[selinux-policy] - Add support for ecryptfs * ecryptfs does not support xattr * we need labeling for HOMEDIR - Ad

[Miroslav Grepl]

commit bfc280fd5bbab091e3fb0601d624105dc1efc2d9
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Fri Jun 15 10:43:55 2012 +0200

    - Add support for ecryptfs
      * ecryptfs does not support xattr
      * we need labeling for HOMEDIR
    - Add policy for (u)mount.ecryptfs*
    - Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage
    - Allow dovecot to manage Maildir content, fix transitions to Maildir
    - Allow postfix_local to transition to dovecot_deliver
    - Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
    - Cleanup interface definitions
    - Allow apmd to change with the logind daemon
    - Changes required for sanlock in rhel6
    - Label /run/user/apache as httpd_tmp_t
    - Allow thumb to use lib_t as execmod if boolean turned on
    - Allow squid to create the squid directory in /var with the correct la
    - Add a new policy for glusterd from Bryan Bickford (bbickfor at redhat.co
    - Allow virtd to exec xend_exec_t without transition
    - Allow virtd_lxc_t to unmount all file systems

 modules-targeted.conf        |    7 +
 policy-rawhide.patch         |  716 +++++++++++++++++++++--------
 policy_contrib-rawhide.patch | 1055 ++++++++++++++++++++++++++++++------------
 selinux-policy.spec          |   21 +-
 4 files changed, 1302 insertions(+), 497 deletions(-)
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index a2c7c8c..9c8cbc0 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2556,3 +2556,10 @@ svnserve =  module
 #  policy for man2html apps
 # 
 man2html =  module
+
+# Layer: contrib
+# Module: glusterd
+#  
+#  policy for glusterd service
+#
+glusterd =  module
diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index 8fb05e8..1bcf4e2 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -58218,7 +58218,7 @@ index 66e85ea..d02654d 100644
  ## user domains.
  ## </p>
 diff --git a/policy/global_tunables b/policy/global_tunables
-index 4705ab6..cc2b436 100644
+index 4705ab6..8ba19a0 100644
 --- a/policy/global_tunables
 +++ b/policy/global_tunables
 @@ -6,52 +6,59 @@
@@ -58307,10 +58307,17 @@ index 4705ab6..cc2b436 100644
  ## Allow any files/directories to be exported read/write via NFS.
  ## </p>
  ## </desc>
-@@ -105,9 +103,17 @@ gen_tunable(use_samba_home_dirs,false)
+@@ -105,9 +103,24 @@ gen_tunable(use_samba_home_dirs,false)
  
  ## <desc>
  ## <p>
++## Support ecryptfs home directories
++## </p>
++## </desc>
++gen_tunable(use_ecryptfs_home_dirs,false)
++
++## <desc>
++## <p>
 +## Support fusefs home directories
 +## </p>
 +## </desc>
@@ -58422,10 +58429,10 @@ index f477c7f..d80599b 100644
 +
  ') dnl end enable_mcs
 diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..530d2df 100644
+index 7a6f06f..48fc840 100644
 --- a/policy/modules/admin/bootloader.fc
 +++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,14 @@
+@@ -1,9 +1,16 @@
 -
 +/etc/default/grub	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
  /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
@@ -58437,6 +58444,8 @@ index 7a6f06f..530d2df 100644
  /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/sbin/zipl			--	gen_context(system_u:object_r:bootloader_exec_t,s0)
++
++/var/run/blkid(/.*)?		gen_context(system_u:object_r:bootloader_var_run_t,s0)
  
 -/usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 +/usr/sbin/grub.*	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
@@ -58529,7 +58538,7 @@ index a778bb1..5e914db 100644
 +	files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
 +')
 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index ab0439a..e717a21 100644
+index ab0439a..4104b53 100644
 --- a/policy/modules/admin/bootloader.te
 +++ b/policy/modules/admin/bootloader.te
 @@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.0)
@@ -58543,13 +58552,16 @@ index ab0439a..e717a21 100644
  
  #
  # boot_runtime_t is the type for /boot/kernel.h,
-@@ -19,14 +19,15 @@ files_type(boot_runtime_t)
+@@ -19,14 +19,18 @@ files_type(boot_runtime_t)
  type bootloader_t;
  type bootloader_exec_t;
  application_domain(bootloader_t, bootloader_exec_t)
 -role bootloader_roles types bootloader_t;
 +#role bootloader_roles types bootloader_t;
 +role system_r types bootloader_t;
++
++type bootloader_var_run_t;
++files_pid_file(bootloader_var_run_t)
  
  #
  # bootloader_etc_t is the configuration file,
@@ -58561,7 +58573,7 @@ index ab0439a..e717a21 100644
  
  #
  # The temp file is used for initrd creation;
-@@ -41,7 +42,7 @@ dev_node(bootloader_tmp_t)
+@@ -41,7 +45,7 @@ dev_node(bootloader_tmp_t)
  # bootloader local policy
  #
  
@@ -58570,7 +58582,18 @@ index ab0439a..e717a21 100644
  allow bootloader_t self:process { signal_perms execmem };
  allow bootloader_t self:fifo_file rw_fifo_file_perms;
  
-@@ -81,6 +82,7 @@ dev_rw_nvram(bootloader_t)
+@@ -59,6 +63,10 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
+ # for tune2fs (cjp: ?)
+ files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
+ 
++manage_dirs_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++manage_files_pattern(bootloader_t, bootloader_var_run_t, bootloader_var_run_t)
++files_pid_filetrans(bootloader_t, bootloader_var_run_t, {dir file })
++
+ kernel_getattr_core_if(bootloader_t)
+ kernel_read_network_state(bootloader_t)
+ kernel_read_system_state(bootloader_t)
+@@ -81,6 +89,7 @@ dev_rw_nvram(bootloader_t)
  
  fs_getattr_xattr_fs(bootloader_t)
  fs_getattr_tmpfs(bootloader_t)
@@ -58578,7 +58601,7 @@ index ab0439a..e717a21 100644
  fs_read_tmpfs_symlinks(bootloader_t)
  #Needed for ia64
  fs_manage_dos_files(bootloader_t)
-@@ -89,6 +91,7 @@ mls_file_read_all_levels(bootloader_t)
+@@ -89,6 +98,7 @@ mls_file_read_all_levels(bootloader_t)
  mls_file_write_all_levels(bootloader_t)
  
  term_getattr_all_ttys(bootloader_t)
@@ -58586,7 +58609,7 @@ index ab0439a..e717a21 100644
  term_dontaudit_manage_pty_dirs(bootloader_t)
  
  corecmd_exec_all_executables(bootloader_t)
-@@ -98,12 +101,14 @@ domain_use_interactive_fds(bootloader_t)
+@@ -98,12 +108,14 @@ domain_use_interactive_fds(bootloader_t)
  files_create_boot_dirs(bootloader_t)
  files_manage_boot_files(bootloader_t)
  files_manage_boot_symlinks(bootloader_t)
@@ -58601,7 +58624,7 @@ index ab0439a..e717a21 100644
  # for nscd
  files_dontaudit_search_pids(bootloader_t)
  # for blkid.tab
-@@ -111,6 +116,7 @@ files_manage_etc_runtime_files(bootloader_t)
+@@ -111,6 +123,7 @@ files_manage_etc_runtime_files(bootloader_t)
  files_etc_filetrans_etc_runtime(bootloader_t, file)
  files_dontaudit_search_home(bootloader_t)
  
@@ -58609,7 +58632,7 @@ index ab0439a..e717a21 100644
  init_getattr_initctl(bootloader_t)
  init_use_script_ptys(bootloader_t)
  init_use_script_fds(bootloader_t)
-@@ -118,8 +124,10 @@ init_rw_script_pipes(bootloader_t)
+@@ -118,8 +131,10 @@ init_rw_script_pipes(bootloader_t)
  
  libs_read_lib_files(bootloader_t)
  libs_exec_lib_files(bootloader_t)
@@ -58621,7 +58644,7 @@ index ab0439a..e717a21 100644
  logging_rw_generic_logs(bootloader_t)
  
  miscfiles_read_localization(bootloader_t)
-@@ -130,7 +138,8 @@ seutil_read_bin_policy(bootloader_t)
+@@ -130,7 +145,8 @@ seutil_read_bin_policy(bootloader_t)
  seutil_read_loadpolicy(bootloader_t)
  seutil_dontaudit_search_config(bootloader_t)
  
@@ -58631,7 +58654,7 @@ index ab0439a..e717a21 100644
  userdom_dontaudit_search_user_home_dirs(bootloader_t)
  
  ifdef(`distro_debian',`
-@@ -166,7 +175,8 @@ ifdef(`distro_redhat',`
+@@ -166,7 +182,8 @@ ifdef(`distro_redhat',`
  	files_manage_isid_type_chr_files(bootloader_t)
  
  	# for mke2fs
@@ -58641,7 +58664,7 @@ index ab0439a..e717a21 100644
  
  	optional_policy(`
  		unconfined_domain(bootloader_t)
-@@ -174,6 +184,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +191,10 @@ ifdef(`distro_redhat',`
  ')
  
  optional_policy(`
@@ -58652,7 +58675,7 @@ index ab0439a..e717a21 100644
  	fstools_exec(bootloader_t)
  ')
  
-@@ -183,6 +197,10 @@ optional_policy(`
+@@ -183,6 +204,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58663,7 +58686,7 @@ index ab0439a..e717a21 100644
  	kudzu_domtrans(bootloader_t)
  ')
  
-@@ -195,15 +213,13 @@ optional_policy(`
+@@ -195,15 +220,13 @@ optional_policy(`
  
  optional_policy(`
  	modutils_exec_insmod(bootloader_t)
@@ -66453,10 +66476,18 @@ index 1ce8aa0..24dfed0 100644
  	allow files_unconfined_type file_type:file execmod;
  ')
 diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..e89e4bf 100644
+index cda5588..91d1e25 100644
 --- a/policy/modules/kernel/filesystem.fc
 +++ b/policy/modules/kernel/filesystem.fc
-@@ -14,3 +14,8 @@
+@@ -1,3 +1,7 @@
++# ecryptfs does not support xattr
++HOME_DIR/\.ecryptfs(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
++HOME_DIR/\.Private(/.*)?	gen_context(system_u:object_r:ecryptfs_t,s0)
++
+ /cgroup			-d	gen_context(system_u:object_r:cgroup_t,s0)
+ /cgroup/.*			<<none>>
+ 
+@@ -14,3 +18,8 @@
  # for systemd systems:
  /sys/fs/cgroup		-d	gen_context(system_u:object_r:cgroup_t,s0)
  /sys/fs/cgroup/.*		<<none>>
@@ -66466,7 +66497,7 @@ index cda5588..e89e4bf 100644
 +/usr/lib/udev/devices/shm	-d	gen_context(system_u:object_r:tmpfs_t,s0)
 +/usr/lib/udev/devices/shm/.*	<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 7c6b791..6d3f720 100644
+index 7c6b791..242bce2 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
@@ -66592,15 +66623,17 @@ index 7c6b791..6d3f720 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -763,6 +829,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -762,7 +828,9 @@ interface(`fs_rw_cgroup_files',`
+ 
  	')
  
++	read_lnk_files_pattern($1, cgroup_t, cgroup_t)
  	rw_files_pattern($1, cgroup_t, cgroup_t)
 +	fs_search_tmpfs($1)
  	dev_search_sysfs($1)
  ')
  
-@@ -803,6 +870,8 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +871,8 @@ interface(`fs_manage_cgroup_files',`
  	')
  
  	manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -66609,7 +66642,7 @@ index 7c6b791..6d3f720 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -1107,6 +1176,24 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1107,6 +1177,24 @@ interface(`fs_read_noxattr_fs_files',`
  
  ########################################
  ## <summary>
@@ -66634,7 +66667,7 @@ index 7c6b791..6d3f720 100644
  ##	Do not audit attempts to read all
  ##	noxattrfs files.
  ## </summary>
-@@ -1245,7 +1332,7 @@ interface(`fs_append_cifs_files',`
+@@ -1245,7 +1333,7 @@ interface(`fs_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -66643,7 +66676,7 @@ index 7c6b791..6d3f720 100644
  ##	on a CIFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1265,6 +1352,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1265,6 +1353,42 @@ interface(`fs_dontaudit_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -66686,7 +66719,7 @@ index 7c6b791..6d3f720 100644
  ##	Do not audit attempts to read or
  ##	write files on a CIFS or SMB filesystem.
  ## </summary>
-@@ -1279,7 +1402,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1279,7 +1403,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
@@ -66695,7 +66728,7 @@ index 7c6b791..6d3f720 100644
  ')
  
  ########################################
-@@ -1542,6 +1665,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1542,6 +1666,25 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -66721,7 +66754,7 @@ index 7c6b791..6d3f720 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1582,6 +1724,24 @@ interface(`fs_manage_configfs_files',`
+@@ -1582,6 +1725,24 @@ interface(`fs_manage_configfs_files',`
  
  ########################################
  ## <summary>
@@ -66746,7 +66779,7 @@ index 7c6b791..6d3f720 100644
  ##	Mount a DOS filesystem, such as
  ##	FAT32 or NTFS.
  ## </summary>
-@@ -1679,6 +1839,25 @@ interface(`fs_relabelfrom_dos_fs',`
+@@ -1679,6 +1840,25 @@ interface(`fs_relabelfrom_dos_fs',`
  
  ########################################
  ## <summary>
@@ -66772,10 +66805,132 @@ index 7c6b791..6d3f720 100644
  ##	Search dosfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2025,6 +2204,68 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1793,6 +1973,188 @@ interface(`fs_read_eventpollfs',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
  
- ########################################
- ## <summary>
++
++#######################################
++## <summary>
++##      Search directories
++##      on a ecrypt filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`fs_search_ecryptfs',`
++        gen_require(`
++                type fusefs_t;
++        ')
++
++        allow $1 ecryptfs_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete directories
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_ecryptfs_dirs',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t)
++	allow $1 ecryptfs_t:dir manage_dir_perms;
++')
++
++#######################################
++## <summary>
++##      Create, read, write, and delete files
++##      on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_read_ecryptfs_files',`
++        gen_require(`
++                type ecryptfs_t;
++        ')
++
++        read_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete files
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_ecryptfs_files',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	manage_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to create,
++##	read, write, and delete files
++##	on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_ecryptfs_files',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	dontaudit $1 ecryptfs_t:file manage_file_perms;
++')
++
++########################################
++## <summary>
++##	Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_ecryptfs_symlinks',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	allow $1 ecryptfs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
++')
++
++########################################
++## <summary>
 +##	Manage symbolic links on a FUSEFS filesystem.
 +## </summary>
 +## <param name="domain">
@@ -66784,12 +66939,12 @@ index 7c6b791..6d3f720 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_manage_fusefs_symlinks',`
++interface(`fs_manage_ecryptfs_symlinks',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t)
 +')
 +
 +########################################
@@ -66827,21 +66982,108 @@ index 7c6b791..6d3f720 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_fusefs_domtrans',`
++interface(`fs_ecryptfs_domtrans',`
++	gen_require(`
++		type ecryptfs_t;
++	')
++
++	allow $1 ecryptfs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, ecryptfs_t, $2)
++')
++
+ ########################################
+ ## <summary>
+ ##	Mount a FUSE filesystem.
+@@ -2006,21 +2368,83 @@ interface(`fs_dontaudit_manage_fusefs_files',`
+ 
+ ########################################
+ ## <summary>
+-##	Read symbolic links on a FUSEFS filesystem.
++##	Read symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_read_fusefs_symlinks',`
 +	gen_require(`
 +		type fusefs_t;
 +	')
 +
-+	allow $1 fusefs_t:dir search_dir_perms;
-+	domain_auto_transition_pattern($1, fusefs_t, $2)
++	allow $1 fusefs_t:dir list_dir_perms;
++	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Get the attributes of an hugetlbfs
- ##	filesystem.
++##	Manage symbolic links on a FUSEFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_manage_fusefs_symlinks',`
++	gen_require(`
++		type fusefs_t;
++	')
++
++	manage_lnk_files_pattern($1, fusefs_t, fusefs_t)
++')
++
++########################################
++## <summary>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.
  ## </summary>
-@@ -2080,6 +2321,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
++## <desc>
++##	<p>
++##	Execute a file on a FUSE filesystem
++##	in the specified domain.  This allows
++##	the specified domain to execute any file
++##	on these filesystems in the specified
++##	domain.  This is not suggested.
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++##	<p>
++##	This interface was added to handle
++##	home directories on FUSE filesystems,
++##	in particular used by the ssh-agent policy.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`fs_read_fusefs_symlinks',`
++interface(`fs_fusefs_domtrans',`
+ 	gen_require(`
+ 		type fusefs_t;
+ 	')
+ 
+-	allow $1 fusefs_t:dir list_dir_perms;
+-	read_lnk_files_pattern($1, fusefs_t, fusefs_t)
++	allow $1 fusefs_t:dir search_dir_perms;
++	domain_auto_transition_pattern($1, fusefs_t, $2)
+ ')
+ 
+ ########################################
+@@ -2080,6 +2504,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
  
