[selinux-policy/f17] * Wed Mar 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-105 - Allow chronyd to read unix - Allow

Miroslav Grepl mgrepl at fedoraproject.org
Wed Mar 21 08:07:29 UTC 2012


commit 277ba05ccd3237c050032edadaa9e9621d62e319
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Mar 21 09:07:13 2012 +0100

    * Wed Mar 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-105
    - Allow chronyd to read unix
    - Allow hpfax to read /etc/passwd
    - Add support for matahari vios-proxy-* apps and add virtd_exec_t label for them
    - Allow rpcd to read quota_db_t
    - Update man pages to match latest policy
    - Fix bug in jockey interface for sepolgen-ifgen
    - Add initial svirt_prot_exec_t policy

 policy-F16.patch    | 1880 +++++++++++++++++++++++++++++++++++++++++++--------
 selinux-policy.spec |   11 +-
 2 files changed, 1608 insertions(+), 283 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index d14d168..ce7ada0 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -42,7 +42,7 @@ index 168a14f..c2bf491 100644
  ########################################
 diff --git a/man/man8/NetworkManager_selinux.8 b/man/man8/NetworkManager_selinux.8
 new file mode 100644
-index 0000000..b501c2d
+index 0000000..74ab63c
 --- /dev/null
 +++ b/man/man8/NetworkManager_selinux.8
 @@ -0,0 +1,169 @@
@@ -169,7 +169,7 @@ index 0000000..b501c2d
 +.br
 +.TP 5
 +Paths: 
-+/var/run/wpa_supplicant-global, /var/run/nm-dhclient.*, /var/run/wpa_supplicant(/.*)?, /var/run/NetworkManager\.pid, /var/run/nm-dns-dnsmasq\.conf, /var/run/NetworkManager(/.*)?
++/var/run/nm-dhclient.*, /var/run/wpa_supplicant(/.*)?, /var/run/NetworkManager\.pid, /var/run/wpa_supplicant-global, /var/run/nm-dns-dnsmasq\.conf, /var/run/NetworkManager(/.*)?
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -217,10 +217,10 @@ index 0000000..b501c2d
 +selinux(8), NetworkManager(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/abrt_selinux.8 b/man/man8/abrt_selinux.8
 new file mode 100644
-index 0000000..4ff44da
+index 0000000..1acfb1b
 --- /dev/null
 +++ b/man/man8/abrt_selinux.8
-@@ -0,0 +1,242 @@
+@@ -0,0 +1,250 @@
 +.TH  "abrt_selinux"  "8"  "abrt" "dwalsh at redhat.com" "abrt SELinux Policy documentation"
 +.SH "NAME"
 +abrt_selinux \- Security Enhanced Linux Policy for the abrt processes
@@ -385,6 +385,14 @@ index 0000000..4ff44da
 +
 +.EX
 +.PP
++.B abrt_unit_file_t 
++.EE
++
++- Set files with the abrt_unit_file_t type, if you want to treat the files as abrt unit content.
++
++
++.EX
++.PP
 +.B abrt_var_cache_t 
 +.EE
 +
@@ -466,10 +474,10 @@ index 0000000..4ff44da
 \ No newline at end of file
 diff --git a/man/man8/accountsd_selinux.8 b/man/man8/accountsd_selinux.8
 new file mode 100644
-index 0000000..1f8dad8
+index 0000000..4fe880f
 --- /dev/null
 +++ b/man/man8/accountsd_selinux.8
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,93 @@
 +.TH  "accountsd_selinux"  "8"  "accountsd" "dwalsh at redhat.com" "accountsd SELinux Policy documentation"
 +.SH "NAME"
 +accountsd_selinux \- Security Enhanced Linux Policy for the accountsd processes
@@ -505,6 +513,14 @@ index 0000000..1f8dad8
 +
 +.EX
 +.PP
++.B accountsd_unit_file_t 
++.EE
++
++- Set files with the accountsd_unit_file_t type, if you want to treat the files as accountsd unit content.
++
++
++.EX
++.PP
 +.B accountsd_var_lib_t 
 +.EE
 +
@@ -1422,10 +1438,10 @@ index 0000000..3ff7f95
 +selinux(8), ajaxterm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/alsa_selinux.8 b/man/man8/alsa_selinux.8
 new file mode 100644
-index 0000000..412d10b
+index 0000000..9a8a29d
 --- /dev/null
 +++ b/man/man8/alsa_selinux.8
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,125 @@
 +.TH  "alsa_selinux"  "8"  "alsa" "dwalsh at redhat.com" "alsa SELinux Policy documentation"
 +.SH "NAME"
 +alsa_selinux \- Security Enhanced Linux Policy for the alsa processes
@@ -1473,7 +1489,7 @@ index 0000000..412d10b
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/salsa, /bin/alsaunmute, /sbin/alsactl, /usr/bin/ainit, /usr/bin/alsaunmute, /sbin/salsa, /usr/sbin/alsactl
++/usr/sbin/salsa, /sbin/alsactl, /usr/bin/ainit, /usr/bin/alsaunmute, /sbin/salsa, /usr/sbin/alsactl, /bin/alsaunmute
 +
 +.EX
 +.PP
@@ -1493,6 +1509,14 @@ index 0000000..412d10b
 +
 +.EX
 +.PP
++.B alsa_unit_file_t 
++.EE
++
++- Set files with the alsa_unit_file_t type, if you want to treat the files as alsa unit content.
++
++
++.EX
++.PP
 +.B alsa_var_lib_t 
 +.EE
 +
@@ -2052,10 +2076,10 @@ index 0000000..511f260
 +selinux(8), amtu(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/apcupsd_selinux.8 b/man/man8/apcupsd_selinux.8
 new file mode 100644
-index 0000000..becff95
+index 0000000..dab6c6a
 --- /dev/null
 +++ b/man/man8/apcupsd_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,159 @@
 +.TH  "apcupsd_selinux"  "8"  "apcupsd" "dwalsh at redhat.com" "apcupsd SELinux Policy documentation"
 +.SH "NAME"
 +apcupsd_selinux \- Security Enhanced Linux Policy for the apcupsd processes
@@ -2131,6 +2155,14 @@ index 0000000..becff95
 +
 +.EX
 +.PP
++.B apcupsd_unit_file_t 
++.EE
++
++- Set files with the apcupsd_unit_file_t type, if you want to treat the files as apcupsd unit content.
++
++
++.EX
++.PP
 +.B apcupsd_var_run_t 
 +.EE
 +
@@ -2209,10 +2241,10 @@ index 0000000..becff95
 +selinux(8), apcupsd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/apm_selinux.8 b/man/man8/apm_selinux.8
 new file mode 100644
-index 0000000..6e4505d
+index 0000000..1c6243c
 --- /dev/null
 +++ b/man/man8/apm_selinux.8
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,133 @@
 +.TH  "apm_selinux"  "8"  "apm" "dwalsh at redhat.com" "apm SELinux Policy documentation"
 +.SH "NAME"
 +apm_selinux \- Security Enhanced Linux Policy for the apm processes
@@ -2284,6 +2316,14 @@ index 0000000..6e4505d
 +
 +.EX
 +.PP
++.B apmd_unit_file_t 
++.EE
++
++- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content.
++
++
++.EX
++.PP
 +.B apmd_var_run_t 
 +.EE
 +
@@ -2340,10 +2380,10 @@ index 0000000..6e4505d
 +selinux(8), apm(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/apmd_selinux.8 b/man/man8/apmd_selinux.8
 new file mode 100644
-index 0000000..0c89d86
+index 0000000..6449d94
 --- /dev/null
 +++ b/man/man8/apmd_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,127 @@
 +.TH  "apmd_selinux"  "8"  "apmd" "dwalsh at redhat.com" "apmd SELinux Policy documentation"
 +.SH "NAME"
 +apmd_selinux \- Security Enhanced Linux Policy for the apmd processes
@@ -2365,6 +2405,14 @@ index 0000000..0c89d86
 +
 +.EX
 +.PP
++.B apm_exec_t 
++.EE
++
++- Set files with the apm_exec_t type, if you want to transition an executable to the apm_t domain.
++
++
++.EX
++.PP
 +.B apmd_exec_t 
 +.EE
 +
@@ -2401,6 +2449,14 @@ index 0000000..0c89d86
 +
 +.EX
 +.PP
++.B apmd_unit_file_t 
++.EE
++
++- Set files with the apmd_unit_file_t type, if you want to treat the files as apmd unit content.
++
++
++.EX
++.PP
 +.B apmd_var_run_t 
 +.EE
 +
@@ -2457,10 +2513,10 @@ index 0000000..0c89d86
 +selinux(8), apmd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/arpwatch_selinux.8 b/man/man8/arpwatch_selinux.8
 new file mode 100644
-index 0000000..34be20a
+index 0000000..8052609
 --- /dev/null
 +++ b/man/man8/arpwatch_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,121 @@
 +.TH  "arpwatch_selinux"  "8"  "arpwatch" "dwalsh at redhat.com" "arpwatch SELinux Policy documentation"
 +.SH "NAME"
 +arpwatch_selinux \- Security Enhanced Linux Policy for the arpwatch processes
@@ -2524,6 +2580,14 @@ index 0000000..34be20a
 +
 +.EX
 +.PP
++.B arpwatch_unit_file_t 
++.EE
++
++- Set files with the arpwatch_unit_file_t type, if you want to treat the files as arpwatch unit content.
++
++
++.EX
++.PP
 +.B arpwatch_var_run_t 
 +.EE
 +
@@ -3002,10 +3066,10 @@ index 0000000..96a49e6
 +selinux(8), auditctl(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/auditd_selinux.8 b/man/man8/auditd_selinux.8
 new file mode 100644
-index 0000000..5f44c1c
+index 0000000..50c15c2
 --- /dev/null
 +++ b/man/man8/auditd_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,157 @@
 +.TH  "auditd_selinux"  "8"  "auditd" "dwalsh at redhat.com" "auditd SELinux Policy documentation"
 +.SH "NAME"
 +auditd_selinux \- Security Enhanced Linux Policy for the auditd processes
@@ -3027,6 +3091,14 @@ index 0000000..5f44c1c
 +
 +.EX
 +.PP
++.B audit_spool_t 
++.EE
++
++- Set files with the audit_spool_t type, if you want to store the audit files under the /var/spool directory.
++
++
++.EX
++.PP
 +.B auditd_etc_t 
 +.EE
 +
@@ -3067,6 +3139,14 @@ index 0000000..5f44c1c
 +
 +.EX
 +.PP
++.B auditd_unit_file_t 
++.EE
++
++- Set files with the auditd_unit_file_t type, if you want to treat the files as auditd unit content.
++
++
++.EX
++.PP
 +.B auditd_var_run_t 
 +.EE
 +
@@ -3149,10 +3229,10 @@ index 0000000..5f44c1c
 +selinux(8), auditd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/automount_selinux.8 b/man/man8/automount_selinux.8
 new file mode 100644
-index 0000000..514cdc5
+index 0000000..ff75942
 --- /dev/null
 +++ b/man/man8/automount_selinux.8
-@@ -0,0 +1,121 @@
+@@ -0,0 +1,129 @@
 +.TH  "automount_selinux"  "8"  "automount" "dwalsh at redhat.com" "automount SELinux Policy documentation"
 +.SH "NAME"
 +automount_selinux \- Security Enhanced Linux Policy for the automount processes
@@ -3224,6 +3304,14 @@ index 0000000..514cdc5
 +
 +.EX
 +.PP
++.B automount_unit_file_t 
++.EE
++
++- Set files with the automount_unit_file_t type, if you want to treat the files as automount unit content.
++
++
++.EX
++.PP
 +.B automount_var_run_t 
 +.EE
 +
@@ -3276,10 +3364,10 @@ index 0000000..514cdc5
 +selinux(8), automount(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/avahi_selinux.8 b/man/man8/avahi_selinux.8
 new file mode 100644
-index 0000000..7714562
+index 0000000..f489dad
 --- /dev/null
 +++ b/man/man8/avahi_selinux.8
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,128 @@
 +.TH  "avahi_selinux"  "8"  "avahi" "dwalsh at redhat.com" "avahi SELinux Policy documentation"
 +.SH "NAME"
 +avahi_selinux \- Security Enhanced Linux Policy for the avahi processes
@@ -3338,6 +3426,14 @@ index 0000000..7714562
 +
 +.EX
 +.PP
++.B avahi_unit_file_t 
++.EE
++
++- Set files with the avahi_unit_file_t type, if you want to treat the files as avahi unit content.
++
++
++.EX
++.PP
 +.B avahi_var_lib_t 
 +.EE
 +
@@ -3832,10 +3928,10 @@ index 0000000..834703f
 +selinux(8), blueman(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/bluetooth_selinux.8 b/man/man8/bluetooth_selinux.8
 new file mode 100644
-index 0000000..35f6607
+index 0000000..d344b7b
 --- /dev/null
 +++ b/man/man8/bluetooth_selinux.8
-@@ -0,0 +1,176 @@
+@@ -0,0 +1,184 @@
 +.TH  "bluetooth_selinux"  "8"  "bluetooth" "dwalsh at redhat.com" "bluetooth SELinux Policy documentation"
 +.SH "NAME"
 +bluetooth_selinux \- Security Enhanced Linux Policy for the bluetooth processes
@@ -3946,6 +4042,14 @@ index 0000000..35f6607
 +
 +.EX
 +.PP
++.B bluetooth_unit_file_t 
++.EE
++
++- Set files with the bluetooth_unit_file_t type, if you want to treat the files as bluetooth unit content.
++
++
++.EX
++.PP
 +.B bluetooth_var_lib_t 
 +.EE
 +
@@ -4393,10 +4497,10 @@ index 0000000..664324c
 +selinux(8), brctl(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cachefilesd_selinux.8 b/man/man8/cachefilesd_selinux.8
 new file mode 100644
-index 0000000..2a47db7
+index 0000000..03e5916
 --- /dev/null
 +++ b/man/man8/cachefilesd_selinux.8
-@@ -0,0 +1,89 @@
+@@ -0,0 +1,101 @@
 +.TH  "cachefilesd_selinux"  "8"  "cachefilesd" "dwalsh at redhat.com" "cachefilesd SELinux Policy documentation"
 +.SH "NAME"
 +cachefilesd_selinux \- Security Enhanced Linux Policy for the cachefilesd processes
@@ -4424,6 +4528,18 @@ index 0000000..2a47db7
 +
 +.EX
 +.PP
++.B cachefiles_var_t 
++.EE
++
++- Set files with the cachefiles_var_t type, if you want to store the cachef files under the /var directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/cachefilesd\.pid, /var/fscache(/.*)?, /var/cache/fscache(/.*)?
++
++.EX
++.PP
 +.B cachefilesd_exec_t 
 +.EE
 +
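Review bot: The description added for `cachefiles_var_t` reads "store the cachef files", and the `dcc_var_t` entry added in the dccd_selinux.8 hunk reads "store the  files" with the name missing altogether. Both look like the man-page generator trimming the type name incorrectly, so the fix probably belongs in the generator rather than in these lines. The regenerated sentences should read `if you want to store the cachefiles files under the /var directory.` and `if you want to store the dcc files under the /var directory.` An administrator choosing a label from this page cannot tell from the current text which content the type is meant for.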
@@ -5426,10 +5542,10 @@ index 0000000..bf4f6c4
 +selinux(8), certmaster(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/certmonger_selinux.8 b/man/man8/certmonger_selinux.8
 new file mode 100644
-index 0000000..bb9c5e1
+index 0000000..2f01973
 --- /dev/null
 +++ b/man/man8/certmonger_selinux.8
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,109 @@
 +.TH  "certmonger_selinux"  "8"  "certmonger" "dwalsh at redhat.com" "certmonger SELinux Policy documentation"
 +.SH "NAME"
 +certmonger_selinux \- Security Enhanced Linux Policy for the certmonger processes
@@ -5473,6 +5589,14 @@ index 0000000..bb9c5e1
 +
 +.EX
 +.PP
++.B certmonger_unconfined_exec_t 
++.EE
++
++- Set files with the certmonger_unconfined_exec_t type, if you want to transition an executable to the certmonger_unconfined_t domain.
++
++
++.EX
++.PP
 +.B certmonger_var_lib_t 
 +.EE
 +
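Review bot: The new `certmonger_unconfined_exec_t` entry uses the same boilerplate sentence as every confined entry point, which leaves out the one thing an administrator should know before applying the label. Judging by its name, `certmonger_unconfined_t` is an unconfined domain, so a program given this type would presumably run without the restrictions the certmonger policy otherwise enforces; this is inferred from the type name, as the policy rules are not in this hunk. I would add a sentence after the description, for example `Programs labeled with this type run in an unconfined domain; apply the label only to trusted executables.`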
@@ -6477,7 +6601,7 @@ index 0000000..e83770b
 \ No newline at end of file
 diff --git a/man/man8/chronyd_selinux.8 b/man/man8/chronyd_selinux.8
 new file mode 100644
-index 0000000..a557c95
+index 0000000..b178fb9
 --- /dev/null
 +++ b/man/man8/chronyd_selinux.8
 @@ -0,0 +1,167 @@
@@ -6548,7 +6672,7 @@ index 0000000..a557c95
 +.br
 +.TP 5
 +Paths: 
-+/lib/systemd/system/chronyd.*, /usr/lib/systemd/system/chronyd.*
++/lib/systemd/system/chrony.*, /usr/lib/systemd/system/chronyd.*
 +
 +.EX
 +.PP
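Review bot: The two patterns on the changed `Paths:` line no longer agree: `/lib/systemd/system/chrony.*` is broader than `/usr/lib/systemd/system/chronyd.*`, so a unit whose name starts with `chrony` but not `chronyd` gets this label under /lib only. The crond_selinux.8 hunk has the same asymmetry, adding `/lib/systemd/system/atd\.service` with no `/usr/lib/systemd/system/atd\.service` counterpart. These pages appear to be generated from the file-context entries, so the mismatch most likely sits in the policy's .fc files and should be fixed there; the unit-file label typically determines which domains may manage the service, so both install prefixes should resolve to the same type. After that fix the regenerated line would read `/lib/systemd/system/chrony.*, /usr/lib/systemd/system/chrony.*`. The type this list belongs to is named above the hunk and is not visible here.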
@@ -7329,10 +7453,10 @@ index 0000000..056abd4
 +selinux(8), cmirrord(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cobblerd_selinux.8 b/man/man8/cobblerd_selinux.8
 new file mode 100644
-index 0000000..08e89bb
+index 0000000..9a63029
 --- /dev/null
 +++ b/man/man8/cobblerd_selinux.8
-@@ -0,0 +1,167 @@
+@@ -0,0 +1,211 @@
 +.TH  "cobblerd_selinux"  "8"  "cobblerd" "dwalsh at redhat.com" "cobblerd SELinux Policy documentation"
 +.SH "NAME"
 +cobblerd_selinux \- Security Enhanced Linux Policy for the cobblerd processes
@@ -7412,6 +7536,42 @@ index 0000000..08e89bb
 +
 +.EX
 +.PP
++.B cobbler_etc_t 
++.EE
++
++- Set files with the cobbler_etc_t type, if you want to store cobbler files in the /etc directories.
++
++
++.EX
++.PP
++.B cobbler_tmp_t 
++.EE
++
++- Set files with the cobbler_tmp_t type, if you want to store cobbler temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B cobbler_var_lib_t 
++.EE
++
++- Set files with the cobbler_var_lib_t type, if you want to store the cobbler files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/cobbler(/.*)?, /var/www/cobbler/images(/.*)?, /var/www/cobbler/repo_mirror(/.*)?, /var/lib/tftpboot/pxelinux\.cfg(/.*)?, /var/lib/tftpboot/memdisk, /var/lib/tftpboot/s390x(/.*)?, /var/www/cobbler/links(/.*)?, /var/lib/tftpboot/menu\.c32, /var/lib/tftpboot/yaboot, /var/www/cobbler/localmirror(/.*)?, /var/www/cobbler/ks_mirror(/.*)?, /var/lib/tftpboot/grub(/.*)?, /var/www/cobbler/pub(/.*)?, /var/lib/tftpboot/ppc(/.*)?, /var/lib/tftpboot/pxelinux\.0, /var/lib/tftpboot/images(/.*)?, /var/lib/tftpboot/etc(/.*)?, /var/www/cobbler/rendered(/.*)?
++
++.EX
++.PP
++.B cobbler_var_log_t 
++.EE
++
++- Set files with the cobbler_var_log_t type, if you want to treat the data as cobbler var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
 +.B cobblerd_exec_t 
 +.EE
 +
@@ -7426,6 +7586,14 @@ index 0000000..08e89bb
 +- Set files with the cobblerd_initrc_exec_t type, if you want to transition an executable to the cobblerd_initrc_t domain.
 +
 +
++.EX
++.PP
++.B cobblerd_unit_file_t 
++.EE
++
++- Set files with the cobblerd_unit_file_t type, if you want to treat the files as cobblerd unit content.
++
++
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
 +.B semanage fcontext 
@@ -7503,10 +7671,10 @@ index 0000000..08e89bb
 \ No newline at end of file
 diff --git a/man/man8/collectd_selinux.8 b/man/man8/collectd_selinux.8
 new file mode 100644
-index 0000000..70a9570
+index 0000000..6210747
 --- /dev/null
 +++ b/man/man8/collectd_selinux.8
-@@ -0,0 +1,116 @@
+@@ -0,0 +1,124 @@
 +.TH  "collectd_selinux"  "8"  "collectd" "dwalsh at redhat.com" "collectd SELinux Policy documentation"
 +.SH "NAME"
 +collectd_selinux \- Security Enhanced Linux Policy for the collectd processes
@@ -7561,6 +7729,14 @@ index 0000000..70a9570
 +
 +.EX
 +.PP
++.B collectd_unit_file_t 
++.EE
++
++- Set files with the collectd_unit_file_t type, if you want to treat the files as collectd unit content.
++
++
++.EX
++.PP
 +.B collectd_var_lib_t 
 +.EE
 +
@@ -7626,10 +7802,10 @@ index 0000000..70a9570
 \ No newline at end of file
 diff --git a/man/man8/colord_selinux.8 b/man/man8/colord_selinux.8
 new file mode 100644
-index 0000000..185b909
+index 0000000..7ed4ac6
 --- /dev/null
 +++ b/man/man8/colord_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,117 @@
 +.TH  "colord_selinux"  "8"  "colord" "dwalsh at redhat.com" "colord SELinux Policy documentation"
 +.SH "NAME"
 +colord_selinux \- Security Enhanced Linux Policy for the colord processes
@@ -7662,6 +7838,10 @@ index 0000000..185b909
 +
 +- Set files with the colord_exec_t type, if you want to transition an executable to the colord_t domain.
 +
++.br
++.TP 5
++Paths: 
++/usr/libexec/colord-sane, /usr/libexec/colord
 +
 +.EX
 +.PP
@@ -7681,6 +7861,14 @@ index 0000000..185b909
 +
 +.EX
 +.PP
++.B colord_unit_file_t 
++.EE
++
++- Set files with the colord_unit_file_t type, if you want to treat the files as colord unit content.
++
++
++.EX
++.PP
 +.B colord_var_lib_t 
 +.EE
 +
@@ -7862,10 +8050,10 @@ index 0000000..da3d8e9
 +selinux(8), comsat(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/consolekit_selinux.8 b/man/man8/consolekit_selinux.8
 new file mode 100644
-index 0000000..132d3ba
+index 0000000..cac5397
 --- /dev/null
 +++ b/man/man8/consolekit_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,113 @@
 +.TH  "consolekit_selinux"  "8"  "consolekit" "dwalsh at redhat.com" "consolekit SELinux Policy documentation"
 +.SH "NAME"
 +consolekit_selinux \- Security Enhanced Linux Policy for the consolekit processes
@@ -7917,6 +8105,14 @@ index 0000000..132d3ba
 +
 +.EX
 +.PP
++.B consolekit_unit_file_t 
++.EE
++
++- Set files with the consolekit_unit_file_t type, if you want to treat the files as consolekit unit content.
++
++
++.EX
++.PP
 +.B consolekit_var_run_t 
 +.EE
 +
@@ -8062,10 +8258,10 @@ index 0000000..931d27b
 +selinux(8), consoletype(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/corosync_selinux.8 b/man/man8/corosync_selinux.8
 new file mode 100644
-index 0000000..d0cbc27
+index 0000000..a20c704
 --- /dev/null
 +++ b/man/man8/corosync_selinux.8
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,149 @@
 +.TH  "corosync_selinux"  "8"  "corosync" "dwalsh at redhat.com" "corosync SELinux Policy documentation"
 +.SH "NAME"
 +corosync_selinux \- Security Enhanced Linux Policy for the corosync processes
@@ -8133,6 +8329,14 @@ index 0000000..d0cbc27
 +
 +.EX
 +.PP
++.B corosync_unit_file_t 
++.EE
++
++- Set files with the corosync_unit_file_t type, if you want to treat the files as corosync unit content.
++
++
++.EX
++.PP
 +.B corosync_var_lib_t 
 +.EE
 +
@@ -8748,10 +8952,10 @@ index 0000000..328fc4d
 +selinux(8), crack(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/crond_selinux.8 b/man/man8/crond_selinux.8
 new file mode 100644
-index 0000000..504000b
+index 0000000..b717fd8
 --- /dev/null
 +++ b/man/man8/crond_selinux.8
-@@ -0,0 +1,137 @@
+@@ -0,0 +1,173 @@
 +.TH  "crond_selinux"  "8"  "crond" "dwalsh at redhat.com" "crond SELinux Policy documentation"
 +.SH "NAME"
 +crond_selinux \- Security Enhanced Linux Policy for the crond processes
@@ -8791,6 +8995,42 @@ index 0000000..504000b
 +
 +.EX
 +.PP
++.B cron_log_t 
++.EE
++
++- Set files with the cron_log_t type, if you want to treat the data as cron log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B cron_spool_t 
++.EE
++
++- Set files with the cron_spool_t type, if you want to store the cron files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/var/spool/fcron, /var/spool/cron/crontabs
++
++.EX
++.PP
++.B cron_var_lib_t 
++.EE
++
++- Set files with the cron_var_lib_t type, if you want to store the cron files under the /var/lib directory.
++
++
++.EX
++.PP
++.B cron_var_run_t 
++.EE
++
++- Set files with the cron_var_run_t type, if you want to store the cron files under the /run directory.
++
++
++.EX
++.PP
 +.B crond_exec_t 
 +.EE
 +
@@ -8827,7 +9067,7 @@ index 0000000..504000b
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/systemd/system/crond\.service, /lib/systemd/system/crond\.service
++/lib/systemd/system/atd\.service, /usr/lib/systemd/system/crond\.service, /lib/systemd/system/crond\.service
 +
 +.EX
 +.PP
@@ -9142,10 +9382,10 @@ index 0000000..1da47eb
 +selinux(8), ctdbd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cups_selinux.8 b/man/man8/cups_selinux.8
 new file mode 100644
-index 0000000..995309a
+index 0000000..8bedca4
 --- /dev/null
 +++ b/man/man8/cups_selinux.8
-@@ -0,0 +1,217 @@
+@@ -0,0 +1,225 @@
 +.TH  "cups_selinux"  "8"  "cups" "dwalsh at redhat.com" "cups SELinux Policy documentation"
 +.SH "NAME"
 +cups_selinux \- Security Enhanced Linux Policy for the cups processes
@@ -9297,7 +9537,7 @@ index 0000000..995309a
 +.br
 +.TP 5
 +Paths: 
-+/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /var/lib/cups/certs, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids
++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/lib/cups/certs, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids
 +
 +.EX
 +.PP
@@ -9309,6 +9549,14 @@ index 0000000..995309a
 +
 +.EX
 +.PP
++.B cupsd_unit_file_t 
++.EE
++
++- Set files with the cupsd_unit_file_t type, if you want to treat the files as cupsd unit content.
++
++
++.EX
++.PP
 +.B cupsd_var_run_t 
 +.EE
 +
@@ -9365,10 +9613,10 @@ index 0000000..995309a
 +selinux(8), cups(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/cupsd_selinux.8 b/man/man8/cupsd_selinux.8
 new file mode 100644
-index 0000000..2b2047f
+index 0000000..2ce03af
 --- /dev/null
 +++ b/man/man8/cupsd_selinux.8
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,219 @@
 +.TH  "cupsd_selinux"  "8"  "cupsd" "dwalsh at redhat.com" "cupsd SELinux Policy documentation"
 +.SH "NAME"
 +cupsd_selinux \- Security Enhanced Linux Policy for the cupsd processes
@@ -9390,6 +9638,22 @@ index 0000000..2b2047f
 +
 +.EX
 +.PP
++.B cups_pdf_exec_t 
++.EE
++
++- Set files with the cups_pdf_exec_t type, if you want to transition an executable to the cups_pdf_t domain.
++
++
++.EX
++.PP
++.B cups_pdf_tmp_t 
++.EE
++
++- Set files with the cups_pdf_tmp_t type, if you want to store cups pdf temporary files in the /tmp directories.
++
++
++.EX
++.PP
 +.B cupsd_config_exec_t 
 +.EE
 +
@@ -9498,7 +9762,7 @@ index 0000000..2b2047f
 +.br
 +.TP 5
 +Paths: 
-+/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /var/lib/cups/certs, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids
++/etc/cups/lpoptions.*, /usr/local/linuxprinter/ppd(/.*)?, /etc/cups/subscriptions.*, /usr/local/Brother/(.*/)?inf(/.*)?, /etc/cups/classes\.conf.*, /usr/lib/bjlib(/.*)?, /etc/cups/ppd(/.*)?, /opt/gutenprint/ppds(/.*)?, /etc/printcap.*, /etc/alchemist/namespace/printconf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/ppds\.dat, /etc/cups/certs, /etc/cups/certs/.*, /etc/cups/printers\.conf.*, /var/lib/cups/certs/.*, /var/lib/cups/certs, /var/cache/foomatic(/.*)?, /var/cache/alchemist/printconf.*, /etc/cups/cupsd\.conf.*, /var/cache/cups(/.*)?, /usr/share/foomatic/db/oldprinterids
 +
 +.EX
 +.PP
@@ -9510,6 +9774,14 @@ index 0000000..2b2047f
 +
 +.EX
 +.PP
++.B cupsd_unit_file_t 
++.EE
++
++- Set files with the cupsd_unit_file_t type, if you want to treat the files as cupsd unit content.
++
++
++.EX
++.PP
 +.B cupsd_var_run_t 
 +.EE
 +
@@ -10189,7 +10461,7 @@ index 0000000..224a13a
 +selinux(8), dbskkd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dcc_selinux.8 b/man/man8/dcc_selinux.8
 new file mode 100644
-index 0000000..d3c13b4
+index 0000000..ac78346
 --- /dev/null
 +++ b/man/man8/dcc_selinux.8
 @@ -0,0 +1,246 @@
@@ -10236,7 +10508,7 @@ index 0000000..d3c13b4
 +.br
 +.TP 5
 +Paths: 
-+/var/lib/dcc/map, /etc/dcc/map, /var/dcc/map, /var/run/dcc/map
++/var/lib/dcc/map, /etc/dcc/map, /var/run/dcc/map, /var/dcc/map
 +
 +.EX
 +.PP
@@ -10441,10 +10713,10 @@ index 0000000..d3c13b4
 +selinux(8), dcc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/dccd_selinux.8 b/man/man8/dccd_selinux.8
 new file mode 100644
-index 0000000..88fd801
+index 0000000..2da502a
 --- /dev/null
 +++ b/man/man8/dccd_selinux.8
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,188 @@
 +.TH  "dccd_selinux"  "8"  "dccd" "dwalsh at redhat.com" "dccd SELinux Policy documentation"
 +.SH "NAME"
 +dccd_selinux \- Security Enhanced Linux Policy for the dccd processes
@@ -10466,6 +10738,70 @@ index 0000000..88fd801
 +
 +.EX
 +.PP
++.B dcc_client_exec_t 
++.EE
++
++- Set files with the dcc_client_exec_t type, if you want to transition an executable to the dcc_client_t domain.
++
++
++.EX
++.PP
++.B dcc_client_map_t 
++.EE
++
++- Set files with the dcc_client_map_t type, if you want to treat the files as dcc client map data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/dcc/map, /etc/dcc/map, /var/run/dcc/map, /var/dcc/map
++
++.EX
++.PP
++.B dcc_client_tmp_t 
++.EE
++
++- Set files with the dcc_client_tmp_t type, if you want to store dcc client temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dcc_dbclean_exec_t 
++.EE
++
++- Set files with the dcc_dbclean_exec_t type, if you want to transition an executable to the dcc_dbclean_t domain.
++
++
++.EX
++.PP
++.B dcc_dbclean_tmp_t 
++.EE
++
++- Set files with the dcc_dbclean_tmp_t type, if you want to store dcc dbclean temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B dcc_var_run_t 
++.EE
++
++- Set files with the dcc_var_run_t type, if you want to store the dcc files under the /run directory.
++
++
++.EX
++.PP
++.B dcc_var_t 
++.EE
++
++- Set files with the dcc_var_t type, if you want to store the  files under the /var directory.
++
++.br
++.TP 5
++Paths: 
++/etc/dcc(/.*)?, /var/dcc(/.*)?, /var/lib/dcc(/.*)?
++
++.EX
++.PP
 +.B dccd_exec_t 
 +.EE
 +
@@ -11646,10 +11982,10 @@ index 0000000..b805e27
 \ No newline at end of file
 diff --git a/man/man8/dhcpd_selinux.8 b/man/man8/dhcpd_selinux.8
 new file mode 100644
-index 0000000..8360f95
+index 0000000..db3ea11
 --- /dev/null
 +++ b/man/man8/dhcpd_selinux.8
-@@ -0,0 +1,171 @@
+@@ -0,0 +1,191 @@
 +.TH  "dhcpd_selinux"  "8"  "dhcpd" "dwalsh at redhat.com" "dhcpd SELinux Policy documentation"
 +.SH "NAME"
 +dhcpd_selinux \- Security Enhanced Linux Policy for the dhcpd processes
@@ -11682,6 +12018,26 @@ index 0000000..8360f95
 +
 +.EX
 +.PP
++.B dhcp_etc_t 
++.EE
++
++- Set files with the dhcp_etc_t type, if you want to store dhcp files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/dhcp3(/.*)?, /etc/dhcp3?/dhclient.*, /etc/dhcpd(6)?\.conf, /etc/dhcpc.*, /etc/dhclient-script, /etc/dhclient.*conf, /etc/dhcp/dhcpd(6)?\.conf
++
++.EX
++.PP
++.B dhcp_state_t 
++.EE
++
++- Set files with the dhcp_state_t type, if you want to treat the files as dhcp state data.
++
++
++.EX
++.PP
 +.B dhcpd_exec_t 
 +.EE
 +
@@ -12309,7 +12665,7 @@ index 0000000..f314f5a
 +selinux(8), dirsrvadmin(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/disk_selinux.8 b/man/man8/disk_selinux.8
 new file mode 100644
-index 0000000..240e4ca
+index 0000000..d3d396c
 --- /dev/null
 +++ b/man/man8/disk_selinux.8
 @@ -0,0 +1,83 @@
@@ -12342,7 +12698,7 @@ index 0000000..240e4ca
 +.br
 +.TP 5
 +Paths: 
-+/usr/share/munin/plugins/smart_.*, /usr/share/munin/plugins/diskstat.*, /usr/share/munin/plugins/hddtemp.*, /usr/share/munin/plugins/df.*
++/usr/share/munin/plugins/diskstat.*, /usr/share/munin/plugins/hddtemp.*, /usr/share/munin/plugins/smart_.*, /usr/share/munin/plugins/df.*
 +
 +.EX
 +.PP
@@ -13822,7 +14178,7 @@ index 0000000..fc58144
 +selinux(8), evtchnd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/exim_selinux.8 b/man/man8/exim_selinux.8
 new file mode 100644
-index 0000000..3126a72
+index 0000000..bb54ea6
 --- /dev/null
 +++ b/man/man8/exim_selinux.8
 @@ -0,0 +1,158 @@
@@ -13886,7 +14242,7 @@ index 0000000..3126a72
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/exim[0-9]?, /usr/sbin/exim_tidydb
++/usr/sbin/exim_tidydb, /usr/sbin/exim[0-9]?
 +
 +.EX
 +.PP
@@ -14611,10 +14967,10 @@ index 0000000..b1c9f85
 +selinux(8), fingerd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/firewalld_selinux.8 b/man/man8/firewalld_selinux.8
 new file mode 100644
-index 0000000..3988c9e
+index 0000000..c6d98d6
 --- /dev/null
 +++ b/man/man8/firewalld_selinux.8
-@@ -0,0 +1,105 @@
+@@ -0,0 +1,121 @@
 +.TH  "firewalld_selinux"  "8"  "firewalld" "dwalsh at redhat.com" "firewalld SELinux Policy documentation"
 +.SH "NAME"
 +firewalld_selinux \- Security Enhanced Linux Policy for the firewalld processes
@@ -14642,6 +14998,14 @@ index 0000000..3988c9e
 +
 +.EX
 +.PP
++.B firewalld_etc_rw_t 
++.EE
++
++- Set files with the firewalld_etc_rw_t type, if you want to treat the files as firewalld etc read/write content.
++
++
++.EX
++.PP
 +.B firewalld_exec_t 
 +.EE
 +
@@ -14658,6 +15022,14 @@ index 0000000..3988c9e
 +
 +.EX
 +.PP
++.B firewalld_unit_file_t 
++.EE
++
++- Set files with the firewalld_unit_file_t type, if you want to treat the files as firewalld unit content.
++
++
++.EX
++.PP
 +.B firewalld_var_log_t 
 +.EE
 +
@@ -15200,7 +15572,7 @@ index 0000000..f012b28
 +selinux(8), freshclam(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/fsadm_selinux.8 b/man/man8/fsadm_selinux.8
 new file mode 100644
-index 0000000..22e0acf
+index 0000000..9400571
 --- /dev/null
 +++ b/man/man8/fsadm_selinux.8
 @@ -0,0 +1,91 @@
@@ -15233,7 +15605,7 @@ index 0000000..22e0acf
 +.br
 +.TP 5
 +Paths: 
-+/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /usr/sbin/raidstart, /sbin/mkreiserfs, /sbin/hdparm, /sbin/sfdisk, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /sbin/tune2fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /usr/sbin/mke2fs, /sbin/losetup.*, /sbin/resize.*fs, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /sbin/dosfsck, /usr/sbin/mkfs.*, /sbin/e2label, /lib/systemd/systemd-fsck, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/
 e2fsck, /sbin/fsck.*, /usr/sbin/install-mbr, /usr/sbin/clubufflush, /sbin/jfs_.*, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /usr/sbin/cfdisk, /usr/sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid
++/sbin/partx, /usr/sbin/fdisk, /sbin/mkfs.*, /sbin/blockdev, /usr/sbin/sfdisk, /sbin/dumpe2fs, /sbin/mkdosfs, /sbin/mke2fs, /sbin/e4fsck, /usr/sbin/dosfsck, /usr/sbin/blockdev, /usr/sbin/lsraid, /usr/bin/partition_uuid, /sbin/raidautorun, /usr/sbin/findfs, /usr/sbin/scsi_info, /usr/sbin/raidstart, /sbin/mkreiserfs, /sbin/sfdisk, /usr/sbin/raidautorun, /usr/sbin/make_reiser4, /usr/sbin/partx, /usr/sbin/resize.*fs, /usr/sbin/fsck.*, /usr/sbin/dumpe2fs, /usr/sbin/mkdosfs, /sbin/blkid, /usr/sbin/hdparm, /sbin/make_reiser4, /sbin/dump, /sbin/swapon.*, /usr/sbin/jfs_.*, /usr/bin/scsi_unique_id, /sbin/findfs, /usr/sbin/smartctl, /usr/bin/syslinux, /usr/sbin/blkid, /usr/sbin/mke2fs, /sbin/tune2fs, /sbin/losetup.*, /sbin/resize.*fs, /usr/sbin/tune2fs, /usr/lib/systemd/systemd-fsck, /sbin/parted, /sbin/partprobe, /sbin/dosfsck, /usr/sbin/mkfs.*, /sbin/e2label, /lib/systemd/systemd-fsck, /usr/sbin/reiserfs(ck|tune), /sbin/mkraid, /sbin/install-mbr, /sbin/scsi_info, /sbin/e2fsck, /sbin/
 fsck.*, /usr/sbin/install-mbr, /usr/sbin/clubufflush, /sbin/jfs_.*, /sbin/raidstart, /sbin/lsraid, /usr/sbin/losetup.*, /usr/sbin/mkreiserfs, /usr/sbin/swapon.*, /usr/sbin/e2fsck, /sbin/reiserfs(ck|tune), /usr/sbin/e4fsck, /usr/sbin/dump, /usr/sbin/partprobe, /sbin/fdisk, /usr/sbin/e2label, /usr/sbin/parted, /usr/bin/raw, /sbin/mke4fs, /usr/sbin/cfdisk, /usr/sbin/mke4fs, /sbin/cfdisk, /usr/sbin/mkraid, /sbin/hdparm
 +
 +.EX
 +.PP
@@ -15854,7 +16226,7 @@ index 0000000..8903b4b
 +selinux(8), ftpdctl(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/games_selinux.8 b/man/man8/games_selinux.8
 new file mode 100644
-index 0000000..32d0898
+index 0000000..4ba69f7
 --- /dev/null
 +++ b/man/man8/games_selinux.8
 @@ -0,0 +1,117 @@
@@ -15905,7 +16277,7 @@ index 0000000..32d0898
 +.br
 +.TP 5
 +Paths: 
-+/usr/bin/sol, /usr/bin/blackjack, /usr/bin/micq, /usr/bin/gnome-stones, /usr/bin/kshisen, /usr/bin/klickety, /usr/bin/lskat, /usr/bin/atlantik, /usr/bin/ksame, /usr/bin/kgoldrunner, /usr/bin/lskatproc, /usr/bin/gataxx, /usr/bin/katomic, /usr/bin/Maelstrom, /usr/bin/ksmiletris, /usr/bin/gnect, /usr/bin/gnotravex, /usr/bin/ksirtet, /usr/bin/ktuberling, /usr/bin/kbounce, /usr/bin/kenolaba, /usr/bin/kmahjongg, /usr/bin/ksnake, /usr/bin/kbackgammon, /usr/games/.*, /usr/bin/gnobots2, /usr/bin/civserver.*, /usr/bin/civclient.*, /usr/bin/kwin4, /usr/bin/mahjongg, /usr/bin/kblackbox, /usr/bin/kjumpingcube, /usr/bin/gnotski, /usr/bin/gnomine, /usr/bin/kbattleship, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/kolf, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/ksokoban, /usr/bin/kpoker, /usr/lib/games(/.*)?, /usr/bin/glines, /usr/bin/kfouleggs, /usr/bin/ktron, /usr/bin/kmines, /usr/bin/gnibbles, /usr/bin/kspaceduel, /usr/bin/kpat, /usr/bin/iagno, /usr/bin/gtali, /usr/bin/klines
 , /usr/bin/kwin4proc
++/usr/bin/sol, /usr/bin/blackjack, /usr/bin/micq, /usr/bin/gnome-stones, /usr/bin/gnotski, /usr/bin/kshisen, /usr/bin/klickety, /usr/bin/lskat, /usr/bin/atlantik, /usr/bin/ksame, /usr/bin/kgoldrunner, /usr/bin/lskatproc, /usr/bin/gataxx, /usr/bin/katomic, /usr/bin/Maelstrom, /usr/bin/ksmiletris, /usr/bin/gnotravex, /usr/bin/ksirtet, /usr/bin/ktuberling, /usr/bin/kbounce, /usr/bin/kenolaba, /usr/bin/kmahjongg, /usr/bin/ksnake, /usr/games/.*, /usr/bin/gnobots2, /usr/bin/civserver.*, /usr/bin/civclient.*, /usr/bin/kwin4, /usr/bin/ktron, /usr/bin/mahjongg, /usr/bin/kbackgammon, /usr/bin/kblackbox, /usr/bin/kjumpingcube, /usr/bin/gnect, /usr/bin/kbattleship, /usr/bin/same-gnome, /usr/bin/kasteroids, /usr/bin/ksokoban, /usr/bin/kolf, /usr/bin/konquest, /usr/bin/kreversi, /usr/bin/kpoker, /usr/lib/games(/.*)?, /usr/bin/glines, /usr/bin/kfouleggs, /usr/bin/kmines, /usr/bin/gnibbles, /usr/bin/kspaceduel, /usr/bin/gnomine, /usr/bin/kpat, /usr/bin/iagno, /usr/bin/gtali, /usr/bin/klines
 , /usr/bin/kwin4proc
 +
 +.EX
 +.PP
@@ -15977,10 +16349,10 @@ index 0000000..32d0898
 +selinux(8), games(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/gconfd_selinux.8 b/man/man8/gconfd_selinux.8
 new file mode 100644
-index 0000000..535656e
+index 0000000..6146c3a
 --- /dev/null
 +++ b/man/man8/gconfd_selinux.8
-@@ -0,0 +1,79 @@
+@@ -0,0 +1,107 @@
 +.TH  "gconfd_selinux"  "8"  "gconfd" "dwalsh at redhat.com" "gconfd SELinux Policy documentation"
 +.SH "NAME"
 +gconfd_selinux \- Security Enhanced Linux Policy for the gconfd processes
@@ -16002,6 +16374,34 @@ index 0000000..535656e
 +
 +.EX
 +.PP
++.B gconf_etc_t 
++.EE
++
++- Set files with the gconf_etc_t type, if you want to store gconf files in the /etc directories.
++
++
++.EX
++.PP
++.B gconf_home_t 
++.EE
++
++- Set files with the gconf_home_t type, if you want to store gconf files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/root/\.gconf(d)?(/.*)?, /root/\.local.*
++
++.EX
++.PP
++.B gconf_tmp_t 
++.EE
++
++- Set files with the gconf_tmp_t type, if you want to store gconf temporary files in the /tmp directories.
++
++
++.EX
++.PP
 +.B gconfd_exec_t 
 +.EE
 +
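Review bot: The path list added for `gconf_home_t` includes `/root/\.local.*`, which covers everything whose path begins with `/root/.local`, not only gconf data. If the policy really assigns the type that broadly, any domain allowed to manage `gconf_home_t` would presumably also reach unrelated per-user application data under `.local`; the file-context source is outside this chunk, so that needs confirming there. The description also says "users home directory" while only `/root` paths are listed, so I would either narrow the entry to the gconf directories (`/root/\.gconf(d)?(/.*)?`) or say in the text why `.local` is included.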
@@ -18392,7 +18792,7 @@ index 0000000..05353ce
 +.SH "SEE ALSO"
 +selinux(8), hplip(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
-index 16e8b13..9c093cd 100644
+index 16e8b13..335b09f 100644
 --- a/man/man8/httpd_selinux.8
 +++ b/man/man8/httpd_selinux.8
 @@ -1,120 +1,1514 @@
@@ -18850,7 +19250,7 @@ index 16e8b13..9c093cd 100644
 +.br
 +.TP 5
 +Paths: 
-+/var/cache/php-.*, /var/cache/mediawiki(/.*)?, /var/cache/php-eaccelerator(/.*)?, /var/cache/lighttpd(/.*)?, /var/cache/php-mmcache(/.*)?, /var/cache/mod_gnutls(/.*)?, /var/cache/mod_ssl(/.*)?, /var/cache/jetty(/.*)?, /var/cache/mod_.*, /var/cache/ssl.*\.sem, /var/cache/httpd(/.*)?, /var/cache/rt3(/.*)?, /var/cache/mason(/.*)?, /var/cache/mod_proxy(/.*)?
++/var/cache/php-.*, /var/cache/mediawiki(/.*)?, /var/cache/lighttpd(/.*)?, /var/cache/php-mmcache(/.*)?, /var/cache/mod_gnutls(/.*)?, /var/cache/mod_ssl(/.*)?, /var/cache/jetty(/.*)?, /var/cache/mod_.*, /var/cache/ssl.*\.sem, /var/cache/httpd(/.*)?, /var/cache/rt3(/.*)?, /var/cache/php-eaccelerator(/.*)?, /var/cache/mason(/.*)?, /var/cache/mod_proxy(/.*)?
  
  .EX
 -setsebool -P httpd_can_sendmail 1
@@ -18955,7 +19355,7 @@ index 16e8b13..9c093cd 100644
 +.br
 +.TP 5
 +Paths: 
-+/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /var/lib/libra/.httpd.d(/.*)?, /etc/cherokee(/.*)?
++/etc/vhosts, /etc/httpd(/.*)?, /etc/apache(2)?(/.*)?, /etc/apache-ssl(2)?(/.*)?, /etc/lighttpd(/.*)?, /var/lib/stickshift/.httpd.d(/.*)?, /etc/cherokee(/.*)?
 +
 +.EX
 +.PP
@@ -19095,7 +19495,7 @@ index 16e8b13..9c093cd 100644
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/apache(2)?, /usr/bin/mongrel_rails, /usr/lib/apache-ssl/.+, /usr/sbin/httpd(\.worker)?, /usr/sbin/cherokee, /usr/sbin/apache-ssl(2)?, /usr/sbin/lighttpd
++/usr/sbin/apache(2)?, /usr/bin/mongrel_rails, /usr/lib/apache-ssl/.+, /usr/sbin/httpd\.event, /usr/sbin/httpd(\.worker)?, /usr/sbin/cherokee, /usr/sbin/apache-ssl(2)?, /usr/sbin/lighttpd
 +
 +.EX
 +.PP
@@ -19143,7 +19543,7 @@ index 16e8b13..9c093cd 100644
 +.br
 +.TP 5
 +Paths: 
-+/var/www/git/gitweb\.cgi, /var/www/gitweb-caching/gitweb\.cgi, /var/www/cgi-bin/cgit
++/var/www/gitweb-caching/gitweb\.cgi, /var/www/cgi-bin/cgit, /var/www/git/gitweb\.cgi
 +
 +.EX
 +.PP
@@ -19727,7 +20127,7 @@ index 16e8b13..9c093cd 100644
 +.br
 +.TP 5
 +Paths: 
-+/lib/systemd/system/httpd.?\.service, /usr/lib/systemd/system/httpd.?\.service
++/usr/lib/systemd/system/httpd.?\.service, /lib/systemd/system/jetty.*\.service, /lib/systemd/system/httpd.*\.service
 +
 +.EX
 +.PP
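Review bot: The unit-file paths are now asymmetric between the two prefixes: `/lib/systemd/system/` gets `httpd.*\.service` and `jetty.*\.service`, while `/usr/lib/systemd/system/` still lists only `httpd.?\.service`. Unless a path-equivalence rule maps one prefix onto the other (nothing in this chunk shows one), a jetty unit or a longer-named httpd unit installed under `/usr/lib` would not match any listed pattern and would end up with a different label than intended. The named_selinux.8 hunk further down has the same shape, adding `unbound.service` and `unbound-keygen.service` only under `/lib`. I would add the counterparts, e.g. `/usr/lib/systemd/system/jetty.*\.service` and `/usr/lib/systemd/system/httpd.*\.service`, in the file-context source this page appears to be generated from.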
@@ -20516,7 +20916,7 @@ index 0000000..122a8f9
 +selinux(8), inetd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/init_selinux.8 b/man/man8/init_selinux.8
 new file mode 100644
-index 0000000..d01e375
+index 0000000..ce0a398
 --- /dev/null
 +++ b/man/man8/init_selinux.8
 @@ -0,0 +1,167 @@
@@ -20609,7 +21009,7 @@ index 0000000..d01e375
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/start-.*, /opt/nfast/scripts/init.d/(.*), /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl
++/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl
 +
 +.EX
 +.PP
@@ -20690,7 +21090,7 @@ index 0000000..d01e375
 \ No newline at end of file
 diff --git a/man/man8/initrc_selinux.8 b/man/man8/initrc_selinux.8
 new file mode 100644
-index 0000000..de7621b
+index 0000000..2fa2434
 --- /dev/null
 +++ b/man/man8/initrc_selinux.8
 @@ -0,0 +1,111 @@
@@ -20731,7 +21131,7 @@ index 0000000..de7621b
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /opt/nfast/sbin/init.d-ncipher, /usr/libexec/dcc/start-.*, /opt/nfast/scripts/init.d/(.*), /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl
++/usr/sbin/startx, /etc/rc\.d/rc, /usr/libexec/dcc/stop-.*, /etc/sysconfig/network-scripts/ifup-ipsec, /usr/lib/systemd/fedora[^/]*, /lib/systemd/fedora[^/]*, /usr/sbin/start-dirsrv, /usr/sbin/open_init_pty, /usr/sbin/ldap-agent, /etc/X11/prefdm, /usr/share/system-config-services/system-config-services-mechanism\.py, /etc/rc\.d/rc\.[^/]+, /etc/rc\.d/init\.d/.*, /usr/libexec/dcc/start-.*, /usr/sbin/apachectl, /usr/sbin/restart-dirsrv, /etc/init\.d/.*, /usr/bin/sepg_ctl
 +
 +.EX
 +.PP
@@ -20807,7 +21207,7 @@ index 0000000..de7621b
 +selinux(8), initrc(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/innd_selinux.8 b/man/man8/innd_selinux.8
 new file mode 100644
-index 0000000..be60ba6
+index 0000000..541f9e9
 --- /dev/null
 +++ b/man/man8/innd_selinux.8
 @@ -0,0 +1,145 @@
@@ -20848,7 +21248,7 @@ index 0000000..be60ba6
 +.br
 +.TP 5
 +Paths: 
-+/usr/bin/suck, /usr/lib/news/bin/convdate, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/makedbz, /usr/lib/news/bin/innd, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /etc/news/boot, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/ne
 ws/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf
++/usr/bin/suck, /usr/lib/news/bin/convdate, /usr/lib/news/bin/filechan, /usr/lib/news/bin/nntpget, /usr/sbin/in\.nnrpd, /usr/lib/news/bin/innfeed, /usr/lib/news/bin/shlock, /usr/lib/news/bin/archive, /usr/lib/news/bin/innconfval, /usr/lib/news/bin/innd, /usr/lib/news/bin/actsync, /usr/lib/news/bin/innxbatch, /usr/bin/inews, /usr/lib/news/bin/batcher, /usr/sbin/innd.*, /usr/lib/news/bin/expire, /usr/lib/news/bin/nnrpd, /usr/lib/news/bin/inndstart, /usr/lib/news/bin/ctlinnd, /usr/bin/rpost, /usr/lib/news/bin/buffchan, /etc/news/boot, /usr/lib/news/bin/ovdb_recover, /usr/lib/news/bin/startinnfeed, /usr/lib/news/bin/makehistory, /usr/lib/news/bin/newsrequeue, /usr/lib/news/bin/makedbz, /usr/bin/rnews, /usr/lib/news/bin/innxmit, /usr/lib/news/bin/fastrm, /usr/lib/news/bin/getlist, /usr/lib/news/bin/sm, /usr/lib/news/bin/grephistory, /usr/lib/news/bin/rnews, /usr/lib/news/bin/overchan, /usr/lib/news/bin/cvtbatch, /usr/lib/news/bin/prunehistory, /usr/lib/news/bin/inews, /usr/lib/ne
 ws/bin/shrinkfile, /usr/lib/news/bin/expireover, /usr/lib/news/bin/inndf
 +
 +.EX
 +.PP
@@ -21275,7 +21675,7 @@ index 0000000..3273369
 +selinux(8), ipsec(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/iptables_selinux.8 b/man/man8/iptables_selinux.8
 new file mode 100644
-index 0000000..50e4467
+index 0000000..8e6b3de
 --- /dev/null
 +++ b/man/man8/iptables_selinux.8
 @@ -0,0 +1,136 @@
@@ -21325,7 +21725,7 @@ index 0000000..50e4467
 +.br
 +.TP 5
 +Paths: 
-+/sbin/ebtables-restore, /usr/sbin/ipchains.*, /usr/sbin/ip6?tables, /sbin/ebtables, /usr/sbin/ip6?tables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore
++/sbin/ebtables-restore, /usr/sbin/ipvsadm-restore, /usr/sbin/ipchains.*, /usr/sbin/ip6?tables, /sbin/ebtables, /usr/sbin/ip6?tables-restore, /usr/sbin/xtables-multi, /sbin/ipchains.*, /sbin/ip6?tables, /usr/sbin/ebtables-restore, /usr/sbin/ebtables, /sbin/ipvsadm, /usr/sbin/ipvsadm-save, /sbin/xtables-multi, /sbin/ipvsadm-restore, /usr/sbin/ip6?tables-multi, /sbin/ip6?tables-multi, /usr/sbin/ipvsadm, /sbin/ipvsadm-save, /sbin/ip6?tables-restore
 +
 +.EX
 +.PP
@@ -21357,7 +21757,7 @@ index 0000000..50e4467
 +.br
 +.TP 5
 +Paths: 
-+/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/iptables6?.service, /lib/systemd/system/iptables6?.service, /lib/systemd/system/slapd.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/vsftpd.*, /lib/systemd/system/ppp.*, /usr/lib/systemd/system/kdump.service, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /lib/systemd/system/kdump.service, /lib/systemd/system/proftpd.*
++/lib/systemd/system/vsftpd.*, /usr/lib/systemd/system/proftpd.*, /usr/lib/systemd/system/iptables6?.service, /lib/systemd/system/ip6tables.service, /lib/systemd/system/slapd.*, /usr/lib/systemd/system/vsftpd.*, /lib/systemd/system/ppp.*, /usr/lib/systemd/system/kdump.service, /usr/lib/systemd/system/slapd.*, /usr/lib/systemd/system/ppp.*, /lib/systemd/system/kdump.service, /lib/systemd/system/proftpd.*, /lib/systemd/system/iptables.service
 +
 +.EX
 +.PP
@@ -21747,10 +22147,10 @@ index 0000000..3320869
 \ No newline at end of file
 diff --git a/man/man8/iscsid_selinux.8 b/man/man8/iscsid_selinux.8
 new file mode 100644
-index 0000000..c15d800
+index 0000000..4f0d9c3
 --- /dev/null
 +++ b/man/man8/iscsid_selinux.8
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,145 @@
 +.TH  "iscsid_selinux"  "8"  "iscsid" "dwalsh at redhat.com" "iscsid SELinux Policy documentation"
 +.SH "NAME"
 +iscsid_selinux \- Security Enhanced Linux Policy for the iscsid processes
@@ -21772,6 +22172,50 @@ index 0000000..c15d800
 +
 +.EX
 +.PP
++.B iscsi_lock_t 
++.EE
++
++- Set files with the iscsi_lock_t type, if you want to treat the files as iscsi lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B iscsi_log_t 
++.EE
++
++- Set files with the iscsi_log_t type, if you want to treat the data as iscsi log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/iscsiuio\.log.*, /var/log/brcm-iscsi\.log
++
++.EX
++.PP
++.B iscsi_tmp_t 
++.EE
++
++- Set files with the iscsi_tmp_t type, if you want to store iscsi temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B iscsi_var_lib_t 
++.EE
++
++- Set files with the iscsi_var_lib_t type, if you want to store the iscsi files under the /var/lib directory.
++
++
++.EX
++.PP
++.B iscsi_var_run_t 
++.EE
++
++- Set files with the iscsi_var_run_t type, if you want to store the iscsi files under the /run directory.
++
++
++.EX
++.PP
 +.B iscsid_exec_t 
 +.EE
 +
@@ -24826,7 +25270,7 @@ index 0000000..f69947a
 \ No newline at end of file
 diff --git a/man/man8/lpr_selinux.8 b/man/man8/lpr_selinux.8
 new file mode 100644
-index 0000000..d9bcb8b
+index 0000000..90d47ef
 --- /dev/null
 +++ b/man/man8/lpr_selinux.8
 @@ -0,0 +1,83 @@
@@ -24859,7 +25303,7 @@ index 0000000..d9bcb8b
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/accept, /opt/gutenprint/s?bin(/.*)?, /usr/bin/cancel(\.cups)?, /usr/bin/lp(\.cups)?, /usr/bin/lpstat(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/local/linuxprinter/bin/l?lpr, /usr/bin/lpoptions, /usr/bin/lpq(\.cups)?, /usr/sbin/lpadmin, /usr/sbin/lpinfo, /usr/bin/lpr(\.cups)?, /usr/sbin/lpmove, /usr/bin/lprm(\.cups)?
++/usr/sbin/accept, /usr/bin/cancel(\.cups)?, /usr/bin/lp(\.cups)?, /usr/bin/lpstat(\.cups)?, /usr/sbin/lpc(\.cups)?, /usr/local/linuxprinter/bin/l?lpr, /usr/bin/lpoptions, /usr/sbin/lpadmin, /usr/sbin/lpinfo, /opt/gutenprint/s?bin(/.*)?, /usr/bin/lpr(\.cups)?, /usr/bin/lpq(\.cups)?, /usr/sbin/lpmove, /usr/bin/lprm(\.cups)?
 +
 +.EX
 +.PP
@@ -25032,7 +25476,7 @@ index 0000000..087cd7b
 +selinux(8), lsassd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/lvm_selinux.8 b/man/man8/lvm_selinux.8
 new file mode 100644
-index 0000000..6c83eec
+index 0000000..20c9a41
 --- /dev/null
 +++ b/man/man8/lvm_selinux.8
 @@ -0,0 +1,141 @@
@@ -25079,7 +25523,7 @@ index 0000000..6c83eec
 +.br
 +.TP 5
 +Paths: 
-+/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgmerge, /sbin/vgscan\.static, /usr/sbin/pvdisplay, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /sbin/multipath\.static, /usr/sbin/vgremove, /usr/sbin/vgmknodes, /usr/lib/lvm-10/.*, /sbin/pvs, /usr/sbin/vgwrapper, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvcreate, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgscan, /sbin/lvremove, /sbin/pvscan, /lib/lvm-200/.*, /usr/sbin/lvremove, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/sbin/lvm, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /sbin/vgchange, /usr/sbin/multipath\.static, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvmiopversion, /usr/sbin/vgextend, /sb
 in/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /sbin/lvmiopversion, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /sbin/vgsplit, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /usr/sbin/lvcreate, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /sbin/vgreduce, /usr/sbin/lvreduce, /sbin/lvrename, /lib/systemd/systemd-cryptsetup, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /sbin/vgexport, /usr/sbin/lvchange, /sbi
 n/lvs, /usr/sbin/lvmsar, /usr/sbin/vgdisplay, /usr/sbin/vgchange, /sbin/kpartx, /usr/sbin/pvs, /lib/lvm-10/.*, /sbin/lvscan, /sbin/vgremove, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/pvremove, /usr/sbin/e2fsadm
++/sbin/dmsetup, /usr/sbin/dmsetup, /usr/sbin/pvchange, /sbin/dmraid, /sbin/pvremove, /sbin/vgextend, /sbin/vgmerge, /sbin/vgscan\.static, /usr/sbin/pvdisplay, /sbin/vgrename, /usr/sbin/vgck, /sbin/lvdisplay, /usr/sbin/vgremove, /usr/lib/lvm-10/.*, /sbin/pvs, /sbin/lvmdiskscan, /sbin/lvresize, /sbin/vgmknodes, /usr/sbin/lvdisplay, /usr/sbin/mount\.crypt, /usr/sbin/vgsplit, /usr/lib/systemd/systemd-cryptsetup, /sbin/pvmove, /sbin/multipath\.static, /usr/sbin/pvcreate, /usr/sbin/lvmdiskscan, /usr/sbin/vgcfgbackup, /usr/sbin/vgimport, /sbin/vgck, /sbin/pvscan, /usr/sbin/lvmchange, /sbin/lvreduce, /sbin/vgremove, /sbin/vgscan, /sbin/lvremove, /lib/lvm-200/.*, /usr/sbin/lvremove, /sbin/pvcreate, /usr/sbin/lvrename, /usr/sbin/lvmsadc, /usr/sbin/lvm, /usr/lib/lvm-200/.*, /usr/sbin/pvdata, /sbin/vgchange, /sbin/lvm\.static, /sbin/vgcfgbackup, /sbin/e2fsadm, /sbin/lvm, /sbin/pvdata, /usr/sbin/lvmiopversion, /usr/sbin/vgextend, /sbin/lvextend, /usr/lib/udev/udisks-lvm-pv-export, /sbin/
 vgcfgrestore, /usr/sbin/vgscan, /sbin/vgs, /sbin/lvmchange, /sbin/vgimport, /usr/sbin/lvscan, /usr/sbin/pvscan, /usr/sbin/vgreduce, /usr/sbin/dmsetup\.static, /usr/sbin/vgchange\.static, /usr/sbin/vgexport, /usr/sbin/lvextend, /usr/sbin/cryptsetup, /usr/sbin/dmraid, /usr/sbin/lvresize, /sbin/dmsetup\.static, /sbin/lvmsar, /usr/sbin/vgs, /usr/sbin/vgrename, /usr/sbin/lvs, /sbin/vgchange\.static, /usr/sbin/pvmove, /sbin/lvmsadc, /usr/sbin/vgmknodes, /sbin/lvmiopversion, /usr/sbin/vgscan\.static, /sbin/pvdisplay, /sbin/vgsplit, /usr/sbin/vgcfgrestore, /usr/sbin/kpartx, /sbin/cryptsetup, /usr/sbin/lvcreate, /lib/udev/udisks-lvm-pv-export, /sbin/vgwrapper, /sbin/lvchange, /sbin/pvchange, /usr/sbin/lvm\.static, /usr/sbin/multipathd, /sbin/mount\.crypt, /sbin/vgcreate, /sbin/vgreduce, /usr/sbin/lvreduce, /usr/sbin/vgwrapper, /sbin/lvrename, /lib/systemd/systemd-cryptsetup, /sbin/multipathd, /usr/sbin/vgcreate, /usr/sbin/vgmerge, /sbin/vgexport, /usr/sbin/lvchange, /sbin/lvs, /usr/s
 bin/lvmsar, /usr/sbin/multipath\.static, /usr/sbin/vgdisplay, /usr/sbin/vgchange, /sbin/kpartx, /usr/sbin/pvs, /lib/lvm-10/.*, /sbin/lvscan, /sbin/lvcreate, /sbin/vgdisplay, /usr/sbin/pvremove, /usr/sbin/e2fsadm
 +
 +.EX
 +.PP
@@ -25486,10 +25930,10 @@ index 0000000..96c1b69
 +selinux(8), lwsmd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/mail_selinux.8 b/man/man8/mail_selinux.8
 new file mode 100644
-index 0000000..c4d1d16
+index 0000000..bd12996
 --- /dev/null
 +++ b/man/man8/mail_selinux.8
-@@ -0,0 +1,269 @@
+@@ -0,0 +1,277 @@
 +.TH  "mail_selinux"  "8"  "mail" "dwalsh at redhat.com" "mail SELinux Policy documentation"
 +.SH "NAME"
 +mail_selinux \- Security Enhanced Linux Policy for the mail processes
@@ -25543,6 +25987,14 @@ index 0000000..c4d1d16
 +
 +.EX
 +.PP
++.B mail_home_rw_t 
++.EE
++
++- Set files with the mail_home_rw_t type, if you want to treat the files as mail home read/write content.
++
++
++.EX
++.PP
 +.B mail_home_t 
 +.EE
 +
@@ -25619,7 +26071,7 @@ index 0000000..c4d1d16
 +.br
 +.TP 5
 +Paths: 
-+/etc/mailman(/.*)?, /var/spool/mailman(/.*)?, /var/lib/mailman(/.*)?
++/etc/mailman.*, /var/spool/mailman.*, /var/lib/mailman.*
 +
 +.EX
 +.PP
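Review bot: The new pattern `/etc/mailman.*` (likewise `/var/spool/mailman.*` and `/var/lib/mailman.*`) is no longer anchored at a directory boundary the way `/etc/mailman(/.*)?` was, so any path that merely starts with that prefix now falls under this mailman type, not just the directory and its subtree. The same widening appears in the next two hunks of this file (`/usr/lib/mailman.*/...`) and in the three corresponding hunks of mailman_selinux.8. If the goal is to cover additional mailman directories, I would keep `/etc/mailman(/.*)?` and add one anchored entry per extra directory, so unrelated files sharing the prefix are not relabelled. These pages look generated, so the change presumably belongs in the file-context source, which is outside this chunk.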
@@ -25647,7 +26099,7 @@ index 0000000..c4d1d16
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/mailman/mail/mailman, /usr/lib/mailman/scripts/mailman, /usr/share/doc/mailman.*/mm-handler.*, /usr/lib/mailman/bin/mm-handler.*, /usr/lib/mailman/bin/mailmanctl
++/usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.*, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman
 +
 +.EX
 +.PP
@@ -25667,7 +26119,7 @@ index 0000000..c4d1d16
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/mailman/bin/qrunner, /usr/lib/mailman/cron/.*
++/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner
 +
 +.EX
 +.PP
@@ -25762,7 +26214,7 @@ index 0000000..c4d1d16
 \ No newline at end of file
 diff --git a/man/man8/mailman_selinux.8 b/man/man8/mailman_selinux.8
 new file mode 100644
-index 0000000..1b5f5f7
+index 0000000..2cc348b
 --- /dev/null
 +++ b/man/man8/mailman_selinux.8
 @@ -0,0 +1,169 @@
@@ -25825,7 +26277,7 @@ index 0000000..1b5f5f7
 +.br
 +.TP 5
 +Paths: 
-+/etc/mailman(/.*)?, /var/spool/mailman(/.*)?, /var/lib/mailman(/.*)?
++/etc/mailman.*, /var/spool/mailman.*, /var/lib/mailman.*
 +
 +.EX
 +.PP
@@ -25853,7 +26305,7 @@ index 0000000..1b5f5f7
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/mailman/mail/mailman, /usr/lib/mailman/scripts/mailman, /usr/share/doc/mailman.*/mm-handler.*, /usr/lib/mailman/bin/mm-handler.*, /usr/lib/mailman/bin/mailmanctl
++/usr/lib/mailman.*/mail/mailman, /usr/lib/mailman.*/bin/mm-handler.*, /usr/share/doc/mailman.*/mm-handler.*, /usr/lib/mailman.*/bin/mailmanctl, /usr/lib/mailman.*/scripts/mailman
 +
 +.EX
 +.PP
@@ -25873,7 +26325,7 @@ index 0000000..1b5f5f7
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/mailman/bin/qrunner, /usr/lib/mailman/cron/.*
++/usr/lib/mailman.*/cron/.*, /usr/lib/mailman.*/bin/qrunner
 +
 +.EX
 +.PP
@@ -25937,10 +26389,10 @@ index 0000000..1b5f5f7
 +selinux(8), mailman(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/matahari_selinux.8 b/man/man8/matahari_selinux.8
 new file mode 100644
-index 0000000..378c15f
+index 0000000..6cbe09a
 --- /dev/null
 +++ b/man/man8/matahari_selinux.8
-@@ -0,0 +1,223 @@
+@@ -0,0 +1,243 @@
 +.TH  "matahari_selinux"  "8"  "matahari" "dwalsh at redhat.com" "matahari SELinux Policy documentation"
 +.SH "NAME"
 +matahari_selinux \- Security Enhanced Linux Policy for the matahari processes
@@ -26028,6 +26480,26 @@ index 0000000..378c15f
 +
 +.EX
 +.PP
++.B matahari_rpcd_exec_t 
++.EE
++
++- Set files with the matahari_rpcd_exec_t type, if you want to transition an executable to the matahari_rpcd_t domain.
++
++
++.EX
++.PP
++.B matahari_rpcd_unit_file_t 
++.EE
++
++- Set files with the matahari_rpcd_unit_file_t type, if you want to treat the files as matahari rpcd unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/matahari-rpc.service, /lib/systemd/system/matahari-rpc.service
++
++.EX
++.PP
 +.B matahari_serviced_exec_t 
 +.EE
 +
@@ -26135,7 +26607,7 @@ index 0000000..378c15f
 +The following process types are defined for matahari:
 +
 +.EX
-+.B matahari_serviced_t, matahari_sysconfigd_t, matahari_hostd_t, matahari_netd_t 
++.B matahari_serviced_t, matahari_sysconfigd_t, matahari_hostd_t, matahari_netd_t, matahari_rpcd_t 
 +.EE
 +.PP
 +Note: 
@@ -27091,7 +27563,7 @@ index 0000000..9744fa7
 \ No newline at end of file
 diff --git a/man/man8/mozilla_selinux.8 b/man/man8/mozilla_selinux.8
 new file mode 100644
-index 0000000..905f994
+index 0000000..2b94a8b
 --- /dev/null
 +++ b/man/man8/mozilla_selinux.8
 @@ -0,0 +1,179 @@
@@ -27156,7 +27628,7 @@ index 0000000..905f994
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/galeon/galeon, /usr/lib/netscape/.+/communicator/communicator-smotif\.real, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/epiphany-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/netscape/base-4/wrapper, /usr/bin/mozilla-snapshot, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/bin/netscape, /usr/bin/mozilla-[0-9].*, /usr/lib/firefox[^/]*/mozilla-.*, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla, /usr/bin/epiphany
++/usr/lib/[^/]*firefox[^/]*/firefox, /usr/lib/galeon/galeon, /usr/lib/netscape/.+/communicator/communicator-smotif\.real, /usr/bin/netscape, /usr/bin/mozilla-bin-[0-9].*, /usr/bin/epiphany-bin, /usr/lib/mozilla[^/]*/reg.+, /usr/lib/netscape/base-4/wrapper, /usr/bin/mozilla-snapshot, /usr/lib/[^/]*firefox[^/]*/firefox-bin, /usr/bin/mozilla-[0-9].*, /usr/lib/firefox[^/]*/mozilla-.*, /usr/lib/mozilla[^/]*/mozilla-.*, /usr/bin/mozilla, /usr/bin/epiphany
 +
 +.EX
 +.PP
@@ -28389,10 +28861,10 @@ index 0000000..6bce1f8
 +selinux(8), mysqlmanagerd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/nagios_selinux.8 b/man/man8/nagios_selinux.8
 new file mode 100644
-index 0000000..f740a6e
+index 0000000..c1343c2
 --- /dev/null
 +++ b/man/man8/nagios_selinux.8
-@@ -0,0 +1,217 @@
+@@ -0,0 +1,225 @@
 +.TH  "nagios_selinux"  "8"  "nagios" "dwalsh at redhat.com" "nagios SELinux Policy documentation"
 +.SH "NAME"
 +nagios_selinux \- Security Enhanced Linux Policy for the nagios processes
@@ -28436,7 +28908,7 @@ index 0000000..f740a6e
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/nagios/plugins/check_linux_raid, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_disk, /usr/lib/nagios/plugins/check_disk_smb
++/usr/lib/nagios/plugins/check_linux_raid, /usr/lib/nagios/plugins/check_disk_smb, /usr/lib/nagios/plugins/check_ide_smart, /usr/lib/nagios/plugins/check_disk
 +
 +.EX
 +.PP
@@ -28456,6 +28928,14 @@ index 0000000..f740a6e
 +
 +.EX
 +.PP
++.B nagios_eventhandler_plugin_tmp_t 
++.EE
++
++- Set files with the nagios_eventhandler_plugin_tmp_t type, if you want to store nagios eventhandler plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
 +.B nagios_exec_t 
 +.EE
 +
@@ -28504,7 +28984,7 @@ index 0000000..f740a6e
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/nagios/plugins/check_http, /usr/lib/na
 gios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_dns
++/usr/lib/nagios/plugins/check_time, /usr/lib/nagios/plugins/check_dhcp, /usr/lib/nagios/plugins/check_radius, /usr/lib/nagios/plugins/check_nrpe, /usr/lib/nagios/plugins/check_smtp, /usr/lib/nagios/plugins/check_sip, /usr/lib/nagios/plugins/check_ssh, /usr/lib/nagios/plugins/check_pgsql, /usr/lib/nagios/plugins/check_ntp.*, /usr/lib/nagios/plugins/check_ldap, /usr/lib/nagios/plugins/check_real, /usr/lib/nagios/plugins/check_ping, /usr/lib/nagios/plugins/check_nt, /usr/lib/nagios/plugins/check_game, /usr/lib/nagios/plugins/check_breeze, /usr/lib/nagios/plugins/check_tcp, /usr/lib/nagios/plugins/check_rpc, /usr/lib/nagios/plugins/check_oracle, /usr/lib/nagios/plugins/check_cluster, /usr/lib/nagios/plugins/check_dummy, /usr/lib/nagios/plugins/check_ups, /usr/lib/nagios/plugins/check_ircd, /usr/lib/nagios/plugins/check_dig, /usr/lib/nagios/plugins/check_fping, /usr/lib/nagios/plugins/check_hpjd, /usr/lib/nagios/plugins/check_mysql, /usr/lib/nagios/plugins/check_icmp, /usr/lib/n
 agios/plugins/check_http, /usr/lib/nagios/plugins/check_snmp.*, /usr/lib/nagios/plugins/check_mysql_query, /usr/lib/nagios/plugins/check_dns
 +
 +.EX
 +.PP
@@ -28611,7 +29091,7 @@ index 0000000..f740a6e
 +.SH "SEE ALSO"
 +selinux(8), nagios(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/named_selinux.8 b/man/man8/named_selinux.8
-index fce0b48..b3031fd 100644
+index fce0b48..653c29b 100644
 --- a/man/man8/named_selinux.8
 +++ b/man/man8/named_selinux.8
 @@ -1,30 +1,211 @@
@@ -28771,7 +29251,7 @@ index fce0b48..b3031fd 100644
 +.br
 +.TP 5
 +Paths: 
-+/lib/systemd/system/named.service, /usr/lib/systemd/system/named.service
++/lib/systemd/system/named.service, /usr/lib/systemd/system/named.service, /lib/systemd/system/unbound.service, /lib/systemd/system/unbound-keygen.service
 +
 +.EX
 +.PP
@@ -29455,10 +29935,10 @@ index 0000000..bdc4376
 +selinux(8), newrole(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/nfsd_selinux.8 b/man/man8/nfsd_selinux.8
 new file mode 100644
-index 0000000..531f1ee
+index 0000000..e664bc1
 --- /dev/null
 +++ b/man/man8/nfsd_selinux.8
-@@ -0,0 +1,276 @@
+@@ -0,0 +1,284 @@
 +.TH  "nfsd_selinux"  "8"  "nfsd" "dwalsh at redhat.com" "nfsd SELinux Policy documentation"
 +.SH "NAME"
 +nfsd_selinux \- Security Enhanced Linux Policy for the nfsd processes
@@ -29615,6 +30095,14 @@ index 0000000..531f1ee
 +
 +.EX
 +.PP
++.B nfs_t 
++.EE
++
++- Set files with the nfs_t type, if you want to treat the files as nfs data.
++
++
++.EX
++.PP
 +.B nfsd_exec_t 
 +.EE
 +
@@ -29962,10 +30450,10 @@ index 0000000..bfcd1db
 +selinux(8), nmbd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/nova_selinux.8 b/man/man8/nova_selinux.8
 new file mode 100644
-index 0000000..8739378
+index 0000000..c55585f
 --- /dev/null
 +++ b/man/man8/nova_selinux.8
-@@ -0,0 +1,237 @@
+@@ -0,0 +1,365 @@
 +.TH  "nova_selinux"  "8"  "nova" "dwalsh at redhat.com" "nova SELinux Policy documentation"
 +.SH "NAME"
 +nova_selinux \- Security Enhanced Linux Policy for the nova processes
@@ -30009,6 +30497,14 @@ index 0000000..8739378
 +
 +.EX
 +.PP
++.B nova_ajax_unit_file_t 
++.EE
++
++- Set files with the nova_ajax_unit_file_t type, if you want to treat the files as nova ajax unit content.
++
++
++.EX
++.PP
 +.B nova_api_exec_t 
 +.EE
 +
@@ -30025,6 +30521,46 @@ index 0000000..8739378
 +
 +.EX
 +.PP
++.B nova_api_unit_file_t 
++.EE
++
++- Set files with the nova_api_unit_file_t type, if you want to treat the files as nova api unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-api\.service, /lib/systemd/system/openstack-nova-api\.service
++
++.EX
++.PP
++.B nova_cert_exec_t 
++.EE
++
++- Set files with the nova_cert_exec_t type, if you want to transition an executable to the nova_cert_t domain.
++
++
++.EX
++.PP
++.B nova_cert_tmp_t 
++.EE
++
++- Set files with the nova_cert_tmp_t type, if you want to store nova cert temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B nova_cert_unit_file_t 
++.EE
++
++- Set files with the nova_cert_unit_file_t type, if you want to treat the files as nova cert unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-cert\.service, /lib/systemd/system/openstack-nova-cert\.service
++
++.EX
++.PP
 +.B nova_compute_exec_t 
 +.EE
 +
@@ -30041,6 +30577,14 @@ index 0000000..8739378
 +
 +.EX
 +.PP
++.B nova_compute_unit_file_t 
++.EE
++
++- Set files with the nova_compute_unit_file_t type, if you want to treat the files as nova compute unit content.
++
++
++.EX
++.PP
 +.B nova_direct_exec_t 
 +.EE
 +
@@ -30057,6 +30601,18 @@ index 0000000..8739378
 +
 +.EX
 +.PP
++.B nova_direct_unit_file_t 
++.EE
++
++- Set files with the nova_direct_unit_file_t type, if you want to treat the files as nova direct unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-ajax-console-proxy\.service, /lib/systemd/system/openstack-nova-direct-api\.service, /lib/systemd/system/openstack-nova-ajax-console-proxy\.service, /usr/lib/systemd/system/openstack-nova-direct-api\.service
++
++.EX
++.PP
 +.B nova_log_t 
 +.EE
 +
@@ -30081,6 +30637,18 @@ index 0000000..8739378
 +
 +.EX
 +.PP
++.B nova_network_unit_file_t 
++.EE
++
++- Set files with the nova_network_unit_file_t type, if you want to treat the files as nova network unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/openstack-nova-network\.service, /usr/lib/systemd/system/openstack-nova-network\.service
++
++.EX
++.PP
 +.B nova_objectstore_exec_t 
 +.EE
 +
@@ -30097,6 +30665,18 @@ index 0000000..8739378
 +
 +.EX
 +.PP
++.B nova_objectstore_unit_file_t 
++.EE
++
++- Set files with the nova_objectstore_unit_file_t type, if you want to treat the files as nova objectstore unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-objectstore\.service, /lib/systemd/system/openstack-nova-objectstore\.service
++
++.EX
++.PP
 +.B nova_scheduler_exec_t 
 +.EE
 +
@@ -30113,6 +30693,18 @@ index 0000000..8739378
 +
 +.EX
 +.PP
++.B nova_scheduler_unit_file_t 
++.EE
++
++- Set files with the nova_scheduler_unit_file_t type, if you want to treat the files as nova scheduler unit content.
++
++.br
++.TP 5
++Paths: 
++/usr/lib/systemd/system/openstack-nova-scheduler\.service, /lib/systemd/system/openstack-nova-scheduler\.service
++
++.EX
++.PP
 +.B nova_var_lib_t 
 +.EE
 +
@@ -30145,6 +30737,18 @@ index 0000000..8739378
 +
 +.EX
 +.PP
++.B nova_vncproxy_unit_file_t 
++.EE
++
++- Set files with the nova_vncproxy_unit_file_t type, if you want to treat the files as nova vncproxy unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/openstack-nova-vncproxy\.service, /usr/lib/systemd/system/openstack-nova-vncproxy\.service
++
++.EX
++.PP
 +.B nova_volume_exec_t 
 +.EE
 +
@@ -30159,6 +30763,18 @@ index 0000000..8739378
 +- Set files with the nova_volume_tmp_t type, if you want to store nova volume temporary files in the /tmp directories.
 +
 +
++.EX
++.PP
++.B nova_volume_unit_file_t 
++.EE
++
++- Set files with the nova_volume_unit_file_t type, if you want to treat the files as nova volume unit content.
++
++.br
++.TP 5
++Paths: 
++/lib/systemd/system/openstack-nova-volume\.service, /usr/lib/systemd/system/openstack-nova-volume\.service
++
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
 +.B semanage fcontext 
@@ -30177,7 +30793,7 @@ index 0000000..8739378
 +The following process types are defined for nova:
 +
 +.EX
-+.B nova_api_t, nova_compute_t, nova_network_t, nova_objectstore_t, nova_vncproxy_t, nova_volume_t, nova_scheduler_t, nova_ajax_t, nova_direct_t 
++.B nova_api_t, nova_compute_t, nova_network_t, nova_objectstore_t, nova_vncproxy_t, nova_volume_t, nova_scheduler_t, nova_ajax_t, nova_cert_t, nova_direct_t 
 +.EE
 +.PP
 +Note: 
@@ -30689,10 +31305,10 @@ index 0000000..cb7f3a4
 +selinux(8), ntop(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ntpd_selinux.8 b/man/man8/ntpd_selinux.8
 new file mode 100644
-index 0000000..00413de
+index 0000000..515419d
 --- /dev/null
 +++ b/man/man8/ntpd_selinux.8
-@@ -0,0 +1,177 @@
+@@ -0,0 +1,189 @@
 +.TH  "ntpd_selinux"  "8"  "ntpd" "dwalsh at redhat.com" "ntpd SELinux Policy documentation"
 +.SH "NAME"
 +ntpd_selinux \- Security Enhanced Linux Policy for the ntpd processes
@@ -30714,6 +31330,18 @@ index 0000000..00413de
 +
 +.EX
 +.PP
++.B ntp_drift_t 
++.EE
++
++- Set files with the ntp_drift_t type, if you want to treat the files as ntp drift data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/ntp(/.*)?, /etc/ntp/data(/.*)?
++
++.EX
++.PP
 +.B ntpd_exec_t 
 +.EE
 +
@@ -31965,7 +32593,7 @@ index 0000000..71d4cc4
 +selinux(8), passwd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pcscd_selinux.8 b/man/man8/pcscd_selinux.8
 new file mode 100644
-index 0000000..18eb20c
+index 0000000..07f91c9
 --- /dev/null
 +++ b/man/man8/pcscd_selinux.8
 @@ -0,0 +1,89 @@
@@ -32012,7 +32640,7 @@ index 0000000..18eb20c
 +.br
 +.TP 5
 +Paths: 
-+/var/run/pcscd\.pid, /var/run/pcscd\.comm, /var/run/pcscd\.pub, /var/run/pcscd\.events(/.*)?, /var/run/pcscd(/.*)?
++/var/run/pcscd\.pid, /var/run/pcscd\.comm, /var/run/pcscd\.events(/.*)?, /var/run/pcscd\.pub, /var/run/pcscd(/.*)?
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -32383,10 +33011,10 @@ index 0000000..bda0235
 \ No newline at end of file
 diff --git a/man/man8/pingd_selinux.8 b/man/man8/pingd_selinux.8
 new file mode 100644
-index 0000000..df20aeb
+index 0000000..1259587
 --- /dev/null
 +++ b/man/man8/pingd_selinux.8
-@@ -0,0 +1,142 @@
+@@ -0,0 +1,154 @@
 +.TH  "pingd_selinux"  "8"  "pingd" "dwalsh at redhat.com" "pingd SELinux Policy documentation"
 +.SH "NAME"
 +pingd_selinux \- Security Enhanced Linux Policy for the pingd processes
@@ -32425,6 +33053,18 @@ index 0000000..df20aeb
 +
 +.EX
 +.PP
++.B ping_exec_t 
++.EE
++
++- Set files with the ping_exec_t type, if you want to transition an executable to the ping_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/ping.*, /usr/sbin/hping2, /usr/sbin/fping.*, /bin/ping.*, /usr/sbin/send_arp
++
++.EX
++.PP
 +.B pingd_etc_t 
 +.EE
 +
@@ -33412,10 +34052,10 @@ index 0000000..581c9cb
 +selinux(8), plymouth(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/plymouthd_selinux.8 b/man/man8/plymouthd_selinux.8
 new file mode 100644
-index 0000000..f314fca
+index 0000000..a9addd8
 --- /dev/null
 +++ b/man/man8/plymouthd_selinux.8
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,125 @@
 +.TH  "plymouthd_selinux"  "8"  "plymouthd" "dwalsh at redhat.com" "plymouthd SELinux Policy documentation"
 +.SH "NAME"
 +plymouthd_selinux \- Security Enhanced Linux Policy for the plymouthd processes
@@ -33443,6 +34083,18 @@ index 0000000..f314fca
 +
 +.EX
 +.PP
++.B plymouth_exec_t 
++.EE
++
++- Set files with the plymouth_exec_t type, if you want to transition an executable to the plymouth_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/bin/plymouth, /bin/plymouth
++
++.EX
++.PP
 +.B plymouthd_exec_t 
 +.EE
 +
@@ -33801,10 +34453,10 @@ index 0000000..b14cbf9
 +selinux(8), policykit(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/polipo_selinux.8 b/man/man8/polipo_selinux.8
 new file mode 100644
-index 0000000..2fdc963
+index 0000000..ada080b
 --- /dev/null
 +++ b/man/man8/polipo_selinux.8
-@@ -0,0 +1,183 @@
+@@ -0,0 +1,191 @@
 +.TH  "polipo_selinux"  "8"  "polipo" "dwalsh at redhat.com" "polipo SELinux Policy documentation"
 +.SH "NAME"
 +polipo_selinux \- Security Enhanced Linux Policy for the polipo processes
@@ -33940,6 +34592,14 @@ index 0000000..2fdc963
 +- Set files with the polipo_pid_t type, if you want to store the polipo files under the /run directory.
 +
 +
++.EX
++.PP
++.B polipo_unit_file_t 
++.EE
++
++- Set files with the polipo_unit_file_t type, if you want to treat the files as polipo unit content.
++
++
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
 +.B semanage fcontext 
@@ -33991,10 +34651,10 @@ index 0000000..2fdc963
 \ No newline at end of file
 diff --git a/man/man8/portmap_selinux.8 b/man/man8/portmap_selinux.8
 new file mode 100644
-index 0000000..b868389
+index 0000000..7513001
 --- /dev/null
 +++ b/man/man8/portmap_selinux.8
-@@ -0,0 +1,135 @@
+@@ -0,0 +1,150 @@
 +.TH  "portmap_selinux"  "8"  "portmap" "dwalsh at redhat.com" "portmap SELinux Policy documentation"
 +.SH "NAME"
 +portmap_selinux \- Security Enhanced Linux Policy for the portmap processes
@@ -34009,6 +34669,17 @@ index 0000000..b868389
 +
 +
 +
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  portmap policy is extremely flexible and has several booleans that allow you to manipulate the policy and run portmap with the tightest access possible.
++
++
++.PP
++If you want to allow samba to act as a portmappe, you must turn on the samba_portmapper boolean.
++
++.EX
++.B setsebool -P samba_portmapper 1
++.EE
++
 +.SH FILE CONTEXTS
 +SELinux requires files to have an extended attribute to define the file type. 
 +.PP
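Review bot: The boolean description in the added BOOLEANS section is cut off: "act as a portmappe" is missing its final letter, and the same sentence is added to samba_selinux.8 in the hunk at -40875. The later unconfined_selinux.8 hunk shows the same kind of truncation ("DML statemen"), so the text is probably being clipped where the description is extracted rather than mistyped here; that is worth confirming. The line should read `If you want to allow samba to act as a portmapper, you must turn on the samba_portmapper boolean.` The intro also says the policy "has several booleans" while this page lists only one.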
@@ -34121,6 +34792,9 @@ index 0000000..b868389
 +.B semanage port
 +can also be used to manipulate the port definitions
 +
++.B semanage boolean
++can also be used to manipulate the booleans
++
 +.PP
 +.B system-config-selinux 
 +is a GUI tool available to customize SELinux policy settings.
@@ -34130,6 +34804,8 @@ index 0000000..b868389
 +
 +.SH "SEE ALSO"
 +selinux(8), portmap(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
 diff --git a/man/man8/portreserve_selinux.8 b/man/man8/portreserve_selinux.8
 new file mode 100644
 index 0000000..909a5da
@@ -35026,7 +35702,7 @@ index 0000000..0d3079a
 +selinux(8), postgrey(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/pppd_selinux.8 b/man/man8/pppd_selinux.8
 new file mode 100644
-index 0000000..c13ce92
+index 0000000..7b27311
 --- /dev/null
 +++ b/man/man8/pppd_selinux.8
 @@ -0,0 +1,189 @@
@@ -35077,7 +35753,7 @@ index 0000000..c13ce92
 +.br
 +.TP 5
 +Paths: 
-+/etc/ppp(/.*)?, /etc/ppp/resolv\.conf, /etc/ppp/peers(/.*)?
++/etc/ppp(/.*)?, /etc/ppp/peers(/.*)?, /etc/ppp/resolv\.conf
 +
 +.EX
 +.PP
@@ -37624,7 +38300,7 @@ index 0000000..712a06e
 +selinux(8), qpidd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/quota_selinux.8 b/man/man8/quota_selinux.8
 new file mode 100644
-index 0000000..70b46e9
+index 0000000..b90411d
 --- /dev/null
 +++ b/man/man8/quota_selinux.8
 @@ -0,0 +1,117 @@
@@ -37663,7 +38339,7 @@ index 0000000..70b46e9
 +.br
 +.TP 5
 +Paths: 
-+/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/lib/libra/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group)
++/boot/a?quota\.(user|group), /etc/a?quota\.(user|group), /var/lib/stickshift/a?quota\.(user|group), /a?quota\.(user|group), /var/a?quota\.(user|group), /var/spool/(.*/)?a?quota\.(user|group)
 +
 +.EX
 +.PP
@@ -38245,7 +38921,7 @@ index 0000000..e7f45e9
 +selinux(8), radvd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rdisc_selinux.8 b/man/man8/rdisc_selinux.8
 new file mode 100644
-index 0000000..63759ab
+index 0000000..f04f9bd
 --- /dev/null
 +++ b/man/man8/rdisc_selinux.8
 @@ -0,0 +1,81 @@
@@ -38284,7 +38960,7 @@ index 0000000..63759ab
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/rdisc, /sbin/rdisc
++/sbin/rdisc, /usr/sbin/rdisc
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -39710,10 +40386,10 @@ index 0000000..8fdfc21
 +selinux(8), rpcbind(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/rpcd_selinux.8 b/man/man8/rpcd_selinux.8
 new file mode 100644
-index 0000000..b122acb
+index 0000000..f86ef74
 --- /dev/null
 +++ b/man/man8/rpcd_selinux.8
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,119 @@
 +.TH  "rpcd_selinux"  "8"  "rpcd" "dwalsh at redhat.com" "rpcd SELinux Policy documentation"
 +.SH "NAME"
 +rpcd_selinux \- Security Enhanced Linux Policy for the rpcd processes
@@ -39735,6 +40411,14 @@ index 0000000..b122acb
 +
 +.EX
 +.PP
++.B rpc_pipefs_t 
++.EE
++
++- Set files with the rpc_pipefs_t type, if you want to treat the files as rpc pipefs data.
++
++
++.EX
++.PP
 +.B rpcd_exec_t 
 +.EE
 +
@@ -40807,10 +41491,10 @@ index 0000000..65c182c
 +.SH "SEE ALSO"
 +selinux(8), rwho(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/samba_selinux.8 b/man/man8/samba_selinux.8
-index ca702c7..9dcd145 100644
+index ca702c7..25316f0 100644
 --- a/man/man8/samba_selinux.8
 +++ b/man/man8/samba_selinux.8
-@@ -1,56 +1,262 @@
+@@ -1,56 +1,269 @@
 -.TH  "samba_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "Samba Selinux Policy documentation"
 +.TH  "samba_selinux"  "8"  "samba" "dwalsh at redhat.com" "samba SELinux Policy documentation"
  .SH "NAME"
@@ -40875,6 +41559,13 @@ index ca702c7..9dcd145 100644
 +.EE
 +
 +.PP
++If you want to allow samba to act as a portmappe, you must turn on the samba_portmapper boolean.
++
++.EX
++.B setsebool -P samba_portmapper 1
++.EE
++
++.PP
 +If you want to allow samba to share any file/directory read only, you must turn on the samba_export_all_ro boolean.
 +
 +.EX
@@ -41006,7 +41697,7 @@ index ca702c7..9dcd145 100644
 +
 +- Set files with the samba_secrets_t type, if you want to treat the files as samba secrets data.
 +
- .br
++.br
 +.TP 5
 +Paths: 
 +/etc/samba/secrets\.tdb, /etc/samba/passdb\.tdb, /etc/samba/MACHINE\.SID, /etc/samba/smbpasswd
@@ -41046,7 +41737,7 @@ index ca702c7..9dcd145 100644
 +
 +- Set files with the samba_var_t type, if you want to store the s files under the /var directory.
 +
-+.br
+ .br
 +.TP 5
 +Paths: 
 +/var/spool/samba(/.*)?, /var/cache/samba(/.*)?, /var/lib/samba(/.*)?
@@ -42736,10 +43427,10 @@ index 0000000..cbed8e8
 +selinux(8), setroubleshoot(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/setroubleshootd_selinux.8 b/man/man8/setroubleshootd_selinux.8
 new file mode 100644
-index 0000000..37c59bb
+index 0000000..924d3bc
 --- /dev/null
 +++ b/man/man8/setroubleshootd_selinux.8
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,103 @@
 +.TH  "setroubleshootd_selinux"  "8"  "setroubleshootd" "dwalsh at redhat.com" "setroubleshootd SELinux Policy documentation"
 +.SH "NAME"
 +setroubleshootd_selinux \- Security Enhanced Linux Policy for the setroubleshootd processes
@@ -42761,6 +43452,38 @@ index 0000000..37c59bb
 +
 +.EX
 +.PP
++.B setroubleshoot_fixit_exec_t 
++.EE
++
++- Set files with the setroubleshoot_fixit_exec_t type, if you want to transition an executable to the setroubleshoot_fixit_t domain.
++
++
++.EX
++.PP
++.B setroubleshoot_var_lib_t 
++.EE
++
++- Set files with the setroubleshoot_var_lib_t type, if you want to store the setroubleshoot files under the /var/lib directory.
++
++
++.EX
++.PP
++.B setroubleshoot_var_log_t 
++.EE
++
++- Set files with the setroubleshoot_var_log_t type, if you want to treat the data as setroubleshoot var log data, usually stored under the /var/log directory.
++
++
++.EX
++.PP
++.B setroubleshoot_var_run_t 
++.EE
++
++- Set files with the setroubleshoot_var_run_t type, if you want to store the setroubleshoot files under the /run directory.
++
++
++.EX
++.PP
 +.B setroubleshootd_exec_t 
 +.EE
 +
@@ -43606,7 +44329,7 @@ index 0000000..1f4a491
 +selinux(8), smbcontrol(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/smbd_selinux.8 b/man/man8/smbd_selinux.8
 new file mode 100644
-index 0000000..3a58f9a
+index 0000000..78125d2
 --- /dev/null
 +++ b/man/man8/smbd_selinux.8
 @@ -0,0 +1,151 @@
@@ -43689,7 +44412,7 @@ index 0000000..3a58f9a
 +.br
 +.TP 5
 +Paths: 
-+/var/run/samba/gencache\.tdb, /var/run/samba/share_info\.tdb, /var/run/samba/locking\.tdb, /var/run/samba/connections\.tdb, /var/run/samba/smbd\.pid, /var/run/samba/sessionid\.tdb, /var/run/samba/brlock\.tdb
++/var/run/samba/gencache\.tdb, /var/run/samba/share_info\.tdb, /var/run/samba(/.*)?, /var/run/samba/locking\.tdb, /var/run/samba/connections\.tdb, /var/run/samba/smbd\.pid, /var/run/samba/sessionid\.tdb, /var/run/samba/brlock\.tdb
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -45314,7 +46037,7 @@ index 0000000..036f028
 +selinux(8), srvsvcd(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/ssh_selinux.8 b/man/man8/ssh_selinux.8
 new file mode 100644
-index 0000000..06fec85
+index 0000000..a3beeec
 --- /dev/null
 +++ b/man/man8/ssh_selinux.8
 @@ -0,0 +1,254 @@
@@ -45416,7 +46139,7 @@ index 0000000..06fec85
 +.br
 +.TP 5
 +Paths: 
-+/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /var/lib/libra/.*/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?
++/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)?
 +
 +.EX
 +.PP
@@ -45496,7 +46219,7 @@ index 0000000..06fec85
 +.br
 +.TP 5
 +Paths: 
-+/var/run/sshd\.pid, /var/run/sshd\.init\.pid
++/var/run/sshd\.init\.pid, /var/run/sshd\.pid
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -45575,10 +46298,10 @@ index 0000000..06fec85
 \ No newline at end of file
 diff --git a/man/man8/sshd_selinux.8 b/man/man8/sshd_selinux.8
 new file mode 100644
-index 0000000..e78fd6d
+index 0000000..b78c331
 --- /dev/null
 +++ b/man/man8/sshd_selinux.8
-@@ -0,0 +1,188 @@
+@@ -0,0 +1,248 @@
 +.TH  "sshd_selinux"  "8"  "sshd" "dwalsh at redhat.com" "sshd SELinux Policy documentation"
 +.SH "NAME"
 +sshd_selinux \- Security Enhanced Linux Policy for the sshd processes
@@ -45639,6 +46362,66 @@ index 0000000..e78fd6d
 +
 +.EX
 +.PP
++.B ssh_agent_exec_t 
++.EE
++
++- Set files with the ssh_agent_exec_t type, if you want to transition an executable to the ssh_agent_t domain.
++
++
++.EX
++.PP
++.B ssh_agent_tmp_t 
++.EE
++
++- Set files with the ssh_agent_tmp_t type, if you want to store ssh agent temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B ssh_exec_t 
++.EE
++
++- Set files with the ssh_exec_t type, if you want to transition an executable to the ssh_t domain.
++
++
++.EX
++.PP
++.B ssh_home_t 
++.EE
++
++- Set files with the ssh_home_t type, if you want to store ssh files in the users home directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/nocpulse/\.ssh(/.*)?, /var/lib/gitolite/\.ssh(/.*)?, /root/\.shosts, /var/lib/amanda/\.ssh(/.*)?, /root/\.ssh(/.*)?, /var/lib/stickshift/.*/\.ssh(/.*)?
++
++.EX
++.PP
++.B ssh_keygen_exec_t 
++.EE
++
++- Set files with the ssh_keygen_exec_t type, if you want to transition an executable to the ssh_keygen_t domain.
++
++
++.EX
++.PP
++.B ssh_keysign_exec_t 
++.EE
++
++- Set files with the ssh_keysign_exec_t type, if you want to transition an executable to the ssh_keysign_t domain.
++
++
++.EX
++.PP
++.B ssh_tmpfs_t 
++.EE
++
++- Set files with the ssh_tmpfs_t type, if you want to store ssh files on a tmpfs file system.
++
++
++.EX
++.PP
 +.B sshd_exec_t 
 +.EE
 +
@@ -45691,7 +46474,7 @@ index 0000000..e78fd6d
 +.br
 +.TP 5
 +Paths: 
-+/var/run/sshd\.pid, /var/run/sshd\.init\.pid
++/var/run/sshd\.init\.pid, /var/run/sshd\.pid
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -46849,10 +47632,10 @@ index 0000000..679f836
 +selinux(8), semanage(8).
 diff --git a/man/man8/syslogd_selinux.8 b/man/man8/syslogd_selinux.8
 new file mode 100644
-index 0000000..77cc3b7
+index 0000000..875440a
 --- /dev/null
 +++ b/man/man8/syslogd_selinux.8
-@@ -0,0 +1,170 @@
+@@ -0,0 +1,182 @@
 +.TH  "syslogd_selinux"  "8"  "syslogd" "dwalsh at redhat.com" "syslogd SELinux Policy documentation"
 +.SH "NAME"
 +syslogd_selinux \- Security Enhanced Linux Policy for the syslogd processes
@@ -46899,6 +47682,18 @@ index 0000000..77cc3b7
 +
 +.EX
 +.PP
++.B syslog_conf_t 
++.EE
++
++- Set files with the syslog_conf_t type, if you want to treat the files as syslog configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/rsyslog.conf, /etc/syslog.conf
++
++.EX
++.PP
 +.B syslogd_exec_t 
 +.EE
 +
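Review bot: The new syslog_conf_t entry lists `/etc/rsyslog.conf, /etc/syslog.conf` with the dots unescaped, whereas neighbouring entries such as `/etc/sysctl\.conf(\.old)?` escape them. These lists are regular expressions, so an unescaped `.` matches any character and the pattern covers more file names than the two it names. Presumably the man page mirrors the file-context specification, in which case the fix belongs there and the page should then show `/etc/rsyslog\.conf, /etc/syslog\.conf`. The thumb_selinux.8 hunk at -48802 has the same issue in `(.sh)?`.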
@@ -46907,7 +47702,7 @@ index 0000000..77cc3b7
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/metalog, /usr/lib/systemd/systemd-journald, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /sbin/syslogd, /sbin/syslog-ng, /lib/systemd/systemd-kmsg-syslogd, /sbin/minilogd, /lib/systemd/systemd-journald
++/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/rsyslogd, /usr/sbin/syslog-ng, /usr/lib/systemd/systemd-kmsg-syslogd, /usr/sbin/metalog, /usr/lib/systemd/systemd-journald, /usr/sbin/syslogd, /usr/sbin/minilogd, /sbin/rsyslogd, /sbin/syslogd, /sbin/syslog-ng, /sbin/minilogd, /lib/systemd/systemd-journald
 +
 +.EX
 +.PP
@@ -47125,7 +47920,7 @@ index 0000000..79ea311
 +selinux(8), sysstat(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/system_selinux.8 b/man/man8/system_selinux.8
 new file mode 100644
-index 0000000..3f66d2d
+index 0000000..a08a3e0
 --- /dev/null
 +++ b/man/man8/system_selinux.8
 @@ -0,0 +1,339 @@
@@ -47202,7 +47997,7 @@ index 0000000..3f66d2d
 +.br
 +.TP 5
 +Paths: 
-+/etc/crontab, /var/spool/anacron(/.*)?, /etc/cron\.d(/.*)?, /var/spool/fcron/systab, /var/spool/fcron/systab\.orig, /var/spool/fcron/new\.systab
++/etc/crontab, /var/spool/anacron(/.*)?, /etc/cron\.d(/.*)?, /var/spool/fcron/systab\.orig, /var/spool/fcron/new\.systab, /var/spool/fcron/systab
 +
 +.EX
 +.PP
@@ -47471,10 +48266,10 @@ index 0000000..3f66d2d
 \ No newline at end of file
 diff --git a/man/man8/systemd_selinux.8 b/man/man8/systemd_selinux.8
 new file mode 100644
-index 0000000..bea5a02
+index 0000000..93fe832
 --- /dev/null
 +++ b/man/man8/systemd_selinux.8
-@@ -0,0 +1,221 @@
+@@ -0,0 +1,345 @@
 +.TH  "systemd_selinux"  "8"  "systemd" "dwalsh at redhat.com" "systemd SELinux Policy documentation"
 +.SH "NAME"
 +systemd_selinux \- Security Enhanced Linux Policy for the systemd processes
@@ -47534,6 +48329,130 @@ index 0000000..bea5a02
 +
 +.EX
 +.PP
++.B system_conf_t 
++.EE
++
++- Set files with the system_conf_t type, if you want to treat the files as system configuration data, usually stored under the /etc directory.
++
++.br
++.TP 5
++Paths: 
++/etc/sysctl\.conf(\.old)?, /etc/sysconfig/ipvsadm.*, /etc/sysconfig/ebtables.*, /etc/sysconfig/ip6?tables.*, /etc/sysconfig/system-config-firewall.*
++
++.EX
++.PP
++.B system_cron_spool_t 
++.EE
++
++- Set files with the system_cron_spool_t type, if you want to store the system cron files under the /var/spool directory.
++
++.br
++.TP 5
++Paths: 
++/etc/crontab, /var/spool/anacron(/.*)?, /etc/cron\.d(/.*)?, /var/spool/fcron/systab\.orig, /var/spool/fcron/new\.systab, /var/spool/fcron/systab
++
++.EX
++.PP
++.B system_cronjob_lock_t 
++.EE
++
++- Set files with the system_cronjob_lock_t type, if you want to treat the files as system cronjob lock data, stored under the /var/lock directory
++
++
++.EX
++.PP
++.B system_cronjob_tmp_t 
++.EE
++
++- Set files with the system_cronjob_tmp_t type, if you want to store system cronjob temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_cronjob_var_lib_t 
++.EE
++
++- Set files with the system_cronjob_var_lib_t type, if you want to store the system cronjob files under the /var/lib directory.
++
++
++.EX
++.PP
++.B system_cronjob_var_run_t 
++.EE
++
++- Set files with the system_cronjob_var_run_t type, if you want to store the system cronjob files under the /run directory.
++
++
++.EX
++.PP
++.B system_dbusd_tmp_t 
++.EE
++
++- Set files with the system_dbusd_tmp_t type, if you want to store system dbusd temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_dbusd_var_lib_t 
++.EE
++
++- Set files with the system_dbusd_var_lib_t type, if you want to store the system dbusd files under the /var/lib directory.
++
++
++.EX
++.PP
++.B system_dbusd_var_run_t 
++.EE
++
++- Set files with the system_dbusd_var_run_t type, if you want to store the system dbusd files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/named/chroot/var/run/dbus(/.*)?, /var/run/dbus(/.*)?
++
++.EX
++.PP
++.B system_mail_tmp_t 
++.EE
++
++- Set files with the system_mail_tmp_t type, if you want to store system mail temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B system_map_t 
++.EE
++
++- Set files with the system_map_t type, if you want to treat the files as system map data.
++
++.br
++.TP 5
++Paths: 
++/boot/System\.map(-.*)?, /boot/efi(/.*)?/System\.map(-.*)?
++
++.EX
++.PP
++.B system_munin_plugin_exec_t 
++.EE
++
++- Set files with the system_munin_plugin_exec_t type, if you want to transition an executable to the system_munin_plugin_t domain.
++
++.br
++.TP 5
++Paths: 
++/usr/share/munin/plugins/proc_pri, /usr/share/munin/plugins/swap, /usr/share/munin/plugins/interrupts, /usr/share/munin/plugins/cpu.*, /usr/share/munin/plugins/yum, /usr/share/munin/plugins/load, /usr/share/munin/plugins/irqstats, /usr/share/munin/plugins/processes, /usr/share/munin/plugins/iostat.*, /usr/share/munin/plugins/nfs.*, /usr/share/munin/plugins/munin_.*, /usr/share/munin/plugins/threads, /usr/share/munin/plugins/netstat, /usr/share/munin/plugins/acpi, /usr/share/munin/plugins/forks, /usr/share/munin/plugins/uptime, /usr/share/munin/plugins/users, /usr/share/munin/plugins/memory, /usr/share/munin/plugins/if_.*, /usr/share/munin/plugins/open_files
++
++.EX
++.PP
++.B system_munin_plugin_tmp_t 
++.EE
++
++- Set files with the system_munin_plugin_tmp_t type, if you want to store system munin plugin temporary files in the /tmp directories.
++
++
++.EX
++.PP
 +.B systemd_logger_exec_t 
 +.EE
 +
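Review bot: This hunk adds types to systemd_selinux.8 that share only the `system` name prefix with systemd: system_cron_spool_t, system_cronjob_*, system_dbusd_*, system_mail_tmp_t, system_map_t and system_munin_plugin_*. An administrator reading the page could conclude that relabelling /etc/crontab or /boot/System.map is part of confining systemd. It looks as though types are selected by matching the domain name as a bare prefix, which should be confirmed in the generator. The same pattern shows in the pingd (ping_exec_t), plymouthd (plymouth_exec_t), sshd (ssh_*) and setroubleshootd (setroubleshoot_*) hunks. Matching on the domain name followed by `_` (here `systemd_`) would keep these unrelated types off the page.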
@@ -48763,7 +49682,7 @@ index 0000000..c7f6423
 +selinux(8), thin(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/thumb_selinux.8 b/man/man8/thumb_selinux.8
 new file mode 100644
-index 0000000..50ef8e9
+index 0000000..b03036c
 --- /dev/null
 +++ b/man/man8/thumb_selinux.8
 @@ -0,0 +1,89 @@
@@ -48802,7 +49721,7 @@ index 0000000..50ef8e9
 +.br
 +.TP 5
 +Paths: 
-+/usr/bin/evince-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/totem-video-thumbnailer
++/usr/bin/whaaw-thumbnailer, /usr/lib/tumbler[^/]*/tumblerd, /usr/bin/raw-thumbnailer, /usr/bin/evince-thumbnailer, /usr/bin/[^/]*thumbnailer, /usr/bin/ffmpegthumbnailer, /usr/bin/shotwell-video-thumbnailer, /usr/bin/gsf-office-thumbnailer, /usr/bin/gnome-thumbnail-font, /usr/bin/totem-video-thumbnailer, /usr/bin/gnome-[^/]*-thumbnailer(.sh)?
 +
 +.EX
 +.PP
@@ -49129,7 +50048,7 @@ index 0000000..8ec79ef
 \ No newline at end of file
 diff --git a/man/man8/traceroute_selinux.8 b/man/man8/traceroute_selinux.8
 new file mode 100644
-index 0000000..283d349
+index 0000000..c4ea5dd
 --- /dev/null
 +++ b/man/man8/traceroute_selinux.8
 @@ -0,0 +1,101 @@
@@ -49162,7 +50081,7 @@ index 0000000..283d349
 +.br
 +.TP 5
 +Paths: 
-+/bin/tracepath.*, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*
++/bin/tracepath.*, /usr/bin/traceroute.*, /usr/bin/nmap, /usr/bin/lft, /bin/traceroute.*, /usr/bin/tracepath.*, /usr/sbin/traceroute.*, /usr/bin/mtr
 +
 +.PP
 +Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
@@ -49827,75 +50746,142 @@ index 0000000..34355cf
 +selinux(8), uml(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/unconfined_selinux.8 b/man/man8/unconfined_selinux.8
 new file mode 100644
-index 0000000..cec81dc
+index 0000000..49f0e32
 --- /dev/null
 +++ b/man/man8/unconfined_selinux.8
-@@ -0,0 +1,65 @@
-+.TH  "unconfined_selinux"  "8"  "unconfined" "mgrepl at redhat.com" "unconfined SELinux Policy documentation"
+@@ -0,0 +1,131 @@
++.TH  "unconfined_selinux"  "8"  "unconfined" "dwalsh at redhat.com" "unconfined SELinux Policy documentation"
 +.SH "NAME"
-+unconfined_r \- \fBUnconfiend user role\fP - Security Enhanced Linux Policy 
++unconfined_selinux \- Security Enhanced Linux Policy for the unconfined processes
++.SH "DESCRIPTION"
 +
-+.SH DESCRIPTION
 +
-+SELinux supports Roles Based Access Control, some Linux roles are login roles, while other roles need to be transition to. 
++SELinux Linux secures
++.B unconfined
++(The unconfined domain)
++processes via flexible mandatory access
++control.  
 +
-+Note: The examples in the man page will user the staff_u user.
 +
-+Non login roles are usually used for administrative tasks.
 +
-+Roles usually have default types assigned to them. 
++.SH BOOLEANS
++SELinux policy is customizable based on least access required.  unconfined policy is extremely flexible and has several booleans that allow you to manipulate the policy and run unconfined with the tightest access possible.
 +
-+The default type for the unconfined_r role is unconfined_t.
 +
-+You can use the 
-+.B newrole 
-+program to transition directly to this role.
++.PP
++If you want to allow database admins to execute DML statemen, you must turn on the sepgsql_unconfined_dbadm boolean.
 +
-+.B newrole -r unconfined_r -t unconfined_t
++.EX
++.B setsebool -P sepgsql_unconfined_dbadm 1
++.EE
 +
-+.B sudo 
-+can also be setup to transition to this role using the visudo command.
++.PP
++If you want to allow unconfined users to transition to the Mozilla plugin domain when running xulrunner plugin-container, you must turn on the unconfined_mozilla_plugin_transition boolean.
 +
-+USERNAME ALL=(ALL) ROLE=unconfined_r TYPE=unconfined_t COMMAND
-+.br
-+sudo will run COMMAND as staff_u:unconfined_r:unconfined_t:LEVEL
++.EX
++.B setsebool -P unconfined_mozilla_plugin_transition 1
++.EE
 +
-+If you want to use a non login role, you need to make sure the SELinux user you are using can reach this role.
++.PP
++If you want to allow a user to login as an unconfined domai, you must turn on the unconfined_login boolean.
 +
-+You can see all of the assigned SELinux roles using the following
++.EX
++.B setsebool -P unconfined_login 1
++.EE
 +
-+.B semanage user -l
++.PP
++If you want to allow unconfined users to transition to the chrome sandbox domains when running chrome-sandbo, you must turn on the unconfined_chrome_sandbox_transition boolean.
 +
-+If you wanted to add unconfined_r to the staff_u user, you would execute:
++.EX
++.B setsebool -P unconfined_chrome_sandbox_transition 1
++.EE
 +
-+.B $ semanage user -m -R 'staff_r unconfined_r' staff_u 
++.PP
++If you want to allow samba to run unconfined script, you must turn on the samba_run_unconfined boolean.
 +
++.EX
++.B setsebool -P samba_run_unconfined 1
++.EE
 +
++.PP
++If you want to allow video playing tools to run unconfine, you must turn on the unconfined_mplayer boolean.
 +
-+SELinux policy also controls which roles can transition to a different role.  
-+You can list these rules using the following command.
++.EX
++.B setsebool -P unconfined_mplayer 1
++.EE
 +
-+.B sesearch --role_allow
++.SH FILE CONTEXTS
++SELinux requires files to have an extended attribute to define the file type. 
++.PP
++You can see the context of a file using the \fB\-Z\fP option to \fBls\bP
++.PP
++Policy governs the access confined processes have to these files. 
++SELinux unconfined policy is very flexible allowing users to setup their unconfined processes in as secure a method as possible.
++.PP 
++The following file types are defined for unconfined:
 +
-+SELinux policy allows the staff_r role can transition to the unconfined_r role.
 +
++.EX
++.PP
++.B unconfined_exec_t 
++.EE
 +
-+.SH "COMMANDS"
++- Set files with the unconfined_exec_t type, if you want to transition an executable to the unconfined_t domain.
 +
-+.B semanage login
-+can also be used to manipulate the Linux User to SELinux User mappings
++.br
++.TP 5
++Paths: 
++/usr/bin/vncserver, /usr/sbin/xrdp, /usr/sbin/xrdp-sesman
 +
-+.B semanage user
-+can also be used to manipulate SELinux user definitions.
++.PP
++Note: File context can be temporarily modified with the chcon command.  If you want to permanently change the file context you need to use the
++.B semanage fcontext 
++command.  This will modify the SELinux labeling database.  You will need to use
++.B restorecon
++to apply the labels.
 +
++.SH PROCESS TYPES
++SELinux defines process types (domains) for each process running on the system
++.PP
++You can see the context of a process using the \fB\-Z\fP option to \fBps\bP
++.PP
++Policy governs the access confined processes have to files. 
++SELinux unconfined policy is very flexible allowing users to setup their unconfined processes in as secure a method as possible.
++.PP 
++The following process types are defined for unconfined:
++
++.EX
++.B unconfined_cronjob_t, unconfined_dbusd_t, unconfined_t 
++.EE
++.PP
++Note: 
++.B semanage permissive -a PROCESS_TYPE 
++can be used to make a process type permissive. Permissive process types are not denied access by SELinux. AVC messages will still be generated.
++
++.SH "COMMANDS"
++.B semanage fcontext
++can also be used to manipulate default file context mappings.
++.PP
++.B semanage permissive
++can also be used to manipulate whether or not a process type is permissive.
++.PP
++.B semanage module
++can also be used to enable/disable/install/remove policy modules.
++
++.B semanage boolean
++can also be used to manipulate the booleans
++
++.PP
 +.B system-config-selinux 
 +is a GUI tool available to customize SELinux policy settings.
 +
 +.SH AUTHOR	
-+This manual page was autogenerated by genuserman.py.
++This manual page was autogenerated by genman.py.
 +
 +.SH "SEE ALSO"
-+selinux(8), semanage(8).
++selinux(8), unconfined(8), semanage(8), restorecon(8), chcon(1)
++, setsebool(8)
+\ No newline at end of file
 diff --git a/man/man8/update_selinux.8 b/man/man8/update_selinux.8
 new file mode 100644
 index 0000000..df3a1eb
@@ -51789,7 +52775,7 @@ index 0000000..97dc9a2
 +selinux(8), virsh(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/virt_selinux.8 b/man/man8/virt_selinux.8
 new file mode 100644
-index 0000000..2c3568f
+index 0000000..bc4a520
 --- /dev/null
 +++ b/man/man8/virt_selinux.8
 @@ -0,0 +1,349 @@
@@ -52023,7 +53009,7 @@ index 0000000..2c3568f
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/condor_vm-gahp, /usr/bin/imgfac\.py, /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/libvirtd
++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/imgfac\.py, /usr/bin/nova-compute, /usr/sbin/libvirtd
 +
 +.EX
 +.PP
@@ -52145,10 +53131,10 @@ index 0000000..2c3568f
 \ No newline at end of file
 diff --git a/man/man8/virtd_selinux.8 b/man/man8/virtd_selinux.8
 new file mode 100644
-index 0000000..a68ee81
+index 0000000..40dfb33
 --- /dev/null
 +++ b/man/man8/virtd_selinux.8
-@@ -0,0 +1,215 @@
+@@ -0,0 +1,343 @@
 +.TH  "virtd_selinux"  "8"  "virtd" "dwalsh at redhat.com" "virtd SELinux Policy documentation"
 +.SH "NAME"
 +virtd_selinux \- Security Enhanced Linux Policy for the virtd processes
@@ -52237,6 +53223,134 @@ index 0000000..a68ee81
 +
 +.EX
 +.PP
++.B virt_bridgehelper_exec_t 
++.EE
++
++- Set files with the virt_bridgehelper_exec_t type, if you want to transition an executable to the virt_bridgehelper_t domain.
++
++
++.EX
++.PP
++.B virt_cache_t 
++.EE
++
++- Set files with the virt_cache_t type, if you want to store the files under the /var/cache directory.
++
++.br
++.TP 5
++Paths: 
++/var/cache/oz(/.*)?, /var/cache/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_content_t 
++.EE
++
++- Set files with the virt_content_t type, if you want to treat the files as virt content.
++
++.br
++.TP 5
++Paths: 
++/var/lib/vdsm(/.*)?, /var/lib/oz/isos(/.*)?, /var/lib/libvirt/boot(/.*)?, /var/lib/libvirt/isos(/.*)?
++
++.EX
++.PP
++.B virt_etc_rw_t 
++.EE
++
++- Set files with the virt_etc_rw_t type, if you want to treat the files as virt etc read/write content.
++
++.br
++.TP 5
++Paths: 
++/etc/libvirt/.*/.*, /etc/xen/.*/.*, /etc/xen/[^/]*, /etc/libvirt/[^/]*
++
++.EX
++.PP
++.B virt_etc_t 
++.EE
++
++- Set files with the virt_etc_t type, if you want to store virt files in the /etc directories.
++
++.br
++.TP 5
++Paths: 
++/etc/libvirt/[^/]*, /etc/libvirt, /etc/xen/[^/]*, /etc/xen
++
++.EX
++.PP
++.B virt_home_t 
++.EE
++
++- Set files with the virt_home_t type, if you want to store virt files in the users home directory.
++
++
++.EX
++.PP
++.B virt_image_t 
++.EE
++
++- Set files with the virt_image_t type, if you want to treat the files as virt image data.
++
++.br
++.TP 5
++Paths: 
++/var/lib/imagefactory/images(/.*)?, /var/lib/libvirt/images(/.*)?
++
++.EX
++.PP
++.B virt_log_t 
++.EE
++
++- Set files with the virt_log_t type, if you want to treat the data as virt log data, usually stored under the /var/log directory.
++
++.br
++.TP 5
++Paths: 
++/var/log/log(/.*)?, /var/log/vdsm(/.*)?, /var/log/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_qmf_exec_t 
++.EE
++
++- Set files with the virt_qmf_exec_t type, if you want to transition an executable to the virt_qmf_t domain.
++
++
++.EX
++.PP
++.B virt_tmp_t 
++.EE
++
++- Set files with the virt_tmp_t type, if you want to store virt temporary files in the /tmp directories.
++
++
++.EX
++.PP
++.B virt_var_lib_t 
++.EE
++
++- Set files with the virt_var_lib_t type, if you want to store the virt files under the /var/lib directory.
++
++.br
++.TP 5
++Paths: 
++/var/lib/oz(/.*)?, /var/lib/libvirt(/.*)?
++
++.EX
++.PP
++.B virt_var_run_t 
++.EE
++
++- Set files with the virt_var_run_t type, if you want to store the virt files under the /run directory.
++
++.br
++.TP 5
++Paths: 
++/var/run/vdsm(/.*)?, /var/vdsm(/.*)?, /var/run/libvirt(/.*)?
++
++.EX
++.PP
 +.B virtd_exec_t 
 +.EE
 +
@@ -52245,7 +53359,7 @@ index 0000000..a68ee81
 +.br
 +.TP 5
 +Paths: 
-+/usr/sbin/condor_vm-gahp, /usr/bin/imgfac\.py, /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/libvirtd
++/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/imgfac\.py, /usr/bin/nova-compute, /usr/sbin/libvirtd
 +
 +.EX
 +.PP
@@ -52450,7 +53564,7 @@ index 0000000..c8e2a9e
 +selinux(8), vlock(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/vmware_selinux.8 b/man/man8/vmware_selinux.8
 new file mode 100644
-index 0000000..6ad4bcb
+index 0000000..735cd42
 --- /dev/null
 +++ b/man/man8/vmware_selinux.8
 @@ -0,0 +1,173 @@
@@ -52497,7 +53611,7 @@ index 0000000..6ad4bcb
 +.br
 +.TP 5
 +Paths: 
-+/usr/lib/vmware/bin/vmware-mks, /usr/lib/vmware/bin/vmplayer, /usr/bin/vmware-ping, /usr/lib/vmware/bin/vmware-ui, /usr/sbin/vmware-serverd, /usr/bin/vmware, /usr/bin/vmware-wizard
++/usr/sbin/vmware-serverd, /usr/lib/vmware/bin/vmware-mks, /usr/lib/vmware/bin/vmplayer, /usr/bin/vmware-ping, /usr/lib/vmware/bin/vmware-ui, /usr/bin/vmware, /usr/bin/vmware-wizard
 +
 +.EX
 +.PP
@@ -52730,10 +53844,10 @@ index 0000000..254d3d4
 +selinux(8), vnstat(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/vnstatd_selinux.8 b/man/man8/vnstatd_selinux.8
 new file mode 100644
-index 0000000..9ce8f0c
+index 0000000..1589eb8
 --- /dev/null
 +++ b/man/man8/vnstatd_selinux.8
-@@ -0,0 +1,93 @@
+@@ -0,0 +1,101 @@
 +.TH  "vnstatd_selinux"  "8"  "vnstatd" "dwalsh at redhat.com" "vnstatd SELinux Policy documentation"
 +.SH "NAME"
 +vnstatd_selinux \- Security Enhanced Linux Policy for the vnstatd processes
@@ -52761,6 +53875,14 @@ index 0000000..9ce8f0c
 +
 +.EX
 +.PP
++.B vnstat_exec_t 
++.EE
++
++- Set files with the vnstat_exec_t type, if you want to transition an executable to the vnstat_t domain.
++
++
++.EX
++.PP
 +.B vnstatd_exec_t 
 +.EE
 +
@@ -54055,10 +55177,10 @@ index 0000000..94ba970
 +selinux(8), xenconsoled(8), semanage(8), restorecon(8), chcon(1)
 diff --git a/man/man8/xend_selinux.8 b/man/man8/xend_selinux.8
 new file mode 100644
-index 0000000..ae40ecf
+index 0000000..ef97b9c
 --- /dev/null
 +++ b/man/man8/xend_selinux.8
-@@ -0,0 +1,170 @@
+@@ -0,0 +1,190 @@
 +.TH  "xend_selinux"  "8"  "xend" "dwalsh at redhat.com" "xend SELinux Policy documentation"
 +.SH "NAME"
 +xend_selinux \- Security Enhanced Linux Policy for the xend processes
@@ -54105,6 +55227,26 @@ index 0000000..ae40ecf
 +
 +.EX
 +.PP
++.B xen_devpts_t 
++.EE
++
++- Set files with the xen_devpts_t type, if you want to treat the files as xen devpts data.
++
++
++.EX
++.PP
++.B xen_image_t 
++.EE
++
++- Set files with the xen_image_t type, if you want to treat the files as xen image data.
++
++.br
++.TP 5
++Paths: 
++/xen(/.*)?, /var/lib/xen/images(/.*)?
++
++.EX
++.PP
 +.B xend_exec_t 
 +.EE
 +
@@ -55885,10 +57027,10 @@ index 0000000..705cdbc
 \ No newline at end of file
 diff --git a/man/man8/zoneminder_selinux.8 b/man/man8/zoneminder_selinux.8
 new file mode 100644
-index 0000000..3085db9
+index 0000000..4f71f64
 --- /dev/null
 +++ b/man/man8/zoneminder_selinux.8
-@@ -0,0 +1,151 @@
+@@ -0,0 +1,163 @@
 +.TH  "zoneminder_selinux"  "8"  "zoneminder" "dwalsh at redhat.com" "zoneminder SELinux Policy documentation"
 +.SH "NAME"
 +zoneminder_selinux \- Security Enhanced Linux Policy for the zoneminder processes
@@ -55947,6 +57089,10 @@ index 0000000..3085db9
 +
 +- Set files with the zoneminder_exec_t type, if you want to transition an executable to the zoneminder_t domain.
 +
++.br
++.TP 5
++Paths: 
++/usr/bin/zmpkg.pl, /usr/bin/motion
 +
 +.EX
 +.PP
@@ -55955,6 +57101,10 @@ index 0000000..3085db9
 +
 +- Set files with the zoneminder_initrc_exec_t type, if you want to transition an executable to the zoneminder_initrc_t domain.
 +
++.br
++.TP 5
++Paths: 
++/etc/rc\.d/init\.d/motion, /etc/rc\.d/init\.d/zoneminder
 +
 +.EX
 +.PP
@@ -55963,6 +57113,10 @@ index 0000000..3085db9
 +
 +- Set files with the zoneminder_log_t type, if you want to treat the data as zoneminder log data, usually stored under the /var/log directory.
 +
++.br
++.TP 5
++Paths: 
++/var/log/motion\.log, /var/log/zoneminder(/.*)?
 +
 +.EX
 +.PP
@@ -58538,10 +59692,35 @@ index f387230..e63f9c6 100644
 +
 +/var/run/quota_nld\.pid --  gen_context(system_u:object_r:quota_nld_var_run_t,s0)
 diff --git a/policy/modules/admin/quota.if b/policy/modules/admin/quota.if
-index bf75d99..d1af9cf 100644
+index bf75d99..2176bf8 100644
 --- a/policy/modules/admin/quota.if
 +++ b/policy/modules/admin/quota.if
-@@ -83,3 +83,59 @@ interface(`quota_manage_flags',`
+@@ -45,6 +45,24 @@ interface(`quota_run',`
+ 	role $2 types quota_t;
+ ')
+ 
++#######################################
++## <summary>
++##  Alow to read of filesystem quota data files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`quota_read_db',`
++    gen_require(`
++        type quota_db_t;
++    ')
++
++    allow $1 quota_db_t:file read_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Do not audit attempts to get the attributes
+@@ -83,3 +101,59 @@ interface(`quota_manage_flags',`
  	files_search_var_lib($1)
  	manage_files_pattern($1, quota_flag_t, quota_flag_t)
  ')
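Review bot: The doc block added for `quota_read_db` describes its parameter as `Domain to not audit.`, but the body is an `allow $1 quota_db_t:file read_file_perms;` rule, so the text should read `Domain allowed access.`. The copied dontaudit wording can mislead someone auditing which interfaces actually grant access. The summary line also has a typo and would read better as `## Allow reading of filesystem quota data files.`. The new block is indented with spaces, while the neighbouring interfaces in this hunk use tabs.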
@@ -59549,16 +60728,21 @@ index 97671a3..eb84cd0 100644
 +
 +/var/run/shutdown\.pid		--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
 diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
-index d0604cf..95c53c5 100644
+index d0604cf..b66057c 100644
 --- a/policy/modules/admin/shutdown.if
 +++ b/policy/modules/admin/shutdown.if
-@@ -18,9 +18,13 @@ interface(`shutdown_domtrans',`
+@@ -18,9 +18,18 @@ interface(`shutdown_domtrans',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, shutdown_exec_t, shutdown_t)
  
++	init_reboot($1)
++	init_halt($1)
++
 +	optional_policy(`
 +		systemd_exec_systemctl($1)
 +		init_stream_connect($1)
++		systemd_login_reboot($1)
++		systemd_login_halt($1)
 +	')
 +
  	ifdef(`hide_broken_symptoms', `
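Review bot: `init_reboot($1)` and `init_halt($1)` in `shutdown_domtrans` are applied to the calling domain, as are `systemd_login_reboot($1)` and `systemd_login_halt($1)` in the optional block. Every domain allowed to transition to shutdown_t would therefore also get whatever these interfaces grant directly, not only through the transition. If the shutdown program itself is meant to make the request, the calls would fit better in shutdown.te against `shutdown_t`, leaving the caller with only the transition. If the caller does need them, a one-line comment above the calls stating why would help later reviewers. The definitions of these init and systemd interfaces are not in view, and the interface body starts and ends outside the hunk.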
@@ -59568,7 +60752,7 @@ index d0604cf..95c53c5 100644
  	')
  ')
  
-@@ -51,6 +55,73 @@ interface(`shutdown_run',`
+@@ -51,6 +60,73 @@ interface(`shutdown_run',`
  
  ########################################
  ## <summary>
@@ -63910,10 +65094,10 @@ index 0000000..274cdec
 +/var/log/jockey\.log	--	gen_context(system_u:object_r:jockey_var_log_t,s0)
 diff --git a/policy/modules/apps/jockey.if b/policy/modules/apps/jockey.if
 new file mode 100644
-index 0000000..b083ea3
+index 0000000..fb58f33
 --- /dev/null
 +++ b/policy/modules/apps/jockey.if
-@@ -0,0 +1,133 @@
+@@ -0,0 +1,132 @@
 +
 +## <summary>policy for jockey</summary>
 +
@@ -63971,7 +65155,7 @@ index 0000000..b083ea3
 +	')
 +
 +	files_search_var($1)
-+	read_files_pattern($1, jockey_cache_t jockey_cache_t)
++	read_files_pattern($1, jockey_cache_t, jockey_cache_t)
 +')
 +
 +########################################
@@ -64013,7 +65197,6 @@ index 0000000..b083ea3
 +	manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
@@ -73398,7 +74581,7 @@ index 6a1e4d1..3ded83e 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..b221c52 100644
+index fae1ab1..c941172 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -73499,7 +74682,7 @@ index fae1ab1..b221c52 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -158,5 +199,236 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -158,5 +199,245 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -73515,6 +74698,15 @@ index fae1ab1..b221c52 100644
 +term_filetrans_all_named_dev(unconfined_domain_type)
 +
 +optional_policy(`
++	init_status(unconfined_domain_type)
++	init_reboot(unconfined_domain_type)
++	init_halt(unconfined_domain_type)
++	systemd_login_status(unconfined_domain_type)
++	systemd_login_reboot(unconfined_domain_type)
++	systemd_login_halt(unconfined_domain_type)
++')
++
++optional_policy(`
 +	auth_filetrans_named_content(unconfined_domain_type)
 +	auth_filetrans_admin_home_content(unconfined_domain_type)
 +	auth_filetrans_home_content(unconfined_domain_type)
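Review bot: The new `optional_policy` block mixes `init_*` and `systemd_login_*` calls, and an optional block is dropped as a whole when any symbol it requires is missing. On a build without the systemd module, the `init_status`/`init_reboot`/`init_halt` grants for unconfined_domain_type would therefore silently disappear as well. The sysadm.te change in this same commit keeps the `init_*` calls at top level and puts only the `systemd_login_*` calls inside the systemd optional block. Splitting this block the same way would make the two consistent and the dependency explicit.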
@@ -79163,10 +80355,10 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..6f59878 100644
+index e14b961..508f5b4 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,62 @@ policy_module(sysadm, 2.2.1)
+@@ -5,39 +5,65 @@ policy_module(sysadm, 2.2.1)
  # Declarations
  #
  
@@ -79217,6 +80409,9 @@ index e14b961..6f59878 100644
 +init_exec_script_files(sysadm_t)
 +init_dbus_chat(sysadm_t)
 +init_script_role_transition(sysadm_r)
++init_status(sysadm_t)
++init_reboot(sysadm_t)
++init_halt(sysadm_t)
 +
 +logging_filetrans_named_content(sysadm_t)
 +
@@ -79240,7 +80435,7 @@ index e14b961..6f59878 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -51,13 +74,8 @@ ifdef(`direct_sysadm_daemon',`
+@@ -51,13 +77,8 @@ ifdef(`direct_sysadm_daemon',`
  	')
  ')
  
@@ -79255,7 +80450,7 @@ index e14b961..6f59878 100644
  	domain_ptrace_all_domains(sysadm_t)
  ')
  
-@@ -67,9 +85,9 @@ optional_policy(`
+@@ -67,9 +88,9 @@ optional_policy(`
  
  optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
@@ -79266,7 +80461,7 @@ index e14b961..6f59878 100644
  ')
  
  optional_policy(`
-@@ -98,6 +116,10 @@ optional_policy(`
+@@ -98,6 +119,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79277,7 +80472,7 @@ index e14b961..6f59878 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -110,11 +132,20 @@ optional_policy(`
+@@ -110,11 +135,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79300,7 +80495,7 @@ index e14b961..6f59878 100644
  ')
  
  optional_policy(`
-@@ -128,6 +159,10 @@ optional_policy(`
+@@ -128,6 +162,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79311,7 +80506,7 @@ index e14b961..6f59878 100644
  	dmesg_exec(sysadm_t)
  ')
  
-@@ -163,6 +198,13 @@ optional_policy(`
+@@ -163,6 +201,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -79325,7 +80520,7 @@ index e14b961..6f59878 100644
  ')
  
  optional_policy(`
-@@ -170,15 +212,20 @@ optional_policy(`
+@@ -170,15 +215,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79349,7 +80544,7 @@ index e14b961..6f59878 100644
  ')
  
  optional_policy(`
-@@ -198,22 +245,20 @@ optional_policy(`
+@@ -198,22 +248,20 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -79378,7 +80573,7 @@ index e14b961..6f59878 100644
  ')
  
  optional_policy(`
-@@ -225,25 +270,47 @@ optional_policy(`
+@@ -225,25 +273,47 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79426,7 +80621,7 @@ index e14b961..6f59878 100644
  	portage_run(sysadm_t, sysadm_r)
  	portage_run_gcc_config(sysadm_t, sysadm_r)
  ')
-@@ -253,31 +320,32 @@ optional_policy(`
+@@ -253,31 +323,32 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79466,7 +80661,7 @@ index e14b961..6f59878 100644
  ')
  
  optional_policy(`
-@@ -302,12 +370,18 @@ optional_policy(`
+@@ -302,12 +373,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79486,7 +80681,7 @@ index e14b961..6f59878 100644
  ')
  
  optional_policy(`
-@@ -332,7 +406,10 @@ optional_policy(`
+@@ -332,7 +409,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79495,10 +80690,13 @@ index e14b961..6f59878 100644
 +	systemd_config_all_services(sysadm_t)
 +	systemd_manage_all_unit_files(sysadm_t)
 +	systemd_manage_all_unit_lnk_files(sysadm_t)
++	systemd_login_status(sysadm_t)
++	systemd_login_reboot(sysadm_t)
++	systemd_login_halt(sysadm_t)
  ')
  
  optional_policy(`
-@@ -343,19 +420,15 @@ optional_policy(`
+@@ -343,19 +426,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79520,7 +80718,7 @@ index e14b961..6f59878 100644
  ')
  
  optional_policy(`
-@@ -367,45 +440,45 @@ optional_policy(`
+@@ -367,45 +446,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -79577,7 +80775,7 @@ index e14b961..6f59878 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -418,10 +491,6 @@ ifndef(`distro_redhat',`
+@@ -418,10 +497,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -79588,7 +80786,7 @@ index e14b961..6f59878 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +508,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +514,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -79596,7 +80794,7 @@ index e14b961..6f59878 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +516,66 @@ ifndef(`distro_redhat',`
+@@ -446,11 +522,66 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -87632,7 +88830,7 @@ index 7a6e5ba..e238dfd 100644
  	admin_pattern($1, certmonger_var_run_t)
  ')
 diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
-index c3e3f79..046721e 100644
+index c3e3f79..bbed82f 100644
 --- a/policy/modules/services/certmonger.te
 +++ b/policy/modules/services/certmonger.te
 @@ -18,12 +18,16 @@ files_pid_file(certmonger_var_run_t)
@@ -87688,7 +88886,7 @@ index c3e3f79..046721e 100644
  logging_send_syslog_msg(certmonger_t)
  
  miscfiles_read_localization(certmonger_t)
-@@ -58,15 +72,52 @@ miscfiles_manage_generic_cert_files(certmonger_t)
+@@ -58,15 +72,54 @@ miscfiles_manage_generic_cert_files(certmonger_t)
  
  sysnet_dns_name_resolve(certmonger_t)
  
@@ -87740,6 +88938,8 @@ index c3e3f79..046721e 100644
 +	unconfined_domain(certmonger_unconfined_t)
 +
 +	allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
++
++	unconfined_domain(certmonger_unconfined_t)
 +')
 diff --git a/policy/modules/services/cfengine.fc b/policy/modules/services/cfengine.fc
 new file mode 100644
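Review bot: The added `unconfined_domain(certmonger_unconfined_t)` repeats the identical call two lines above it in the same block, so it adds nothing to the policy and looks like a merge leftover. Dropping the second call keeps the unconfined grant for certmonger_unconfined_t in exactly one place, which matters when someone later wants to narrow or remove it. The enclosing block starts outside the hunk.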
@@ -88299,7 +89499,7 @@ index 9a0da94..113eae2 100644
 +	allow $1 chronyd_unit_file_t:service all_service_perms;
  ')
 diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
-index fa82327..1a486b0 100644
+index fa82327..025e26f 100644
 --- a/policy/modules/services/chronyd.te
 +++ b/policy/modules/services/chronyd.te
 @@ -15,6 +15,12 @@ init_script_file(chronyd_initrc_exec_t)
@@ -88330,7 +89530,7 @@ index fa82327..1a486b0 100644
  manage_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
  manage_dirs_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
  manage_sock_files_pattern(chronyd_t, chronyd_var_lib_t, chronyd_var_lib_t)
-@@ -48,8 +59,14 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
+@@ -48,8 +59,15 @@ logging_log_filetrans(chronyd_t, chronyd_var_log_t, { file dir })
  
  manage_files_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
  manage_dirs_pattern(chronyd_t, chronyd_var_run_t, chronyd_var_run_t)
@@ -88339,6 +89539,7 @@ index fa82327..1a486b0 100644
 +files_pid_filetrans(chronyd_t, chronyd_var_run_t, { dir file sock_file })
  
 +kernel_read_system_state(chronyd_t)
++kernel_read_network_state(chronyd_t)
 +
 +corecmd_exec_shell(chronyd_t)
 +
@@ -88346,7 +89547,7 @@ index fa82327..1a486b0 100644
  corenet_udp_bind_ntp_port(chronyd_t)
  # bind to udp/323
  corenet_udp_bind_chronyd_port(chronyd_t)
-@@ -63,6 +80,8 @@ logging_send_syslog_msg(chronyd_t)
+@@ -63,6 +81,8 @@ logging_send_syslog_msg(chronyd_t)
  
  miscfiles_read_localization(chronyd_t)
  
@@ -92729,7 +93930,7 @@ index 305ddf4..4d70951 100644
 +	filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
  ')
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..db6e8b6 100644
+index 0f28095..f9eb73f 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -92970,15 +94171,17 @@ index 0f28095..db6e8b6 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +717,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
 +files_dontaudit_write_usr_dirs(hplip_t)
++
++auth_read_passwd(hplip_t)
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +729,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -119028,7 +120231,7 @@ index cda37bb..b3469d6 100644
 +	allow $1 var_lib_nfs_t:file relabel_file_perms;
  ')
 diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
-index b1468ed..c378201 100644
+index b1468ed..d36b88c 100644
 --- a/policy/modules/services/rpc.te
 +++ b/policy/modules/services/rpc.te
 @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
@@ -119097,7 +120300,7 @@ index b1468ed..c378201 100644
  fs_getattr_all_fs(rpcd_t)
  
  storage_getattr_fixed_disk_dev(rpcd_t)
-@@ -97,21 +105,33 @@ miscfiles_read_generic_certs(rpcd_t)
+@@ -97,21 +105,37 @@ miscfiles_read_generic_certs(rpcd_t)
  
  seutil_dontaudit_search_config(rpcd_t)
  
@@ -119118,6 +120321,10 @@ index b1468ed..c378201 100644
  ')
  
 +optional_policy(`
++	quota_read_db(rpcd_t)
++')
++
++optional_policy(`
 +	rgmanager_manage_tmp_files(rpcd_t)
 +')
 +
@@ -119131,7 +120338,7 @@ index b1468ed..c378201 100644
  
  allow nfsd_t exports_t:file read_file_perms;
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
-@@ -120,9 +140,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+@@ -120,9 +144,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  kernel_read_system_state(nfsd_t)
  kernel_read_network_state(nfsd_t)
  kernel_dontaudit_getattr_core_if(nfsd_t)
@@ -119146,7 +120353,7 @@ index b1468ed..c378201 100644
  
  dev_dontaudit_getattr_all_blk_files(nfsd_t)
  dev_dontaudit_getattr_all_chr_files(nfsd_t)
-@@ -148,6 +173,8 @@ storage_raw_read_removable_device(nfsd_t)
+@@ -148,6 +177,8 @@ storage_raw_read_removable_device(nfsd_t)
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
  
@@ -119155,7 +120362,7 @@ index b1468ed..c378201 100644
  # Write access to public_content_t and public_content_rw_t
  tunable_policy(`allow_nfsd_anon_write',`
  	miscfiles_manage_public_files(nfsd_t)
-@@ -158,7 +185,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -158,7 +189,6 @@ tunable_policy(`nfs_export_all_rw',`
  	dev_getattr_all_chr_files(nfsd_t)
  
  	fs_read_noxattr_fs_files(nfsd_t)
@@ -119163,7 +120370,7 @@ index b1468ed..c378201 100644
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -170,8 +196,11 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -170,8 +200,11 @@ tunable_policy(`nfs_export_all_ro',`
  
  	fs_read_noxattr_fs_files(nfsd_t)
  
@@ -119177,7 +120384,7 @@ index b1468ed..c378201 100644
  ')
  
  ########################################
-@@ -181,7 +210,7 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -181,7 +214,7 @@ tunable_policy(`nfs_export_all_ro',`
  
  allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
  allow gssd_t self:process { getsched setsched };
@@ -119186,7 +120393,7 @@ index b1468ed..c378201 100644
  
  manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
  manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-@@ -199,6 +228,7 @@ corecmd_exec_bin(gssd_t)
+@@ -199,6 +232,7 @@ corecmd_exec_bin(gssd_t)
  fs_list_rpc(gssd_t)
  fs_rw_rpc_sockets(gssd_t)
  fs_read_rpc_files(gssd_t)
@@ -119194,7 +120401,7 @@ index b1468ed..c378201 100644
  
  fs_list_inotifyfs(gssd_t)
  files_list_tmp(gssd_t)
-@@ -210,14 +240,14 @@ auth_manage_cache(gssd_t)
+@@ -210,14 +244,14 @@ auth_manage_cache(gssd_t)
  
  miscfiles_read_generic_certs(gssd_t)
  
@@ -119211,7 +120418,7 @@ index b1468ed..c378201 100644
  ')
  
  optional_policy(`
-@@ -229,6 +259,10 @@ optional_policy(`
+@@ -229,6 +263,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -125719,7 +126926,7 @@ index 32a3c13..e3d91ad 100644
  
  optional_policy(`
 diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
-index 2124b6a..d9da85a 100644
+index 2124b6a..9fdf440 100644
 --- a/policy/modules/services/virt.fc
 +++ b/policy/modules/services/virt.fc
 @@ -1,5 +1,6 @@
@@ -125731,7 +126938,7 @@ index 2124b6a..d9da85a 100644
  HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
  
  /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
-@@ -12,18 +13,44 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
+@@ -12,18 +13,48 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t
  /etc/xen/[^/]*		-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/xen/.*/.*			gen_context(system_u:object_r:virt_etc_rw_t,s0)
  
@@ -125773,6 +126980,10 @@ index 2124b6a..d9da85a 100644
 +/var/lib/oz/isos(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +/var/lib/vdsm(/.*)?				gen_context(system_u:object_r:virt_content_t,s0)
 +
++# add support vios-proxy-*
++/usr/bin/vios-proxy-host	--	gen_context(system_u:object_r:virtd_exec_t,s0)
++/usr/bin/vios-proxy-guest	--  gen_context(system_u:object_r:virtd_exec_t,s0)
++
 +# support for nova-stack
 +/usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
 +/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
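Review bot: Labelling `/usr/bin/vios-proxy-host` and `/usr/bin/vios-proxy-guest` as `virtd_exec_t` presumably makes both proxies run in the same domain as libvirtd, with that domain's full access, rather than an access set sized for a proxy. If this is a stop-gap, a comment such as `# TODO: give vios-proxy-* their own domain` above the two entries would record it. The two new lines also separate `--` from `gen_context` differently (a tab on the first, two spaces on the second), and using the same separator on both would be tidier.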
@@ -132714,7 +133925,7 @@ index 354ce93..4738083 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..5a52670 100644
+index 94fd8dd..43dcb93 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,44 @@ interface(`init_script_domain',`
@@ -132812,17 +134023,17 @@ index 94fd8dd..5a52670 100644
  		typeattribute $2 direct_init_entry;
  
 -		userdom_dontaudit_use_user_terminals($1)
-+#		userdom_dontaudit_use_user_terminals($1)
- 	')
- 
+-	')
+-
 -	ifdef(`hide_broken_symptoms',`
 -		# RHEL4 systems seem to have a stray
 -		# fds open from the initrd
 -		ifdef(`distro_rhel4',`
 -			kernel_dontaudit_use_fds($1)
 -		')
--	')
--
++#		userdom_dontaudit_use_user_terminals($1)
+ 	')
+ 
 -	optional_policy(`
 -		nscd_socket_use($1)
 +	tunable_policy(`init_upstart || init_systemd',`
@@ -133091,7 +134302,7 @@ index 94fd8dd..5a52670 100644
  	')
  ')
  
-@@ -800,23 +935,45 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +935,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -133114,11 +134325,11 @@ index 94fd8dd..5a52670 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
- 	')
- ')
- 
- ########################################
- ## <summary>
++	')
++')
++
++########################################
++## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -133131,16 +134342,12 @@ index 94fd8dd..5a52670 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
-+	')
+ 	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute a init script in a specified domain.
- ## </summary>
- ## <desc>
+ ')
+ 
+ ########################################
 @@ -868,9 +1025,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
@@ -133448,7 +134655,7 @@ index 94fd8dd..5a52670 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2124,194 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2124,248 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -133643,6 +134850,60 @@ index 94fd8dd..5a52670 100644
 +
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
++
++########################################
++## <summary>
++##	Get the system status information from init
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_status',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system status;
++')
++
++########################################
++## <summary>
++##	Tell init to reboot the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_reboot',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system reboot;
++')
++
++########################################
++## <summary>
++##	Tell init to halt the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_halt',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:system halt;
++')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
 index 29a9565..e2c5116 100644
 --- a/policy/modules/system/init.te
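Review bot: `init_reboot` and `init_halt` let the caller take the machine down, yet they are documented exactly like the read-only `init_status`, so someone auditing callers gets no hint of the difference. A short `<desc>` on those two would help, along the lines of `##	Callers can make the system unavailable; grant only to domains that manage power state.` The `status`, `reboot` and `halt` permissions also have to exist on the `system` class for these rules to compile. That definition is not visible in this hunk, so confirm it ships in the same patch. The context lines at the top of the hunk belong to an interface that starts outside it.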
@@ -140224,10 +141485,10 @@ index 0000000..0d3e625
 +/var/run/initramfs(/.*)?	<<none>>
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..3b89bc3
+index 0000000..6daaa5c
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,604 @@
+@@ -0,0 +1,656 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -140831,13 +142092,65 @@ index 0000000..3b89bc3
 +	init_named_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
 +')
 +
++########################################
++## <summary>
++##	Get the system status information from init
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_status',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:system status;
++')
 +
++########################################
++## <summary>
++##	Tell init to reboot the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_reboot',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:system reboot;
++')
++
++########################################
++## <summary>
++##	Tell init to halt the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_login_halt',`
++	gen_require(`
++		type systemd_logind_t;
++	')
++
++	allow $1 systemd_logind_t:system halt;
++')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..a9803b5
+index 0000000..7122cd5
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,395 @@
+@@ -0,0 +1,398 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
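Review bot: The summaries of the three new interfaces were copied from the `init_*` versions and still say "from init" and "Tell init to ...", but the rules grant access to `systemd_logind_t`, not `init_t`. The mismatch matters when someone reads the interface docs to work out which call grants reboot rights over which daemon. Suggested wording: `##	Get the system status information from systemd-logind`, `##	Tell systemd-logind to reboot the system.` and `##	Tell systemd-logind to halt the system.`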
@@ -140908,6 +142221,9 @@ index 0000000..a9803b5
 +manage_fifo_files_pattern(systemd_logind_t, systemd_logind_sessions_t, { systemd_logind_sessions_t systemd_logind_var_run_t })
 +init_named_pid_filetrans(systemd_logind_t, systemd_logind_sessions_t, dir, "sessions")
 +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
++init_status(systemd_logind_t)
++init_reboot(systemd_logind_t)
++init_halt(systemd_logind_t)
 +
 +dev_read_sysfs(systemd_logind_t)
 +dev_setattr_input_dev(systemd_logind_t)
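Review bot: `init_reboot(systemd_logind_t)` and `init_halt(systemd_logind_t)` are granted with no comment saying why the login manager needs to bring the system down, and logind is a service that local sessions can talk to. Presumably this is for logind relaying power-off and reboot requests to init; if so, say it, e.g. `# logind relays authorized power-off/reboot requests from sessions to init`. Which domains may in turn ask logind to do this is decided by the callers of `systemd_login_reboot` and `systemd_login_halt`, which are not in this hunk.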
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ba5404e..5a07d95 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 104%{?dist}
+Release: 105%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -483,6 +483,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Wed Mar 21 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-105
+- Allow chronyd to read unix
+- Allow hpfax to read /etc/passwd
+- Add support matahari vios-proxy-* apps and add virtd_exec_t label for them
+- Allow rpcd to read quota_db_t
+- Update to man pages to match latest policy
+- Fix bug in jockey interface for sepolgen-ifgen
+- Add initial svirt_prot_exec_t policy
+
 * Mon Mar 19 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-104
 - More fixes for systemd from Dan Walsh
 

