@ -527,6 +788,16 @@ optional_policy(` ') optional_policy(` @@ -50254,7 +50510,7 @@ index 6c01261..8cb530b 100644 hostname_exec(xdm_t) ') -@@ -544,28 +819,65 @@ optional_policy(` +@@ -544,28 +815,65 @@ optional_policy(` ') optional_policy(` @@ -50329,7 +50585,7 @@ index 6c01261..8cb530b 100644 ') optional_policy(` -@@ -577,6 +889,14 @@ optional_policy(` +@@ -577,6 +885,14 @@ optional_policy(` ') optional_policy(` @@ -50344,7 +50600,7 @@ index 6c01261..8cb530b 100644 xfs_stream_connect(xdm_t) ') -@@ -601,7 +921,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -601,7 +917,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -50353,7 +50609,7 @@ index 6c01261..8cb530b 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -615,8 +935,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -615,8 +931,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -50369,7 +50625,7 @@ index 6c01261..8cb530b 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -635,12 +962,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -635,12 +958,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -50391,7 +50647,7 @@ index 6c01261..8cb530b 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -648,6 +982,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -648,6 +978,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -50399,7 +50655,7 @@ index 6c01261..8cb530b 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -674,7 +1009,6 @@ dev_rw_apm_bios(xserver_t) +@@ -674,7 +1005,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -50407,7 +50663,7 @@ index 6c01261..8cb530b 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -684,11 +1018,17 @@ dev_wx_raw_memory(xserver_t) +@@ -684,11 +1014,17 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -50425,7 +50681,7 @@ index 6c01261..8cb530b 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -699,8 +1039,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -699,8 +1035,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -50439,7 +50695,7 @@ index 6c01261..8cb530b 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -713,8 +1058,6 @@ init_getpgid(xserver_t) +@@ -713,8 +1054,6 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) @@ -50448,7 +50704,7 @@ index 6c01261..8cb530b 100644 locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) -@@ -722,11 +1065,12 @@ logging_send_audit_msgs(xserver_t) +@@ -722,11 +1061,12 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -50463,7 +50719,7 @@ index 6c01261..8cb530b 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -780,16 +1124,36 @@ optional_policy(` +@@ -780,16 +1120,36 @@ optional_policy(` ') optional_policy(` @@ -50501,7 +50757,7 @@ index 6c01261..8cb530b 100644 unconfined_domtrans(xserver_t) ') -@@ -798,6 +1162,10 @@ optional_policy(` +@@ -798,6 +1158,10 @@ optional_policy(` ') optional_policy(` 
@@ -50512,7 +50768,7 @@ index 6c01261..8cb530b 100644 xfs_stream_connect(xserver_t) ') -@@ -813,10 +1181,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -813,10 +1177,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -50526,7 +50782,7 @@ index 6c01261..8cb530b 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -824,7 +1192,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -824,7 +1188,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -50535,7 +50791,7 @@ index 6c01261..8cb530b 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -837,6 +1205,9 @@ init_use_fds(xserver_t) +@@ -837,6 +1201,9 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -50545,7 +50801,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -844,6 +1215,11 @@ tunable_policy(`use_nfs_home_dirs',` +@@ -844,6 +1211,11 @@ tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_symlinks(xserver_t) ') @@ -50557,7 +50813,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_dirs(xserver_t) fs_manage_cifs_files(xserver_t) -@@ -852,11 +1228,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -852,11 +1224,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -50574,7 +50830,7 @@ index 6c01261..8cb530b 100644 ') optional_policy(` -@@ -864,6 +1243,10 @@ optional_policy(` +@@ -864,6 +1239,10 @@ optional_policy(` rhgb_rw_tmpfs_files(xserver_t) ') 
@@ -50585,7 +50841,7 @@ index 6c01261..8cb530b 100644 ######################################## # # Rules common to all X window domains -@@ -907,7 +1290,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -907,7 +1286,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -50594,7 +50850,7 @@ index 6c01261..8cb530b 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -961,11 +1344,31 @@ allow x_domain self:x_resource { read write }; +@@ -961,11 +1340,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -50626,7 +50882,7 @@ index 6c01261..8cb530b 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -987,18 +1390,32 @@ tunable_policy(`! xserver_object_manager',` +@@ -987,18 +1386,32 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -52256,7 +52512,7 @@ index 354ce93..f97fbb7 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index cc83689..e83c909 100644 +index cc83689..e4f13ca 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -79,6 +79,41 @@ interface(`init_script_domain',` @@ -52529,7 +52785,7 @@ index cc83689..e83c909 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -52542,7 +52798,7 @@ index cc83689..e83c909 100644 ') ######################################## -@@ -688,19 +843,24 @@ interface(`init_telinit',` +@@ -688,19 +843,25 @@ interface(`init_telinit',` type initctl_t; ') @@ -52559,6 +52815,7 @@ index cc83689..e83c909 100644 type init_t; ') ++ ps_process_pattern($1, init_t) + allow $1 init_t:process signal; # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -52568,7 +52825,16 @@ index cc83689..e83c909 100644 ') ') -@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',` +@@ -730,7 +891,7 @@ interface(`init_rw_initctl',` + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +@@ -773,18 +934,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -52592,7 +52858,7 @@ index cc83689..e83c909 100644 ') ') -@@ -800,23 +961,45 @@ interface(`init_spec_domtrans_script',` +@@ -800,19 +962,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -52615,11 +52881,11 @@ index cc83689..e83c909 100644 ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## 
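Review bot: `ps_process_pattern($1, init_t)` added in `init_telinit` gives every caller of the interface search/read rights on init's /proc entries (dir, file and lnk_file under /proc/1) plus `process getattr`, which is considerably more than the `signal` right it sits next to; if the denial was only a stat of pid 1 (the surrounding lines suggest the upstart branch, where telinit may probe which init is running), the narrower `allow $1 init_t:process getattr;` is preferable. Either way the line needs a why-comment, e.g. `# telinit reads /proc/1 to detect the running init -- TODO confirm from the AVC`. The interface body begins before this hunk.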
@@ -52632,17 +52898,13 @@ index cc83689..e83c909 100644 +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',` + ') + + ######################################## +@@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -52657,7 +52919,7 @@ index cc83689..e83c909 100644 files_search_etc($1) ') -@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',` +@@ -1079,6 +1268,24 @@ interface(`init_read_all_script_files',` ####################################### ## @@ -52682,7 +52944,7 @@ index cc83689..e83c909 100644 ## Dontaudit read all init script files. ## ## -@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',` +@@ -1130,12 +1337,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -52696,7 +52958,7 @@ index cc83689..e83c909 100644 ') ######################################## -@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',` +@@ -1375,6 +1577,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -52724,7 +52986,7 @@ index cc83689..e83c909 100644 ## init scripts over dbus. ## ## -@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',` +@@ -1461,6 +1684,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -52750,7 +53012,7 @@ index cc83689..e83c909 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1519,6 +1761,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## 
@@ -52775,7 +53037,7 @@ index cc83689..e83c909 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1674,7 +1934,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -52784,7 +53046,7 @@ index cc83689..e83c909 100644 ') ######################################## -@@ -1715,6 +1974,74 @@ interface(`init_pid_filetrans_utmp',` +@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file) ') @@ -52859,7 +53121,7 @@ index cc83689..e83c909 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1749,3 +2076,139 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -52898,7 +53160,7 @@ index cc83689..e83c909 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -53000,7 +53262,7 @@ index cc83689..e83c909 100644 +') + diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..5429a16 100644 +index ea29513..22a5fdd 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -53126,10 +53388,13 @@ index ea29513..5429a16 100644 files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) # Run /etc/X11/prefdm: -@@ -151,10 +195,13 @@ mls_file_read_all_levels(init_t) +@@ -151,10 +195,16 @@ mls_file_read_all_levels(init_t) mls_file_write_all_levels(init_t) mls_process_write_down(init_t) mls_fd_use_all_levels(init_t) ++mls_socket_read_all_levels(init_t) ++mls_socket_write_all_levels(init_t) ++ +mls_rangetrans_source(initrc_t) selinux_set_all_booleans(init_t) 
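Review bot: `mls_socket_read_all_levels(init_t)` and `mls_socket_write_all_levels(init_t)` make init_t a trusted subject for socket I/O across all MLS levels, on top of the file, process and fd exemptions listed just above them; on an MLS build that is a real trust extension and the pair should say which socket traffic triggered it, since the hunk gives no hint, e.g. `# socket activation hands init sockets labeled at other levels -- TODO confirm`. If only one direction is actually needed, drop the other; write across levels is the more sensitive of the two.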
@@ -53141,7 +53406,7 @@ index ea29513..5429a16 100644 # Run init scripts. init_domtrans_script(init_t) -@@ -162,12 +209,15 @@ init_domtrans_script(init_t) +@@ -162,12 +212,15 @@ init_domtrans_script(init_t) libs_rw_ld_so_cache(init_t) logging_send_syslog_msg(init_t) @@ -53157,7 +53422,7 @@ index ea29513..5429a16 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -178,7 +228,7 @@ ifdef(`distro_redhat',` +@@ -178,7 +231,7 @@ ifdef(`distro_redhat',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) ') @@ -53166,7 +53431,7 @@ index ea29513..5429a16 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +236,119 @@ tunable_policy(`init_upstart',` +@@ -186,12 +239,119 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -53286,7 +53551,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -199,10 +356,25 @@ optional_policy(` +@@ -199,10 +359,25 @@ optional_policy(` ') optional_policy(` @@ -53312,7 +53577,7 @@ index ea29513..5429a16 100644 unconfined_domain(init_t) ') -@@ -212,7 +384,7 @@ optional_policy(` +@@ -212,7 +387,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -53321,7 +53586,7 @@ index ea29513..5429a16 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +413,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +416,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
@@ -53337,7 +53602,7 @@ index ea29513..5429a16 100644 init_write_initctl(initrc_t) -@@ -258,20 +433,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +436,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -53374,7 +53639,7 @@ index ea29513..5429a16 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +466,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +469,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -53382,7 +53647,7 @@ index ea29513..5429a16 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +479,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +482,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -53390,7 +53655,7 @@ index ea29513..5429a16 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +487,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +490,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -53406,7 +53671,7 @@ index ea29513..5429a16 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +505,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +508,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -53414,7 +53679,7 @@ index ea29513..5429a16 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +513,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +516,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -53426,7 +53691,7 @@ index ea29513..5429a16 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +532,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +535,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -53440,7 +53705,7 @@ index ea29513..5429a16 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +547,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +550,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -53449,7 +53714,7 @@ index ea29513..5429a16 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +561,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +564,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -53457,7 +53722,7 @@ index ea29513..5429a16 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +573,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +576,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -53465,7 +53730,7 @@ index ea29513..5429a16 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,18 +594,17 @@ logging_read_audit_config(initrc_t) +@@ -394,18 +597,17 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript 
@@ -53487,7 +53752,7 @@ index ea29513..5429a16 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -458,6 +657,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +660,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -53498,7 +53763,7 @@ index ea29513..5429a16 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +681,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +684,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -53507,7 +53772,7 @@ index ea29513..5429a16 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +696,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +699,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -53515,7 +53780,7 @@ index ea29513..5429a16 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +726,29 @@ ifdef(`distro_redhat',` +@@ -522,8 +729,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -53545,7 +53810,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -531,10 +756,22 @@ ifdef(`distro_redhat',` +@@ -531,10 +759,22 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -53568,7 +53833,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -549,6 +786,39 @@ ifdef(`distro_suse',` +@@ -549,6 +789,39 @@ ifdef(`distro_suse',` ') ') @@ -53608,7 +53873,7 @@ index ea29513..5429a16 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +831,8 @@ optional_policy(` +@@ -561,6 +834,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -53617,7 +53882,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -577,6 +849,7 @@ optional_policy(` +@@ -577,6 +852,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) 
@@ -53625,7 +53890,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -589,6 +862,11 @@ optional_policy(` +@@ -589,6 +865,11 @@ optional_policy(` ') optional_policy(` @@ -53637,7 +53902,7 @@ index ea29513..5429a16 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +883,13 @@ optional_policy(` +@@ -605,9 +886,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -53651,7 +53916,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -649,6 +931,11 @@ optional_policy(` +@@ -649,6 +934,11 @@ optional_policy(` ') optional_policy(` @@ -53663,7 +53928,7 @@ index ea29513..5429a16 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +993,13 @@ optional_policy(` +@@ -706,7 +996,13 @@ optional_policy(` ') optional_policy(` @@ -53677,7 +53942,7 @@ index ea29513..5429a16 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1022,10 @@ optional_policy(` +@@ -729,6 +1025,10 @@ optional_policy(` ') optional_policy(` @@ -53688,7 +53953,7 @@ index ea29513..5429a16 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1035,20 @@ optional_policy(` +@@ -738,10 +1038,20 @@ optional_policy(` ') optional_policy(` @@ -53709,7 +53974,7 @@ index ea29513..5429a16 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1057,10 @@ optional_policy(` +@@ -750,6 +1060,10 @@ optional_policy(` ') optional_policy(` @@ -53720,7 +53985,7 @@ index ea29513..5429a16 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1082,6 @@ optional_policy(` +@@ -771,8 +1085,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -53729,7 +53994,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -781,14 +1090,21 @@ optional_policy(` +@@ -781,14 +1093,21 @@ optional_policy(` ') optional_policy(` 
@@ -53751,7 +54016,7 @@ index ea29513..5429a16 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1116,6 @@ optional_policy(` +@@ -800,7 +1119,6 @@ optional_policy(` ') optional_policy(` @@ -53759,7 +54024,7 @@ index ea29513..5429a16 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1125,24 @@ optional_policy(` +@@ -810,11 +1128,24 @@ optional_policy(` ') optional_policy(` @@ -53785,7 +54050,7 @@ index ea29513..5429a16 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1152,25 @@ optional_policy(` +@@ -824,6 +1155,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -53811,7 +54076,7 @@ index ea29513..5429a16 100644 ') optional_policy(` -@@ -849,3 +1196,42 @@ optional_policy(` +@@ -849,3 +1199,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -55429,7 +55694,7 @@ index c7cfb62..ee89659 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 9b5a9ed..179ca63 100644 +index 9b5a9ed..869d51c 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -19,6 +19,11 @@ type auditd_log_t; @@ -55529,7 +55794,7 @@ index 9b5a9ed..179ca63 100644 corenet_all_recvfrom_unlabeled(audisp_remote_t) corenet_all_recvfrom_netlabel(audisp_remote_t) -@@ -265,10 +291,19 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -265,10 +291,20 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -55539,6 +55804,7 @@ index 9b5a9ed..179ca63 100644 +logging_send_audit_msgs(audisp_remote_t) + +auth_use_nsswitch(audisp_remote_t) ++auth_append_login_records(audisp_remote_t) miscfiles_read_localization(audisp_remote_t) 
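Review bot: The added `auth_append_login_records(audisp_remote_t)` in the logging.te hunk grants the remote audit-dispatcher plugin append access to the login-accounting records (in refpolicy this is `wtmp_t:file append_file_perms`), and nothing in the hunk or in the spec changelog says why a network-facing audisp plugin needs to write to them. Audit plugins normally only need `logging_send_audit_msgs` and `auth_use_nsswitch`, which are already present two lines above, so this looks like a response to a specific AVC denial rather than a designed capability. Please add a comment naming the denial or the audisp-remote code path that appends to the login records, e.g. `# audisp-remote appends to wtmp when reporting a lost connection -- see <bug>`, so the rule can be re-evaluated rather than silently inherited; if the actual need turns out to be read-only, `auth_read_login_records` would be the narrower choice.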
@@ -55549,7 +55815,7 @@ index 9b5a9ed..179ca63 100644 sysnet_dns_name_resolve(audisp_remote_t) ######################################## -@@ -338,11 +373,12 @@ optional_policy(` +@@ -338,11 +374,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! @@ -55564,7 +55830,7 @@ index 9b5a9ed..179ca63 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -360,6 +396,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -360,6 +397,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -55572,7 +55838,7 @@ index 9b5a9ed..179ca63 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -369,9 +406,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -369,9 +407,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -55588,7 +55854,7 @@ index 9b5a9ed..179ca63 100644 # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) -@@ -412,8 +455,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) +@@ -412,8 +456,13 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) @@ -55602,7 +55868,7 @@ index 9b5a9ed..179ca63 100644 files_read_etc_files(syslogd_t) files_read_usr_files(syslogd_t) -@@ -432,6 +480,7 @@ term_write_console(syslogd_t) +@@ -432,6 +481,7 @@ term_write_console(syslogd_t) # Allow syslog to a terminal term_write_unallocated_ttys(syslogd_t) 
@@ -55610,7 +55876,7 @@ index 9b5a9ed..179ca63 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -480,6 +529,10 @@ optional_policy(` +@@ -480,6 +530,10 @@ optional_policy(` ') optional_policy(` @@ -55621,7 +55887,7 @@ index 9b5a9ed..179ca63 100644 postgresql_stream_connect(syslogd_t) ') -@@ -488,6 +541,10 @@ optional_policy(` +@@ -488,6 +542,10 @@ optional_policy(` ') optional_policy(` @@ -56243,7 +56509,7 @@ index 72c746e..9f9124f 100644 +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 8b5c196..6dc92dd 100644 +index 8b5c196..f66d272 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,16 @@ interface(`mount_domtrans',` @@ -56263,7 +56529,7 @@ index 8b5c196..6dc92dd 100644 ') ######################################## -@@ -45,12 +55,77 @@ interface(`mount_run',` +@@ -45,8 +55,73 @@ interface(`mount_run',` role $2 types mount_t; optional_policy(` @@ -56286,11 +56552,11 @@ index 8b5c196..6dc92dd 100644 + + optional_policy(` + samba_run_smbmount(mount_t, $2) - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute fusermount in the mount domain, and +## allow the specified role the mount domain, +## and use the caller's terminal. @@ -56331,17 +56597,13 @@ index 8b5c196..6dc92dd 100644 +interface(`mount_read_pid_files',` + gen_require(` + type mount_var_run_t; -+ ') + ') + + allow $1 mount_var_run_t:file read_file_perms; + files_search_pids($1) -+') -+ -+######################################## -+## - ## Execute mount in the caller domain. - ## - ## + ') + + ######################################## @@ -84,9 +159,11 @@ interface(`mount_exec',` interface(`mount_signal',` gen_require(` 
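Review bot: In the netlabel.te hunk the new `term_use_all_inherited_terms(netlabel_mgmt_t)` is redundant with the `term_use_all_terms(netlabel_mgmt_t)` that the same hunk keeps from the previous revision: unless this tree's definition differs from refpolicy, `term_use_all_terms` already allows read/write (and open) on every tty and pty node, which subsumes the inherited-fd-only variant. If the intent is to confine netlabelctl to terminals it inherits from its caller, the right change is to drop `term_use_all_terms` rather than add a second rule; if full terminal access is intended, the new line should be dropped instead. The hunk also adds a trailing empty line (`+`) at the end of the file, which leaves a blank last line and should be removed.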
@@ -56445,7 +56707,7 @@ index 8b5c196..6dc92dd 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -56867,17 +57129,22 @@ index 15832c7..43f0a0b 100644 + +userdom_use_inherited_user_terminals(showmount_t) diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te -index cbbda4a..83c5ce7 100644 +index cbbda4a..8dcc346 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te -@@ -25,4 +25,6 @@ files_read_etc_files(netlabel_mgmt_t) +@@ -23,6 +23,11 @@ kernel_read_network_state(netlabel_mgmt_t) + files_read_etc_files(netlabel_mgmt_t) + ++term_use_all_inherited_terms(netlabel_mgmt_t) ++ seutil_use_newrole_fds(netlabel_mgmt_t) -userdom_use_user_terminals(netlabel_mgmt_t) +term_use_all_terms(netlabel_mgmt_t) + +userdom_use_inherited_user_terminals(netlabel_mgmt_t) ++ diff --git a/policy/modules/system/pcmcia.te b/policy/modules/system/pcmcia.te index 4d06ae3..ebd5ed4 100644 --- a/policy/modules/system/pcmcia.te @@ -58000,7 +58267,7 @@ index 694fd94..334e80e 100644 + +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index ff80d0a..ec91ad9 100644 +index ff80d0a..95e705c 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -60,6 +60,24 @@ interface(`sysnet_run_dhcpc',` @@ -58209,7 +58476,7 @@ index ff80d0a..ec91ad9 100644 +## +## +## -+## The domain sending the SIGCHLD. ++## Domain to not audit. +## +## +# @@ -58515,7 +58782,7 @@ index 0000000..c7476cb + diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..4dfe28c +index 0000000..71398e5 --- /dev/null +++ b/policy/modules/system/systemd.if @@ -0,0 +1,246 @@ @@ -58615,7 +58882,7 @@ index 0000000..4dfe28c +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -59400,7 +59667,7 @@ index ce2fbb9..8b34dbc 100644 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -') diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if -index 416e668..352e672 100644 +index 416e668..9f3c1c1 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -12,27 +12,34 @@ @@ -59451,7 +59718,7 @@ index 416e668..352e672 100644 + domain_mmap_low($1) + -+ mls_file_read_all_levels($1) ++ mcs_file_read_all($1) + + ubac_process_exempt($1) + @@ -60151,7 +60418,7 @@ index db75976..392d1ee 100644 +HOME_DIR/\.gvfs(/.*)? <> +HOME_DIR/\.debug(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 28b88de..78f35d2 100644 +index 28b88de..d933851 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -60466,7 +60733,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62131,7 +62398,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62149,7 +62416,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62764,7 +63031,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62782,7 +63049,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62800,7 +63067,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -62818,7 +63085,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# 
@@ -62876,7 +63143,7 @@ index 28b88de..78f35d2 100644 +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# @@ -63092,7 +63359,7 @@ index 28b88de..78f35d2 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index df29ca1..e9e85d7 100644 +index df29ca1..54e3feb 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,7 +7,7 @@ policy_module(userdomain, 4.5.0) @@ -63145,7 +63412,7 @@ index df29ca1..e9e85d7 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -71,26 +98,63 @@ ubac_constrained(user_home_dir_t) +@@ -71,26 +98,66 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -63204,13 +63471,16 @@ index df29ca1..e9e85d7 100644 +dontaudit unpriv_userdomain self:dir setattr; + +optional_policy(` -+ gnome_user_home_dir_filetrans(userdomain) ++ gnome_filetrans_home_content(userdomain) +') + +optional_policy(` -+ ssh_user_home_dir_filetrans(userdomain) ++ ssh_filetrans_home_content(userdomain) +') + ++optional_policy(` ++ xserver_filetrans_home_content(userdomain) ++') diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc index a865da7..a5ed06e 100644 --- a/policy/modules/system/xen.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 6742d89..b6535a9 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 18%{?dist} +Release: 19%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -472,6 +472,14 @@ exit 0 %endif %changelog +* Tue May 3 2011 Miroslav Grepl 3.9.16-19 +- Forard port changes from F15 for telepathy +- NetworkManager should be allowed to use /dev/rfkill +- Fix dontaudit messages to say Domain to not audit +- Allow telepathy domains to read/write gnome_cache files +- Allow telepathy domains to call getpw +- Fixes for colord and vnstatd policy + * Wed Apr 27 2011 Miroslav Grepl 3.9.16-18 - Allow init_t getcap and setcap - Allow namespace_init_t to use nsswitch