  ########################################
  ## <summary>
@@ -66866,7 +67108,7 @@ index 7c6b791..6d3f720 100644
  ##	Read and write hugetlbfs files.
  ## </summary>
  ## <param name="domain">
-@@ -2148,11 +2407,12 @@ interface(`fs_list_inotifyfs',`
+@@ -2148,11 +2590,12 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -66880,7 +67122,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2485,6 +2745,7 @@ interface(`fs_read_nfs_files',`
+@@ -2485,6 +2928,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -66888,7 +67130,7 @@ index 7c6b791..6d3f720 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2523,6 +2784,7 @@ interface(`fs_write_nfs_files',`
+@@ -2523,6 +2967,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -66896,7 +67138,7 @@ index 7c6b791..6d3f720 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2549,6 +2811,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2549,6 +2994,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -66922,7 +67164,7 @@ index 7c6b791..6d3f720 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2569,7 +2850,7 @@ interface(`fs_append_nfs_files',`
+@@ -2569,7 +3033,7 @@ interface(`fs_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -66931,7 +67173,7 @@ index 7c6b791..6d3f720 100644
  ##	on a NFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -2589,6 +2870,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2589,6 +3053,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -66974,7 +67216,7 @@ index 7c6b791..6d3f720 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2603,7 +2920,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2603,7 +3103,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -66983,7 +67225,7 @@ index 7c6b791..6d3f720 100644
  ')
  
  ########################################
-@@ -2627,7 +2944,7 @@ interface(`fs_read_nfs_symlinks',`
+@@ -2627,7 +3127,7 @@ interface(`fs_read_nfs_symlinks',`
  
  ########################################
  ## <summary>
@@ -66992,7 +67234,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2741,7 +3058,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3241,7 @@ interface(`fs_search_removable',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -67001,7 +67243,7 @@ index 7c6b791..6d3f720 100644
  ##	</summary>
  ## </param>
  #
-@@ -2777,7 +3094,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3277,7 @@ interface(`fs_read_removable_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -67010,7 +67252,7 @@ index 7c6b791..6d3f720 100644
  ##	</summary>
  ## </param>
  #
-@@ -2970,6 +3287,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3470,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -67018,7 +67260,7 @@ index 7c6b791..6d3f720 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -3010,6 +3328,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3511,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -67026,7 +67268,7 @@ index 7c6b791..6d3f720 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3050,6 +3369,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3552,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -67034,7 +67276,7 @@ index 7c6b791..6d3f720 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3263,6 +3583,24 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3263,6 +3766,24 @@ interface(`fs_getattr_nfsd_files',`
  	getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
  ')
  
@@ -67059,7 +67301,7 @@ index 7c6b791..6d3f720 100644
  ########################################
  ## <summary>
  ##	Read and write NFS server files.
-@@ -3283,6 +3621,24 @@ interface(`fs_rw_nfsd_fs',`
+@@ -3283,6 +3804,24 @@ interface(`fs_rw_nfsd_fs',`
  
  ########################################
  ## <summary>
@@ -67084,7 +67326,7 @@ index 7c6b791..6d3f720 100644
  ##	Allow the type to associate to ramfs filesystems.
  ## </summary>
  ## <param name="type">
-@@ -3392,7 +3748,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +3931,7 @@ interface(`fs_search_ramfs',`
  
  ########################################
  ## <summary>
@@ -67093,7 +67335,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3429,7 +3785,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +3968,7 @@ interface(`fs_manage_ramfs_dirs',`
  
  ########################################
  ## <summary>
@@ -67102,7 +67344,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3447,7 +3803,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +3986,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
  
  ########################################
  ## <summary>
@@ -67111,7 +67353,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3815,6 +4171,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4354,24 @@ interface(`fs_unmount_tmpfs',`
  
  ########################################
  ## <summary>
@@ -67136,7 +67378,7 @@ index 7c6b791..6d3f720 100644
  ##	Get the attributes of a tmpfs
  ##	filesystem.
  ## </summary>
-@@ -3963,6 +4337,42 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3963,6 +4520,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -67179,7 +67421,7 @@ index 7c6b791..6d3f720 100644
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -4069,7 +4479,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4069,7 +4662,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
  		type tmpfs_t;
  	')
  
@@ -67188,7 +67430,7 @@ index 7c6b791..6d3f720 100644
  ')
  
  ########################################
-@@ -4129,6 +4539,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4129,6 +4722,24 @@ interface(`fs_rw_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -67213,7 +67455,7 @@ index 7c6b791..6d3f720 100644
  ##	Read tmpfs link files.
  ## </summary>
  ## <param name="domain">
-@@ -4166,7 +4594,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4166,7 +4777,7 @@ interface(`fs_rw_tmpfs_chr_files',`
  
  ########################################
  ## <summary>
@@ -67222,7 +67464,7 @@ index 7c6b791..6d3f720 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4185,6 +4613,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4185,6 +4796,42 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -67265,7 +67507,7 @@ index 7c6b791..6d3f720 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4242,6 +4706,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4242,6 +4889,24 @@ interface(`fs_relabel_tmpfs_blk_file',`
  
  ########################################
  ## <summary>
@@ -67290,7 +67532,7 @@ index 7c6b791..6d3f720 100644
  ##	Read and write, create and delete generic
  ##	files on tmpfs filesystems.
  ## </summary>
-@@ -4261,6 +4743,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4261,6 +4926,25 @@ interface(`fs_manage_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -67316,7 +67558,7 @@ index 7c6b791..6d3f720 100644
  ##	Read and write, create and delete symbolic
  ##	links on tmpfs filesystems.
  ## </summary>
-@@ -4467,6 +4968,8 @@ interface(`fs_mount_all_fs',`
+@@ -4467,6 +5151,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -67325,7 +67567,7 @@ index 7c6b791..6d3f720 100644
  ')
  
  ########################################
-@@ -4513,7 +5016,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4513,7 +5199,7 @@ interface(`fs_unmount_all_fs',`
  ## <desc>
  ##	<p>
  ##	Allow the specified domain to
@@ -67334,7 +67576,7 @@ index 7c6b791..6d3f720 100644
  ##	Example attributes:
  ##	</p>
  ##	<ul>
-@@ -4876,3 +5379,24 @@ interface(`fs_unconfined',`
+@@ -4876,3 +5562,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -69645,10 +69887,10 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index e5aee97..f373c8d 100644
+index e5aee97..3d10b66 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,52 @@ policy_module(staff, 2.3.0)
+@@ -8,12 +8,57 @@ policy_module(staff, 2.3.0)
  role staff_r;
  
  userdom_unpriv_user_template(staff)
@@ -69698,10 +69940,15 @@ index e5aee97..f373c8d 100644
 +	abrt_read_cache(staff_t)
 +')
 +
++optional_policy(`
++	accountsd_dbus_chat(staff_t)
++	accountsd_read_lib_files(staff_t)
++')
++
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -23,11 +63,99 @@ optional_policy(`
+@@ -23,11 +68,98 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69713,21 +69960,20 @@ index e5aee97..f373c8d 100644
 +')
 +
 +optional_policy(`
- 	dbadm_role_change(staff_r)
- ')
- 
- optional_policy(`
--	git_role(staff_r, staff_t)
-+	accountsd_dbus_chat(staff_t)
-+	accountsd_read_lib_files(staff_t)
++	chrome_role(staff_r, staff_t)
 +')
 +
 +optional_policy(`
-+	chrome_role(staff_r, staff_t)
++	colord_dbus_chat(staff_t)
 +')
 +
 +optional_policy(`
-+	colord_dbus_chat(staff_t)
+ 	dbadm_role_change(staff_r)
+ ')
+ 
+ optional_policy(`
+-	git_role(staff_r, staff_t)
++	dnsmasq_read_pid_files(staff_t)
 +')
 +
 +optional_policy(`
@@ -69802,7 +70048,7 @@ index e5aee97..f373c8d 100644
  ')
  
  optional_policy(`
-@@ -35,15 +163,23 @@ optional_policy(`
+@@ -35,15 +167,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69814,6 +70060,10 @@ index e5aee97..f373c8d 100644
 +')
 +
 +optional_policy(`
++	rwho_read_spool_files(staff_t)
++')
++
++optional_policy(`
  	secadm_role_change(staff_r)
  ')
  
@@ -69828,7 +70078,7 @@ index e5aee97..f373c8d 100644
  ')
  
  optional_policy(`
-@@ -52,10 +188,59 @@ optional_policy(`
+@@ -52,10 +196,59 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -69888,7 +70138,7 @@ index e5aee97..f373c8d 100644
  	xserver_role(staff_r, staff_t)
  ')
  
-@@ -65,10 +250,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +258,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69899,7 +70149,7 @@ index e5aee97..f373c8d 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -93,18 +274,10 @@ ifndef(`distro_redhat',`
+@@ -93,18 +282,10 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69918,7 +70168,7 @@ index e5aee97..f373c8d 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +306,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69929,7 +70179,7 @@ index e5aee97..f373c8d 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +310,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +318,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -69940,7 +70190,7 @@ index e5aee97..f373c8d 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +341,7 @@ ifndef(`distro_redhat',`
+@@ -176,3 +349,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -73043,10 +73293,10 @@ index b17e27a..f87cce0 100644
 +    ssh_rw_dgram_sockets(chroot_user_t)
 +')
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..cfe92e1 100644
+index fc86b7c..decae02 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
-@@ -2,13 +2,34 @@
+@@ -2,13 +2,35 @@
  # HOME_DIR
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -73061,6 +73311,7 @@ index fc86b7c..cfe92e1 100644
  HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +HOME_DIR/\.Xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
++HOME_DIR/\.cache/gdm(/.*)?	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.xsession-errors.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +HOME_DIR/\.dmrc.*	--	gen_context(system_u:object_r:xdm_home_t,s0)
 +
@@ -73081,7 +73332,7 @@ index fc86b7c..cfe92e1 100644
  
  #
  # /dev
-@@ -24,11 +45,18 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -24,11 +46,18 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  
  /etc/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
  
@@ -73100,7 +73351,7 @@ index fc86b7c..cfe92e1 100644
  /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,23 +74,24 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,23 +75,24 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
  # /tmp
  #
  
@@ -73131,7 +73382,7 @@ index fc86b7c..cfe92e1 100644
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  
-@@ -90,24 +119,43 @@ ifndef(`distro_debian',`
+@@ -90,24 +120,43 @@ ifndef(`distro_debian',`
  /var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
  /var/lib/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -73180,7 +73431,7 @@ index fc86b7c..cfe92e1 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..647cc5c 100644
+index 130ced9..173eaf5 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -73680,16 +73931,34 @@ index 130ced9..647cc5c 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -765,7 +918,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +918,25 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
 -	allow $1 xdm_tmp_t:dir setattr;
 +	allow $1 xdm_tmp_t:dir setattr_dir_perms;
++')
++
++########################################
++## <summary>
++##	Dont audit attempts to set the attributes of XDM temporary directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`xserver_dontaudit_xdm_tmp_dirs',`
++	gen_require(`
++		type xdm_tmp_t;
++	')
++
++	dontaudit $1 xdm_tmp_t:dir setattr_dir_perms;
  ')
  
  ########################################
-@@ -805,7 +958,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +976,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -73717,7 +73986,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -828,6 +1000,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +1018,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -73742,7 +74011,7 @@ index 130ced9..647cc5c 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -897,7 +1087,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1105,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -73751,7 +74020,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -916,7 +1106,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1124,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -73760,7 +74029,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -963,6 +1153,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1171,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -73806,7 +74075,7 @@ index 130ced9..647cc5c 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1205,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1223,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -73815,7 +74084,7 @@ index 130ced9..647cc5c 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1267,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1285,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -73858,7 +74127,7 @@ index 130ced9..647cc5c 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1317,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1335,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -73867,7 +74136,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -1070,8 +1335,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1353,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -73879,7 +74148,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -1185,6 +1452,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1470,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -73906,7 +74175,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -1210,7 +1497,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1515,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -73915,7 +74184,7 @@ index 130ced9..647cc5c 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1507,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1525,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -73940,7 +74209,7 @@ index 130ced9..647cc5c 100644
  ')
  
  ########################################
-@@ -1243,10 +1540,533 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1558,533 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -74477,7 +74746,7 @@ index 130ced9..647cc5c 100644
 +	files_search_tmp($1)
 +')
 diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index c4f7c35..c221771 100644
+index c4f7c35..06c447c 100644
 --- a/policy/modules/services/xserver.te
 +++ b/policy/modules/services/xserver.te
 @@ -26,27 +26,50 @@ gen_require(`
@@ -75136,7 +75405,7 @@ index c4f7c35..c221771 100644
  ')
  
  optional_policy(`
-@@ -514,12 +723,63 @@ optional_policy(`
+@@ -514,12 +723,64 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75194,13 +75463,14 @@ index c4f7c35..c221771 100644
 +	gnome_read_usr_config(xdm_t)
 +	gnome_read_gconf_config(xdm_t)
 +	gnome_transition_gkeyringd(xdm_t)
++	gnome_cache_filetrans(xdm_t, xdm_home_t, dir, "gdm")
 +')
 +
 +optional_policy(`
  	hostname_exec(xdm_t)
  ')
  
-@@ -537,28 +797,69 @@ optional_policy(`
+@@ -537,28 +798,69 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75279,7 +75549,7 @@ index c4f7c35..c221771 100644
  ')
  
  optional_policy(`
-@@ -570,6 +871,14 @@ optional_policy(`
+@@ -570,6 +872,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75294,7 +75564,7 @@ index c4f7c35..c221771 100644
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -594,7 +903,8 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,7 +904,8 @@ allow xserver_t input_xevent_t:x_event send;
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -75304,7 +75574,7 @@ index c4f7c35..c221771 100644
  dontaudit xserver_t self:capability chown;
  allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow xserver_t self:fd use;
-@@ -608,8 +918,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +919,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -75320,7 +75590,7 @@ index c4f7c35..c221771 100644
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +945,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +946,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -75342,7 +75612,7 @@ index c4f7c35..c221771 100644
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -641,6 +965,7 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,6 +966,7 @@ kernel_read_modprobe_sysctls(xserver_t)
  # Xorg wants to check if kernel is tainted
  kernel_read_kernel_sysctls(xserver_t)
  kernel_write_proc_files(xserver_t)
@@ -75350,7 +75620,7 @@ index c4f7c35..c221771 100644
  
