[selinux-policy/f18] - dbus needs to start getty unit files - Add interface to allow system_dbusd_t to start the poweroff

Miroslav Grepl mgrepl at fedoraproject.org
Tue Sep 25 09:26:01 UTC 2012


commit 2bf102b83154589509b329080e12cd6a1ad8ec57
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Sep 25 11:25:47 2012 +0200

    - dbus needs to start getty unit files
    - Add interface to allow system_dbusd_t to start the poweroff service
    - xdm wants to exec telepathy apps
    - Allow users to send messages to systemdlogind
    - Additional rules needed for systemd and other boot apps
    - systemd wants to list /home and /boot
    - Allow gkeyringd to write dbus/conf file
    - realmd needs to read /dev/urand
    - Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded

 policy-rawhide.patch         | 1645 ++++++++++++++++++------------------------
 policy_contrib-rawhide.patch |  394 ++++++-----
 selinux-policy.spec          |   13 +-
 3 files changed, 936 insertions(+), 1116 deletions(-)
---
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index c4edeb9..ad1f04e 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -10248,10 +10248,10 @@ index 0000000..0e52e03
 +selinux(8), checkpolicy(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/chfn_selinux.8 b/man/man8/chfn_selinux.8
 new file mode 100644
-index 0000000..a839d60
+index 0000000..63c2b04
 --- /dev/null
 +++ b/man/man8/chfn_selinux.8
-@@ -0,0 +1,173 @@
+@@ -0,0 +1,175 @@
 +.TH  "chfn_selinux"  "8"  "chfn" "dwalsh at redhat.com" "chfn SELinux Policy documentation"
 +.SH "NAME"
 +chfn_selinux \- Security Enhanced Linux Policy for the chfn processes
@@ -10405,6 +10405,8 @@ index 0000000..a839d60
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -10427,7 +10429,7 @@ index 0000000..a839d60
 +selinux(8), chfn(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/chkpwd_selinux.8 b/man/man8/chkpwd_selinux.8
 new file mode 100644
-index 0000000..b680d92
+index 0000000..e70bad7
 --- /dev/null
 +++ b/man/man8/chkpwd_selinux.8
 @@ -0,0 +1,95 @@
@@ -10476,7 +10478,7 @@ index 0000000..b680d92
 +.br
 +.TP 5
 +Paths: 
-+/sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /sbin/unix_verify, /usr/sbin/unix_chkpwd
++/sbin/unix_verify, /sbin/unix_chkpwd, /usr/sbin/unix_verify, /usr/sbin/validate, /usr/sbin/unix_chkpwd
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
@@ -12782,10 +12784,10 @@ index 0000000..38b67d1
 +selinux(8), condor_collector(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/condor_master_selinux.8 b/man/man8/condor_master_selinux.8
 new file mode 100644
-index 0000000..c299941
+index 0000000..199cb6a
 --- /dev/null
 +++ b/man/man8/condor_master_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,105 @@
 +.TH  "condor_master_selinux"  "8"  "condor_master" "dwalsh at redhat.com" "condor_master SELinux Policy documentation"
 +.SH "NAME"
 +condor_master_selinux \- Security Enhanced Linux Policy for the condor_master processes
@@ -12796,20 +12798,6 @@ index 0000000..c299941
 +
 +.SH NSSWITCH DOMAIN
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_master_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the condor_master_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -13032,10 +13020,10 @@ index 0000000..8cc8c88
 +selinux(8), condor_negotiator(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/condor_procd_selinux.8 b/man/man8/condor_procd_selinux.8
 new file mode 100644
-index 0000000..3d02ecf
+index 0000000..fb6ef3d
 --- /dev/null
 +++ b/man/man8/condor_procd_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,119 @@
 +.TH  "condor_procd_selinux"  "8"  "condor_procd" "dwalsh at redhat.com" "condor_procd SELinux Policy documentation"
 +.SH "NAME"
 +condor_procd_selinux \- Security Enhanced Linux Policy for the condor_procd processes
@@ -13046,6 +13034,20 @@ index 0000000..3d02ecf
 +
 +.SH NSSWITCH DOMAIN
 +
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the condor_procd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the condor_procd_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -15430,10 +15432,10 @@ index 0000000..107d65b
 \ No newline at end of file
 diff --git a/man/man8/crontab_selinux.8 b/man/man8/crontab_selinux.8
 new file mode 100644
-index 0000000..185a00a
+index 0000000..c371dff
 --- /dev/null
 +++ b/man/man8/crontab_selinux.8
-@@ -0,0 +1,175 @@
+@@ -0,0 +1,177 @@
 +.TH  "crontab_selinux"  "8"  "crontab" "dwalsh at redhat.com" "crontab SELinux Policy documentation"
 +.SH "NAME"
 +crontab_selinux \- Security Enhanced Linux Policy for the crontab processes
@@ -15569,6 +15571,8 @@ index 0000000..185a00a
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B var_auth_t
@@ -15965,10 +15969,10 @@ index 0000000..2aaabe2
 +selinux(8), cups_pdf(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cupsd_config_selinux.8 b/man/man8/cupsd_config_selinux.8
 new file mode 100644
-index 0000000..f085353
+index 0000000..2c6ca80
 --- /dev/null
 +++ b/man/man8/cupsd_config_selinux.8
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,192 @@
 +.TH  "cupsd_config_selinux"  "8"  "cupsd_config" "dwalsh at redhat.com" "cupsd_config SELinux Policy documentation"
 +.SH "NAME"
 +cupsd_config_selinux \- Security Enhanced Linux Policy for the cupsd_config processes
@@ -16090,6 +16094,8 @@ index 0000000..f085353
 +.br
 +	/usr/lib/bjlib(/.*)?
 +.br
++	/var/lib/iscan(/.*)?
++.br
 +	/var/cache/cups(/.*)?
 +.br
 +	/etc/cups/certs/.*
@@ -16136,6 +16142,8 @@ index 0000000..f085353
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -16283,10 +16291,10 @@ index 0000000..1e6a8d8
 \ No newline at end of file
 diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8
 new file mode 100644
-index 0000000..f75a68e
+index 0000000..a960b0d
 --- /dev/null
 +++ b/man/man8/cupsd_selinux.8
-@@ -0,0 +1,388 @@
+@@ -0,0 +1,390 @@
 +.TH  "cupsd_selinux"  "8"  "cupsd" "dwalsh at redhat.com" "cupsd SELinux Policy documentation"
 +.SH "NAME"
 +cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes
@@ -16432,7 +16440,7 @@ index 0000000..f75a68e
 +.br
 +.TP 5
 +Paths: 
-+/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /usr/Brother/(.*/)?inf(/.*)?, /opt/brother/Printers(.*/)?inf(/.*)?, /etc/cups/subscriptions.*, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /var/lib/cups/certs, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /usr/Printer/(.*/)?inf(/.*)?, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids
++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /usr/Brother/(.*/)?inf(/.*)?, /opt/brother/Printers(.*/)?inf(/.*)?, /etc/cups/subscriptions.*, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /var/lib/iscan(/.*)?, /etc/alchemist/namespace/printconf(/.*)?, /var/lib/cups/certs, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /usr/Printer/(.*/)?inf(/.*)?, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids
 +
 +.EX
 +.PP
@@ -16524,6 +16532,8 @@ index 0000000..f75a68e
 +.br
 +	/usr/lib/bjlib(/.*)?
 +.br
++	/var/lib/iscan(/.*)?
++.br
 +	/var/cache/cups(/.*)?
 +.br
 +	/etc/cups/certs/.*
@@ -17223,7 +17233,7 @@ index 0000000..8208a25
 +selinux(8), cyrus(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dbadm_selinux.8 b/man/man8/dbadm_selinux.8
 new file mode 100644
-index 0000000..5d12181
+index 0000000..cd160a1
 --- /dev/null
 +++ b/man/man8/dbadm_selinux.8
 @@ -0,0 +1,198 @@
@@ -17274,17 +17284,17 @@ index 0000000..5d12181
 +
 +
 +.PP
-+If you want to allow database admins to execute DML statement, you must turn on the sepgsql_unconfined_dbadm boolean.
++If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
 +
 +.EX
-+.B setsebool -P sepgsql_unconfined_dbadm 1
++.B setsebool -P dbadm_manage_user_files 1
 +.EE
 +
 +.PP
-+If you want to allow dbadm to manage files in users home directories, you must turn on the dbadm_manage_user_files boolean.
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
 +
 +.EX
-+.B setsebool -P dbadm_manage_user_files 1
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
 +.EE
 +
 +.PP
@@ -18955,10 +18965,10 @@ index 0000000..1fbd4a1
 +selinux(8), denyhosts(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/depmod_selinux.8 b/man/man8/depmod_selinux.8
 new file mode 100644
-index 0000000..fd4ae1c
+index 0000000..67c21ef
 --- /dev/null
 +++ b/man/man8/depmod_selinux.8
-@@ -0,0 +1,97 @@
+@@ -0,0 +1,99 @@
 +.TH  "depmod_selinux"  "8"  "depmod" "dwalsh at redhat.com" "depmod SELinux Policy documentation"
 +.SH "NAME"
 +depmod_selinux \- Security Enhanced Linux Policy for the depmod processes
@@ -19036,6 +19046,8 @@ index 0000000..fd4ae1c
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -20053,10 +20065,10 @@ index 0000000..8630347
 \ No newline at end of file
 diff --git a/man/man8/dictd_selinux.8 b/man/man8/dictd_selinux.8
 new file mode 100644
-index 0000000..d726f8d
+index 0000000..2de76e5
 --- /dev/null
 +++ b/man/man8/dictd_selinux.8
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,155 @@
 +.TH  "dictd_selinux"  "8"  "dictd" "dwalsh at redhat.com" "dictd SELinux Policy documentation"
 +.SH "NAME"
 +dictd_selinux \- Security Enhanced Linux Policy for the dictd processes
@@ -20094,6 +20106,14 @@ index 0000000..d726f8d
 +
 +.EX
 +.PP
++.B dictd_etc_t 
++.EE
++
++- Set files with the dictd_etc_t type, if you want to store dictd files in the /etc directories.
++
++
++.EX
++.PP
 +.B dictd_exec_t 
 +.EE
 +
@@ -20102,10 +20122,18 @@ index 0000000..d726f8d
 +
 +.EX
 +.PP
-+.B dictd_unit_file_t 
++.B dictd_initrc_exec_t 
 +.EE
 +
-+- Set files with the dictd_unit_file_t type, if you want to treat the files as dictd unit content.
++- Set files with the dictd_initrc_exec_t type, if you want to transition an executable to the dictd_initrc_t domain.
++
++
++.EX
++.PP
++.B dictd_var_lib_t 
++.EE
++
++- Set files with the dictd_var_lib_t type, if you want to store the dictd files under the /var/lib directory.
 +
 +
 +.EX
@@ -20171,7 +20199,7 @@ index 0000000..d726f8d
 +.br
 +.B dictd_var_run_t
 +
-+	/var/run/dictd.pid
++	/var/run/dictd\.pid
 +.br
 +
 +.SH "COMMANDS"
@@ -21160,10 +21188,10 @@ index 0000000..e58ec1a
 +selinux(8), dkim_milter(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dlm_controld_selinux.8 b/man/man8/dlm_controld_selinux.8
 new file mode 100644
-index 0000000..00d1d0b
+index 0000000..ebed624
 --- /dev/null
 +++ b/man/man8/dlm_controld_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,155 @@
 +.TH  "dlm_controld_selinux"  "8"  "dlm_controld" "dwalsh at redhat.com" "dlm_controld SELinux Policy documentation"
 +.SH "NAME"
 +dlm_controld_selinux \- Security Enhanced Linux Policy for the dlm_controld processes
@@ -21174,6 +21202,20 @@ index 0000000..00d1d0b
 +
 +.SH NSSWITCH DOMAIN
 +
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the dlm_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the dlm_controld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -21883,7 +21925,7 @@ index 0000000..5b194fb
 +selinux(8), dnssec_trigger(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dovecot_auth_selinux.8 b/man/man8/dovecot_auth_selinux.8
 new file mode 100644
-index 0000000..0a678bd
+index 0000000..3c8fcbf
 --- /dev/null
 +++ b/man/man8/dovecot_auth_selinux.8
 @@ -0,0 +1,146 @@
@@ -21932,7 +21974,7 @@ index 0000000..0a678bd
 +.br
 +.TP 5
 +Paths: 
-+/usr/libexec/dovecot/dovecot-auth, /usr/libexec/dovecot/auth
++/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth
 +
 +.EX
 +.PP
@@ -22183,7 +22225,7 @@ index 0000000..9f179d5
 \ No newline at end of file
 diff --git a/man/man8/dovecot_selinux.8 b/man/man8/dovecot_selinux.8
 new file mode 100644
-index 0000000..99cd625
+index 0000000..de8d02e
 --- /dev/null
 +++ b/man/man8/dovecot_selinux.8
 @@ -0,0 +1,314 @@
@@ -22232,7 +22274,7 @@ index 0000000..99cd625
 +.br
 +.TP 5
 +Paths: 
-+/usr/libexec/dovecot/dovecot-auth, /usr/libexec/dovecot/auth
++/usr/libexec/dovecot/auth, /usr/libexec/dovecot/dovecot-auth
 +
 +.EX
 +.PP
@@ -24684,10 +24726,10 @@ index 0000000..32659cf
 +selinux(8), firstboot(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/foghorn_selinux.8 b/man/man8/foghorn_selinux.8
 new file mode 100644
-index 0000000..65d9a53
+index 0000000..ae8b7b6
 --- /dev/null
 +++ b/man/man8/foghorn_selinux.8
-@@ -0,0 +1,119 @@
+@@ -0,0 +1,133 @@
 +.TH  "foghorn_selinux"  "8"  "foghorn" "dwalsh at redhat.com" "foghorn SELinux Policy documentation"
 +.SH "NAME"
 +foghorn_selinux \- Security Enhanced Linux Policy for the foghorn processes
@@ -24698,6 +24740,20 @@ index 0000000..65d9a53
 +
 +.SH NSSWITCH DOMAIN
 +
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the foghorn_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the foghorn_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -25069,7 +25125,7 @@ index 0000000..85a3f70
 +selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8
 new file mode 100644
-index 0000000..a2e7734
+index 0000000..b4f537d
 --- /dev/null
 +++ b/man/man8/fsadm_selinux.8
 @@ -0,0 +1,249 @@
@@ -25104,7 +25160,7 @@ index 0000000..a2e7734
 +.br
 +.TP 5
 +Paths: 
-+/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/mkdosfs, /usr/sbin/mke2fs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /sbin/dosfsck, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /sbin/resize.*fs, /usr/sbin/raidstart, /sbin/mkreiserfs, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/cfdisk, /sbin/tune2fs, /sbin/dumpe2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /sbin/losetup.*, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /usr/sbin/mkfs.*, /sbin/e2label, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/s
 bin/clubufflush, /sbin/jfs_.*, /usr/sbin/mke4fs, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /sbin/sfdisk, /sbin/e2fsck, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm
++/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /usr/sbin/mke2fs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /sbin/dosfsck, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /sbin/resize.*fs, /usr/sbin/raidstart, /sbin/mkreiserfs, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/cfdisk, /sbin/tune2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /sbin/losetup.*, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /usr/sbin/mkfs.*, /sbin/e2label, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/s
 bin/clubufflush, /sbin/jfs_.*, /usr/sbin/mke4fs, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /sbin/sfdisk, /sbin/e2fsck, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm
 +
 +.EX
 +.PP
@@ -26066,10 +26122,10 @@ index 0000000..b71947a
 \ No newline at end of file
 diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8
 new file mode 100644
-index 0000000..7c948d5
+index 0000000..44b9cda
 --- /dev/null
 +++ b/man/man8/games_selinux.8
-@@ -0,0 +1,155 @@
+@@ -0,0 +1,157 @@
 +.TH  "games_selinux"  "8"  "games" "dwalsh at redhat.com" "games SELinux Policy documentation"
 +.SH "NAME"
 +games_selinux \- Security Enhanced Linux Policy for the games processes
@@ -26205,6 +26261,8 @@ index 0000000..7c948d5
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -26227,10 +26285,10 @@ index 0000000..7c948d5
 +selinux(8), games(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8
 new file mode 100644
-index 0000000..db11a2e
+index 0000000..c432ad7
 --- /dev/null
 +++ b/man/man8/gconfd_selinux.8
-@@ -0,0 +1,102 @@
+@@ -0,0 +1,104 @@
 +.TH  "gconfd_selinux"  "8"  "gconfd" "dwalsh at redhat.com" "gconfd SELinux Policy documentation"
 +.SH "NAME"
 +gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes
@@ -26312,6 +26370,8 @@ index 0000000..db11a2e
 +.br
 +.B gconf_tmp_t
 +
++	/tmp/gconfd-.*/.*
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -26648,10 +26708,10 @@ index 0000000..5405406
 +selinux(8), getty(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gfs_controld_selinux.8 b/man/man8/gfs_controld_selinux.8
 new file mode 100644
-index 0000000..df0cbc4
+index 0000000..726f3fb
 --- /dev/null
 +++ b/man/man8/gfs_controld_selinux.8
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,147 @@
 +.TH  "gfs_controld_selinux"  "8"  "gfs_controld" "dwalsh at redhat.com" "gfs_controld SELinux Policy documentation"
 +.SH "NAME"
 +gfs_controld_selinux \- Security Enhanced Linux Policy for the gfs_controld processes
@@ -26662,6 +26722,20 @@ index 0000000..df0cbc4
 +
 +.SH NSSWITCH DOMAIN
 +
++.PP
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the gfs_controld_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++
++.EX
++.B setsebool -P authlogin_nsswitch_use_ldap 1
++.EE
++
++.PP
++If you want to allow confined applications to run with kerberos for the gfs_controld_t, you must turn on the kerberos_enabled boolean.
++
++.EX
++.B setsebool -P kerberos_enabled 1
++.EE
++
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
@@ -26902,7 +26976,7 @@ index e9c43b1..0000000
 -selinux(8), git(8), chcon(1), semodule(8), setsebool(8)
 diff --git a/man/man8/git_shell_selinux.8 b/man/man8/git_shell_selinux.8
 new file mode 100644
-index 0000000..91536bf
+index 0000000..2b3cae6
 --- /dev/null
 +++ b/man/man8/git_shell_selinux.8
 @@ -0,0 +1,126 @@
@@ -26955,19 +27029,19 @@ index 0000000..91536bf
 +
 +.B dns_port_t: 53
 +
-+.B ocsp_port_t: 9080
-+
 +.B kerberos_port_t: 88,750,4444
 +
++.B ocsp_port_t: 9080
++
 +.TP
 +The SELinux user git_shell_u is able to connect to the following tcp ports.
 +
 +.B dns_port_t: 53
 +
-+.B ocsp_port_t: 9080
-+
 +.B kerberos_port_t: 88,750,4444
 +
++.B ocsp_port_t: 9080
++
 +.SH HOME_EXEC
 +
 +The SELinux user git_shell_u is able execute home content files.
@@ -28926,7 +29000,7 @@ index 0000000..06a77c4
 +selinux(8), groupadd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/groupd_selinux.8 b/man/man8/groupd_selinux.8
 new file mode 100644
-index 0000000..aa995a2
+index 0000000..cf1f8f5
 --- /dev/null
 +++ b/man/man8/groupd_selinux.8
 @@ -0,0 +1,140 @@
@@ -28941,14 +29015,14 @@ index 0000000..aa995a2
 +.SH NSSWITCH DOMAIN
 +
 +.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
++If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the groupd_t, groupadd_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
 +
 +.EX
 +.B setsebool -P authlogin_nsswitch_use_ldap 1
 +.EE
 +
 +.PP
-+If you want to allow confined applications to run with kerberos for the groupadd_t, you must turn on the kerberos_enabled boolean.
++If you want to allow confined applications to run with kerberos for the groupd_t, groupadd_t, you must turn on the kerberos_enabled boolean.
 +
 +.EX
 +.B setsebool -P kerberos_enabled 1
@@ -29073,10 +29147,10 @@ index 0000000..aa995a2
 \ No newline at end of file
 diff --git a/man/man8/gssd_selinux.8 b/man/man8/gssd_selinux.8
 new file mode 100644
-index 0000000..a09d3fd
+index 0000000..7cb2a9a
 --- /dev/null
 +++ b/man/man8/gssd_selinux.8
-@@ -0,0 +1,180 @@
+@@ -0,0 +1,182 @@
 +.TH  "gssd_selinux"  "8"  "gssd" "dwalsh at redhat.com" "gssd SELinux Policy documentation"
 +.SH "NAME"
 +gssd_selinux \- Security Enhanced Linux Policy for the gssd processes
@@ -29217,6 +29291,8 @@ index 0000000..a09d3fd
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B var_lib_nfs_t
@@ -29260,7 +29336,7 @@ index 0000000..a09d3fd
 \ No newline at end of file
 diff --git a/man/man8/guest_selinux.8 b/man/man8/guest_selinux.8
 new file mode 100644
-index 0000000..72bd98d
+index 0000000..633fb61
 --- /dev/null
 +++ b/man/man8/guest_selinux.8
 @@ -0,0 +1,202 @@
@@ -29318,19 +29394,19 @@ index 0000000..72bd98d
 +
 +.B dns_port_t: 53
 +
-+.B ocsp_port_t: 9080
-+
 +.B kerberos_port_t: 88,750,4444
 +
++.B ocsp_port_t: 9080
++
 +.TP
 +The SELinux user guest_u is able to connect to the following tcp ports.
 +
 +.B dns_port_t: 53
 +
-+.B ocsp_port_t: 9080
-+
 +.B kerberos_port_t: 88,750,4444
 +
++.B ocsp_port_t: 9080
++
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  guest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run guest with the tightest access possible.
 +
@@ -31932,7 +32008,7 @@ index 0000000..fa3fa7c
 +, httpd_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
-index 16e8b13..3e3056c 100644
+index 16e8b13..aded5fa 100644
 --- a/man/man8/httpd_selinux.8
 +++ b/man/man8/httpd_selinux.8
 @@ -1,120 +1,1969 @@
@@ -33329,7 +33405,7 @@ index 16e8b13..3e3056c 100644
 +.br
 +.TP 5
 +Paths: 
-+/var/www/html/[^/]*/sites/default/settings\.php, /var/spool/viewvc(/.*)?, /etc/WebCalendar(/.*)?, /etc/mock/koji(/.*)?, /var/lib/svn(/.*)?, /var/spool/gosa(/.*)?, /etc/zabbix/web(/.*)?, /var/lib/pootle/po(/.*)?, /etc/drupal.*, /var/www/gallery/albums(/.*)?, /usr/share/wordpress/wp-content/uploads(/.*)?, /var/www/html/configuration\.php, /usr/share/wordpress/wp-content/upgrade(/.*)?, /var/lib/drupal.*, /usr/share/wordpress-mu/wp-content(/.*)?, /var/lib/dokuwiki(/.*)?, /var/www/moodledata(/.*)?, /var/www/html/[^/]*/sites/default/files(/.*)?, /var/www/svn(/.*)?, /var/www/html/wp-content(/.*)?
++/var/www/html/[^/]*/sites/default/settings\.php, /var/spool/viewvc(/.*)?, /etc/WebCalendar(/.*)?, /etc/mock/koji(/.*)?, /var/lib/svn(/.*)?, /var/spool/gosa(/.*)?, /etc/zabbix/web(/.*)?, /usr/share/wordpress/wp-content/upgrade(/.*)?, /var/lib/pootle/po(/.*)?, /etc/drupal.*, /var/www/gallery/albums(/.*)?, /usr/share/wordpress/wp-content/uploads(/.*)?, /var/www/html/configuration\.php, /var/lib/drupal.*, /usr/share/wordpress-mu/wp-content(/.*)?, /var/lib/dokuwiki(/.*)?, /var/www/moodledata(/.*)?, /var/www/html/[^/]*/sites/default/files(/.*)?, /var/www/svn(/.*)?, /var/www/html/wp-content(/.*)?
 +
 +.EX
 +.PP
@@ -33341,7 +33417,7 @@ index 16e8b13..3e3056c 100644
 +.br
 +.TP 5
 +Paths: 
-+/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /usr/.*\.cgi, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /usr/share/wordpress/wp-includes/.*\.php, /opt/.*\.cgi
++/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /opt/.*\.cgi, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /usr/.*\.cgi, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /usr/share/wordpress/wp-includes/.*\.php
 +
 +.EX
 +.PP
@@ -34272,7 +34348,7 @@ index 0000000..0fa636d
 \ No newline at end of file
 diff --git a/man/man8/httpd_sys_script_selinux.8 b/man/man8/httpd_sys_script_selinux.8
 new file mode 100644
-index 0000000..4282d5b
+index 0000000..fec651b
 --- /dev/null
 +++ b/man/man8/httpd_sys_script_selinux.8
 @@ -0,0 +1,172 @@
@@ -34347,7 +34423,7 @@ index 0000000..4282d5b
 +.br
 +.TP 5
 +Paths: 
-+/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /usr/.*\.cgi, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /usr/share/wordpress/wp-includes/.*\.php, /opt/.*\.cgi
++/var/www/svn/hooks(/.*)?, /usr/share/mythweb/mythweb\.pl, /usr/share/wordpress/.*\.php, /usr/lib/cgi-bin(/.*)?, /opt/.*\.cgi, /var/www/perl(/.*)?, /usr/share/mythtv/mythweather/scripts(/.*)?, /usr/share/wordpress-mu/wp-config\.php, /usr/.*\.cgi, /var/www/html/[^/]*/cgi-bin(/.*)?, /var/www/[^/]*/cgi-bin(/.*)?, /var/www/cgi-bin(/.*)?, /usr/share/wordpress/wp-includes/.*\.php
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
@@ -36877,7 +36953,7 @@ index 0000000..5016301
 \ No newline at end of file
 diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8
 new file mode 100644
-index 0000000..10905b1
+index 0000000..fa3b786
 --- /dev/null
 +++ b/man/man8/innd_selinux.8
 @@ -0,0 +1,177 @@
@@ -36920,7 +36996,7 @@ index 0000000..10905b1
 +.br
 +.TP 5
 +Paths: 
-+/usr/bin/suck, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/convdate, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/ovdb_recover, /etc/news/boot, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/expireover, /usr/lib/news/bin/innd, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/l
 ib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/inndf
++/usr/bin/suck, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/convdate, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /usr/lib/news/bin/ovdb_recover, /etc/news/boot, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/expireover, /usr/bin/rnews, /usr/lib/news/bin/innd, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/l
 ib/news/bin/inews, /usr/lib/news/bin/shrinkfile, /usr/lib/news/bin/inndf
 +
 +.EX
 +.PP
@@ -37963,7 +38039,7 @@ index 0000000..cbb0783
 \ No newline at end of file
 diff --git a/man/man8/irc_selinux.8 b/man/man8/irc_selinux.8
 new file mode 100644
-index 0000000..82e800c
+index 0000000..f452dfc
 --- /dev/null
 +++ b/man/man8/irc_selinux.8
 @@ -0,0 +1,133 @@
@@ -38044,7 +38120,7 @@ index 0000000..82e800c
 +
 +
 +Default Defined Ports:
-+tcp 6667
++tcp 6667,6697
 +.EE
 +.SH PROCESS TYPES
 +SELinux defines process types (domains) for each process running on the system
@@ -38197,10 +38273,10 @@ index 0000000..6703be5
 +selinux(8), irqbalance(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/irssi_selinux.8 b/man/man8/irssi_selinux.8
 new file mode 100644
-index 0000000..ece4f84
+index 0000000..7ba6834
 --- /dev/null
 +++ b/man/man8/irssi_selinux.8
-@@ -0,0 +1,128 @@
+@@ -0,0 +1,130 @@
 +.TH  "irssi_selinux"  "8"  "irssi" "dwalsh at redhat.com" "irssi SELinux Policy documentation"
 +.SH "NAME"
 +irssi_selinux \- Security Enhanced Linux Policy for the irssi processes
@@ -38305,6 +38381,8 @@ index 0000000..ece4f84
 +
 +	/home/[^/]*/\.irssi(/.*)?
 +.br
++	/home/[^/]*/irclogs(/.*)?
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -41138,10 +41216,10 @@ index 0000000..83b5e43
 +selinux(8), l2tpd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ldconfig_selinux.8 b/man/man8/ldconfig_selinux.8
 new file mode 100644
-index 0000000..d61c4ba
+index 0000000..c1d439d
 --- /dev/null
 +++ b/man/man8/ldconfig_selinux.8
-@@ -0,0 +1,139 @@
+@@ -0,0 +1,141 @@
 +.TH  "ldconfig_selinux"  "8"  "ldconfig" "dwalsh at redhat.com" "ldconfig SELinux Policy documentation"
 +.SH "NAME"
 +ldconfig_selinux \- Security Enhanced Linux Policy for the ldconfig processes
@@ -41261,6 +41339,8 @@ index 0000000..d61c4ba
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -42859,7 +42939,7 @@ index 0000000..3b5cab5
 +selinux(8), lpr(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lsassd_selinux.8 b/man/man8/lsassd_selinux.8
 new file mode 100644
-index 0000000..aaa8956
+index 0000000..cce57f9
 --- /dev/null
 +++ b/man/man8/lsassd_selinux.8
 @@ -0,0 +1,251 @@
@@ -42930,7 +43010,7 @@ index 0000000..aaa8956
 +.br
 +.TP 5
 +Paths: 
-+/var/lib/likewise-open/\.lsassd, /var/lib/likewise-open/\.ntlmd, /var/lib/likewise-open/rpc/lsass
++/var/lib/likewise-open/rpc/lsass, /var/lib/likewise-open/\.lsassd, /var/lib/likewise-open/\.ntlmd
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
@@ -43116,7 +43196,7 @@ index 0000000..aaa8956
 +selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8
 new file mode 100644
-index 0000000..46092e1
+index 0000000..1319a4b
 --- /dev/null
 +++ b/man/man8/lvm_selinux.8
 @@ -0,0 +1,239 @@
@@ -43159,7 +43239,7 @@ index 0000000..46092e1
 +.br
 +.TP 5
 +Paths: 
-+/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgscan\.static, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/lib/lvm-10/.*, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/pvs, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/lvmiopversion, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/vgsplit, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/vgmerge, /usr/sbin/vgchange\.static, /sbin/pvcreate, /usr/sbin/lvm, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /usr/sbin/lvmetad, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvcreate, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev
 /udisks-lvm-pv-export, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmetad, /sbin/lvmiopversion, /usr/sbin/pvdisplay, /usr/sbin/vgremove, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/pvs, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /usr/sbin/vgwrapper, /sbin/vgreduce, /usr/sbin/lvreduce, /sbin/lvrename, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /usr/sbin/multipath\.static, /sbin/vgexport, /usr/sbi
 n/lvchange, /sbin/lvs, /usr/sbin/lvmsar, /usr/sbin/e2fsadm, /usr/sbin/vgchange, /sbin/kpartx, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/vgdisplay, /usr/sbin/dmeventd, /sbin/lvremove, /usr/sbin/pvremove
++/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgscan\.static, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/lib/lvm-10/.*, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/pvs, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/lvmiopversion, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/vgsplit, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/vgmerge, /usr/sbin/vgchange\.static, /sbin/pvcreate, /usr/sbin/lvm, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /usr/sbin/lvmetad, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvcreate, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-expo
 rt, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmetad, /sbin/lvmiopversion, /usr/sbin/pvdisplay, /usr/sbin/vgremove, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/pvs, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /usr/sbin/vgwrapper, /sbin/vgreduce, /usr/sbin/lvreduce, /sbin/lvrename, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /usr/sbin/multipath\.static, /sbin/vgexport, /usr/sbin/lvchange, /sbin/l
 vs, /usr/sbin/lvmsar, /usr/sbin/e2fsadm, /usr/sbin/vgchange, /sbin/kpartx, /usr/sbin/vgsplit, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/vgdisplay, /usr/sbin/dmeventd, /sbin/lvremove, /usr/sbin/pvremove
 +
 +.EX
 +.PP
@@ -44288,487 +44368,6 @@ index 0000000..136c141
 +
 +.SH "SEE ALSO"
 +selinux(8), mailman_queue(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/matahari_hostd_selinux.8 b/man/man8/matahari_hostd_selinux.8
-new file mode 100644
-index 0000000..5ef862c
---- /dev/null
-+++ b/man/man8/matahari_hostd_selinux.8
-@@ -0,0 +1,95 @@
-+.TH  "matahari_hostd_selinux"  "8"  "matahari_hostd" "dwalsh at redhat.com" "matahari_hostd SELinux Policy documentation"
-+.SH "NAME"
-+matahari_hostd_selinux \- Security Enhanced Linux Policy for the matahari_hostd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the matahari_hostd processes via flexible mandatory access
-+control.  
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type. 
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files. 
-+SELinux matahari_hostd policy is very flexible allowing users to setup their matahari_hostd processes in as secure a method as possible.
-+.PP 
-+The following file types are defined for matahari_hostd:
-+
-+
-+.EX
-+.PP
-+.B matahari_hostd_exec_t 
-+.EE
-+
-+- Set files with the matahari_hostd_exec_t type, if you want to transition an executable to the matahari_hostd_t domain.
-+
-+.br
-+.TP 5
-+Paths: 
-+/usr/sbin/matahari-qmf-hostd, /usr/sbin/matahari-hostd, /usr/sbin/matahari-dbus-hostd
-+
-+.EX
-+.PP
-+.B matahari_hostd_unit_file_t 
-+.EE
-+
-+- Set files with the matahari_hostd_unit_file_t type, if you want to treat the files as matahari hostd unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
-+.B semanage fcontext 
-+command.  This will modify the SELinux labeling database.  You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux matahari_hostd policy is very flexible allowing users to setup their matahari_hostd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for matahari_hostd:
-+
-+.EX
-+.B matahari_hostd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux user type matahari_hostd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
-+
-+.br
-+.B mtrr_device_t
-+
-+	/dev/cpu/mtrr
-+.br
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux 
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR	
-+This manual page was auto-generated by genman.py.
-+
-+.SH "SEE ALSO"
-+selinux(8), matahari_hostd(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/matahari_netd_selinux.8 b/man/man8/matahari_netd_selinux.8
-new file mode 100644
-index 0000000..de6755d
---- /dev/null
-+++ b/man/man8/matahari_netd_selinux.8
-@@ -0,0 +1,89 @@
-+.TH  "matahari_netd_selinux"  "8"  "matahari_netd" "dwalsh at redhat.com" "matahari_netd SELinux Policy documentation"
-+.SH "NAME"
-+matahari_netd_selinux \- Security Enhanced Linux Policy for the matahari_netd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the matahari_netd processes via flexible mandatory access
-+control.  
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type. 
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files. 
-+SELinux matahari_netd policy is very flexible allowing users to setup their matahari_netd processes in as secure a method as possible.
-+.PP 
-+The following file types are defined for matahari_netd:
-+
-+
-+.EX
-+.PP
-+.B matahari_netd_exec_t 
-+.EE
-+
-+- Set files with the matahari_netd_exec_t type, if you want to transition an executable to the matahari_netd_t domain.
-+
-+.br
-+.TP 5
-+Paths: 
-+/usr/sbin/matahari-qmf-networkd, /usr/sbin/matahari-netd, /usr/sbin/matahari-dbus-networkd
-+
-+.EX
-+.PP
-+.B matahari_netd_unit_file_t 
-+.EE
-+
-+- Set files with the matahari_netd_unit_file_t type, if you want to treat the files as matahari netd unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
-+.B semanage fcontext 
-+command.  This will modify the SELinux labeling database.  You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux matahari_netd policy is very flexible allowing users to setup their matahari_netd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for matahari_netd:
-+
-+.EX
-+.B matahari_netd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux user type matahari_netd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux 
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR	
-+This manual page was auto-generated by genman.py.
-+
-+.SH "SEE ALSO"
-+selinux(8), matahari_netd(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/matahari_rpcd_selinux.8 b/man/man8/matahari_rpcd_selinux.8
-new file mode 100644
-index 0000000..a98fb2f
---- /dev/null
-+++ b/man/man8/matahari_rpcd_selinux.8
-@@ -0,0 +1,85 @@
-+.TH  "matahari_rpcd_selinux"  "8"  "matahari_rpcd" "dwalsh at redhat.com" "matahari_rpcd SELinux Policy documentation"
-+.SH "NAME"
-+matahari_rpcd_selinux \- Security Enhanced Linux Policy for the matahari_rpcd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the matahari_rpcd processes via flexible mandatory access
-+control.  
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type. 
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files. 
-+SELinux matahari_rpcd policy is very flexible allowing users to setup their matahari_rpcd processes in as secure a method as possible.
-+.PP 
-+The following file types are defined for matahari_rpcd:
-+
-+
-+.EX
-+.PP
-+.B matahari_rpcd_exec_t 
-+.EE
-+
-+- Set files with the matahari_rpcd_exec_t type, if you want to transition an executable to the matahari_rpcd_t domain.
-+
-+
-+.EX
-+.PP
-+.B matahari_rpcd_unit_file_t 
-+.EE
-+
-+- Set files with the matahari_rpcd_unit_file_t type, if you want to treat the files as matahari rpcd unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
-+.B semanage fcontext 
-+command.  This will modify the SELinux labeling database.  You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux matahari_rpcd policy is very flexible allowing users to setup their matahari_rpcd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for matahari_rpcd:
-+
-+.EX
-+.B matahari_rpcd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux user type matahari_rpcd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux 
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR	
-+This manual page was auto-generated by genman.py.
-+
-+.SH "SEE ALSO"
-+selinux(8), matahari_rpcd(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/matahari_serviced_selinux.8 b/man/man8/matahari_serviced_selinux.8
-new file mode 100644
-index 0000000..4173cc6
---- /dev/null
-+++ b/man/man8/matahari_serviced_selinux.8
-@@ -0,0 +1,89 @@
-+.TH  "matahari_serviced_selinux"  "8"  "matahari_serviced" "dwalsh at redhat.com" "matahari_serviced SELinux Policy documentation"
-+.SH "NAME"
-+matahari_serviced_selinux \- Security Enhanced Linux Policy for the matahari_serviced processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the matahari_serviced processes via flexible mandatory access
-+control.  
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type. 
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files. 
-+SELinux matahari_serviced policy is very flexible allowing users to setup their matahari_serviced processes in as secure a method as possible.
-+.PP 
-+The following file types are defined for matahari_serviced:
-+
-+
-+.EX
-+.PP
-+.B matahari_serviced_exec_t 
-+.EE
-+
-+- Set files with the matahari_serviced_exec_t type, if you want to transition an executable to the matahari_serviced_t domain.
-+
-+.br
-+.TP 5
-+Paths: 
-+/usr/sbin/matahari-serviced, /usr/sbin/matahari-dbus-serviced, /usr/sbin/matahari-qmf-serviced
-+
-+.EX
-+.PP
-+.B matahari_serviced_unit_file_t 
-+.EE
-+
-+- Set files with the matahari_serviced_unit_file_t type, if you want to treat the files as matahari serviced unit content.
-+
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
-+.B semanage fcontext 
-+command.  This will modify the SELinux labeling database.  You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux matahari_serviced policy is very flexible allowing users to setup their matahari_serviced processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for matahari_serviced:
-+
-+.EX
-+.B matahari_serviced_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux user type matahari_serviced_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux 
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR	
-+This manual page was auto-generated by genman.py.
-+
-+.SH "SEE ALSO"
-+selinux(8), matahari_serviced(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/matahari_sysconfigd_selinux.8 b/man/man8/matahari_sysconfigd_selinux.8
-new file mode 100644
-index 0000000..79966b1
---- /dev/null
-+++ b/man/man8/matahari_sysconfigd_selinux.8
-@@ -0,0 +1,93 @@
-+.TH  "matahari_sysconfigd_selinux"  "8"  "matahari_sysconfigd" "dwalsh at redhat.com" "matahari_sysconfigd SELinux Policy documentation"
-+.SH "NAME"
-+matahari_sysconfigd_selinux \- Security Enhanced Linux Policy for the matahari_sysconfigd processes
-+.SH "DESCRIPTION"
-+
-+Security-Enhanced Linux secures the matahari_sysconfigd processes via flexible mandatory access
-+control.  
-+
-+.SH NSSWITCH DOMAIN
-+
-+.SH FILE CONTEXTS
-+SELinux requires files to have an extended attribute to define the file type. 
-+.PP
-+You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
-+.PP
-+Policy governs the access confined processes have to these files. 
-+SELinux matahari_sysconfigd policy is very flexible allowing users to setup their matahari_sysconfigd processes in as secure a method as possible.
-+.PP 
-+The following file types are defined for matahari_sysconfigd:
-+
-+
-+.EX
-+.PP
-+.B matahari_sysconfigd_exec_t 
-+.EE
-+
-+- Set files with the matahari_sysconfigd_exec_t type, if you want to transition an executable to the matahari_sysconfigd_t domain.
-+
-+.br
-+.TP 5
-+Paths: 
-+/usr/sbin/matahari-qmf-sysconfig-consoled, /usr/sbin/matahari-dbus-sysconfigd, /usr/sbin/matahari-qmf-sysconfigd
-+
-+.EX
-+.PP
-+.B matahari_sysconfigd_unit_file_t 
-+.EE
-+
-+- Set files with the matahari_sysconfigd_unit_file_t type, if you want to treat the files as matahari sysconfigd unit content.
-+
-+.br
-+.TP 5
-+Paths: 
-+/usr/lib/systemd/system/matahari-sysconfig-console.*, /usr/lib/systemd/system/matahari-sysconfig.*
-+
-+.PP
-+Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the 
-+.B semanage fcontext 
-+command.  This will modify the SELinux labeling database.  You will need to use
-+.B restorecon
-+to apply the labels.
-+
-+.SH PROCESS TYPES
-+SELinux defines process types (domains) for each process running on the system
-+.PP
-+You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
-+.PP
-+Policy governs the access confined processes have to files. 
-+SELinux matahari_sysconfigd policy is very flexible allowing users to setup their matahari_sysconfigd processes in as secure a method as possible.
-+.PP 
-+The following process types are defined for matahari_sysconfigd:
-+
-+.EX
-+.B matahari_sysconfigd_t 
-+.EE
-+.PP
-+Note: 
-+.B semanage permissive -a PROCESS_TYPE 
-+can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
-+
-+.SH "MANAGED FILES"
-+
-+The SELinux user type matahari_sysconfigd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
-+
-+.SH "COMMANDS"
-+.B semanage fcontext
-+can also be used to manipulate default file context mappings.
-+.PP
-+.B semanage permissive
-+can also be used to manipulate whether or not a process type is permissive.
-+.PP
-+.B semanage module
-+can also be used to enable/disable/install/remove policy modules.
-+
-+.PP
-+.B system-config-selinux 
-+is a GUI tool available to customize SELinux policy settings.
-+
-+.SH AUTHOR	
-+This manual page was auto-generated by genman.py.
-+
-+.SH "SEE ALSO"
-+selinux(8), matahari_sysconfigd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mcelog_selinux.8 b/man/man8/mcelog_selinux.8
 new file mode 100644
 index 0000000..1c3f6d3
@@ -45968,10 +45567,10 @@ index 0000000..0bd5e95
 \ No newline at end of file
 diff --git a/man/man8/mount_selinux.8 b/man/man8/mount_selinux.8
 new file mode 100644
-index 0000000..970cd52
+index 0000000..8758c79
 --- /dev/null
 +++ b/man/man8/mount_selinux.8
-@@ -0,0 +1,261 @@
+@@ -0,0 +1,227 @@
 +.TH  "mount_selinux"  "8"  "mount" "dwalsh at redhat.com" "mount SELinux Policy documentation"
 +.SH "NAME"
 +mount_selinux \- Security Enhanced Linux Policy for the mount processes
@@ -46115,22 +45714,6 @@ index 0000000..970cd52
 +The SELinux user type mount_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
-+.B anon_inodefs_t
-+
-+
-+.br
-+.B cgroup_t
-+
-+	/cgroup
-+.br
-+	/sys/fs/cgroup
-+.br
-+
-+.br
-+.B debugfs_t
-+
-+
-+.br
 +.B etc_runtime_t
 +
 +	/[^/]+
@@ -46185,29 +45768,11 @@ index 0000000..970cd52
 +.br
 +
 +.br
-+.B livecd_tmp_t
-+
-+
-+.br
-+.B mount_tmp_t
-+
-+
-+.br
-+.B mount_var_run_t
++.B nfsd_fs_t
 +
-+	/run/mount(/.*)?
-+.br
-+	/dev/\.mount(/.*)?
-+.br
-+	/var/run/mount(/.*)?
-+.br
-+	/var/run/davfs2(/.*)?
-+.br
-+	/var/cache/davfs2(/.*)?
-+.br
 +
 +.br
-+.B nfsd_fs_t
++.B non_security_file_type
 +
 +
 +.SH "COMMANDS"
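Review bot: The managed-files list for mount_t now ends with `non_security_file_type`, which is an attribute printed with no paths, while the specific `mount_tmp_t`, `mount_var_run_t` and `livecd_tmp_t` entries above it are dropped. Because this page is generated from the policy, that probably means mount_t was given write-class access to every type carrying the attribute, which is far wider than the entries it replaces; the rule itself is not in this hunk. Before accepting the regenerated page I would confirm the grant and whether a boolean gates it, for example with `sesearch -A -s mount_t -t non_security_file_type`. The page should also say that this entry is an attribute rather than a single file type, so the empty path list is not read as "no files".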
@@ -46652,10 +46217,10 @@ index 0000000..8ecc677
 \ No newline at end of file
 diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8
 new file mode 100644
-index 0000000..94074ea
+index 0000000..118b8d9
 --- /dev/null
 +++ b/man/man8/mozilla_selinux.8
-@@ -0,0 +1,307 @@
+@@ -0,0 +1,297 @@
 +.TH  "mozilla_selinux"  "8"  "mozilla" "dwalsh at redhat.com" "mozilla SELinux Policy documentation"
 +.SH "NAME"
 +mozilla_selinux \- Security Enhanced Linux Policy for the mozilla processes
@@ -46915,16 +46480,6 @@ index 0000000..94074ea
 +.br
 +
 +.br
-+.B tmpfs_t
-+
-+	/dev/shm
-+.br
-+	/lib/udev/devices/shm
-+.br
-+	/usr/lib/udev/devices/shm
-+.br
-+
-+.br
 +.B user_fonts_cache_t
 +
 +	/root/\.fontconfig(/.*)?
@@ -55201,10 +54756,10 @@ index 0000000..59f31f3
 +selinux(8), pads(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pam_console_selinux.8 b/man/man8/pam_console_selinux.8
 new file mode 100644
-index 0000000..cc869e0
+index 0000000..52a061f
 --- /dev/null
 +++ b/man/man8/pam_console_selinux.8
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,95 @@
 +.TH  "pam_console_selinux"  "8"  "pam_console" "dwalsh at redhat.com" "pam_console SELinux Policy documentation"
 +.SH "NAME"
 +pam_console_selinux \- Security Enhanced Linux Policy for the pam_console processes
@@ -55300,8 +54855,6 @@ index 0000000..cc869e0
 +
 +.SH "SEE ALSO"
 +selinux(8), pam_console(8), semanage(8), restorecon(8), chcon(1)
-+, pam_selinux(8)
-\ No newline at end of file
 diff --git a/man/man8/pam_timestamp_selinux.8 b/man/man8/pam_timestamp_selinux.8
 new file mode 100644
 index 0000000..8a4d1da
@@ -55417,7 +54970,7 @@ index 0000000..8a4d1da
 +selinux(8), pam_timestamp(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/passenger_selinux.8 b/man/man8/passenger_selinux.8
 new file mode 100644
-index 0000000..d724a7a
+index 0000000..13d501c
 --- /dev/null
 +++ b/man/man8/passenger_selinux.8
 @@ -0,0 +1,161 @@
@@ -55466,7 +55019,7 @@ index 0000000..d724a7a
 +.br
 +.TP 5
 +Paths: 
-+/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog, /usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent, /usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent, /usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable
++/usr/share/gems/.*/ApplicationPoolServerExecutable, /usr/lib/gems/.*/Passenger.*, /usr/share/gems/.*/Passenger.*, /usr/lib/gems/.*/ApplicationPoolServerExecutable
 +
 +.EX
 +.PP
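Review bot: The new `Paths:` line drops the `passenger-.*/agents/` anchor that the old patterns had, so `/usr/lib/gems/.*/Passenger.*` and `/usr/share/gems/.*/Passenger.*` match any file whose name begins with `Passenger` anywhere below the gems trees. If this list belongs to the passenger exec type (the type name is outside this hunk), any gem that ships such a file would be labeled as an entry point into the passenger domain. I would keep the `passenger-.*/` component in the underlying file-context entries unless the packaged layout really requires the wider match. Checking the installed agent paths with `matchpathcon` would show whether the narrower form still covers them.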
@@ -58449,10 +58002,10 @@ index 0000000..3e023fe
 \ No newline at end of file
 diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8
 new file mode 100644
-index 0000000..513f255
+index 0000000..b549de6
 --- /dev/null
 +++ b/man/man8/polipo_selinux.8
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,216 @@
 +.TH  "polipo_selinux"  "8"  "polipo" "dwalsh at redhat.com" "polipo SELinux Policy documentation"
 +.SH "NAME"
 +polipo_selinux \- Security Enhanced Linux Policy for the polipo processes
@@ -58480,13 +58033,6 @@ index 0000000..513f255
 +.EE
 +
 +.PP
-+If you want to determine whether Polipo session daemon can send syslog messages, you must turn on the polipo_session_send_syslog_msg boolean.
-+
-+.EX
-+.B setsebool -P polipo_session_send_syslog_msg 1
-+.EE
-+
-+.PP
 +If you want to determine whether Polipo session daemon can bind tcp sockets to all unreserved ports, you must turn on the polipo_session_bind_all_unreserved_ports boolean.
 +
 +.EX
@@ -61034,10 +60580,10 @@ index 0000000..8d86391
 +selinux(8), postfix_virtual(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/postgresql_selinux.8 b/man/man8/postgresql_selinux.8
 new file mode 100644
-index 0000000..555d167
+index 0000000..f698c7b
 --- /dev/null
 +++ b/man/man8/postgresql_selinux.8
-@@ -0,0 +1,320 @@
+@@ -0,0 +1,348 @@
 +.TH  "postgresql_selinux"  "8"  "postgresql" "dwalsh at redhat.com" "postgresql SELinux Policy documentation"
 +.SH "NAME"
 +postgresql_selinux \- Security Enhanced Linux Policy for the postgresql processes
@@ -61051,12 +60597,40 @@ index 0000000..555d167
 +
 +
 +.PP
++If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
++
++.EX
++.B setsebool -P postgresql_can_rsync 1
++.EE
++
++.PP
++If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_users_ddl 1
++.EE
++
++.PP
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
++.EE
++
++.PP
 +If you want to allow users to connect to PostgreSQL, you must turn on the user_postgresql_connect boolean.
 +
 +.EX
 +.B setsebool -P user_postgresql_connect 1
 +.EE
 +
++.PP
++If you want to allow transmit client label to foreign database, you must turn on the postgresql_selinux_transmit_client_label boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_transmit_client_label 1
++.EE
++
 +.SH NSSWITCH DOMAIN
 +
 +.PP
@@ -66800,10 +66374,10 @@ index 0000000..b8c348b
 +selinux(8), qmail_tcp_env(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/qpidd_selinux.8 b/man/man8/qpidd_selinux.8
 new file mode 100644
-index 0000000..1c40256
+index 0000000..d0c9485
 --- /dev/null
 +++ b/man/man8/qpidd_selinux.8
-@@ -0,0 +1,147 @@
+@@ -0,0 +1,131 @@
 +.TH  "qpidd_selinux"  "8"  "qpidd" "dwalsh at redhat.com" "qpidd SELinux Policy documentation"
 +.SH "NAME"
 +qpidd_selinux \- Security Enhanced Linux Policy for the qpidd processes
@@ -66899,22 +66473,6 @@ index 0000000..1c40256
 +The SELinux user type qpidd_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
 +
 +.br
-+.B matahari_var_lib_t
-+
-+	/var/lib/matahari(/.*)?
-+.br
-+
-+.br
-+.B matahari_var_run_t
-+
-+	/var/run/matahari(/.*)?
-+.br
-+	/var/run/matahari\.pid
-+.br
-+	/var/run/matahari-broker\.pid
-+.br
-+
-+.br
 +.B qpidd_tmpfs_t
 +
 +
@@ -68262,10 +67820,10 @@ index 0000000..30a2642
 +selinux(8), rdisc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/readahead_selinux.8 b/man/man8/readahead_selinux.8
 new file mode 100644
-index 0000000..68f76cf
+index 0000000..60709f3
 --- /dev/null
 +++ b/man/man8/readahead_selinux.8
-@@ -0,0 +1,169 @@
+@@ -0,0 +1,175 @@
 +.TH  "readahead_selinux"  "8"  "readahead" "dwalsh at redhat.com" "readahead SELinux Policy documentation"
 +.SH "NAME"
 +readahead_selinux \- Security Enhanced Linux Policy for the readahead processes
@@ -68416,6 +67974,12 @@ index 0000000..68f76cf
 +	/var/run/systemd/readahead(/.*)?
 +.br
 +
++.br
++.B sysfs_t
++
++	/sys(/.*)?
++.br
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
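Review bot: `sysfs_t` with `/sys(/.*)?` now appears among the types readahead_t can manage, and the commit description does not account for it; its only readahead item is deleting `/.readahead` when labeled root_t. The generated list does not show which classes or permissions are involved, so the source rule should be checked with `sesearch -A -s readahead_t -t sysfs_t` to confirm readahead needs more than read access under /sys. If the write access is intentional, a changelog line saying so would make the grant reviewable.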
@@ -70574,10 +70138,10 @@ index 0000000..c50b549
 \ No newline at end of file
 diff --git a/man/man8/rlogind_selinux.8 b/man/man8/rlogind_selinux.8
 new file mode 100644
-index 0000000..36ad2fc
+index 0000000..74f3ce6
 --- /dev/null
 +++ b/man/man8/rlogind_selinux.8
-@@ -0,0 +1,307 @@
+@@ -0,0 +1,309 @@
 +.TH  "rlogind_selinux"  "8"  "rlogind" "dwalsh at redhat.com" "rlogind SELinux Policy documentation"
 +.SH "NAME"
 +rlogind_selinux \- Security Enhanced Linux Policy for the rlogind processes
@@ -70836,6 +70400,8 @@ index 0000000..36ad2fc
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B var_auth_t
@@ -71644,10 +71210,10 @@ index 0000000..0a187e3
 \ No newline at end of file
 diff --git a/man/man8/rshd_selinux.8 b/man/man8/rshd_selinux.8
 new file mode 100644
-index 0000000..8977cf3
+index 0000000..7976243
 --- /dev/null
 +++ b/man/man8/rshd_selinux.8
-@@ -0,0 +1,277 @@
+@@ -0,0 +1,279 @@
 +.TH  "rshd_selinux"  "8"  "rshd" "dwalsh at redhat.com" "rshd SELinux Policy documentation"
 +.SH "NAME"
 +rshd_selinux \- Security Enhanced Linux Policy for the rshd processes
@@ -71870,6 +71436,8 @@ index 0000000..8977cf3
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B user_tmp_type
@@ -72152,10 +71720,10 @@ index 0000000..e7179dd
 +, rssh_chroot_helper_selinux(8)
 \ No newline at end of file
 diff --git a/man/man8/rsync_selinux.8 b/man/man8/rsync_selinux.8
-index ad9ccf5..bf48e69 100644
+index ad9ccf5..f0b5a28 100644
 --- a/man/man8/rsync_selinux.8
 +++ b/man/man8/rsync_selinux.8
-@@ -1,52 +1,237 @@
+@@ -1,52 +1,244 @@
 -.TH  "rsync_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "rsync Selinux Policy documentation"
 -.de EX
 -.nf
@@ -72190,6 +71758,13 @@ index ad9ccf5..bf48e69 100644
 +
 +
 +.PP
++If you want to allow postgresql to use ssh and rsync for point-in-time recovery, you must turn on the postgresql_can_rsync boolean.
++
++.EX
++.B setsebool -P postgresql_can_rsync 1
++.EE
++
++.PP
 +If you want to allow rsync to run as a client, you must turn on the rsync_client boolean.
 +
 +.EX
@@ -72672,69 +72247,63 @@ index 0000000..ba67797
 +
 +.SH "SEE ALSO"
 +selinux(8), run_init(8), semanage(8), restorecon(8), chcon(1)
-diff --git a/man/man8/rwhod_selinux.8 b/man/man8/rwhod_selinux.8
+diff --git a/man/man8/rwho_selinux.8 b/man/man8/rwho_selinux.8
 new file mode 100644
-index 0000000..fa1da4b
+index 0000000..e319c86
 --- /dev/null
-+++ b/man/man8/rwhod_selinux.8
++++ b/man/man8/rwho_selinux.8
 @@ -0,0 +1,139 @@
-+.TH  "rwhod_selinux"  "8"  "rwhod" "dwalsh at redhat.com" "rwhod SELinux Policy documentation"
++.TH  "rwho_selinux"  "8"  "rwho" "dwalsh at redhat.com" "rwho SELinux Policy documentation"
 +.SH "NAME"
-+rwhod_selinux \- Security Enhanced Linux Policy for the rwhod processes
++rwho_selinux \- Security Enhanced Linux Policy for the rwho processes
 +.SH "DESCRIPTION"
 +
-+Security-Enhanced Linux secures the rwhod processes via flexible mandatory access
++Security-Enhanced Linux secures the rwho processes via flexible mandatory access
 +control.  
 +
 +.SH NSSWITCH DOMAIN
 +
-+.PP
-+If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the rwhod_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-+
-+.EX
-+.B setsebool -P authlogin_nsswitch_use_ldap 1
-+.EE
-+
-+.PP
-+If you want to allow confined applications to run with kerberos for the rwhod_t, you must turn on the kerberos_enabled boolean.
-+
-+.EX
-+.B setsebool -P kerberos_enabled 1
-+.EE
-+
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
 +You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
 +.PP
 +Policy governs the access confined processes have to these files. 
-+SELinux rwhod policy is very flexible allowing users to setup their rwhod processes in as secure a method as possible.
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
 +.PP 
-+The following file types are defined for rwhod:
++The following file types are defined for rwho:
 +
 +
 +.EX
 +.PP
-+.B rwhod_exec_t 
++.B rwho_exec_t 
 +.EE
 +
-+- Set files with the rwhod_exec_t type, if you want to transition an executable to the rwhod_t domain.
++- Set files with the rwho_exec_t type, if you want to transition an executable to the rwho_t domain.
 +
 +
 +.EX
 +.PP
-+.B rwhod_spool_t 
++.B rwho_initrc_exec_t 
 +.EE
 +
-+- Set files with the rwhod_spool_t type, if you want to store the rwhod files under the /var/spool directory.
++- Set files with the rwho_initrc_exec_t type, if you want to transition an executable to the rwho_initrc_t domain.
 +
 +
 +.EX
 +.PP
-+.B rwhod_unit_file_t 
++.B rwho_log_t 
 +.EE
 +
-+- Set files with the rwhod_unit_file_t type, if you want to treat the files as rwhod unit content.
++- Set files with the rwho_log_t type, if you want to treat the data as rwho log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B rwho_spool_t 
++.EE
++
++- Set files with the rwho_spool_t type, if you want to store the rwho files under the /var/spool directory.
 +
 +
 +.PP
@@ -72753,9 +72322,9 @@ index 0000000..fa1da4b
 +
 +.PP
 +Policy governs the access confined processes have to these ports. 
-+SELinux rwhod policy is very flexible allowing users to setup their rwhod processes in as secure a method as possible.
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
 +.PP 
-+The following port types are defined for rwhod:
++The following port types are defined for rwho:
 +
 +.EX
 +.TP 5
@@ -72773,12 +72342,12 @@ index 0000000..fa1da4b
 +You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
 +.PP
 +Policy governs the access confined processes have to files. 
-+SELinux rwhod policy is very flexible allowing users to setup their rwhod processes in as secure a method as possible.
++SELinux rwho policy is very flexible allowing users to setup their rwho processes in as secure a method as possible.
 +.PP 
-+The following process types are defined for rwhod:
++The following process types are defined for rwho:
 +
 +.EX
-+.B rwhod_t 
++.B rwho_t 
 +.EE
 +.PP
 +Note: 
@@ -72787,10 +72356,16 @@ index 0000000..fa1da4b
 +
 +.SH "MANAGED FILES"
 +
-+The SELinux user type rwhod_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++The SELinux user type rwho_t can manage files labeled with the following file types.  The paths listed are the default paths for these file types.  Note the processes UID still need to have DAC permissions.
++
++.br
++.B rwho_log_t
++
++	/var/log/rwhod(/.*)?
++.br
 +
 +.br
-+.B rwhod_spool_t
++.B rwho_spool_t
 +
 +	/var/spool/rwho(/.*)?
 +.br
@@ -72816,7 +72391,7 @@ index 0000000..fa1da4b
 +This manual page was auto-generated by genman.py.
 +
 +.SH "SEE ALSO"
-+selinux(8), rwhod(8), semanage(8), restorecon(8), chcon(1)
++selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/samba_net_selinux.8 b/man/man8/samba_net_selinux.8
 new file mode 100644
 index 0000000..63b3384
@@ -73411,10 +72986,10 @@ index 0000000..759c807
 \ No newline at end of file
 diff --git a/man/man8/sanlock_selinux.8 b/man/man8/sanlock_selinux.8
 new file mode 100644
-index 0000000..9f02fe9
+index 0000000..81d9aa7
 --- /dev/null
 +++ b/man/man8/sanlock_selinux.8
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,171 @@
 +.TH  "sanlock_selinux"  "8"  "sanlock" "dwalsh at redhat.com" "sanlock SELinux Policy documentation"
 +.SH "NAME"
 +sanlock_selinux \- Security Enhanced Linux Policy for the sanlock processes
@@ -73428,6 +73003,13 @@ index 0000000..9f02fe9
 +
 +
 +.PP
++If you want to allow sanlock to read/write fuse files, you must turn on the sanlock_use_fusefs boolean.
++
++.EX
++.B setsebool -P sanlock_use_fusefs 1
++.EE
++
++.PP
 +If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.
 +
 +.EX
@@ -75195,10 +74777,10 @@ index 0000000..85b97dd
 +selinux(8), services_munin_plugin(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/setfiles_selinux.8 b/man/man8/setfiles_selinux.8
 new file mode 100644
-index 0000000..8770c6f
+index 0000000..ee5a350
 --- /dev/null
 +++ b/man/man8/setfiles_selinux.8
-@@ -0,0 +1,87 @@
+@@ -0,0 +1,93 @@
 +.TH  "setfiles_selinux"  "8"  "setfiles" "dwalsh at redhat.com" "setfiles SELinux Policy documentation"
 +.SH "NAME"
 +setfiles_selinux \- Security Enhanced Linux Policy for the setfiles processes
@@ -75267,6 +74849,12 @@ index 0000000..8770c6f
 +	/selinux
 +.br
 +
++.br
++.B user_home_type
++
++	all user home files
++.br
++
 +.SH "COMMANDS"
 +.B semanage fcontext
 +can also be used to manipulate default file context mappings.
@@ -80134,10 +79722,10 @@ index 0000000..931ff5a
 \ No newline at end of file
 diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8
 new file mode 100644
-index 0000000..32088d6
+index 0000000..7c35616
 --- /dev/null
 +++ b/man/man8/ssh_selinux.8
-@@ -0,0 +1,322 @@
+@@ -0,0 +1,324 @@
 +.TH  "ssh_selinux"  "8"  "ssh" "dwalsh at redhat.com" "ssh SELinux Policy documentation"
 +.SH "NAME"
 +ssh_selinux \- Security Enhanced Linux Policy for the ssh processes
@@ -80427,6 +80015,8 @@ index 0000000..32088d6
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B user_tmp_type
@@ -80463,10 +80053,10 @@ index 0000000..32088d6
 \ No newline at end of file
 diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8
 new file mode 100644
-index 0000000..46c1f08
+index 0000000..6389ad9
 --- /dev/null
 +++ b/man/man8/sshd_selinux.8
-@@ -0,0 +1,424 @@
+@@ -0,0 +1,426 @@
 +.TH  "sshd_selinux"  "8"  "sshd" "dwalsh at redhat.com" "sshd SELinux Policy documentation"
 +.SH "NAME"
 +sshd_selinux \- Security Enhanced Linux Policy for the sshd processes
@@ -80832,6 +80422,8 @@ index 0000000..46c1f08
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B user_tmp_type
@@ -81141,10 +80733,10 @@ index 0000000..b685521
 +selinux(8), sssd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/staff_selinux.8 b/man/man8/staff_selinux.8
 new file mode 100644
-index 0000000..e84d243
+index 0000000..136be75
 --- /dev/null
 +++ b/man/man8/staff_selinux.8
-@@ -0,0 +1,504 @@
+@@ -0,0 +1,506 @@
 +.TH  "staff_selinux"  "8"  "staff" "mgrepl at redhat.com" "staff SELinux Policy documentation"
 +.SH "NAME"
 +staff_u \- \fBAdministrator's unprivileged user\fP - Security Enhanced Linux Policy 
@@ -81335,6 +80927,8 @@ index 0000000..e84d243
 +.TP
 +The SELinux user staff_u is able to listen on the following udp ports.
 +
++.B ephemeral_port_t: 32768-61000
++
 +.B all ports with out defined types
 +
 +.TP
@@ -82748,10 +82342,10 @@ index 0000000..fc8dec4
 +selinux(8), swat(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/sysadm_selinux.8 b/man/man8/sysadm_selinux.8
 new file mode 100644
-index 0000000..bff177f
+index 0000000..da9fe7c
 --- /dev/null
 +++ b/man/man8/sysadm_selinux.8
-@@ -0,0 +1,458 @@
+@@ -0,0 +1,462 @@
 +.TH  "sysadm_selinux"  "8"  "sysadm" "mgrepl at redhat.com" "sysadm SELinux Policy documentation"
 +.SH "NAME"
 +sysadm_u \- \fBGeneral system administration role\fP - Security Enhanced Linux Policy 
@@ -82883,6 +82477,8 @@ index 0000000..bff177f
 +
 +.B all ports with out defined types
 +
++.B ephemeral_port_t: 32768-61000
++
 +.TP
 +The SELinux user sysadm_u is able to connect to the following tcp ports.
 +
@@ -82895,6 +82491,8 @@ index 0000000..bff177f
 +
 +.B ntp_port_t: 123
 +
++.B ephemeral_port_t: 32768-61000
++
 +.TP
 +The SELinux user sysadm_u is able to connect to the following tcp ports.
 +
@@ -83213,10 +82811,10 @@ index 0000000..bff177f
 \ No newline at end of file
 diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8
 new file mode 100644
-index 0000000..a4cb5f3
+index 0000000..ad5876d
 --- /dev/null
 +++ b/man/man8/syslogd_selinux.8
-@@ -0,0 +1,237 @@
+@@ -0,0 +1,223 @@
 +.TH  "syslogd_selinux"  "8"  "syslogd" "dwalsh at redhat.com" "syslogd SELinux Policy documentation"
 +.SH "NAME"
 +syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes
@@ -83230,13 +82828,6 @@ index 0000000..a4cb5f3
 +
 +
 +.PP
-+If you want to determine whether Polipo session daemon can send syslog messages, you must turn on the polipo_session_send_syslog_msg boolean.
-+
-+.EX
-+.B setsebool -P polipo_session_send_syslog_msg 1
-+.EE
-+
-+.PP
 +If you want to allow syslogd the ability to read/write terminals, you must turn on the logging_syslogd_use_tty boolean.
 +
 +.EX
@@ -83250,13 +82841,6 @@ index 0000000..a4cb5f3
 +.B setsebool -P logging_syslogd_can_sendmail 1
 +.EE
 +
-+.PP
-+If you want to determine whether Git session daemons can send syslog messages, you must turn on the git_session_send_syslog_msg boolean.
-+
-+.EX
-+.B setsebool -P git_session_send_syslog_msg 1
-+.EE
-+
 +.SH NSSWITCH DOMAIN
 +
 +.PP
@@ -83790,10 +83374,10 @@ index 0000000..9abc94b
 +selinux(8), systemd_logger(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/systemd_logind_selinux.8 b/man/man8/systemd_logind_selinux.8
 new file mode 100644
-index 0000000..51b3bf3
+index 0000000..7cf2f53
 --- /dev/null
 +++ b/man/man8/systemd_logind_selinux.8
-@@ -0,0 +1,209 @@
+@@ -0,0 +1,211 @@
 +.TH  "systemd_logind_selinux"  "8"  "systemd_logind" "dwalsh at redhat.com" "systemd_logind SELinux Policy documentation"
 +.SH "NAME"
 +systemd_logind_selinux \- Security Enhanced Linux Policy for the systemd_logind processes
@@ -83963,6 +83547,8 @@ index 0000000..51b3bf3
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B var_auth_t
@@ -85891,10 +85477,10 @@ index 0000000..1723c12
 +selinux(8), telepathy_sunshine(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/telnetd_selinux.8 b/man/man8/telnetd_selinux.8
 new file mode 100644
-index 0000000..d8f3577
+index 0000000..cc1c99b
 --- /dev/null
 +++ b/man/man8/telnetd_selinux.8
-@@ -0,0 +1,205 @@
+@@ -0,0 +1,207 @@
 +.TH  "telnetd_selinux"  "8"  "telnetd" "dwalsh at redhat.com" "telnetd SELinux Policy documentation"
 +.SH "NAME"
 +telnetd_selinux \- Security Enhanced Linux Policy for the telnetd processes
@@ -86071,6 +85657,8 @@ index 0000000..d8f3577
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B wtmp_t
@@ -86440,10 +86028,10 @@ index 0000000..3817e99
 +selinux(8), tgtd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8
 new file mode 100644
-index 0000000..493c0e0
+index 0000000..97f8a06
 --- /dev/null
 +++ b/man/man8/thumb_selinux.8
-@@ -0,0 +1,161 @@
+@@ -0,0 +1,163 @@
 +.TH  "thumb_selinux"  "8"  "thumb" "dwalsh at redhat.com" "thumb SELinux Policy documentation"
 +.SH "NAME"
 +thumb_selinux \- Security Enhanced Linux Policy for the thumb processes
@@ -86565,12 +86153,12 @@ index 0000000..493c0e0
 +.br
 +.B thumb_home_t
 +
-+	/home/[^/]*/.cache/thumbnails(/.*)?
-+.br
 +	/home/[^/]*/\.thumbnails(/.*)?
 +.br
 +	/home/[^/]*/missfont\.log.*
 +.br
++	/home/[^/]*/\.cache/thumbnails(/.*)?
++.br
 +
 +.br
 +.B thumb_tmp_t
@@ -86585,6 +86173,8 @@ index 0000000..493c0e0
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -88256,7 +87846,7 @@ index 0000000..d69f677
 \ No newline at end of file
 diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8
 new file mode 100644
-index 0000000..11631ab
+index 0000000..419d7ad
 --- /dev/null
 +++ b/man/man8/unconfined_selinux.8
 @@ -0,0 +1,121 @@
@@ -88307,17 +87897,17 @@ index 0000000..11631ab
 +
 +
 +.PP
-+If you want to allow database admins to execute DML statement, you must turn on the sepgsql_unconfined_dbadm boolean.
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
 +
 +.EX
-+.B setsebool -P sepgsql_unconfined_dbadm 1
++.B setsebool -P unconfined_mozilla_plugin_transition 1
 +.EE
 +
 +.PP
-+If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
++If you want to allow database admins to execute DML statement, you must turn on the postgresql_selinux_unconfined_dbadm boolean.
 +
 +.EX
-+.B setsebool -P unconfined_mozilla_plugin_transition 1
++.B setsebool -P postgresql_selinux_unconfined_dbadm 1
 +.EE
 +
 +.PP
@@ -89029,10 +88619,10 @@ index 0000000..d031d76
 +selinux(8), usbmuxd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/user_selinux.8 b/man/man8/user_selinux.8
 new file mode 100644
-index 0000000..0e0a3ae
+index 0000000..1b1edbf
 --- /dev/null
 +++ b/man/man8/user_selinux.8
-@@ -0,0 +1,544 @@
+@@ -0,0 +1,546 @@
 +.TH  "user_selinux"  "8"  "user" "mgrepl at redhat.com" "user SELinux Policy documentation"
 +.SH "NAME"
 +user_u \- \fBGeneric unprivileged user\fP - Security Enhanced Linux Policy 
@@ -89097,6 +88687,8 @@ index 0000000..0e0a3ae
 +
 +.B all ports with out defined types
 +
++.B ephemeral_port_t: 32768-61000
++
 +.TP
 +The SELinux user user_u is able to connect to the following tcp ports.
 +
@@ -89135,6 +88727,13 @@ index 0000000..0e0a3ae
 +.EE
 +
 +.PP
++If you want to allow unprivileged users to execute DDL statement, you must turn on the postgresql_selinux_users_ddl boolean.
++
++.EX
++.B setsebool -P postgresql_selinux_users_ddl 1
++.EE
++
++.PP
 +If you want to allow pppd to be run for a regular user, you must turn on the pppd_for_user boolean.
 +
 +.EX
@@ -89288,13 +88887,6 @@ index 0000000..0e0a3ae
 +.B setsebool -P user_dmesg 1
 +.EE
 +
-+.PP
-+If you want to allow unprivileged users to execute DDL statement, you must turn on the sepgsql_enable_users_ddl boolean.
-+
-+.EX
-+.B setsebool -P sepgsql_enable_users_ddl 1
-+.EE
-+
 +.SH HOME_EXEC
 +
 +The SELinux user user_u is able execute home content files.
@@ -89984,10 +89576,10 @@ index 0000000..271e8a0
 \ No newline at end of file
 diff --git a/man/man8/utempter_selinux.8 b/man/man8/utempter_selinux.8
 new file mode 100644
-index 0000000..dad2308
+index 0000000..b1150b0
 --- /dev/null
 +++ b/man/man8/utempter_selinux.8
-@@ -0,0 +1,115 @@
+@@ -0,0 +1,117 @@
 +.TH  "utempter_selinux"  "8"  "utempter" "dwalsh at redhat.com" "utempter SELinux Policy documentation"
 +.SH "NAME"
 +utempter_selinux \- Security Enhanced Linux Policy for the utempter processes
@@ -90077,6 +89669,8 @@ index 0000000..dad2308
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B wtmp_t
@@ -91745,10 +91339,10 @@ index 0000000..c0fe284
 \ No newline at end of file
 diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8
 new file mode 100644
-index 0000000..7ccb20c
+index 0000000..a62bc55
 --- /dev/null
 +++ b/man/man8/virtd_selinux.8
-@@ -0,0 +1,425 @@
+@@ -0,0 +1,421 @@
 +.TH  "virtd_selinux"  "8"  "virtd" "dwalsh at redhat.com" "virtd SELinux Policy documentation"
 +.SH "NAME"
 +virtd_selinux \- Security Enhanced Linux Policy for the virtd processes
@@ -92081,8 +91675,6 @@ index 0000000..7ccb20c
 +.br
 +.B virt_home_t
 +
-+	/var/run/user/[^/]*/libguestfs(/.*)?
-+.br
 +	/home/[^/]*/\.libvirt(/.*)?
 +.br
 +	/home/[^/]*/\.virtinst(/.*)?
@@ -92145,8 +91737,6 @@ index 0000000..7ccb20c
 +.br
 +	/var/run/libvirt(/.*)?
 +.br
-+	/var/run/libguestfs(/.*)?
-+.br
 +
 +.SH "COMMANDS"
 +.B semanage fcontext
@@ -92300,7 +91890,7 @@ index 0000000..2322b2f
 +selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/vmware_host_selinux.8 b/man/man8/vmware_host_selinux.8
 new file mode 100644
-index 0000000..bc7c63c
+index 0000000..e10c9b4
 --- /dev/null
 +++ b/man/man8/vmware_host_selinux.8
 @@ -0,0 +1,130 @@
@@ -92335,7 +91925,7 @@ index 0000000..bc7c63c
 +.br
 +.TP 5
 +Paths: 
-+/usr/bin/vmware-smbpasswd\.bin, /usr/lib/vmware/bin/vmware-vmx, /usr/bin/vmware-smbd, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-dhcpd, /usr/bin/vmnet-bridge, /usr/bin/vmware-nmbd, /usr/bin/vmnet-netifup, /usr/sbin/vmware-guest.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmware-network, /usr/bin/vmnet-sniffer, /usr/bin/vmware-smbpasswd, /usr/lib/vmware-tools/sbin32/vmware.*
++/usr/bin/vmware-smbpasswd\.bin, /usr/bin/vmware-smbd, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-dhcpd, /usr/bin/vmnet-bridge, /usr/bin/vmware-nmbd, /usr/bin/vmnet-netifup, /usr/sbin/vmware-guest.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmware-network, /usr/bin/vmnet-sniffer, /usr/bin/vmware-smbpasswd, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware/bin/vmware-vmx
 +
 +.EX
 +.PP
@@ -92437,7 +92027,7 @@ index 0000000..bc7c63c
 \ No newline at end of file
 diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8
 new file mode 100644
-index 0000000..0350ac4
+index 0000000..eec481c
 --- /dev/null
 +++ b/man/man8/vmware_selinux.8
 @@ -0,0 +1,220 @@
@@ -92500,7 +92090,7 @@ index 0000000..0350ac4
 +.br
 +.TP 5
 +Paths: 
-+/usr/bin/vmware-smbpasswd\.bin, /usr/lib/vmware/bin/vmware-vmx, /usr/bin/vmware-smbd, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-dhcpd, /usr/bin/vmnet-bridge, /usr/bin/vmware-nmbd, /usr/bin/vmnet-netifup, /usr/sbin/vmware-guest.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmware-network, /usr/bin/vmnet-sniffer, /usr/bin/vmware-smbpasswd, /usr/lib/vmware-tools/sbin32/vmware.*
++/usr/bin/vmware-smbpasswd\.bin, /usr/bin/vmware-smbd, /usr/lib/vmware-tools/sbin64/vmware.*, /usr/bin/vmnet-dhcpd, /usr/bin/vmnet-bridge, /usr/bin/vmware-nmbd, /usr/bin/vmnet-netifup, /usr/sbin/vmware-guest.*, /usr/bin/vmnet-natd, /usr/bin/vmware-vmx, /usr/bin/vmware-network, /usr/bin/vmnet-sniffer, /usr/bin/vmware-smbpasswd, /usr/lib/vmware-tools/sbin32/vmware.*, /usr/lib/vmware/bin/vmware-vmx
 +
 +.EX
 +.PP
@@ -93717,10 +93307,10 @@ index 0000000..ba1693e
 \ No newline at end of file
 diff --git a/man/man8/winbind_selinux.8 b/man/man8/winbind_selinux.8
 new file mode 100644
-index 0000000..fbc135e
+index 0000000..975d839
 --- /dev/null
 +++ b/man/man8/winbind_selinux.8
-@@ -0,0 +1,258 @@
+@@ -0,0 +1,260 @@
 +.TH  "winbind_selinux"  "8"  "winbind" "dwalsh at redhat.com" "winbind SELinux Policy documentation"
 +.SH "NAME"
 +winbind_selinux \- Security Enhanced Linux Policy for the winbind processes
@@ -93939,6 +93529,8 @@ index 0000000..fbc135e
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B winbind_log_t
@@ -93982,7 +93574,7 @@ index 0000000..fbc135e
 \ No newline at end of file
 diff --git a/man/man8/wine_selinux.8 b/man/man8/wine_selinux.8
 new file mode 100644
-index 0000000..29697df
+index 0000000..1aec24d
 --- /dev/null
 +++ b/man/man8/wine_selinux.8
 @@ -0,0 +1,108 @@
@@ -94028,7 +93620,7 @@ index 0000000..29697df
 +.br
 +.TP 5
 +Paths: 
-+/opt/google/picasa(/.*)?/bin/msiexec, /usr/bin/regedit, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/regedit, /usr/bin/regsvr32, /opt/google/picasa(/.*)?/bin/regsvr32, /usr/bin/uninstaller, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/google/picasa(/.*)?/bin/wdi, /usr/bin/msiexec, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/teamviewer(/.*)?/bin/wine.*, /usr/bin/wine.*, /opt/google/picasa(/.*)?/bin/progman, /opt/picasa/wine/bin/wine.*, /usr/bin/notepad, /opt/cxoffice/bin/wine.*
++/opt/google/picasa(/.*)?/bin/msiexec, /usr/bin/regedit, /opt/google/picasa(/.*)?/bin/wine.*, /opt/google/picasa(/.*)?/bin/notepad, /opt/google/picasa(/.*)?/bin/regedit, /usr/bin/regsvr32, /usr/bin/uninstaller, /opt/google/picasa(/.*)?/bin/uninstaller, /opt/google/picasa(/.*)?/bin/wdi, /opt/google/picasa(/.*)?/bin/regsvr32, /usr/bin/msiexec, /opt/google/picasa(/.*)?/Picasa3/.*exe, /opt/teamviewer(/.*)?/bin/wine.*, /usr/bin/wine.*, /opt/google/picasa(/.*)?/bin/progman, /opt/picasa/wine/bin/wine.*, /usr/bin/notepad, /opt/cxoffice/bin/wine.*
 +
 +.EX
 +.PP
@@ -94341,10 +93933,10 @@ index 0000000..48ec260
 +selinux(8), wpa_cli(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/xauth_selinux.8 b/man/man8/xauth_selinux.8
 new file mode 100644
-index 0000000..db32c31
+index 0000000..b8d2d9a
 --- /dev/null
 +++ b/man/man8/xauth_selinux.8
-@@ -0,0 +1,201 @@
+@@ -0,0 +1,203 @@
 +.TH  "xauth_selinux"  "8"  "xauth" "dwalsh at redhat.com" "xauth SELinux Policy documentation"
 +.SH "NAME"
 +xauth_selinux \- Security Enhanced Linux Policy for the xauth processes
@@ -94452,6 +94044,8 @@ index 0000000..db32c31
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B xauth_home_t
@@ -94548,10 +94142,10 @@ index 0000000..db32c31
 +selinux(8), xauth(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/xdm_selinux.8 b/man/man8/xdm_selinux.8
 new file mode 100644
-index 0000000..b9c7f31
+index 0000000..28ae2f9
 --- /dev/null
 +++ b/man/man8/xdm_selinux.8
-@@ -0,0 +1,707 @@
+@@ -0,0 +1,709 @@
 +.TH  "xdm_selinux"  "8"  "xdm" "dwalsh at redhat.com" "xdm SELinux Policy documentation"
 +.SH "NAME"
 +xdm_selinux \- Security Enhanced Linux Policy for the xdm processes
@@ -95038,6 +94632,8 @@ index 0000000..b9c7f31
 +
 +	/var/run/user(/.*)?
 +.br
++	/tmp/gconfd-.*
++.br
 +
 +.br
 +.B user_tmpfs_type
@@ -95841,10 +95437,10 @@ index 0000000..bce5105
 +selinux(8), xenstored(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/xguest_selinux.8 b/man/man8/xguest_selinux.8
 new file mode 100644
-index 0000000..d038fd3
+index 0000000..7ccd34a
 --- /dev/null
 +++ b/man/man8/xguest_selinux.8
-@@ -0,0 +1,286 @@
+@@ -0,0 +1,290 @@
 +.TH  "xguest_selinux"  "8"  "xguest" "mgrepl at redhat.com" "xguest SELinux Policy documentation"
 +.SH "NAME"
 +xguest_u \- \fBLeast privledge xwindows user role\fP - Security Enhanced Linux Policy 
@@ -95899,9 +95495,9 @@ index 0000000..d038fd3
 +
 +.B dns_port_t: 53
 +
-+.B pulseaudio_port_t: 4713
++.B kerberos_port_t: 88,750,4444
 +
-+.B flash_port_t: 843,1935
++.B ocsp_port_t: 9080
 +
 +.B soundd_port_t: 8000,9433,16001
 +
@@ -95909,12 +95505,8 @@ index 0000000..d038fd3
 +
 +.B transproxy_port_t: 8081
 +
-+.B ocsp_port_t: 9080
-+
 +.B all ports with out defined types
 +
-+.B kerberos_port_t: 88,750,4444
-+
 +.B ftp_port_t: 21,990
 +
 +.B speech_port_t: 8036
@@ -95925,14 +95517,20 @@ index 0000000..d038fd3
 +
 +.B squid_port_t: 3128,3401,4827
 +
++.B ephemeral_port_t: 32768-61000
++
++.B pulseaudio_port_t: 4713
++
++.B flash_port_t: 843,1935
++
 +.TP
 +The SELinux user xguest_u is able to connect to the following tcp ports.
 +
 +.B dns_port_t: 53
 +
-+.B pulseaudio_port_t: 4713
++.B kerberos_port_t: 88,750,4444
 +
-+.B flash_port_t: 843,1935
++.B ocsp_port_t: 9080
 +
 +.B soundd_port_t: 8000,9433,16001
 +
@@ -95940,12 +95538,8 @@ index 0000000..d038fd3
 +
 +.B transproxy_port_t: 8081
 +
-+.B ocsp_port_t: 9080
-+
 +.B all ports with out defined types
 +
-+.B kerberos_port_t: 88,750,4444
-+
 +.B ftp_port_t: 21,990
 +
 +.B speech_port_t: 8036
@@ -95956,6 +95550,12 @@ index 0000000..d038fd3
 +
 +.B squid_port_t: 3128,3401,4827
 +
++.B ephemeral_port_t: 32768-61000
++
++.B pulseaudio_port_t: 4713
++
++.B flash_port_t: 843,1935
++
 +.SH BOOLEANS
 +SELinux policy is customizable based on least access required.  xguest policy is extremely flexible and has several booleans that allow you to manipulate the policy and run xguest with the tightest access possible.
 +
@@ -98337,7 +97937,7 @@ index 0000000..6c02d27
 +selinux(8), zarafa_spooler(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/zebra_selinux.8 b/man/man8/zebra_selinux.8
 new file mode 100644
-index 0000000..ee7db30
+index 0000000..f05220d
 --- /dev/null
 +++ b/man/man8/zebra_selinux.8
 @@ -0,0 +1,198 @@
@@ -98419,7 +98019,7 @@ index 0000000..ee7db30
 +.br
 +.TP 5
 +Paths: 
-+/var/log/zebra(/.*)?, /var/log/quagga(/.*)?
++/var/log/quagga(/.*)?, /var/log/zebra(/.*)?
 +
 +.EX
 +.PP
@@ -105232,7 +104832,7 @@ index 6a1e4d1..eee8419 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..74b6af7 100644
+index cf04cb5..1e017ad 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.11.0)
@@ -105328,7 +104928,12 @@ index cf04cb5..74b6af7 100644
  ')
  
  ########################################
-@@ -151,8 +196,13 @@ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+@@ -147,12 +192,18 @@ optional_policy(`
+ # Use/sendto/connectto sockets created by any domain.
+ allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
+ 
++allow unconfined_domain_type domain:system all_system_perms;
+ # Use descriptors and pipes created by any domain.
  allow unconfined_domain_type domain:fd use;
  allow unconfined_domain_type domain:fifo_file rw_file_perms;
  
@@ -105343,7 +104948,7 @@ index cf04cb5..74b6af7 100644
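Review bot: The added `allow unconfined_domain_type domain:system all_system_perms;` has no comment of its own and sits directly above `# Use descriptors and pipes created by any domain.`, so it reads as if that comment (or the socket comment before it) described it. The rule grants every permission in the `system` class against every type carrying the `domain` attribute, which is broad even for unconfined domains; presumably it is what lets unconfined domains control systemd-managed services, but nothing in the hunk says so. I would give it its own comment and a blank line after it, e.g. `# Allow unconfined domains all system-class operations on any domain (systemd service control).`, and confirm that `all_system_perms` does not include more than the operations intended. The run of unconfined_domain_type rules starts and ends outside this hunk.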
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +216,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +217,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -116500,7 +116105,7 @@ index 130ced9..ff65b6f 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index d40f750..c36e969 100644
+index d40f750..10170d4 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -116515,15 +116120,15 @@ index d40f750..c36e969 100644
 +##	Allows clients to write to the X server shared
 +##	memory segments.
 +##	</p>
- ## </desc>
--gen_tunable(allow_write_xshm, false)
++## </desc>
 +gen_tunable(xserver_clients_write_xshm, false)
 +
 +## <desc>
 +##	<p>
 +##	Allows XServer to execute writable memory
 +##	</p>
-+## </desc>
+ ## </desc>
+-gen_tunable(allow_write_xshm, false)
 +gen_tunable(xserver_execmem, false)
  
  ## <desc>
@@ -117231,7 +116836,7 @@ index d40f750..c36e969 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +801,70 @@ optional_policy(`
+@@ -537,28 +801,74 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117300,18 +116905,22 @@ index d40f750..c36e969 100644
 -		allow xdm_t self:process { execheap execmem };
 -	')
 +optional_policy(`
-+	udev_read_db(xdm_t)
++	telepathy_exec(xdm_t)
 +')
  
 -	ifdef(`distro_rhel4',`
 -		allow xdm_t self:process { execheap execmem };
 -	')
 +optional_policy(`
++	udev_read_db(xdm_t)
++')
++
++optional_policy(`
 +	unconfined_signal(xdm_t)
  ')
  
  optional_policy(`
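Review bot: The new `telepathy_exec(xdm_t)` block carries no comment saying which telepathy program xdm runs or why it is executed rather than given a domain transition. If `telepathy_exec` follows the usual refpolicy `_exec` convention (its definition is not in this hunk), the telepathy binaries run inside xdm_t with the display manager's permissions instead of in their own confined domains, which is worth recording for a process that owns the login screen. I would add a line such as `# telepathy apps are executed in xdm_t without a domain transition` inside the block, together with the reason, or use a domain-transition interface if the telepathy module offers one. The run of optional_policy blocks continues outside the hunk.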
-@@ -570,6 +876,14 @@ optional_policy(`
+@@ -570,6 +880,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117326,7 +116935,7 @@ index d40f750..c36e969 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,8 +908,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +912,11 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -117339,7 +116948,7 @@ index d40f750..c36e969 100644
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +925,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +929,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -117355,7 +116964,7 @@ index d40f750..c36e969 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +952,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +956,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -117377,7 +116986,7 @@ index d40f750..c36e969 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +972,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +976,12 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -117391,7 +117000,7 @@ index d40f750..c36e969 100644
  corenet_all_recvfrom_netlabel(xserver_t)
  corenet_tcp_sendrecv_generic_if(xserver_t)
  corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +998,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1002,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -117423,7 +117032,7 @@ index d40f750..c36e969 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1030,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1034,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -117437,7 +117046,7 @@ index d40f750..c36e969 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1049,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1053,18 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -117461,7 +117070,7 @@ index d40f750..c36e969 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1114,40 @@ optional_policy(`
+@@ -775,16 +1118,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117503,7 +117112,7 @@ index d40f750..c36e969 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1156,10 @@ optional_policy(`
+@@ -793,6 +1160,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -117514,7 +117123,7 @@ index d40f750..c36e969 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1175,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1179,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -117528,7 +117137,7 @@ index d40f750..c36e969 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1186,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1190,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -117537,7 +117146,7 @@ index d40f750..c36e969 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1199,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1203,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -117572,7 +117181,7 @@ index d40f750..c36e969 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1221,10 @@ optional_policy(`
+@@ -859,6 +1225,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -117583,7 +117192,7 @@ index d40f750..c36e969 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1268,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1272,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -117592,7 +117201,7 @@ index d40f750..c36e969 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1322,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1326,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -117624,7 +117233,7 @@ index d40f750..c36e969 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1368,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1372,44 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -119287,23 +118896,85 @@ index 6c4b6ee..86a90a2 100644
  	xen_rw_image_files(fsadm_t)
  ')
 diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
-index e1a1848..909af45 100644
+index e1a1848..c0d34e7 100644
 --- a/policy/modules/system/getty.fc
 +++ b/policy/modules/system/getty.fc
-@@ -3,6 +3,8 @@
+@@ -3,6 +3,10 @@
  
  /sbin/.*getty		--	gen_context(system_u:object_r:getty_exec_t,s0)
  
++/usr/lib/systemd/system/[^/]*getty.*	--	gen_context(system_u:object_r:getty_unit_file_t,s0)
++
 +/usr/sbin/.*getty	--	gen_context(system_u:object_r:getty_exec_t,s0)
 +
  /var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
  /var/log/vgetty\.log\..* --	gen_context(system_u:object_r:getty_log_t,s0)
  
+diff --git a/policy/modules/system/getty.if b/policy/modules/system/getty.if
+index e4376aa..2c98c56 100644
+--- a/policy/modules/system/getty.if
++++ b/policy/modules/system/getty.if
+@@ -96,3 +96,45 @@ interface(`getty_rw_config',`
+ 	files_search_etc($1)
+ 	allow $1 getty_etc_t:file rw_file_perms;
+ ')
++
++########################################
++## <summary>
++##	Execute getty server in the getty domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`getty_systemctl',`
++	gen_require(`
++		type getty_unit_file_t;
++		type getty_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 getty_unit_file_t:file read_file_perms;
++	allow $1 getty_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, getty_t)
++')
++
++########################################
++## <summary>
++##	Start getty unit files domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`getty_start_services',`
++	gen_require(`
++		type getty_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 getty_unit_file_t:service start;
++')
 diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index fd100fc..a0a6cef 100644
+index fd100fc..0940bf1 100644
 --- a/policy/modules/system/getty.te
 +++ b/policy/modules/system/getty.te
-@@ -83,8 +83,10 @@ term_use_unallocated_ttys(getty_t)
+@@ -27,6 +27,9 @@ files_tmp_file(getty_tmp_t)
+ type getty_var_run_t;
+ files_pid_file(getty_var_run_t)
+ 
++type getty_unit_file_t;
++systemd_unit_file(getty_unit_file_t)
++
+ ########################################
+ #
+ # Getty local policy
+@@ -83,8 +86,10 @@ term_use_unallocated_ttys(getty_t)
  term_setattr_all_ttys(getty_t)
  term_setattr_unallocated_ttys(getty_t)
  term_setattr_console(getty_t)
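Review bot: The doc header added for `getty_systemctl` in getty.if does not describe what the interface grants: the summary reads "Execute getty server in the getty domain" and the parameter "Domain allowed to transition", yet the body allows systemctl execution plus `read_file_perms` and `manage_service_perms` on `getty_unit_file_t`, with no domain transition. I would change the summary to `##	Execute systemctl and manage getty unit files and services.` and the parameter text to `##	Domain allowed access.`. `getty_start_services` needs the same parameter fix and a summary such as `##	Start getty services via their unit files.`. The three interfaces added to systemd.if later in this patch carry the same copied parameter text. These headers are what a policy author reads before handing service control to a domain, so they should state the permission set accurately.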
@@ -119314,7 +118985,7 @@ index fd100fc..a0a6cef 100644
  
  init_rw_utmp(getty_t)
  init_use_script_ptys(getty_t)
-@@ -94,7 +96,6 @@ locallogin_domtrans(getty_t)
+@@ -94,7 +99,6 @@ locallogin_domtrans(getty_t)
  
  logging_send_syslog_msg(getty_t)
  
@@ -119322,7 +118993,7 @@ index fd100fc..a0a6cef 100644
  
  ifdef(`distro_gentoo',`
  	# Gentoo default /etc/issue makes agetty
-@@ -113,7 +114,7 @@ ifdef(`distro_ubuntu',`
+@@ -113,7 +117,7 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -119331,7 +119002,7 @@ index fd100fc..a0a6cef 100644
  	# Support logging in from /dev/console
  	term_use_console(getty_t)
  ',`
-@@ -125,10 +126,6 @@ optional_policy(`
+@@ -125,10 +129,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -119551,7 +119222,7 @@ index d2e40b8..084ee57 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index d26fe81..1cb0308 100644
+index d26fe81..c932f74 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,38 @@ interface(`init_script_domain',`
@@ -120392,7 +120063,7 @@ index d26fe81..1cb0308 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1792,3 +2256,284 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1792,3 +2256,286 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -120640,6 +120311,7 @@ index d26fe81..1cb0308 100644
 +	')
 +
 +	allow $1 init_t:system reboot;
++	systemd_config_power_services($1)
 +')
 +
 +########################################
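Review bot: The added `systemd_config_power_services($1)` call gives every caller of this interface `manage_service_perms` on `power_unit_file_t` (per the systemd.if hunk later in this patch), which looks wider than a rule sitting beside `allow $1 init_t:system reboot;` needs. The same line is added beside `allow $1 init_t:system halt;` in the next hunk. This commit also introduces `systemd_start_power_services`, which grants only `start` on the same type, so unless callers really need the full manage set I would call `systemd_start_power_services($1)` in both places. The expansion of `manage_service_perms` is not visible here, so treat the width as something to confirm. The enclosing interfaces begin outside these hunks.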
@@ -120658,6 +120330,7 @@ index d26fe81..1cb0308 100644
 +	')
 +
 +	allow $1 init_t:system halt;
++	systemd_config_power_services($1)
 +')
 +
 +########################################
@@ -120678,7 +120351,7 @@ index d26fe81..1cb0308 100644
 +	allow $1 init_t:system undefined;
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 4a88fa1..852fe45 100644
+index 4a88fa1..b6196d7 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -120926,7 +120599,7 @@ index 4a88fa1..852fe45 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -196,16 +300,164 @@ tunable_policy(`init_upstart',`
+@@ -196,16 +300,166 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -121003,6 +120676,8 @@ index 4a88fa1..852fe45 100644
 +	files_list_locks(init_t)
 +	files_list_spool(init_t)
 +	files_list_var(init_t)
++	files_list_boot(init_t)
++	files_list_home(init_t)
 +	files_create_lock_dirs(init_t)
 +	files_relabel_all_lock_dirs(init_t)
 +	files_read_kernel_modules(init_t)
@@ -121093,7 +120768,7 @@ index 4a88fa1..852fe45 100644
  ')
  
  optional_policy(`
-@@ -213,6 +465,22 @@ optional_policy(`
+@@ -213,6 +467,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121116,7 +120791,7 @@ index 4a88fa1..852fe45 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -222,8 +490,9 @@ optional_policy(`
+@@ -222,8 +492,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -121128,7 +120803,7 @@ index 4a88fa1..852fe45 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -251,12 +520,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -251,12 +522,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -121144,7 +120819,7 @@ index 4a88fa1..852fe45 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -272,23 +544,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -272,23 +546,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -121187,7 +120862,7 @@ index 4a88fa1..852fe45 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -296,6 +581,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -296,6 +583,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -121195,7 +120870,7 @@ index 4a88fa1..852fe45 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -306,8 +592,10 @@ dev_write_framebuffer(initrc_t)
+@@ -306,8 +594,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -121206,7 +120881,7 @@ index 4a88fa1..852fe45 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -315,17 +603,16 @@ dev_manage_generic_files(initrc_t)
+@@ -315,17 +605,16 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -121226,7 +120901,7 @@ index 4a88fa1..852fe45 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -333,6 +620,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -333,6 +622,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -121234,7 +120909,7 @@ index 4a88fa1..852fe45 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -340,8 +628,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -340,8 +630,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -121246,7 +120921,7 @@ index 4a88fa1..852fe45 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -357,8 +647,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -357,8 +649,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -121260,7 +120935,7 @@ index 4a88fa1..852fe45 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -368,9 +662,12 @@ fs_mount_all_fs(initrc_t)
+@@ -368,9 +664,12 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -121274,7 +120949,7 @@ index 4a88fa1..852fe45 100644
  mcs_killall(initrc_t)
  mcs_process_set_categories(initrc_t)
  
-@@ -380,6 +677,7 @@ mls_process_read_up(initrc_t)
+@@ -380,6 +679,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -121282,7 +120957,7 @@ index 4a88fa1..852fe45 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -391,6 +689,7 @@ term_use_all_terms(initrc_t)
+@@ -391,6 +691,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -121290,7 +120965,7 @@ index 4a88fa1..852fe45 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -409,20 +708,18 @@ logging_read_all_logs(initrc_t)
+@@ -409,20 +710,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -121314,7 +120989,7 @@ index 4a88fa1..852fe45 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -476,6 +773,10 @@ ifdef(`distro_gentoo',`
+@@ -476,6 +775,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -121325,7 +121000,7 @@ index 4a88fa1..852fe45 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -496,7 +797,7 @@ ifdef(`distro_redhat',`
+@@ -496,7 +799,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -121334,7 +121009,7 @@ index 4a88fa1..852fe45 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -511,6 +812,7 @@ ifdef(`distro_redhat',`
+@@ -511,6 +814,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -121342,7 +121017,7 @@ index 4a88fa1..852fe45 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -531,6 +833,7 @@ ifdef(`distro_redhat',`
+@@ -531,6 +835,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -121350,7 +121025,7 @@ index 4a88fa1..852fe45 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -540,8 +843,39 @@ ifdef(`distro_redhat',`
+@@ -540,8 +845,39 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -121390,7 +121065,7 @@ index 4a88fa1..852fe45 100644
  	')
  
  	optional_policy(`
-@@ -549,14 +883,31 @@ ifdef(`distro_redhat',`
+@@ -549,14 +885,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -121422,7 +121097,7 @@ index 4a88fa1..852fe45 100644
  	')
  ')
  
-@@ -567,6 +918,39 @@ ifdef(`distro_suse',`
+@@ -567,6 +920,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -121462,7 +121137,7 @@ index 4a88fa1..852fe45 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -579,6 +963,8 @@ optional_policy(`
+@@ -579,6 +965,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -121471,7 +121146,7 @@ index 4a88fa1..852fe45 100644
  ')
  
  optional_policy(`
-@@ -600,6 +986,7 @@ optional_policy(`
+@@ -600,6 +988,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -121479,7 +121154,7 @@ index 4a88fa1..852fe45 100644
  ')
  
  optional_policy(`
-@@ -612,6 +999,17 @@ optional_policy(`
+@@ -612,6 +1001,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121497,7 +121172,7 @@ index 4a88fa1..852fe45 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -628,9 +1026,13 @@ optional_policy(`
+@@ -628,9 +1028,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -121511,7 +121186,7 @@ index 4a88fa1..852fe45 100644
  	')
  
  	optional_policy(`
-@@ -655,6 +1057,10 @@ optional_policy(`
+@@ -655,6 +1059,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121522,7 +121197,7 @@ index 4a88fa1..852fe45 100644
  	gpm_setattr_gpmctl(initrc_t)
  ')
  
-@@ -672,6 +1078,15 @@ optional_policy(`
+@@ -672,6 +1080,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121538,7 +121213,7 @@ index 4a88fa1..852fe45 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -712,6 +1127,7 @@ optional_policy(`
+@@ -712,6 +1129,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -121546,7 +121221,7 @@ index 4a88fa1..852fe45 100644
  ')
  
  optional_policy(`
-@@ -729,7 +1145,14 @@ optional_policy(`
+@@ -729,7 +1147,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121561,7 +121236,7 @@ index 4a88fa1..852fe45 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -752,6 +1175,10 @@ optional_policy(`
+@@ -752,6 +1177,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121572,7 +121247,7 @@ index 4a88fa1..852fe45 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -761,10 +1188,20 @@ optional_policy(`
+@@ -761,10 +1190,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121593,7 +121268,7 @@ index 4a88fa1..852fe45 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -773,6 +1210,10 @@ optional_policy(`
+@@ -773,6 +1212,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121604,7 +121279,7 @@ index 4a88fa1..852fe45 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -794,8 +1235,6 @@ optional_policy(`
+@@ -794,8 +1237,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -121613,7 +121288,7 @@ index 4a88fa1..852fe45 100644
  ')
  
  optional_policy(`
-@@ -804,6 +1243,10 @@ optional_policy(`
+@@ -804,6 +1245,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121624,7 +121299,7 @@ index 4a88fa1..852fe45 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -813,10 +1256,12 @@ optional_policy(`
+@@ -813,10 +1258,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -121637,7 +121312,7 @@ index 4a88fa1..852fe45 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -828,8 +1273,6 @@ optional_policy(`
+@@ -828,8 +1275,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121646,7 +121321,7 @@ index 4a88fa1..852fe45 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_pid_dirs(initrc_t)
  	udev_manage_rules_files(initrc_t)
-@@ -840,12 +1283,30 @@ optional_policy(`
+@@ -840,12 +1285,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121679,7 +121354,7 @@ index 4a88fa1..852fe45 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -855,6 +1316,18 @@ optional_policy(`
+@@ -855,6 +1318,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -121698,7 +121373,7 @@ index 4a88fa1..852fe45 100644
  ')
  
  optional_policy(`
-@@ -870,6 +1343,10 @@ optional_policy(`
+@@ -870,6 +1345,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -121709,7 +121384,7 @@ index 4a88fa1..852fe45 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -880,3 +1357,173 @@ optional_policy(`
+@@ -880,3 +1359,173 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -127797,10 +127472,10 @@ index ed363e1..27de635 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..7da5bf6
+index 0000000..b5707fb
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,24 @@
+@@ -0,0 +1,27 @@
 +/bin/systemd-notify				--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +/bin/systemctl					--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
@@ -127813,6 +127488,9 @@ index 0000000..7da5bf6
 +/usr/bin/systemd-tty-ask-password-agent		--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +
 +/usr/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)
++/usr/lib/systemd/system/.*power.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*reboot.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
++/usr/lib/systemd/system/.*halt.*	--	gen_context(system_u:object_r:power_unit_file_t,s0)
 +/usr/lib/systemd/systemd-logind	--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 +/usr/lib/systemd/systemd-logger	--	gen_context(system_u:object_r:systemd_logger_exec_t,s0)
 +/usr/lib/systemd/systemd-tmpfiles --	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
@@ -127827,10 +127505,10 @@ index 0000000..7da5bf6
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..23bac8e
+index 0000000..693ded2
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,792 @@
+@@ -0,0 +1,850 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -128623,12 +128301,70 @@ index 0000000..23bac8e
 +	allow $1 systemd_logind_t:system undefined;
 +')
 +
++########################################
++## <summary>
++##	Configure generic unit files domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`systemd_config_generic_services',`
++	gen_require(`
++		type systemd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 systemd_unit_file_t:file read_file_perms;
++	allow $1 systemd_unit_file_t:service manage_service_perms;
++')
++
++########################################
++## <summary>
++##	Configure power unit files domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`systemd_config_power_services',`
++	gen_require(`
++		type power_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 power_unit_file_t:file read_file_perms;
++	allow $1 power_unit_file_t:service manage_service_perms;
++')
++
++########################################
++## <summary>
++##	Start power unit files domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`systemd_start_power_services',`
++	gen_require(`
++		type power_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++	allow $1 power_unit_file_t:service start;
++')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..110ab13
+index 0000000..b7022eb
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,437 @@
+@@ -0,0 +1,445 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
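Review bot: `systemd_config_generic_services` grants `manage_service_perms` on `systemd_unit_file_t`, and systemd.fc in this patch makes that type the default label for everything under `/usr/lib/systemd/system(/.*)?`, so a caller gets service control over every unit that has no more specific label. The header should say so, e.g. `##	Execute systemctl and manage all generically labeled systemd units.`, so that callers such as the `systemd_logind_t` rule added in systemd.te are granted it knowingly. If a caller only needs to start units, a start-only variant modelled on `systemd_start_power_services` would be the narrower choice. What `manage_service_perms` expands to is not visible in this patch excerpt, so the exact permission set should be confirmed.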
@@ -128682,6 +128418,9 @@ index 0000000..110ab13
 +type systemd_unit_file_t;
 +systemd_unit_file(systemd_unit_file_t)
 +
++type power_unit_file_t;
++systemd_unit_file(power_unit_file_t)
++
 +# executable for systemctl
 +type systemd_systemctl_exec_t;
 +corecmd_executable_file(systemd_systemctl_exec_t)
@@ -128707,14 +128446,6 @@ index 0000000..110ab13
 +manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
 +manage_sock_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
-+init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
-+
-+init_status(systemd_logind_t)
-+init_signal(systemd_logind_t)
-+init_reboot(systemd_logind_t)
-+init_halt(systemd_logind_t)
-+init_undefined(systemd_logind_t)
-+init_signal_script(systemd_logind_t)
 +
 +kernel_read_system_state(systemd_logind_t)
 +
@@ -128755,6 +128486,19 @@ index 0000000..110ab13
 +
 +term_use_unallocated_ttys(systemd_logind_t)
 +
++init_named_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
++
++init_status(systemd_logind_t)
++init_signal(systemd_logind_t)
++init_reboot(systemd_logind_t)
++init_halt(systemd_logind_t)
++init_undefined(systemd_logind_t)
++init_signal_script(systemd_logind_t)
++
++getty_systemctl(systemd_logind_t)
++
++systemd_config_generic_services(systemd_logind_t)
++
 +# /run/user/.*
 +# Actually only have proof of it creating dirs and symlinks (/run/user/$USER/X11/display)
 +auth_manage_var_auth(systemd_logind_t)
@@ -130414,7 +130158,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..3784c82 100644
+index e720dcd..8b6920b 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -130430,7 +130174,7 @@ index e720dcd..3784c82 100644
  	corecmd_shell_entry_type($1_t)
  	corecmd_bin_entry_type($1_t)
  	domain_user_exemption_target($1_t)
-@@ -44,79 +46,130 @@ template(`userdom_base_user_template',`
+@@ -44,79 +46,131 @@ template(`userdom_base_user_template',`
  	term_user_pty($1_t, user_devpts_t)
  
  	term_user_tty($1_t, user_tty_device_t)
@@ -130585,6 +130329,7 @@ index e720dcd..3784c82 100644
 +	systemd_dbus_chat_logind($1_usertype)
 +	systemd_read_logind_sessions_files($1_usertype)
 +	systemd_write_inhibit_pipes($1_usertype)
++	systemd_write_inherited_logind_sessions_pipes($1_usertype)
 +
 +	tunable_policy(`deny_execmem',`', `
  		# Allow loading DSOs that require executable stack.
@@ -130613,7 +130358,7 @@ index e720dcd..3784c82 100644
  ')
  
  #######################################
-@@ -150,6 +203,8 @@ interface(`userdom_ro_home_role',`
+@@ -150,6 +204,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -130622,7 +130367,7 @@ index e720dcd..3784c82 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -167,27 +222,6 @@ interface(`userdom_ro_home_role',`
+@@ -167,27 +223,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -130650,7 +130395,7 @@ index e720dcd..3784c82 100644
  ')
  
  #######################################
-@@ -219,8 +253,11 @@ interface(`userdom_ro_home_role',`
+@@ -219,8 +254,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -130662,7 +130407,7 @@ index e720dcd..3784c82 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -229,43 +266,47 @@ interface(`userdom_manage_home_role',`
+@@ -229,43 +267,47 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -130726,7 +130471,7 @@ index e720dcd..3784c82 100644
  	')
  ')
  
-@@ -273,6 +314,25 @@ interface(`userdom_manage_home_role',`
+@@ -273,6 +315,25 @@ interface(`userdom_manage_home_role',`
  ## <summary>
  ##	Manage user temporary files
  ## </summary>
@@ -130752,7 +130497,7 @@ index e720dcd..3784c82 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -287,17 +347,64 @@ interface(`userdom_manage_home_role',`
+@@ -287,17 +348,64 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -130822,7 +130567,7 @@ index e720dcd..3784c82 100644
  ')
  
  #######################################
-@@ -317,6 +424,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -317,6 +425,7 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -130830,7 +130575,7 @@ index e720dcd..3784c82 100644
  	files_search_tmp($1)
  ')
  
-@@ -348,59 +456,60 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -348,59 +457,60 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -130921,7 +130666,7 @@ index e720dcd..3784c82 100644
  ')
  
  #######################################
-@@ -431,6 +540,7 @@ template(`userdom_xwindows_client_template',`
+@@ -431,6 +541,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -130929,7 +130674,7 @@ index e720dcd..3784c82 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -463,8 +573,8 @@ template(`userdom_change_password_template',`
+@@ -463,8 +574,8 @@ template(`userdom_change_password_template',`
  	')
  
  	optional_policy(`
@@ -130940,7 +130685,7 @@ index e720dcd..3784c82 100644
  	')
  ')
  
-@@ -491,7 +601,8 @@ template(`userdom_common_user_template',`
+@@ -491,7 +602,8 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -130950,7 +130695,7 @@ index e720dcd..3784c82 100644
  
  	##############################
  	#
-@@ -501,41 +612,51 @@ template(`userdom_common_user_template',`
+@@ -501,41 +613,51 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -131025,7 +130770,7 @@ index e720dcd..3784c82 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,28 +667,28 @@ template(`userdom_common_user_template',`
+@@ -546,28 +668,28 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -131066,7 +130811,7 @@ index e720dcd..3784c82 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -575,71 +696,117 @@ template(`userdom_common_user_template',`
+@@ -575,71 +697,117 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -131206,7 +130951,7 @@ index e720dcd..3784c82 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -651,40 +818,52 @@ template(`userdom_common_user_template',`
+@@ -651,40 +819,52 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -131271,7 +131016,7 @@ index e720dcd..3784c82 100644
  	')
  ')
  
-@@ -709,17 +888,33 @@ template(`userdom_common_user_template',`
+@@ -709,17 +889,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -131310,7 +131055,7 @@ index e720dcd..3784c82 100644
  
  	userdom_change_password_template($1)
  
-@@ -727,82 +922,95 @@ template(`userdom_login_user_template', `
+@@ -727,82 +923,95 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -131443,7 +131188,7 @@ index e720dcd..3784c82 100644
  	')
  ')
  
-@@ -834,6 +1042,12 @@ template(`userdom_restricted_user_template',`
+@@ -834,6 +1043,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -131456,7 +131201,7 @@ index e720dcd..3784c82 100644
  	##############################
  	#
  	# Local policy
-@@ -874,46 +1088,114 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,46 +1089,114 @@ template(`userdom_restricted_xwindows_user_template',`
  	# Local policy
  	#
  
@@ -131584,7 +131329,7 @@ index e720dcd..3784c82 100644
  	')
  ')
  
-@@ -948,21 +1230,27 @@ template(`userdom_unpriv_user_template', `
+@@ -948,21 +1231,27 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -131615,7 +131360,7 @@ index e720dcd..3784c82 100644
  	files_read_kernel_symbol_table($1_t)
  
  	ifndef(`enable_mls',`
-@@ -979,23 +1267,60 @@ template(`userdom_unpriv_user_template', `
+@@ -979,23 +1268,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -131685,7 +131430,7 @@ index e720dcd..3784c82 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1004,7 +1329,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1004,7 +1330,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -131696,7 +131441,7 @@ index e720dcd..3784c82 100644
  	')
  ')
  
-@@ -1040,7 +1367,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1040,7 +1368,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -131705,7 +131450,7 @@ index e720dcd..3784c82 100644
  	')
  
  	##############################
-@@ -1067,6 +1394,7 @@ template(`userdom_admin_user_template',`
+@@ -1067,6 +1395,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -131713,7 +131458,7 @@ index e720dcd..3784c82 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1075,6 +1403,9 @@ template(`userdom_admin_user_template',`
+@@ -1075,6 +1404,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -131723,7 +131468,7 @@ index e720dcd..3784c82 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1089,6 +1420,7 @@ template(`userdom_admin_user_template',`
+@@ -1089,6 +1421,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -131731,7 +131476,7 @@ index e720dcd..3784c82 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1106,10 +1438,14 @@ template(`userdom_admin_user_template',`
+@@ -1106,10 +1439,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -131746,7 +131491,7 @@ index e720dcd..3784c82 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1120,29 +1456,38 @@ template(`userdom_admin_user_template',`
+@@ -1120,29 +1457,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -131789,7 +131534,7 @@ index e720dcd..3784c82 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1152,6 +1497,8 @@ template(`userdom_admin_user_template',`
+@@ -1152,6 +1498,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -131798,7 +131543,7 @@ index e720dcd..3784c82 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1166,6 +1513,10 @@ template(`userdom_admin_user_template',`
+@@ -1166,6 +1514,10 @@ template(`userdom_admin_user_template',`
  		fs_read_noxattr_fs_files($1_t)
  	')
  
@@ -131809,7 +131554,7 @@ index e720dcd..3784c82 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1211,6 +1562,8 @@ template(`userdom_security_admin_template',`
+@@ -1211,6 +1563,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -131818,7 +131563,7 @@ index e720dcd..3784c82 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1223,8 +1576,10 @@ template(`userdom_security_admin_template',`
+@@ -1223,8 +1577,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -131830,7 +131575,7 @@ index e720dcd..3784c82 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1235,13 +1590,19 @@ template(`userdom_security_admin_template',`
+@@ -1235,13 +1591,19 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -131854,7 +131599,7 @@ index e720dcd..3784c82 100644
  	')
  
  	optional_policy(`
-@@ -1252,12 +1613,12 @@ template(`userdom_security_admin_template',`
+@@ -1252,12 +1614,12 @@ template(`userdom_security_admin_template',`
  		dmesg_exec($1)
  	')
  
@@ -131870,7 +131615,7 @@ index e720dcd..3784c82 100644
  	')
  
  	optional_policy(`
-@@ -1317,12 +1678,15 @@ interface(`userdom_user_application_domain',`
+@@ -1317,12 +1679,15 @@ interface(`userdom_user_application_domain',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -131887,7 +131632,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -1363,7 +1727,52 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1363,7 +1728,52 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -131941,7 +131686,7 @@ index e720dcd..3784c82 100644
  ##	<summary>
  ##	Domain allowed access.
  ##	</summary>
-@@ -1467,11 +1876,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1467,11 +1877,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -131973,7 +131718,7 @@ index e720dcd..3784c82 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1513,6 +1942,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1513,6 +1943,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -131988,7 +131733,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -1528,9 +1965,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1528,9 +1966,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -132000,7 +131745,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -1587,6 +2026,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1587,6 +2027,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -132043,7 +131788,7 @@ index e720dcd..3784c82 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1666,6 +2141,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1666,6 +2142,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -132052,7 +131797,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -1680,10 +2157,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1680,10 +2158,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -132067,7 +131812,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -1726,6 +2205,43 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1726,6 +2206,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -132111,7 +131856,7 @@ index e720dcd..3784c82 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1745,6 +2261,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1745,6 +2262,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -132137,7 +131882,7 @@ index e720dcd..3784c82 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1775,14 +2310,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1775,14 +2311,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -132175,7 +131920,7 @@ index e720dcd..3784c82 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1793,11 +2350,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1793,11 +2351,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -132193,7 +131938,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -1856,6 +2416,78 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1856,6 +2417,78 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -132272,7 +132017,7 @@ index e720dcd..3784c82 100644
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1887,8 +2519,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1887,8 +2520,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -132282,7 +132027,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -1904,20 +2535,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1904,20 +2536,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -132307,7 +132052,7 @@ index e720dcd..3784c82 100644
  
  ########################################
  ## <summary>
-@@ -2018,6 +2643,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+@@ -2018,6 +2644,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -132332,7 +132077,7 @@ index e720dcd..3784c82 100644
  ##	Create, read, write, and delete named pipes
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2250,11 +2893,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2250,11 +2894,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -132347,7 +132092,7 @@ index e720dcd..3784c82 100644
  	files_search_tmp($1)
  ')
  
-@@ -2274,7 +2917,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2274,7 +2918,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -132356,7 +132101,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -2521,6 +3164,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2521,6 +3165,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -132382,7 +132127,7 @@ index e720dcd..3784c82 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2537,13 +3199,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2537,13 +3200,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -132398,7 +132143,7 @@ index e720dcd..3784c82 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2564,7 +3227,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2564,7 +3228,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -132407,7 +132152,7 @@ index e720dcd..3784c82 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2572,19 +3235,17 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2572,19 +3236,17 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -132430,7 +132175,7 @@ index e720dcd..3784c82 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2592,12 +3253,30 @@ interface(`userdom_manage_user_tmpfs_files',`
+@@ -2592,12 +3254,30 @@ interface(`userdom_manage_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -132464,7 +132209,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -2674,6 +3353,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2674,6 +3354,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -132489,7 +132234,7 @@ index e720dcd..3784c82 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2692,22 +3389,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2692,22 +3390,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -132532,7 +132277,7 @@ index e720dcd..3784c82 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2716,14 +3425,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2716,14 +3426,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -132570,7 +132315,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -2742,8 +3470,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2742,8 +3471,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -132600,7 +132345,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -2815,69 +3562,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2815,69 +3563,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -132701,7 +132446,7 @@ index e720dcd..3784c82 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2885,12 +3631,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -2885,12 +3632,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -132716,7 +132461,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -2954,7 +3700,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2954,7 +3701,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -132725,7 +132470,7 @@ index e720dcd..3784c82 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2970,29 +3716,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2970,29 +3717,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -132759,7 +132504,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -3074,7 +3804,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3074,7 +3805,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -132768,7 +132513,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -3129,7 +3859,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3129,7 +3860,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -132815,7 +132560,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -3147,7 +3915,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
+@@ -3147,7 +3916,7 @@ interface(`userdom_dontaudit_use_user_ttys',`
  		type user_tty_device_t;
  	')
  
@@ -132824,7 +132569,7 @@ index e720dcd..3784c82 100644
  ')
  
  ########################################
-@@ -3166,6 +3934,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3166,6 +3935,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -132832,7 +132577,7 @@ index e720dcd..3784c82 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3242,6 +4011,42 @@ interface(`userdom_signal_all_users',`
+@@ -3242,6 +4012,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
@@ -132875,7 +132620,7 @@ index e720dcd..3784c82 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3262,6 +4067,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3262,6 +4068,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -132900,7 +132645,7 @@ index e720dcd..3784c82 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4119,1282 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4120,1282 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index de023b2..e2346ae 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -4335,7 +4335,7 @@ index 1ea99b2..0b668ae 100644
 +	ps_process_pattern($1, apmd_t)
  ')
 diff --git a/apm.te b/apm.te
-index 1c8c27e..ae5cf5a 100644
+index 1c8c27e..4c09721 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -4459,17 +4459,15 @@ index 1c8c27e..ae5cf5a 100644
  	dbus_system_bus_client(apmd_t)
  
  	optional_policy(`
-@@ -209,8 +229,13 @@ optional_policy(`
- 	pcmcia_domtrans_cardctl(apmd_t)
+@@ -210,7 +230,11 @@ optional_policy(`
  ')
  
-+
-+optional_policy(`
+ optional_policy(`
+-	seutil_sigchld_newrole(apmd_t)
 +	shutdown_domtrans(apmd_t)
 +')
 +
- optional_policy(`
--	seutil_sigchld_newrole(apmd_t)
++optional_policy(`
 +	systemd_dbus_chat_logind(apmd_t)
  ')
  
@@ -9137,10 +9135,10 @@ index 6077339..d44d33f 100644
  	corosync_stream_connect(clogd_t)
 diff --git a/cloudform.fc b/cloudform.fc
 new file mode 100644
-index 0000000..61ab864
+index 0000000..8a40857
 --- /dev/null
 +++ b/cloudform.fc
-@@ -0,0 +1,20 @@
+@@ -0,0 +1,22 @@
 +/etc/rc\.d/init\.d/iwhd --      gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/mongod	--	gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
 +
@@ -9156,6 +9154,8 @@ index 0000000..61ab864
 +/var/log/deltacloud-core(/.*)?	gen_context(system_u:object_r:deltacloudd_log_t,s0)
 +/var/log/iwhd\.log.*		--		gen_context(system_u:object_r:iwhd_log_t,s0)
 +/var/log/mongodb(/.*)?		gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/mongo(/.*)?      gen_context(system_u:object_r:mongod_log_t,s0)
++/var/log/mongo/mongod\.log.*	--	gen_context(system_u:object_r:mongod_log_t,s0)	
 +/var/log/aeolus-conductor/dbomatic\.log.*	--	gen_context(system_u:object_r:mongod_log_t,s0)
 +
 +/var/run/mongodb(/.*)?		gen_context(system_u:object_r:mongod_var_run_t,s0)
@@ -9211,10 +9211,10 @@ index 0000000..cffcfc9
 +')
 diff --git a/cloudform.te b/cloudform.te
 new file mode 100644
-index 0000000..c247c62
+index 0000000..d013099
 --- /dev/null
 +++ b/cloudform.te
-@@ -0,0 +1,196 @@
+@@ -0,0 +1,197 @@
 +policy_module(cloudform, 1.0)
 +########################################
 +#
@@ -9373,6 +9373,7 @@ index 0000000..c247c62
 +manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
 +manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
 +logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
++logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
 +
 +manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
 +manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
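Review bot: The added `logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")` is a name-based transition for a file created directly in the generic log directory, while the file-context entries this commit adds to cloudform.fc place the log at `/var/log/mongo/mongod.log`. If mongod creates `/var/log/mongo` itself, that directory would presumably keep the generic log label and the file inside it would never match this transition. A directory transition such as `logging_log_filetrans(mongod_t, mongod_log_t, dir, "mongo")` would cover that case. It is worth confirming which path the daemon actually writes before keeping both rules.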
@@ -13842,7 +13843,7 @@ index 848bb92..c584f5a 100644
 +
 +/opt/brother/Printers(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --git a/cups.if b/cups.if
-index 305ddf4..11d010a 100644
+index 305ddf4..c960be7 100644
 --- a/cups.if
 +++ b/cups.if
 @@ -9,6 +9,11 @@
@@ -13927,7 +13928,7 @@ index 305ddf4..11d010a 100644
  	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
  	domain_system_change_exemption($1)
  	role_transition $2 cupsd_initrc_exec_t system_r;
-@@ -350,9 +384,42 @@ interface(`cups_admin',`
+@@ -350,9 +384,43 @@ interface(`cups_admin',`
  	admin_pattern($1, cupsd_var_run_t)
  	files_list_pids($1)
  
@@ -13956,19 +13957,20 @@ index 305ddf4..11d010a 100644
 +#
 +interface(`cups_filetrans_named_content',`
 +	gen_require(`
-+		type cups_rw_etc_t;
-+		type cups_etc_t;
++		type cupsd_rw_etc_t;
++		type cupsd_etc_t;
 +	')
 +
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "classes.conf")
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf")
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "printers.conf.O")
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf")
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "cupsd.conf.default")
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "lpoptions")
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "subscriptions.conf")
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "subscriptions.conf.O")
-+	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
++	filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/cups.te b/cups.te
 index e5a8924..b9c34bf 100644
@@ -15122,7 +15124,7 @@ index fb4bf82..126d543 100644
 +	dontaudit $1 session_bus_type:dbus send_msg;
  ')
 diff --git a/dbus.te b/dbus.te
-index 625cb32..c6d487c 100644
+index 625cb32..47d33d3 100644
 --- a/dbus.te
 +++ b/dbus.te
 @@ -10,6 +10,7 @@ gen_require(`
@@ -15201,7 +15203,7 @@ index 625cb32..c6d487c 100644
  miscfiles_read_generic_certs(system_dbusd_t)
  
  seutil_read_config(system_dbusd_t)
-@@ -135,11 +142,31 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -135,11 +142,35 @@ seutil_sigchld_newrole(system_dbusd_t)
  userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
  userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
  
@@ -15216,12 +15218,16 @@ index 625cb32..c6d487c 100644
 +')
 +
 +optional_policy(`
-+	gnome_exec_gconf(system_dbusd_t)
-+	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
++	cpufreqselector_dbus_chat(system_dbusd_t)
 +')
 +
 +optional_policy(`
-+	cpufreqselector_dbus_chat(system_dbusd_t)
++	getty_start_services(system_dbusd_t)
++')
++
++optional_policy(`
++	gnome_exec_gconf(system_dbusd_t)
++	gnome_read_inherited_home_icc_data_files(system_dbusd_t)
 +')
 +
 +optional_policy(`
@@ -15233,16 +15239,18 @@ index 625cb32..c6d487c 100644
  	policykit_dbus_chat(system_dbusd_t)
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
-@@ -150,12 +177,155 @@ optional_policy(`
+@@ -149,13 +180,157 @@ optional_policy(`
+ 	sysnet_domtrans_dhcpc(system_dbusd_t)
  ')
  
- optional_policy(`
++#optional_policy(`
 +	systemd_use_fds_logind(system_dbusd_t)
 +	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 +	systemd_write_inhibit_pipes(system_dbusd_t)
-+')
++	systemd_start_power_services(system_dbusd_t)
++#')
 +
-+optional_policy(`
+ optional_policy(`
  	udev_read_db(system_dbusd_t)
  ')
  
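Review bot: Commenting out the wrapper with `#optional_policy(` and `#')` makes the four `systemd_*` calls unconditional, so dbus.te would presumably stop building when the systemd module is absent. The new `systemd_start_power_services(system_dbusd_t)` grant is also no longer tied to that module being present. If the wrapper was disabled only to work around a build problem, restore it as a live `optional_policy(` block closed by `')`; if the hard dependency is intended, delete the two commented lines rather than leaving them behind. Because this rule lets the system bus daemon start the power-off units, a short comment above it recording which request needs the access would help later policy audits.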
@@ -24026,7 +24034,7 @@ index f5afe78..3e6dac9 100644
 +    type_transition $1 gkeyringd_exec_t:process $2;
 +')
 diff --git a/gnome.te b/gnome.te
-index 783c5fb..61fa745 100644
+index 783c5fb..5b4f2e5 100644
 --- a/gnome.te
 +++ b/gnome.te
 @@ -6,11 +6,31 @@ policy_module(gnome, 2.2.0)
@@ -24213,7 +24221,7 @@ index 783c5fb..61fa745 100644
 +allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
 +allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
 +
-+dontaudit gkeyringd_domain config_home_t:file write;
++allow gkeyringd_domain config_home_t:file write;
 +
 +manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
 +manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
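Review bot: Changing `dontaudit gkeyringd_domain config_home_t:file write;` to `allow` grants write on every file labelled config_home_t to all gkeyringd domains, whereas the commit message only asks for the dbus/conf file. If that file can carry its own type, set through a named file transition, the grant can stay scoped to it. Otherwise a comment such as `# gkeyringd writes dbus/conf` above the rule would record why the broad grant exists. The rule carries `write` without `open`, so it presumably only applies to descriptors gkeyringd inherits; confirm that matches the denial that prompted the change.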
@@ -27376,10 +27384,10 @@ index 0000000..868c7d0
 +')
 diff --git a/jockey.te b/jockey.te
 new file mode 100644
-index 0000000..5ca0ec0
+index 0000000..6a0bb3e
 --- /dev/null
 +++ b/jockey.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,58 @@
 +policy_module(jockey, 1.0.0)
 +
 +########################################
@@ -27425,12 +27433,15 @@ index 0000000..5ca0ec0
 +files_read_etc_files(jockey_t)
 +files_read_usr_files(jockey_t)
 +
-+
 +optional_policy(`
 +	dbus_system_domain(jockey_t, jockey_exec_t)
 +')
 +
 +optional_policy(`
++	gnome_dontaudit_search_config(jockey_t)
++')
++
++optional_policy(`
 +	modutils_domtrans_insmod(jockey_t)
 +	modutils_read_module_config(jockey_t)
 +	modutils_list_module_config(jockey_t)
@@ -33691,7 +33702,7 @@ index afa18c8..f6e2bb8 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index 4e2a5ba..68c5f8e 100644
+index 4e2a5ba..1185c88c 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -34221,7 +34232,7 @@ index 4e2a5ba..68c5f8e 100644
 +        userdom_search_user_home_dirs($1)
 +	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 +	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
-+	read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 +	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 +
 +        ifdef(`distro_redhat',`
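Review bot: Replacing `read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)` with `manage_lnk_files_pattern` lets callers of this interface create and delete symlinks in the mail_home_rw_t tree, not just follow them, and the commit message does not mention the widening. The interface header lies outside this hunk, so it is not visible whether its summary still describes the access; if it only speaks of reading links, it should be updated to say symlinks are managed. A comment above the line naming the delivery agent that needs to create links would make the grant easier to review later.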
@@ -34300,7 +34311,7 @@ index 4e2a5ba..68c5f8e 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index 84a7d66..d0d924a 100644
+index 84a7d66..15738c9 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -20,14 +20,19 @@ files_type(etc_aliases_t)
@@ -34378,7 +34389,7 @@ index 84a7d66..d0d924a 100644
  
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
-@@ -92,14 +99,26 @@ optional_policy(`
+@@ -92,25 +99,38 @@ optional_policy(`
  	apache_dontaudit_rw_stream_sockets(system_mail_t)
  	apache_dontaudit_rw_tcp_sockets(system_mail_t)
  	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
@@ -34400,22 +34411,20 @@ index 84a7d66..d0d924a 100644
 +                arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
 +        ')
 +
-+')
-+
-+optional_policy(`
-+	bugzilla_search_content(system_mail_t)
-+	bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
  ')
  
  optional_policy(`
-@@ -108,9 +127,15 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	courier_stream_connect_authdaemon(system_mail_t)
+-	clamav_stream_connect(system_mail_t)
+-	clamav_append_log(system_mail_t)
++	bugzilla_search_content(system_mail_t)
++	bugzilla_dontaudit_rw_stream_sockets(system_mail_t)
 +')
 +
 +optional_policy(`
++	courier_stream_connect_authdaemon(system_mail_t)
+ ')
+ 
+ optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
  	cron_rw_system_job_stream_sockets(system_mail_t)
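Review bot: The regenerated hunk now removes `clamav_stream_connect(system_mail_t)` and `clamav_append_log(system_mail_t)`, and the block added at the end of mta.te in this commit only restores `clamav_stream_connect`, for `user_mail_domain` and `mta_user_agent`. Nothing visible re-grants `clamav_append_log`, and whether system_mail_t belongs to `user_mail_domain` is not shown here, so system mail may lose both accesses. If appending to the clamav log is still required, add `clamav_append_log(user_mail_domain)` to the new clamav `optional_policy` block. If the drop is intentional, the spec changelog should say so, since it lists only added permissions.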
@@ -34424,7 +34433,7 @@ index 84a7d66..d0d924a 100644
  ')
  
  optional_policy(`
-@@ -124,12 +149,9 @@ optional_policy(`
+@@ -124,12 +144,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34439,7 +34448,7 @@ index 84a7d66..d0d924a 100644
  ')
  
  optional_policy(`
-@@ -146,6 +168,10 @@ optional_policy(`
+@@ -146,6 +163,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34450,7 +34459,7 @@ index 84a7d66..d0d924a 100644
  	nagios_read_tmp_files(system_mail_t)
  ')
  
-@@ -158,22 +184,13 @@ optional_policy(`
+@@ -158,22 +179,13 @@ optional_policy(`
  	files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
  
  	domain_use_interactive_fds(system_mail_t)
@@ -34476,7 +34485,7 @@ index 84a7d66..d0d924a 100644
  ')
  
  optional_policy(`
-@@ -189,6 +206,10 @@ optional_policy(`
+@@ -189,6 +201,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34487,7 +34496,7 @@ index 84a7d66..d0d924a 100644
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -199,20 +220,23 @@ optional_policy(`
+@@ -199,20 +215,23 @@ optional_policy(`
  	arpwatch_search_data(mailserver_delivery)
  	arpwatch_manage_tmp_files(mta_user_agent)
  
@@ -34515,16 +34524,16 @@ index 84a7d66..d0d924a 100644
  allow mailserver_delivery mail_spool_t:dir list_dir_perms;
  create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -220,21 +244,13 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -220,21 +239,13 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
 -read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
--
--read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
 +userdom_search_admin_dir(mailserver_delivery)
 +read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
  
+-read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+-
 -tunable_policy(`use_samba_home_dirs',`
 -	fs_manage_cifs_dirs(mailserver_delivery)
 -	fs_manage_cifs_files(mailserver_delivery)
@@ -34542,7 +34551,7 @@ index 84a7d66..d0d924a 100644
  
  optional_policy(`
  	dovecot_manage_spool(mailserver_delivery)
-@@ -242,6 +258,10 @@ optional_policy(`
+@@ -242,6 +253,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -34553,7 +34562,7 @@ index 84a7d66..d0d924a 100644
  	# so MTA can access /var/lib/mailman/mail/wrapper
  	files_search_var_lib(mailserver_delivery)
  
-@@ -249,6 +269,14 @@ optional_policy(`
+@@ -249,6 +264,14 @@ optional_policy(`
  	mailman_read_data_symlinks(mailserver_delivery)
  ')
  
@@ -34568,7 +34577,7 @@ index 84a7d66..d0d924a 100644
  ########################################
  #
  # User send mail local policy
-@@ -256,9 +284,9 @@ optional_policy(`
+@@ -256,9 +279,9 @@ optional_policy(`
  
  domain_use_interactive_fds(user_mail_t)
  
@@ -34580,7 +34589,7 @@ index 84a7d66..d0d924a 100644
  # Create dead.letter in user home directories.
  userdom_manage_user_home_content_files(user_mail_t)
  userdom_user_home_dir_filetrans_user_home_content(user_mail_t, file)
-@@ -270,6 +298,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery)
+@@ -270,6 +293,8 @@ userdom_manage_user_home_content_symlinks(mailserver_delivery)
  userdom_manage_user_home_content_pipes(mailserver_delivery)
  userdom_manage_user_home_content_sockets(mailserver_delivery)
  userdom_user_home_dir_filetrans_user_home_content(mailserver_delivery, { dir file lnk_file fifo_file sock_file })
@@ -34589,7 +34598,7 @@ index 84a7d66..d0d924a 100644
  # Read user temporary files.
  userdom_read_user_tmp_files(user_mail_t)
  userdom_dontaudit_append_user_tmp_files(user_mail_t)
-@@ -277,6 +307,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
+@@ -277,6 +302,8 @@ userdom_dontaudit_append_user_tmp_files(user_mail_t)
  # files in an appropriate place for mta_user_agent
  userdom_read_user_tmp_files(mta_user_agent)
  
@@ -34598,7 +34607,7 @@ index 84a7d66..d0d924a 100644
  tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(user_mail_t)
  	fs_manage_cifs_symlinks(user_mail_t)
-@@ -292,3 +324,118 @@ optional_policy(`
+@@ -292,3 +319,123 @@ optional_policy(`
  	postfix_read_config(user_mail_t)
  	postfix_list_spool(user_mail_t)
  ')
@@ -34717,6 +34726,11 @@ index 84a7d66..d0d924a 100644
 +optional_policy(`
 +	uucp_manage_spool(user_mail_domain)
 +')
++
++optional_policy(`
++	clamav_stream_connect(user_mail_domain)
++	clamav_stream_connect(mta_user_agent)
++')
 diff --git a/munin.fc b/munin.fc
 index fd71d69..26597b2 100644
 --- a/munin.fc
@@ -44971,7 +44985,7 @@ index 46bee12..3d33d82 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index a1e0f60..3bf042f 100644
+index a1e0f60..f94e74f 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -5,6 +5,15 @@ policy_module(postfix, 1.14.0)
@@ -45206,7 +45220,7 @@ index a1e0f60..3bf042f 100644
  
  logging_dontaudit_search_logs(postfix_local_t)
  
-@@ -286,10 +320,15 @@ mta_read_aliases(postfix_local_t)
+@@ -286,14 +320,28 @@ mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
  mta_read_config(postfix_local_t)
@@ -45225,22 +45239,20 @@ index a1e0f60..3bf042f 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -297,6 +336,14 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	dovecot_domtrans_deliver(postfix_local_t)
+ 	clamav_exec_clamscan(postfix_local_t)
++	clamav_stream_connect(postfix_domain)
 +')
 +
 +optional_policy(`
-+	dspam_domtrans(postfix_local_t)
++	dovecot_domtrans_deliver(postfix_local_t)
 +')
 +
 +optional_policy(`
- #	for postalias
- 	mailman_manage_data_files(postfix_local_t)
- 	mailman_append_log(postfix_local_t)
-@@ -304,9 +351,22 @@ optional_policy(`
++	dspam_domtrans(postfix_local_t)
+ ')
+ 
+ optional_policy(`
+@@ -304,9 +352,22 @@ optional_policy(`
  ')
  
  optional_policy(`
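Review bot: `clamav_stream_connect(postfix_domain)` is added inside the optional block that otherwise grants only to `postfix_local_t`, so every domain carrying the `postfix_domain` attribute gains connect access to the clamd socket from a place that reads as local-delivery policy. If the attribute-wide grant is intended, it would sit better next to the other `postfix_domain` rules that this patch appends at the end of postfix.te (where `spamd_stream_connect(postfix_domain)` already lives), with a one-line comment naming the denial behind it; otherwise scope it as `clamav_stream_connect(postfix_local_t)`. The later hunk adding `spamassassin_domtrans_client(postfix_domain)` widens a transition in the same way, one that the visible policy gives only to `postfix_pipe_t`, and needs the same justification. The enclosing policy sections start and end outside this hunk.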
@@ -45263,7 +45275,7 @@ index a1e0f60..3bf042f 100644
  ########################################
  #
  # Postfix map local policy
-@@ -329,7 +389,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -329,7 +390,6 @@ kernel_read_kernel_sysctls(postfix_map_t)
  kernel_dontaudit_list_proc(postfix_map_t)
  kernel_dontaudit_read_system_state(postfix_map_t)
  
@@ -45271,7 +45283,7 @@ index a1e0f60..3bf042f 100644
  corenet_all_recvfrom_netlabel(postfix_map_t)
  corenet_tcp_sendrecv_generic_if(postfix_map_t)
  corenet_udp_sendrecv_generic_if(postfix_map_t)
-@@ -348,7 +407,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+@@ -348,7 +408,6 @@ corecmd_read_bin_sockets(postfix_map_t)
  
  files_list_home(postfix_map_t)
  files_read_usr_files(postfix_map_t)
@@ -45279,7 +45291,7 @@ index a1e0f60..3bf042f 100644
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
-@@ -356,8 +414,6 @@ auth_use_nsswitch(postfix_map_t)
+@@ -356,8 +415,6 @@ auth_use_nsswitch(postfix_map_t)
  
  logging_send_syslog_msg(postfix_map_t)
  
@@ -45288,7 +45300,7 @@ index a1e0f60..3bf042f 100644
  optional_policy(`
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
-@@ -379,18 +435,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +436,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -45314,7 +45326,7 @@ index a1e0f60..3bf042f 100644
  allow postfix_pipe_t self:process setrlimit;
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +464,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -45323,7 +45335,7 @@ index a1e0f60..3bf042f 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +484,7 @@ optional_policy(`
+@@ -420,6 +485,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -45331,7 +45343,7 @@ index a1e0f60..3bf042f 100644
  ')
  
  optional_policy(`
-@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +502,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -45349,7 +45361,7 @@ index a1e0f60..3bf042f 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +559,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -45360,7 +45372,7 @@ index a1e0f60..3bf042f 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +590,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +591,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -45373,7 +45385,7 @@ index a1e0f60..3bf042f 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +614,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +615,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -45384,7 +45396,7 @@ index a1e0f60..3bf042f 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +635,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +636,11 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -45396,7 +45408,7 @@ index a1e0f60..3bf042f 100644
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
-@@ -565,6 +647,14 @@ optional_policy(`
+@@ -565,6 +648,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45411,7 +45423,7 @@ index a1e0f60..3bf042f 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -581,17 +671,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +672,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
  corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
  
  # for prng_exch
@@ -45438,7 +45450,7 @@ index a1e0f60..3bf042f 100644
  ')
  
  optional_policy(`
-@@ -599,6 +697,11 @@ optional_policy(`
+@@ -599,6 +698,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -45450,7 +45462,7 @@ index a1e0f60..3bf042f 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +714,6 @@ optional_policy(`
+@@ -611,7 +715,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -45458,7 +45470,7 @@ index a1e0f60..3bf042f 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -622,7 +724,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+@@ -622,7 +725,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
  
@@ -45466,7 +45478,7 @@ index a1e0f60..3bf042f 100644
  files_read_usr_files(postfix_virtual_t)
  
  mta_read_aliases(postfix_virtual_t)
-@@ -630,3 +731,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +732,76 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -45537,6 +45549,7 @@ index a1e0f60..3bf042f 100644
 +
 +optional_policy(`
 +	spamd_stream_connect(postfix_domain)
++	spamassassin_domtrans_client(postfix_domain)
 +')
 +
 +optional_policy(`
@@ -45857,7 +45870,7 @@ index de4bdb7..a4cad0b 100644
 +	allow $1 pppd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ppp.te b/ppp.te
-index bcbf9ac..a7f204b 100644
+index bcbf9ac..291e831 100644
 --- a/ppp.te
 +++ b/ppp.te
 @@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
@@ -45967,8 +45980,11 @@ index bcbf9ac..a7f204b 100644
  
  # allow running ip-up and ip-down scripts and running chat.
  corecmd_exec_bin(pppd_t)
-@@ -163,41 +170,51 @@ files_manage_etc_runtime_files(pppd_t)
+@@ -161,43 +168,54 @@ domain_use_interactive_fds(pppd_t)
+ files_exec_etc_files(pppd_t)
+ files_manage_etc_runtime_files(pppd_t)
  files_dontaudit_write_etc_files(pppd_t)
++files_read_usr_files(pppd_t)
  
  # for scripts
 -files_read_etc_files(pppd_t)
@@ -46025,7 +46041,7 @@ index bcbf9ac..a7f204b 100644
  ')
  
  optional_policy(`
-@@ -247,21 +264,24 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -247,21 +265,24 @@ allow pptp_t pppd_log_t:file append_file_perms;
  allow pptp_t pptp_log_t:file manage_file_perms;
  logging_log_filetrans(pptp_t, pptp_log_t, file)
  
@@ -46052,7 +46068,7 @@ index bcbf9ac..a7f204b 100644
  corenet_all_recvfrom_netlabel(pptp_t)
  corenet_tcp_sendrecv_generic_if(pptp_t)
  corenet_raw_sendrecv_generic_if(pptp_t)
-@@ -273,7 +293,6 @@ corenet_tcp_connect_generic_port(pptp_t)
+@@ -273,7 +294,6 @@ corenet_tcp_connect_generic_port(pptp_t)
  corenet_tcp_connect_all_reserved_ports(pptp_t)
  corenet_sendrecv_generic_client_packets(pptp_t)
  
@@ -46060,7 +46076,7 @@ index bcbf9ac..a7f204b 100644
  
  fs_getattr_all_fs(pptp_t)
  fs_search_auto_mountpoints(pptp_t)
-@@ -288,8 +307,6 @@ auth_use_nsswitch(pptp_t)
+@@ -288,8 +308,6 @@ auth_use_nsswitch(pptp_t)
  
  logging_send_syslog_msg(pptp_t)
  
@@ -50459,7 +50475,7 @@ index 47c4723..64c8889 100644
 +')
 +
 diff --git a/readahead.te b/readahead.te
-index b4ac57e..dffaad9 100644
+index b4ac57e..81300c8 100644
 --- a/readahead.te
 +++ b/readahead.te
 @@ -16,13 +16,14 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -50499,12 +50515,13 @@ index b4ac57e..dffaad9 100644
  dev_getattr_generic_chr_files(readahead_t)
  dev_getattr_generic_blk_files(readahead_t)
  dev_getattr_all_chr_files(readahead_t)
-@@ -53,10 +59,18 @@ domain_read_all_domains_state(readahead_t)
+@@ -53,10 +59,19 @@ domain_read_all_domains_state(readahead_t)
  
  files_list_non_security(readahead_t)
  files_read_non_security_files(readahead_t)
 +files_dontaudit_read_security_files(readahead_t)
  files_create_boot_flag(readahead_t)
++files_delete_root_files(readahead_t)
  files_getattr_all_pipes(readahead_t)
  files_dontaudit_getattr_all_sockets(readahead_t)
  files_dontaudit_getattr_non_security_blk_files(readahead_t)
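Review bot: `files_delete_root_files(readahead_t)` carries no comment, and judging by the interface name it permits deleting any file labeled `root_t`, not only the `/.readahead` file the commit description cites. A comment above the line such as `# /.readahead may be created before policy load and end up labeled root_t` would record why the wider grant is accepted. If that file can be given its own type, through a named file transition or a relabel at boot, the delete permission could be limited to that type instead. The readahead_t rule list continues outside the hunk.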
@@ -50518,7 +50535,7 @@ index b4ac57e..dffaad9 100644
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
-@@ -66,12 +80,14 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,12 +81,14 @@ fs_read_cgroup_files(readahead_t)
  fs_read_tmpfs_files(readahead_t)
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
@@ -50533,7 +50550,7 @@ index b4ac57e..dffaad9 100644
  
  storage_raw_read_fixed_disk(readahead_t)
  
-@@ -82,13 +98,13 @@ auth_dontaudit_read_shadow(readahead_t)
+@@ -82,13 +99,13 @@ auth_dontaudit_read_shadow(readahead_t)
  init_use_fds(readahead_t)
  init_use_script_ptys(readahead_t)
  init_getattr_initctl(readahead_t)
@@ -50606,10 +50623,10 @@ index 0000000..e38693b
 +')
 diff --git a/realmd.te b/realmd.te
 new file mode 100644
-index 0000000..ef3e11e
+index 0000000..093f2c8
 --- /dev/null
 +++ b/realmd.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,56 @@
 +policy_module(realmd, 1.0.0)
 +
 +########################################
@@ -50626,17 +50643,22 @@ index 0000000..ef3e11e
 +#
 +# realmd local policy
 +#
++corecmd_exec_bin(realmd_t)
 +
-+allow realmd_t self:capability { kill };
++corenet_tcp_connect_http_port(realmd_t)
 +
 +domain_use_interactive_fds(realmd_t)
 +
++dev_read_urand(realmd_t)
++
 +files_read_etc_files(realmd_t)
 +files_read_usr_files(realmd_t)
 +
++auth_use_nsswitch(realmd_t)
++
 +logging_send_syslog_msg(realmd_t)
 +
-+sysnet_read_config(realmd_t)
++sysnet_dns_name_resolve(realmd_t)
 +
 +optional_policy(`
 +	dbus_system_domain(realmd_t, realmd_exec_t)
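Review bot: `corecmd_exec_bin(realmd_t)` and `corenet_tcp_connect_http_port(realmd_t)` are added without any comment, while the commit description mentions only the urandom read for realmd. Executing generic binaries and opening outbound HTTP connections are the two grants in this domain an auditor will question first, so each should carry a reason above it in the form `# needed for <feature>, see <bug or AVC reference>`. `corecmd_exec_bin` is also placed directly under the `# realmd local policy` header, losing the blank line that separated the header from the rules. The next hunk's `gnome_write_generic_cache_files(realmd_t)` is unexplained in the same way.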
@@ -50647,6 +50669,11 @@ index 0000000..ef3e11e
 +')
 +
 +optional_policy(`
++	gnome_read_generic_cache_files(realmd_t)
++	gnome_write_generic_cache_files(realmd_t)
++')
++
++optional_policy(`
 +	samba_domtrans_net(realmd_t)
 +	samba_read_config(realmd_t)
 +')
@@ -51419,7 +51446,7 @@ index de37806..8ed6546 100644
 +	relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
 diff --git a/rhcs.te b/rhcs.te
-index 93c896a..4f499ab 100644
+index 93c896a..79f8185 100644
 --- a/rhcs.te
 +++ b/rhcs.te
 @@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0)
@@ -51550,7 +51577,7 @@ index 93c896a..4f499ab 100644
  ')
  
  optional_policy(`
-@@ -114,13 +158,42 @@ optional_policy(`
+@@ -114,13 +158,46 @@ optional_policy(`
  	lvm_read_config(fenced_t)
  ')
  
@@ -51573,14 +51600,18 @@ index 93c896a..4f499ab 100644
 +
 +dev_read_urand(foghorn_t)
 +
++files_read_etc_files(foghorn_t)
 +files_read_usr_files(foghorn_t)
 +
++sysnet_dns_name_resolve(foghorn_t)
++
 +optional_policy(`
 +        dbus_connect_system_bus(foghorn_t)
 +')
 +
 +optional_policy(`
 +		snmp_read_snmp_var_lib_files(foghorn_t)
++		snmp_dontaudit_write_snmp_var_lib_files(foghorn_t)
 +		snmp_stream_connect(foghorn_t)
 +')
 +
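Review bot: `snmp_dontaudit_write_snmp_var_lib_files(foghorn_t)` silences the denial instead of resolving it, so write attempts by foghorn on the SNMP var-lib files will no longer show up in the audit log. Since that removes a signal someone investigating the domain would rely on, the rule should state why the attempt is harmless, e.g. `# dontaudit: foghorn only needs read access here, because <reason>`. The new line also copies the two-tab indentation of this block, whereas the other `optional_policy` bodies visible in the file use a single tab.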
@@ -51594,7 +51625,7 @@ index 93c896a..4f499ab 100644
  allow gfs_controld_t self:shm create_shm_perms;
  allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
  
-@@ -139,10 +212,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +216,6 @@ storage_getattr_removable_dev(gfs_controld_t)
  init_rw_script_tmp_files(gfs_controld_t)
  
  optional_policy(`
@@ -51605,7 +51636,7 @@ index 93c896a..4f499ab 100644
  	lvm_exec(gfs_controld_t)
  	dev_rw_lvm_control(gfs_controld_t)
  ')
-@@ -154,12 +223,12 @@ optional_policy(`
+@@ -154,12 +227,12 @@ optional_policy(`
  
  allow groupd_t self:capability { sys_nice sys_resource };
  allow groupd_t self:process setsched;
@@ -51620,7 +51651,7 @@ index 93c896a..4f499ab 100644
  
  init_rw_script_tmp_files(groupd_t)
  
-@@ -168,8 +237,7 @@ init_rw_script_tmp_files(groupd_t)
+@@ -168,8 +241,7 @@ init_rw_script_tmp_files(groupd_t)
  # qdiskd local policy
  #
  
@@ -51630,7 +51661,7 @@ index 93c896a..4f499ab 100644
  allow qdiskd_t self:tcp_socket create_stream_socket_perms;
  allow qdiskd_t self:udp_socket create_socket_perms;
  
-@@ -182,7 +250,7 @@ kernel_read_system_state(qdiskd_t)
+@@ -182,7 +254,7 @@ kernel_read_system_state(qdiskd_t)
  kernel_read_software_raid_state(qdiskd_t)
  kernel_getattr_core_if(qdiskd_t)
  
@@ -51639,7 +51670,7 @@ index 93c896a..4f499ab 100644
  corecmd_exec_shell(qdiskd_t)
  
  dev_read_sysfs(qdiskd_t)
-@@ -197,19 +265,14 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
+@@ -197,19 +269,14 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
  
  files_dontaudit_getattr_all_sockets(qdiskd_t)
  files_dontaudit_getattr_all_pipes(qdiskd_t)
@@ -51661,7 +51692,7 @@ index 93c896a..4f499ab 100644
  optional_policy(`
  	netutils_domtrans_ping(qdiskd_t)
  ')
-@@ -223,18 +286,24 @@ optional_policy(`
+@@ -223,18 +290,24 @@ optional_policy(`
  # rhcs domains common policy
  #
  
@@ -54877,7 +54908,7 @@ index 82cb169..9bb5db2 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 905883f..e042b3c 100644
+index 905883f..d93d8ce 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -12,7 +12,7 @@ policy_module(samba, 1.15.0)
@@ -54980,7 +55011,15 @@ index 905883f..e042b3c 100644
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
-@@ -253,6 +263,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -244,6 +254,7 @@ allow smbd_t self:msg { send receive };
+ allow smbd_t self:msgq create_msgq_perms;
+ allow smbd_t self:sem create_sem_perms;
+ allow smbd_t self:shm create_shm_perms;
++allow smbd_t self:key manage_key_perms;
+ allow smbd_t self:sock_file read_sock_file_perms;
+ allow smbd_t self:tcp_socket create_stream_socket_perms;
+ allow smbd_t self:udp_socket create_socket_perms;
+@@ -253,6 +264,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow smbd_t nmbd_t:process { signal signull };
  
  allow smbd_t nmbd_var_run_t:file rw_file_perms;
@@ -54988,7 +55027,7 @@ index 905883f..e042b3c 100644
  
  allow smbd_t samba_etc_t:file { rw_file_perms setattr };
  
-@@ -267,12 +278,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -267,12 +279,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
  manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
  manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -55003,7 +55042,7 @@ index 905883f..e042b3c 100644
  
  allow smbd_t smbcontrol_t:process { signal signull };
  
-@@ -283,7 +295,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -283,7 +296,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
  manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
  manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -55012,7 +55051,7 @@ index 905883f..e042b3c 100644
  
  allow smbd_t swat_t:process signal;
  
-@@ -302,7 +314,6 @@ kernel_read_system_state(smbd_t)
+@@ -302,7 +315,6 @@ kernel_read_system_state(smbd_t)
  corecmd_exec_shell(smbd_t)
  corecmd_exec_bin(smbd_t)
  
@@ -55020,7 +55059,7 @@ index 905883f..e042b3c 100644
  corenet_all_recvfrom_netlabel(smbd_t)
  corenet_tcp_sendrecv_generic_if(smbd_t)
  corenet_udp_sendrecv_generic_if(smbd_t)
-@@ -320,6 +331,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+@@ -320,6 +332,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
  
  dev_read_sysfs(smbd_t)
  dev_read_urand(smbd_t)
@@ -55028,7 +55067,7 @@ index 905883f..e042b3c 100644
  dev_getattr_mtrr_dev(smbd_t)
  dev_dontaudit_getattr_usbfs_dirs(smbd_t)
  # For redhat bug 566984
-@@ -327,26 +339,29 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -327,26 +340,29 @@ dev_getattr_all_blk_files(smbd_t)
  dev_getattr_all_chr_files(smbd_t)
  
  fs_getattr_all_fs(smbd_t)
@@ -55059,7 +55098,7 @@ index 905883f..e042b3c 100644
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -355,9 +370,10 @@ init_rw_utmp(smbd_t)
+@@ -355,9 +371,10 @@ init_rw_utmp(smbd_t)
  logging_search_logs(smbd_t)
  logging_send_syslog_msg(smbd_t)
  
@@ -55071,7 +55110,7 @@ index 905883f..e042b3c 100644
  userdom_use_unpriv_users_fds(smbd_t)
  userdom_search_user_home_content(smbd_t)
  userdom_signal_all_users(smbd_t)
-@@ -372,8 +388,13 @@ ifdef(`hide_broken_symptoms', `
+@@ -372,8 +389,13 @@ ifdef(`hide_broken_symptoms', `
  	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
  ')
  
@@ -55086,7 +55125,7 @@ index 905883f..e042b3c 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -389,12 +410,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -389,12 +411,7 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -55100,7 +55139,7 @@ index 905883f..e042b3c 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -415,6 +431,15 @@ tunable_policy(`samba_share_fusefs',`
+@@ -415,6 +432,15 @@ tunable_policy(`samba_share_fusefs',`
  ')
  
  optional_policy(`
@@ -55116,7 +55155,7 @@ index 905883f..e042b3c 100644
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
  ')
-@@ -426,6 +451,7 @@ optional_policy(`
+@@ -426,6 +452,7 @@ optional_policy(`
  
  optional_policy(`
  	ldap_stream_connect(smbd_t)
@@ -55124,7 +55163,7 @@ index 905883f..e042b3c 100644
  ')
  
  optional_policy(`
-@@ -452,26 +478,26 @@ optional_policy(`
+@@ -452,26 +479,26 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -55163,7 +55202,7 @@ index 905883f..e042b3c 100644
  ########################################
  #
  # nmbd Local policy
-@@ -491,8 +517,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -491,8 +518,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -55176,7 +55215,7 @@ index 905883f..e042b3c 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -501,11 +530,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
+@@ -501,11 +531,13 @@ manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
  manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
  
  manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
@@ -55192,7 +55231,7 @@ index 905883f..e042b3c 100644
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
  kernel_read_kernel_sysctls(nmbd_t)
-@@ -513,7 +544,6 @@ kernel_read_network_state(nmbd_t)
+@@ -513,7 +545,6 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -55200,7 +55239,7 @@ index 905883f..e042b3c 100644
  corenet_all_recvfrom_netlabel(nmbd_t)
  corenet_tcp_sendrecv_generic_if(nmbd_t)
  corenet_udp_sendrecv_generic_if(nmbd_t)
-@@ -536,7 +566,6 @@ fs_search_auto_mountpoints(nmbd_t)
+@@ -536,7 +567,6 @@ fs_search_auto_mountpoints(nmbd_t)
  domain_use_interactive_fds(nmbd_t)
  
  files_read_usr_files(nmbd_t)
@@ -55208,7 +55247,7 @@ index 905883f..e042b3c 100644
  files_list_var_lib(nmbd_t)
  
  auth_use_nsswitch(nmbd_t)
-@@ -544,8 +573,6 @@ auth_use_nsswitch(nmbd_t)
+@@ -544,8 +574,6 @@ auth_use_nsswitch(nmbd_t)
  logging_search_logs(nmbd_t)
  logging_send_syslog_msg(nmbd_t)
  
@@ -55217,7 +55256,7 @@ index 905883f..e042b3c 100644
  userdom_use_unpriv_users_fds(nmbd_t)
  userdom_dontaudit_search_user_home_dirs(nmbd_t)
  
-@@ -562,18 +589,21 @@ optional_policy(`
+@@ -562,18 +590,21 @@ optional_policy(`
  # smbcontrol local policy
  #
  
@@ -55243,7 +55282,7 @@ index 905883f..e042b3c 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -581,11 +611,19 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -581,11 +612,19 @@ samba_read_winbind_pid(smbcontrol_t)
  
  domain_use_interactive_fds(smbcontrol_t)
  
@@ -55266,7 +55305,7 @@ index 905883f..e042b3c 100644
  
  ########################################
  #
-@@ -604,7 +642,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+@@ -604,7 +643,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
  
  can_exec(smbmount_t, smbmount_exec_t)
  
@@ -55275,7 +55314,7 @@ index 905883f..e042b3c 100644
  allow smbmount_t samba_log_t:file manage_file_perms;
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -615,7 +653,6 @@ files_list_var_lib(smbmount_t)
+@@ -615,7 +654,6 @@ files_list_var_lib(smbmount_t)
  
  kernel_read_system_state(smbmount_t)
  
@@ -55283,7 +55322,7 @@ index 905883f..e042b3c 100644
  corenet_all_recvfrom_netlabel(smbmount_t)
  corenet_tcp_sendrecv_generic_if(smbmount_t)
  corenet_raw_sendrecv_generic_if(smbmount_t)
-@@ -645,25 +682,25 @@ files_list_mnt(smbmount_t)
+@@ -645,25 +683,25 @@ files_list_mnt(smbmount_t)
  files_mounton_mnt(smbmount_t)
  files_manage_etc_runtime_files(smbmount_t)
  files_etc_filetrans_etc_runtime(smbmount_t, file)
@@ -55314,7 +55353,7 @@ index 905883f..e042b3c 100644
  ########################################
  #
  # SWAT Local policy
-@@ -684,7 +721,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -684,7 +722,8 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -55324,7 +55363,7 @@ index 905883f..e042b3c 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -699,12 +737,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -699,12 +738,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -55339,7 +55378,7 @@ index 905883f..e042b3c 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -717,6 +757,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -717,6 +758,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -55347,7 +55386,7 @@ index 905883f..e042b3c 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -726,7 +767,6 @@ kernel_read_network_state(swat_t)
+@@ -726,7 +768,6 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -55355,7 +55394,7 @@ index 905883f..e042b3c 100644
  corenet_all_recvfrom_netlabel(swat_t)
  corenet_tcp_sendrecv_generic_if(swat_t)
  corenet_udp_sendrecv_generic_if(swat_t)
-@@ -744,7 +784,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+@@ -744,7 +785,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
  dev_read_urand(swat_t)
  
  files_list_var_lib(swat_t)
@@ -55363,7 +55402,7 @@ index 905883f..e042b3c 100644
  files_search_home(swat_t)
  files_read_usr_files(swat_t)
  fs_getattr_xattr_fs(swat_t)
-@@ -759,7 +798,10 @@ logging_send_syslog_msg(swat_t)
+@@ -759,7 +799,10 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -55375,7 +55414,7 @@ index 905883f..e042b3c 100644
  
  optional_policy(`
  	cups_read_rw_config(swat_t)
-@@ -790,7 +832,8 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -790,7 +833,8 @@ allow winbind_t self:udp_socket create_socket_perms;
  
  allow winbind_t nmbd_t:process { signal signull };
  
@@ -55385,7 +55424,7 @@ index 905883f..e042b3c 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -813,21 +856,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -813,21 +857,24 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -55416,7 +55455,7 @@ index 905883f..e042b3c 100644
  corenet_all_recvfrom_netlabel(winbind_t)
  corenet_tcp_sendrecv_generic_if(winbind_t)
  corenet_udp_sendrecv_generic_if(winbind_t)
-@@ -840,6 +886,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -840,6 +887,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -55424,7 +55463,7 @@ index 905883f..e042b3c 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -855,12 +902,14 @@ auth_manage_cache(winbind_t)
+@@ -855,12 +903,14 @@ auth_manage_cache(winbind_t)
  
  domain_use_interactive_fds(winbind_t)
  
@@ -55441,7 +55480,7 @@ index 905883f..e042b3c 100644
  
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_manage_user_home_content_dirs(winbind_t)
-@@ -871,6 +920,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -871,6 +921,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
  userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
  
  optional_policy(`
@@ -55453,7 +55492,7 @@ index 905883f..e042b3c 100644
  	kerberos_use(winbind_t)
  ')
  
-@@ -909,9 +963,7 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -909,9 +964,7 @@ auth_use_nsswitch(winbind_helper_t)
  
  logging_send_syslog_msg(winbind_helper_t)
  
@@ -55464,7 +55503,7 @@ index 905883f..e042b3c 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -929,19 +981,34 @@ optional_policy(`
+@@ -929,19 +982,34 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -56967,7 +57006,7 @@ index fa24879..3abfdf2 100644
  	ps_process_pattern($1, sblim_reposd_t)
  
 diff --git a/sblim.te b/sblim.te
-index 869f976..7f8830a 100644
+index 869f976..1aa9946 100644
 --- a/sblim.te
 +++ b/sblim.te
 @@ -7,13 +7,9 @@ policy_module(sblim, 1.0.0)
@@ -56995,15 +57034,17 @@ index 869f976..7f8830a 100644
  sysnet_dns_name_resolve(sblim_gatherd_t)
  
  term_getattr_pty_fs(sblim_gatherd_t)
-@@ -64,6 +62,7 @@ optional_policy(`
+@@ -63,7 +61,9 @@ optional_policy(`
+ ')
  
  optional_policy(`
++	virt_read_config(sblim_gatherd_t)
  	virt_stream_connect(sblim_gatherd_t)
 +	virt_getattr_exec(sblim_gatherd_t)
  ')
  
  optional_policy(`
-@@ -81,6 +80,8 @@ domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
+@@ -81,6 +81,8 @@ domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
  corenet_tcp_bind_all_nodes(sblim_reposd_t)
  corenet_tcp_bind_repository_port(sblim_reposd_t)
  
@@ -57012,8 +57053,11 @@ index 869f976..7f8830a 100644
  ######################################
  #
  # sblim_domain local policy
-@@ -93,12 +94,8 @@ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+@@ -91,14 +93,13 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms;
+ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
+ manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
  manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
++files_pid_filetrans(sblim_domain, sblim_var_run_t, { dir file sock_file })
  
  kernel_read_network_state(sblim_domain)
 -kernel_read_system_state(sblim_domain)
@@ -57021,7 +57065,8 @@ index 869f976..7f8830a 100644
  dev_read_sysfs(sblim_domain)
  
 -logging_send_syslog_msg(sblim_domain)
--
++auth_read_passwd(sblim_domain)
+ 
  files_read_etc_files(sblim_domain)
  
 -miscfiles_read_localization(sblim_domain)
@@ -61504,7 +61549,7 @@ index b07ee19..a275bd6 100644
  HOME_DIR/\.local/share/TpLogger(/.*)?		gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
  
 diff --git a/telepathy.if b/telepathy.if
-index f09171e..c91baed 100644
+index f09171e..95a9aa3 100644
 --- a/telepathy.if
 +++ b/telepathy.if
 @@ -11,7 +11,6 @@
@@ -61586,7 +61631,7 @@ index f09171e..c91baed 100644
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
-@@ -179,3 +182,111 @@ interface(`telepathy_salut_stream_connect', `
+@@ -179,3 +182,130 @@ interface(`telepathy_salut_stream_connect', `
  	stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
  	files_search_tmp($1)
  ')
@@ -61698,6 +61743,25 @@ index f09171e..c91baed 100644
 +	gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
 +	gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
 +')
++
++######################################
++## <summary>
++##	Execute telepathy in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`telepathy_exec',`
++	gen_require(`
++		attribute telepathy_executable;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, telepathy_executable)
++')
 diff --git a/telepathy.te b/telepathy.te
 index 964978b..cf85d39 100644
 --- a/telepathy.te
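Review bot: The summary on the new `telepathy_exec` interface does not state its scope: `can_exec($1, telepathy_executable)` applies to every type carrying the `telepathy_executable` attribute and performs no domain transition, so the caller runs those programs with its own domain's permissions. A summary such as `##	Execute all telepathy executables in the caller domain, without a domain transition.` would make that visible to whoever calls the interface next. The changelog gives xdm as the intended caller, so it is worth confirming that running these programs inside xdm's domain, rather than transitioning to the telepathy domains, is what is wanted. Which types carry the attribute is declared outside this hunk.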
@@ -63035,7 +63099,7 @@ index 0000000..a8385bc
 +/var/run/tomcat6?\.pid		--	gen_context(system_u:object_r:tomcat_var_run_t,s0)
 diff --git a/tomcat.if b/tomcat.if
 new file mode 100644
-index 0000000..1c8d314
+index 0000000..226293f
 --- /dev/null
 +++ b/tomcat.if
 @@ -0,0 +1,395 @@
@@ -63063,19 +63127,19 @@ index 0000000..1c8d314
 +	init_daemon_domain($1_t, $1_exec_t)
 +
 +	type $1_cache_t;
-+	files_type(tomcat_cache_t)
++	files_type($1_cache_t)
 +
 +	type $1_log_t;
-+	logging_log_file(tomcat_log_t)
++	logging_log_file($1_log_t)
 +
 +	type $1_var_lib_t;
-+	files_type(tomcat_var_lib_t)
++	files_type($1_var_lib_t)
 +
 +	type $1_var_run_t;
-+	files_pid_file(tomcat_var_run_t)
++	files_pid_file($1_var_run_t)
 +
 +	type $1_tmp_t;
-+	files_tmp_file(tomcat_tmp_t)
++	files_tmp_file($1_tmp_t)
 +
 +	##################################
 +	#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 5ba9e4e..f0a3908 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.1
-Release: 23%{?dist}
+Release: 24%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -521,6 +521,17 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Sep 25 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-24
+- dbus needs to start getty unit files
+- Add interface to allow system_dbusd_t to start the poweroff service
+- xdm wants to exec telepathy apps
+- Allow users to send messages to systemdlogind
+- Additional rules needed for systemd and other boot apps
+- systemd wants to list /home and /boot
+- Allow gkeyringd to write dbus/conf file
+- realmd needs to read /dev/urand
+- Allow readahead to delete /.readahead if labeled root_t, might get created before policy is loaded
+
 * Thu Sep 20 2012 Miroslav Grepl <mgreplh at redhat.com> 3.11.1-23
 - Fixes to safe more rules
 - Re-write tomcat_domain_template()

