diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 8e5e6d2..908cfb5 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -3452,7 +3452,7 @@ index 7590165..85186a9 100644
+ fs_mounton_fusefs(seunshare_domain)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..ef87fdd 100644
+index 644d4d7..3656744 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3475,8 +3475,11 @@ index 644d4d7..ef87fdd 100644
/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -69,16 +71,25 @@ ifdef(`distro_redhat',`
+@@ -67,18 +69,28 @@ ifdef(`distro_redhat',`
+ /etc/hotplug\.d/default/default.* gen_context(system_u:object_r:bin_t,s0)
+
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/etc/kde/kdm(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/etc/redhat-lsb(/.*)? gen_context(system_u:object_r:bin_t,s0)
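Review bot: The new `/etc/kde/kdm(/.*)?` entry labels the entire directory tree bin_t, so every file beneath it becomes executable content for any domain that holds corecmd_exec_bin, not only the kdm session scripts; if kdm's configuration (kdmrc and similar) lives in the same directory it loses the tighter etc_t labelling. The adjacent `/etc/kde/env` and `/etc/kde/shutdown` entries are script-only directories, so they do not set a precedent for a mixed config/script tree. If only the X* session scripts need bin_t, a narrower pattern such as `/etc/kde/kdm/X[^/]* -- gen_context(system_u:object_r:bin_t,s0)` would scope it; otherwise a one-line comment stating that the directory holds scripts only would settle the question for the next reviewer.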
@@ -3501,7 +3504,7 @@ index 644d4d7..ef87fdd 100644
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -101,8 +112,6 @@ ifdef(`distro_redhat',`
+@@ -101,8 +113,6 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -3510,7 +3513,7 @@ index 644d4d7..ef87fdd 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -116,6 +125,9 @@ ifdef(`distro_redhat',`
+@@ -116,6 +126,9 @@ ifdef(`distro_redhat',`
/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3520,7 +3523,7 @@ index 644d4d7..ef87fdd 100644
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +146,12 @@ ifdef(`distro_debian',`
+@@ -134,10 +147,12 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -3534,7 +3537,7 @@ index 644d4d7..ef87fdd 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -148,10 +162,12 @@ ifdef(`distro_gentoo',`
+@@ -148,10 +163,12 @@ ifdef(`distro_gentoo',`
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3548,7 +3551,7 @@ index 644d4d7..ef87fdd 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +183,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +184,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3556,7 +3559,7 @@ index 644d4d7..ef87fdd 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -178,33 +195,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +196,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3615,7 +3618,7 @@ index 644d4d7..ef87fdd 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +248,31 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +249,31 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3654,7 +3657,7 @@ index 644d4d7..ef87fdd 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,26 +287,39 @@ ifdef(`distro_gentoo',`
+@@ -241,26 +288,39 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3699,7 +3702,7 @@ index 644d4d7..ef87fdd 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -269,6 +328,7 @@ ifdef(`distro_gentoo',`
+@@ -269,6 +329,7 @@ ifdef(`distro_gentoo',`
/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
@@ -3707,7 +3710,7 @@ index 644d4d7..ef87fdd 100644
/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -276,10 +336,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +337,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3723,7 +3726,7 @@ index 644d4d7..ef87fdd 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +359,22 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +360,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3748,7 +3751,7 @@ index 644d4d7..ef87fdd 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +392,27 @@ ifdef(`distro_redhat', `
+@@ -321,20 +393,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3777,7 +3780,7 @@ index 644d4d7..ef87fdd 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -342,6 +420,7 @@ ifdef(`distro_redhat', `
+@@ -342,6 +421,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3785,7 +3788,7 @@ index 644d4d7..ef87fdd 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +462,16 @@ ifdef(`distro_suse', `
+@@ -383,11 +463,16 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3803,7 +3806,7 @@ index 644d4d7..ef87fdd 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +481,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +482,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -17214,7 +17217,7 @@ index 54f1827..39faa3f 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..13caedd 100644
+index 1700ef2..ca6c727 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -17318,7 +17321,33 @@ index 1700ef2..13caedd 100644
########################################
##
## Create block devices in on a tmpfs filesystem with the
-@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -290,6 +356,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
+
+ ########################################
+ ##
++## Create block devices in on a tmp filesystem with the
++## fixed disk type via an automatic type transition.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`storage_tmp_filetrans_fixed_disk',`
++ gen_require(`
++ type fixed_disk_device_t;
++ ')
++
++ files_tmp_filetrans($1, fixed_disk_device_t, blk_file)
++')
++
++########################################
++##
+ ## Relabel fixed disk device nodes.
+ ##
+ ##
+@@ -711,6 +796,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')
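Review bot: The summary of the new `storage_tmp_filetrans_fixed_disk` interface reads "Create block devices in on a tmp filesystem", a leftover from the tmpfs interface it was cloned from; it should be `## Create block devices in a tmp directory with the`. The description should also say what the caller actually gains: a type transition to fixed_disk_device_t for blk_file objects under tmp_t, i.e. the ability to create raw-disk device nodes in tmp rather than ordinary tmp access, so the interface is only appropriate for domains that create such nodes themselves. The interface body is fully contained in the hunk.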
@@ -17343,7 +17372,7 @@ index 1700ef2..13caedd 100644
########################################
##
## Allow the caller to directly read
-@@ -808,3 +892,452 @@ interface(`storage_unconfined',`
+@@ -808,3 +911,452 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -30036,7 +30065,7 @@ index 24e7804..6a39d34 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..0973a7f 100644
+index dd3be8d..3b2baa7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -30303,7 +30332,7 @@ index dd3be8d..0973a7f 100644
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +304,232 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +304,233 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -30344,6 +30373,7 @@ index dd3be8d..0973a7f 100644
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
+ gnome_manage_data(init_t)
++ gnome_manage_config(init_t)
+')
+
+optional_policy(`
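Review bot: `gnome_manage_config(init_t)` is added without a comment naming the init-started unit that needs write access to users' gnome configuration, which makes this grant hard to justify or remove later; the two lines it joins are at least already established. Suggest a one-line comment above the block, `# <unit name — TODO fill in> writes per-user gnome config when run by init`, or whichever reason applies. The surrounding init_t section continues outside the hunk.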
@@ -30545,7 +30575,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -216,7 +537,30 @@ optional_policy(`
+@@ -216,7 +538,30 @@ optional_policy(`
')
optional_policy(`
@@ -30576,7 +30606,7 @@ index dd3be8d..0973a7f 100644
')
########################################
-@@ -225,8 +569,9 @@ optional_policy(`
+@@ -225,8 +570,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -30588,7 +30618,7 @@ index dd3be8d..0973a7f 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +602,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +603,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -30605,7 +30635,7 @@ index dd3be8d..0973a7f 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +627,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +628,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -30648,7 +30678,7 @@ index dd3be8d..0973a7f 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +664,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +665,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -30660,7 +30690,7 @@ index dd3be8d..0973a7f 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +676,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +677,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -30671,7 +30701,7 @@ index dd3be8d..0973a7f 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +687,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +688,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -30681,7 +30711,7 @@ index dd3be8d..0973a7f 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +696,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +697,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -30689,7 +30719,7 @@ index dd3be8d..0973a7f 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +703,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +704,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -30697,7 +30727,7 @@ index dd3be8d..0973a7f 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +711,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +712,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -30715,7 +30745,7 @@ index dd3be8d..0973a7f 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +729,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +730,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -30729,7 +30759,7 @@ index dd3be8d..0973a7f 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +744,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +745,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -30743,7 +30773,7 @@ index dd3be8d..0973a7f 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +757,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +758,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -30751,7 +30781,7 @@ index dd3be8d..0973a7f 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +769,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +770,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -30759,7 +30789,7 @@ index dd3be8d..0973a7f 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +788,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +789,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -30783,7 +30813,7 @@ index dd3be8d..0973a7f 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +821,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +822,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -30791,7 +30821,7 @@ index dd3be8d..0973a7f 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +855,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +856,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -30802,7 +30832,7 @@ index dd3be8d..0973a7f 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +879,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +880,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -30811,7 +30841,7 @@ index dd3be8d..0973a7f 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +894,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +895,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -30819,7 +30849,7 @@ index dd3be8d..0973a7f 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +915,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +916,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -30827,7 +30857,7 @@ index dd3be8d..0973a7f 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +925,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +926,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -30872,7 +30902,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -558,14 +970,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +971,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -30904,7 +30934,7 @@ index dd3be8d..0973a7f 100644
')
')
-@@ -576,6 +1005,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +1006,39 @@ ifdef(`distro_suse',`
')
')
@@ -30944,7 +30974,7 @@ index dd3be8d..0973a7f 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1050,8 @@ optional_policy(`
+@@ -588,6 +1051,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -30953,7 +30983,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -609,6 +1073,7 @@ optional_policy(`
+@@ -609,6 +1074,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -30961,7 +30991,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -625,6 +1090,17 @@ optional_policy(`
+@@ -625,6 +1091,17 @@ optional_policy(`
')
optional_policy(`
@@ -30979,7 +31009,7 @@ index dd3be8d..0973a7f 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1117,13 @@ optional_policy(`
+@@ -641,9 +1118,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -30993,7 +31023,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -656,15 +1136,11 @@ optional_policy(`
+@@ -656,15 +1137,11 @@ optional_policy(`
')
optional_policy(`
@@ -31011,7 +31041,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -685,6 +1161,15 @@ optional_policy(`
+@@ -685,6 +1162,15 @@ optional_policy(`
')
optional_policy(`
@@ -31027,7 +31057,7 @@ index dd3be8d..0973a7f 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1210,7 @@ optional_policy(`
+@@ -725,6 +1211,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -31035,7 +31065,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -742,7 +1228,13 @@ optional_policy(`
+@@ -742,7 +1229,13 @@ optional_policy(`
')
optional_policy(`
@@ -31050,7 +31080,7 @@ index dd3be8d..0973a7f 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1257,10 @@ optional_policy(`
+@@ -765,6 +1258,10 @@ optional_policy(`
')
optional_policy(`
@@ -31061,7 +31091,7 @@ index dd3be8d..0973a7f 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1270,20 @@ optional_policy(`
+@@ -774,10 +1271,20 @@ optional_policy(`
')
optional_policy(`
@@ -31082,7 +31112,7 @@ index dd3be8d..0973a7f 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1292,10 @@ optional_policy(`
+@@ -786,6 +1293,10 @@ optional_policy(`
')
optional_policy(`
@@ -31093,7 +31123,7 @@ index dd3be8d..0973a7f 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1317,6 @@ optional_policy(`
+@@ -807,8 +1318,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -31102,7 +31132,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -817,6 +1325,10 @@ optional_policy(`
+@@ -817,6 +1326,10 @@ optional_policy(`
')
optional_policy(`
@@ -31113,7 +31143,7 @@ index dd3be8d..0973a7f 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1338,12 @@ optional_policy(`
+@@ -826,10 +1339,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -31126,7 +31156,7 @@ index dd3be8d..0973a7f 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1370,35 @@ optional_policy(`
+@@ -856,12 +1371,35 @@ optional_policy(`
')
optional_policy(`
@@ -31163,7 +31193,7 @@ index dd3be8d..0973a7f 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1408,18 @@ optional_policy(`
+@@ -871,6 +1409,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -31182,7 +31212,7 @@ index dd3be8d..0973a7f 100644
')
optional_policy(`
-@@ -886,6 +1435,10 @@ optional_policy(`
+@@ -886,6 +1436,10 @@ optional_policy(`
')
optional_policy(`
@@ -31193,7 +31223,7 @@ index dd3be8d..0973a7f 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1449,218 @@ optional_policy(`
+@@ -896,3 +1450,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -42310,7 +42340,7 @@ index db75976..cb4a211 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..95b1263 100644
+index 3c5dba7..4ce3586 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -44115,10 +44145,16 @@ index 3c5dba7..95b1263 100644
########################################
##
## Create directories in the home dir root with
-@@ -1711,6 +2255,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1707,10 +2251,12 @@ interface(`userdom_user_home_domtrans',`
+ #
+ interface(`userdom_dontaudit_search_user_home_content',`
+ gen_require(`
+- type user_home_t;
++ attribute user_home_type;
')
- dontaudit $1 user_home_t:dir search_dir_perms;
+- dontaudit $1 user_home_t:dir search_dir_perms;
++ dontaudit $1 user_home_type:dir search_dir_perms;
+ fs_dontaudit_list_nfs($1)
+ fs_dontaudit_list_cifs($1)
')
@@ -44965,7 +45001,7 @@ index 3c5dba7..95b1263 100644
##
##
##
-@@ -3130,17 +3946,17 @@ interface(`userdom_search_user_home_content',`
+@@ -3130,35 +3946,17 @@ interface(`userdom_search_user_home_content',`
##
##
#
@@ -44982,14 +45018,13 @@ index 3c5dba7..95b1263 100644
########################################
##
-## Send general signals to unprivileged user domains.
-+## Inherit the file descriptors from unprivileged user domains.
- ##
- ##
- ##
-@@ -3148,25 +3964,7 @@ interface(`userdom_signull_unpriv_users',`
- ##
- ##
- #
+-##
+-##
+-##
+-## Domain allowed access.
+-##
+-##
+-#
-interface(`userdom_signal_unpriv_users',`
- gen_require(`
- attribute unpriv_userdomain;
@@ -45001,18 +45036,10 @@ index 3c5dba7..95b1263 100644
-########################################
-##
-## Inherit the file descriptors from unprivileged user domains.
--##
--##
--##
--## Domain allowed access.
--##
--##
--#
--interface(`userdom_use_unpriv_users_fds',`
-+interface(`userdom_use_unpriv_users_fds',`
- gen_require(`
- attribute unpriv_userdomain;
- ')
++## Inherit the file descriptors from unprivileged user domains.
+ ##
+ ##
+ ##
@@ -3217,7 +4015,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -45235,7 +45262,7 @@ index 3c5dba7..95b1263 100644
## Send a dbus message to all user domains.
##
##
-@@ -3438,4 +4403,1663 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3438,4 +4403,1664 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -45955,12 +45982,13 @@ index 3c5dba7..95b1263 100644
+ ')
+
+ userdom_search_user_home_dirs($1)
-+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
-+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
-+ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012")
++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013")
++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014")
+ manage_dirs_pattern($1, texlive_home_t, texlive_home_t)
+ manage_files_pattern($1, texlive_home_t, texlive_home_t)
-+ manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
++ manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t)
++ allow $1 texlive_home_t:file relabelfrom;
+')
+
+########################################
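Review bot: The new `allow $1 texlive_home_t:file relabelfrom;` introduces a raw relabel permission into a template whose other rules are all *_pattern macros, with no comment on which texlive tool relabels files under its home directory; relabelfrom only takes effect once the caller also holds relabelto on a destination type, so the intent is not recoverable from the rule itself. Suggest `# <tool — TODO name it> relabels ~/.texlive* files; relabelto comes from the caller` or the actual reason. The rest of the hunk only corrects indentation.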
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 943387d..8ce15bc 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -568,7 +568,7 @@ index 058d908..cf17e67 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..db6136e 100644
+index cc43d25..1dc58bb 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -913,7 +913,7 @@ index cc43d25..db6136e 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +304,17 @@ optional_policy(`
+@@ -240,9 +304,21 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -925,6 +925,10 @@ index cc43d25..db6136e 100644
+ xserver_read_log(abrt_t)
+')
+
++optional_policy(`
++ udev_read_db(abrt_t)
++')
++
#######################################
#
-# Handle-event local policy
@@ -932,7 +936,7 @@ index cc43d25..db6136e 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +325,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +329,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -947,7 +951,7 @@ index cc43d25..db6136e 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +344,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -268,6 +348,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -955,7 +959,7 @@ index cc43d25..db6136e 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +353,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -276,15 +357,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -976,7 +980,7 @@ index cc43d25..db6136e 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +374,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +378,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -1003,7 +1007,7 @@ index cc43d25..db6136e 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +410,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -314,10 +414,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -1017,7 +1021,7 @@ index cc43d25..db6136e 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +428,11 @@ optional_policy(`
+@@ -330,10 +432,11 @@ optional_policy(`
#######################################
#
@@ -1031,7 +1035,7 @@ index cc43d25..db6136e 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +451,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -352,46 +455,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1101,7 +1105,7 @@ index cc43d25..db6136e 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +517,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +521,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -9367,7 +9371,7 @@ index 2b9c7f3..0086b95 100644
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
diff --git a/bluetooth.if b/bluetooth.if
-index c723a0a..3e8a553 100644
+index c723a0a..aa3283e 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
@@ -9396,7 +9400,21 @@ index c723a0a..3e8a553 100644
')
#####################################
-@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',`
+@@ -63,11 +70,13 @@ interface(`bluetooth_role',`
+ interface(`bluetooth_stream_connect',`
+ gen_require(`
+ type bluetooth_t, bluetooth_var_run_t;
++ type bluetooth_tmp_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 bluetooth_t:socket rw_socket_perms;
+ stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
++ stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)
+ ')
+
+ ########################################
+@@ -130,6 +139,27 @@ interface(`bluetooth_dbus_chat',`
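Review bot: The new `stream_connect_pattern($1, bluetooth_tmp_t, bluetooth_tmp_t, bluetooth_t)` in bluetooth_stream_connect has no directory-search rule for the path to that socket: the existing `files_search_pids($1)` covers only the var_run socket, so if the bluetooth_tmp_t socket is created under /tmp the caller is denied search on tmp_t before it reaches the sock_file. Add `files_search_tmp($1)` beside `files_search_pids($1)`. The interface is shown in full within the hunk.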
########################################
##
@@ -9424,7 +9442,7 @@ index c723a0a..3e8a553 100644
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
##
##
-@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
+@@ -190,6 +220,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
########################################
##
@@ -9454,7 +9472,7 @@ index c723a0a..3e8a553 100644
## All of the rules required to
## administrate an bluetooth environment.
##
-@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
+@@ -210,12 +263,16 @@ interface(`bluetooth_admin',`
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
type bluetooth_var_lib_t, bluetooth_var_run_t;
type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
@@ -9473,7 +9491,7 @@ index c723a0a..3e8a553 100644
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 bluetooth_initrc_exec_t system_r;
-@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
+@@ -235,4 +292,8 @@ interface(`bluetooth_admin',`
files_list_pids($1)
admin_pattern($1, bluetooth_var_run_t)
@@ -10803,7 +10821,7 @@ index 400db07..f416e22 100644
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
-index 4ec0626..88e7e89 100644
+index 4ec0626..32b7796 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
@@ -10814,7 +10832,7 @@ index 4ec0626..88e7e89 100644
corenet_all_recvfrom_netlabel(canna_t)
corenet_tcp_sendrecv_generic_if(canna_t)
corenet_tcp_sendrecv_generic_node(canna_t)
-@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t)
+@@ -68,15 +67,13 @@ fs_search_auto_mountpoints(canna_t)
domain_use_interactive_fds(canna_t)
@@ -10824,13 +10842,14 @@ index 4ec0626..88e7e89 100644
files_search_tmp(canna_t)
files_dontaudit_read_root_files(canna_t)
- logging_send_syslog_msg(canna_t)
+-logging_send_syslog_msg(canna_t)
++auth_use_nsswitch(canna_t)
-miscfiles_read_localization(canna_t)
--
++logging_send_syslog_msg(canna_t)
+
sysnet_read_config(canna_t)
- userdom_dontaudit_use_unpriv_user_fds(canna_t)
diff --git a/ccs.if b/ccs.if
index 5ded72d..cb94e5e 100644
--- a/ccs.if
@@ -15927,7 +15946,7 @@ index 83d6744..3f0c0dc 100644
+ ')
')
diff --git a/couchdb.te b/couchdb.te
-index 503adab..1253764 100644
+index 503adab..726f653 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,6 +27,13 @@ files_type(couchdb_var_lib_t)
@@ -15957,7 +15976,7 @@ index 503adab..1253764 100644
manage_dirs_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
append_files_pattern(couchdb_t, couchdb_log_t, couchdb_log_t)
-@@ -56,11 +63,12 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
+@@ -56,11 +63,13 @@ files_var_lib_filetrans(couchdb_t, couchdb_var_lib_t, dir)
manage_dirs_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
manage_files_pattern(couchdb_t, couchdb_var_run_t, couchdb_var_run_t)
@@ -15968,10 +15987,11 @@ index 503adab..1253764 100644
kernel_read_system_state(couchdb_t)
+kernel_read_fs_sysctls(couchdb_t)
++kernel_dgram_send(couchdb_t)
corecmd_exec_bin(couchdb_t)
corecmd_exec_shell(couchdb_t)
-@@ -75,14 +83,32 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
+@@ -75,14 +84,32 @@ corenet_sendrecv_couchdb_server_packets(couchdb_t)
corenet_tcp_bind_couchdb_port(couchdb_t)
corenet_tcp_sendrecv_couchdb_port(couchdb_t)
@@ -24026,14 +24046,16 @@ index ef36d73..fddd51f 100644
sysnet_etc_filetrans_config(dnssec_triggerd_t)
diff --git a/docker.fc b/docker.fc
new file mode 100644
-index 0000000..1c4ac02
+index 0000000..de72961
--- /dev/null
+++ b/docker.fc
-@@ -0,0 +1,17 @@
+@@ -0,0 +1,19 @@
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
+
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
+
++/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
++
+/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
+
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
@@ -24049,10 +24071,10 @@ index 0000000..1c4ac02
+/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
diff --git a/docker.if b/docker.if
new file mode 100644
-index 0000000..683dfdc
+index 0000000..bc5142f
--- /dev/null
+++ b/docker.if
-@@ -0,0 +1,363 @@
+@@ -0,0 +1,366 @@
+
+## The open-source application container engine.
+
@@ -24390,11 +24412,14 @@ index 0000000..683dfdc
+ type docker_unit_file_t;
+ type docker_lock_t;
+ type docker_log_t;
++ type docker_config_t;
+ ')
+
+ allow $1 docker_t:process { ptrace signal_perms };
+ ps_process_pattern($1, docker_t)
+
++ admin_pattern($1, docker_config_t)
++
+ files_search_var_lib($1)
+ admin_pattern($1, docker_var_lib_t)
+
@@ -24418,10 +24443,10 @@ index 0000000..683dfdc
+')
diff --git a/docker.te b/docker.te
new file mode 100644
-index 0000000..3ca773f
+index 0000000..206c692
--- /dev/null
+++ b/docker.te
-@@ -0,0 +1,284 @@
+@@ -0,0 +1,290 @@
+policy_module(docker, 1.0.0)
+
+########################################
@@ -24453,6 +24478,9 @@ index 0000000..3ca773f
+type docker_var_lib_t;
+files_type(docker_var_lib_t)
+
++type docker_config_t;
++files_config_file(docker_config_t)
++
+type docker_lock_t;
+files_lock_file(docker_lock_t)
+
@@ -24489,6 +24517,9 @@ index 0000000..3ca773f
+allow docker_t self:udp_socket create_socket_perms;
+allow docker_t self:capability2 block_suspend;
+
++
++manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
++manage_files_pattern(docker_t, docker_config_t, docker_config_t)
+manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
+manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
+files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
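Review bot: `++manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)` and the `manage_files_pattern` line under it give the daemon create, rewrite and delete rights over its own configuration tree (the /etc/docker path labeled docker_config_t in the docker.fc hunk above), which is broader than the read-only access a `files_config_file` type usually gets and lets a compromised daemon persist changes to the configuration it is started from. If docker only reads /etc/docker, `read_files_pattern(docker_t, docker_config_t, docker_config_t)` together with `files_search_etc(docker_t)` is the tighter grant; if it genuinely writes there, a comment above the rules naming what it writes would justify the manage rules. The second `++` line, an empty one, also introduces a stray double blank line before the block. The docker_t rule block continues outside the hunk.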
@@ -29062,10 +29093,10 @@ index 0000000..9e17d3e
+')
diff --git a/geoclue.te b/geoclue.te
new file mode 100644
-index 0000000..d964114
+index 0000000..e61eed9
--- /dev/null
+++ b/geoclue.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,63 @@
+policy_module(geoclue, 1.0.0)
+
+########################################
@@ -29115,6 +29146,10 @@ index 0000000..d964114
+sysnet_dns_name_resolve(geoclue_t)
+
+optional_policy(`
++ kerberos_use(geoclue_t)
++')
++
++optional_policy(`
+ dbus_system_domain(geoclue_t, geoclue_exec_t)
+
+ optional_policy(`
@@ -40772,7 +40807,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..36ced41 100644
+index 7bab8e5..5c1e801 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,26 @@
@@ -41039,7 +41074,7 @@ index 7bab8e5..36ced41 100644
')
optional_policy(`
-@@ -228,10 +271,21 @@ optional_policy(`
+@@ -228,26 +271,43 @@ optional_policy(`
')
optional_policy(`
@@ -41061,7 +41096,11 @@ index 7bab8e5..36ced41 100644
su_exec(logrotate_t)
')
-@@ -239,15 +293,17 @@ optional_policy(`
+ optional_policy(`
++ rpm_read_cache(logrotate_t)
++')
++
++optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -46198,7 +46237,7 @@ index 6194b80..ecab2e6 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..80996ad 100644
+index 6a306ee..c4db163 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -46659,7 +46698,7 @@ index 6a306ee..80996ad 100644
')
optional_policy(`
-@@ -300,259 +341,256 @@ optional_policy(`
+@@ -300,259 +341,260 @@ optional_policy(`
########################################
#
@@ -47001,27 +47040,30 @@ index 6a306ee..80996ad 100644
- fs_manage_cifs_files(mozilla_plugin_t)
- fs_manage_cifs_symlinks(mozilla_plugin_t)
+optional_policy(`
-+ bumblebee_stream_connect(mozilla_plugin_t)
++ bluetooth_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
- alsa_read_home_files(mozilla_plugin_t)
-+ cups_stream_connect(mozilla_plugin_t)
++ bumblebee_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
-+ dbus_system_bus_client(mozilla_plugin_t)
-+ dbus_session_bus_client(mozilla_plugin_t)
-+ dbus_connect_session_bus(mozilla_plugin_t)
-+ dbus_read_lib_files(mozilla_plugin_t)
++ cups_stream_connect(mozilla_plugin_t)
')
optional_policy(`
- dbus_all_session_bus_client(mozilla_plugin_t)
- dbus_connect_all_session_bus(mozilla_plugin_t)
-- dbus_system_bus_client(mozilla_plugin_t)
+ dbus_system_bus_client(mozilla_plugin_t)
++ dbus_session_bus_client(mozilla_plugin_t)
++ dbus_connect_session_bus(mozilla_plugin_t)
++ dbus_read_lib_files(mozilla_plugin_t)
++')
++
++optional_policy(`
+ gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
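Review bot: `++ bluetooth_stream_connect(mozilla_plugin_t)` lets every browser plugin process connect to the bluetooth daemon's sockets (bluetooth_var_run_t, and bluetooth_tmp_t as well if the interface extended at the top of this diff is the same one) whenever the bluetooth module is loaded, with no way for an administrator to turn it off. The other peripheral-style grants for this domain further down in the file (`mozilla_plugin_use_spice`, `mozilla_plugin_use_gps`, `mozilla_plugin_use_bluejeans`) are each wrapped in a `tunable_policy` boolean, so for consistency and least privilege this call would fit inside a `tunable_policy(` ... `)` block within the same optional_policy section, gated by a new boolean declared next to the existing ones (a constructed name such as mozilla_plugin_use_bluetooth). The enclosing optional_policy section starts and ends outside this hunk.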
@@ -47062,7 +47104,7 @@ index 6a306ee..80996ad 100644
')
optional_policy(`
-@@ -560,7 +598,11 @@ optional_policy(`
+@@ -560,7 +602,11 @@ optional_policy(`
')
optional_policy(`
@@ -47075,7 +47117,7 @@ index 6a306ee..80996ad 100644
')
optional_policy(`
-@@ -568,108 +610,142 @@ optional_policy(`
+@@ -568,108 +614,142 @@ optional_policy(`
')
optional_policy(`
@@ -47104,8 +47146,7 @@ index 6a306ee..80996ad 100644
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-
+-
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
@@ -47113,7 +47154,8 @@ index 6a306ee..80996ad 100644
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
--
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
+
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
@@ -47201,31 +47243,25 @@ index 6a306ee..80996ad 100644
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
-
--userdom_use_user_ptys(mozilla_plugin_config_t)
++
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
-
--mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
++
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
+')
--tunable_policy(`allow_execmem',`
-- allow mozilla_plugin_config_t self:process execmem;
+-userdom_use_user_ptys(mozilla_plugin_config_t)
+optional_policy(`
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
- ')
++')
--tunable_policy(`mozilla_execstack',`
-- allow mozilla_plugin_config_t self:process { execmem execstack };
+-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
+optional_policy(`
+ xserver_use_user_fonts(mozilla_plugin_config_t)
- ')
++')
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(mozilla_plugin_config_t)
-- fs_manage_nfs_files(mozilla_plugin_config_t)
-- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`allow_execmem',`
+- allow mozilla_plugin_config_t self:process execmem;
+ifdef(`distro_redhat',`
+ typealias mozilla_plugin_t alias nsplugin_t;
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
@@ -47236,10 +47272,8 @@ index 6a306ee..80996ad 100644
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
')
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(mozilla_plugin_config_t)
-- fs_manage_cifs_files(mozilla_plugin_config_t)
-- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+-tunable_policy(`mozilla_execstack',`
+- allow mozilla_plugin_config_t self:process { execmem execstack };
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+#', `
@@ -47252,27 +47286,35 @@ index 6a306ee..80996ad 100644
+ userdom_execmod_user_home_files(mozilla_plugin_t)
')
--optional_policy(`
-- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(mozilla_plugin_config_t)
+- fs_manage_nfs_files(mozilla_plugin_config_t)
+- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_spice',`
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
+ dev_setattr_generic_usb_dev(mozilla_plugin_t)
+ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
')
--optional_policy(`
-- xserver_use_user_fonts(mozilla_plugin_config_t)
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(mozilla_plugin_config_t)
+- fs_manage_cifs_files(mozilla_plugin_config_t)
+- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_gps',`
+ fs_manage_dos_dirs(mozilla_plugin_t)
+ fs_manage_dos_files(mozilla_plugin_t)
-+')
-+
+ ')
+
+-optional_policy(`
+- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_use_bluejeans',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_dontaudit_tcp_bind_all_defined_ports(mozilla_plugin_t)
+ corenet_tcp_connect_commplex_main_port(mozilla_plugin_t)
-+')
-+
+ ')
+
+-optional_policy(`
+- xserver_use_user_fonts(mozilla_plugin_config_t)
+tunable_policy(`mozilla_plugin_bind_unreserved_ports',`
+ corenet_tcp_bind_unreserved_ports(mozilla_plugin_t)
+ corenet_udp_bind_all_unreserved_ports(mozilla_plugin_t)
@@ -48874,7 +48916,7 @@ index ed81cac..837a43a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..21904e5 100644
+index afd2fad..bff8488 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -49171,7 +49213,7 @@ index afd2fad..21904e5 100644
optional_policy(`
+ munin_dontaudit_leaks(system_mail_t)
-+ munin_append_var_lib_files(system_mail_t)
++ munin_manage_var_lib_files(system_mail_t)
+')
+
+optional_policy(`
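Review bot: Swapping `munin_append_var_lib_files(system_mail_t)` for `++ munin_manage_var_lib_files(system_mail_t)` moves the mail domain from append-only to full create, write, rename and unlink rights over munin's state files, since the new interface in munin.if below expands to `manage_files_pattern`. The changelog only says the mailer needs to create content there, so if create plus append is all that is required, an interface built from `create_files_pattern` and `append_files_pattern` would cover it without letting system_mail_t truncate or delete existing munin data; if full management really is needed, a comment on the rule naming the plugin that writes there would document why. The enclosing optional_policy block begins at the top of the hunk and its sibling blocks continue outside it.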
@@ -49643,7 +49685,7 @@ index eb4b72a..4968324 100644
+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
-index b744fe3..17e2514 100644
+index b744fe3..e713bb6 100644
--- a/munin.if
+++ b/munin.if
@@ -1,12 +1,13 @@
@@ -49714,7 +49756,7 @@ index b744fe3..17e2514 100644
##
##
##
-@@ -80,15 +84,73 @@ interface(`munin_read_config',`
+@@ -80,15 +84,92 @@ interface(`munin_read_config',`
type munin_etc_t;
')
@@ -49723,11 +49765,10 @@ index b744fe3..17e2514 100644
allow $1 munin_etc_t:file read_file_perms;
allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
+ files_search_etc($1)
- ')
-
- #######################################
- ##
--## Append munin log files.
++')
++
++#######################################
++##
+## Read munin library files.
+##
+##
@@ -49748,6 +49789,25 @@ index b744fe3..17e2514 100644
+
+#######################################
+##
++## Manage munin library files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`munin_manage_var_lib_files',`
++ gen_require(`
++ type munin_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
++')
++
++#######################################
++##
+## Append munin library files.
+##
+##
@@ -49782,15 +49842,16 @@ index b744fe3..17e2514 100644
+ ')
+
+ dontaudit $1 munin_t:tcp_socket { read write };
-+')
-+
-+#######################################
-+##
+ ')
+
+ #######################################
+ ##
+-## Append munin log files.
+## Append to the munin log.
##
##
##
-@@ -147,8 +209,8 @@ interface(`munin_dontaudit_search_lib',`
+@@ -147,8 +228,8 @@ interface(`munin_dontaudit_search_lib',`
########################################
##
@@ -49801,7 +49862,7 @@ index b744fe3..17e2514 100644
##
##
##
-@@ -157,7 +219,7 @@ interface(`munin_dontaudit_search_lib',`
+@@ -157,7 +238,7 @@ interface(`munin_dontaudit_search_lib',`
##
##
##
@@ -49810,7 +49871,7 @@ index b744fe3..17e2514 100644
##
##
##
-@@ -170,8 +232,12 @@ interface(`munin_admin',`
+@@ -170,8 +251,12 @@ interface(`munin_admin',`
type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
')
@@ -59645,7 +59706,7 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..e148dc4 100644
+index 3270ff9..baf76c1 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
@@ -59748,7 +59809,7 @@ index 3270ff9..e148dc4 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -118,21 +144,30 @@ files_read_etc_runtime_files(openvpn_t)
+@@ -118,21 +144,31 @@ files_read_etc_runtime_files(openvpn_t)
fs_getattr_all_fs(openvpn_t)
fs_search_auto_mountpoints(openvpn_t)
@@ -59769,6 +59830,7 @@ index 3270ff9..e148dc4 100644
-userdom_use_user_terminals(openvpn_t)
+systemd_passwd_agent_domtrans(openvpn_t)
++systemd_manage_passwd_run(openvpn_t)
+
+userdom_use_inherited_user_terminals(openvpn_t)
+userdom_read_home_certs(openvpn_t)
@@ -59782,7 +59844,7 @@ index 3270ff9..e148dc4 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -143,11 +178,25 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
+@@ -143,11 +179,25 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(openvpn_t)
')
@@ -59808,7 +59870,7 @@ index 3270ff9..e148dc4 100644
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)
-@@ -155,3 +204,27 @@ optional_policy(`
+@@ -155,3 +205,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -68973,7 +69035,7 @@ index cd8b8b9..6c73980 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..96d835a 100644
+index b2b5dba..3ed75e7 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@@ -69062,7 +69124,8 @@ index b2b5dba..96d835a 100644
+# PPPD Local policy
#
- allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
+-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice sys_chroot };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched setsched signal };
+dontaudit pppd_t self:capability2 block_suspend;
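Review bot: The `sys_chroot` capability appended on the `++allow pppd_t self:capability { ... sys_chroot };` line is the only change in this hunk, yet it carries no comment explaining which pppd code path chroots, and the spec changelog at the end of this diff does not list it at all. A one-line why-comment above the rule, for example `# sys_chroot: <pppd helper or plugin that chroots> -- TODO confirm`, would let the next reviewer distinguish a needed grant from an audit2allow leftover. The pppd_t rule block continues outside the hunk.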
@@ -70642,7 +70705,7 @@ index 0000000..19c35c1
+')
diff --git a/prosody.te b/prosody.te
new file mode 100644
-index 0000000..4f6badd
+index 0000000..ad32ffe
--- /dev/null
+++ b/prosody.te
@@ -0,0 +1,75 @@
@@ -70679,7 +70742,7 @@ index 0000000..4f6badd
+# prosody local policy
+#
+allow prosody_t self:capability { setuid setgid };
-+allow prosody_t self:process signal_perms;
++allow prosody_t self:process { signal_perms execmem };
+allow prosody_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
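Review bot: `++allow prosody_t self:process { signal_perms execmem };` grants execmem unconditionally, whereas thumb.te later in this same diff puts the identical permission behind `tunable_policy(`deny_execmem',`',` ... `')` so administrators can switch it off system-wide. Since the changelog attributes the need to the LuaJIT engine, the same shape fits here: keep `allow prosody_t self:process signal_perms;` and move the execmem grant into `tunable_policy(`deny_execmem',`',` allow prosody_t self:process execmem; ')`. The prosody_t rule block continues outside the hunk.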
@@ -75797,7 +75860,7 @@ index 2c3d338..7d49554 100644
init_labeled_script_domtrans($1, rabbitmq_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..a844a8f 100644
+index 3698b51..f1b94dd 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -5,13 +5,14 @@ policy_module(rabbitmq, 1.0.0)
@@ -75831,7 +75894,7 @@ index 3698b51..a844a8f 100644
type rabbitmq_var_log_t;
logging_log_file(rabbitmq_var_log_t)
-@@ -27,80 +31,86 @@ files_pid_file(rabbitmq_var_run_t)
+@@ -27,80 +31,92 @@ files_pid_file(rabbitmq_var_run_t)
######################################
#
@@ -75850,55 +75913,55 @@ index 3698b51..a844a8f 100644
-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
--
--manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
--manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+allow rabbitmq_t self:capability setuid;
--can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+-manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+-manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
+allow rabbitmq_t self:process { setsched signal signull };
+allow rabbitmq_t self:fifo_file rw_fifo_file_perms;
+allow rabbitmq_t self:tcp_socket { accept listen };
--domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+-can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+files_var_lib_filetrans(rabbitmq_t, rabbitmq_var_lib_t, { dir file })
--kernel_read_system_state(rabbitmq_beam_t)
+-domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
+logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })
--corecmd_exec_bin(rabbitmq_beam_t)
--corecmd_exec_shell(rabbitmq_beam_t)
+-kernel_read_system_state(rabbitmq_beam_t)
+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+manage_files_pattern(rabbitmq_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
+files_lock_filetrans(rabbitmq_t, rabbitmq_var_lock_t, file)
+-corecmd_exec_bin(rabbitmq_beam_t)
+-corecmd_exec_shell(rabbitmq_beam_t)
++manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
++manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
++files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
+
-corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
-corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
-corenet_tcp_bind_generic_node(rabbitmq_beam_t)
-+manage_dirs_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-+manage_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
-+files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })
++kernel_read_system_state(rabbitmq_t)
++kernel_read_fs_sysctls(rabbitmq_t)
-corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
-corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t)
-+kernel_read_system_state(rabbitmq_t)
-+kernel_read_fs_sysctls(rabbitmq_t)
++corecmd_exec_bin(rabbitmq_t)
++corecmd_exec_shell(rabbitmq_t)
-corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
-corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
-+corecmd_exec_bin(rabbitmq_t)
-+corecmd_exec_shell(rabbitmq_t)
-
--dev_read_sysfs(rabbitmq_beam_t)
+corenet_tcp_bind_generic_node(rabbitmq_t)
+corenet_udp_bind_generic_node(rabbitmq_t)
+corenet_all_recvfrom_unlabeled(rabbitmq_t)
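Review bot: The new `++manage_lnk_files_pattern(rabbitmq_t, rabbitmq_var_run_t, rabbitmq_var_run_t)` sits next to `files_pid_filetrans(rabbitmq_t, rabbitmq_var_run_t, { dir file })`, and the matching log-directory rule next to `logging_log_filetrans(rabbitmq_t, rabbitmq_var_log_t, { dir file })`; neither transition lists `lnk_file`, so a symlink the daemon creates directly under /var/run or /var/log would presumably not receive the rabbitmq type. If the "link files created with its content" from the changelog live inside the rabbitmq subdirectories this is fine; if they are created at the top level, both transitions should become `{ dir file lnk_file }`. A short comment on the two symlink rules naming which links rabbitmq creates would settle it for the next reader. The rabbitmq_t rule block continues in the following hunk.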
@@ -75921,51 +75984,56 @@ index 3698b51..a844a8f 100644
+corenet_tcp_sendrecv_epmd_port(rabbitmq_t)
+corenet_tcp_connect_http_port(rabbitmq_t)
--files_read_etc_files(rabbitmq_beam_t)
+-dev_read_sysfs(rabbitmq_beam_t)
+domain_read_all_domains_state(rabbitmq_t)
--miscfiles_read_localization(rabbitmq_beam_t)
+-files_read_etc_files(rabbitmq_beam_t)
+auth_read_passwd(rabbitmq_t)
+auth_use_pam(rabbitmq_t)
+-miscfiles_read_localization(rabbitmq_beam_t)
++files_getattr_all_mountpoints(rabbitmq_t)
+
-sysnet_dns_name_resolve(rabbitmq_beam_t)
-
-########################################
-#
-# Epmd local policy
-#
-+files_getattr_all_mountpoints(rabbitmq_t)
-
+fs_getattr_all_fs(rabbitmq_t)
+fs_getattr_all_dirs(rabbitmq_t)
+fs_getattr_cgroup(rabbitmq_t)
+fs_search_cgroup_dirs(rabbitmq_t)
++dev_read_sysfs(rabbitmq_t)
++dev_read_urand(rabbitmq_t)
+
-allow rabbitmq_epmd_t self:process signal;
-allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
-allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-allow rabbitmq_epmd_t self:unix_stream_socket { accept listen };
-+dev_read_sysfs(rabbitmq_t)
-+dev_read_urand(rabbitmq_t)
++storage_getattr_fixed_disk_dev(rabbitmq_t)
-allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms;
-+storage_getattr_fixed_disk_dev(rabbitmq_t)
++sysnet_dns_name_resolve(rabbitmq_t)
-corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t)
-corenet_all_recvfrom_netlabel(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_generic_node(rabbitmq_epmd_t)
-corenet_tcp_bind_generic_node(rabbitmq_epmd_t)
-+sysnet_dns_name_resolve(rabbitmq_t)
++logging_send_syslog_msg(rabbitmq_t)
-corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
-corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
-corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
-+logging_send_syslog_msg(rabbitmq_t)
++optional_policy(`
++ dbus_system_bus_client(rabbitmq_t)
++')
-files_read_etc_files(rabbitmq_epmd_t)
+optional_policy(`
-+ dbus_system_bus_client(rabbitmq_t)
++ hostname_exec(rabbitmq_t)
+')
-logging_send_syslog_msg(rabbitmq_epmd_t)
@@ -76408,7 +76476,7 @@ index 951db7f..c0cabe8 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index 2c1730b..fe05f23 100644
+index 2c1730b..36acb6c 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t;
@@ -76512,11 +76580,12 @@ index 2c1730b..fe05f23 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +111,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -70,15 +111,22 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
+storage_raw_read_removable_device(mdadm_t)
++storage_tmp_filetrans_fixed_disk(mdadm_t)
term_dontaudit_list_ptys(mdadm_t)
term_dontaudit_use_unallocated_ttys(mdadm_t)
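Review bot: `++storage_tmp_filetrans_fixed_disk(mdadm_t)` has no comment saying why mdadm creates block-device nodes under /tmp, and the changelog lists this item twice while also noting the interface itself was just fixed, so the rationale is easy to lose. A comment such as `# mdadm creates device nodes under /tmp; label them fixed_disk_device_t rather than tmp_t -- TODO confirm which operation does this` would make the transition's purpose (presumably keeping raw-disk nodes out of the generic tmp label) clear. The mdadm_t rule block continues outside the hunk.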
@@ -76524,6 +76593,7 @@ index 2c1730b..fe05f23 100644
+auth_use_nsswitch(mdadm_t)
+
init_dontaudit_getattr_initctl(mdadm_t)
++init_getattr_script_status_files(mdadm_t)
+logging_dontaudit_getattr_all_logs(mdadm_t)
logging_send_syslog_msg(mdadm_t)
@@ -76534,7 +76604,7 @@ index 2c1730b..fe05f23 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -89,17 +135,38 @@ optional_policy(`
+@@ -89,17 +137,38 @@ optional_policy(`
')
optional_policy(`
@@ -79777,7 +79847,7 @@ index 56bc01f..1337d42 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..a470f79 100644
+index 2c2de9a..a8f6097 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -80267,7 +80337,7 @@ index 2c2de9a..a470f79 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +582,54 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +582,57 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -80312,6 +80382,9 @@ index 2c2de9a..a470f79 100644
+corenet_tcp_connect_http_cache_port(haproxy_t)
+corenet_tcp_connect_rtp_media_port(haproxy_t)
+
++dev_read_rand(haproxy_t)
++dev_read_urand(haproxy_t)
++
+sysnet_dns_name_resolve(haproxy_t)
+
+tunable_policy(`haproxy_connect_any',`
@@ -80324,7 +80397,7 @@ index 2c2de9a..a470f79 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +672,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +675,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
@@ -82482,7 +82555,7 @@ index 3bd6446..eec0a35 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..fa69f22 100644
+index e5212e6..fbbff71 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -82526,7 +82599,7 @@ index e5212e6..fa69f22 100644
type exports_t;
files_config_file(exports_t)
-@@ -36,110 +32,49 @@ files_tmp_file(gssd_tmp_t)
+@@ -36,110 +32,50 @@ files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
@@ -82645,12 +82718,13 @@ index e5212e6..fa69f22 100644
can_exec(rpcd_t, rpcd_exec_t)
+kernel_read_system_state(rpcd_t)
++kernel_write_proc_files(rpcd_t)
kernel_read_network_state(rpcd_t)
+# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -160,13 +95,14 @@ fs_getattr_all_fs(rpcd_t)
+@@ -160,13 +96,14 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
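Review bot: `++kernel_write_proc_files(rpcd_t)` allows writes to generic proc entries, a much wider surface than the `kernel_read_sysctl` and `kernel_rw_fs_sysctls` rules on the lines just below it, and nothing records which /proc file rpcd actually writes. Following the `# for rpc.rquotad` style already used two lines down, add a comment naming the file, e.g. `# for <proc file from the AVC denial> -- TODO confirm`, and check whether a narrower kernel_* interface covers that path before keeping the generic write. The rpcd_t rule block continues outside the hunk.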
@@ -82668,7 +82742,7 @@ index e5212e6..fa69f22 100644
optional_policy(`
automount_signal(rpcd_t)
-@@ -174,19 +110,27 @@ optional_policy(`
+@@ -174,19 +111,27 @@ optional_policy(`
')
optional_policy(`
@@ -82699,7 +82773,7 @@ index e5212e6..fa69f22 100644
')
########################################
-@@ -195,41 +139,56 @@ optional_policy(`
+@@ -195,41 +140,56 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -82764,7 +82838,7 @@ index e5212e6..fa69f22 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +198,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -82772,7 +82846,7 @@ index e5212e6..fa69f22 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +209,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -82787,7 +82861,7 @@ index e5212e6..fa69f22 100644
')
########################################
-@@ -263,7 +221,7 @@ optional_policy(`
+@@ -263,7 +222,7 @@ optional_policy(`
# GSSD local policy
#
@@ -82796,7 +82870,7 @@ index e5212e6..fa69f22 100644
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
-@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -271,6 +230,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -82804,7 +82878,7 @@ index e5212e6..fa69f22 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -279,25 +238,30 @@ kernel_signal(gssd_t)
+@@ -279,25 +239,30 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -82838,7 +82912,7 @@ index e5212e6..fa69f22 100644
')
optional_policy(`
-@@ -306,8 +270,11 @@ optional_policy(`
+@@ -306,8 +271,11 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@@ -98774,10 +98848,10 @@ index 0000000..c1fd8b4
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..7f7e7ff
+index 0000000..dd6ba2c
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,159 @@
+@@ -0,0 +1,160 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -98808,6 +98882,7 @@ index 0000000..7f7e7ff
+
+allow thumb_t self:process { setsched signal signull setrlimit };
+dontaudit thumb_t self:capability sys_tty_config;
++dontaudit thumb_t self:process setfscreate;
+
+tunable_policy(`deny_execmem',`',`
+ allow thumb_t self:process execmem;
@@ -100367,7 +100442,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 8840be6..041373e 100644
+index 8840be6..6a13ab8 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,34 +10,54 @@ roleattribute system_r usbmuxd_roles;
@@ -100393,9 +100468,10 @@ index 8840be6..041373e 100644
#
-allow usbmuxd_t self:capability { kill setgid setuid };
+-allow usbmuxd_t self:process { signal signull };
+allow usbmuxd_t self:capability { fowner fsetid chown kill setgid setuid };
+dontaudit usbmuxd_t self:capability sys_resource;
- allow usbmuxd_t self:process { signal signull };
++allow usbmuxd_t self:process { signal_perms setrlimit };
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
+allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow usbmuxd_t self:unix_stream_socket connectto;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e863167..a896c26 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 196%{?dist}
+Release: 197%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -582,6 +582,25 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Fri Jan 16 2015 Lukas Vrabec 3.12.1-197
+- allow mozilla plugins to connect to bluetooth devices
+- Allow system_mail_t to create content in /var/lib/munin
+- Allow prosody_t to execmem, since it is using loajit.
+- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems
+- Allow rpcd_t to write to /proc
+- Additional access required by usbmuxd
+- Allow mdadm_t to getattr on init status files
+- Allow abrt to read udev database
+- Allow rabbitmq_t to deal with link files created with its content
+- Allow rabbitmq_t to run hostname
+- Allow canna go call getpw*
+- Fixed storage_tmp_filestrans_fixed_disk interface
+- userdom_dontaudit_search_user_home_content should not search through any homedirs and subdirs
+- Allow init_t to create gnome content in homedirs
+- Allow mdadm_t to create fixed_disk_device_t on /tmp file systems
+- Fix labels on /etc/kde/kdm
+- Allow texlive managers to relabelfrom
+
* Tue Dec 02 2014 Lukas Vrabec 3.12.1-196
- Dontaudit couchdb to list /var
- Couchdb policy fixes