  # Run helper programs in xserver_t.
  corecmd_exec_bin(xserver_t)
-@@ -667,23 +992,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +993,28 @@ dev_rw_apm_bios(xserver_t)
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -75382,7 +75652,7 @@ index c4f7c35..c221771 100644
  
  # brought on by rhgb
  files_search_mnt(xserver_t)
-@@ -694,8 +1024,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1025,13 @@ fs_getattr_xattr_fs(xserver_t)
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -75396,7 +75666,7 @@ index c4f7c35..c221771 100644
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -708,8 +1043,6 @@ init_getpgid(xserver_t)
+@@ -708,8 +1044,6 @@ init_getpgid(xserver_t)
  term_setattr_unallocated_ttys(xserver_t)
  term_use_unallocated_ttys(xserver_t)
  
@@ -75405,7 +75675,7 @@ index c4f7c35..c221771 100644
  locallogin_use_fds(xserver_t)
  
  logging_send_syslog_msg(xserver_t)
-@@ -717,11 +1050,12 @@ logging_send_audit_msgs(xserver_t)
+@@ -717,11 +1051,12 @@ logging_send_audit_msgs(xserver_t)
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
@@ -75420,7 +75690,7 @@ index c4f7c35..c221771 100644
  
  userdom_search_user_home_dirs(xserver_t)
  userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1109,40 @@ optional_policy(`
+@@ -775,16 +1110,40 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75462,7 +75732,7 @@ index c4f7c35..c221771 100644
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -793,6 +1151,10 @@ optional_policy(`
+@@ -793,6 +1152,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -75473,7 +75743,7 @@ index c4f7c35..c221771 100644
  	xfs_stream_connect(xserver_t)
  ')
  
-@@ -808,10 +1170,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1171,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
  
  # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
  # handle of a file inside the dir!!!
@@ -75487,7 +75757,7 @@ index c4f7c35..c221771 100644
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1181,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1182,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
  
  # Run xkbcomp.
@@ -75496,7 +75766,7 @@ index c4f7c35..c221771 100644
  can_exec(xserver_t, xkb_var_lib_t)
  
  # VNC v4 module in X server
-@@ -832,26 +1194,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1195,21 @@ init_use_fds(xserver_t)
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -75531,7 +75801,7 @@ index c4f7c35..c221771 100644
  ')
  
  optional_policy(`
-@@ -859,6 +1216,10 @@ optional_policy(`
+@@ -859,6 +1217,10 @@ optional_policy(`
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -75542,7 +75812,7 @@ index c4f7c35..c221771 100644
  ########################################
  #
  # Rules common to all X window domains
-@@ -902,7 +1263,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1264,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
  allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -75551,7 +75821,7 @@ index c4f7c35..c221771 100644
  # operations allowed on all windows
  allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
  
-@@ -956,11 +1317,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1318,31 @@ allow x_domain self:x_resource { read write };
  # can mess with the screensaver
  allow x_domain xserver_t:x_screen { getattr saver_getattr };
  
@@ -75583,7 +75853,7 @@ index c4f7c35..c221771 100644
  tunable_policy(`! xserver_object_manager',`
  	# should be xserver_unconfined(x_domain),
  	# but typeattribute doesnt work in conditionals
-@@ -982,18 +1363,43 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1364,43 @@ tunable_policy(`! xserver_object_manager',`
  	allow x_domain xevent_type:{ x_event x_synthetic_event } *;
  ')
  
@@ -75801,7 +76071,7 @@ index 28ad538..82def3d 100644
 -/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 6ce867a..283f236 100644
+index 6ce867a..20a0b0a 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -75884,7 +76154,7 @@ index 6ce867a..283f236 100644
  	manage_files_pattern($1, var_auth_t, var_auth_t)
  
  	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
-@@ -120,16 +146,29 @@ interface(`auth_login_pgm_domain',`
+@@ -120,16 +146,31 @@ interface(`auth_login_pgm_domain',`
  	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
  	files_var_filetrans($1, auth_cache_t, dir)
  
@@ -75912,10 +76182,12 @@ index 6ce867a..283f236 100644
  	fs_list_auto_mountpoints($1)
 +	fs_manage_cgroup_dirs($1)
 +	fs_manage_cgroup_files($1)
++	fs_read_ecryptfs_symlinks($1)
++	fs_read_ecryptfs_files($1)
  
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
-@@ -145,6 +184,8 @@ interface(`auth_login_pgm_domain',`
+@@ -145,6 +186,8 @@ interface(`auth_login_pgm_domain',`
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
@@ -75924,7 +76196,7 @@ index 6ce867a..283f236 100644
  	auth_use_pam($1)
  
  	init_rw_utmp($1)
-@@ -155,9 +196,83 @@ interface(`auth_login_pgm_domain',`
+@@ -155,9 +198,84 @@ interface(`auth_login_pgm_domain',`
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -75960,6 +76232,7 @@ index 6ce867a..283f236 100644
 +		corecmd_exec_bin($1)
 +		storage_getattr_fixed_disk_dev($1)
 +		mount_domtrans($1)
++		mount_domtrans_ecryptmount($1)
 +	')
 +
 +	optional_policy(`
@@ -76010,7 +76283,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -395,13 +510,15 @@ interface(`auth_domtrans_chk_passwd',`
+@@ -395,13 +513,15 @@ interface(`auth_domtrans_chk_passwd',`
  	')
  
  	optional_policy(`
@@ -76027,7 +76300,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -448,6 +565,25 @@ interface(`auth_run_chk_passwd',`
+@@ -448,6 +568,25 @@ interface(`auth_run_chk_passwd',`
  
  	auth_domtrans_chk_passwd($1)
  	role $2 types chkpwd_t;
@@ -76053,7 +76326,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -467,7 +603,6 @@ interface(`auth_domtrans_upd_passwd',`
+@@ -467,7 +606,6 @@ interface(`auth_domtrans_upd_passwd',`
  
  	domtrans_pattern($1, updpwd_exec_t, updpwd_t)
  	auth_dontaudit_read_shadow($1)
@@ -76061,7 +76334,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -664,6 +799,10 @@ interface(`auth_manage_shadow',`
+@@ -664,6 +802,10 @@ interface(`auth_manage_shadow',`
  
  	allow $1 shadow_t:file manage_file_perms;
  	typeattribute $1 can_read_shadow_passwords, can_write_shadow_passwords;
@@ -76072,7 +76345,7 @@ index 6ce867a..283f236 100644
  ')
  
  #######################################
-@@ -763,7 +902,50 @@ interface(`auth_rw_faillog',`
+@@ -763,7 +905,50 @@ interface(`auth_rw_faillog',`
  	')
  
  	logging_search_logs($1)
@@ -76124,7 +76397,7 @@ index 6ce867a..283f236 100644
  ')
  
  #######################################
-@@ -959,9 +1141,30 @@ interface(`auth_manage_var_auth',`
+@@ -959,9 +1144,30 @@ interface(`auth_manage_var_auth',`
  	')
  
  	files_search_var($1)
@@ -76158,7 +76431,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -1040,6 +1243,10 @@ interface(`auth_manage_pam_pid',`
+@@ -1040,6 +1246,10 @@ interface(`auth_manage_pam_pid',`
  	files_search_pids($1)
  	allow $1 pam_var_run_t:dir manage_dir_perms;
  	allow $1 pam_var_run_t:file manage_file_perms;
@@ -76169,7 +76442,7 @@ index 6ce867a..283f236 100644
  ')
  
  ########################################
-@@ -1157,6 +1364,7 @@ interface(`auth_manage_pam_console_data',`
+@@ -1157,6 +1367,7 @@ interface(`auth_manage_pam_console_data',`
  	files_search_pids($1)
  	manage_files_pattern($1, pam_var_console_t, pam_var_console_t)
  	manage_lnk_files_pattern($1, pam_var_console_t, pam_var_console_t)
@@ -76177,7 +76450,7 @@ index 6ce867a..283f236 100644
  ')
  
  #######################################
-@@ -1526,6 +1734,25 @@ interface(`auth_setattr_login_records',`
+@@ -1526,6 +1737,25 @@ interface(`auth_setattr_login_records',`
  
  ########################################
  ## <summary>
@@ -76203,7 +76476,7 @@ index 6ce867a..283f236 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1676,37 +1903,49 @@ interface(`auth_manage_login_records',`
+@@ -1676,37 +1906,49 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
@@ -76263,7 +76536,7 @@ index 6ce867a..283f236 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -1714,87 +1953,206 @@ interface(`auth_relabel_login_records',`
+@@ -1714,87 +1956,206 @@ interface(`auth_relabel_login_records',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -76521,7 +76794,7 @@ index 6ce867a..283f236 100644
 +	userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
  ')
 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index f12b8ff..b3e0efd 100644
+index f12b8ff..2293c1b 100644
 --- a/policy/modules/system/authlogin.te
 +++ b/policy/modules/system/authlogin.te
 @@ -5,22 +5,42 @@ policy_module(authlogin, 2.3.1)
@@ -76630,7 +76903,7 @@ index f12b8ff..b3e0efd 100644
  # Allow utemper to write to /tmp/.xses-*
  userdom_write_user_tmp_files(utempter_t)
  
-@@ -388,10 +416,75 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +416,74 @@ ifdef(`distro_ubuntu',`
  ')
  
  optional_policy(`
@@ -76651,7 +76924,6 @@ index f12b8ff..b3e0efd 100644
 +	')
 +')
 +
-+
 +auth_read_passwd(nsswitch_domain)
 +
 +# read /etc/nsswitch.conf
@@ -79852,7 +80124,7 @@ index 0646ee7..36e02fa 100644
  ')
  
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index ef8bbaf..2c2e6f4 100644
+index ef8bbaf..6721637 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
 @@ -28,14 +28,17 @@ ifdef(`distro_redhat',`
@@ -79909,7 +80181,15 @@ index ef8bbaf..2c2e6f4 100644
  
  /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -151,8 +158,8 @@ ifdef(`distro_redhat',`
+@@ -140,6 +147,7 @@ ifdef(`distro_redhat',`
+ /usr/lib/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/fglrx/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/libjs\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libzvbi\.so(\.[^/]*)* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/sse2/libx264\.so(\.[^/]*)* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -151,8 +159,8 @@ ifdef(`distro_redhat',`
  /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  /usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
@@ -79920,7 +80200,7 @@ index ef8bbaf..2c2e6f4 100644
  /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -244,8 +251,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
+@@ -244,8 +252,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_
  /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -79929,7 +80209,7 @@ index ef8bbaf..2c2e6f4 100644
  /usr/lib/.*/nprhapengine\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -299,17 +304,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+@@ -299,17 +305,153 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  #
  /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
@@ -82139,10 +82419,10 @@ index 560d5d9..86a7107 100644
  
  ifdef(`distro_gentoo',`
 diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..fa210cd 100644
+index 72c746e..f035d9f 100644
 --- a/policy/modules/system/mount.fc
 +++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,21 @@
+@@ -1,4 +1,26 @@
 +/bin/fusermount    		--      gen_context(system_u:object_r:fusermount_exec_t,s0)
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -82165,8 +82445,13 @@ index 72c746e..fa210cd 100644
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/mount(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
++
++/usr/sbin/mount\.ecryptfs_private 	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/mount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs_private	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
++/usr/sbin/umount\.ecryptfs	--	gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
 diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..4881d86 100644
+index 4584457..5b041ee 100644
 --- a/policy/modules/system/mount.if
 +++ b/policy/modules/system/mount.if
 @@ -16,6 +16,12 @@ interface(`mount_domtrans',`
@@ -82278,7 +82563,7 @@ index 4584457..4881d86 100644
  ##	</summary>
  ## </param>
  #
-@@ -131,45 +210,119 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +210,138 @@ interface(`mount_send_nfs_client_request',`
  
  ########################################
  ## <summary>
@@ -82413,12 +82698,31 @@ index 4584457..4881d86 100644
 +
 +    mount_domtrans_showmount($1)
 +    role $2 types showmount_t;
++')
++
++#######################################
++## <summary>
++##      Transition to ecryptmount.
++## </summary>
++## <param name="domain">
++## <summary>
++##      Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mount_domtrans_ecryptmount',`
++        gen_require(`
++                type mount_ecryptfs_t, mount_ecryptfs_exec_t;
++        ')
++
++        corecmd_search_bin($1)
++        domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
  ')
 diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6d3b14b..3eddba2 100644
+index 6d3b14b..a810a6b 100644
 --- a/policy/modules/system/mount.te
 +++ b/policy/modules/system/mount.te
-@@ -10,35 +10,52 @@ policy_module(mount, 1.14.2)
+@@ -10,35 +10,60 @@ policy_module(mount, 1.14.2)
  ## Allow the mount command to mount any directory or file.
  ## </p>
  ## </desc>
@@ -82465,6 +82769,14 @@ index 6d3b14b..3eddba2 100644
 +type showmount_exec_t;
 +application_domain(showmount_t, showmount_exec_t)
 +role system_r types showmount_t;
++
++type mount_ecryptfs_t;
++type mount_ecryptfs_exec_t;
++application_domain(mount_ecryptfs_t, mount_ecryptfs_exec_t)
++role system_r types mount_ecryptfs_t;
++
++type mount_ecryptfs_tmpfs_t;
++files_tmpfs_file(mount_ecryptfs_tmpfs_t)
  
  ########################################
  #
@@ -82482,7 +82794,7 @@ index 6d3b14b..3eddba2 100644
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -49,9 +66,24 @@ can_exec(mount_t, mount_exec_t)
+@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t)
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -82508,7 +82820,7 @@ index 6d3b14b..3eddba2 100644
  kernel_dontaudit_write_debugfs_dirs(mount_t)
  kernel_dontaudit_write_proc_dirs(mount_t)
  # To load binfmt_misc kernel module
-@@ -60,31 +92,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
  # required for mount.smbfs
  corecmd_exec_bin(mount_t)
  
@@ -82558,7 +82870,7 @@ index 6d3b14b..3eddba2 100644
  files_read_isid_type_files(mount_t)
  # For reading cert files
  files_read_usr_files(mount_t)
-@@ -92,28 +139,39 @@ files_list_mnt(mount_t)
+@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
  files_dontaudit_write_all_mountpoints(mount_t)
  files_dontaudit_setattr_all_mountpoints(mount_t)
  
@@ -82604,7 +82916,7 @@ index 6d3b14b..3eddba2 100644
  term_dontaudit_manage_pty_dirs(mount_t)
  
  auth_use_nsswitch(mount_t)
-@@ -121,6 +179,8 @@ auth_use_nsswitch(mount_t)
+@@ -121,6 +187,8 @@ auth_use_nsswitch(mount_t)
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -82613,16 +82925,17 @@ index 6d3b14b..3eddba2 100644
  
  logging_send_syslog_msg(mount_t)
  
-@@ -131,6 +191,8 @@ sysnet_use_portmap(mount_t)
+@@ -131,6 +199,9 @@ sysnet_use_portmap(mount_t)
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
 +userdom_manage_user_home_content_dirs(mount_t)
 +userdom_read_user_home_content_symlinks(mount_t)
++userdom_list_user_tmp(mount_t)
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -146,26 +208,28 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +217,28 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -82662,7 +82975,7 @@ index 6d3b14b..3eddba2 100644
  	corenet_tcp_bind_generic_port(mount_t)
  	corenet_udp_bind_generic_port(mount_t)
  	corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +243,8 @@ optional_policy(`
+@@ -179,6 +252,8 @@ optional_policy(`
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -82671,7 +82984,7 @@ index 6d3b14b..3eddba2 100644
  ')
  
  optional_policy(`
-@@ -186,6 +252,28 @@ optional_policy(`
+@@ -186,6 +261,28 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -82700,7 +83013,7 @@ index 6d3b14b..3eddba2 100644
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -193,21 +281,96 @@ optional_policy(`
+@@ -193,21 +290,124 @@ optional_policy(`
  	')
  ')
  
