[selinux-policy/f17] * Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-112 - upowered needs to setsched on the

Miroslav Grepl mgrepl at fedoraproject.org
Tue Apr 10 10:10:00 UTC 2012


commit 571c88df1bcf38a08af1a094bf68550234f831b7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Apr 10 12:09:47 2012 +0200

    * Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-112
    - upowered needs to setsched on the kernel
    - Allow mpd_t to manage log files
    - Allow xdm_t to create /var/run/systemd/multi-session-x
    - Add rules for missfont.log to be used by thumb.fc
    - Additional access required for virt_qmf_t
    - Allow dhclient to dbus chat with the firewalld
    - Add label for lvmetad
    - Allow systemd_logind_t to remove userdomain sock_files
    - Allow cups to execute usr_t files
    - Fix labeling on nvidia shared libraries
    - wdmd_t needs access to sssd and /etc/passwd
    - Add boolean to allow ftp servers to run in passive mode
    - Allow namespace_init_t to relabelto/from a different user system_u from t
    - Fix using httpd_use_fusefs
    - Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it

 policy-F16.patch    |  345 ++++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |   19 +++-
 2 files changed, 249 insertions(+), 115 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 8e93f9c..aa998e5 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -67442,10 +67442,10 @@ index 0000000..8d7c751
 +')
 diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te
 new file mode 100644
-index 0000000..5ddf179
+index 0000000..2f7149c
 --- /dev/null
 +++ b/policy/modules/apps/namespace.te
-@@ -0,0 +1,44 @@
+@@ -0,0 +1,45 @@
 +policy_module(namespace,1.0.0)
 +
 +########################################
@@ -67473,6 +67473,7 @@ index 0000000..5ddf179
 +corecmd_exec_shell(namespace_init_t)
 +
 +domain_use_interactive_fds(namespace_init_t)
++domain_obj_id_change_exemption(namespace_init_t)
 +
 +files_read_etc_files(namespace_init_t)
 +files_polyinstantiate_all(namespace_init_t)
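Review bot: `domain_obj_id_change_exemption(namespace_init_t)` is added with no comment explaining why this domain may change the SELinux user identity of objects, which is an exemption a later policy audit will question. The changelog gives the reason (relabelto/from between system_u and the user's identity), presumably for the directories that `files_polyinstantiate_all` sets up, so carry it into the policy as a line above the rule: `# relabel polyinstantiated content between system_u and the user identity — TODO confirm which paths`. The namespace_init_t block continues outside the hunk.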
@@ -70572,11 +70573,12 @@ index 2533ea0..92f0ecb 100644
 +')
 diff --git a/policy/modules/apps/thumb.fc b/policy/modules/apps/thumb.fc
 new file mode 100644
-index 0000000..930fa33
+index 0000000..3a7c395
 --- /dev/null
 +++ b/policy/modules/apps/thumb.fc
-@@ -0,0 +1,14 @@
+@@ -0,0 +1,15 @@
 +HOME_DIR/\.thumbnails(/.*)?			gen_context(system_u:object_r:thumb_home_t,s0)
++HOME_DIR/missfont\.log				gen_context(system_u:object_r:thumb_home_t,s0)
 +
 +/usr/bin/evince-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 +/usr/bin/gsf-office-thumbnailer		--	gen_context(system_u:object_r:thumb_exec_t,s0)
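Review bot: The new `HOME_DIR/missfont\.log` entry has no file-type field, so it also matches a directory or symlink of that name on relabel, while the matching rule in thumb.te is a transition for class `file` and the sibling executable entries restrict themselves with `--`. The narrower, consistent form is `HOME_DIR/missfont\.log	--	gen_context(system_u:object_r:thumb_home_t,s0)`. The rest of thumb.fc is outside the hunk.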
@@ -70592,10 +70594,10 @@ index 0000000..930fa33
 +/usr/lib/tumbler[^/]*/tumblerd		--	gen_context(system_u:object_r:thumb_exec_t,s0)
 diff --git a/policy/modules/apps/thumb.if b/policy/modules/apps/thumb.if
 new file mode 100644
-index 0000000..79515db
+index 0000000..9127cec
 --- /dev/null
 +++ b/policy/modules/apps/thumb.if
-@@ -0,0 +1,103 @@
+@@ -0,0 +1,125 @@
 +
 +## <summary>policy for thumb</summary>
 +
@@ -70677,6 +70679,7 @@ index 0000000..79515db
 +
 +	allow $2 thumb_t:dbus send_msg;
 +	allow thumb_t $2:dbus send_msg;
++	thumb_filetrans_home_content($2)
 +')
 +
 +########################################
@@ -70699,12 +70702,33 @@ index 0000000..79515db
 +        allow $1 thumb_t:dbus send_msg;
 +        allow thumb_t $1:dbus send_msg;
 +')
++
++########################################
++## <summary>
++##	Create thumb content in the user home directory
++##	with an correct label.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`thumb_filetrans_home_content',`
++
++	gen_require(`
++		type thumb_home_t;
++	')
++
++	userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
++	userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
++')
 diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
 new file mode 100644
-index 0000000..95befd6
+index 0000000..62dd2ef
 --- /dev/null
 +++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,96 @@
+@@ -0,0 +1,97 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
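Review bot: The summary of the new `thumb_filetrans_home_content` interface reads `with an correct label`; this text is what the interface documentation renders, so change it to `##	with the correct label.`. Stylistically the body opens with a blank line before `gen_require`, which the interface directly above it does not do, so drop it to keep the file consistent. Since domain.te grants this interface to unconfined_domain_type in a later hunk, the `missfont.log` transition now applies to every unconfined process creating that name in a home directory; that seems intended, as thumb_t manages thumb_home_t, but it is worth saying in the summary.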
@@ -70744,6 +70768,7 @@ index 0000000..95befd6
 +manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
 +manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
 +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
++userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
 +
 +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
 +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
@@ -75575,7 +75600,7 @@ index 6a1e4d1..ffaa90a 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..d8ec4d2 100644
+index fae1ab1..6d455ba 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -75676,7 +75701,7 @@ index fae1ab1..d8ec4d2 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,252 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,256 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -75799,6 +75824,10 @@ index fae1ab1..d8ec4d2 100644
 +')
 +
 +optional_policy(`
++	thumb_filetrans_home_content(unconfined_domain_type)
++')
++
++optional_policy(`
 +	userdom_user_home_dir_filetrans_user_home_content(unconfined_domain_type, { dir file lnk_file fifo_file sock_file })
 +	userdom_filetrans_home_content(unconfined_domain_type)
 +')
@@ -95973,7 +96002,7 @@ index 305ddf4..4d70951 100644
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..c50598f 100644
+index 0f28095..a1527a7 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -96042,7 +96071,7 @@ index 0f28095..c50598f 100644
  term_use_unallocated_ttys(cupsd_t)
  term_search_ptys(cupsd_t)
  
-@@ -220,6 +228,7 @@ corecmd_exec_bin(cupsd_t)
+@@ -220,11 +228,13 @@ corecmd_exec_bin(cupsd_t)
  
  domain_use_interactive_fds(cupsd_t)
  
@@ -96050,7 +96079,13 @@ index 0f28095..c50598f 100644
  files_list_spool(cupsd_t)
  files_read_etc_files(cupsd_t)
  files_read_etc_runtime_files(cupsd_t)
-@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t)
+ # read python modules
+ files_read_usr_files(cupsd_t)
++files_exec_usr_files(cupsd_t)
+ # for /var/lib/defoma
+ files_read_var_lib_files(cupsd_t)
+ files_list_world_readable(cupsd_t)
+@@ -270,12 +280,6 @@ files_dontaudit_list_home(cupsd_t)
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_user_home_content(cupsd_t)
  
@@ -96063,7 +96098,7 @@ index 0f28095..c50598f 100644
  optional_policy(`
  	apm_domtrans_client(cupsd_t)
  ')
-@@ -287,6 +290,8 @@ optional_policy(`
+@@ -287,6 +291,8 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(cupsd_t)
  
@@ -96072,7 +96107,7 @@ index 0f28095..c50598f 100644
  	userdom_dbus_send_all_users(cupsd_t)
  
  	optional_policy(`
-@@ -297,8 +302,10 @@ optional_policy(`
+@@ -297,8 +303,10 @@ optional_policy(`
  		hal_dbus_chat(cupsd_t)
  	')
  
@@ -96083,7 +96118,7 @@ index 0f28095..c50598f 100644
  	')
  ')
  
-@@ -311,10 +318,22 @@ optional_policy(`
+@@ -311,10 +319,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96106,7 +96141,7 @@ index 0f28095..c50598f 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -322,6 +341,8 @@ optional_policy(`
+@@ -322,6 +342,8 @@ optional_policy(`
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
@@ -96115,7 +96150,7 @@ index 0f28095..c50598f 100644
  ')
  
  optional_policy(`
-@@ -371,8 +392,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -96126,7 +96161,7 @@ index 0f28095..c50598f 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -393,6 +415,10 @@ dev_read_sysfs(cupsd_config_t)
+@@ -393,6 +416,10 @@ dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
  dev_rw_generic_usb_dev(cupsd_config_t)
@@ -96137,7 +96172,7 @@ index 0f28095..c50598f 100644
  
  files_search_all_mountpoints(cupsd_config_t)
  
-@@ -425,11 +451,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +452,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -96151,7 +96186,7 @@ index 0f28095..c50598f 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +479,10 @@ optional_policy(`
+@@ -453,6 +480,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96162,7 +96197,7 @@ index 0f28095..c50598f 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +497,10 @@ optional_policy(`
+@@ -467,6 +498,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -96173,7 +96208,7 @@ index 0f28095..c50598f 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -537,6 +571,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +572,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
  corenet_tcp_bind_generic_node(cupsd_lpd_t)
  corenet_udp_bind_generic_node(cupsd_lpd_t)
  corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -96181,7 +96216,7 @@ index 0f28095..c50598f 100644
  
  dev_read_urand(cupsd_lpd_t)
  dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +622,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +623,22 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -96214,7 +96249,7 @@ index 0f28095..c50598f 100644
  ')
  
  ########################################
-@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -96223,7 +96258,7 @@ index 0f28095..c50598f 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +719,9 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +720,9 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -96233,7 +96268,7 @@ index 0f28095..c50598f 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +733,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +734,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -97658,7 +97693,7 @@ index f706b99..d41e4fe 100644
 +	#logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
  ')
 diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
-index f231f17..f5e84bd 100644
+index f231f17..fb64f1d 100644
 --- a/policy/modules/services/devicekit.te
 +++ b/policy/modules/services/devicekit.te
 @@ -16,6 +16,7 @@ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
@@ -97750,7 +97785,7 @@ index f231f17..f5e84bd 100644
  
  optional_policy(`
  	dbus_system_bus_client(devicekit_disk_t)
-@@ -178,55 +194,84 @@ optional_policy(`
+@@ -178,55 +194,85 @@ optional_policy(`
  	virt_manage_images(devicekit_disk_t)
  ')
  
@@ -97799,6 +97834,7 @@ index f231f17..f5e84bd 100644
 +kernel_rw_vm_sysctls(devicekit_power_t)
  kernel_search_debugfs(devicekit_power_t)
  kernel_write_proc_files(devicekit_power_t)
++kernel_setsched(devicekit_power_t)
  
  corecmd_exec_bin(devicekit_power_t)
  corecmd_exec_shell(devicekit_power_t)
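Review bot: `kernel_setsched(devicekit_power_t)` allows setsched on kernel_t processes, and changing another process's scheduling typically also requires the `sys_nice` capability on the domain; the hunk does not show that capability, so confirm it is already in the devicekit_power_t self:capability rule outside this hunk, otherwise the denial just moves there. A short comment tying the rule to its reason, `# upowerd needs setsched on kernel threads (see 3.10.0-112 changelog)`, would help the next reader. The devicekit_power_t block continues outside the hunk.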
@@ -97840,7 +97876,7 @@ index f231f17..f5e84bd 100644
  
  userdom_read_all_users_state(devicekit_power_t)
  
-@@ -235,7 +280,12 @@ optional_policy(`
+@@ -235,7 +281,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -97853,7 +97889,7 @@ index f231f17..f5e84bd 100644
  ')
  
  optional_policy(`
-@@ -261,14 +311,21 @@ optional_policy(`
+@@ -261,14 +312,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -97876,7 +97912,7 @@ index f231f17..f5e84bd 100644
  	policykit_dbus_chat(devicekit_power_t)
  	policykit_domtrans_auth(devicekit_power_t)
  	policykit_read_lib(devicekit_power_t)
-@@ -276,9 +333,30 @@ optional_policy(`
+@@ -276,9 +334,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -101218,10 +101254,10 @@ index 0000000..b468a30
 +/var/run/firewalld\.pid			--	gen_context(system_u:object_r:firewalld_var_run_t,s0)
 diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
 new file mode 100644
-index 0000000..62acfff
+index 0000000..c4c7510
 --- /dev/null
 +++ b/policy/modules/services/firewalld.if
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,130 @@
 +## <summary>policy for firewalld</summary>
 +
 +########################################
@@ -101286,6 +101322,27 @@ index 0000000..62acfff
 +
 +########################################
 +## <summary>
++##	Send and receive messages from
++##	firewalld over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`firewalld_dbus_chat',`
++	gen_require(`
++		type firewalld_t;
++		class dbus send_msg;
++	')
++
++	allow $1 firewalld_t:dbus send_msg;
++	allow firewalld_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate
 +##	an firewalld environment
 +## </summary>
@@ -101587,10 +101644,10 @@ index 9d3201b..6e75e3d 100644
 +	allow $1 ftpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
-index 8a74a83..c183d8c 100644
+index 8a74a83..14b822a 100644
 --- a/policy/modules/services/ftp.te
 +++ b/policy/modules/services/ftp.te
-@@ -40,6 +40,20 @@ gen_tunable(allow_ftpd_use_nfs, false)
+@@ -40,6 +40,27 @@ gen_tunable(allow_ftpd_use_nfs, false)
  
  ## <desc>
  ## <p>
@@ -101601,6 +101658,13 @@ index 8a74a83..c183d8c 100644
 +
 +## <desc>
 +## <p>
++## Allow ftp servers to use bind to all unreserved ports for passive mode
++## </p>
++## </desc>
++gen_tunable(ftpd_use_passive_mode, false)
++
++## <desc>
++## <p>
 +## Allow ftp servers to connect to all ports > 1023
 +## </p>
 +## </desc>
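Review bot: The description of the new `ftpd_use_passive_mode` tunable reads `Allow ftp servers to use bind to all unreserved ports for passive mode`; this text is what administrators see in the boolean tooling, so fix the grammar to `## Allow ftp servers to bind to all unreserved ports for passive mode`. The tunable_policy block that consumes the boolean is in a later hunk of ftp.te.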
@@ -101611,7 +101675,7 @@ index 8a74a83..c183d8c 100644
  ## Allow ftp to read and write files in the user home directories
  ## </p>
  ## </desc>
-@@ -48,7 +62,7 @@ gen_tunable(ftp_home_dir, false)
+@@ -48,7 +69,7 @@ gen_tunable(ftp_home_dir, false)
  ## <desc>
  ## <p>
  ## Allow anon internal-sftp to upload files, used for
@@ -101620,7 +101684,7 @@ index 8a74a83..c183d8c 100644
  ## public_content_rw_t.
  ## </p>
  ## </desc>
-@@ -70,6 +84,14 @@ gen_tunable(sftpd_enable_homedirs, false)
+@@ -70,6 +91,14 @@ gen_tunable(sftpd_enable_homedirs, false)
  ## </desc>
  gen_tunable(sftpd_full_access, false)
  
@@ -101635,7 +101699,7 @@ index 8a74a83..c183d8c 100644
  type anon_sftpd_t;
  typealias anon_sftpd_t alias sftpd_anon_t;
  domain_type(anon_sftpd_t)
-@@ -85,6 +107,9 @@ files_config_file(ftpd_etc_t)
+@@ -85,6 +114,9 @@ files_config_file(ftpd_etc_t)
  type ftpd_initrc_exec_t;
  init_script_file(ftpd_initrc_exec_t)
  
@@ -101645,7 +101709,7 @@ index 8a74a83..c183d8c 100644
  type ftpd_lock_t;
  files_lock_file(ftpd_lock_t)
  
-@@ -115,6 +140,10 @@ ifdef(`enable_mcs',`
+@@ -115,6 +147,10 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -101656,7 +101720,7 @@ index 8a74a83..c183d8c 100644
  ########################################
  #
  # anon-sftp local policy
-@@ -122,6 +151,7 @@ ifdef(`enable_mcs',`
+@@ -122,6 +158,7 @@ ifdef(`enable_mcs',`
  
  files_read_etc_files(anon_sftpd_t)
  
@@ -101664,7 +101728,7 @@ index 8a74a83..c183d8c 100644
  miscfiles_read_public_files(anon_sftpd_t)
  
  tunable_policy(`sftpd_anon_write',`
-@@ -133,7 +163,7 @@ tunable_policy(`sftpd_anon_write',`
+@@ -133,7 +170,7 @@ tunable_policy(`sftpd_anon_write',`
  # ftpd local policy
  #
  
@@ -101673,7 +101737,7 @@ index 8a74a83..c183d8c 100644
  dontaudit ftpd_t self:capability sys_tty_config;
  allow ftpd_t self:process { getcap getpgid setcap setsched setrlimit signal_perms };
  allow ftpd_t self:fifo_file rw_fifo_file_perms;
-@@ -151,7 +181,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
+@@ -151,7 +188,6 @@ files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
  
  manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
  manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
@@ -101681,7 +101745,7 @@ index 8a74a83..c183d8c 100644
  
  manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
  manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -163,13 +192,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
+@@ -163,13 +199,13 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
  manage_dirs_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
  manage_sock_files_pattern(ftpd_t, ftpd_var_run_t, ftpd_var_run_t)
@@ -101697,7 +101761,7 @@ index 8a74a83..c183d8c 100644
  
  # Create and modify /var/log/xferlog.
  manage_files_pattern(ftpd_t, xferlog_t, xferlog_t)
-@@ -177,7 +206,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -177,7 +213,7 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
  
  kernel_read_kernel_sysctls(ftpd_t)
  kernel_read_system_state(ftpd_t)
@@ -101706,7 +101770,7 @@ index 8a74a83..c183d8c 100644
  
  dev_read_sysfs(ftpd_t)
  dev_read_urand(ftpd_t)
-@@ -196,9 +225,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
+@@ -196,9 +232,8 @@ corenet_tcp_bind_generic_node(ftpd_t)
  corenet_tcp_bind_ftp_port(ftpd_t)
  corenet_tcp_bind_ftp_data_port(ftpd_t)
  corenet_tcp_bind_generic_port(ftpd_t)
@@ -101718,7 +101782,7 @@ index 8a74a83..c183d8c 100644
  corenet_sendrecv_ftp_server_packets(ftpd_t)
  
  domain_use_interactive_fds(ftpd_t)
-@@ -212,13 +240,11 @@ fs_search_auto_mountpoints(ftpd_t)
+@@ -212,13 +247,11 @@ fs_search_auto_mountpoints(ftpd_t)
  fs_getattr_all_fs(ftpd_t)
  fs_search_fusefs(ftpd_t)
  
@@ -101734,7 +101798,7 @@ index 8a74a83..c183d8c 100644
  
  init_rw_utmp(ftpd_t)
  
-@@ -261,7 +287,11 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
+@@ -261,7 +294,15 @@ tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
  
  tunable_policy(`allow_ftpd_full_access',`
  	allow ftpd_t self:capability { dac_override dac_read_search };
@@ -101742,12 +101806,16 @@ index 8a74a83..c183d8c 100644
 +	files_manage_non_security_files(ftpd_t)
 +')
 +
++tunable_policy(`ftpd_use_passive_mode',`
++	corenet_tcp_bind_all_unreserved_ports(ftpd_t)
++')
++
 +tunable_policy(`ftpd_connect_all_unreserved',`
 +	corenet_tcp_connect_all_unreserved_ports(ftpd_t)
  ')
  
  tunable_policy(`ftp_home_dir',`
-@@ -270,10 +300,13 @@ tunable_policy(`ftp_home_dir',`
+@@ -270,10 +311,13 @@ tunable_policy(`ftp_home_dir',`
  	# allow access to /home
  	files_list_home(ftpd_t)
  	userdom_read_user_home_content_files(ftpd_t)
@@ -101765,7 +101833,7 @@ index 8a74a83..c183d8c 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,6 +342,10 @@ optional_policy(`
+@@ -309,6 +353,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -101776,7 +101844,7 @@ index 8a74a83..c183d8c 100644
  	selinux_validate_context(ftpd_t)
  
  	kerberos_keytab_template(ftpd, ftpd_t)
-@@ -316,6 +353,25 @@ optional_policy(`
+@@ -316,6 +364,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -101802,7 +101870,7 @@ index 8a74a83..c183d8c 100644
  	inetd_tcp_service_domain(ftpd_t, ftpd_exec_t)
  
  	optional_policy(`
-@@ -347,16 +403,17 @@ optional_policy(`
+@@ -347,16 +414,17 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -101822,7 +101890,7 @@ index 8a74a83..c183d8c 100644
  
  ########################################
  #
-@@ -365,18 +422,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +433,33 @@ userdom_use_user_terminals(ftpdctl_t)
  
  files_read_etc_files(sftpd_t)
  
@@ -101859,7 +101927,7 @@ index 8a74a83..c183d8c 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +466,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +477,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -108682,6 +108750,16 @@ index 83f002c..fa8a3d5 100644
  
  corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
  corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
+diff --git a/policy/modules/services/mpd.fc b/policy/modules/services/mpd.fc
+index ddc14d6..c74bf3d 100644
+--- a/policy/modules/services/mpd.fc
++++ b/policy/modules/services/mpd.fc
+@@ -6,3 +6,5 @@
+ /var/lib/mpd(/.*)?		gen_context(system_u:object_r:mpd_var_lib_t,s0)
+ /var/lib/mpd/music(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
+ /var/lib/mpd/playlists(/.*)?	gen_context(system_u:object_r:mpd_data_t,s0)
++
++/var/log/mpd(/.*)?		gen_context(system_u:object_r:mpd_log_t,s0)
 diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if
 index d72276f..cb8c563 100644
 --- a/policy/modules/services/mpd.if
@@ -108700,7 +108778,7 @@ index d72276f..cb8c563 100644
  	mpd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
-index 7f68872..36ff69d 100644
+index 7f68872..72c1f8a 100644
 --- a/policy/modules/services/mpd.te
 +++ b/policy/modules/services/mpd.te
 @@ -44,6 +44,9 @@ allow mpd_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -108713,7 +108791,18 @@ index 7f68872..36ff69d 100644
  
  manage_dirs_pattern(mpd_t, mpd_data_t, mpd_data_t)
  manage_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
-@@ -103,6 +106,10 @@ logging_send_syslog_msg(mpd_t)
+@@ -51,6 +54,10 @@ manage_lnk_files_pattern(mpd_t, mpd_data_t, mpd_data_t)
+ 
+ read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
+ 
++manage_dirs_pattern(mpd_t, mpd_log_t, mpd_log_t)
++manage_files_pattern(mpd_t, mpd_log_t, mpd_log_t)
++logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })
++
+ manage_dirs_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+ manage_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+ manage_sock_files_pattern(mpd_t, mpd_tmp_t, mpd_tmp_t)
+@@ -103,6 +110,10 @@ logging_send_syslog_msg(mpd_t)
  
  miscfiles_read_localization(mpd_t)
  
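Review bot: `logging_log_filetrans(mpd_t, mpd_log_t, { dir file lnk_file })` includes lnk_file in the transition class set, but the two lines above grant only `manage_dirs_pattern` and `manage_files_pattern` on mpd_log_t, so mpd_t cannot create a symlink there and that part of the transition is dead; either drop it, `logging_log_filetrans(mpd_t, mpd_log_t, { dir file })`, or add `manage_lnk_files_pattern(mpd_t, mpd_log_t, mpd_log_t)`. The unnamed transition also labels anything mpd_t creates directly under /var/log as mpd_log_t, whereas mpd.fc in this patch only labels `/var/log/mpd(/.*)?`; a named transition `logging_log_filetrans(mpd_t, mpd_log_t, dir, "mpd")` matches the file context more tightly. The declaration of mpd_log_t is presumably in the `@@ -44,6 +44,9` hunk, which is not shown here.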
@@ -108724,7 +108813,7 @@ index 7f68872..36ff69d 100644
  optional_policy(`
  	alsa_read_rw_config(mpd_t)
  ')
-@@ -122,5 +129,14 @@ optional_policy(`
+@@ -122,5 +133,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -130426,7 +130515,7 @@ index 7c5d8d8..c542fe7 100644
 +')
 +
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..794917a 100644
+index 3eca020..9386b72 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.0)
@@ -131001,7 +131090,7 @@ index 3eca020..794917a 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,25 +645,393 @@ files_search_all(virt_domain)
+@@ -440,25 +645,396 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -131361,11 +131450,14 @@ index 3eca020..794917a 100644
 +#
 +# virt_qmf local policy
 +#
-+allow virt_qmf_t self:process signal;
++allow virt_qmf_t self:capability { sys_nice sys_tty_config };
++allow virt_qmf_t self:process { setsched signal };
 +allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
 +allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
 +allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
++allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
 +
++kernel_read_system_state(virt_qmf_t)
 +kernel_read_network_state(virt_qmf_t)
 +
 +dev_list_sysfs(virt_qmf_t)
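Review bot: `allow virt_qmf_t self:capability { sys_nice sys_tty_config };` grants sys_tty_config, which other daemon domains in this same patch handle with a dontaudit (ftp.te has `dontaudit ftpd_t self:capability sys_tty_config;`), because daemons usually trip it through harmless tty ioctls rather than needing it. Unless virt-qmf genuinely configures ttys, split the rule into `allow virt_qmf_t self:capability sys_nice;` and `dontaudit virt_qmf_t self:capability sys_tty_config;`. The virt_qmf_t block continues outside the hunk.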
@@ -131624,10 +131716,10 @@ index 0000000..8e3570d
 +')
 diff --git a/policy/modules/services/wdmd.te b/policy/modules/services/wdmd.te
 new file mode 100644
-index 0000000..c0f3e2f
+index 0000000..b6db3b3
 --- /dev/null
 +++ b/policy/modules/services/wdmd.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,47 @@
 +policy_module(wdmd,1.0.0)
 +
 +########################################
@@ -131670,6 +131762,8 @@ index 0000000..c0f3e2f
 +
 +fs_read_anon_inodefs_files(wdmd_t)
 +
++auth_use_nsswitch(wdmd_t)
++
 +logging_send_syslog_msg(wdmd_t)
 +
 +miscfiles_read_localization(wdmd_t)
@@ -131684,7 +131778,7 @@ index aa6e5a8..42a0efb 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 4966c94..44a9ef5 100644
+index 4966c94..bc7b581 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,34 @@
@@ -131787,7 +131881,7 @@ index 4966c94..44a9ef5 100644
  
  /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
-@@ -90,17 +115,44 @@ ifdef(`distro_debian', `
+@@ -90,17 +115,45 @@ ifdef(`distro_debian', `
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -131825,6 +131919,7 @@ index 4966c94..44a9ef5 100644
 +
 +/var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
 +/var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
++/var/run/systemd/multi-session-x(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
  
  ifdef(`distro_suse',`
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
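Review bot: The new `/var/run/systemd/multi-session-x(/.*)?` entry is appended after `/var/run/xorg(/.*)?`, breaking the sorted order the neighbouring entries keep (`video.rom`, `xorg`), and its gen_context column is not aligned with them; move it above `/var/run/video.rom` and align it. Labeling a path under /var/run/systemd from xserver.fc is presumably deliberate, as the matching `init_pid_filetrans` in xserver.te creates that directory, but a trailing comment saying so would save the next reader a search.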
@@ -133072,7 +133167,7 @@ index 130ced9..4a0455e 100644
 +	userdom_admin_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 143c893..b0f5722 100644
+index 143c893..2659b5c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -133610,7 +133705,7 @@ index 143c893..b0f5722 100644
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -446,28 +610,37 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -446,28 +610,38 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -133635,6 +133730,7 @@ index 143c893..b0f5722 100644
  # Run telinit->init to shutdown.
  init_telinit(xdm_t)
 +init_dbus_chat(xdm_t)
++init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
  
  libs_exec_lib_files(xdm_t)
  
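Review bot: `init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")` is inserted under the `# Run telinit->init to shutdown.` comment, which does not describe it; give it its own comment, `# creates /var/run/systemd/multi-session-x (labeled in xserver.fc)`. Other interfaces in this patch already take a filename argument, so init_pid_filetrans presumably does too in this tree; confirm it, since an m4 interface without the fourth parameter would silently ignore the name and turn this into an unnamed transition for every directory xdm_t creates under the init pid dir. The xdm_t block continues outside the hunk.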
@@ -133651,7 +133747,7 @@ index 143c893..b0f5722 100644
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -476,24 +649,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -476,24 +650,43 @@ userdom_read_user_home_content_files(xdm_t)
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -133701,7 +133797,7 @@ index 143c893..b0f5722 100644
  tunable_policy(`xdm_sysadm_login',`
  	userdom_xsession_spec_domtrans_all_users(xdm_t)
  	# FIXME:
-@@ -507,11 +699,21 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -507,11 +700,21 @@ tunable_policy(`xdm_sysadm_login',`
  ')
  
  optional_policy(`
@@ -133723,7 +133819,7 @@ index 143c893..b0f5722 100644
  ')
  
  optional_policy(`
-@@ -519,12 +721,63 @@ optional_policy(`
+@@ -519,12 +722,63 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -133787,7 +133883,7 @@ index 143c893..b0f5722 100644
  	hostname_exec(xdm_t)
  ')
  
-@@ -542,28 +795,69 @@ optional_policy(`
+@@ -542,28 +796,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -133866,7 +133962,7 @@ index 143c893..b0f5722 100644
  ')
  
  optional_policy(`
-@@ -575,6 +869,14 @@ optional_policy(`
+@@ -575,6 +870,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -133881,7 +133977,7 @@ index 143c893..b0f5722 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -599,7 +901,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -599,7 +902,8 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -133891,7 +133987,7 @@ index 143c893..b0f5722 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -613,8 +916,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -613,8 +917,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -133907,7 +134003,7 @@ index 143c893..b0f5722 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -633,12 +943,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -633,12 +944,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -133929,7 +134025,7 @@ index 143c893..b0f5722 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -646,6 +963,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -646,6 +964,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -133937,7 +134033,7 @@ index 143c893..b0f5722 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -672,21 +990,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -672,21 +991,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -133968,7 +134064,7 @@ index 143c893..b0f5722 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -697,8 +1022,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -697,8 +1023,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -133982,7 +134078,7 @@ index 143c893..b0f5722 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -711,8 +1041,6 @@ init_getpgid(xserver_t)
+@@ -711,8 +1042,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -133991,7 +134087,7 @@ index 143c893..b0f5722 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -720,11 +1048,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -720,11 +1049,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -134006,7 +134102,7 @@ index 143c893..b0f5722 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -778,16 +1107,40 @@ optional_policy(`
+@@ -778,16 +1108,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134048,7 +134144,7 @@ index 143c893..b0f5722 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -796,6 +1149,10 @@ optional_policy(`
+@@ -796,6 +1150,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -134059,7 +134155,7 @@ index 143c893..b0f5722 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -811,10 +1168,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -811,10 +1169,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -134073,7 +134169,7 @@ index 143c893..b0f5722 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -822,7 +1179,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -822,7 +1180,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -134082,7 +134178,7 @@ index 143c893..b0f5722 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -835,26 +1192,21 @@ init_use_fds(xserver_t)
+@@ -835,26 +1193,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -134117,7 +134213,7 @@ index 143c893..b0f5722 100644
  ')
  
  optional_policy(`
-@@ -862,6 +1214,10 @@ optional_policy(`
+@@ -862,6 +1215,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -134128,7 +134224,7 @@ index 143c893..b0f5722 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -905,7 +1261,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -905,7 +1262,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -134137,7 +134233,7 @@ index 143c893..b0f5722 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -959,11 +1315,31 @@ allow x_domain self:x_resource { read write };
+@@ -959,11 +1316,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -134169,7 +134265,7 @@ index 143c893..b0f5722 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -985,18 +1361,31 @@ tunable_policy(`! xserver_object_manager',`
+@@ -985,18 +1362,31 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -139385,7 +139481,7 @@ index ddbd8be..fad18e0 100644
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 560dc48..75a2fbd 100644
+index 560dc48..989999b 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -28,26 +28,24 @@ ifdef(`distro_redhat',`
@@ -139419,9 +139515,12 @@ index 560dc48..75a2fbd 100644
  ')
  
  ifdef(`distro_gentoo',`
-@@ -62,7 +60,6 @@ ifdef(`distro_gentoo',`
+@@ -60,9 +58,8 @@ ifdef(`distro_gentoo',`
+ #
+ # /opt
  #
- /opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
+-/opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
++/opt/.*\.so(\.[^/]*)*				gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
 -/opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
@@ -139440,7 +139539,7 @@ index 560dc48..75a2fbd 100644
  /usr/(.*/)?/HelixPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(.*/)?/RealPlayer/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -119,64 +122,62 @@ ifdef(`distro_redhat',`
+@@ -119,64 +122,63 @@ ifdef(`distro_redhat',`
  /usr/(.*/)?java/.+\.jsa			--	gen_context(system_u:object_r:lib_t,s0)
  
  /usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
@@ -139507,6 +139606,7 @@ index 560dc48..75a2fbd 100644
 +/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
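Review bot: The new `/usr/lib/nvidia/` entry ends in `(\..*)?`, which unlike the `(\.[^/]*)*` suffix on every neighbouring line lets the match run across `/`, so a regular file beneath a directory whose name contains `.so.` (constructed example: `/usr/lib/nvidia/x.so.d/anything`) would also receive textrel_shlib_t, the type used for libraries that need text relocations (execmod), and that label should be kept as tight as the rest of this table. Suggest `/usr/lib/nvidia/.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)` so the suffix form matches its siblings. The `--` qualifier already limits the entry to regular files, which bounds the exposure but does not remove it.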
@@ -139539,7 +139639,7 @@ index 560dc48..75a2fbd 100644
  ')
  
  ifdef(`distro_gentoo',`
-@@ -195,7 +196,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -195,7 +197,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/allegro/(.*/)?alleg-vga\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -139547,7 +139647,7 @@ index 560dc48..75a2fbd 100644
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -203,86 +203,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+@@ -203,86 +204,87 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/VBoxVMM\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -139692,7 +139792,7 @@ index 560dc48..75a2fbd 100644
  
  /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -303,8 +304,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -303,8 +305,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -139702,7 +139802,7 @@ index 560dc48..75a2fbd 100644
  ') dnl end distro_redhat
  
  #
-@@ -312,17 +312,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -312,17 +313,156 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -140980,10 +141080,10 @@ index b6ec597..9c495b2 100644
  
  optional_policy(`
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..1121047 100644
+index 879bb1e..63893d1 100644
 --- a/policy/modules/system/lvm.fc
 +++ b/policy/modules/system/lvm.fc
-@@ -28,20 +28,24 @@ ifdef(`distro_gentoo',`
+@@ -28,23 +28,28 @@ ifdef(`distro_gentoo',`
  #
  /lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -141009,7 +141109,11 @@ index 879bb1e..1121047 100644
  /sbin/lvm\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
  /sbin/lvmdiskscan	--	gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +92,66 @@ ifdef(`distro_gentoo',`
++/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmiopversion	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+@@ -88,8 +93,67 @@ ifdef(`distro_gentoo',`
  #
  # /usr
  #
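Review bot: `/sbin/lvmetad` (and `/usr/sbin/lvmetad` in the following `+@@ -88,8 +93,67 @@` hunk) is labelled lvm_exec_t, the same entrypoint as the one-shot lvm commands, so the daemon will run in whatever domain lvm_exec_t transitions to (lvm_t in refpolicy, as far as I can tell). Because lvmetad is a long-running service rather than a command, it is worth confirming that this domain has an init daemon transition and that its runtime socket and pid file get a type the domain may create; otherwise the denials appear only when the unit starts. A one-line comment next to the new entry, e.g. `# lvmetad daemon, runs in the lvm domain`, would record the intent.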
@@ -141030,6 +141134,7 @@ index 879bb1e..1121047 100644
 +/usr/sbin/lvm\.static		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmdiskscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmiopversion		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmsadc		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 +/usr/sbin/lvmsar		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -141078,7 +141183,7 @@ index 879bb1e..1121047 100644
  
  #
  # /var
-@@ -97,5 +159,7 @@ ifdef(`distro_gentoo',`
+@@ -97,5 +161,7 @@ ifdef(`distro_gentoo',`
  /var/cache/multipathd(/.*)?	gen_context(system_u:object_r:lvm_metadata_t,s0)
  /var/lib/multipath(/.*)?	gen_context(system_u:object_r:lvm_var_lib_t,s0)
  /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -144059,7 +144164,7 @@ index ff80d0a..22c9f0d 100644
 +	files_etc_filetrans($1, net_conf_t, file, "yp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..92fa1e9 100644
+index 34d0ec5..400efc0 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -144205,7 +144310,18 @@ index 34d0ec5..92fa1e9 100644
  ')
  
  optional_policy(`
-@@ -171,6 +203,8 @@ optional_policy(`
+@@ -161,6 +193,10 @@ optional_policy(`
+ 	dbus_connect_system_bus(dhcpc_t)
+ 
+ 	optional_policy(`
++		firewalld_dbus_chat(dhcpc_t)
++	')
++
++	optional_policy(`
+ 		networkmanager_dbus_chat(dhcpc_t)
+ 	')
+ ')
+@@ -171,6 +207,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
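Review bot: `firewalld_dbus_chat(dhcpc_t)` is added without a comment naming the dhclient hook that needs it; the `*_dbus_chat` interfaces conventionally allow send_msg in both directions, so after this change dhclient can originate arbitrary D-Bus calls to firewalld, and method-level authorization then rests on the bus policy and polkit rather than on SELinux. Suggest a comment above the new optional_policy block such as `# <dhclient hook> reconfigures firewalld over D-Bus` (placeholder to be filled in), and a check that the reverse direction (firewalld to dhcpc_t) is actually exercised. The trailing context line `hal_dontaudit_rw_dgram_sockets(dhcpc_t)` belongs to a different optional_policy block that continues outside the hunk.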
@@ -144214,7 +144330,7 @@ index 34d0ec5..92fa1e9 100644
  ')
  
  optional_policy(`
-@@ -192,17 +226,31 @@ optional_policy(`
+@@ -192,17 +230,31 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -144246,7 +144362,7 @@ index 34d0ec5..92fa1e9 100644
  ')
  
  optional_policy(`
-@@ -213,6 +261,11 @@ optional_policy(`
+@@ -213,6 +265,11 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -144258,7 +144374,7 @@ index 34d0ec5..92fa1e9 100644
  ')
  
  optional_policy(`
-@@ -255,6 +308,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +312,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -144266,7 +144382,7 @@ index 34d0ec5..92fa1e9 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -273,11 +327,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+@@ -273,11 +331,17 @@ corenet_rw_tun_tap_dev(ifconfig_t)
  dev_read_sysfs(ifconfig_t)
  # for IPSEC setup:
  dev_read_urand(ifconfig_t)
@@ -144284,7 +144400,7 @@ index 34d0ec5..92fa1e9 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -290,7 +350,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -290,7 +354,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -144293,7 +144409,7 @@ index 34d0ec5..92fa1e9 100644
  
  init_use_fds(ifconfig_t)
  init_use_script_ptys(ifconfig_t)
-@@ -301,11 +361,11 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +365,11 @@ logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
  
@@ -144308,7 +144424,7 @@ index 34d0ec5..92fa1e9 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +374,22 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +378,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -144331,7 +144447,7 @@ index 34d0ec5..92fa1e9 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +400,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +404,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -144346,7 +144462,7 @@ index 34d0ec5..92fa1e9 100644
  ')
  
  optional_policy(`
-@@ -335,7 +416,15 @@ optional_policy(`
+@@ -335,7 +420,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -144363,7 +144479,7 @@ index 34d0ec5..92fa1e9 100644
  ')
  
  optional_policy(`
-@@ -356,3 +445,9 @@ optional_policy(`
+@@ -356,3 +449,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -145090,10 +145206,10 @@ index 0000000..a7e3666
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..f4dd2ab
+index 0000000..68bf0f6
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,402 @@
+@@ -0,0 +1,403 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -145223,6 +145339,7 @@ index 0000000..f4dd2ab
 +userdom_manage_user_tmp_dirs(systemd_logind_t)
 +userdom_manage_user_tmp_files(systemd_logind_t)
 +userdom_manage_user_tmp_symlinks(systemd_logind_t)
++userdom_manage_user_tmp_sockets(systemd_logind_t)
 +
 +optional_policy(`
 +	cron_dbus_chat_crond(systemd_logind_t)
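Review bot: `userdom_manage_user_tmp_sockets(systemd_logind_t)` grants the full manage set (create, read, write, rename, unlink) on user tmp sock_files, while the changelog entry only asks for logind to remove them; if the userdomain module provides a delete-only interface for user tmp sock_files, that would match the stated need with less privilege. If the broader set is genuinely required, a comment such as `# logind must remove user session sockets under tmp (see <ticket>)` (placeholder) above the new line would record why. The systemd.te being patched is a new file inside the patch and the rest of the logind block lies outside this hunk.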
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f194a4f..8f80045 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 111%{?dist}
+Release: 112%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,23 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Apr 10 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-112
+- upowered needs to setsched on the kernel
+- Allow mpd_t to manage log files
+- Allow xdm_t to create /var/run/systemd/multi-session-x
+- Add rules for missedfont.log to be used by thumb.fc
+- Additional access required for virt_qmf_t
+- Allow dhclient to dbus chat with the firewalld
+- Add label for lvmetad
+- Allow systemd_logind_t to remove userdomain sock_files
+- Allow cups to execute usr_t files
+- Fix labeling on nvidia shared libraries
+- wdmd_t needs access to sssd and /etc/passwd
+- Add boolean to allow ftp servers to run in passive mode
+- Allow namepspace_init_t to relabelto/from a different user system_u from the user the namespace_init running with
+- Fix using httpd_use_fusefs
+- Allow chrome_sandbox_nacl to write inherited user tmp files as we allow it for chrome_sandbox
+
 * Fri Apr 6 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-111
 - Rename rdate port to time port, and allow gnomeclock to connect to it
 - We no longer need to transition to ldconfig from rpm, rpm_script, or anaconda