@@ -82753,12 +83066,10 @@ index 6d3b14b..3eddba2 100644
 +optional_policy(`
 +	ssh_exec(mount_t)
 +')
- 
- optional_policy(`
--	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
--	unconfined_domain(unconfined_mount_t)
++
++optional_policy(`
 +	usbmuxd_stream_connect(mount_t)
- ')
++')
 +
 +optional_policy(`
 +	userhelper_exec_console(mount_t)
@@ -82767,10 +83078,12 @@ index 6d3b14b..3eddba2 100644
 +optional_policy(`
 +	virt_read_blk_images(mount_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+-	unconfined_domain(unconfined_mount_t)
 +	vmware_exec_host(mount_t)
-+')
+ ')
 +
 +######################################
 +#
@@ -82804,6 +83117,34 @@ index 6d3b14b..3eddba2 100644
 +sysnet_dns_name_resolve(showmount_t)
 +
 +userdom_use_inherited_user_terminals(showmount_t)
++
++#######################################
++#
++# mount_ecryptfs local policy
++#
++
++domtrans_pattern(mount_ecryptfs_t, mount_exec_t, mount_t)
++
++allow mount_ecryptfs_t self:capability setgid;
++allow mount_ecryptfs_t self:capability { setuid sys_admin };
++allow mount_ecryptfs_t self:fifo_file rw_fifo_file_perms;
++allow mount_ecryptfs_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++manage_files_pattern(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, mount_ecryptfs_tmpfs_t)
++fs_tmpfs_filetrans(mount_ecryptfs_t, mount_ecryptfs_tmpfs_t, { dir file })
++userdom_rw_user_tmpfs_files(mount_ecryptfs_t)
++
++domain_use_interactive_fds(mount_ecryptfs_t)
++
++files_read_etc_files(mount_ecryptfs_t)
++
++fs_read_ecryptfs_symlinks(mount_ecryptfs_t)
++fs_read_ecryptfs_files(mount_ecryptfs_t)
++
++auth_use_nsswitch(mount_ecryptfs_t)
++
++miscfiles_read_localization(mount_ecryptfs_t)
 diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
 index b263a8a..9348c8c 100644
 --- a/policy/modules/system/netlabel.fc
@@ -87146,7 +87487,7 @@ index db75976..ce61aed 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index e720dcd..3361868 100644
+index e720dcd..4272eef 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -89621,7 +89962,7 @@ index e720dcd..3361868 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3296,3 +4106,1292 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3296,3 +4106,1282 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -89648,11 +89989,6 @@ index e720dcd..3361868 100644
 +## <summary>
 +##	Define this type as a Allow apps to set rlimits on userdomain
 +## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
 +## <param name="userdomain_prefix">
 +##	<summary>
 +##	The prefix of the user domain (e.g., user
@@ -89682,11 +90018,6 @@ index e720dcd..3361868 100644
 +## <summary>
 +##  Define this type as a Allow apps to set rlimits on userdomain
 +## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
 +## <param name="userdomain_prefix">
 +##  <summary>
 +##  The prefix of the user domain (e.g., user
@@ -90915,7 +91246,7 @@ index e720dcd..3361868 100644
 +	typeattribute $1 userdom_home_manager_type;
 +')
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index 47efe9a..4136fa9 100644
+index 47efe9a..1fa68b1 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,17 +7,17 @@ policy_module(userdomain, 4.7.2)
@@ -90990,7 +91321,7 @@ index 47efe9a..4136fa9 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -71,26 +102,112 @@ ubac_constrained(user_home_dir_t)
+@@ -71,26 +102,121 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -91086,6 +91417,10 @@ index 47efe9a..4136fa9 100644
 +    fs_read_fusefs_files(userdom_home_reader_type)
 +')
 +
++tunable_policy(`use_ecryptfs_home_dirs',`
++        fs_read_ecryptfs_files(userdom_home_reader_type)
++')
++
 +tunable_policy(`use_nfs_home_dirs',`
 +    fs_list_auto_mountpoints(userdom_home_manager_type)
 +    fs_manage_nfs_dirs(userdom_home_manager_type)
@@ -91105,6 +91440,11 @@ index 47efe9a..4136fa9 100644
 +    fs_manage_fusefs_symlinks(userdom_home_manager_type)
 +')
 +
++tunable_policy(`use_ecryptfs_home_dirs',`
++	fs_manage_ecryptfs_dirs(userdom_home_manager_type)
++	fs_manage_ecryptfs_files(userdom_home_manager_type)
++	fs_manage_ecryptfs_files(userdom_home_manager_type)
++')
 diff --git a/policy/support/misc_patterns.spt b/policy/support/misc_patterns.spt
 index e79d545..101086d 100644
 --- a/policy/support/misc_patterns.spt
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index a870673..8566bc4 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -745,7 +745,7 @@ index 1adca53..18e0e41 100644
  
  /var/lib/AccountsService(/.*)?			gen_context(system_u:object_r:accountsd_var_lib_t,s0)
 diff --git a/accountsd.if b/accountsd.if
-index c0f858d..10a0cd6 100644
+index c0f858d..d75aae9 100644
 --- a/accountsd.if
 +++ b/accountsd.if
 @@ -5,9 +5,9 @@
@@ -769,17 +769,21 @@ index c0f858d..10a0cd6 100644
  ##	</summary>
  ## </param>
  #
-@@ -118,6 +118,29 @@ interface(`accountsd_manage_lib_files',`
+@@ -118,28 +118,54 @@ interface(`accountsd_manage_lib_files',`
  
  ########################################
  ## <summary>
+-##	All of the rules required to administrate
+-##	an accountsd environment
 +##	Execute accountsd server in the accountsd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allowed to transition.
-+##	</summary>
-+## </param>
+ ##	</summary>
+ ## </param>
+-## <param name="role">
 +#
 +interface(`accountsd_systemctl',`
 +	gen_require(`
@@ -796,10 +800,17 @@ index c0f858d..10a0cd6 100644
 +
 +########################################
 +## <summary>
- ##	All of the rules required to administrate
- ##	an accountsd environment
- ## </summary>
-@@ -136,10 +159,19 @@ interface(`accountsd_manage_lib_files',`
++##	All of the rules required to administrate
++##	an accountsd environment
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	Role allowed access.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
  interface(`accountsd_admin',`
  	gen_require(`
  		type accountsd_t;
@@ -1549,7 +1560,7 @@ index e81bdbd..63ab279 100644
  
  optional_policy(`
 diff --git a/apache.fc b/apache.fc
-index fd9fa07..84bc8d6 100644
+index fd9fa07..2679748 100644
 --- a/apache.fc
 +++ b/apache.fc
 @@ -1,39 +1,54 @@
@@ -1640,7 +1651,7 @@ index fd9fa07..84bc8d6 100644
  
  /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
  /var/cache/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_cache_t,s0)
-@@ -73,25 +92,36 @@ ifdef(`distro_suse', `
+@@ -73,31 +92,43 @@ ifdef(`distro_suse', `
  /var/cache/ssl.*\.sem		--	gen_context(system_u:object_r:httpd_cache_t,s0)
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -1681,7 +1692,14 @@ index fd9fa07..84bc8d6 100644
  /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -109,3 +139,25 @@ ifdef(`distro_debian', `
+ /var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/user/apache(/.*)?		gen_context(system_u:object_r:httpd_tmp_t,s0)
+ 
+ /var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+ /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
+@@ -109,3 +140,25 @@ ifdef(`distro_debian', `
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/perl(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -1708,7 +1726,7 @@ index fd9fa07..84bc8d6 100644
 +/var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)?       gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --git a/apache.if b/apache.if
-index 6480167..d0bf548 100644
+index 6480167..d30bdbf 100644
 --- a/apache.if
 +++ b/apache.if
 @@ -13,62 +13,46 @@
@@ -2353,7 +2371,7 @@ index 6480167..d0bf548 100644
  	admin_pattern($1, httpd_log_t)
  
  	admin_pattern($1, httpd_modules_t)
-@@ -1205,14 +1349,93 @@ interface(`apache_admin',`
+@@ -1205,14 +1349,88 @@ interface(`apache_admin',`
  	admin_pattern($1, httpd_var_run_t)
  	files_pid_filetrans($1, httpd_var_run_t, file)
  
@@ -2376,13 +2394,6 @@ index 6480167..d0bf548 100644
 +	admin_pattern($1, httpd_unit_file_t)
 +	allow $1 httpd_unit_file_t:service all_service_perms;
 +
-+	ifdef(`TODO',`
-+		apache_set_booleans($1, $2, $3, httpd_bool_t)
-+		seutil_setsebool_role_template($1, $3, $2)
-+		allow httpd_setsebool_t httpd_bool_t:dir list_dir_perms;
-+		allow httpd_setsebool_t httpd_bool_t:file rw_file_perms;
-+	')
-+
 +	apache_filetrans_named_content($1)
 +')
 +
@@ -2422,11 +2433,13 @@ index 6480167..d0bf548 100644
 +interface(`apache_filetrans_named_content',`
 +	gen_require(`
 +		type httpd_sys_content_t, httpd_sys_rw_content_t;
++		type httpd_tmp_t;
 +	')
 +
 +
 +	apache_filetrans_home_content($1)
 +	filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
++	userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
 +')
 +
 +########################################
@@ -2453,7 +2466,7 @@ index 6480167..d0bf548 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
  ')
 diff --git a/apache.te b/apache.te
-index a36a01d..f6aad32 100644
+index a36a01d..bde887f 100644
 --- a/apache.te
 +++ b/apache.te
 @@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
@@ -2772,7 +2785,7 @@ index a36a01d..f6aad32 100644
  
  # Allow the httpd_t to read the web servers config files
  allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -336,8 +494,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -336,8 +494,10 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -2780,10 +2793,11 @@ index a36a01d..f6aad32 100644
  manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 -files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
 +files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
++userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
  
  manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -346,8 +505,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -346,8 +506,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
  fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -2794,7 +2808,7 @@ index a36a01d..f6aad32 100644
  
  setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
  manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -362,6 +522,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -362,6 +523,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -2804,7 +2818,7 @@ index a36a01d..f6aad32 100644
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -372,11 +535,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -372,11 +536,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
  corenet_tcp_sendrecv_all_ports(httpd_t)
  corenet_udp_sendrecv_all_ports(httpd_t)
  corenet_tcp_bind_generic_node(httpd_t)
@@ -2825,7 +2839,7 @@ index a36a01d..f6aad32 100644
  
  dev_read_sysfs(httpd_t)
  dev_read_rand(httpd_t)
-@@ -385,9 +556,14 @@ dev_rw_crypto(httpd_t)
+@@ -385,9 +557,14 @@ dev_rw_crypto(httpd_t)
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
@@ -2840,7 +2854,7 @@ index a36a01d..f6aad32 100644
  # execute perl
  corecmd_exec_bin(httpd_t)
  corecmd_exec_shell(httpd_t)
-@@ -398,6 +574,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -398,6 +575,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
@@ -2848,7 +2862,7 @@ index a36a01d..f6aad32 100644
  files_read_var_lib_files(httpd_t)
  files_search_home(httpd_t)
  files_getattr_home_dir(httpd_t)
-@@ -409,48 +586,101 @@ files_read_etc_files(httpd_t)
+@@ -409,48 +587,101 @@ files_read_etc_files(httpd_t)
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -2954,7 +2968,7 @@ index a36a01d..f6aad32 100644
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +691,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +692,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
  	fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
  ')
  
@@ -3018,7 +3032,7 @@ index a36a01d..f6aad32 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +755,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +756,22 @@ tunable_policy(`httpd_can_sendmail',`
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3041,7 +3055,7 @@ index a36a01d..f6aad32 100644
  ')
  
  tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +790,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,9 +791,19 @@ tunable_policy(`httpd_ssi_exec',`
  # to run correctly without this permission, so the permission
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
@@ -3062,7 +3076,7 @@ index a36a01d..f6aad32 100644
  ')
  
  optional_policy(`
-@@ -525,6 +814,9 @@ optional_policy(`
+@@ -525,6 +815,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3072,7 +3086,7 @@ index a36a01d..f6aad32 100644
  	cobbler_search_lib(httpd_t)
  ')
  
-@@ -540,6 +832,24 @@ optional_policy(`
+@@ -540,6 +833,24 @@ optional_policy(`
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -3097,7 +3111,7 @@ index a36a01d..f6aad32 100644
   optional_policy(`
  	dbus_system_bus_client(httpd_t)
  
-@@ -549,12 +859,21 @@ optional_policy(`
+@@ -549,13 +860,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3118,9 +3132,12 @@ index a36a01d..f6aad32 100644
 +
 +optional_policy(`
  	kerberos_keytab_template(httpd, httpd_t)
++	kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
++	kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
  ')
  
-@@ -568,7 +887,21 @@ optional_policy(`
+ optional_policy(`
+@@ -568,7 +890,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3142,7 +3159,7 @@ index a36a01d..f6aad32 100644
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -579,6 +912,7 @@ optional_policy(`
+@@ -579,6 +915,7 @@ optional_policy(`
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -3150,7 +3167,7 @@ index a36a01d..f6aad32 100644
  ')
  
  optional_policy(`
-@@ -589,6 +923,33 @@ optional_policy(`
+@@ -589,6 +926,33 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3184,7 +3201,7 @@ index a36a01d..f6aad32 100644
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
  	postgresql_unpriv_client(httpd_t)
-@@ -603,6 +964,11 @@ optional_policy(`
+@@ -603,6 +967,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3196,7 +3213,7 @@ index a36a01d..f6aad32 100644
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -615,6 +981,12 @@ optional_policy(`
+@@ -615,6 +984,12 @@ optional_policy(`
  	yam_read_content(httpd_t)
  ')
  
@@ -3209,7 +3226,7 @@ index a36a01d..f6aad32 100644
  ########################################
  #
  # Apache helper local policy
-@@ -628,7 +1000,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -628,7 +1003,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
  
  logging_send_syslog_msg(httpd_helper_t)
  
@@ -3222,7 +3239,7 @@ index a36a01d..f6aad32 100644
  
  ########################################
  #
-@@ -666,28 +1042,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -666,28 +1045,30 @@ libs_exec_lib_files(httpd_php_t)
  userdom_use_unpriv_users_fds(httpd_php_t)
  
  tunable_policy(`httpd_can_network_connect_db',`
@@ -3266,7 +3283,7 @@ index a36a01d..f6aad32 100644
  ')
  
  ########################################
-@@ -697,6 +1075,7 @@ optional_policy(`
+@@ -697,6 +1078,7 @@ optional_policy(`
  
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
@@ -3274,7 +3291,7 @@ index a36a01d..f6aad32 100644
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,14 +1090,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -711,14 +1093,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -3298,7 +3315,7 @@ index a36a01d..f6aad32 100644
  # for shell scripts
  corecmd_exec_bin(httpd_suexec_t)
  corecmd_exec_shell(httpd_suexec_t)
-@@ -752,13 +1140,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -752,13 +1143,31 @@ tunable_policy(`httpd_can_network_connect',`
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -3331,7 +3348,7 @@ index a36a01d..f6aad32 100644
  	fs_read_nfs_files(httpd_suexec_t)
  	fs_read_nfs_symlinks(httpd_suexec_t)
  	fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1187,25 @@ optional_policy(`
+@@ -781,6 +1190,25 @@ optional_policy(`
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -3357,7 +3374,7 @@ index a36a01d..f6aad32 100644
  ########################################
  #
  # Apache system script local policy
-@@ -801,12 +1226,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -801,12 +1229,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
  
  kernel_read_kernel_sysctls(httpd_sys_script_t)
  
@@ -3375,7 +3392,7 @@ index a36a01d..f6aad32 100644
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -815,18 +1245,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -815,18 +1248,50 @@ tunable_policy(`httpd_can_sendmail',`
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -3432,7 +3449,7 @@ index a36a01d..f6aad32 100644
  	corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
  	corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1296,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -834,14 +1299,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  ')
  
  tunable_policy(`httpd_enable_homedirs',`
@@ -3473,7 +3490,7 @@ index a36a01d..f6aad32 100644
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1341,20 @@ optional_policy(`
+@@ -854,10 +1344,20 @@ optional_policy(`
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3494,7 +3511,7 @@ index a36a01d..f6aad32 100644
  ')
  
  ########################################
-@@ -903,11 +1400,146 @@ optional_policy(`
+@@ -903,11 +1403,146 @@ optional_policy(`
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -3823,7 +3840,7 @@ index 1ea99b2..0b668ae 100644
 +	ps_process_pattern($1, apmd_t)
  ')
 diff --git a/apm.te b/apm.te
-index 1c8c27e..13a6f08 100644
+index 1c8c27e..35d798f 100644
 --- a/apm.te
 +++ b/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -3931,14 +3948,18 @@ index 1c8c27e..13a6f08 100644
  	dbus_system_bus_client(apmd_t)
  
  	optional_policy(`
-@@ -209,8 +233,9 @@ optional_policy(`
+@@ -209,8 +233,13 @@ optional_policy(`
  	pcmcia_domtrans_cardctl(apmd_t)
  ')
  
 +
++optional_policy(`
++	shutdown_domtrans(apmd_t)
++')
++
  optional_policy(`
 -	seutil_sigchld_newrole(apmd_t)
-+	shutdown_domtrans(apmd_t)
++	systemd_dbus_chat_logind(apmd_t)
  ')
  
  optional_policy(`
@@ -5912,19 +5933,27 @@ index 2c2cdb6..73b3814 100644
 +        role $2 types brctl_t;
 +')
 diff --git a/bugzilla.if b/bugzilla.if
-index de89d0f..954e726 100644
+index de89d0f..86e4ee7 100644
 --- a/bugzilla.if
 +++ b/bugzilla.if
-@@ -58,13 +58,20 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+@@ -48,23 +48,24 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
+-##	<summary>
+-##	The role to be allowed to manage the bugzilla domain.
+-##	</summary>
+-## </param>
+-## <rolecap/>
+ #
  interface(`bugzilla_admin',`
  	gen_require(`
  		type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
--		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
+ 		type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
 -		type httpd_bugzilla_htaccess_t;
--	')
-+        type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
-+        type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
-+    ')
++		type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
+ 	')
  
 -	allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
 +	allow $1 httpd_bugzilla_script_t:process signal_perms;
@@ -10819,10 +10848,10 @@ index 0000000..196461b
 +/var/run/couchdb(/.*)?		gen_context(system_u:object_r:couchdb_var_run_t,s0)
 diff --git a/couchdb.if b/couchdb.if
 new file mode 100644
-index 0000000..31692fb
+index 0000000..3e17383
 --- /dev/null
 +++ b/couchdb.if
-@@ -0,0 +1,249 @@
+@@ -0,0 +1,244 @@
 +
 +## <summary>policy for couchdb</summary>
 +
@@ -11034,11 +11063,6 @@ index 0000000..31692fb
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
 +## <rolecap/>
 +#
 +interface(`couchdb_admin',`
@@ -12947,7 +12971,7 @@ index 305ddf4..3629b92 100644
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/cups.te b/cups.te
-index 6e7f1b6..f7dabbe 100644
+index 6e7f1b6..a699948 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -13063,10 +13087,11 @@ index 6e7f1b6..f7dabbe 100644
  	')
  ')
  
-@@ -311,10 +319,22 @@ optional_policy(`
+@@ -311,10 +319,23 @@ optional_policy(`
  ')
  
  optional_policy(`
++	kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
 +	kerberos_manage_host_rcache(cupsd_t)
 +')
 +
@@ -13086,7 +13111,7 @@ index 6e7f1b6..f7dabbe 100644
  	mta_send_mail(cupsd_t)
  ')
  
-@@ -322,6 +342,8 @@ optional_policy(`
+@@ -322,6 +343,8 @@ optional_policy(`
  	# cups execs smbtool which reads samba_etc_t files
  	samba_read_config(cupsd_t)
  	samba_rw_var_files(cupsd_t)
@@ -13095,7 +13120,7 @@ index 6e7f1b6..f7dabbe 100644
  ')
  
  optional_policy(`
-@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +394,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
  
  allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
  
@@ -13106,7 +13131,7 @@ index 6e7f1b6..f7dabbe 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -425,11 +448,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -13120,7 +13145,7 @@ index 6e7f1b6..f7dabbe 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +476,10 @@ optional_policy(`
+@@ -453,6 +477,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13131,7 +13156,7 @@ index 6e7f1b6..f7dabbe 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +494,10 @@ optional_policy(`
+@@ -467,6 +495,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -13142,7 +13167,7 @@ index 6e7f1b6..f7dabbe 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -537,6 +568,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
  corenet_tcp_bind_generic_node(cupsd_lpd_t)
  corenet_udp_bind_generic_node(cupsd_lpd_t)
  corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -13150,7 +13175,7 @@ index 6e7f1b6..f7dabbe 100644
  
  dev_read_urand(cupsd_lpd_t)
  dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +619,22 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -13183,7 +13208,7 @@ index 6e7f1b6..f7dabbe 100644
  ')
  
  ########################################
-@@ -661,10 +692,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t)
  corenet_udp_bind_generic_node(hplip_t)
  corenet_tcp_bind_hplip_port(hplip_t)
  corenet_tcp_connect_hplip_port(hplip_t)
@@ -13197,7 +13222,7 @@ index 6e7f1b6..f7dabbe 100644
  
  dev_read_sysfs(hplip_t)
  dev_rw_printer(hplip_t)
-@@ -685,6 +716,9 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -13207,7 +13232,7 @@ index 6e7f1b6..f7dabbe 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +730,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -15728,10 +15753,10 @@ index 0000000..b214253
 +')
 diff --git a/dirsrv.te b/dirsrv.te
 new file mode 100644
-index 0000000..71f225b
+index 0000000..4409b7d
 --- /dev/null
 +++ b/dirsrv.te
-@@ -0,0 +1,194 @@
+@@ -0,0 +1,197 @@
 +policy_module(dirsrv,1.0.0)
 +
 +########################################
@@ -15869,6 +15894,9 @@ index 0000000..71f225b
 +
 +optional_policy(`
 +	kerberos_use(dirsrv_t)
++	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
++	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
++	kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
 +')
 +
 +# FIPS mode
@@ -15983,7 +16011,7 @@ index b886676..3d5ca2b 100644
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 diff --git a/dnsmasq.if b/dnsmasq.if
-index 9bd812b..9b48f71 100644
+index 9bd812b..53f895e 100644
 --- a/dnsmasq.if
 +++ b/dnsmasq.if
 @@ -10,7 +10,6 @@
@@ -16049,7 +16077,7 @@ index 9bd812b..9b48f71 100644
  ##	Send dnsmasq a signal
  ## </summary>
  ## <param name="domain">
-@@ -144,12 +184,12 @@ interface(`dnsmasq_write_config',`
+@@ -144,18 +184,18 @@ interface(`dnsmasq_write_config',`
  ##	</summary>
  ## </param>
  #
@@ -16063,11 +16091,36 @@ index 9bd812b..9b48f71 100644
  	delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
  ')
  
-@@ -163,17 +203,80 @@ interface(`dnsmasq_delete_pid_files',`
+ ########################################
+ ## <summary>
+-##	Read dnsmasq pid files
++##	Manage dnsmasq pid files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -163,17 +203,99 @@ interface(`dnsmasq_delete_pid_files',`
  ##	</summary>
  ## </param>
  #
--#
++interface(`dnsmasq_manage_pid_files',`
++	gen_require(`
++		type dnsmasq_var_run_t;
++	')
++
++	files_search_pids($1)
++	manage_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
++')
++
++########################################
++## <summary>
++##	Read dnsmasq pid files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
+ #
  interface(`dnsmasq_read_pid_files',`
  	gen_require(`
  		type dnsmasq_var_run_t;
@@ -16145,7 +16198,7 @@ index 9bd812b..9b48f71 100644
  ##	All of the rules required to administrate
  ##	an dnsmasq environment
  ## </summary>
-@@ -193,10 +296,14 @@ interface(`dnsmasq_admin',`
+@@ -193,10 +315,14 @@ interface(`dnsmasq_admin',`
  	gen_require(`
  		type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
  		type dnsmasq_initrc_exec_t;
@@ -16161,7 +16214,7 @@ index 9bd812b..9b48f71 100644
  
  	init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -208,4 +315,8 @@ interface(`dnsmasq_admin',`
+@@ -208,4 +334,8 @@ interface(`dnsmasq_admin',`
  
  	files_list_pids($1)
  	admin_pattern($1, dnsmasq_var_run_t)
@@ -16249,10 +16302,10 @@ index 0000000..9e231a8
 +/var/run/dnssec.*			gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
 diff --git a/dnssec.if b/dnssec.if
 new file mode 100755
-index 0000000..a9dbcf2
+index 0000000..a952041
 --- /dev/null
 +++ b/dnssec.if
-@@ -0,0 +1,70 @@
+@@ -0,0 +1,64 @@
 +
 +## <summary>policy for dnssec_trigger</summary>
 +
@@ -16304,12 +16357,6 @@ index 0000000..a9dbcf2
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`dnssec_trigger_admin',`
 +	gen_require(`
@@ -16531,7 +16578,7 @@ index e1d7dc5..df96c0d 100644
  	admin_pattern($1, dovecot_var_run_t)
  
 diff --git a/dovecot.te b/dovecot.te
-index 2df7766..53efc0b 100644
+index 2df7766..0e55b6d 100644
 --- a/dovecot.te
 +++ b/dovecot.te
 @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16623,8 +16670,11 @@ index 2df7766..53efc0b 100644
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_manage_user_home_content_dirs(dovecot_t)
  userdom_manage_user_home_content_files(dovecot_t)
-@@ -154,16 +164,31 @@ userdom_manage_user_home_content_sockets(dovecot_t)
+@@ -152,18 +162,34 @@ userdom_manage_user_home_content_symlinks(dovecot_t)
+ userdom_manage_user_home_content_pipes(dovecot_t)
+ userdom_manage_user_home_content_sockets(dovecot_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
++mta_manage_home_rw(dovecot_t)
  
  mta_manage_spool(dovecot_t)
 +mta_read_home_rw(dovecot_t)
@@ -16655,7 +16705,7 @@ index 2df7766..53efc0b 100644
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -180,8 +205,8 @@ optional_policy(`
+@@ -180,8 +206,8 @@ optional_policy(`
  # dovecot auth local policy
  #
  
@@ -16666,7 +16716,7 @@ index 2df7766..53efc0b 100644
  allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
  allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
  allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +216,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
  
  read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
  
@@ -16676,7 +16726,7 @@ index 2df7766..53efc0b 100644
  manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
  files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,9 +230,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
  kernel_read_all_sysctls(dovecot_auth_t)
  kernel_read_system_state(dovecot_auth_t)
  
@@ -16689,7 +16739,7 @@ index 2df7766..53efc0b 100644
  dev_read_urand(dovecot_auth_t)
  
  auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t)
+@@ -216,7 +248,8 @@ files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
  files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
@@ -16699,7 +16749,7 @@ index 2df7766..53efc0b 100644
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -236,6 +268,8 @@ optional_policy(`
+@@ -236,6 +269,8 @@ optional_policy(`
  optional_policy(`
  	mysql_search_db(dovecot_auth_t)
  	mysql_stream_connect(dovecot_auth_t)
@@ -16708,7 +16758,7 @@ index 2df7766..53efc0b 100644
  ')
  
  optional_policy(`
-@@ -243,6 +277,8 @@ optional_policy(`
+@@ -243,6 +278,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16717,7 +16767,7 @@ index 2df7766..53efc0b 100644
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -250,23 +286,42 @@ optional_policy(`
+@@ -250,23 +287,42 @@ optional_policy(`
  #
  # dovecot deliver local policy
  #
@@ -16762,7 +16812,7 @@ index 2df7766..53efc0b 100644
  
  miscfiles_read_localization(dovecot_deliver_t)
  
-@@ -283,24 +338,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +339,23 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
  userdom_manage_user_home_content_sockets(dovecot_deliver_t)
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
@@ -18942,7 +18992,7 @@ index 9d3201b..6e75e3d 100644
 +	allow $1 ftpd_unit_file_t:service all_service_perms;
  ')
 diff --git a/ftp.te b/ftp.te
-index 4285c83..2edc3a2 100644
+index 4285c83..d1b00d0 100644
 --- a/ftp.te
 +++ b/ftp.te
 @@ -12,7 +12,7 @@ policy_module(ftp, 1.13.1)
@@ -19181,7 +19231,7 @@ index 4285c83..2edc3a2 100644
  ')
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
-@@ -309,10 +353,34 @@ optional_policy(`
+@@ -309,10 +353,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19195,6 +19245,7 @@ index 4285c83..2edc3a2 100644
 -	kerberos_manage_host_rcache(ftpd_t)
 +	# this part of auth_use_pam
 +	#kerberos_manage_host_rcache(ftpd_t)
++	kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
 +')
 +
 +optional_policy(`
@@ -19217,7 +19268,7 @@ index 4285c83..2edc3a2 100644
  ')
  
  optional_policy(`
-@@ -347,16 +415,17 @@ optional_policy(`
+@@ -347,16 +416,17 @@ optional_policy(`
  
  # Allow ftpdctl to talk to ftpd over a socket connection
  stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -19237,7 +19288,7 @@ index 4285c83..2edc3a2 100644
  
  ########################################
  #
-@@ -365,18 +434,33 @@ userdom_use_user_terminals(ftpdctl_t)
+@@ -365,18 +435,33 @@ userdom_use_user_terminals(ftpdctl_t)
  
  files_read_etc_files(sftpd_t)
  
@@ -19274,7 +19325,7 @@ index 4285c83..2edc3a2 100644
  ')
  
  tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -394,19 +478,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
+@@ -394,19 +479,7 @@ tunable_policy(`sftpd_enable_homedirs && use_samba_home_dirs',`
  tunable_policy(`sftpd_full_access',`
  	allow sftpd_t self:capability { dac_override dac_read_search };
  	fs_read_noxattr_fs_files(sftpd_t)
@@ -20117,6 +20168,290 @@ index 4afb81f..842165a 100644
  fs_getattr_xattr_fs(glance_api_t)
 -
 -libs_exec_ldconfig(glance_api_t)
+diff --git a/glusterd.fc b/glusterd.fc
+new file mode 100644
+index 0000000..6418e39
+--- /dev/null
++++ b/glusterd.fc
+@@ -0,0 +1,16 @@
++
++/etc/rc\.d/init\.d/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++
++/etc/glusterfs(/.*)?			gen_context(system_u:object_r:glusterd_etc_t,s0)
++/etc/glusterd(/.*)?			gen_context(system_u:object_r:glusterd_etc_t,s0)
++
++/usr/sbin/glusterd		--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
++/usr/sbin/glusterfsd		--	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++/opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
++
++/var/log/glusterfs(/.*)?		gen_context(system_u:object_r:glusterd_log_t,s0)
++
++/var/run/glusterd(/.*)?			gen_context(system_u:object_r:glusterd_var_run_t,s0)
++/var/run/glusterd\.pid		--	gen_context(system_u:object_r:glusterd_var_run_t,s0)
++
+diff --git a/glusterd.if b/glusterd.if
+new file mode 100644
+index 0000000..e15bbb0
+--- /dev/null
++++ b/glusterd.if
+@@ -0,0 +1,146 @@
++
++## <summary>policy for glusterd</summary>
++
++
++########################################
++## <summary>
++##	Transition to glusterd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`glusterd_domtrans',`
++	gen_require(`
++		type glusterd_t, glusterd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, glusterd_exec_t, glusterd_t)
++')
++
++
++########################################
++## <summary>
++##	Execute glusterd server in the glusterd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`glusterd_initrc_domtrans',`
++	gen_require(`
++		type glusterd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
++')
++
++
++########################################
++## <summary>
++##	Read glusterd's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`glusterd_read_log',`
++	gen_require(`
++		type glusterd_log_t;
++	')
++
++	logging_search_logs($1)
++	read_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++## <summary>
++##	Append to glusterd log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`glusterd_append_log',`
++	gen_require(`
++		type glusterd_log_t;
++	')
++
++	logging_search_logs($1)
++	append_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++## <summary>
++##	Manage glusterd log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`glusterd_manage_log',`
++	gen_require(`
++		type glusterd_log_t;
++	')
++
++	logging_search_logs($1)
++	manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
++	manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
++	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an glusterd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`glusterd_admin',`
++	gen_require(`
++		type glusterd_t;
++		type glusterd_initrc_exec_t;
++		type glusterd_log_t;
++		type glusterd_tmp_t;
++		type glusterd_etc_t; 
++	')
++
++	allow $1 glusterd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, glusterd_t)
++
++	glusterd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 glusterd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	logging_search_logs($1)
++	admin_pattern($1, glusterd_log_t)
++
++	admin_pattern($1, glusterd_tmp_t)
++
++	admin_pattern($1, glusterd_etc_t)
++
++')
++
+diff --git a/glusterd.te b/glusterd.te
+new file mode 100644
+index 0000000..8dfb74a
+--- /dev/null
++++ b/glusterd.te
+@@ -0,0 +1,104 @@
++policy_module(glusterd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type glusterd_t;
++type glusterd_exec_t;
++init_daemon_domain(glusterd_t, glusterd_exec_t)
++
++type glusterd_etc_t;
++files_type(glusterd_etc_t)
++
++type glusterd_tmp_t;
++files_tmp_file(glusterd_tmp_t)
++
++type glusterd_initrc_exec_t;
++init_script_file(glusterd_initrc_exec_t)
++
++type glusterd_log_t;
++logging_log_file(glusterd_log_t)
++
++type glusterd_var_run_t;
++files_pid_file(glusterd_var_run_t)
++
++type glusterd_var_lib_t;
++files_type(glusterd_var_lib_t);
++
++
++########################################
++#
++# glusterd local policy
++#
++
++allow glusterd_t self:capability { net_bind_service sys_admin dac_override chown dac_read_search fowner };
++allow glusterd_t self:process { setrlimit signal };
++allow glusterd_t self:capability sys_resource;
++
++allow glusterd_t self:fifo_file rw_fifo_file_perms;
++allow glusterd_t self:netlink_route_socket r_netlink_socket_perms;
++allow glusterd_t self:tcp_socket create_stream_socket_perms;
++allow glusterd_t self:udp_socket create_socket_perms;
++allow glusterd_t self:unix_stream_socket create_stream_socket_perms;
++allow glusterd_t self:unix_dgram_socket create_socket_perms;
++
++manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
++files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file }) 
++userdom_user_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
++
++manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++manage_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
++logging_log_filetrans(glusterd_t, glusterd_log_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
++files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, { dir file })
++
++manage_dirs_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
++manage_files_pattern(glusterd_t, glusterd_etc_t, glusterd_etc_t)
++files_etc_filetrans(glusterd_t, glusterd_etc_t, { dir file }, "glusterfs")
++
++can_exec(glusterd_t, glusterd_exec_t)
++
++kernel_read_system_state(glusterd_t)
++
++corecmd_exec_bin(glusterd_t)
++corecmd_exec_shell(glusterd_t)
++
++domain_use_interactive_fds(glusterd_t)
++
++corenet_tcp_bind_generic_node(glusterd_t)
++corenet_tcp_bind_generic_port(glusterd_t)
++corenet_tcp_bind_all_reserved_ports(glusterd_t)
++corenet_udp_bind_all_rpc_ports(glusterd_t)
++corenet_tcp_connect_unreserved_ports(glusterd_t)
++corenet_udp_bind_generic_node(glusterd_t)
++corenet_udp_bind_ipp_port(glusterd_t)
++
++dev_read_sysfs(glusterd_t)
++dev_read_urand(glusterd_t)
++
++files_read_etc_files(glusterd_t)
++files_read_usr_files(glusterd_t)
++files_rw_pid_dirs(glusterd_t)
++
++# Why is this needed
++#files_manage_urandom_seed(glusterd_t)
++
++auth_use_nsswitch(glusterd_t)
++
++logging_send_syslog_msg(glusterd_t)
++
++miscfiles_read_localization(glusterd_t)
++
++sysnet_read_config(glusterd_t)
++
++userdom_manage_user_home_dirs(glusterd_t)
 diff --git a/gnome.fc b/gnome.fc
 index 00a19e3..17006fc 100644
 --- a/gnome.fc
@@ -20179,7 +20514,7 @@ index 00a19e3..17006fc 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index f5afe78..e283f63 100644
+index f5afe78..8da3abc 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,44 +1,937 @@
@@ -21179,10 +21514,11 @@ index f5afe78..e283f63 100644
 +	list_dirs_pattern($1, config_home_t, config_home_t)
 +	read_files_pattern($1, config_home_t, config_home_t)
 +	read_lnk_files_pattern($1, config_home_t, config_home_t)
-+')
-+
-+#######################################
-+## <summary>
+ ')
+ 
+ #######################################
+ ## <summary>
+-##	Create, read, write, and delete gconf config files.
 +##  delete gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
@@ -21197,11 +21533,10 @@ index f5afe78..e283f63 100644
 +    ')
 +
 +    delete_files_pattern($1, config_home_t, config_home_t)
- ')
- 
- #######################################
- ## <summary>
--##	Create, read, write, and delete gconf config files.
++')
++
++#######################################
++## <summary>
 +##  setattr gnome homedir content (.config)
 +## </summary>
 +## <param name="domain">
@@ -21374,7 +21709,7 @@ index f5afe78..e283f63 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -140,51 +1149,307 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +1149,302 @@ interface(`gnome_domtrans_gconfd',`
  ##	</summary>
  ## </param>
  #
@@ -21551,11 +21886,6 @@ index f5afe78..e283f63 100644
 +##	Domain allowed access
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the gkeyring domain.
-+##	</summary>
-+## </param>
 +#
 +interface(`gnome_transition_gkeyringd',`
 +	gen_require(`
@@ -24086,10 +24416,10 @@ index 0000000..1725b7e
 +
 diff --git a/jetty.if b/jetty.if
 new file mode 100644
-index 0000000..9f09101
+index 0000000..2abc285
 --- /dev/null
 +++ b/jetty.if
-@@ -0,0 +1,273 @@
+@@ -0,0 +1,268 @@
 +
 +## <summary>policy for jetty</summary>
 +
@@ -24336,11 +24666,6 @@ index 0000000..9f09101
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
 +## <rolecap/>
 +#
 +interface(`jetty_admin',`
@@ -24408,10 +24733,10 @@ index 0000000..274cdec
 +/var/log/jockey\.log	--	gen_context(system_u:object_r:jockey_var_log_t,s0)
 diff --git a/jockey.if b/jockey.if
 new file mode 100644
-index 0000000..fb58f33
+index 0000000..868c7d0
 --- /dev/null
 +++ b/jockey.if
-@@ -0,0 +1,132 @@
+@@ -0,0 +1,126 @@
 +
 +## <summary>policy for jockey</summary>
 +
@@ -24521,12 +24846,6 @@ index 0000000..fb58f33
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`jockey_admin',`
 +	gen_require(`
@@ -24873,7 +25192,7 @@ index 3525d24..ee0a3d5 100644
 +/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/kerberos.if b/kerberos.if
-index 604f67b..8714225 100644
+index 604f67b..ebebcd5 100644
 --- a/kerberos.if
 +++ b/kerberos.if
 @@ -84,7 +84,7 @@ interface(`kerberos_use',`
@@ -24926,7 +25245,7 @@ index 604f67b..8714225 100644
  ##	Create a derived type for kerberos keytab
  ## </summary>
  ## <param name="prefix">
-@@ -282,38 +302,25 @@ interface(`kerberos_manage_host_rcache',`
+@@ -282,42 +302,21 @@ interface(`kerberos_manage_host_rcache',`
  	# does not work in conditionals
  	domain_obj_id_change_exemption($1)
  
@@ -24943,10 +25262,10 @@ index 604f67b..8714225 100644
 +		manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
  		files_search_tmp($1)
  	')
--')
+ ')
  
--########################################
--## <summary>
+ ########################################
+ ## <summary>
 -##	Connect to krb524 service
 -## </summary>
 -## <param name="domain">
@@ -24965,17 +25284,14 @@ index 604f67b..8714225 100644
 -		corenet_udp_sendrecv_kerberos_master_port($1)
 -		corenet_sendrecv_kerberos_master_client_packets($1)
 -	')
-+	kerberos_tmp_filetrans_host_rcache($1, "host_0")
-+	kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
-+	kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
-+	kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
-+	kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
-+	kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
-+	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
- ')
- 
- ########################################
-@@ -338,18 +345,22 @@ interface(`kerberos_admin',`
+-')
+-
+-########################################
+-## <summary>
+ ##	All of the rules required to administrate 
+ ##	an kerberos environment
+ ## </summary>
+@@ -338,18 +337,22 @@ interface(`kerberos_admin',`
  		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
  		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
  		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
@@ -25003,7 +25319,7 @@ index 604f67b..8714225 100644
  	ps_process_pattern($1, kpropd_t)
  
  	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
-@@ -378,3 +389,113 @@ interface(`kerberos_admin',`
+@@ -378,3 +381,114 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -25024,6 +25340,7 @@ index 604f67b..8714225 100644
 +		type krb5_host_rcache_t;
 +	')
 +
++	manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
 +	files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
 +')
 +
@@ -25384,10 +25701,10 @@ index 0000000..408d6c0
 +/var/log/keystone(/.*)?		gen_context(system_u:object_r:keystone_log_t,s0)
 diff --git a/keystone.if b/keystone.if
 new file mode 100644
-index 0000000..c7a5aeb
+index 0000000..f20248c
 --- /dev/null
 +++ b/keystone.if
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,218 @@
 +
 +## <summary>policy for keystone</summary>
 +
@@ -25580,12 +25897,6 @@ index 0000000..c7a5aeb
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`keystone_admin',`
 +	gen_require(`
@@ -26336,7 +26647,7 @@ index 3aa8fa7..9539b76 100644
 +	allow $1 ldap_unit_file_t:service all_service_perms;
  ')
 diff --git a/ldap.te b/ldap.te
-index 64fd1ff..0f5d0b7 100644
+index 64fd1ff..47c43ab 100644
 --- a/ldap.te
 +++ b/ldap.te
 @@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -26404,6 +26715,16 @@ index 64fd1ff..0f5d0b7 100644
  
  logging_send_syslog_msg(slapd_t)
  
+@@ -117,6 +135,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
+ 
+ optional_policy(`
+ 	kerberos_keytab_template(slapd, slapd_t)
++	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
++	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
++	kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
+ ')
+ 
+ optional_policy(`
 diff --git a/likewise.fc b/likewise.fc
 index 057a4e4..57491fc 100644
 --- a/likewise.fc
@@ -27795,10 +28116,10 @@ index 0000000..2907017
 +/var/cache/man2html(/.*)?		gen_context(system_u:object_r:httpd_man2html_script_cache_t,s0)
 diff --git a/man2html.if b/man2html.if
 new file mode 100644
-index 0000000..68fddff
+index 0000000..050157a
 --- /dev/null
 +++ b/man2html.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,127 @@
 +
 +## <summary>policy for httpd_man2html_script</summary>
 +
@@ -27909,12 +28230,6 @@ index 0000000..68fddff
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`httpd_man2html_script_admin',`
 +	gen_require(`
@@ -28811,10 +29126,10 @@ index 0000000..8d0e473
 +/var/cache/mock(/.*)?		gen_context(system_u:object_r:mock_cache_t,s0)
 diff --git a/mock.if b/mock.if
 new file mode 100644
-index 0000000..1d76fb8
+index 0000000..7f6f2d6
 --- /dev/null
 +++ b/mock.if
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,307 @@
 +## <summary>policy for mock</summary>
 +
 +########################################
@@ -29096,12 +29411,6 @@ index 0000000..1d76fb8
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`mock_admin',`
 +	gen_require(`
@@ -29438,10 +29747,19 @@ index b3ace16..83392b6 100644
  optional_policy(`
  	udev_read_db(modemmanager_t)
 diff --git a/mojomojo.if b/mojomojo.if
-index 657a9fc..0b9bf04 100644
+index 657a9fc..6be094b 100644
 --- a/mojomojo.if
 +++ b/mojomojo.if
-@@ -19,18 +19,23 @@
+@@ -10,27 +10,26 @@
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+-## <rolecap/>
  #
  interface(`mojomojo_admin',`
  	gen_require(`
@@ -29828,7 +30146,7 @@ index b397fde..30bfefb 100644
 +')
 +
 diff --git a/mozilla.te b/mozilla.te
-index 0724816..7ccc738 100644
+index 0724816..c1fa8ea 100644
 --- a/mozilla.te
 +++ b/mozilla.te
 @@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3)
@@ -30129,7 +30447,7 @@ index 0724816..7ccc738 100644
  
  optional_policy(`
  	alsa_read_rw_config(mozilla_plugin_t)
-@@ -422,35 +463,134 @@ optional_policy(`
+@@ -422,35 +463,135 @@ optional_policy(`
  optional_policy(`
  	dbus_system_bus_client(mozilla_plugin_t)
  	dbus_session_bus_client(mozilla_plugin_t)
@@ -30188,6 +30506,7 @@ index 0724816..7ccc738 100644
 +optional_policy(`
 +	xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
 +	xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
++	xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
  	xserver_read_xdm_pid(mozilla_plugin_t)
  	xserver_stream_connect(mozilla_plugin_t)
  	xserver_use_user_fonts(mozilla_plugin_t)
@@ -30664,7 +30983,7 @@ index afa18c8..f6e2bb8 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index 4e2a5ba..12b951c 100644
+index 4e2a5ba..d5a1725 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -37,6 +37,7 @@ interface(`mta_stub',`
@@ -31071,7 +31390,7 @@ index 4e2a5ba..12b951c 100644
  ##	Read sendmail binary.
  ## </summary>
  ## <param name="domain">
-@@ -901,3 +983,143 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -901,3 +983,169 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -31146,6 +31465,32 @@ index 4e2a5ba..12b951c 100644
 +        ')
 +')
 +
++####################################
++## <summary>
++##      Allow domain to manage mail content in the homedir
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`mta_manage_home_rw',`
++        gen_require(`
++                type mail_home_rw_t;
++        ')
++
++        userdom_search_user_home_dirs($1)
++	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
++	manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
++	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++
++        ifdef(`distro_redhat',`
++                userdom_search_admin_dir($1)
++		userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++        ')
++')
++
 +########################################
 +## <summary>
 +##	create mail content in the  in the /root directory
@@ -31166,7 +31511,7 @@ index 4e2a5ba..12b951c 100644
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
++	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 +	userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
 +')
 +
@@ -31189,7 +31534,7 @@ index 4e2a5ba..12b951c 100644
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
 +	userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
-+	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, "Maildir")
++	userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
 +	userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
 +')
 +
@@ -35642,10 +35987,10 @@ index 0000000..be6fcb0
 +/var/run/numad\.pid      --  gen_context(system_u:object_r:numad_var_run_t,s0)
 diff --git a/numad.if b/numad.if
 new file mode 100644
-index 0000000..77a3112
+index 0000000..709dda1
 --- /dev/null
 +++ b/numad.if
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,72 @@
 +
 +## <summary>policy for numad</summary>
 +
@@ -35702,12 +36047,6 @@ index 0000000..77a3112
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`numad_admin',`
 +	gen_require(`
@@ -37891,7 +38230,7 @@ index 5702ca4..498d856 100644
  /var/run/plymouth(/.*)?			gen_context(system_u:object_r:plymouthd_var_run_t,s0)
  /var/spool/plymouth(/.*)?		gen_context(system_u:object_r:plymouthd_spool_t,s0)
 diff --git a/plymouthd.if b/plymouthd.if
-index 9759ed8..f8d254a 100644
+index 9759ed8..17c097d 100644
 --- a/plymouthd.if
 +++ b/plymouthd.if
 @@ -120,7 +120,7 @@ interface(`plymouthd_search_spool', `
@@ -37903,10 +38242,12 @@ index 9759ed8..f8d254a 100644
  	gen_require(`
  		type plymouthd_spool_t;
  	')
-@@ -228,6 +228,48 @@ interface(`plymouthd_read_pid_files', `
+@@ -228,20 +228,56 @@ interface(`plymouthd_read_pid_files', `
  
  ########################################
  ## <summary>
+-##	All of the rules required to administrate
+-##	an plymouthd environment
 +##	Allow the specified domain to read
 +##	to plymouthd log files.
 +## </summary>
@@ -37929,12 +38270,13 @@ index 9759ed8..f8d254a 100644
 +## <summary>
 +##	Allow the specified domain to manage
 +##	to plymouthd log files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
 +#
 +interface(`plymouthd_manage_log',`
 +	gen_require(`
@@ -37949,10 +38291,20 @@ index 9759ed8..f8d254a 100644
 +
 +########################################
 +## <summary>
- ##	All of the rules required to administrate
- ##	an plymouthd environment
- ## </summary>
-@@ -249,12 +291,17 @@ interface(`plymouthd_admin', `
++##	All of the rules required to administrate
++##	an plymouthd environment
++## </summary>
++## <param name="domain">
+ ##	<summary>
+-##	Role allowed access.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+ interface(`plymouthd_admin', `
+ 	gen_require(`
+@@ -249,12 +285,17 @@ interface(`plymouthd_admin', `
  		type plymouthd_var_run_t;
  	')
  
@@ -38243,7 +38595,7 @@ index 48ff1e8..be00a65 100644
 +	allow $1 policykit_auth_t:process signal;
  ')
 diff --git a/policykit.te b/policykit.te
-index 44db896..11800bb 100644
+index 44db896..9e61080 100644
 --- a/policykit.te
 +++ b/policykit.te
 @@ -1,51 +1,73 @@
@@ -38298,7 +38650,7 @@ index 44db896..11800bb 100644
 +# policykit_domain local policy
 +#
 +
-+allow policykit_domain self:process getattr;
++allow policykit_domain self:process { execmem getattr };
 +allow policykit_domain self:fifo_file rw_fifo_file_perms;
 +
 +dev_read_sysfs(policykit_domain)
@@ -38333,7 +38685,7 @@ index 44db896..11800bb 100644
  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
  
  policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,111 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,112 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
  
@@ -38377,6 +38729,7 @@ index 44db896..11800bb 100644
 +')
 +
 +optional_policy(`
++	kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
 +	kerberos_manage_host_rcache(policykit_t)
 +')
 +
@@ -38457,11 +38810,12 @@ index 44db896..11800bb 100644
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -118,14 +195,25 @@ optional_policy(`
+@@ -118,14 +196,26 @@ optional_policy(`
  	hal_read_state(policykit_auth_t)
  ')
  
 +optional_policy(`
++	kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
 +        kerberos_manage_host_rcache(policykit_auth_t)
 +')
 +
@@ -38485,7 +38839,7 @@ index 44db896..11800bb 100644
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -145,19 +233,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
+@@ -145,19 +235,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
  files_read_etc_files(policykit_grant_t)
  files_read_usr_files(policykit_grant_t)
  
@@ -38510,7 +38864,7 @@ index 44db896..11800bb 100644
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,9 +254,8 @@ optional_policy(`
+@@ -167,9 +256,8 @@ optional_policy(`
  # polkit_resolve local policy
  #
  
@@ -38522,7 +38876,7 @@ index 44db896..11800bb 100644
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -185,14 +271,8 @@ corecmd_search_bin(policykit_resolve_t)
+@@ -185,14 +273,8 @@ corecmd_search_bin(policykit_resolve_t)
  files_read_etc_files(policykit_resolve_t)
  files_read_usr_files(policykit_resolve_t)
  
@@ -38537,7 +38891,7 @@ index 44db896..11800bb 100644
  userdom_read_all_users_state(policykit_resolve_t)
  
  optional_policy(`
-@@ -207,4 +287,3 @@ optional_policy(`
+@@ -207,4 +289,3 @@ optional_policy(`
  	kernel_search_proc(policykit_resolve_t)
  	hal_read_state(policykit_resolve_t)
  ')
@@ -39740,7 +40094,7 @@ index 46bee12..99499ef 100644
 +	postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
 +')
 diff --git a/postfix.te b/postfix.te
-index 69cbd06..c990292 100644
+index 69cbd06..2f19c1c 100644
 --- a/postfix.te
 +++ b/postfix.te
 @@ -1,10 +1,19 @@
@@ -39955,10 +40309,14 @@ index 69cbd06..c990292 100644
  
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
-@@ -297,6 +334,10 @@ optional_policy(`
+@@ -297,6 +334,14 @@ optional_policy(`
  ')
  
  optional_policy(`
++	dovecot_domtrans_deliver(postfix_local_t)
++')
++
++optional_policy(`
 +	dspam_domtrans(postfix_local_t)
 +')
 +
@@ -39966,7 +40324,7 @@ index 69cbd06..c990292 100644
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
  	mailman_append_log(postfix_local_t)
-@@ -304,9 +345,22 @@ optional_policy(`
+@@ -304,9 +349,22 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -39989,7 +40347,7 @@ index 69cbd06..c990292 100644
  ########################################
  #
  # Postfix map local policy
-@@ -379,18 +433,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -379,18 +437,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
  rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
  
@@ -40015,7 +40373,7 @@ index 69cbd06..c990292 100644
  allow postfix_pipe_t self:process setrlimit;
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +461,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +465,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
  domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
  
@@ -40024,7 +40382,7 @@ index 69cbd06..c990292 100644
  optional_policy(`
  	dovecot_domtrans_deliver(postfix_pipe_t)
  ')
-@@ -420,6 +482,7 @@ optional_policy(`
+@@ -420,6 +486,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_domtrans_client(postfix_pipe_t)
@@ -40032,7 +40390,7 @@ index 69cbd06..c990292 100644
  ')
  
  optional_policy(`
-@@ -436,11 +499,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +503,17 @@ allow postfix_postdrop_t self:capability sys_resource;
  allow postfix_postdrop_t self:tcp_socket create;
  allow postfix_postdrop_t self:udp_socket create_socket_perms;
  
@@ -40050,7 +40408,7 @@ index 69cbd06..c990292 100644
  corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
  corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
  
-@@ -487,8 +556,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +560,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
  domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  
  # to write the mailq output, it really should not need read access!
@@ -40061,7 +40419,7 @@ index 69cbd06..c990292 100644
  
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +588,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -40074,7 +40432,7 @@ index 69cbd06..c990292 100644
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +612,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -40085,7 +40443,7 @@ index 69cbd06..c990292 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +633,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +637,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -40094,7 +40452,7 @@ index 69cbd06..c990292 100644
  files_search_all_mountpoints(postfix_smtp_t)
  
  optional_policy(`
-@@ -565,6 +642,14 @@ optional_policy(`
+@@ -565,6 +646,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40109,7 +40467,7 @@ index 69cbd06..c990292 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -581,17 +666,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +670,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
  corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
  
  # for prng_exch
@@ -40136,7 +40494,7 @@ index 69cbd06..c990292 100644
  ')
  
  optional_policy(`
-@@ -599,6 +692,12 @@ optional_policy(`
+@@ -599,6 +696,12 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -40149,7 +40507,7 @@ index 69cbd06..c990292 100644
  	postgrey_stream_connect(postfix_smtpd_t)
  ')
  
-@@ -611,7 +710,6 @@ optional_policy(`
+@@ -611,7 +714,6 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -40157,7 +40515,7 @@ index 69cbd06..c990292 100644
  allow postfix_virtual_t self:process { setsched setrlimit };
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +728,75 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +732,75 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -43277,10 +43635,10 @@ index 0000000..9108437
 +/var/log/quantum(/.*)?		gen_context(system_u:object_r:quantum_log_t,s0)
 diff --git a/quantum.if b/quantum.if
 new file mode 100644
-index 0000000..89e4bc5
+index 0000000..010b2be
 --- /dev/null
 +++ b/quantum.if
-@@ -0,0 +1,224 @@
+@@ -0,0 +1,218 @@
 +## <summary>Quantum is a virtual network service for Openstack</summary>
 +
 +########################################
@@ -43473,12 +43831,6 @@ index 0000000..89e4bc5
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`quantum_admin',`
 +	gen_require(`
@@ -46426,7 +46778,7 @@ index 63e78c6..fdd8228 100644
  		type rlogind_home_t;
  	')
 diff --git a/rlogin.te b/rlogin.te
-index d654552..49dbcc4 100644
+index d654552..706700d 100644
 --- a/rlogin.te
 +++ b/rlogin.te
 @@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -46466,7 +46818,7 @@ index d654552..49dbcc4 100644
  
  files_read_etc_files(rlogind_t)
  files_read_etc_runtime_files(rlogind_t)
-@@ -88,27 +88,23 @@ seutil_read_config(rlogind_t)
+@@ -88,27 +88,24 @@ seutil_read_config(rlogind_t)
  userdom_setattr_user_ptys(rlogind_t)
  # cjp: this is egregious
  userdom_read_user_home_content_files(rlogind_t)
@@ -46493,6 +46845,7 @@ index d654552..49dbcc4 100644
 -	fs_read_cifs_symlinks(rlogind_t)
 +optional_policy(`
 +	kerberos_keytab_template(rlogind, rlogind_t)
++	kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
 +	#part of auth_use_pam
 +	#kerberos_manage_host_rcache(rlogind_t)
  ')
@@ -49899,7 +50252,7 @@ index cfe3172..3eb745d 100644
 +
  ')
 diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..d5d96e7 100644
+index e02eb6c..f1314b0 100644
 --- a/sanlock.te
 +++ b/sanlock.te
 @@ -1,4 +1,4 @@
@@ -49931,15 +50284,27 @@ index e02eb6c..d5d96e7 100644
  ## </desc>
  gen_tunable(sanlock_use_samba, false)
  
-@@ -46,6 +46,7 @@ ifdef(`enable_mls',`
+@@ -44,8 +44,9 @@ ifdef(`enable_mls',`
  #
- allow sanlock_t self:capability { sys_nice ipc_lock };
- allow sanlock_t self:process { setsched signull };
+ # sanlock local policy
+ #
+-allow sanlock_t self:capability { sys_nice ipc_lock };
+-allow sanlock_t self:process { setsched signull };
++allow sanlock_t self:capability { chown setgid dac_override ipc_lock sys_nice };
++allow sanlock_t self:process { setsched signull signal };
 +
  allow sanlock_t self:fifo_file rw_fifo_file_perms;
  allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -67,6 +68,8 @@ storage_raw_rw_fixed_disk(sanlock_t)
+@@ -58,6 +59,7 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
+ 
+ kernel_read_system_state(sanlock_t)
++kernel_read_kernel_sysctls(sanlock_t)
+ 
+ domain_use_interactive_fds(sanlock_t)
+ 
+@@ -67,6 +69,8 @@ storage_raw_rw_fixed_disk(sanlock_t)
  
  dev_read_urand(sanlock_t)
  
@@ -49948,7 +50313,7 @@ index e02eb6c..d5d96e7 100644
  init_read_utmp(sanlock_t)
  init_dontaudit_write_utmp(sanlock_t)
  
-@@ -75,19 +78,25 @@ logging_send_syslog_msg(sanlock_t)
+@@ -75,19 +79,25 @@ logging_send_syslog_msg(sanlock_t)
  miscfiles_read_localization(sanlock_t)
  
  tunable_policy(`sanlock_use_nfs',`
@@ -50014,7 +50379,7 @@ index f1aea88..3e6a93f 100644
  	admin_pattern($1, saslauthd_var_run_t)
  ')
 diff --git a/sasl.te b/sasl.te
-index 9d9f8ce..15569f0 100644
+index 9d9f8ce..637b67c 100644
 --- a/sasl.te
 +++ b/sasl.te
 @@ -10,7 +10,7 @@ policy_module(sasl, 1.14.0)
@@ -50036,15 +50401,14 @@ index 9d9f8ce..15569f0 100644
  type saslauthd_var_run_t;
  files_pid_file(saslauthd_var_run_t)
  
-@@ -38,16 +35,19 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
+@@ -38,16 +35,17 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
  allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
  allow saslauthd_t self:tcp_socket create_socket_perms;
  
 -allow saslauthd_t saslauthd_tmp_t:dir setattr;
 -manage_files_pattern(saslauthd_t, saslauthd_tmp_t, saslauthd_tmp_t)
 -files_tmp_filetrans(saslauthd_t, saslauthd_tmp_t, file)
-+kerberos_tmp_filetrans_host_rcache(saslauthd_t)
- 
+-
 +manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
  manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
  manage_sock_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
@@ -50060,7 +50424,7 @@ index 9d9f8ce..15569f0 100644
  
  corenet_all_recvfrom_unlabeled(saslauthd_t)
  corenet_all_recvfrom_netlabel(saslauthd_t)
-@@ -55,6 +55,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
+@@ -55,6 +53,7 @@ corenet_tcp_sendrecv_generic_if(saslauthd_t)
  corenet_tcp_sendrecv_generic_node(saslauthd_t)
  corenet_tcp_sendrecv_all_ports(saslauthd_t)
  corenet_tcp_connect_pop_port(saslauthd_t)
@@ -50068,7 +50432,7 @@ index 9d9f8ce..15569f0 100644
  corenet_sendrecv_pop_client_packets(saslauthd_t)
  
  dev_read_urand(saslauthd_t)
-@@ -88,12 +89,13 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
+@@ -88,11 +87,12 @@ userdom_dontaudit_search_user_home_dirs(saslauthd_t)
  
  # cjp: typeattribute doesnt work in conditionals
  auth_can_read_shadow_passwords(saslauthd_t)
@@ -50078,11 +50442,10 @@ index 9d9f8ce..15569f0 100644
  ')
  
  optional_policy(`
++	kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
  	kerberos_keytab_template(saslauthd, saslauthd_t)
-+	#kerberos_manage_host_rcache(saslauthd_t)
  ')
  
- optional_policy(`
 diff --git a/sblim.if b/sblim.if
 index fa24879..fdb665a 100644
 --- a/sblim.if
@@ -52805,7 +53168,7 @@ index d2496bd..c7614d7 100644
  	init_labeled_script_domtrans($1, squid_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/squid.te b/squid.te
-index d24bd07..e5f4599 100644
+index d24bd07..daf200c 100644
 --- a/squid.te
 +++ b/squid.te
 @@ -29,7 +29,7 @@ type squid_cache_t;
@@ -52827,7 +53190,15 @@ index d24bd07..e5f4599 100644
  type squid_var_run_t;
  files_pid_file(squid_var_run_t)
  
-@@ -85,11 +88,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
+@@ -69,6 +72,7 @@ allow squid_t self:udp_socket create_socket_perms;
+ manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
+ manage_lnk_files_pattern(squid_t, squid_cache_t, squid_cache_t)
++files_var_filetrans(squid_t, squid_cache_t, dir, "squid")
+ 
+ allow squid_t squid_conf_t:dir list_dir_perms;
+ read_files_pattern(squid_t, squid_conf_t, squid_conf_t)
+@@ -85,11 +89,16 @@ logging_log_filetrans(squid_t, squid_log_t, { file dir })
  manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
  fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
  
@@ -52844,7 +53215,7 @@ index d24bd07..e5f4599 100644
  
  files_dontaudit_getattr_boot_dirs(squid_t)
  
-@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -169,7 +178,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
  tunable_policy(`squid_connect_any',`
  	corenet_tcp_connect_all_ports(squid_t)
  	corenet_tcp_bind_all_ports(squid_t)
@@ -52854,7 +53225,7 @@ index d24bd07..e5f4599 100644
  ')
  
  tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +194,7 @@ optional_policy(`
+@@ -185,6 +195,7 @@ optional_policy(`
  	corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
  	corenet_all_recvfrom_netlabel(httpd_squid_script_t)
  	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -52862,13 +53233,13 @@ index d24bd07..e5f4599 100644
  
  	sysnet_dns_name_resolve(httpd_squid_script_t)
  
-@@ -206,3 +216,7 @@ optional_policy(`
+@@ -206,3 +217,7 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(squid_t)
  ')
 +
 +optional_policy(`
-+	kerberos_manage_host_rcache(squid_t)
++	kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
 +')
 diff --git a/sssd.fc b/sssd.fc
 index 4271815..4bc00ea 100644
@@ -52969,7 +53340,7 @@ index 941380a..e1095f0 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/sssd.te b/sssd.te
-index 8ffa257..1dfa5ce 100644
+index 8ffa257..20d8944 100644
 --- a/sssd.te
 +++ b/sssd.te
 @@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -53061,10 +53432,11 @@ index 8ffa257..1dfa5ce 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -87,4 +108,18 @@ optional_policy(`
+@@ -87,4 +108,19 @@ optional_policy(`
  
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
++	kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
 +	kerberos_read_home_content(sssd_t)
 +')
 +
@@ -53119,10 +53491,10 @@ index 0000000..5ab0840
 +/var/lib/subversion/repo(/.*)?		gen_context(system_u:object_r:svnserve_content_t,s0)	
 diff --git a/svnserve.if b/svnserve.if
 new file mode 100644
-index 0000000..bab5617
+index 0000000..19d13a7
 --- /dev/null
 +++ b/svnserve.if
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,119 @@
 +
 +## <summary>policy for svnserve</summary>
 +
@@ -53219,12 +53591,6 @@ index 0000000..bab5617
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <param name="role">
-+##	<summary>
-+##	Role allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
 +#
 +interface(`svnserve_admin',`
 +	gen_require(`
@@ -53896,7 +54262,7 @@ index 58e7ec0..e4119f7 100644
 +	allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
 +')
 diff --git a/telnet.te b/telnet.te
-index f40e67b..3519e88 100644
+index f40e67b..0634c00 100644
 --- a/telnet.te
 +++ b/telnet.te
 @@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
@@ -53942,13 +54308,14 @@ index f40e67b..3519e88 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_nfs(telnetd_t)
-@@ -98,3 +92,12 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -98,3 +92,13 @@ tunable_policy(`use_nfs_home_dirs',`
  tunable_policy(`use_samba_home_dirs',`
  	fs_search_cifs(telnetd_t)
  ')
 +
 +optional_policy(`
 +	kerberos_keytab_template(telnetd, telnetd_t)
++	kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
 +	kerberos_manage_host_rcache(telnetd_t)
 +')
 +
@@ -54378,10 +54745,10 @@ index 0000000..9127cec
 +')
 diff --git a/thumb.te b/thumb.te
 new file mode 100644
-index 0000000..7eea9cd
+index 0000000..e379b1b
 --- /dev/null
 +++ b/thumb.te
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,109 @@
 +policy_module(thumb, 1.0.0)
 +
 +########################################
@@ -54456,6 +54823,10 @@ index 0000000..7eea9cd
 +
 +auth_use_nsswitch(thumb_t)
 +
++tunable_policy(`selinuxuser_execmod',`
++	libs_legacy_use_shared_libs(thumb_t)
++')
++
 +miscfiles_read_fonts(thumb_t)
 +miscfiles_read_localization(thumb_t)
 +
@@ -56612,7 +56983,7 @@ index 7c5d8d8..85b7d8b 100644
 +	files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
  ')
 diff --git a/virt.te b/virt.te
-index ad3068a..5759ef5 100644
+index ad3068a..55dd15c 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
@@ -56888,7 +57259,7 @@ index ad3068a..5759ef5 100644
 +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
 +ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
-+	dontaudit virtd_t self:capability sys_module;
++	dontaudit virtd_t self:capability { sys_module sys_ptrace };
 +')
  
 -allow virtd_t self:fifo_file rw_fifo_file_perms;
@@ -57079,7 +57450,7 @@ index ad3068a..5759ef5 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -335,6 +506,14 @@ optional_policy(`
+@@ -335,19 +506,30 @@ optional_policy(`
  	optional_policy(`
  		hal_dbus_chat(virtd_t)
  	')
@@ -57094,12 +57465,14 @@ index ad3068a..5759ef5 100644
  ')
  
  optional_policy(`
-@@ -343,11 +522,14 @@ optional_policy(`
+ 	dnsmasq_domtrans(virtd_t)
+ 	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
- 	dnsmasq_read_pid_files(virtd_t)
+-	dnsmasq_read_pid_files(virtd_t)
  	dnsmasq_signull(virtd_t)
 +	dnsmasq_create_pid_dirs(virtd_t)
 +	dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
++	dnsmasq_manage_pid_files(virtd_t)
  ')
  
  optional_policy(`
@@ -57139,7 +57512,15 @@ index ad3068a..5759ef5 100644
  ')
  
  optional_policy(`
-@@ -403,20 +591,36 @@ optional_policy(`
+@@ -384,6 +572,7 @@ optional_policy(`
+ 	kernel_read_xen_state(virtd_t)
+ 	kernel_write_xen_state(virtd_t)
+ 
++	xen_exec(virtd_t)
+ 	xen_stream_connect(virtd_t)
+ 	xen_stream_connect_xenstore(virtd_t)
+ 	xen_read_image_files(virtd_t)
+@@ -403,20 +592,36 @@ optional_policy(`
  # virtual domains common policy
  #
  
@@ -57179,7 +57560,7 @@ index ad3068a..5759ef5 100644
  corecmd_exec_bin(virt_domain)
  corecmd_exec_shell(virt_domain)
  
-@@ -427,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -427,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -57193,7 +57574,7 @@ index ad3068a..5759ef5 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -438,10 +644,12 @@ dev_write_sound(virt_domain)
+@@ -438,10 +645,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -57206,7 +57587,7 @@ index ad3068a..5759ef5 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -449,25 +657,430 @@ files_search_all(virt_domain)
+@@ -449,25 +658,429 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -57428,8 +57809,7 @@ index ad3068a..5759ef5 100644
 +fs_mounton_tmpfs(virtd_lxc_t)
 +fs_remount_all_fs(virtd_lxc_t)
 +fs_rw_cgroup_files(virtd_lxc_t)
-+fs_unmount_xattr_fs(virtd_lxc_t)
-+fs_unmount_configfs(virtd_lxc_t)
++fs_unmount_all_fs(virtd_lxc_t)
 +fs_relabelfrom_tmpfs(virtd_lxc_t)
 +
 +selinux_mount_fs(virtd_lxc_t)
@@ -57714,10 +58094,22 @@ index f21389b..482db56 100644
  # cjp: why?
  userdom_read_user_home_content_files(vmware_t)
 diff --git a/vnstatd.if b/vnstatd.if
-index 727fe95..958de01 100644
+index 727fe95..47ec114 100644
 --- a/vnstatd.if
 +++ b/vnstatd.if
-@@ -135,8 +135,11 @@ interface(`vnstatd_admin',`
+@@ -123,20 +123,17 @@ interface(`vnstatd_manage_lib_files',`
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+-## <rolecap/>
+ #
+ interface(`vnstatd_admin',`
+ 	gen_require(`
  		type vnstatd_t, vnstatd_var_lib_t;
  	')
  
@@ -58127,10 +58519,31 @@ index 9d24449..2666317 100644
  /opt/picasa/wine/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
  
 diff --git a/wine.if b/wine.if
-index f9a73d0..00a98f1 100644
+index f9a73d0..4b83bb0 100644
 --- a/wine.if
 +++ b/wine.if
-@@ -29,12 +29,16 @@
+@@ -10,10 +10,9 @@
+ ##	for wine applications.
+ ##	</p>
+ ## </desc>
+-## <param name="userdomain_prefix">
++## <param name="user_role">
+ ##	<summary>
+-##	The prefix of the user domain (e.g., user
+-##	is the prefix for user_t).
++##	The role associated with the user domain.
+ ##	</summary>
+ ## </param>
+ ## <param name="user_domain">
+@@ -21,20 +20,19 @@
+ ##	The type of the user domain.
+ ##	</summary>
+ ## </param>
+-## <param name="user_role">
+-##	<summary>
+-##	The role associated with the user domain.
+-##	</summary>
+-## </param>
  #
  template(`wine_role',`
  	gen_require(`
@@ -58147,7 +58560,7 @@ index f9a73d0..00a98f1 100644
  	allow wine_t $2:fd use;
  	allow wine_t $2:process { sigchld signull };
  	allow wine_t $2:unix_stream_socket connectto;
-@@ -44,8 +48,7 @@ template(`wine_role',`
+@@ -44,8 +42,7 @@ template(`wine_role',`
  	allow $2 wine_t:process signal_perms;
  
  	allow $2 wine_t:fd use;
@@ -58157,7 +58570,7 @@ index f9a73d0..00a98f1 100644
  	allow $2 wine_t:unix_stream_socket connectto;
  
  	# X access, Home files
-@@ -86,6 +89,7 @@ template(`wine_role',`
+@@ -86,6 +83,7 @@ template(`wine_role',`
  #
  template(`wine_role_template',`
  	gen_require(`
@@ -58165,7 +58578,7 @@ index f9a73d0..00a98f1 100644
  		type wine_exec_t;
  	')
  
-@@ -96,12 +100,12 @@ template(`wine_role_template',`
+@@ -96,12 +94,12 @@ template(`wine_role_template',`
  	role $2 types $1_wine_t;
  
  	allow $1_wine_t self:process { execmem execstack };
@@ -58180,7 +58593,7 @@ index f9a73d0..00a98f1 100644
  
  	domain_mmap_low($1_wine_t)
  
-@@ -109,6 +113,10 @@ template(`wine_role_template',`
+@@ -109,6 +107,10 @@ template(`wine_role_template',`
  		dontaudit $1_wine_t self:memprotect mmap_zero;
  	')
  
@@ -58326,10 +58739,36 @@ index 1a1b374..f22f770 100644
  ')
  
 diff --git a/xen.if b/xen.if
-index 77d41b6..138efd8 100644
+index 77d41b6..cc73c96 100644
 --- a/xen.if
 +++ b/xen.if
-@@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',`
+@@ -20,6 +20,25 @@ interface(`xen_domtrans',`
+ 
+ ########################################
+ ## <summary>
++##	Allow the specified domain to execute xend
++##	in the caller domain.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++#
++interface(`xen_exec',`
++	gen_require(`
++		type xend_exec_t;
++	')
++
++	can_exec($1, xend_exec_t)
++')
++
++########################################
++## <summary>
+ ##	Inherit and use xen file descriptors.
+ ## </summary>
+ ## <param name="domain">
+@@ -55,6 +74,26 @@ interface(`xen_dontaudit_use_fds',`
  	dontaudit $1 xend_t:fd use;
  ')
  
@@ -58356,7 +58795,7 @@ index 77d41b6..138efd8 100644
  ########################################
  ## <summary>
  ##	Read xend image files.
-@@ -87,6 +107,26 @@ interface(`xen_read_image_files',`
+@@ -87,6 +126,26 @@ interface(`xen_read_image_files',`
  ## 	</summary>
  ## </param>
  #
@@ -58383,7 +58822,7 @@ index 77d41b6..138efd8 100644
  interface(`xen_rw_image_files',`
  	gen_require(`
  		type xen_image_t, xend_var_lib_t;
-@@ -161,7 +201,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
+@@ -161,7 +220,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
  
  ########################################
  ## <summary>
@@ -58392,7 +58831,7 @@ index 77d41b6..138efd8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -180,7 +220,7 @@ interface(`xen_stream_connect_xenstore',`
+@@ -180,7 +239,7 @@ interface(`xen_stream_connect_xenstore',`
  
  ########################################
  ## <summary>
@@ -58401,7 +58840,7 @@ index 77d41b6..138efd8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -213,14 +253,15 @@ interface(`xen_stream_connect',`
+@@ -213,14 +272,15 @@ interface(`xen_stream_connect',`
  interface(`xen_domtrans_xm',`
  	gen_require(`
  		type xm_t, xm_exec_t;
@@ -58419,7 +58858,7 @@ index 77d41b6..138efd8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',`
+@@ -230,7 +290,7 @@ interface(`xen_domtrans_xm',`
  #
  interface(`xen_stream_connect_xm',`
  	gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 39f7985..5059ec6 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.11.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,25 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Fri Jun 15 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-4
+- Add support for ecryptfs
+  * ecryptfs does not support xattr
+  * we need labeling for HOMEDIR
+- Add policy for (u)mount.ecryptfs*
+- Fix labeling of kerbero host cache files, allow rpc.svcgssd to manage host cache
+- Allow dovecot to manage Maildir content, fix transitions to Maildir
+- Allow postfix_local to transition to dovecot_deliver
+- Dontaudit attempts to setattr on xdm_tmp_t, looks like bogus code
+- Cleanup interface definitions
+- Allow apmd to change with the logind daemon
+- Changes required for sanlock in rhel6
+- Label /run/user/apache as httpd_tmp_t
+- Allow thumb to use lib_t as execmod if boolean turned on
+- Allow squid to create the squid directory in /var with the correct labe
+- Add a new policy for glusterd from Bryan Bickford (bbickfor at redhat.com)
+- Allow virtd to exec xend_exec_t without transition
+- Allow virtd_lxc_t to unmount all file systems
+
 * Tue Jun 12 2012 Miroslav Grepl <mgrepl at redhat.com> 3.11.0-3
 - PolicyKit path has changed
 - Allow httpd connect to dirsrv socket