[selinux-policy/f20] - Add lvm_read_metadata() - Allow auditadm to search /var/log/audit dir - Add lvm_read_metadata() in

Miroslav Grepl mgrepl at fedoraproject.org
Tue Feb 18 16:24:42 UTC 2014


commit ee9a7542f3896a740a5dcc2db65ab2299b936e99
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue Feb 18 17:25:12 2014 +0100

    - Add lvm_read_metadata()
    - Allow auditadm to search /var/log/audit dir
    - Add lvm_read_metadata() interface
    - Allow confined users to run vmtools helpers
    - Fix userdom_common_user_template()
    - Generic systemd unit scripts do write check on /
    - Allow init_t to create init_tmp_t in /tmp. This is for temporary content created by generic unit files
    - Add additional fixes needed for init_t and setup script running in generic unit files
    - Allow general users to create packet_sockets
    - added connlcli port
    - Add init_manage_transient_unit() interface
    - Allow init_t (generic unit files) to manage rpc state data as we had it for initrc_t
    - Fix userdomain.te to require passwd class
    - devicekit_power sends out a signal to all processes on the message bus when power is going down
    - Dontaudit random domains listing /proc and hitting system_map_t
    - Dontaudit leaks of var_t into ifconfig_t
    - Allow domains that transition to ssh_t to manipulate its keyring
    - Define oracleasm_t as a device node
    - Change to handle /root as a symbolic link for os-tree
    - Allow sysadm_t to create packet_socket, also move some rules to attributes
    - Add label for openvswitch port
    - Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
    - Allow postfix_local to read .forward in pcp lib files
    - Allow pegasus_openlmi_storage_t to read lvm metadata
    - Add additional fixes for pegasus_openlmi_storage_t
    - Allow bumblebee to manage debugfs
    - Make bumblebee an unconfined domain
    - Allow snmp to read etc_aliases_t
    - Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
    - Allow pegasus_openlmi_storage_t to read /proc/1/environ
    - Dontaudit read gconf files for cupsd_config_t
    - Make vmtools an unconfined domain
    - Add vmtools_helper_t for helper scripts. Allow vmtools to shut down a host and run ifconfig.
    - Allow collectd_t to use a mysql database
    - Allow ipa-otpd to perform DNS name resolution
    - Added new policy for keepalived
    - Allow openlmi-service provider to manage transient units and allow stream connect to sssd
    - Add additional fixes for new pcsc-lite+polkit support
    - Add labeling for /run/krb5kdc
    - Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
    - Allow pcscd to read users' proc info
    - Dontaudit smbd_t sending out random signals
    - Add boolean to allow openshift domains to use nfs
    - Allow w3c_validator to create content in /tmp
    - zabbix_agent uses nsswitch
    - Allow procmail and dovecot to work together to deliver mail
    - Allow spamd to execute files in homedir if boolean is turned on
    - Allow openvswitch to listen on port 6634
    - Add net_admin capability in collectd policy
    - Fixed snapperd policy
    - Fixed bugs for pcp policy
    - Allow dbus_system_domains to be started by init
    - Fixed some interfaces
    - Add kerberos_keytab_domain attribute
    - Fix snapperd_conf_t def

 policy-f20-base.patch    | 1701 ++++++++++++++++++++++++++++++----------------
 policy-f20-contrib.patch |  833 +++++++++++++++++------
 selinux-policy.spec      |   59 ++-
 3 files changed, 1827 insertions(+), 766 deletions(-)
---
diff --git a/policy-f20-base.patch b/policy-f20-base.patch
index 688449e..67411f3 100644
--- a/policy-f20-base.patch
+++ b/policy-f20-base.patch
@@ -5596,7 +5596,7 @@ index 8e0f9cd..b9f45b9 100644
  
  define(`create_packet_interfaces',``
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..f9f01e8 100644
+index 4edc40d..3173c7b 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -5670,7 +5670,7 @@ index 4edc40d..f9f01e8 100644
  # reserved_port_t is the type of INET port numbers below 1024.
  #
  type reserved_port_t, port_type, reserved_port_type;
-@@ -84,54 +107,65 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
+@@ -84,54 +107,66 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
  network_port(amavisd_recv, tcp,10024,s0)
  network_port(amavisd_send, tcp,10025,s0)
  network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
@@ -5702,6 +5702,7 @@ index 4edc40d..f9f01e8 100644
  network_port(comsat, udp,512,s0)
  network_port(condor, tcp,9618,s0, udp,9618,s0)
 +network_port(conman, tcp,7890,s0, udp,7890,s0)
++network_port(connlcli, tcp,1358,s0, udp,1358,s0)
  network_port(couchdb, tcp,5984,s0, udp,5984,s0)
 -network_port(cslistener, tcp,9000,s0, udp,9000,s0)
 -network_port(ctdb, tcp,4379,s0, udp,4397,s0)
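Review bot: the new `network_port(connlcli, tcp,1358,s0, udp,1358,s0)` line introduces a port type with no consumer or rationale visible in the patch, and the changelog entry only says "added connlcli port". Please record which domain needs to bind or connect to it (or the bug it fixes), and confirm that 1358 tcp/udp is the registered CONNLCLI assignment so the new label does not collide with a port another module already expects to be generic.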
@@ -5743,7 +5744,7 @@ index 4edc40d..f9f01e8 100644
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +173,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -139,45 +174,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
  network_port(hddtemp, tcp,7634,s0)
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5810,7 +5811,7 @@ index 4edc40d..f9f01e8 100644
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
  network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +226,35 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -185,26 +227,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mxi, tcp,8005,s0, udp,8005,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
  network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5832,6 +5833,7 @@ index 4edc40d..f9f01e8 100644
 +network_port(openflow, tcp,6633,s0, tcp,6653,s0)
  network_port(openhpid, tcp,4743,s0, udp,4743,s0)
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
++network_port(openvswitch, tcp,6634,s0)
 +network_port(osapi_compute, tcp, 8774, s0)
  network_port(pdps, tcp,1314,s0, udp,1314,s0)
  network_port(pegasus_http, tcp,5988,s0)
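Review bot: `network_port(openvswitch, tcp,6634,s0)` is TCP-only, which matches the changelog item "Allow openvswitch to listen on port 6634", and it is deliberately distinct from the openflow type (6633/6653) defined a few lines above. The corresponding bind rule for the openvswitch domain is not in this hunk (it would live in the contrib patch); please make sure it lands together with this definition, otherwise the new type only serves to turn a previously generic port into a denial for the daemon.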
@@ -5850,7 +5852,7 @@ index 4edc40d..f9f01e8 100644
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +264,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +266,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
  network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
@@ -5903,7 +5905,7 @@ index 4edc40d..f9f01e8 100644
  network_port(ssh, tcp,22,s0)
  network_port(stunnel) # no defined portcon
  network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +314,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -257,8 +316,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -5914,7 +5916,7 @@ index 4edc40d..f9f01e8 100644
  network_port(transproxy, tcp,8081,s0)
  network_port(trisoap, tcp,10200,s0, udp,10200,s0)
  network_port(ups, tcp,3493,s0)
-@@ -268,10 +326,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+@@ -268,10 +328,10 @@ network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -5927,7 +5929,7 @@ index 4edc40d..f9f01e8 100644
  network_port(winshadow, tcp,3161,s0, udp,3261,s0)
  network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
  network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -285,19 +343,23 @@ network_port(zabbix_agent, tcp,10050,s0)
+@@ -285,19 +345,23 @@ network_port(zabbix_agent, tcp,10050,s0)
  network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
@@ -5954,7 +5956,7 @@ index 4edc40d..f9f01e8 100644
  
  ########################################
  #
-@@ -330,6 +392,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -330,6 +394,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
  
  build_option(`enable_mls',`
  network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5963,7 +5965,7 @@ index 4edc40d..f9f01e8 100644
  ',`
  typealias netif_t alias { lo_netif_t netif_lo_t };
  ')
-@@ -342,9 +406,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -342,9 +408,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -8903,7 +8905,7 @@ index 6a1e4d1..84e8030 100644
 +	dontaudit $1 domain:dir_file_class_set audit_access;
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..4b49713 100644
+index cf04cb5..1abe365 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -8944,7 +8946,7 @@ index cf04cb5..4b49713 100644
  
  # Transitions only allowed from domains to other domains
  neverallow domain ~domain:process { transition dyntransition };
-@@ -86,23 +110,46 @@ neverallow ~{ domain unlabeled_t } *:process *;
+@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *;
  allow domain self:dir list_dir_perms;
  allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
  allow domain self:file rw_file_perms;
@@ -8982,6 +8984,7 @@ index cf04cb5..4b49713 100644
 +files_read_inherited_tmp_files(domain)
 +files_append_inherited_tmp_files(domain)
 +files_read_all_base_ro_files(domain)
++files_dontaduit_getattr_kernel_symbol_table(domain)
 +
 +# All executables should be able to search the directory they are in
 +corecmd_search_bin(domain)
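Review bot: the interface name `files_dontaduit_getattr_kernel_symbol_table` is misspelled ("dontaduit"). Once it is called from domain.te and defined in files.if it becomes a public interface name, and fixing it later means carrying an alias; rename it to `files_dontaudit_getattr_kernel_symbol_table` in both places before this ships. Since the call is on the `domain` attribute, getattr on system_map_t will stop appearing in audit for every confined domain; a one-line comment here on why that is acceptable (the changelog says random domains were hitting it while listing /proc) would help future readers.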
@@ -8992,7 +8995,7 @@ index cf04cb5..4b49713 100644
  
  ifdef(`hide_broken_symptoms',`
  	# This check is in the general socket
-@@ -121,8 +168,18 @@ tunable_policy(`global_ssp',`
+@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',`
  ')
  
  optional_policy(`
@@ -9011,7 +9014,7 @@ index cf04cb5..4b49713 100644
  ')
  
  optional_policy(`
-@@ -133,6 +190,9 @@ optional_policy(`
+@@ -133,6 +191,9 @@ optional_policy(`
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -9021,7 +9024,7 @@ index cf04cb5..4b49713 100644
  ')
  
  ########################################
-@@ -147,12 +207,18 @@ optional_policy(`
+@@ -147,12 +208,18 @@ optional_policy(`
  # Use/sendto/connectto sockets created by any domain.
  allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *;
  
@@ -9041,7 +9044,7 @@ index cf04cb5..4b49713 100644
  
  # Create/access any System V IPC objects.
  allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +232,326 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +233,330 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
  
@@ -9300,6 +9303,10 @@ index cf04cb5..4b49713 100644
 +	cron_rw_system_job_pipes(domain)
 +')
 +
++optional_policy(`
++	devicekit_dbus_chat_power(domain)
++')
++
 +ifdef(`hide_broken_symptoms',`
 +	dontaudit domain self:udp_socket listen;
 +	allow domain domain:key { link search };
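Review bot: `devicekit_dbus_chat_power(domain)` grants every domain D-Bus chat with devicekit_power, and chat interfaces in this policy are normally bidirectional (send_msg in both directions). The changelog entry describes the need as devicekit_power sending a signal to all processes on the bus, which is only the devicekit_power_t to domain direction; if a one-way interface exists or can be added, it would be the smaller grant. Either way, a comment above the optional_policy block naming the power-down signal would explain why a domain-wide rule is needed.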
@@ -9619,7 +9626,7 @@ index c2c6e05..2282452 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..8eb459b 100644
+index 64ff4d7..a47b644 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -11387,7 +11394,32 @@ index 64ff4d7..8eb459b 100644
  ')
  
  ########################################
-@@ -5223,6 +6319,24 @@ interface(`files_list_var',`
+@@ -5094,6 +6190,24 @@ interface(`files_create_kernel_symbol_table',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit getattr attempts on the system.map file
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaduit_getattr_kernel_symbol_table',`
++	gen_require(`
++		type system_map_t;
++	')
++
++	dontaudit $1 system_map_t:file getattr;
++')
++
++########################################
++## <summary>
+ ##	Read system.map in the /boot directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -5223,6 +6337,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -11412,7 +11444,16 @@ index 64ff4d7..8eb459b 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5507,6 +6621,23 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5310,7 +6442,7 @@ interface(`files_dontaudit_rw_var_files',`
+ 		type var_t;
+ 	')
+ 
+-	dontaudit $1 var_t:file rw_file_perms;
++	dontaudit $1 var_t:file rw_inherited_file_perms;
+ ')
+ 
+ ########################################
+@@ -5507,6 +6639,23 @@ interface(`files_rw_var_lib_dirs',`
  	rw_dirs_pattern($1, var_lib_t, var_lib_t)
  ')
  
@@ -11436,7 +11477,7 @@ index 64ff4d7..8eb459b 100644
  ########################################
  ## <summary>
  ##	Create objects in the /var/lib directory
-@@ -5578,6 +6709,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5578,6 +6727,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -11462,7 +11503,7 @@ index 64ff4d7..8eb459b 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5623,7 +6773,7 @@ interface(`files_manage_mounttab',`
+@@ -5623,7 +6791,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -11471,7 +11512,7 @@ index 64ff4d7..8eb459b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5631,12 +6781,13 @@ interface(`files_manage_mounttab',`
+@@ -5631,12 +6799,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -11487,7 +11528,7 @@ index 64ff4d7..8eb459b 100644
  ')
  
  ########################################
-@@ -5654,6 +6805,7 @@ interface(`files_search_locks',`
+@@ -5654,6 +6823,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11495,7 +11536,7 @@ index 64ff4d7..8eb459b 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5680,7 +6832,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5680,7 +6850,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -11523,7 +11564,7 @@ index 64ff4d7..8eb459b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5688,13 +6859,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5688,13 +6877,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -11540,7 +11581,7 @@ index 64ff4d7..8eb459b 100644
  ')
  
  ########################################
-@@ -5713,7 +6883,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5713,7 +6901,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -11549,7 +11590,7 @@ index 64ff4d7..8eb459b 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5746,7 +6916,6 @@ interface(`files_create_lock_dirs',`
+@@ -5746,7 +6934,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -11557,7 +11598,7 @@ index 64ff4d7..8eb459b 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5761,7 +6930,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5761,7 +6948,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -11566,7 +11607,7 @@ index 64ff4d7..8eb459b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5769,13 +6938,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5769,13 +6956,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11601,7 +11642,7 @@ index 64ff4d7..8eb459b 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5791,13 +6980,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5791,13 +6998,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -11619,7 +11660,7 @@ index 64ff4d7..8eb459b 100644
  ')
  
  ########################################
-@@ -5816,9 +7004,7 @@ interface(`files_manage_generic_locks',`
+@@ -5816,9 +7022,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11630,7 +11671,7 @@ index 64ff4d7..8eb459b 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5860,8 +7046,7 @@ interface(`files_read_all_locks',`
+@@ -5860,8 +7064,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11640,7 +11681,7 @@ index 64ff4d7..8eb459b 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +7068,7 @@ interface(`files_manage_all_locks',`
+@@ -5883,8 +7086,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -11650,7 +11691,7 @@ index 64ff4d7..8eb459b 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +7105,7 @@ interface(`files_lock_filetrans',`
+@@ -5921,8 +7123,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -11660,7 +11701,7 @@ index 64ff4d7..8eb459b 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5961,7 +7144,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5961,7 +7162,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -11669,7 +11710,7 @@ index 64ff4d7..8eb459b 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5981,10 +7164,48 @@ interface(`files_search_pids',`
+@@ -5981,18 +7182,56 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11678,11 +11719,16 @@ index 64ff4d7..8eb459b 100644
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
+-########################################
 +######################################
-+## <summary>
+ ## <summary>
+-##	Do not audit attempts to search
+-##	the /var/run directory.
 +## Add and remove entries from pid directories.
-+## </summary>
-+## <param name="domain">
+ ## </summary>
+ ## <param name="domain">
+-##	<summary>
+-##	Domain to not audit.
 +## <summary>
 +## Domain allowed access.
 +## </summary>
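Review bot: the documentation header for the new interface (`######################################`) is shorter than the `########################################` separators used throughout files.if, and the `<summary>` / `Domain allowed access.` / `</summary>` lines under `<param name="domain">` are missing the tab indentation every other block uses. Please match the surrounding style so the generated interface documentation stays consistent.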
@@ -11715,10 +11761,18 @@ index 64ff4d7..8eb459b 100644
 +        allow $1 var_run_t:dir create_dir_perms;
 +')
 +
- ########################################
- ## <summary>
- ##	Do not audit attempts to search
-@@ -6007,6 +7228,25 @@ interface(`files_dontaudit_search_pids',`
++########################################
++## <summary>
++##	Do not audit attempts to search
++##	the /var/run directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+@@ -6007,6 +7246,25 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -11744,7 +11798,7 @@ index 64ff4d7..8eb459b 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6021,7 +7261,7 @@ interface(`files_list_pids',`
+@@ -6021,7 +7279,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11753,7 +11807,7 @@ index 64ff4d7..8eb459b 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6040,7 +7280,7 @@ interface(`files_read_generic_pids',`
+@@ -6040,7 +7298,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11762,7 +11816,7 @@ index 64ff4d7..8eb459b 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6060,7 +7300,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6060,7 +7318,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -11771,7 +11825,7 @@ index 64ff4d7..8eb459b 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6122,7 +7362,6 @@ interface(`files_pid_filetrans',`
+@@ -6122,7 +7380,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -11779,7 +11833,7 @@ index 64ff4d7..8eb459b 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6151,6 +7390,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6151,6 +7408,24 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
@@ -11804,7 +11858,7 @@ index 64ff4d7..8eb459b 100644
  ##	Read and write generic process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6164,7 +7421,7 @@ interface(`files_rw_generic_pids',`
+@@ -6164,7 +7439,7 @@ interface(`files_rw_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -11813,236 +11867,392 @@ index 64ff4d7..8eb459b 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	rw_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6231,6 +7488,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6231,55 +7506,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
+-##	Read all process ID files.
 +##	Relable all pid directories
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_read_all_pids',`
 +interface(`files_relabel_all_pid_dirs',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	list_dirs_pattern($1, var_t, pidfile)
+-	read_files_pattern($1, pidfile, pidfile)
 +	relabel_dirs_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process IDs.
 +##	Delete all pid sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <rolecap/>
+ #
+-interface(`files_delete_all_pids',`
 +interface(`files_delete_all_pid_sockets',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	allow $1 var_run_t:dir rmdir;
+-	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
+-	delete_files_pattern($1, pidfile, pidfile)
+-	delete_fifo_files_pattern($1, pidfile, pidfile)
+-	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
 +	allow $1 pidfile:sock_file delete_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Delete all process ID directories.
 +##	Create all pid sockets
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6287,42 +7550,35 @@ interface(`files_delete_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_delete_all_pid_dirs',`
 +interface(`files_create_all_pid_sockets',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute pidfile;
+-		type var_t, var_run_t;
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
+-	delete_dirs_pattern($1, pidfile, pidfile)
 +	allow $1 pidfile:sock_file create_sock_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write and delete all
+-##	var_run (pid) content
 +##	Create all pid named pipes
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain alloed access.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_all_pids',`
 +interface(`files_create_all_pid_pipes',`
-+	gen_require(`
-+		attribute pidfile;
-+	')
-+
+ 	gen_require(`
+ 		attribute pidfile;
+ 	')
+ 
+-	manage_dirs_pattern($1, pidfile, pidfile)
+-	manage_files_pattern($1, pidfile, pidfile)
+-	manage_lnk_files_pattern($1, pidfile, pidfile)
 +	allow $1 pidfile:fifo_file create_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Mount filesystems on all polyinstantiation
+-##	member directories.
 +##	Delete all pid named pipes
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6330,18 +7586,18 @@ interface(`files_manage_all_pids',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_mounton_all_poly_members',`
 +interface(`files_delete_all_pid_pipes',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute polymember;
 +		attribute pidfile;
-+	')
-+
+ 	')
+ 
+-	allow $1 polymember:dir mounton;
 +	allow $1 pidfile:fifo_file delete_fifo_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Search the contents of generic spool
+-##	directories (/var/spool).
 +##	manage all pidfile directories
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6349,37 +7605,40 @@ interface(`files_mounton_all_poly_members',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_search_spool',`
 +interface(`files_manage_all_pid_dirs',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute pidfile;
-+	')
-+
+ 	')
+ 
+-	search_dirs_pattern($1, var_t, var_spool_t)
 +	manage_dirs_pattern($1,pidfile,pidfile)
-+')
-+
+ ')
+ 
 +
-+########################################
-+## <summary>
- ##	Read all process ID files.
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search generic
+-##	spool directories.
++##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6243,12 +7610,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
- interface(`files_read_all_pids',`
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <rolecap/>
+ #
+-interface(`files_dontaudit_search_spool',`
++interface(`files_read_all_pids',`
  	gen_require(`
- 		attribute pidfile;
--		type var_t, var_run_t;
+-		type var_spool_t;
++		attribute pidfile;
 +		type var_t;
  	')
  
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	list_dirs_pattern($1, var_t, pidfile)
- 	read_files_pattern($1, pidfile, pidfile)
+-	dontaudit $1 var_spool_t:dir search_dir_perms;
++	list_dirs_pattern($1, var_t, pidfile)
++	read_files_pattern($1, pidfile, pidfile)
 +	read_lnk_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of generic spool
+-##	(/var/spool) directories.
 +##	Relable all pid files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6387,18 +7646,17 @@ interface(`files_dontaudit_search_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_list_spool',`
 +interface(`files_relabel_all_pid_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute pidfile;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
 +	relabel_files_pattern($1, pidfile, pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool directories (/var/spool).
 +##	Execute generic programs in /var/run in the caller domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6406,18 +7664,18 @@ interface(`files_list_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool_dirs',`
 +interface(`files_exec_generic_pid_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		type var_run_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_dirs_pattern($1, var_spool_t, var_spool_t)
 +	exec_files_pattern($1, var_run_t, var_run_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read generic spool files.
 +##	manage all pidfiles 
 +##	in the /var/run directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6425,19 +7683,18 @@ interface(`files_manage_generic_spool_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_read_generic_spool',`
 +interface(`files_manage_all_pids',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute pidfile;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, var_t, var_spool_t)
+-	read_files_pattern($1, var_spool_t, var_spool_t)
 +	manage_files_pattern($1,pidfile,pidfile)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create, read, write, and delete generic
+-##	spool files.
 +##	Mount filesystems on all polyinstantiation
 +##	member directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6445,55 +7702,43 @@ interface(`files_read_generic_spool',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_manage_generic_spool',`
 +interface(`files_mounton_all_poly_members',`
-+	gen_require(`
+ 	gen_require(`
+-		type var_t, var_spool_t;
 +		attribute polymember;
-+	')
-+
+ 	')
+ 
+-	allow $1 var_t:dir search_dir_perms;
+-	manage_files_pattern($1, var_spool_t, var_spool_t)
 +	allow $1 polymember:dir mounton;
  ')
  
  ########################################
-@@ -6268,8 +7709,8 @@ interface(`files_delete_all_pids',`
- 		type var_t, var_run_t;
- 	')
- 
-+	files_search_pids($1)
- 	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	allow $1 var_run_t:dir rmdir;
- 	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
- 	delete_files_pattern($1, pidfile, pidfile)
-@@ -6293,36 +7734,80 @@ interface(`files_delete_all_pid_dirs',`
- 		type var_t, var_run_t;
+ ## <summary>
+-##	Create objects in the spool directory
+-##	with a private type with a type transition.
++##	Delete all process IDs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <param name="file">
+-##	<summary>
+-##	Type to which the created node will be transitioned.
+-##	</summary>
+-## </param>
+-## <param name="class">
+-##	<summary>
+-##	Object class(es) (single or set including {}) for which this
+-##	the transition will occur.
+-##	</summary>
+-## </param>
+-## <param name="name" optional="true">
+-##	<summary>
+-##	The name of the object being created.
+-##	</summary>
+-## </param>
++## <rolecap/>
+ #
+-interface(`files_spool_filetrans',`
++interface(`files_delete_all_pids',`
+ 	gen_require(`
+-		type var_t, var_spool_t;
++		attribute pidfile;
++		type var_t, var_run_t;
  	')
  
 +	files_search_pids($1)
  	allow $1 var_t:dir search_dir_perms;
--	allow $1 var_run_t:lnk_file read_lnk_file_perms;
- 	delete_dirs_pattern($1, pidfile, pidfile)
+-	filetrans_pattern($1, var_spool_t, $2, $3, $4)
++	allow $1 var_run_t:dir rmdir;
++	allow $1 var_run_t:lnk_file delete_lnk_file_perms;
++	delete_files_pattern($1, pidfile, pidfile)
++	delete_fifo_files_pattern($1, pidfile, pidfile)
++	delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })
  ')
  
  ########################################
  ## <summary>
--##	Create, read, write and delete all
--##	var_run (pid) content
+-##	Allow access to manage all polyinstantiated
+-##	directories on the system.
++##	Delete all process ID directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -6501,53 +7746,68 @@ interface(`files_spool_filetrans',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`files_polyinstantiate_all',`
++interface(`files_delete_all_pid_dirs',`
+ 	gen_require(`
+-		attribute polydir, polymember, polyparent;
+-		type poly_t;
++		attribute pidfile;
++		type var_t, var_run_t;
+ 	')
+ 
+-	# Need to give access to /selinux/member
+-	selinux_compute_member($1)
+-
+-	# Need sys_admin capability for mounting
+-	allow $1 self:capability { chown fsetid sys_admin fowner };
+-
+-	# Need to give access to the directories to be polyinstantiated
+-	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
+-
+-	# Need to give access to the polyinstantiated subdirectories
+-	allow $1 polymember:dir search_dir_perms;
+-
+-	# Need to give access to parent directories where original
+-	# is remounted for polyinstantiation aware programs (like gdm)
+-	allow $1 polyparent:dir { getattr mounton };
+-
+-	# Need to give permission to create directories where applicable
+-	allow $1 self:process setfscreate;
+-	allow $1 polymember: dir { create setattr relabelto };
+-	allow $1 polydir: dir { write add_name open };
+-	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
+-
+-	# Default type for mountpoints
+-	allow $1 poly_t:dir { create mounton };
+-	fs_unmount_xattr_fs($1)
+-
+-	fs_mount_tmpfs($1)
+-	fs_unmount_tmpfs($1)
++	files_search_pids($1)
++	allow $1 var_t:dir search_dir_perms;
++	delete_dirs_pattern($1, pidfile, pidfile)
++')
+ 
+-	ifdef(`distro_redhat',`
+-		# namespace.init
+-		files_search_tmp($1)
+-		files_search_home($1)
+-		corecmd_exec_bin($1)
+-		seutil_domtrans_setfiles($1)
++########################################
++## <summary>
 +##	Make the specified type a file
 +##	used for spool files.
 +## </summary>
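Review bot: in the re-added files_delete_all_pids body the line "files_search_pids($1)" is immediately followed by "allow $1 var_t:dir search_dir_perms;", which is redundant if files_search_pids already grants var_t:dir search as it does in refpolicy; keep one of the two. More generally this hunk interleaves a wholesale move of files_delete_all_pids, files_delete_all_pid_dirs and files_spool_file with the handful of real changes (the new "## <rolecap/>" tag, the files_search_pids call, the "delete_sock_files_pattern($1, pidfile, { pidfile var_run_t })" rule), so it is hard to tell reorder from rule change; regenerating the patch from a rebased tree so moved interfaces show up as unchanged context would make it reviewable.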
@@ -12083,56 +12293,49 @@ index 64ff4d7..8eb459b 100644
 +interface(`files_spool_file',`
 +	gen_require(`
 +		attribute spoolfile;
-+	')
+ 	')
 +
 +	files_type($1)
 +	typeattribute $1 spoolfile;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Unconfined access to files.
 +##	Create all spool sockets
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain alloed access.
-+##	Domain allowed access.
+@@ -6555,10 +7815,785 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
--interface(`files_manage_all_pids',`
+-interface(`files_unconfined',`
 +interface(`files_create_all_spool_sockets',`
  	gen_require(`
--		attribute pidfile;
+-		attribute files_unconfined_type;
 +		attribute spoolfile;
  	')
  
--	manage_dirs_pattern($1, pidfile, pidfile)
--	manage_files_pattern($1, pidfile, pidfile)
--	manage_lnk_files_pattern($1, pidfile, pidfile)
+-	typeattribute $1 files_unconfined_type;
 +	allow $1 spoolfile:sock_file create_sock_file_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Mount filesystems on all polyinstantiation
--##	member directories.
++')
++
++########################################
++## <summary>
 +##	Delete all spool sockets
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -6330,12 +7815,33 @@ interface(`files_manage_all_pids',`
- ##	</summary>
- ## </param>
- #
--interface(`files_mounton_all_poly_members',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`files_delete_all_spool_sockets',`
- 	gen_require(`
--		attribute polymember;
++	gen_require(`
 +		attribute spoolfile;
- 	')
- 
--	allow $1 polymember:dir mounton;
++	')
++
 +	allow $1 spoolfile:sock_file delete_sock_file_perms;
 +')
 +
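Review bot: files_create_all_spool_sockets and files_delete_all_spool_sockets use raw rules ("allow $1 spoolfile:sock_file create_sock_file_perms;", "allow $1 spoolfile:sock_file delete_sock_file_perms;") instead of create_sock_files_pattern/delete_sock_files_pattern, so a caller gets no add_name/remove_name on the spool directory the socket lives in and will still hit a denial unless it obtains directory write access through another interface; either switch to the pattern macros or state in the interface summary that the caller must pair this with a spool directory interface.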
@@ -12155,13 +12358,232 @@ index 64ff4d7..8eb459b 100644
 +	')
 +
 +	relabel_dirs_pattern($1, spoolfile, spoolfile)
- ')
- 
- ########################################
-@@ -6562,3 +8068,514 @@ interface(`files_unconfined',`
- 
- 	typeattribute $1 files_unconfined_type;
- ')
++')
++
++########################################
++## <summary>
++##	Search the contents of generic spool
++##	directories (/var/spool).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	search_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to search generic
++##	spool directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_search_spool',`
++	gen_require(`
++		type var_spool_t;
++	')
++
++	dontaudit $1 var_spool_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	List the contents of generic spool
++##	(/var/spool) directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_list_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	list_dirs_pattern($1, var_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	spool directories (/var/spool).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_spool_dirs',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_dirs_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Read generic spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_read_generic_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	list_dirs_pattern($1, var_t, var_spool_t)
++	read_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete generic
++##	spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_generic_spool',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	manage_files_pattern($1, var_spool_t, var_spool_t)
++')
++
++########################################
++## <summary>
++##	Create objects in the spool directory
++##	with a private type with a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="file">
++##	<summary>
++##	Type to which the created node will be transitioned.
++##	</summary>
++## </param>
++## <param name="class">
++##	<summary>
++##	Object class(es) (single or set including {}) for which this
++##	the transition will occur.
++##	</summary>
++## </param>
++## <param name="name" optional="true">
++##	<summary>
++##	The name of the object being created.
++##	</summary>
++## </param>
++#
++interface(`files_spool_filetrans',`
++	gen_require(`
++		type var_t, var_spool_t;
++	')
++
++	allow $1 var_t:dir search_dir_perms;
++	filetrans_pattern($1, var_spool_t, $2, $3, $4)
++')
++
++########################################
++## <summary>
++##	Allow access to manage all polyinstantiated
++##	directories on the system.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_polyinstantiate_all',`
++	gen_require(`
++		attribute polydir, polymember, polyparent;
++		type poly_t;
++	')
++
++	# Need to give access to /selinux/member
++	selinux_compute_member($1)
++
++	# Need sys_admin capability for mounting
++	allow $1 self:capability { chown fsetid sys_admin fowner };
++
++	# Need to give access to the directories to be polyinstantiated
++	allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir };
++
++	# Need to give access to the polyinstantiated subdirectories
++	allow $1 polymember:dir search_dir_perms;
++
++	# Need to give access to parent directories where original
++	# is remounted for polyinstantiation aware programs (like gdm)
++	allow $1 polyparent:dir { getattr mounton };
++
++	# Need to give permission to create directories where applicable
++	allow $1 self:process setfscreate;
++	allow $1 polymember: dir { create setattr relabelto };
++	allow $1 polydir: dir { write add_name open };
++	allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto };
++
++	# Default type for mountpoints
++	allow $1 poly_t:dir { create mounton };
++	fs_unmount_xattr_fs($1)
++
++	fs_mount_tmpfs($1)
++	fs_unmount_tmpfs($1)
++
++	ifdef(`distro_redhat',`
++		# namespace.init
++		files_search_tmp($1)
++		files_search_home($1)
++		corecmd_exec_bin($1)
++		seutil_domtrans_setfiles($1)
++	')
++')
++
++########################################
++## <summary>
++##	Unconfined access to files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_unconfined',`
++	gen_require(`
++		attribute files_unconfined_type;
++	')
++
++	typeattribute $1 files_unconfined_type;
++')
 +
 +########################################
 +## <summary>
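Review bot: this hunk re-adds as "++" lines the entire run of interfaces from files_search_spool through files_unconfined that the preceding hunks deleted, so the net effect on files.if is a reorder with no rule change; please regenerate the patch so unchanged interfaces appear as context, otherwise every later fix to files.if will conflict with this churn. While the block is being touched, the re-added files_polyinstantiate_all keeps the inconsistent "allow $1 polymember: dir { create setattr relabelto };" and "allow $1 polydir: dir { write add_name open };" spacing (space after the colon) that no other rule in the interface uses.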
@@ -12672,7 +13094,7 @@ index 64ff4d7..8eb459b 100644
 +	')
 +
 +	allow $1 etc_t:service status;
-+')
+ ')
 diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
 index 148d87a..ccbcb66 100644
 --- a/policy/modules/kernel/files.te
@@ -14319,7 +14741,7 @@ index 8416beb..c6cd3eb 100644
 +	fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
 +')
 diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..1198b51 100644
+index 9e603f5..3b8dd74 100644
 --- a/policy/modules/kernel/filesystem.te
 +++ b/policy/modules/kernel/filesystem.te
 @@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
@@ -14342,12 +14764,13 @@ index 9e603f5..1198b51 100644
  
  type bdev_t;
  fs_type(bdev_t)
-@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t)
+@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t)
  files_mountpoint(binfmt_misc_fs_t)
  genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
  
 +type oracleasmfs_t;
 +fs_type(oracleasmfs_t)
++dev_node(oracleasmfs_t)
 +files_mountpoint(oracleasmfs_t)
 +genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)
 +
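Review bot: "dev_node(oracleasmfs_t)" turns a filesystem type into a device node type as well, so every domain that holds an attribute-wide device rule (for example via dev_manage_all_dev_nodes) now reaches files on an oracleasmfs mount too; confirm that is intended for the genfscon-labelled filesystem and not only for the device files under /dev, and add a comment saying which denial this fixes. The changelog entry also says "Define oracleasm_t as a device node" while the type changed here is oracleasmfs_t.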
@@ -14361,7 +14784,7 @@ index 9e603f5..1198b51 100644
  fs_type(cgroup_t)
  files_type(cgroup_t)
  files_mountpoint(cgroup_t)
-@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t)
+@@ -89,6 +99,11 @@ fs_noxattr_type(ecryptfs_t)
  files_mountpoint(ecryptfs_t)
  genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
  
@@ -14373,7 +14796,7 @@ index 9e603f5..1198b51 100644
  type futexfs_t;
  fs_type(futexfs_t)
  genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -97,6 +111,7 @@ type hugetlbfs_t;
+@@ -97,6 +112,7 @@ type hugetlbfs_t;
  fs_type(hugetlbfs_t)
  files_mountpoint(hugetlbfs_t)
  fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -14381,7 +14804,7 @@ index 9e603f5..1198b51 100644
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -119,12 +135,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
  
  type nfsd_fs_t;
  fs_type(nfsd_fs_t)
@@ -14399,7 +14822,7 @@ index 9e603f5..1198b51 100644
  type ramfs_t;
  fs_type(ramfs_t)
  files_mountpoint(ramfs_t)
-@@ -145,11 +165,6 @@ fs_type(spufs_t)
+@@ -145,11 +166,6 @@ fs_type(spufs_t)
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -14411,7 +14834,7 @@ index 9e603f5..1198b51 100644
  type sysv_t;
  fs_noxattr_type(sysv_t)
  files_mountpoint(sysv_t)
-@@ -167,6 +182,8 @@ type vxfs_t;
+@@ -167,6 +183,8 @@ type vxfs_t;
  fs_noxattr_type(vxfs_t)
  files_mountpoint(vxfs_t)
  genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -14420,7 +14843,7 @@ index 9e603f5..1198b51 100644
  
  #
  # tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +193,8 @@ fs_type(tmpfs_t)
+@@ -176,6 +194,8 @@ fs_type(tmpfs_t)
  files_type(tmpfs_t)
  files_mountpoint(tmpfs_t)
  files_poly_parent(tmpfs_t)
@@ -14429,7 +14852,7 @@ index 9e603f5..1198b51 100644
  
  # Use a transition SID based on the allocating task SID and the
  # filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -255,6 +275,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
  type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
@@ -14438,7 +14861,7 @@ index 9e603f5..1198b51 100644
  files_mountpoint(removable_t)
  
  #
-@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -274,6 +296,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
  genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -17363,7 +17786,7 @@ index 0000000..48caabc
 +allow domain unlabeled_t:packet { send recv };
 +
 diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
-index 834a065..c769f81 100644
+index 834a065..ff93697 100644
 --- a/policy/modules/roles/auditadm.te
 +++ b/policy/modules/roles/auditadm.te
 @@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
@@ -17375,10 +17798,12 @@ index 834a065..c769f81 100644
  
  ########################################
  #
-@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t)
+@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
  
  domain_kill_all_domains(auditadm_t)
  
++mls_file_read_all_levels(auditadm_t)
++
 +selinux_read_policy(auditadm_t)
 +
  logging_send_syslog_msg(auditadm_t)
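Review bot: "mls_file_read_all_levels(auditadm_t)" is an MLS read-up override on every file type, which is far broader than the changelog entry "Allow auditadm to search /var/log/audit dir" that appears to motivate it; if the underlying denial is auditadm_t reading audit logs written at a higher level, check whether a narrower logging interface already covers that case, and either way add a comment above the rule recording which denial it fixes so the override is not silently kept forever.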
@@ -17455,7 +17880,7 @@ index 234a940..d340f20 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..6412825 100644
+index 5da7870..5247b99 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
@@ -17680,7 +18105,7 @@ index 5da7870..6412825 100644
  ')
  
  optional_policy(`
-@@ -52,11 +230,57 @@ optional_policy(`
+@@ -52,11 +230,61 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17725,6 +18150,10 @@ index 5da7870..6412825 100644
  ')
  
  optional_policy(`
++    vmtools_run_helper(staff_t, staff_r)
++')
++
++optional_policy(`
 +	vnstatd_read_lib_files(staff_t)
 +')
 +
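Review bot: the added optional_policy block for "vmtools_run_helper(staff_t, staff_r)" is indented with four spaces while the rest of staff.te, including the neighbouring "vnstatd_read_lib_files(staff_t)" block, uses tabs; please use a tab so the file stays consistent.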
@@ -17738,7 +18167,7 @@ index 5da7870..6412825 100644
  ')
  
  ifndef(`distro_redhat',`
-@@ -65,10 +289,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +293,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17749,7 +18178,7 @@ index 5da7870..6412825 100644
  		cdrecord_role(staff_r, staff_t)
  	')
  
-@@ -78,10 +298,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +302,6 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		dbus_role_template(staff, staff_r, staff_t)
@@ -17760,7 +18189,7 @@ index 5da7870..6412825 100644
  	')
  
  	optional_policy(`
-@@ -101,10 +317,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +321,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17771,7 +18200,7 @@ index 5da7870..6412825 100644
  		java_role(staff_r, staff_t)
  	')
  
-@@ -125,10 +337,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +341,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17782,7 +18211,7 @@ index 5da7870..6412825 100644
  		pyzor_role(staff_r, staff_t)
  	')
  
-@@ -141,10 +349,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +353,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -17793,7 +18222,7 @@ index 5da7870..6412825 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -176,3 +380,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +384,22 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -17845,7 +18274,7 @@ index ff92430..36740ea 100644
  ## <summary>
  ##	Execute a generic bin program in the sysadm domain.
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..f520b74 100644
+index 88d0028..4a77968 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
@@ -18354,7 +18783,7 @@ index 88d0028..f520b74 100644
  		dbus_role_template(sysadm, sysadm_r, sysadm_t)
  
  		optional_policy(`
-@@ -463,15 +575,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +575,79 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -18421,6 +18850,10 @@ index 88d0028..f520b74 100644
 +		userhelper_role_template(sysadm, sysadm_r, sysadm_t)
 +	')
 +
++    optional_policy(`
++        vmtools_run_helper(sysadm_t, sysadm_r)
++    ')
++
 +	optional_policy(`
 +		vmware_role(sysadm_r, sysadm_t)
 +	')
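Review bot: both the "optional_policy(" line and the "vmtools_run_helper(sysadm_t, sysadm_r)" call are indented with spaces while the surrounding optional_policy blocks in sysadm.te (userhelper_role_template, vmware_role) use tabs; please fix the indentation before this is committed.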
@@ -19137,10 +19570,10 @@ index 0000000..b1163a6
 +')
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..539c163
+index 0000000..b126e2b
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,332 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -19301,6 +19734,10 @@ index 0000000..539c163
 +		sandbox_x_transition(unconfined_t, unconfined_r)
 +	')
 +
++    optional_policy(`
++        vmtools_run_helper(unconfined_t, unconfined_r)
++    ')
++
 +	optional_policy(`
 +		gen_require(`
 +			type user_tmpfs_t;
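Review bot: the new optional_policy block around "vmtools_run_helper(unconfined_t, unconfined_r)" uses four-space indentation in a file that is otherwise tab-indented (see the sandbox_x_transition block just above it); please use tabs.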
@@ -19480,7 +19917,7 @@ index 3835596..fbca2be 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index cdfddf4..ad1f001 100644
+index cdfddf4..e53ec1a 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
 @@ -1,5 +1,12 @@
@@ -19636,7 +20073,18 @@ index cdfddf4..ad1f001 100644
  	optional_policy(`
  		su_role_template(user, user_r, user_t)
  	')
-@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
+@@ -153,6 +255,10 @@ ifndef(`distro_redhat',`
+ 		userhelper_role_template(user, user_r, user_t)
+ 	')
+ 
++    optional_policy(`
++        vmtools_run_helper(user_t, user_r)
++    ')
++
+ 	optional_policy(`
+ 		vmware_role(user_r, user_t)
+ 	')
+@@ -161,3 +267,15 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
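Review bot: the "vmtools_run_helper(user_t, user_r)" block has the same spaces-instead-of-tabs indentation as the staff.te, sysadm.te and unconfineduser.te hunks, but the more important point is that user_t is the unprivileged confined user domain: giving it a transition into the vmtools helper means anything running as an ordinary user can invoke that helper, so please confirm the helper domain is safe to expose to user_r (no path back into a more privileged domain or to files user_t cannot otherwise reach) and record that in the changelog, which currently covers all four roles with the single line "Allow confined users to run vmtools helpers".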
@@ -20270,7 +20718,7 @@ index 76d9f66..5c271ce 100644
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 +/root/\.shosts				gen_context(system_u:object_r:ssh_home_t,s0)
 diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c682..c0413e8 100644
+index fe0c682..e8dcfa7 100644
 --- a/policy/modules/services/ssh.if
 +++ b/policy/modules/services/ssh.if
 @@ -32,10 +32,11 @@
@@ -20521,7 +20969,7 @@ index fe0c682..c0413e8 100644
  	allow ssh_t $3:unix_stream_socket rw_socket_perms;
  	allow ssh_t $3:unix_stream_socket connectto;
 +	allow ssh_t $3:key manage_key_perms;
-+	allow $3 ssh_t:key read;
++	allow $3 ssh_t:key { write search read view };
  
  	# user can manage the keys and config
  	manage_files_pattern($3, ssh_home_t, ssh_home_t)
@@ -27031,7 +27479,7 @@ index 9a4d3a7..9d960bb 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..45d0b37 100644
+index 24e7804..e28a0ca 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -1,5 +1,21 @@
@@ -28013,7 +28461,7 @@ index 24e7804..45d0b37 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2338,432 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1819,3 +2338,450 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -28427,6 +28875,24 @@ index 24e7804..45d0b37 100644
 +
 +########################################
 +## <summary>
++##	Tell init to do an unknown access.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_manage_transient_unit',`
++	gen_require(`
++		type init_t;
++	')
++
++	allow $1 init_t:service { start stop reload status };
++')
++
++########################################
++## <summary>
 +##	Transition to init named content
 +## </summary>
 +## <param name="domain">
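Review bot: the summary of init_manage_transient_unit reads "Tell init to do an unknown access.", which is a placeholder rather than documentation; it should say what the rule grants, namely start, stop, reload and status on init_t's service object (the transient or unlabelled unit case), so callers understand the scope. Also reconsider the name: an interface called manage_* that grants only "{ start stop reload status }" and not enable/disable is closer to a run/stop interface than a manage one.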
@@ -28447,7 +28913,7 @@ index 24e7804..45d0b37 100644
 +	files_etc_filetrans($1, machineid_t, file, "machine-id" )
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..b3ddfe3 100644
+index dd3be8d..381903f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -11,10 +11,31 @@ gen_require(`
@@ -28502,7 +28968,7 @@ index dd3be8d..b3ddfe3 100644
  
  # Mark file type as a daemon run directory
  attribute daemonrundir;
-@@ -35,12 +64,14 @@ attribute daemonrundir;
+@@ -35,12 +64,20 @@ attribute daemonrundir;
  #
  # init_t is the domain of the init process.
  #
@@ -28515,10 +28981,16 @@ index dd3be8d..b3ddfe3 100644
  kernel_domtrans_to(init_t, init_exec_t)
  role system_r types init_t;
 +init_initrc_domain(init_t)
++
++#
++# init_tmp_t is the type for content in /tmp directory
++#
++type init_tmp_t;
++files_tmp_file(init_tmp_t)
  
  #
  # init_var_run_t is the type for /var/run/shutdown.pid.
-@@ -49,6 +80,15 @@ type init_var_run_t;
+@@ -49,6 +86,15 @@ type init_var_run_t;
  files_pid_file(init_var_run_t)
  
  #
@@ -28534,7 +29006,7 @@ index dd3be8d..b3ddfe3 100644
  # initctl_t is the type of the named pipe created
  # by init during initialization.  This pipe is used
  # to communicate with init.
-@@ -57,7 +97,7 @@ type initctl_t;
+@@ -57,7 +103,7 @@ type initctl_t;
  files_type(initctl_t)
  mls_trusted_object(initctl_t)
  
@@ -28543,7 +29015,7 @@ index dd3be8d..b3ddfe3 100644
  type initrc_exec_t, init_script_file_type;
  domain_type(initrc_t)
  domain_entry_file(initrc_t, initrc_exec_t)
-@@ -98,7 +138,9 @@ ifdef(`enable_mls',`
+@@ -98,7 +144,9 @@ ifdef(`enable_mls',`
  #
  
  # Use capabilities. old rule:
@@ -28554,7 +29026,7 @@ index dd3be8d..b3ddfe3 100644
  # is ~sys_module really needed? observed:
  # sys_boot
  # sys_tty_config
-@@ -108,14 +150,37 @@ allow init_t self:capability ~sys_module;
+@@ -108,14 +156,42 @@ allow init_t self:capability ~sys_module;
  
  allow init_t self:fifo_file rw_fifo_file_perms;
  
@@ -28577,6 +29049,11 @@ index dd3be8d..b3ddfe3 100644
 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
 +allow initrc_t init_t:fifo_file rw_fifo_file_perms;
 +
++manage_files_pattern(init_t, init_tmp_t, init_tmp_t)
++manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)
++manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)
++files_tmp_filetrans(init_t, init_tmp_t, { file dir })
++
 +manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t)
 +manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
 +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t)
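Review bot: the init_tmp_t rules add "manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t)" but "files_tmp_filetrans(init_t, init_tmp_t, { file dir })" only transitions files and directories, so a symlink created by init_t in /tmp will be labelled tmp_t and the lnk_file rule never matches anything init created itself; either add lnk_file to the transition class set or drop the lnk_file manage rule. Since init_t is effectively the systemd domain, also consider whether generic unit scripts that need scratch space in the world-writable /tmp should be running in initrc_t instead of growing init_t, which this patch otherwise keeps doing ("Add additional fixes needed for init_t and setup script running in generic unit files").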
@@ -28598,7 +29075,7 @@ index dd3be8d..b3ddfe3 100644
  
  allow init_t initctl_t:fifo_file manage_fifo_file_perms;
  dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,13 +190,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
  
  kernel_read_system_state(init_t)
  kernel_share_state(init_t)
@@ -28618,7 +29095,7 @@ index dd3be8d..b3ddfe3 100644
  
  domain_getpgid_all_domains(init_t)
  domain_kill_all_domains(init_t)
-@@ -139,14 +209,20 @@ domain_signal_all_domains(init_t)
+@@ -139,14 +220,21 @@ domain_signal_all_domains(init_t)
  domain_signull_all_domains(init_t)
  domain_sigstop_all_domains(init_t)
  domain_sigchld_all_domains(init_t)
@@ -28636,10 +29113,11 @@ index dd3be8d..b3ddfe3 100644
  # Run /etc/X11/prefdm:
  files_exec_etc_files(init_t)
 +files_read_usr_files(init_t)
++files_write_root_dirs(init_t)
  # file descriptors inherited from the rootfs:
  files_dontaudit_rw_root_files(init_t)
  files_dontaudit_rw_root_chr_files(init_t)
-@@ -156,28 +232,52 @@ fs_list_inotifyfs(init_t)
+@@ -156,28 +244,52 @@ fs_list_inotifyfs(init_t)
  fs_write_ramfs_sockets(init_t)
  
  mcs_process_set_categories(init_t)
@@ -28682,20 +29160,20 @@ index dd3be8d..b3ddfe3 100644
  
  seutil_read_config(init_t)
 +seutil_read_module_store(init_t)
-+
+ 
+-miscfiles_read_localization(init_t)
 +miscfiles_manage_localization(init_t)
 +miscfiles_filetrans_named_content(init_t)
 +
 +userdom_use_user_ttys(init_t)
 +userdom_manage_tmp_dirs(init_t)
 +userdom_manage_tmp_sockets(init_t)
- 
--miscfiles_read_localization(init_t)
++
 +allow init_t self:process setsched;
  
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
-@@ -186,29 +286,210 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +298,225 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
@@ -28871,9 +29349,24 @@ index dd3be8d..b3ddfe3 100644
 +auth_rw_login_records(init_t)
 +auth_domtrans_chk_passwd(init_t)
 +
-+optional_policy(`
-+	ipsec_read_config(init_t)
-+    ipsec_manage_pid(init_t)
++ifdef(`distro_redhat',`
++    # it comes from setupr scripts used in systemd unit files
++    # has been covered by initrc_t
++	optional_policy(`
++		bind_manage_config_dirs(init_t)
++		bind_manage_config(init_t)
++		bind_write_config(init_t)
++		bind_setattr_zone_dirs(init_t)
++	')
++
++    optional_policy(`
++	    ipsec_read_config(init_t)
++        ipsec_manage_pid(init_t)
++    ')
++
++    optional_policy(`
++        rpc_manage_nfs_state_data(init_t)
++    ')
 +')
 +
 +optional_policy(`
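Review bot: the new ifdef(`distro_redhat') block mixes four-space and tab indentation (the bind optional_policy uses tabs, the ipsec and rpc ones use spaces, and "ipsec_read_config(init_t)" uses a tab followed by spaces), and the comment has a typo ("setupr scripts") and an unclear second line ("has been covered by initrc_t", presumably "previously covered by initrc_t"). Functionally, moving the pre-existing ipsec_read_config/ipsec_manage_pid rules inside the distro_redhat conditional silently removes them from non-Red Hat builds, which the changelog does not mention, and "bind_manage_config(init_t)" plus "bind_write_config(init_t)" give the init domain write access to named's configuration, so the setup script that needs that should be named in the comment.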
@@ -28893,18 +29386,18 @@ index dd3be8d..b3ddfe3 100644
 +	optional_policy(`
 +		devicekit_dbus_chat_power(init_t)
 +	')
-+')
-+
-+optional_policy(`
+ ')
+ 
+ optional_policy(`
+-	nscd_use(init_t)
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
 +	# The master process of dovecot will manage this file.
 +	dovecot_dontaudit_unlink_lib_files(initrc_t)
- ')
- 
- optional_policy(`
--	nscd_use(init_t)
++')
++
++optional_policy(`
 +		networkmanager_stream_connect(init_t)
 +')
 +
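Review bot: the comment above "dovecot_dontaudit_unlink_lib_files(initrc_t)" says "init tries to clean up the directory", but the rule targets initrc_t; with this patch moving the generic unit file work into init_t, check whether the dontaudit now needs to cover init_t as well or the comment should say initrc_t. The "networkmanager_stream_connect(init_t)" line is also indented two levels inside a single-level optional_policy block.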
@@ -28914,7 +29407,7 @@ index dd3be8d..b3ddfe3 100644
  ')
  
  optional_policy(`
-@@ -216,7 +497,30 @@ optional_policy(`
+@@ -216,7 +524,30 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -28945,7 +29438,7 @@ index dd3be8d..b3ddfe3 100644
  ')
  
  ########################################
-@@ -225,8 +529,9 @@ optional_policy(`
+@@ -225,8 +556,9 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -28957,7 +29450,7 @@ index dd3be8d..b3ddfe3 100644
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
  
-@@ -257,12 +562,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +589,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28974,7 +29467,7 @@ index dd3be8d..b3ddfe3 100644
  
  manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
  manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +587,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +614,36 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29017,7 +29510,7 @@ index dd3be8d..b3ddfe3 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +624,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +651,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -29029,7 +29522,7 @@ index dd3be8d..b3ddfe3 100644
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
-@@ -312,8 +636,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +663,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -29040,7 +29533,7 @@ index dd3be8d..b3ddfe3 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -321,8 +647,7 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +674,7 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -29050,7 +29543,7 @@ index dd3be8d..b3ddfe3 100644
  
  domain_kill_all_domains(initrc_t)
  domain_signal_all_domains(initrc_t)
-@@ -331,7 +656,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +683,6 @@ domain_sigstop_all_domains(initrc_t)
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -29058,7 +29551,7 @@ index dd3be8d..b3ddfe3 100644
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -339,6 +663,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +690,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -29066,7 +29559,7 @@ index dd3be8d..b3ddfe3 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -346,14 +671,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +698,15 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29084,7 +29577,7 @@ index dd3be8d..b3ddfe3 100644
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
  files_manage_generic_spool(initrc_t)
-@@ -363,8 +689,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -363,8 +716,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -29098,7 +29591,7 @@ index dd3be8d..b3ddfe3 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -374,10 +704,11 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +731,11 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29112,7 +29605,7 @@ index dd3be8d..b3ddfe3 100644
  mcs_process_set_categories(initrc_t)
  
  mls_file_read_all_levels(initrc_t)
-@@ -386,6 +717,7 @@ mls_process_read_up(initrc_t)
+@@ -386,6 +744,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -29120,7 +29613,7 @@ index dd3be8d..b3ddfe3 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -397,6 +729,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +756,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -29128,7 +29621,7 @@ index dd3be8d..b3ddfe3 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -415,20 +748,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +775,18 @@ logging_read_all_logs(initrc_t)
  logging_append_all_logs(initrc_t)
  logging_read_audit_config(initrc_t)
  
@@ -29152,7 +29645,7 @@ index dd3be8d..b3ddfe3 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +781,6 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +808,6 @@ ifdef(`distro_gentoo',`
  	allow initrc_t self:process setfscreate;
  	dev_create_null_dev(initrc_t)
  	dev_create_zero_dev(initrc_t)
@@ -29160,7 +29653,7 @@ index dd3be8d..b3ddfe3 100644
  	term_create_console_dev(initrc_t)
  
  	# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +815,10 @@ ifdef(`distro_gentoo',`
+@@ -485,6 +842,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -29171,7 +29664,7 @@ index dd3be8d..b3ddfe3 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -505,7 +839,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +866,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -29180,7 +29673,7 @@ index dd3be8d..b3ddfe3 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -520,6 +854,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +881,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -29188,7 +29681,7 @@ index dd3be8d..b3ddfe3 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -540,6 +875,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +902,7 @@ ifdef(`distro_redhat',`
  	miscfiles_rw_localization(initrc_t)
  	miscfiles_setattr_localization(initrc_t)
  	miscfiles_relabel_localization(initrc_t)
@@ -29196,7 +29689,7 @@ index dd3be8d..b3ddfe3 100644
  
  	miscfiles_read_fonts(initrc_t)
  	miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +885,44 @@ ifdef(`distro_redhat',`
+@@ -549,8 +912,44 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -29241,7 +29734,7 @@ index dd3be8d..b3ddfe3 100644
  	')
  
  	optional_policy(`
-@@ -558,14 +930,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +957,31 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -29273,7 +29766,7 @@ index dd3be8d..b3ddfe3 100644
  	')
  ')
  
-@@ -576,6 +965,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +992,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -29313,7 +29806,7 @@ index dd3be8d..b3ddfe3 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1010,8 @@ optional_policy(`
+@@ -588,6 +1037,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -29322,7 +29815,7 @@ index dd3be8d..b3ddfe3 100644
  ')
  
  optional_policy(`
-@@ -609,6 +1033,7 @@ optional_policy(`
+@@ -609,6 +1060,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -29330,7 +29823,7 @@ index dd3be8d..b3ddfe3 100644
  ')
  
  optional_policy(`
-@@ -625,6 +1050,17 @@ optional_policy(`
+@@ -625,6 +1077,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29348,7 +29841,7 @@ index dd3be8d..b3ddfe3 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -641,9 +1077,13 @@ optional_policy(`
+@@ -641,9 +1104,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -29362,7 +29855,7 @@ index dd3be8d..b3ddfe3 100644
  	')
  
  	optional_policy(`
-@@ -656,15 +1096,11 @@ optional_policy(`
+@@ -656,15 +1123,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29380,7 +29873,7 @@ index dd3be8d..b3ddfe3 100644
  ')
  
  optional_policy(`
-@@ -685,6 +1121,15 @@ optional_policy(`
+@@ -685,6 +1148,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29396,7 +29889,7 @@ index dd3be8d..b3ddfe3 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -725,6 +1170,7 @@ optional_policy(`
+@@ -725,6 +1197,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -29404,7 +29897,7 @@ index dd3be8d..b3ddfe3 100644
  ')
  
  optional_policy(`
-@@ -742,7 +1188,13 @@ optional_policy(`
+@@ -742,7 +1215,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29419,7 +29912,7 @@ index dd3be8d..b3ddfe3 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -765,6 +1217,10 @@ optional_policy(`
+@@ -765,6 +1244,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29430,7 +29923,7 @@ index dd3be8d..b3ddfe3 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -774,10 +1230,20 @@ optional_policy(`
+@@ -774,10 +1257,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29451,7 +29944,7 @@ index dd3be8d..b3ddfe3 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -786,6 +1252,10 @@ optional_policy(`
+@@ -786,6 +1279,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29462,7 +29955,7 @@ index dd3be8d..b3ddfe3 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -807,8 +1277,6 @@ optional_policy(`
+@@ -807,8 +1304,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -29471,7 +29964,7 @@ index dd3be8d..b3ddfe3 100644
  ')
  
  optional_policy(`
-@@ -817,6 +1285,10 @@ optional_policy(`
+@@ -817,6 +1312,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29482,7 +29975,7 @@ index dd3be8d..b3ddfe3 100644
  	# shorewall-init script run /var/lib/shorewall/firewall
  	shorewall_lib_domtrans(initrc_t)
  ')
-@@ -826,10 +1298,12 @@ optional_policy(`
+@@ -826,10 +1325,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -29495,7 +29988,7 @@ index dd3be8d..b3ddfe3 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1330,35 @@ optional_policy(`
+@@ -856,12 +1357,35 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29532,7 +30025,7 @@ index dd3be8d..b3ddfe3 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1368,18 @@ optional_policy(`
+@@ -871,6 +1395,18 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -29551,7 +30044,7 @@ index dd3be8d..b3ddfe3 100644
  ')
  
  optional_policy(`
-@@ -886,6 +1395,10 @@ optional_policy(`
+@@ -886,6 +1422,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -29562,7 +30055,7 @@ index dd3be8d..b3ddfe3 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -896,3 +1409,218 @@ optional_policy(`
+@@ -896,3 +1436,218 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -32546,10 +33039,39 @@ index 879bb1e..633e449 100644
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
  /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..f0de612 100644
+index 58bc27f..4e8728f 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,113 @@ interface(`lvm_domtrans_clvmd',`
+@@ -86,6 +86,28 @@ interface(`lvm_read_config',`
+ 
+ ########################################
+ ## <summary>
++##	Read LVM configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`lvm_read_metadata',`
++	gen_require(`
++        type lvm_etc_t;
++		type lvm_metadata_t;
++	')
++
++	files_search_etc($1)
++	allow $1 lvm_etc_t:dir list_dir_perms;
++	read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)
++')
++
++########################################
++## <summary>
+ ##	Manage LVM configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -123,3 +145,113 @@ interface(`lvm_domtrans_clvmd',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
  ')
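Review bot: the XML summary of the new `lvm_read_metadata` interface says "Read LVM configuration files.", which is the summary of the neighbouring `lvm_read_config`; it should describe what the body actually grants, reading `lvm_metadata_t` files (for example "Read LVM metadata files."), otherwise the generated interface documentation lists two interfaces with the same description. Two whitespace nits in the same block: `type lvm_etc_t;` is indented with spaces while the rest of the file uses tabs, and `read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)` has the comma spacing reversed; `read_files_pattern($1, lvm_metadata_t, lvm_metadata_t)` matches the surrounding calls. Since the interface is marked `<rolecap/>` and also grants `list_dir_perms` on `lvm_etc_t`, a role that receives it can enumerate the LVM config directory as well as read metadata; that is reasonable for the storage provider named in the changelog but worth stating in the summary.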
@@ -36455,7 +36977,7 @@ index 6944526..86c7a82 100644
 +	files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..087fe08 100644
+index b7686d5..28f16ce 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
@@ -36707,7 +37229,7 @@ index b7686d5..087fe08 100644
  kernel_use_fds(ifconfig_t)
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
-@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -274,14 +333,31 @@ kernel_rw_net_sysctls(ifconfig_t)
  
  corenet_rw_tun_tap_dev(ifconfig_t)
  
@@ -36731,6 +37253,7 @@ index b7686d5..087fe08 100644
 +files_dontaudit_rw_inherited_locks(ifconfig_t)
 +files_dontaudit_read_root_files(ifconfig_t)
 +files_rw_inherited_tmp_file(ifconfig_t)
++files_dontaudit_rw_var_files(ifconfig_t)
 +
  files_read_etc_files(ifconfig_t)
  files_read_etc_runtime_files(ifconfig_t)
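Review bot: `files_dontaudit_rw_var_files(ifconfig_t)` silences every read/write denial on var_t files for ifconfig_t, not only those on descriptors leaked into it; if the case being hidden is a leaked descriptor (the changelog calls it a leak of var_t into ifconfig_t), the inherited-descriptor style of the adjacent `files_dontaudit_rw_inherited_locks(ifconfig_t)` and `files_rw_inherited_tmp_file(ifconfig_t)` would hide less, and a genuine attempt by ifconfig to open a var_t file would still be logged. Either way, a one-line comment naming the leaking caller would keep the rule from outliving the bug it papers over.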
@@ -36738,7 +37261,7 @@ index b7686d5..087fe08 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +370,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
  term_dontaudit_use_ptmx(ifconfig_t)
  term_dontaudit_use_generic_ptys(ifconfig_t)
  
@@ -36766,7 +37289,7 @@ index b7686d5..087fe08 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +394,22 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -36789,7 +37312,7 @@ index b7686d5..087fe08 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +420,11 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -36803,7 +37326,7 @@ index b7686d5..087fe08 100644
  ')
  
  optional_policy(`
-@@ -339,7 +432,15 @@ optional_policy(`
+@@ -339,7 +433,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36820,7 +37343,7 @@ index b7686d5..087fe08 100644
  ')
  
  optional_policy(`
-@@ -360,3 +461,13 @@ optional_policy(`
+@@ -360,3 +462,13 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -40341,7 +40864,7 @@ index db75976..e4eb903 100644
 +
 +/var/run/user(/.*)?	gen_context(system_u:object_r:user_tmp_t,s0)
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..1e5eb3b 100644
+index 3c5dba7..519b132 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40931,7 +41454,7 @@ index 3c5dba7..1e5eb3b 100644
  	')
  ')
  
-@@ -491,7 +659,8 @@ template(`userdom_common_user_template',`
+@@ -491,51 +659,63 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -40941,7 +41464,10 @@ index 3c5dba7..1e5eb3b 100644
  
  	##############################
  	#
-@@ -501,41 +670,51 @@ template(`userdom_common_user_template',`
+ 	# User domain Local policy
+ 	#
++	allow $1_t self:packet_socket create_socket_perms;
+ 
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
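Review bot: `allow $1_t self:packet_socket create_socket_perms;` is added unconditionally to every domain built from `userdom_common_user_template`, with no comment saying which program needs it, unlike the netlink rules directly below it, which are annotated with the evolution/gnome-session case. Packet sockets give link-layer access and the kernel's CAP_NET_RAW check becomes the only remaining gate once SELinux allows the socket class, so please either document the consumer or put the rule behind a tunable so systems that do not need it keep the tighter default.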
@@ -41016,7 +41542,7 @@ index 3c5dba7..1e5eb3b 100644
  
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
-@@ -546,93 +725,120 @@ template(`userdom_common_user_template',`
+@@ -546,93 +726,120 @@ template(`userdom_common_user_template',`
  	selinux_compute_user_contexts($1_t)
  
  	# for eject
@@ -41175,7 +41701,7 @@ index 3c5dba7..1e5eb3b 100644
  	')
  
  	optional_policy(`
-@@ -642,23 +848,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +849,21 @@ template(`userdom_common_user_template',`
  	optional_policy(`
  		mpd_manage_user_data_content($1_t)
  		mpd_relabel_user_data_content($1_t)
@@ -41204,7 +41730,7 @@ index 3c5dba7..1e5eb3b 100644
  			mysql_stream_connect($1_t)
  		')
  	')
-@@ -671,7 +875,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +876,7 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -41213,7 +41739,7 @@ index 3c5dba7..1e5eb3b 100644
  	')
  
  	optional_policy(`
-@@ -680,9 +884,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +885,9 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -41226,7 +41752,7 @@ index 3c5dba7..1e5eb3b 100644
  		')
  	')
  
-@@ -693,32 +897,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +898,35 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -41273,7 +41799,7 @@ index 3c5dba7..1e5eb3b 100644
  	')
  ')
  
-@@ -743,17 +950,33 @@ template(`userdom_common_user_template',`
+@@ -743,17 +951,33 @@ template(`userdom_common_user_template',`
  template(`userdom_login_user_template', `
  	gen_require(`
  		class context contains;
@@ -41311,7 +41837,7 @@ index 3c5dba7..1e5eb3b 100644
  
  	userdom_change_password_template($1)
  
-@@ -761,83 +984,107 @@ template(`userdom_login_user_template', `
+@@ -761,83 +985,107 @@ template(`userdom_login_user_template', `
  	#
  	# User domain Local policy
  	#
@@ -41455,7 +41981,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  #######################################
-@@ -868,6 +1115,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1116,12 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -41468,7 +41994,7 @@ index 3c5dba7..1e5eb3b 100644
  	##############################
  	#
  	# Local policy
-@@ -907,42 +1160,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,42 +1161,99 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  	# Local policy
  	#
@@ -41581,7 +42107,7 @@ index 3c5dba7..1e5eb3b 100644
  		')
  
  		optional_policy(`
-@@ -951,19 +1261,40 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -951,19 +1262,40 @@ template(`userdom_restricted_xwindows_user_template',`
  	')
  
  	optional_policy(`
@@ -41630,7 +42156,7 @@ index 3c5dba7..1e5eb3b 100644
  ## <desc>
  ##	<p>
  ##	The template for creating a unprivileged user roughly
-@@ -990,27 +1321,33 @@ template(`userdom_unpriv_user_template', `
+@@ -990,27 +1322,33 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -41668,7 +42194,7 @@ index 3c5dba7..1e5eb3b 100644
  			fs_manage_noxattr_fs_files($1_t)
  			fs_manage_noxattr_fs_dirs($1_t)
  			# Write floppies
-@@ -1021,23 +1358,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1021,23 +1359,60 @@ template(`userdom_unpriv_user_template', `
  		')
  	')
  
@@ -41739,7 +42265,7 @@ index 3c5dba7..1e5eb3b 100644
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1046,7 +1420,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1046,7 +1421,9 @@ template(`userdom_unpriv_user_template', `
  	')
  
  	optional_policy(`
@@ -41750,7 +42276,7 @@ index 3c5dba7..1e5eb3b 100644
  	')
  ')
  
-@@ -1082,7 +1458,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1082,7 +1459,9 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -41761,7 +42287,7 @@ index 3c5dba7..1e5eb3b 100644
  	')
  
  	##############################
-@@ -1098,6 +1476,7 @@ template(`userdom_admin_user_template',`
+@@ -1098,6 +1477,7 @@ template(`userdom_admin_user_template',`
  	role system_r types $1_t;
  
  	typeattribute $1_t admindomain;
@@ -41769,25 +42295,24 @@ index 3c5dba7..1e5eb3b 100644
  
  	ifdef(`direct_sysadm_daemon',`
  		domain_system_change_exemption($1_t)
-@@ -1109,6 +1488,7 @@ template(`userdom_admin_user_template',`
+@@ -1108,14 +1488,8 @@ template(`userdom_admin_user_template',`
+ 	# $1_t local policy
  	#
  
- 	allow $1_t self:capability ~{ sys_module audit_control audit_write };
-+	allow $1_t self:capability2 { block_suspend syslog };
- 	allow $1_t self:process { setexec setfscreate };
- 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
- 	allow $1_t self:tun_socket create;
-@@ -1117,6 +1497,9 @@ template(`userdom_admin_user_template',`
- 	# Skip authentication when pam_rootok is specified.
- 	allow $1_t self:passwd rootok;
- 
+-	allow $1_t self:capability ~{ sys_module audit_control audit_write };
+-	allow $1_t self:process { setexec setfscreate };
+-	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+-	allow $1_t self:tun_socket create;
+-	# Set password information for other users.
+-	allow $1_t self:passwd { passwd chfn chsh };
+-	# Skip authentication when pam_rootok is specified.
+-	allow $1_t self:passwd rootok;
 +	# Manipulate other users crontab.
 +	allow $1_t self:passwd crontab;
-+
+ 
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
- 	kernel_getattr_message_if($1_t)
-@@ -1131,6 +1514,7 @@ template(`userdom_admin_user_template',`
+@@ -1131,6 +1505,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
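Review bot: the reworked `@@ -1108,14 +1488,8 @@` hunk of `userdom_admin_user_template` now deletes six rules from the template (`self:capability ~{ sys_module audit_control audit_write }`, `self:process { setexec setfscreate }`, `self:netlink_audit_socket nlmsg_readpriv`, `self:tun_socket create`, `self:passwd { passwd chfn chsh }` and `self:passwd rootok`) and drops the earlier `self:capability2 { block_suspend syslog }` addition, but the replacement is not in this hunk; if these move to the `admindomain` attribute that the template already applies via `typeattribute $1_t admindomain;`, the attribute rules need to cover all six, or the admin user loses password changes and the pam_rootok bypass. `allow $1_t self:passwd crontab;` stays as a per-`$1_t` rule right after the removals, which is inconsistent if the rest are moving to the attribute; move it with them or add a comment saying why it stays.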
@@ -41795,7 +42320,7 @@ index 3c5dba7..1e5eb3b 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1148,10 +1532,14 @@ template(`userdom_admin_user_template',`
+@@ -1148,10 +1523,14 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -41810,7 +42335,7 @@ index 3c5dba7..1e5eb3b 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1162,29 +1550,38 @@ template(`userdom_admin_user_template',`
+@@ -1162,29 +1541,38 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -41853,7 +42378,7 @@ index 3c5dba7..1e5eb3b 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1591,8 @@ template(`userdom_admin_user_template',`
+@@ -1194,6 +1582,8 @@ template(`userdom_admin_user_template',`
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -41862,7 +42387,7 @@ index 3c5dba7..1e5eb3b 100644
  	userdom_manage_user_home_content_dirs($1_t)
  	userdom_manage_user_home_content_files($1_t)
  	userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1600,17 @@ template(`userdom_admin_user_template',`
+@@ -1201,13 +1591,17 @@ template(`userdom_admin_user_template',`
  	userdom_manage_user_home_content_sockets($1_t)
  	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
  
@@ -41881,7 +42406,7 @@ index 3c5dba7..1e5eb3b 100644
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1243,7 +1646,7 @@ template(`userdom_admin_user_template',`
+@@ -1243,7 +1637,7 @@ template(`userdom_admin_user_template',`
  ##	</summary>
  ## </param>
  #
@@ -41890,7 +42415,7 @@ index 3c5dba7..1e5eb3b 100644
  	allow $1 self:capability { dac_read_search dac_override };
  
  	corecmd_exec_shell($1)
-@@ -1253,6 +1656,8 @@ template(`userdom_security_admin_template',`
+@@ -1253,6 +1647,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -41899,7 +42424,7 @@ index 3c5dba7..1e5eb3b 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1265,8 +1670,10 @@ template(`userdom_security_admin_template',`
+@@ -1265,8 +1661,10 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -41911,7 +42436,7 @@ index 3c5dba7..1e5eb3b 100644
  	auth_relabel_shadow($1)
  
  	init_exec($1)
-@@ -1277,29 +1684,31 @@ template(`userdom_security_admin_template',`
+@@ -1277,29 +1675,31 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -41954,7 +42479,7 @@ index 3c5dba7..1e5eb3b 100644
  	')
  
  	optional_policy(`
-@@ -1360,14 +1769,17 @@ interface(`userdom_user_home_content',`
+@@ -1360,14 +1760,17 @@ interface(`userdom_user_home_content',`
  	gen_require(`
  		attribute user_home_content_type;
  		type user_home_t;
@@ -41973,7 +42498,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -1408,6 +1820,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1408,6 +1811,51 @@ interface(`userdom_user_tmpfs_file',`
  ## <summary>
  ##	Allow domain to attach to TUN devices created by administrative users.
  ## </summary>
@@ -42025,7 +42550,7 @@ index 3c5dba7..1e5eb3b 100644
  ## <param name="domain">
  ##	<summary>
  ##	Domain allowed access.
-@@ -1512,11 +1969,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1512,11 +1960,31 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -42057,7 +42582,7 @@ index 3c5dba7..1e5eb3b 100644
  ##	Do not audit attempts to search user home directories.
  ## </summary>
  ## <desc>
-@@ -1558,6 +2035,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1558,6 +2026,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -42072,7 +42597,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -1573,9 +2058,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1573,9 +2049,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -42084,7 +42609,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -1632,6 +2119,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1632,6 +2110,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -42127,7 +42652,7 @@ index 3c5dba7..1e5eb3b 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1711,6 +2234,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1711,6 +2225,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -42136,7 +42661,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -1744,10 +2269,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1744,10 +2260,12 @@ interface(`userdom_list_all_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -42151,7 +42676,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -1772,7 +2299,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1772,7 +2290,25 @@ interface(`userdom_manage_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -42178,7 +42703,7 @@ index 3c5dba7..1e5eb3b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1782,53 +2327,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1782,53 +2318,70 @@ interface(`userdom_manage_user_home_content_dirs',`
  #
  interface(`userdom_delete_all_user_home_content_dirs',`
  	gen_require(`
@@ -42261,7 +42786,7 @@ index 3c5dba7..1e5eb3b 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1848,6 +2410,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1848,6 +2401,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
  
  ########################################
  ## <summary>
@@ -42287,7 +42812,7 @@ index 3c5dba7..1e5eb3b 100644
  ##	Mmap user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1878,15 +2459,18 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1878,14 +2450,36 @@ interface(`userdom_mmap_user_home_content_files',`
  interface(`userdom_read_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -42303,48 +42828,39 @@ index 3c5dba7..1e5eb3b 100644
  
  ########################################
  ## <summary>
--##	Do not audit attempts to read user home files.
 +##	Do not audit attempts to getattr user home files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1894,18 +2478,18 @@ interface(`userdom_read_user_home_content_files',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dontaudit_read_user_home_content_files',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
 +interface(`userdom_dontaudit_getattr_user_home_content',`
- 	gen_require(`
--		type user_home_t;
++	gen_require(`
 +		attribute user_home_type;
- 	')
- 
--	dontaudit $1 user_home_t:dir list_dir_perms;
--	dontaudit $1 user_home_t:file read_file_perms;
++	')
++
 +	dontaudit $1 user_home_type:dir getattr;
 +	dontaudit $1 user_home_type:file getattr;
- ')
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to append user home files.
-+##	Do not audit attempts to read user home files.
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
- ##	<summary>
-@@ -1913,17 +2497,21 @@ interface(`userdom_dontaudit_read_user_home_content_files',`
- ##	</summary>
- ## </param>
+@@ -1896,11 +2490,14 @@ interface(`userdom_read_user_home_content_files',`
  #
--interface(`userdom_dontaudit_append_user_home_content_files',`
-+interface(`userdom_dontaudit_read_user_home_content_files',`
+ interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
 -		type user_home_t;
 +		attribute user_home_type;
 +		type user_home_dir_t;
  	')
  
--	dontaudit $1 user_home_t:file append_file_perms;
+-	dontaudit $1 user_home_t:dir list_dir_perms;
+-	dontaudit $1 user_home_t:file read_file_perms;
 +	dontaudit $1 user_home_dir_t:dir list_dir_perms;
 +	dontaudit $1 user_home_type:dir list_dir_perms;
 +	dontaudit $1 user_home_type:file read_file_perms;
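Review bot: the new `userdom_dontaudit_getattr_user_home_content` interface dontaudits `getattr` on `user_home_type` dirs and files but not on `user_home_dir_t`, whereas the reworked `userdom_dontaudit_read_user_home_content_files` directly below it requires `user_home_dir_t` and covers it; a program that stats the home directory itself will still produce a denial on `user_home_dir_t`, so consider adding `type user_home_dir_t;` to its `gen_require` and `dontaudit $1 user_home_dir_t:dir getattr;`. The name also drops the `_files` suffix used by its sibling interfaces; that is defensible since it covers dirs too, but the summary should then say "user home content" rather than "user home files".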
@@ -42352,40 +42868,21 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
- ## <summary>
--##	Do not audit attempts to write user home files.
-+##	Do not audit attempts to append user home files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1931,32 +2519,30 @@ interface(`userdom_dontaudit_append_user_home_content_files',`
- ##	</summary>
- ## </param>
- #
--interface(`userdom_dontaudit_write_user_home_content_files',`
-+interface(`userdom_dontaudit_append_user_home_content_files',`
- 	gen_require(`
- 		type user_home_t;
- 	')
- 
--	dontaudit $1 user_home_t:file write_file_perms;
-+	dontaudit $1 user_home_t:file append_file_perms;
- ')
+@@ -1941,7 +2538,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  
  ########################################
  ## <summary>
 -##	Delete all user home content files.
-+##	Do not audit attempts to write user home files.
++##	Delete files in a user home subdirectory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain allowed access.
-+##	Domain to not audit.
+@@ -1949,19 +2546,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_delete_all_user_home_content_files',`
-+interface(`userdom_dontaudit_write_user_home_content_files',`
++interface(`userdom_delete_user_home_content_files',`
  	gen_require(`
 -		attribute user_home_content_type;
 -		type user_home_dir_t;
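Review bot: renaming the upstream `userdom_delete_all_user_home_content_files` body to `userdom_delete_user_home_content_files` also changes what it grants: the removed lines called `userdom_search_user_home_content($1)` and used `delete_files_pattern` over `{ user_home_dir_t user_home_content_type }`, which carries the directory-side permissions, while the replacement is a bare `allow $1 user_home_t:file delete_file_perms;` with no search or entry-removal permission on the containing directories, so callers that relied on this interface to reach and unlink files under the home directory will now be denied on the directory unless they get those permissions elsewhere. Because the name `userdom_delete_all_user_home_content_files` is reused for a different body in the following hunk, please grep existing callers of both names: any caller of the old `delete_all` silently gets the narrower `user_home_type`-only body.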
@@ -42394,34 +42891,34 @@ index 3c5dba7..1e5eb3b 100644
  
 -	userdom_search_user_home_content($1)
 -	delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
-+	dontaudit $1 user_home_t:file write_file_perms;
++	allow $1 user_home_t:file delete_file_perms;
  ')
  
  ########################################
-@@ -1979,11 +2565,83 @@ interface(`userdom_delete_user_home_content_files',`
- 
- ########################################
  ## <summary>
--##	Do not audit attempts to write user home files.
+-##	Delete files in a user home subdirectory.
 +##	Delete all files in a user home subdirectory.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
--##	Domain to not audit.
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+@@ -1969,17 +2564,71 @@ interface(`userdom_delete_all_user_home_content_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_delete_user_home_content_files',`
 +interface(`userdom_delete_all_user_home_content_files',`
-+	gen_require(`
+ 	gen_require(`
+-		type user_home_t;
 +		attribute user_home_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 user_home_t:file delete_file_perms;
 +	allow $1 user_home_type:file delete_file_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to write user home files.
 +##	Delete sock files in a user home subdirectory.
 +## </summary>
 +## <param name="domain">
@@ -42477,14 +42974,10 @@ index 3c5dba7..1e5eb3b 100644
 +########################################
 +## <summary>
 +##	Do not audit attempts to write user home files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
- ##	</summary>
- ## </param>
- #
-@@ -2010,8 +2668,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2010,8 +2659,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -42494,7 +42987,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -2027,21 +2684,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2027,20 +2675,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -42508,19 +43001,18 @@ index 3c5dba7..1e5eb3b 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
 -')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to execute user home files.
-@@ -2123,7 +2774,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2123,7 +2765,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
  
  ########################################
  ## <summary>
@@ -42529,7 +43021,7 @@ index 3c5dba7..1e5eb3b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2131,19 +2782,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2131,19 +2773,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -42553,7 +43045,7 @@ index 3c5dba7..1e5eb3b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2151,12 +2800,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2151,12 +2791,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
  ##	</summary>
  ## </param>
  #
@@ -42569,7 +43061,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -2393,11 +3042,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2393,11 +3033,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
  #
  interface(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -42584,7 +43076,7 @@ index 3c5dba7..1e5eb3b 100644
  	files_search_tmp($1)
  ')
  
-@@ -2417,7 +3066,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2417,7 +3057,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -42593,7 +43085,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -2664,6 +3313,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2664,6 +3304,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
  	files_tmp_filetrans($1, user_tmp_t, $2, $3)
  ')
  
@@ -42619,7 +43111,7 @@ index 3c5dba7..1e5eb3b 100644
  ########################################
  ## <summary>
  ##	Read user tmpfs files.
-@@ -2680,13 +3348,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2680,13 +3339,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -42635,7 +43127,7 @@ index 3c5dba7..1e5eb3b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2707,7 +3376,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2707,7 +3367,7 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -42644,7 +43136,7 @@ index 3c5dba7..1e5eb3b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2715,14 +3384,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2715,14 +3375,30 @@ interface(`userdom_rw_user_tmpfs_files',`
  ##	</summary>
  ## </param>
  #
@@ -42679,7 +43171,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -2817,6 +3502,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2817,6 +3493,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -42704,7 +43196,7 @@ index 3c5dba7..1e5eb3b 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2835,22 +3538,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2835,22 +3529,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -42747,7 +43239,7 @@ index 3c5dba7..1e5eb3b 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,14 +3574,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2859,14 +3565,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -42785,7 +43277,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -2885,8 +3619,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2885,8 +3610,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
  		type user_tty_device_t, user_devpts_t;
  	')
  
@@ -42815,7 +43307,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -2958,69 +3711,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2958,69 +3702,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
@@ -42916,7 +43408,7 @@ index 3c5dba7..1e5eb3b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3028,12 +3780,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3028,12 +3771,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
  ##	</summary>
  ## </param>
  #
@@ -42931,7 +43423,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -3097,7 +3849,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3097,7 +3840,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -42940,7 +43432,7 @@ index 3c5dba7..1e5eb3b 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -3113,29 +3865,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3113,29 +3856,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -42974,7 +43466,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -3217,7 +3953,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3217,7 +3944,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -43001,7 +43493,7 @@ index 3c5dba7..1e5eb3b 100644
  ')
  
  ########################################
-@@ -3272,12 +4026,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3272,12 +4017,13 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -43017,42 +43509,90 @@ index 3c5dba7..1e5eb3b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3285,12 +4040,87 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3285,44 +4031,120 @@ interface(`userdom_write_user_tmp_files',`
  ##	</summary>
  ## </param>
  #
 -interface(`userdom_dontaudit_use_user_ttys',`
 +interface(`userdom_dontaudit_write_user_tmp_files',`
+ 	gen_require(`
+-		type user_tty_device_t;
++		type user_tmp_t;
+ 	')
+ 
+-	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++	dontaudit $1 user_tmp_t:file write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read the process state of all user domains.
++##	Do not audit attempts to delete users
++##	temporary files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_delete_user_tmp_files',`
+ 	gen_require(`
+-		attribute userdomain;
++		type user_tmp_t;
+ 	')
+ 
+-	read_files_pattern($1, userdomain, userdomain)
+-	kernel_search_proc($1)
++	dontaudit $1 user_tmp_t:file delete_file_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of all user domains.
++##	Do not audit attempts to read/write users
++##	temporary fifo files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_getattr_all_users',`
++interface(`userdom_dontaudit_rw_user_tmp_pipes',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	dontaudit $1 user_tmp_t:file write;
++	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to delete users
-+##	temporary files.
++##	Allow domain to read/write inherited users
++##	fifo files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_delete_user_tmp_files',`
++interface(`userdom_rw_inherited_user_pipes',`
 +	gen_require(`
-+		type user_tmp_t;
++		attribute userdomain;
 +	')
 +
-+	dontaudit $1 user_tmp_t:file delete_file_perms;
++	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to read/write users
-+##	temporary fifo files.
++##	Do not audit attempts to use user ttys.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
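Review bot: the restructured inner hunk now deletes and re-adds `userdom_read_all_users_state` and `userdom_getattr_all_users` (the `+-interface(...)` / `++interface(...)` pairs) in addition to `userdom_dontaudit_use_user_ttys`, so base-policy lines such as `read_files_pattern($1, userdomain, userdomain)` and `kernel_search_proc($1)` show up as removals even though the interfaces survive further down. Inserting the new tmp and pipe interfaces after the existing ones would keep the patch minimal and let a reviewer see at a glance that only `userdom_dontaudit_write_user_tmp_files`, `userdom_dontaudit_delete_user_tmp_files` and `userdom_dontaudit_rw_user_tmp_pipes` are actually new here.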
@@ -43060,18 +43600,17 @@ index 3c5dba7..1e5eb3b 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_rw_user_tmp_pipes',`
++interface(`userdom_dontaudit_use_user_ttys',`
 +	gen_require(`
-+		type user_tmp_t;
++		type user_tty_device_t;
 +	')
 +
-+	dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms;
++	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	Allow domain to read/write inherited users
-+##	fifo files.
++##	Read the process state of all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -43079,43 +43618,31 @@ index 3c5dba7..1e5eb3b 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_rw_inherited_user_pipes',`
++interface(`userdom_read_all_users_state',`
 +	gen_require(`
 +		attribute userdomain;
 +	')
 +
-+	allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
++	read_files_pattern($1, userdomain, userdomain)
++	read_lnk_files_pattern($1,userdomain,userdomain)
++	kernel_search_proc($1)
 +')
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to use user ttys.
++##	Get the attributes of all user domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_getattr_all_users',`
  	gen_require(`
- 		type user_tty_device_t;
- 	')
- 
--	dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
-+	dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms;
- ')
- 
- ########################################
-@@ -3309,6 +4139,7 @@ interface(`userdom_read_all_users_state',`
+ 		attribute userdomain;
  	')
- 
- 	read_files_pattern($1, userdomain, userdomain)
-+	read_lnk_files_pattern($1,userdomain,userdomain)
- 	kernel_search_proc($1)
- ')
- 
-@@ -3385,6 +4216,42 @@ interface(`userdom_signal_all_users',`
+@@ -3385,6 +4207,42 @@ interface(`userdom_signal_all_users',`
  	allow $1 userdomain:process signal;
  ')
  
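Review bot: `read_lnk_files_pattern($1,userdomain,userdomain)` in the re-added `userdom_read_all_users_state` omits the spaces after the commas that the adjacent `read_files_pattern($1, userdomain, userdomain)` uses; keep the argument spacing consistent. The rule itself is not new in this commit, it is the same line the old inner hunk at `@@ -3309,6 +4139,7 @@` added, only relocated.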
@@ -43158,7 +43685,7 @@ index 3c5dba7..1e5eb3b 100644
  ########################################
  ## <summary>
  ##	Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4272,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3405,6 +4263,24 @@ interface(`userdom_sigchld_all_users',`
  
  ########################################
  ## <summary>
@@ -43183,7 +43710,32 @@ index 3c5dba7..1e5eb3b 100644
  ##	Create keys for all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3438,4 +4323,1671 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3423,6 +4299,24 @@ interface(`userdom_create_all_users_keys',`
+ 
+ ########################################
+ ## <summary>
++##	Manage keys for all user domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_all_users_keys',`
++	gen_require(`
++		attribute userdomain;
++	')
++
++	allow $1 userdomain:key manage_key_perms;
++')
++
++########################################
++## <summary>
+ ##	Send a dbus message to all user domains.
+ ## </summary>
+ ## <param name="domain">
+@@ -3438,4 +4332,1661 @@ interface(`userdom_dbus_send_all_users',`
  	')
  
  	allow $1 userdomain:dbus send_msg;
@@ -43312,6 +43864,7 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 admin_home_t:dir search_dir_perms;
 +')
 +
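Review bot: `dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;` here, and the matching `lnk_file` lines added to the other `admin_home_t` interfaces below, implement the "/root as a symbolic link for os-tree" item from the changelog, but none of the interfaces gains a comment saying why a home-directory interface now needs symlink access. A one-line comment next to the first occurrence, e.g. `# /root may be a symlink on os-tree systems`, would keep the intent reviewable.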
@@ -43330,6 +43883,7 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 admin_home_t:dir list_dir_perms;
 +')
 +
@@ -43348,6 +43902,7 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	allow $1 admin_home_t:dir list_dir_perms;
 +')
 +
@@ -43366,8 +43921,9 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	allow $1 admin_home_t:dir search_dir_perms;
-+')
+ ')
 +
 +########################################
 +## <summary>
@@ -43385,7 +43941,7 @@ index 3c5dba7..1e5eb3b 100644
 +	')
 +
 +	allow $1 unpriv_userdomain:sem rw_sem_perms;
- ')
++')
 +
 +########################################
 +## <summary>
@@ -43460,6 +44016,7 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	read_files_pattern($1, admin_home_t, admin_home_t)
 +')
 +
@@ -43479,6 +44036,7 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	allow $1 admin_home_t:file delete_file_perms;
 +')
 +
@@ -43498,6 +44056,7 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	exec_files_pattern($1, admin_home_t, admin_home_t)
 +')
 +
@@ -43646,6 +44205,7 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	allow $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	filetrans_pattern($1, admin_home_t, $2, $3, $4)
 +')
 +
@@ -43687,25 +44247,6 @@ index 3c5dba7..1e5eb3b 100644
 +
 +########################################
 +## <summary>
-+##	Manage keys for all user domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_manage_all_users_keys',`
-+	gen_require(`
-+		attribute userdomain;
-+	')
-+
-+	allow $1 userdomain:key manage_key_perms;
-+')
-+
-+
-+########################################
-+## <summary>
 +##	Do not audit attempts to read and write
 +##	unserdomain stream.
 +## </summary>
@@ -44166,6 +44707,7 @@ index 3c5dba7..1e5eb3b 100644
 +		type admin_home_t;
 +	')
 +
++	dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms;
 +	dontaudit $1 admin_home_t:file read_file_perms;
 +')
 +
@@ -44856,7 +45398,7 @@ index 3c5dba7..1e5eb3b 100644
 +')
 +
 diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..af7e095 100644
+index e2b538b..066ae4d 100644
 --- a/policy/modules/system/userdomain.te
 +++ b/policy/modules/system/userdomain.te
 @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
@@ -44945,7 +45487,7 @@ index e2b538b..af7e095 100644
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
  files_type(user_home_dir_t)
-@@ -70,26 +83,366 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +83,379 @@ ubac_constrained(user_home_dir_t)
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -45188,8 +45730,21 @@ index e2b538b..af7e095 100644
 +#
 +gen_require(`
 +	class context contains;
++    class passwd { passwd chfn chsh rootok };
 +')
 +
++allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };
++allow confined_admindomain self:capability2 { block_suspend syslog };
++allow confined_admindomain self:process { setexec setfscreate };
++allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv;
++allow confined_admindomain self:tun_socket create_socket_perms;
++allow confined_admindomain self:packet_socket create_socket_perms;
++
++# Set password information for other users.
++allow confined_admindomain self:passwd { passwd chfn chsh };
++# Skip authentication when pam_rootok is specified.
++allow confined_admindomain self:passwd rootok;
++
 +corecmd_shell_entry_type(confined_admindomain)
 +corecmd_bin_entry_type(confined_admindomain)
 +
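Review bot: `allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };` grants every capability except those three (everything else in the class, sys_admin and dac_override included) to all confined admin domains with no comment on why such a wide set is needed; if that is intended, say so in a comment as the two `passwd` rules below already do. `allow confined_admindomain self:passwd rootok;` ("Skip authentication when pam_rootok is specified") also deserves a sentence in the commit message, since it lets these domains change password information without PAM authentication. Style: `class passwd { passwd chfn chsh rootok };` in the `gen_require` block is indented with four spaces where the surrounding lines use a tab.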
diff --git a/policy-f20-contrib.patch b/policy-f20-contrib.patch
index 210ca24..7461ae5 100644
--- a/policy-f20-contrib.patch
+++ b/policy-f20-contrib.patch
@@ -10045,10 +10045,10 @@ index 0000000..de66654
 +')
 diff --git a/bumblebee.te b/bumblebee.te
 new file mode 100644
-index 0000000..daceb19
+index 0000000..e49e117
 --- /dev/null
 +++ b/bumblebee.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,64 @@
 +policy_module(bumblebee, 1.0.0)
 +
 +########################################
@@ -10084,6 +10084,7 @@ index 0000000..daceb19
 +
 +kernel_read_system_state(bumblebee_t)
 +kernel_dontaudit_access_check_proc(bumblebee_t)
++kernel_manage_debugfs(bumblebee_t)
 +
 +corecmd_exec_shell(bumblebee_t)
 +corecmd_exec_bin(bumblebee_t)
@@ -10108,6 +10109,10 @@ index 0000000..daceb19
 +optional_policy(`
 +    apm_stream_connect(bumblebee_t)
 +')
++
++optional_policy(`
++    unconfined_domain(bumblebee_t)
++')
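Review bot: `unconfined_domain(bumblebee_t)` inside `optional_policy` makes the fine-grained rules for this domain, including the `kernel_manage_debugfs(bumblebee_t)` added in the previous hunk, irrelevant whenever the unconfined module is loaded. The changelog says "Make bumblebee as unconfined domain" but bumblebee.te carries no comment on why confinement was abandoned; add one, and consider whether the debugfs rule is still worth keeping.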
 diff --git a/cachefilesd.fc b/cachefilesd.fc
 index 648c790..aa03fc8 100644
 --- a/cachefilesd.fc
@@ -10387,7 +10392,7 @@ index 581c8ef..2c71b1d 100644
 +
 +init_sigchld_script(cachefiles_kernel_t)
 diff --git a/calamaris.if b/calamaris.if
-index cd9c528..9de38c4 100644
+index cd9c528..ba793b7 100644
 --- a/calamaris.if
 +++ b/calamaris.if
 @@ -42,7 +42,7 @@ interface(`calamaris_run',`
@@ -10395,7 +10400,7 @@ index cd9c528..9de38c4 100644
  	')
  
 -	lightsquid_domtrans($1)
-+	clamd_domtrans($1)
++	calamaris_domtrans($1)
  	roleattribute $2 calamaris_roles;
  ')
  
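Review bot: the one-line change `+	calamaris_domtrans($1)` corrects `calamaris_run`, which previously transitioned callers into the clamd domain (`clamd_domtrans($1)`) rather than calamaris; this is a real bug fix and should appear in the changelog list. Confirm that `calamaris_domtrans` is defined earlier in calamaris.if (not visible in this hunk).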
@@ -13090,10 +13095,10 @@ index 954309e..f4db2ca 100644
  ')
 +
 diff --git a/collectd.te b/collectd.te
-index 6471fa8..dc0423c 100644
+index 6471fa8..3b69f43 100644
 --- a/collectd.te
 +++ b/collectd.te
-@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
+@@ -26,18 +26,27 @@ files_type(collectd_var_lib_t)
  type collectd_var_run_t;
  files_pid_file(collectd_var_run_t)
  
@@ -13108,7 +13113,11 @@ index 6471fa8..dc0423c 100644
  ########################################
  #
  # Local policy
-@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal };
+ #
+ 
+-allow collectd_t self:capability { ipc_lock sys_nice };
++allow collectd_t self:capability { ipc_lock net_admin sys_nice };
+ allow collectd_t self:process { getsched setsched signal };
  allow collectd_t self:fifo_file rw_fifo_file_perms;
  allow collectd_t self:packet_socket create_socket_perms;
  allow collectd_t self:unix_stream_socket { accept listen };
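Review bot: `allow collectd_t self:capability { ipc_lock net_admin sys_nice };` adds `net_admin` without a comment on which plugin needs it; net_admin lets the daemon reconfigure interfaces, routes and firewalling, so record the trigger (the AVC or the plugin) next to the rule or in the commit message rather than leaving it as an unexplained widening.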
@@ -13126,13 +13135,13 @@ index 6471fa8..dc0423c 100644
 +kernel_read_all_sysctls(collectd_t)
 +kernel_read_all_proc(collectd_t)
 +kernel_list_all_proc(collectd_t)
-+
-+auth_getattr_passwd(collectd_t)
-+auth_read_passwd(collectd_t)
  
 -kernel_read_network_state(collectd_t)
 -kernel_read_net_sysctls(collectd_t)
 -kernel_read_system_state(collectd_t)
++auth_getattr_passwd(collectd_t)
++auth_read_passwd(collectd_t)
++
 +corenet_udp_bind_generic_node(collectd_t)
 +corenet_udp_bind_collectd_port(collectd_t)
  
@@ -13154,10 +13163,14 @@ index 6471fa8..dc0423c 100644
  
  logging_send_syslog_msg(collectd_t)
  
-@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
+@@ -75,16 +89,30 @@ tunable_policy(`collectd_tcp_network_connect',`
  ')
  
  optional_policy(`
++	mysql_stream_connect(collectd_t)
++')
++
++optional_policy(`
 +    netutils_domtrans_ping(collectd_t)
 +')
 +
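Review bot: the new `mysql_stream_connect(collectd_t)` block is indented with a tab while the adjacent `netutils_domtrans_ping(collectd_t)` block uses four spaces; pick one style (tabs, as in the base policy) so the `optional_policy` blocks line up.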
@@ -18020,7 +18033,7 @@ index 06da9a0..c7834c8 100644
 +	ps_process_pattern($1, cupsd_t)
  ')
 diff --git a/cups.te b/cups.te
-index 9f34c2e..0663b64 100644
+index 9f34c2e..ae75cc4 100644
 --- a/cups.te
 +++ b/cups.te
 @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
@@ -18444,7 +18457,7 @@ index 9f34c2e..0663b64 100644
  ')
  
  optional_policy(`
-+	gnome_dontaudit_search_config(cupsd_config_t)
++    gnome_dontaudit_read_config(cupsd_config_t)
 +')
 +
 +optional_policy(`
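Review bot: `gnome_dontaudit_read_config(cupsd_config_t)` replaces `gnome_dontaudit_search_config(cupsd_config_t)`, so read denials on gnome config are now silenced for the cups config domain, not only search denials; that is a wider dontaudit and belongs in the changelog. The replacement line is also indented with four spaces where the removed line used a tab.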
@@ -19189,7 +19202,7 @@ index dda905b..31f269b 100644
  /var/named/chroot/var/run/dbus(/.*)?	gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
 +')
 diff --git a/dbus.if b/dbus.if
-index afcf3a2..7574fa1 100644
+index afcf3a2..98a4fb7 100644
 --- a/dbus.if
 +++ b/dbus.if
 @@ -1,4 +1,4 @@
@@ -19709,7 +19722,7 @@ index afcf3a2..7574fa1 100644
  ## <param name="domain">
  ##	<summary>
  ##	Type to be used as a domain.
-@@ -396,81 +402,66 @@ interface(`dbus_manage_lib_files',`
+@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',`
  ## </param>
  ## <param name="entry_point">
  ##	<summary>
@@ -19734,6 +19747,7 @@ index afcf3a2..7574fa1 100644
 +	domain_entry_file($1, $2)
 +
 +	domtrans_pattern(system_dbusd_t, $2, $1)
++	init_system_domain($1, $2)
 +
 +	ps_process_pattern($1, system_dbusd_t)
 +
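Review bot: `init_system_domain($1, $2)` inserted into the interface that declares a domain entered from `system_dbusd_t` (the one containing `domtrans_pattern(system_dbusd_t, $2, $1)`) makes every domain declared through it also a system domain startable by init, which changes the meaning of the interface for all of its callers; it needs an explanatory comment beside the call and a changelog entry, and neither is present.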
@@ -19818,7 +19832,7 @@ index afcf3a2..7574fa1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -478,18 +469,18 @@ interface(`dbus_spec_session_domain',`
+@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',`
  ##	</summary>
  ## </param>
  #
@@ -19842,7 +19856,7 @@ index afcf3a2..7574fa1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -497,98 +488,80 @@ interface(`dbus_connect_system_bus',`
+@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',`
  ##	</summary>
  ## </param>
  #
@@ -19969,7 +19983,7 @@ index afcf3a2..7574fa1 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -596,28 +569,32 @@ interface(`dbus_use_system_bus_fds',`
+@@ -596,28 +570,32 @@ interface(`dbus_use_system_bus_fds',`
  ##	</summary>
  ## </param>
  #
@@ -23576,7 +23590,7 @@ index c880070..4448055 100644
 -/var/spool/dovecot(/.*)?	gen_context(system_u:object_r:dovecot_spool_t,s0)
 +/var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
 diff --git a/dovecot.if b/dovecot.if
-index dbcac59..66d42bb 100644
+index dbcac59..067c453 100644
 --- a/dovecot.if
 +++ b/dovecot.if
 @@ -1,29 +1,49 @@
@@ -23703,8 +23717,29 @@ index dbcac59..66d42bb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -120,10 +136,29 @@ interface(`dovecot_write_inherited_tmp_files',`
+ 	allow $1 dovecot_tmp_t:file write;
+ ')
  
++####################################
++## <summary>
++##	Read dovecot configuration file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dovecot_read_config',`
++	gen_require(`
++		type dovecot_etc_t;
++	')
++
++	files_search_etc($1)
++	read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)
++')
++
  ########################################
  ## <summary>
 -##	All of the rules required to
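Review bot: `dovecot_read_config` is a sensible addition, but its banner `####################################` is shorter than the separator lines used by the neighbouring interfaces, and the summary "Read dovecot configuration file." should be "configuration files", since `read_files_pattern($1, dovecot_etc_t, dovecot_etc_t)` grants read on every file of that type.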
@@ -23714,7 +23749,7 @@ index dbcac59..66d42bb 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -132,21 +167,24 @@ interface(`dovecot_write_inherited_tmp_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -23745,7 +23780,7 @@ index dbcac59..66d42bb 100644
  
  	init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
  	domain_system_change_exemption($1)
-@@ -156,20 +175,25 @@ interface(`dovecot_admin',`
+@@ -156,20 +194,25 @@ interface(`dovecot_admin',`
  	files_list_etc($1)
  	admin_pattern($1, dovecot_etc_t)
  
@@ -28065,7 +28100,7 @@ index e39de43..6a6db28 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/gnome.if b/gnome.if
-index d03fd43..4155cd4 100644
+index d03fd43..394cbf1 100644
 --- a/gnome.if
 +++ b/gnome.if
 @@ -1,123 +1,157 @@
@@ -29552,7 +29587,7 @@ index d03fd43..4155cd4 100644
 +#
 +interface(`gnome_create_home_config_dirs',`
 +	gen_require(`
-+		type cache_home_t;
++		type config_home_t;
 +	')
 +
 +	allow $1 config_home_t:dir create_dir_perms;
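Review bot: changing the `gen_require` of `gnome_create_home_config_dirs` from `type cache_home_t;` to `type config_home_t;` fixes a genuine bug: the interface required one type while its `allow $1 config_home_t:dir create_dir_perms;` used another, so callers in other modules could not build correctly. A fix like this deserves its own changelog line.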
@@ -32629,7 +32664,7 @@ index 0000000..9278f85
 +
 diff --git a/ipa.if b/ipa.if
 new file mode 100644
-index 0000000..c6cf456
+index 0000000..deb738f
 --- /dev/null
 +++ b/ipa.if
 @@ -0,0 +1,21 @@
@@ -32647,7 +32682,7 @@ index 0000000..c6cf456
 +#
 +interface(`ipa_domtrans_otpd',`
 +	gen_require(`
-+		type ipa_otpd_t, ipa_otpd_t_exec_t;
++		type ipa_otpd_t, ipa_otpd_exec_t;
 +	')
 +
 +	corecmd_search_bin($1)
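Review bot: `type ipa_otpd_t, ipa_otpd_exec_t;` corrects the misspelt `ipa_otpd_t_exec_t` in `ipa_domtrans_otpd`, matching the `ipa_otpd_exec_t` type the ipa.te declarations use; the interface could not have been used as written, so the fix should be listed in the changelog.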
@@ -32656,10 +32691,10 @@ index 0000000..c6cf456
 +
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..02f7cfa
+index 0000000..589066e
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,38 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@@ -32686,6 +32721,11 @@ index 0000000..02f7cfa
 +
 +corenet_tcp_connect_radius_port(ipa_otpd_t)
 +
++dev_read_urand(ipa_otpd_t)
++dev_read_rand(ipa_otpd_t)
++
++sysnet_dns_name_resolve(ipa_otpd_t)
++
 +optional_policy(`
 +    dirsrv_stream_connect(ipa_otpd_t)
 +')
@@ -35073,11 +35113,165 @@ index e7f5c81..8c75bc8 100644
 +optional_policy(`
 +	policykit_dbus_chat(kdumpgui_t)
  ')
+diff --git a/keepalived.fc b/keepalived.fc
+new file mode 100644
+index 0000000..7e6f8be
+--- /dev/null
++++ b/keepalived.fc
+@@ -0,0 +1,5 @@
++/usr/lib/systemd/system/keepalived.*		--	gen_context(system_u:object_r:keepalived_unit_file_t,s0)
++
++/usr/sbin/keepalived		--	gen_context(system_u:object_r:keepalived_exec_t,s0)
++
++/var/run/keepalived.*		--	gen_context(system_u:object_r:keepalived_var_run_t,s0)
+diff --git a/keepalived.if b/keepalived.if
+new file mode 100644
+index 0000000..0d61849
+--- /dev/null
++++ b/keepalived.if
+@@ -0,0 +1,84 @@
++
++## <summary> keepalived - load-balancing and high-availability service</summary>
++
++########################################
++## <summary>
++##	Execute keepalived in the keepalived domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`keepalived_domtrans',`
++	gen_require(`
++		type keepalived_t, keepalived_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, keepalived_exec_t, keepalived_t)
++')
++########################################
++## <summary>
++##	Execute keepalived server in the keepalived domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`keepalived_systemctl',`
++	gen_require(`
++		type keepalived_t;
++		type keepalived_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++    systemd_read_fifo_file_passwd_run($1)
++	allow $1 keepalived_unit_file_t:file read_file_perms;
++	allow $1 keepalived_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, keepalived_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an keepalived environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`keepalived_admin',`
++	gen_require(`
++		type keepalived_t;
++	    type keepalived_unit_file_t;
++	')
++
++	allow $1 keepalived_t:process { signal_perms };
++	ps_process_pattern($1, keepalived_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 keepalived_t:process ptrace;
++    ')
++
++	keepalived_systemctl($1)
++	admin_pattern($1, keepalived_unit_file_t)
++	allow $1 keepalived_unit_file_t:service all_service_perms;
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/keepalived.te b/keepalived.te
+new file mode 100644
+index 0000000..535f79b
+--- /dev/null
++++ b/keepalived.te
+@@ -0,0 +1,47 @@
++policy_module(keepalived, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type keepalived_t;
++type keepalived_exec_t;
++init_daemon_domain(keepalived_t, keepalived_exec_t)
++
++type keepalived_unit_file_t;
++systemd_unit_file(keepalived_unit_file_t)
++
++type keepalived_var_run_t;
++files_pid_file(keepalived_var_run_t)
++
++########################################
++#
++# keepalived local policy
++#
++allow keepalived_t self:capability { net_admin net_raw };
++allow keepalived_t self:process { signal_perms };
++allow keepalived_t self:netlink_socket create_socket_perms;
++allow keepalived_t self:netlink_route_socket nlmsg_write;
++allow keepalived_t self:packet_socket create_socket_perms;
++allow keepalived_t self:rawip_socket create_socket_perms;
++
++
++manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t)
++files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file })
++
++kernel_read_system_state(keepalived_t)
++kernel_read_network_state(keepalived_t)
++
++auth_use_nsswitch(keepalived_t)
++
++corenet_tcp_connect_connlcli_port(keepalived_t)
++corenet_tcp_connect_http_port(keepalived_t)
++corenet_tcp_connect_smtp_port(keepalived_t)
++
++dev_read_urand(keepalived_t)
++
++modutils_domtrans_insmod(keepalived_t)
++
++logging_send_syslog_msg(keepalived_t)
++
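Review bot: in keepalived.te, `allow keepalived_t self:netlink_route_socket nlmsg_write;` grants only the write permission on the route socket; creating and binding it also needs `create_socket_perms` (compare the `netlink_socket` line above it), so address changes over NETLINK_ROUTE will still be denied at socket creation. In keepalived.if, the summary of `keepalived_systemctl` ("Execute keepalived server in the keepalived domain.") is a copy of the domtrans summary and should describe systemctl access instead, `domin` in the `keepalived_domtrans` summary is a typo, the separator after `keepalived_domtrans` lacks the blank line the other interfaces have, and `systemd_read_fifo_file_passwd_run($1)`, `type keepalived_unit_file_t;` in `keepalived_admin` and the `deny_ptrace` block are indented with spaces where the rest of the file uses tabs. Both new files also contain doubled blank lines.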
 diff --git a/kerberos.fc b/kerberos.fc
-index 4fe75fd..8c702c9 100644
+index 4fe75fd..b029c28 100644
 --- a/kerberos.fc
 +++ b/kerberos.fc
-@@ -1,52 +1,44 @@
+@@ -1,52 +1,46 @@
 -HOME_DIR/\.k5login	--	gen_context(system_u:object_r:krb5_home_t,s0)
 -/root/\.k5login	--	gen_context(system_u:object_r:krb5_home_t,s0)
 +HOME_DIR/\.k5login		--	gen_context(system_u:object_r:krb5_home_t,s0)
@@ -35111,25 +35305,33 @@ index 4fe75fd..8c702c9 100644
  
 -/usr/local/kerberos/sbin/krb5kdc	--	gen_context(system_u:object_r:krb5kdc_exec_t,s0)
 -/usr/local/kerberos/sbin/kadmind	--	gen_context(system_u:object_r:kadmind_exec_t,s0)
--
++/usr/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+ 
 -/usr/sbin/krb5kdc	--	gen_context(system_u:object_r:krb5kdc_exec_t,s0)
 -/usr/sbin/kadmind	--	gen_context(system_u:object_r:kadmind_exec_t,s0)
--
++/var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
++/var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
++/var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
++/var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/kerberos/krb5kdc/principal.*\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+ 
 -/usr/local/var/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
 -/usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
--
++/var/log/krb5kdc\.log.*			gen_context(system_u:object_r:krb5kdc_log_t,s0)
++/var/log/kadmin(d)?\.log.*		gen_context(system_u:object_r:kadmind_log_t,s0)
+ 
 -/usr/var/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/usr/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/usr/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
++/var/cache/krb5rcache(/.*)?	 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
  
 -/var/cache/krb5rcache(/.*)?	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
--
++/var/run/krb5kdc(/.*)?          gen_context(system_u:object_r:krb5kdc_var_run_t,s0)
+ 
 -/var/kerberos/krb5kdc(/.*)?	gen_context(system_u:object_r:krb5kdc_conf_t,s0)
-+/var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
- /var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
+-/var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 -/var/kerberos/krb5kdc/kadm5\.keytab	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
-+/var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(system_u:object_r:krb5_keytab_t,s0)
- /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
+-/var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
 -/var/kerberos/krb5kdc/principal.*\.ok	--	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
 -
 -/var/log/krb5kdc\.log.*	--	gen_context(system_u:object_r:krb5kdc_log_t,s0)
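Review bot: the new file context "/var/run/krb5kdc(/.*)?          gen_context(system_u:object_r:krb5kdc_var_run_t,s0)" is padded with spaces where every neighbouring entry in this block is tab-aligned; use tabs so the .fc stays consistent. In the same block, "/var/kerberos/krb5kdc/kadm5\.keytab --	gen_context(...)" has a plain space before the "--" file-type field where the entry it replaces had a tab. The /var/run/krb5kdc entry is new to the patch (the other additions here are relocations of entries already present) and is the labeling counterpart of the krb5kdc_var_run_t dir and sock_file rules added to kerberos.te later in this patch; keep the two changes together so the runtime directory gets a label as soon as the daemon can create it.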
@@ -35144,13 +35346,6 @@ index 4fe75fd..8c702c9 100644
 -/var/tmp/ldapmap1_0	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 -/var/tmp/ldap_487	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 -/var/tmp/ldap_55	--	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+/var/kerberos/krb5kdc/principal.*\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
-+
-+/var/log/krb5kdc\.log.*			gen_context(system_u:object_r:krb5kdc_log_t,s0)
-+/var/log/kadmin(d)?\.log.*		gen_context(system_u:object_r:kadmind_log_t,s0)
-+
-+/var/cache/krb5rcache(/.*)?	 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-+
 +/var/tmp/DNS_25			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
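Review bot: the four dropped additions ("/var/kerberos/krb5kdc/principal.*\.ok", "/var/log/krb5kdc\.log.*", "/var/log/kadmin(d)?\.log.*" and "/var/cache/krb5rcache(/.*)?") are the old positions of entries that the preceding hunk moves up next to their siblings, so this is a reorder rather than a loss of labels. The check worth running on the regenerated kerberos.fc is that each of those four patterns appears exactly once, since the two hunks only keep the file correct when both apply.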
@@ -35161,7 +35356,7 @@ index 4fe75fd..8c702c9 100644
 +/var/tmp/ldap_487		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/ldap_55		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/kerberos.if b/kerberos.if
-index f9de9fc..11e6268 100644
+index f9de9fc..11504e6 100644
 --- a/kerberos.if
 +++ b/kerberos.if
 @@ -1,27 +1,29 @@
@@ -35487,16 +35682,20 @@ index f9de9fc..11e6268 100644
  ## </summary>
  ## <param name="prefix">
  ##	<summary>
-@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',`
+@@ -354,21 +255,21 @@ interface(`kerberos_etc_filetrans_keytab',`
  ## </param>
  #
  template(`kerberos_keytab_template',`
--
++    gen_require(`
++        attribute kerberos_keytab_domain;
++    ')
+ 
 -	########################################
 -	#
 -	# Declarations
 -	#
--
++    typeattribute $2 kerberos_keytab_domain;
+ 
  	type $1_keytab_t;
  	files_type($1_keytab_t)
  
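Review bot: the added gen_require block and "typeattribute $2 kerberos_keytab_domain;" in kerberos_keytab_template are indented with four spaces while the surrounding template body ("type $1_keytab_t;", "files_type($1_keytab_t)") uses tabs; match the tabs. On substance, putting every keytab-using domain into kerberos_keytab_domain is the right hook, but the attribute carries no rules anywhere in this patch, so either move the shared calls (kerberos_read_keytab, kerberos_use) from the per-domain lines below onto the attribute now, or leave a short comment saying the attribute is reserved for that. The inner header change from +255,15 to +255,21 matches the six lines this hunk adds or restores.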
@@ -35514,7 +35713,7 @@ index f9de9fc..11e6268 100644
  
  	kerberos_read_keytab($2)
  	kerberos_use($2)
-@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',`
+@@ -376,7 +277,7 @@ template(`kerberos_keytab_template',`
  
  ########################################
  ## <summary>
@@ -35523,7 +35722,7 @@ index f9de9fc..11e6268 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',`
+@@ -396,8 +297,7 @@ interface(`kerberos_read_kdc_config',`
  
  ########################################
  ## <summary>
@@ -35533,7 +35732,7 @@ index f9de9fc..11e6268 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',`
+@@ -411,34 +311,99 @@ interface(`kerberos_manage_host_rcache',`
  		type krb5_host_rcache_t;
  	')
  
@@ -35573,8 +35772,7 @@ index f9de9fc..11e6268 100644
  ## </param>
 -## <param name="object_class">
 +## <param name="role">
- ##	<summary>
--##	Class of the object being created.
++##	<summary>
 +##	The role to be allowed to manage the kerberos domain.
 +##	</summary>
 +## </param>
@@ -35636,12 +35834,13 @@ index f9de9fc..11e6268 100644
 +##	to the krb5_host_rcache type.
 +## </summary>
 +## <param name="domain">
-+##	<summary>
+ ##	<summary>
+-##	Class of the object being created.
 +##	Domain allowed access.
  ##	</summary>
  ## </param>
  ## <param name="name" optional="true">
-@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -452,12 +417,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
  		type krb5_host_rcache_t;
  	')
  
@@ -35657,7 +35856,7 @@ index f9de9fc..11e6268 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -465,82 +431,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
  ##	</summary>
  ## </param>
  #
@@ -35798,7 +35997,7 @@ index f9de9fc..11e6268 100644
 +	kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
  ')
 diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..15b3d6d 100644
+index 3465a9a..cf08ae1 100644
 --- a/kerberos.te
 +++ b/kerberos.te
 @@ -1,4 +1,4 @@
@@ -35807,7 +36006,7 @@ index 3465a9a..15b3d6d 100644
  
  ########################################
  #
-@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7)
+@@ -6,11 +6,13 @@ policy_module(kerberos, 1.11.7)
  #
  
  ## <desc>
@@ -35820,10 +36019,12 @@ index 3465a9a..15b3d6d 100644
  ## </desc>
 -gen_tunable(allow_kerberos, false)
 +gen_tunable(kerberos_enabled, false)
++
++attribute kerberos_keytab_domain;
  
  type kadmind_t;
  type kadmind_exec_t;
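Review bot: "attribute kerberos_keytab_domain;" is declared here but no allow or dontaudit rule in this patch references it; an attribute without rules compiles but is dead policy, so either add the rules that the kerberos_keytab_template change is meant to share or put a one-line comment above the declaration stating the intended use. The header bump from +6,11 to +6,13 matches the two lines added.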
-@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
+@@ -35,23 +37,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
  domain_obj_id_change_exemption(kpropd_t)
  
  type krb5_conf_t;
@@ -35849,13 +36050,13 @@ index 3465a9a..15b3d6d 100644
  type krb5kdc_lock_t;
 -files_type(krb5kdc_lock_t)
 +files_lock_file(krb5kdc_lock_t)
- 
 +
+ 
 +# types for KDC principal file(s)
  type krb5kdc_principal_t;
  files_type(krb5kdc_principal_t)
  
-@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t)
+@@ -74,28 +80,31 @@ files_pid_file(krb5kdc_var_run_t)
  # kadmind local policy
  #
  
@@ -35893,7 +36094,7 @@ index 3465a9a..15b3d6d 100644
  manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
  manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
  files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
-@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
+@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
  manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
  files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
  
@@ -35912,7 +36113,7 @@ index 3465a9a..15b3d6d 100644
  corenet_all_recvfrom_netlabel(kadmind_t)
  corenet_tcp_sendrecv_generic_if(kadmind_t)
  corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
+@@ -119,31 +130,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
  corenet_udp_sendrecv_all_ports(kadmind_t)
  corenet_tcp_bind_generic_node(kadmind_t)
  corenet_udp_bind_generic_node(kadmind_t)
@@ -35959,7 +36160,7 @@ index 3465a9a..15b3d6d 100644
  sysnet_use_ldap(kadmind_t)
  
  userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,11 +173,16 @@ optional_policy(`
+@@ -154,11 +175,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -35976,7 +36177,7 @@ index 3465a9a..15b3d6d 100644
  ')
  
  optional_policy(`
-@@ -174,24 +198,27 @@ optional_policy(`
+@@ -174,24 +200,27 @@ optional_policy(`
  # Krb5kdc local policy
  #
  
@@ -36008,12 +36209,17 @@ index 3465a9a..15b3d6d 100644
  logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
  
  allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -203,54 +230,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
- manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
- files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
+@@ -201,56 +230,57 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t)
+ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
  
--can_exec(krb5kdc_t, krb5kdc_exec_t)
+ manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
+-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
 -
+-can_exec(krb5kdc_t, krb5kdc_exec_t)
++manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
++manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
++files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })
+ 
  kernel_read_system_state(krb5kdc_t)
  kernel_read_kernel_sysctls(krb5kdc_t)
 +kernel_list_proc(krb5kdc_t)
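Review bot: "files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file })" uses an unnamed dir transition, so any directory krb5kdc_t creates directly under /var/run is labeled krb5kdc_var_run_t. The file context added to kerberos.fc in this same patch is specifically /var/run/krb5kdc(/.*)?, so a named transition for the directory, files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, dir, "krb5kdc"), next to the { file sock_file } one keeps the rule as narrow as the label. The manage_dirs_pattern and manage_sock_files_pattern additions are fine, and the inner header change to -201,56 +230,57 is consistent with the extra context lines, the removed files_pid_filetrans(file) line and the three added lines.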
@@ -36074,7 +36280,7 @@ index 3465a9a..15b3d6d 100644
  sysnet_use_ldap(krb5kdc_t)
  
  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +287,11 @@ optional_policy(`
+@@ -261,11 +291,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36088,7 +36294,7 @@ index 3465a9a..15b3d6d 100644
  ')
  
  optional_policy(`
-@@ -273,6 +299,10 @@ optional_policy(`
+@@ -273,6 +303,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -36099,7 +36305,7 @@ index 3465a9a..15b3d6d 100644
  	udev_read_db(krb5kdc_t)
  ')
  
-@@ -281,10 +311,12 @@ optional_policy(`
+@@ -281,10 +315,12 @@ optional_policy(`
  # kpropd local policy
  #
  
@@ -36115,7 +36321,7 @@ index 3465a9a..15b3d6d 100644
  
  allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
  
-@@ -303,26 +335,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +339,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
  
  corecmd_exec_bin(kpropd_t)
  
@@ -44986,7 +45192,7 @@ index f42896c..cb2791a 100644
 -/var/spool/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
 +/var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/mta.if b/mta.if
-index ed81cac..26c97cd 100644
+index ed81cac..e968c28 100644
 --- a/mta.if
 +++ b/mta.if
 @@ -1,4 +1,4 @@
@@ -46095,7 +46301,7 @@ index ed81cac..26c97cd 100644
 +		type etc_mail_t;
 +	')
 +
-+	filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
++	#filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
 +	mta_etc_filetrans_aliases($1, "aliases")
 +	mta_etc_filetrans_aliases($1, "aliases.db")
 +	mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
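Review bot: commenting out "filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })" instead of deleting it leaves dead code in mta.if; git history already preserves the old rule, so remove the line, or if it is deliberately kept as a breadcrumb, add a one-line comment above it saying the generic transition was dropped because unrelated files created in /etc/mail were being labeled etc_aliases_t (the reason given in the commit message). With it gone only the three named mta_etc_filetrans_aliases transitions (aliases, aliases.db, aliasesdb-stamp) remain, which is the intended narrowing.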
@@ -46103,7 +46309,7 @@ index ed81cac..26c97cd 100644
 +	mta_filetrans_admin_home_content($1)
 +')
 diff --git a/mta.te b/mta.te
-index afd2fad..5979160 100644
+index afd2fad..b995f01 100644
 --- a/mta.te
 +++ b/mta.te
 @@ -1,4 +1,4 @@
@@ -46300,15 +46506,15 @@ index afd2fad..5979160 100644
  
  init_use_script_ptys(system_mail_t)
 +init_dontaudit_rw_stream_socket(system_mail_t)
- 
--userdom_use_user_terminals(system_mail_t)
++
 +userdom_use_inherited_user_terminals(system_mail_t)
 +userdom_dontaudit_list_user_home_dirs(system_mail_t)
 +userdom_dontaudit_list_admin_dir(system_mail_t)
 +
 +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
 +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
-+
+ 
+-userdom_use_user_terminals(system_mail_t)
 +allow system_mail_t mail_home_t:file manage_file_perms;
 +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
 +
@@ -46528,7 +46734,18 @@ index afd2fad..5979160 100644
  	files_search_var_lib(mailserver_delivery)
  
  	mailman_domtrans(mailserver_delivery)
-@@ -387,24 +282,177 @@ optional_policy(`
+@@ -378,6 +273,10 @@ optional_policy(`
+ ')
+ 
+ optional_policy(`
++    pcp_read_lib_files(mailserver_delivery)
++')
++
++optional_policy(`
+ 	postfix_rw_inherited_master_pipes(mailserver_delivery)
+ ')
+ 
+@@ -387,24 +286,177 @@ optional_policy(`
  
  ########################################
  #
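Review bot: the new "pcp_read_lib_files(mailserver_delivery)" block is indented with four spaces while the neighbouring optional_policy bodies in mta.te use a tab; match the tab. The call depends on the pcp_read_lib_files interface that this same patch introduces in pcp.if, and because it is wrapped in optional_policy it still compiles when the pcp module is absent, which is the right shape. A comment saying this is for reading .forward files that live under the pcp lib directory would keep the reason for a mail delivery domain touching pcp state from being lost; the inner header shift from +282 to +286 matches the four lines added.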
@@ -53722,7 +53939,7 @@ index 379af96..41ff159 100644
 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 diff --git a/nut.if b/nut.if
-index 57c0161..54bd4d7 100644
+index 57c0161..dae3360 100644
 --- a/nut.if
 +++ b/nut.if
 @@ -1,39 +1,24 @@
@@ -53778,7 +53995,7 @@ index 57c0161..54bd4d7 100644
  
 -	files_search_pids($1)
 -	admin_pattern($1, nut_var_run_t)
-+    ps_process_pattern($1, swift_t)
++    ps_process_pattern($1, nut_t)
  ')
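Review bot: changing "ps_process_pattern($1, swift_t)" to "ps_process_pattern($1, nut_t)" fixes what looks like a copy-paste from the swift module; with swift_t the nut_admin interface granted process-state access to the wrong daemon and would fail to expand when the swift module was not loaded. Two follow-ups: the gen_require block of this interface (not shown in the hunk) must list type nut_t, and the corrected line is indented with four spaces where the rest of nut.if uses tabs.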
 diff --git a/nut.te b/nut.te
 index 0c9deb7..76988d6 100644
@@ -55691,16 +55908,24 @@ index 0000000..9451b83
 +')
 diff --git a/openshift.te b/openshift.te
 new file mode 100644
-index 0000000..3c4beaf
+index 0000000..e13b578
 --- /dev/null
 +++ b/openshift.te
-@@ -0,0 +1,558 @@
+@@ -0,0 +1,573 @@
 +policy_module(openshift,1.0.0)
 +
 +gen_require(`
 +	role system_r;
 +')
 + 
++## <desc>
++## <p>
++## Allow openshift to access nfs file systems without labels
++## </p>
++## </desc>
++gen_tunable(openshift_use_nfs, false)
++
++
 +########################################
 +#
 +# Declarations
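Review bot: the openshift_use_nfs tunable is followed by two consecutive blank lines before the Declarations banner; drop one. The <desc> text says "access nfs file systems without labels", but the tunable_policy body added at the end of this file grants manage on NFS dirs, files and symlinks plus execute on NFS files, so word the description as read, write and execute so that the boolean listing shows the administrator its real scope. The header count change from +1,558 to +1,573 matches the eight lines here plus the seven-line tunable_policy block.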
@@ -56253,6 +56478,13 @@ index 0000000..3c4beaf
 +	ssh_dontaudit_read_server_keys(openshift_cron_t)
 +')
 +
++tunable_policy(`openshift_use_nfs',`
++        fs_list_auto_mountpoints(openshift_domain)
++	fs_manage_nfs_dirs(openshift_domain)
++	fs_manage_nfs_files(openshift_domain)
++	fs_manage_nfs_symlinks(openshift_domain)
++	fs_exec_nfs_files(openshift_domain)
++')
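Review bot: "fs_list_auto_mountpoints(openshift_domain)" is indented with eight spaces while the four lines under it use a tab; use the tab. Because the block targets the openshift_domain attribute, every openshift domain, openshift_cron_t included, gets fs_exec_nfs_files when the boolean is on, so unlabeled NFS content becomes executable for all of them; if only the gear domains need to execute from NFS, scope that single line to them and leave the manage rules on the attribute.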
 diff --git a/opensm.fc b/opensm.fc
 new file mode 100644
 index 0000000..51650fa
@@ -57084,7 +57316,7 @@ index 9b15730..eedd136 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..dd3be82 100644
+index 508fedf..452ad74 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -1,4 +1,4 @@
@@ -57107,7 +57339,7 @@ index 508fedf..dd3be82 100644
  
  type openvswitch_var_lib_t;
  files_type(openvswitch_var_lib_t)
-@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
+@@ -21,23 +18,34 @@ files_type(openvswitch_var_lib_t)
  type openvswitch_log_t;
  logging_log_file(openvswitch_log_t)
  
@@ -57135,6 +57367,7 @@ index 508fedf..dd3be82 100644
 -allow openvswitch_t self:rawip_socket create_socket_perms;
 -allow openvswitch_t self:unix_stream_socket { accept connectto listen };
 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
++allow openvswitch_t self:tcp_socket create_stream_socket_perms;
 +allow openvswitch_t self:netlink_socket create_socket_perms;
 +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
  
@@ -57149,7 +57382,7 @@ index 508fedf..dd3be82 100644
  
  manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
  manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,45 +52,55 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -45,45 +53,57 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
  files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
  
  manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -57182,6 +57415,8 @@ index 508fedf..dd3be82 100644
 -corenet_raw_sendrecv_generic_if(openvswitch_t)
 -corenet_raw_sendrecv_generic_node(openvswitch_t)
 +corenet_tcp_connect_openflow_port(openvswitch_t)
++corenet_tcp_bind_generic_node(openvswitch_t)
++corenet_tcp_bind_openvswitch_port(openvswitch_t)
  
  corecmd_exec_bin(openvswitch_t)
 +corecmd_exec_shell(openvswitch_t)
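Review bot: "corenet_tcp_bind_openvswitch_port(openvswitch_t)" relies on the openvswitch port type and its bind interface being added to corenetwork in this same update (the commit message lists "Add label for openvswitch port"); if the corenetwork change ships separately this line breaks the build, so keep them in one release. Together with "corenet_tcp_bind_generic_node(openvswitch_t)" and the self:tcp_socket create_stream_socket_perms rule added earlier in this file, these are the three pieces a listening TCP socket needs; the header count changes (+18,33 to +18,34 and +52,55 to +53,57) match the lines added.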
@@ -58473,10 +58708,10 @@ index 0000000..9b8cb6b
 +/var/run/pmcd\.socket    --  gen_context(system_u:object_r:pcp_var_run_t,s0)
 diff --git a/pcp.if b/pcp.if
 new file mode 100644
-index 0000000..4f074cb
+index 0000000..ba24b40
 --- /dev/null
 +++ b/pcp.if
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,139 @@
 +## <summary>The  pcp  command summarizes the status of a Performance Co-Pilot (PCP) installation</summary>
 +
 +######################################
@@ -58504,6 +58739,24 @@ index 0000000..4f074cb
 +
 +')
 +
++######################################
++## <summary>
++##  Allow domain to read pcp lib files
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++interface(`pcp_read_lib_files',`
++    gen_require(`
++        type pcp_var_lib_t;
++    ')
++    libs_search_lib($1)
++    read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)
++')
++
 +########################################
 +## <summary>
 +##  All of the rules required to administrate
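Review bot: the body and the doc block of pcp_read_lib_files disagree: the interface takes a domain, but it is documented as <param name="prefix"> with "Prefix for the domain."; change it to <param name="domain"> and "Domain allowed access." like the other interfaces in this file. Also, pcp_var_lib_t by name and convention labels content under /var/lib, so the directory search the caller needs is files_search_var_lib($1), not libs_search_lib($1), which covers /usr/lib; a caller that does not already traverse /var/lib will still be denied. Minor: "read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)" lacks the spaces after the commas used elsewhere.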
@@ -58577,12 +58830,33 @@ index 0000000..4f074cb
 +    corecmd_search_bin($1)
 +    can_exec($1, pcp_pmie_exec_t)
 +')
++
++########################################
++## <summary>
++##  Allow the specified domain to execute pcp_pmlogger
++##  in the caller domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pcp_pmlogger_exec',`
++    gen_require(`
++        type pcp_pmlogger_exec_t;
++    ')
++
++    corecmd_search_bin($1)
++    can_exec($1, pcp_pmlogger_exec_t)
++')
++
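Review bot: the summary of pcp_pmlogger_exec says "execute pcp_pmlogger in the caller domain" while the param text says "Domain allowed to transition"; can_exec performs no domain transition, so make the param "Domain allowed access." (the pcp_pmie_exec block it was copied from has the same mismatch and can be fixed in the same pass). The file now ends with an extra empty line after the closing ')'; drop it. The count change from +1,100 to +1,139 matches the 39 lines added across the two new interfaces.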
 diff --git a/pcp.te b/pcp.te
 new file mode 100644
-index 0000000..8ec3a48
+index 0000000..d21c5d7
 --- /dev/null
 +++ b/pcp.te
-@@ -0,0 +1,164 @@
+@@ -0,0 +1,192 @@
 +policy_module(pcp, 1.0.0)
 +
 +########################################
@@ -58648,6 +58922,8 @@ index 0000000..8ec3a48
 +
 +dev_read_urand(pcp_domain)
 +
++files_read_etc_files(pcp_domain)
++
 +fs_getattr_all_fs(pcp_domain)
 +
 +auth_read_passwd(pcp_domain)
@@ -58665,6 +58941,8 @@ index 0000000..8ec3a48
 +allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
 +allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;
 +
++auth_use_nsswitch(pcp_pmcd_t)
++
 +kernel_read_network_state(pcp_pmcd_t)
 +kernel_read_system_state(pcp_pmcd_t)
 +kernel_read_state(pcp_pmcd_t)
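Review bot: while adding "auth_use_nsswitch(pcp_pmcd_t)" here, also clean up the context line just above it, "allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;;", which carries a doubled semicolon; it is already in the patch, but it is a typo and this hunk touches the same spot. The auth_use_nsswitch call is relocated from further down in the pmcd section (removed in a later hunk) rather than being a new grant.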
@@ -58686,9 +58964,9 @@ index 0000000..8ec3a48
 +fs_getattr_all_dirs(pcp_pmcd_t)
 +fs_list_cgroup_dirs(pcp_pmcd_t)
 +
-+storage_getattr_fixed_disk_dev(pcp_pmcd_t)
++logging_send_syslog_msg(pcp_pmcd_t)
 +
-+auth_use_nsswitch(pcp_pmcd_t)
++storage_getattr_fixed_disk_dev(pcp_pmcd_t)
 +
 +optional_policy(`
 +    dbus_system_bus_client(pcp_pmcd_t)
@@ -58705,9 +58983,12 @@ index 0000000..8ec3a48
 +
 +allow pcp_pmproxy_t self:process setsched;
 +allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
++allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
 +
 +auth_use_nsswitch(pcp_pmproxy_t)
 +
++logging_send_syslog_msg(pcp_pmproxy_t)
++
 +########################################
 +#
 +# pcp_pmwebd local  policy
@@ -58721,21 +59002,27 @@ index 0000000..8ec3a48
 +#
 +
 +allow pcp_pmmgr_t self:process { setpgid };
-+
++allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
 +allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
 +
 +kernel_read_system_state(pcp_pmmgr_t)
 +
++auth_use_nsswitch(pcp_pmmgr_t)
++
 +corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
 +
++corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
++corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
++
 +corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
 +
 +corecmd_exec_bin(pcp_pmmgr_t)
 +
-+auth_use_nsswitch(pcp_pmmgr_t)
++logging_send_syslog_msg(pcp_pmmgr_t)
 +
 +optional_policy(`
 +    pcp_pmie_exec(pcp_pmmgr_t)
++    pcp_pmlogger_exec(pcp_pmmgr_t)
 +')
 +
 +########################################
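Review bot: pcp_pmmgr_t gains "corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)" and "corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)" but this hunk adds no corenet_tcp_bind_generic_node(pcp_pmmgr_t), whereas the new pmlogger block further down does get one; binding a TCP port also requires node_bind on the node, so unless pcp_domain already grants it, add the generic node bind for pmmgr or the bind will still be denied. "pcp_pmlogger_exec(pcp_pmmgr_t)" inside optional_policy mirrors the existing pcp_pmie_exec call; both interfaces live in this module, so the wrapper is unnecessary, though harmless. Adding "logging_send_syslog_msg(pcp_pmmgr_t)" alongside the self:unix_dgram_socket rule is the usual pairing for syslog.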
@@ -58747,6 +59034,21 @@ index 0000000..8ec3a48
 +
 +allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
 +
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
++
++########################################
++#
++# pcp_pmlogger local  policy
++#
++
++allow pcp_pmlogger_t self:process setpgid;
++allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };
++
++allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto;
++
++corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)
++corenet_tcp_bind_generic_node(pcp_pmlogger_t)
++
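Review bot: the new pmlogger block uses pcp_pmlogger_t, whose declaration is not part of this hunk; confirm it is created by the same declaration template as the other pcp_* daemons, together with pcp_pmlogger_exec_t used by the new pcp_pmlogger_exec interface, or the module will not build. Style: "allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read };" is missing the space after the opening brace, and the file ends with a blank line after the last rule. Unlike pmmgr, this block correctly pairs "corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t)" with "corenet_tcp_bind_generic_node(pcp_pmlogger_t)".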
 diff --git a/pcscd.if b/pcscd.if
 index 43d50f9..7f77d32 100644
 --- a/pcscd.if
@@ -58761,7 +59063,7 @@ index 43d50f9..7f77d32 100644
  
  ########################################
 diff --git a/pcscd.te b/pcscd.te
-index 96db654..6d3feb9 100644
+index 96db654..a958595 100644
 --- a/pcscd.te
 +++ b/pcscd.te
 @@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
@@ -58787,7 +59089,14 @@ index 96db654..6d3feb9 100644
  corenet_all_recvfrom_netlabel(pcscd_t)
  corenet_tcp_sendrecv_generic_if(pcscd_t)
  corenet_tcp_sendrecv_generic_node(pcscd_t)
-@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t)
+@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t)
+ corenet_tcp_connect_http_port(pcscd_t)
+ corenet_tcp_sendrecv_http_port(pcscd_t)
+ 
++domain_read_all_domains_state(pcscd_t)
++
+ dev_rw_generic_usb_dev(pcscd_t)
+ dev_rw_smartcard(pcscd_t)
  dev_rw_usbfs(pcscd_t)
  dev_read_sysfs(pcscd_t)
  
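Review bot: "domain_read_all_domains_state(pcscd_t)" lets pcscd read /proc/<pid> state for every domain on the system, which is a wide grant for a smart card daemon. If the need is to identify the client process for polkit authorisation (the policykit_dbus_chat calls added later in this file suggest so), userdom_read_all_users_state(pcscd_t), also added in this patch, may already cover it; try with only that first, and if the broader rule really is required, add a comment above it naming the denial that triggered it.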
@@ -58795,7 +59104,7 @@ index 96db654..6d3feb9 100644
  files_read_etc_runtime_files(pcscd_t)
  
  term_use_unallocated_ttys(pcscd_t)
-@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t)
+@@ -60,16 +61,22 @@ locallogin_use_fds(pcscd_t)
  
  logging_send_syslog_msg(pcscd_t)
  
@@ -58803,8 +59112,24 @@ index 96db654..6d3feb9 100644
 -
  sysnet_dns_name_resolve(pcscd_t)
  
++userdom_read_all_users_state(pcscd_t)
++
  optional_policy(`
-@@ -85,3 +82,7 @@ optional_policy(`
+ 	dbus_system_bus_client(pcscd_t)
+ 
+ 	optional_policy(`
+ 		hal_dbus_chat(pcscd_t)
+ 	')
++
++    optional_policy(`
++        policykit_dbus_chat(pcscd_t)
++        policykit_dbus_chat_auth(pcscd_t)
++    ')
++
+ ')
+ 
+ optional_policy(`
+@@ -85,3 +92,7 @@ optional_policy(`
  optional_policy(`
  	udev_read_db(pcscd_t)
  ')
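Review bot: the nested policykit optional_policy block is indented with four spaces inside a tab-indented optional_policy, and it is surrounded by two blank lines; use tabs and a single blank line. "policykit_dbus_chat_auth(pcscd_t)" lets pcscd talk to the polkit authentication agent side as well as the authority; if pcscd only checks authorisations, policykit_dbus_chat(pcscd_t) alone suffices, so confirm which denial was seen. The header shifts (+61,22 and +92,7) are consistent with the lines added.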
@@ -58958,7 +59283,7 @@ index d2fc677..ded726f 100644
  ')
 +
 diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..a8401a8 100644
+index 7bcf327..8ad2a04 100644
 --- a/pegasus.te
 +++ b/pegasus.te
 @@ -1,17 +1,16 @@
@@ -58982,7 +59307,7 @@ index 7bcf327..a8401a8 100644
  type pegasus_cache_t;
  files_type(pegasus_cache_t)
  
-@@ -30,20 +29,304 @@ files_type(pegasus_mof_t)
+@@ -30,20 +29,316 @@ files_type(pegasus_mof_t)
  type pegasus_var_run_t;
  files_pid_file(pegasus_var_run_t)
  
@@ -59160,6 +59485,7 @@ index 7bcf327..a8401a8 100644
 +# pegasus openlmi service local policy
 +#
 +
++init_manage_transient_unit(pegasus_openlmi_admin_t)
 +init_disable_services(pegasus_openlmi_admin_t)
 +init_enable_services(pegasus_openlmi_admin_t)
 +init_reload_services(pegasus_openlmi_admin_t)
@@ -59180,7 +59506,7 @@ index 7bcf327..a8401a8 100644
 +')
 +
 +optional_policy(`
-+    sssd_search_lib(pegasus_openlmi_admin_t)
++    sssd_stream_connect(pegasus_openlmi_admin_t)
 +')
 +
 +######################################
@@ -59206,9 +59532,11 @@ index 7bcf327..a8401a8 100644
 +files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage")
 +
 +kernel_read_all_sysctls(pegasus_openlmi_storage_t)
++kernel_read_network_state(pegasus_openlmi_storage_t)
 +kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
 +kernel_request_load_module(pegasus_openlmi_storage_t)
 +
++dev_read_raw_memory(pegasus_openlmi_storage_t)
 +dev_read_rand(pegasus_openlmi_storage_t)
 +dev_read_urand(pegasus_openlmi_storage_t)
 +
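Review bot: "dev_read_raw_memory(pegasus_openlmi_storage_t)" grants read on /dev/mem, which exposes physical memory and is about the widest device access a domain can get; the commit message ties it to lscpu running in this domain. Put that reason in a comment above the line, and check whether lscpu works without it on kernels with strict devmem restrictions, in which case a dontaudit would keep the provider at least privilege. "kernel_read_network_state(pegasus_openlmi_storage_t)" is uncontroversial.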
@@ -59220,6 +59548,7 @@ index 7bcf327..a8401a8 100644
 +seutil_read_file_contexts(pegasus_openlmi_storage_t)
 +
 +storage_raw_read_removable_device(pegasus_openlmi_storage_t)
++storage_raw_write_removable_device(pegasus_openlmi_storage_t)
 +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
 +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
 +
@@ -59232,6 +59561,8 @@ index 7bcf327..a8401a8 100644
 +udev_domtrans(pegasus_openlmi_storage_t)
 +udev_read_pid_files(pegasus_openlmi_storage_t)
 +
++init_read_state(pegasus_openlmi_storage_t)
++
 +miscfiles_read_hwdata(pegasus_openlmi_storage_t)
 +
 +optional_policy(`
@@ -59244,10 +59575,16 @@ index 7bcf327..a8401a8 100644
 +
 +optional_policy(`
 +    iscsi_manage_lock(pegasus_openlmi_storage_t)
++    iscsi_read_lib_files(pegasus_openlmi_storage_t)
++')
++
++optional_policy(`
++    libs_exec_ldconfig(pegasus_openlmi_storage_t)
 +')
 +
 +optional_policy(`
 +    lvm_domtrans(pegasus_openlmi_storage_t)
++    lvm_read_metadata(pegasus_openlmi_storage_t)
 +')
 +
 +optional_policy(`
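Review bot: "libs_exec_ldconfig(pegasus_openlmi_storage_t)" is wrapped in optional_policy, but the libraries module is part of the base policy and always present, so the wrapper is unnecessary; move the call into the unconditional section. "lvm_read_metadata(pegasus_openlmi_storage_t)" depends on the lvm_read_metadata interface added by this same update (per the commit message) and "iscsi_read_lib_files(pegasus_openlmi_storage_t)" on that interface existing in iscsi.if; both sit correctly inside the optional_policy blocks for their modules.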
@@ -59292,7 +59629,7 @@ index 7bcf327..a8401a8 100644
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
  
  manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
-@@ -54,22 +337,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
+@@ -54,22 +349,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
  manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
  manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
@@ -59323,7 +59660,7 @@ index 7bcf327..a8401a8 100644
  
  kernel_read_network_state(pegasus_t)
  kernel_read_kernel_sysctls(pegasus_t)
-@@ -80,27 +363,21 @@ kernel_read_net_sysctls(pegasus_t)
+@@ -80,27 +375,21 @@ kernel_read_net_sysctls(pegasus_t)
  kernel_read_xen_state(pegasus_t)
  kernel_write_xen_state(pegasus_t)
  
@@ -59356,7 +59693,7 @@ index 7bcf327..a8401a8 100644
  
  corecmd_exec_bin(pegasus_t)
  corecmd_exec_shell(pegasus_t)
-@@ -114,9 +391,11 @@ files_getattr_all_dirs(pegasus_t)
+@@ -114,9 +403,11 @@ files_getattr_all_dirs(pegasus_t)
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
@@ -59368,7 +59705,7 @@ index 7bcf327..a8401a8 100644
  
  files_list_var_lib(pegasus_t)
  files_read_var_lib_files(pegasus_t)
-@@ -128,18 +407,29 @@ init_stream_connect_script(pegasus_t)
+@@ -128,18 +419,29 @@ init_stream_connect_script(pegasus_t)
  logging_send_audit_msgs(pegasus_t)
  logging_send_syslog_msg(pegasus_t)
  
@@ -59404,7 +59741,7 @@ index 7bcf327..a8401a8 100644
  ')
  
  optional_policy(`
-@@ -151,16 +441,24 @@ optional_policy(`
+@@ -151,16 +453,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59433,7 +59770,7 @@ index 7bcf327..a8401a8 100644
  ')
  
  optional_policy(`
-@@ -168,7 +466,7 @@ optional_policy(`
+@@ -168,7 +478,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -66823,7 +67160,7 @@ index 00edeab..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
  ')
 diff --git a/procmail.te b/procmail.te
-index d447152..2f0ae78 100644
+index d447152..f3e6fbf 100644
 --- a/procmail.te
 +++ b/procmail.te
 @@ -1,4 +1,4 @@
@@ -66858,7 +67195,7 @@ index d447152..2f0ae78 100644
  allow procmail_t procmail_log_t:dir setattr_dir_perms;
  create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
  append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,89 +44,107 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,89 +44,108 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
  
@@ -66965,6 +67302,7 @@ index d447152..2f0ae78 100644
  optional_policy(`
 -	cyrus_stream_connect(procmail_t)
 +	dovecot_stream_connect(procmail_t)
++	dovecot_read_config(procmail_t)
  ')
  
  optional_policy(`
@@ -67003,16 +67341,17 @@ index d447152..2f0ae78 100644
  ')
  
  optional_policy(`
-@@ -131,6 +153,8 @@ optional_policy(`
+@@ -131,6 +154,9 @@ optional_policy(`
  ')
  
  optional_policy(`
 +	mta_read_config(procmail_t)
++	mta_mailserver_delivery(procmail_t)
 +	mta_manage_home_rw(procmail_t)
  	sendmail_domtrans(procmail_t)
  	sendmail_signal(procmail_t)
  	sendmail_dontaudit_rw_tcp_sockets(procmail_t)
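Review bot: "mta_mailserver_delivery(procmail_t)" puts procmail_t into the mailserver_delivery attribute, which pulls in every rule written against that attribute in mta.te (including the pcp_read_lib_files grant added in this same patch), not just the .forward handling; if the intent was only the mail home content access, mta_read_config and mta_manage_home_rw on the lines above may already be enough, so confirm that the wider attribute membership is wanted and note the reason in a comment. "dovecot_read_config(procmail_t)" in the preceding hunk is a sensible companion to dovecot_stream_connect.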
-@@ -145,3 +169,8 @@ optional_policy(`
+@@ -145,3 +171,8 @@ optional_policy(`
  	spamassassin_domtrans_client(procmail_t)
  	spamassassin_read_lib_files(procmail_t)
  ')
@@ -74297,16 +74636,15 @@ index 0000000..638d6b4
 +/var/run/redis(/.*)?		gen_context(system_u:object_r:redis_var_run_t,s0)
 diff --git a/redis.if b/redis.if
 new file mode 100644
-index 0000000..72a2d7b
+index 0000000..2640ab5
 --- /dev/null
 +++ b/redis.if
-@@ -0,0 +1,271 @@
-+
-+## <summary>redis-server SELinux policy</summary>
+@@ -0,0 +1,266 @@
++## <summary>Advanced key-value store</summary>
 +
 +########################################
 +## <summary>
-+##	Execute TEMPLATE in the redis domin.
++##	Execute redis server in the redis domin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
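Review bot: the reworded summary "Execute redis server in the redis domin." still carries the typo "domin"; change it to "domain" while the line is being touched. Replacing the file-level summary with "Advanced key-value store" and dropping the leading blank line are fine; the count change from +1,271 to +1,266 is consistent with the lines removed across this and the following redis.if hunks.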
@@ -74340,6 +74678,7 @@ index 0000000..72a2d7b
 +
 +	init_labeled_script_domtrans($1, redis_initrc_exec_t)
 +')
++
 +########################################
 +## <summary>
 +##	Read redis's log files.
@@ -74349,7 +74688,6 @@ index 0000000..72a2d7b
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
-+## <rolecap/>
 +#
 +interface(`redis_read_log',`
 +	gen_require(`
@@ -74512,14 +74850,13 @@ index 0000000..72a2d7b
 +	')
 +
 +	systemd_exec_systemctl($1)
-+        systemd_read_fifo_file_password_run($1)
++    systemd_read_fifo_file_passwd_run($1)
 +	allow $1 redis_unit_file_t:file read_file_perms;
 +	allow $1 redis_unit_file_t:service manage_service_perms;
 +
 +	ps_process_pattern($1, redis_t)
 +')
 +
-+
 +########################################
 +## <summary>
 +##	All of the rules required to administrate
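Review bot: renaming "systemd_read_fifo_file_password_run($1)" to "systemd_read_fifo_file_passwd_run($1)" fixes a call to a non-existent interface (the correct name is the one the redis_admin block below already uses), which would otherwise have failed at m4 expansion time. The corrected line is indented with four spaces where the rest of redis_systemctl uses tabs; match the tabs, and the extra blank line removed after the interface is a welcome cleanup.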
@@ -74539,18 +74876,14 @@ index 0000000..72a2d7b
 +#
 +interface(`redis_admin',`
 +	gen_require(`
-+		type redis_t;
-+		type redis_initrc_exec_t;
-+		type redis_log_t;
-+		type redis_var_lib_t;
-+		type redis_var_run_t;
-+	type redis_unit_file_t;
++		type redis_t, redis_initrc_exec_t, redis_var_lib_t;
++		type redis_log_t, redis_var_run_t, redis_unit_file_t;
 +	')
 +
 +	allow $1 redis_t:process { ptrace signal_perms };
 +	ps_process_pattern($1, redis_t)
 +
-+	redis_initrc_domtrans($1)
++	init_labeled_script_domtrans($1, redis_initrc_exec_t)
 +	domain_system_change_exemption($1)
 +	role_transition $2 redis_initrc_exec_t system_r;
 +	allow $2 system_r;
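Review bot: "init_labeled_script_domtrans($1, redis_initrc_exec_t)" in redis_admin does exactly what the replaced redis_initrc_domtrans($1) wrapper (defined earlier in this file) did, so the change is behaviour-neutral and follows the usual admin-interface convention; consolidating the gen_require into two type lines is fine, just make sure the six types listed match the ones the body uses, including redis_unit_file_t for the systemctl rules.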
@@ -74567,6 +74900,7 @@ index 0000000..72a2d7b
 +	redis_systemctl($1)
 +	admin_pattern($1, redis_unit_file_t)
 +	allow $1 redis_unit_file_t:service all_service_perms;
++
 +	optional_policy(`
 +		systemd_passwd_agent_exec($1)
 +		systemd_read_fifo_file_passwd_run($1)
@@ -82583,7 +82917,7 @@ index aee75af..a6bab06 100644
 +	allow $1 samba_unit_file_t:service all_service_perms;
  ')
 diff --git a/samba.te b/samba.te
-index 57c034b..ded3288 100644
+index 57c034b..3ac0bb1 100644
 --- a/samba.te
 +++ b/samba.te
 @@ -1,4 +1,4 @@
@@ -82962,7 +83296,7 @@ index 57c034b..ded3288 100644
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -315,43 +328,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -315,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t)
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
@@ -83013,11 +83347,11 @@ index 57c034b..ded3288 100644
 -files_dontaudit_getattr_all_dirs(smbd_t)
 -files_dontaudit_list_all_mountpoints(smbd_t)
 -files_list_mnt(smbd_t)
--
++domain_dontaudit_signull_all_domains(smbd_t)
+ 
  fs_getattr_all_fs(smbd_t)
  fs_getattr_all_dirs(smbd_t)
- fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +363,55 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t)
  fs_list_inotifyfs(smbd_t)
  fs_get_all_fs_quotas(smbd_t)
  
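Review bot: "domain_dontaudit_signull_all_domains(smbd_t)" silences signull (process existence probing) denials against every domain; that suits smbd checking whether its child pids are alive and grants nothing new, but it also removes the audit record if smbd is ever misused to probe other processes, so add a short comment naming the use case. The inner header change to -315,42 +328,34 matches the blank line no longer removed, the added rule and the dropped trailing context line "fs_get_xattr_fs_quotas(smbd_t)".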
@@ -83084,7 +83418,7 @@ index 57c034b..ded3288 100644
  ')
  
  tunable_policy(`samba_domain_controller',`
-@@ -413,20 +427,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +429,10 @@ tunable_policy(`samba_domain_controller',`
  ')
  
  tunable_policy(`samba_enable_home_dirs',`
@@ -83107,7 +83441,7 @@ index 57c034b..ded3288 100644
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
-@@ -435,6 +439,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +441,7 @@ tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -83115,7 +83449,7 @@ index 57c034b..ded3288 100644
  tunable_policy(`samba_share_fusefs',`
  	fs_manage_fusefs_dirs(smbd_t)
  	fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +447,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +449,6 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
@@ -83133,7 +83467,7 @@ index 57c034b..ded3288 100644
  optional_policy(`
  	ccs_read_config(smbd_t)
  ')
-@@ -460,6 +454,7 @@ optional_policy(`
+@@ -460,6 +456,7 @@ optional_policy(`
  optional_policy(`
  	ctdbd_stream_connect(smbd_t)
  	ctdbd_manage_lib_files(smbd_t)
@@ -83141,7 +83475,7 @@ index 57c034b..ded3288 100644
  ')
  
  optional_policy(`
-@@ -473,6 +468,11 @@ optional_policy(`
+@@ -473,6 +470,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83153,7 +83487,7 @@ index 57c034b..ded3288 100644
  	lpd_exec_lpr(smbd_t)
  ')
  
-@@ -482,6 +482,10 @@ optional_policy(`
+@@ -482,6 +484,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -83164,7 +83498,7 @@ index 57c034b..ded3288 100644
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -493,9 +497,33 @@ optional_policy(`
+@@ -493,9 +499,33 @@ optional_policy(`
  	udev_read_db(smbd_t)
  ')
  
@@ -83199,7 +83533,7 @@ index 57c034b..ded3288 100644
  #
  
  dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +534,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +536,11 @@ allow nmbd_t self:msg { send receive };
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -83214,7 +83548,7 @@ index 57c034b..ded3288 100644
  
  manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
  manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +550,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +552,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  
  manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -83238,7 +83572,7 @@ index 57c034b..ded3288 100644
  
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +567,42 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +569,42 @@ kernel_read_network_state(nmbd_t)
  kernel_read_software_raid_state(nmbd_t)
  kernel_read_system_state(nmbd_t)
  
@@ -83305,7 +83639,7 @@ index 57c034b..ded3288 100644
  ')
  
  optional_policy(`
-@@ -600,19 +615,26 @@ optional_policy(`
+@@ -600,19 +617,26 @@ optional_policy(`
  
  ########################################
  #
@@ -83337,7 +83671,7 @@ index 57c034b..ded3288 100644
  samba_search_var(smbcontrol_t)
  samba_read_winbind_pid(smbcontrol_t)
  
-@@ -620,16 +642,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +644,12 @@ domain_use_interactive_fds(smbcontrol_t)
  
  dev_read_urand(smbcontrol_t)
  
@@ -83355,7 +83689,7 @@ index 57c034b..ded3288 100644
  
  optional_policy(`
  	ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +655,23 @@ optional_policy(`
+@@ -637,22 +657,23 @@ optional_policy(`
  
  ########################################
  #
@@ -83387,7 +83721,7 @@ index 57c034b..ded3288 100644
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
-@@ -661,26 +680,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +682,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
  files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
  
@@ -83423,7 +83757,7 @@ index 57c034b..ded3288 100644
  
  fs_getattr_cifs(smbmount_t)
  fs_mount_cifs(smbmount_t)
-@@ -692,58 +707,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +709,77 @@ fs_read_cifs_files(smbmount_t)
  storage_raw_read_fixed_disk(smbmount_t)
  storage_raw_write_fixed_disk(smbmount_t)
  
@@ -83515,7 +83849,7 @@ index 57c034b..ded3288 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +786,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +788,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
  manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
@@ -83539,7 +83873,7 @@ index 57c034b..ded3288 100644
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -770,36 +800,25 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +802,25 @@ kernel_read_network_state(swat_t)
  
  corecmd_search_bin(swat_t)
  
@@ -83582,7 +83916,7 @@ index 57c034b..ded3288 100644
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -811,10 +830,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +832,11 @@ logging_send_syslog_msg(swat_t)
  logging_send_audit_msgs(swat_t)
  logging_search_logs(swat_t)
  
@@ -83596,7 +83930,7 @@ index 57c034b..ded3288 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -834,16 +854,19 @@ optional_policy(`
+@@ -834,16 +856,19 @@ optional_policy(`
  #
  
  allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -83620,7 +83954,7 @@ index 57c034b..ded3288 100644
  
  allow winbind_t samba_etc_t:dir list_dir_perms;
  read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +876,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +878,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
  filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
  
  manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -83631,7 +83965,7 @@ index 57c034b..ded3288 100644
  manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
  
  manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +887,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -866,23 +889,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
  
  rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  
@@ -83661,7 +83995,7 @@ index 57c034b..ded3288 100644
  manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
  
  kernel_read_network_state(winbind_t)
-@@ -891,13 +910,17 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +912,17 @@ kernel_read_system_state(winbind_t)
  
  corecmd_exec_bin(winbind_t)
  
@@ -83682,7 +84016,7 @@ index 57c034b..ded3288 100644
  corenet_tcp_connect_smbd_port(winbind_t)
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +928,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +930,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
  
@@ -83693,7 +84027,7 @@ index 57c034b..ded3288 100644
  
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
-@@ -917,26 +936,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,26 +938,39 @@ auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
  auth_manage_cache(winbind_t)
  
@@ -83735,7 +84069,7 @@ index 57c034b..ded3288 100644
  ')
  
  optional_policy(`
-@@ -952,31 +984,29 @@ optional_policy(`
+@@ -952,31 +986,29 @@ optional_policy(`
  # Winbind helper local policy
  #
  
@@ -83773,7 +84107,7 @@ index 57c034b..ded3288 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -990,25 +1020,38 @@ optional_policy(`
+@@ -990,25 +1022,38 @@ optional_policy(`
  
  ########################################
  #
@@ -88692,7 +89026,7 @@ index 0000000..94105ee
 +')
 diff --git a/snapper.te b/snapper.te
 new file mode 100644
-index 0000000..838f907
+index 0000000..a299f53
 --- /dev/null
 +++ b/snapper.te
 @@ -0,0 +1,66 @@
@@ -88710,8 +89044,8 @@ index 0000000..838f907
 +type snapperd_log_t;
 +logging_log_file(snapperd_log_t)
 +
-+type snappperd_conf_t;
-+files_config_file(snappperd_conf_t)
++type snapperd_conf_t;
++files_config_file(snapperd_conf_t)
 +
 +type snapperd_data_t;
 +files_type(snapperd_data_t)
@@ -88904,7 +89238,7 @@ index 7a9cc9d..86cbca9 100644
  	init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/snmp.te b/snmp.te
-index 81864ce..4b6b771 100644
+index 81864ce..7408ed7 100644
 --- a/snmp.te
 +++ b/snmp.te
 @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
@@ -88987,6 +89321,14 @@ index 81864ce..4b6b771 100644
  ')
  
  optional_policy(`
+@@ -140,6 +146,7 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	mta_read_config(snmpd_t)
++    mta_read_aliases(snmpd_t)
+ 	mta_search_queue(snmpd_t)
+ ')
+ 
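Review bot: the added `mta_read_aliases(snmpd_t)` is indented with four spaces while the surrounding `mta_read_config`/`mta_search_queue` lines use a tab; use a tab to match the file. The grant itself is read-only on the aliases file, consistent with the "Allow snmp to read etc_aliases_t" changelog entry.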
 diff --git a/snort.if b/snort.if
 index 7d86b34..5f58180 100644
 --- a/snort.if
@@ -89850,7 +90192,7 @@ index 1499b0b..6950cab 100644
 -	spamassassin_role($2, $1)
  ')
 diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..d5d1214 100644
+index 4faa7e0..32f670e 100644
 --- a/spamassassin.te
 +++ b/spamassassin.te
 @@ -1,4 +1,4 @@
@@ -89929,7 +90271,7 @@ index 4faa7e0..d5d1214 100644
  type spamd_initrc_exec_t;
  init_script_file(spamd_initrc_exec_t)
  
-@@ -72,87 +39,198 @@ type spamd_log_t;
+@@ -72,87 +39,199 @@ type spamd_log_t;
  logging_log_file(spamd_log_t)
  
  type spamd_spool_t;
@@ -90133,6 +90475,7 @@ index 4faa7e0..d5d1214 100644
 +	userdom_manage_user_home_content_dirs(spamd_t)
 +	userdom_manage_user_home_content_files(spamd_t)
 +	userdom_manage_user_home_content_symlinks(spamd_t)
++	userdom_exec_user_bin_files(spamd_t)
  ')
  
 -tunable_policy(`use_samba_home_dirs',`
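Review bot: `userdom_exec_user_bin_files(spamd_t)` lets a system daemon execute binaries that users write into their own home directories; the line sits inside the same tunable block as the `userdom_manage_user_home_content_*` rules (the closing `')` follows it), so it is gated by that boolean, but the boolean's description should state that enabling it allows spamd to run user-controlled code. If the boolean is meant only for per-user Bayes/config data, a separate boolean for the exec grant would keep the two risks independent.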
@@ -90150,7 +90493,7 @@ index 4faa7e0..d5d1214 100644
  		nis_use_ypbind_uncond(spamassassin_t)
  	')
  ')
-@@ -160,6 +238,8 @@ optional_policy(`
+@@ -160,6 +239,8 @@ optional_policy(`
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -90159,7 +90502,7 @@ index 4faa7e0..d5d1214 100644
  ')
  
  ########################################
-@@ -167,72 +247,85 @@ optional_policy(`
+@@ -167,72 +248,85 @@ optional_policy(`
  # Client local policy
  #
  
@@ -90276,7 +90619,7 @@ index 4faa7e0..d5d1214 100644
  
  optional_policy(`
  	abrt_stream_connect(spamc_t)
-@@ -243,6 +336,7 @@ optional_policy(`
+@@ -243,6 +337,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90284,7 +90627,7 @@ index 4faa7e0..d5d1214 100644
  	evolution_stream_connect(spamc_t)
  ')
  
-@@ -251,52 +345,55 @@ optional_policy(`
+@@ -251,52 +346,55 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90365,7 +90708,7 @@ index 4faa7e0..d5d1214 100644
  logging_log_filetrans(spamd_t, spamd_log_t, file)
  
  manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +405,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +406,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
  files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
  
@@ -90375,7 +90718,7 @@ index 4faa7e0..d5d1214 100644
  manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
  
-@@ -317,12 +415,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +416,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
  files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
  
@@ -90391,7 +90734,7 @@ index 4faa7e0..d5d1214 100644
  corenet_all_recvfrom_netlabel(spamd_t)
  corenet_tcp_sendrecv_generic_if(spamd_t)
  corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +430,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +431,59 @@ corenet_udp_sendrecv_generic_node(spamd_t)
  corenet_tcp_sendrecv_all_ports(spamd_t)
  corenet_udp_sendrecv_all_ports(spamd_t)
  corenet_tcp_bind_generic_node(spamd_t)
@@ -90495,7 +90838,7 @@ index 4faa7e0..d5d1214 100644
  ')
  
  optional_policy(`
-@@ -421,21 +501,13 @@ optional_policy(`
+@@ -421,21 +502,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90519,7 +90862,7 @@ index 4faa7e0..d5d1214 100644
  ')
  
  optional_policy(`
-@@ -443,8 +515,8 @@ optional_policy(`
+@@ -443,8 +516,8 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90529,7 +90872,7 @@ index 4faa7e0..d5d1214 100644
  ')
  
  optional_policy(`
-@@ -455,7 +527,12 @@ optional_policy(`
+@@ -455,7 +528,12 @@ optional_policy(`
  optional_policy(`
  	razor_domtrans(spamd_t)
  	razor_read_lib_files(spamd_t)
@@ -90543,7 +90886,7 @@ index 4faa7e0..d5d1214 100644
  ')
  
  optional_policy(`
-@@ -463,9 +540,9 @@ optional_policy(`
+@@ -463,9 +541,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -90554,7 +90897,7 @@ index 4faa7e0..d5d1214 100644
  ')
  
  optional_policy(`
-@@ -474,32 +551,32 @@ optional_policy(`
+@@ -474,32 +552,32 @@ optional_policy(`
  
  ########################################
  #
@@ -90597,7 +90940,7 @@ index 4faa7e0..d5d1214 100644
  
  corecmd_exec_bin(spamd_update_t)
  corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +585,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t)
  
  domain_use_interactive_fds(spamd_update_t)
  
@@ -101471,19 +101814,21 @@ index 9ead775..b5285e7 100644
 +userdom_use_inherited_user_terminals(vlock_t)
 diff --git a/vmtools.fc b/vmtools.fc
 new file mode 100644
-index 0000000..5726cdb
+index 0000000..c5deffb
 --- /dev/null
 +++ b/vmtools.fc
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,5 @@
 +/usr/bin/vmtoolsd		--	gen_context(system_u:object_r:vmtools_exec_t,s0)
 +
++/usr/bin/vmware-user-suid-wrapper		--	gen_context(system_u:object_r:vmtools_helper_exec_t,s0)
++
 +/usr/lib/systemd/system/vmtoolsd.*		--	gen_context(system_u:object_r:vmtools_unit_file_t,s0)
 diff --git a/vmtools.if b/vmtools.if
 new file mode 100644
-index 0000000..044be2f
+index 0000000..7933d80
 --- /dev/null
 +++ b/vmtools.if
-@@ -0,0 +1,78 @@
+@@ -0,0 +1,122 @@
 +## <summary>VMware Tools daemon</summary>
 +
 +########################################
@@ -101504,6 +101849,50 @@ index 0000000..044be2f
 +	corecmd_search_bin($1)
 +	domtrans_pattern($1, vmtools_exec_t, vmtools_t)
 +')
++
++########################################
++## <summary>
++##	Execute vmtools in the vmtools domin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`vmtools_domtrans_helper',`
++	gen_require(`
++		type vmtools_helper_t, vmtools_helper_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t)
++')
++
++########################################
++## <summary>
++##	Execute vmtools helpers in the vmtools_heler domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the mozilla_plugin domain.
++##	</summary>
++## </param>
++#
++interface(`vmtools_run_helper',`
++	gen_require(`
++		attribute_role vmtools_helper_roles;
++	')
++
++    vmtools_domtrans_helper($1)
++	roleattribute $2 vmtools_helper_roles;
++')
++
 +########################################
 +## <summary>
 +##	Execute vmtools server in the vmtools domain.
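Review bot: the documentation of the two new interfaces is copy-pasted and wrong: the `vmtools_domtrans_helper` summary reads "Execute vmtools in the vmtools domin" (typo, and it should describe the vmtools_helper domain), the `vmtools_run_helper` summary says "vmtools_heler", and its `role` parameter says "The role to be allowed the mozilla_plugin domain" instead of the vmtools_helper domain. Also `    vmtools_domtrans_helper($1)` is indented with spaces while the next line uses a tab.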
@@ -101551,7 +101940,7 @@ index 0000000..044be2f
 +	ps_process_pattern($1, vmtools_t)
 +
 +	tunable_policy(`deny_ptrace',`',`
-+		allow $1 ninfod_t:process ptrace;
++		allow $1 vmtools_t:process ptrace;
 +	')
 +
 +	vmtools_systemctl($1)
@@ -101564,10 +101953,10 @@ index 0000000..044be2f
 +')
 diff --git a/vmtools.te b/vmtools.te
 new file mode 100644
-index 0000000..5549375
+index 0000000..b881c53
 --- /dev/null
 +++ b/vmtools.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,82 @@
 +policy_module(vmtools, 1.0.0)
 +
 +########################################
@@ -101575,9 +101964,19 @@ index 0000000..5549375
 +# Declarations
 +#
 +
++attribute_role vmtools_helper_roles;
++
++roleattribute system_r vmtools_helper_roles;
++
 +type vmtools_t;
 +type vmtools_exec_t;
 +init_daemon_domain(vmtools_t, vmtools_exec_t)
++role vmtools_helper_roles types vmtools_t;
++
++type vmtools_helper_t;
++type vmtools_helper_exec_t;
++application_domain(vmtools_helper_t, vmtools_helper_exec_t)
++role vmtools_helper_roles types vmtools_t;
 +
 +type vmtools_unit_file_t;
 +systemd_unit_file(vmtools_unit_file_t)
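Review bot: `role vmtools_helper_roles types vmtools_t;` appears twice; the second occurrence, placed right after the `vmtools_helper_t` declaration, was presumably meant to be `role vmtools_helper_roles types vmtools_helper_t;`. As written, roles added through `vmtools_run_helper` are never authorized for vmtools_helper_t, so the transition into the helper domain will fail the role/type check for any user role unless it is authorized elsewhere.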
@@ -101613,7 +102012,33 @@ index 0000000..5549375
 +
 +auth_use_nsswitch(vmtools_t)
 +
++#shutdown
++init_rw_utmp(vmtools_t)
++init_stream_connect(vmtools_t)
++init_telinit(vmtools_t)
++
 +logging_send_syslog_msg(vmtools_t)
++
++systemd_exec_systemctl(vmtools_t)
++
++sysnet_domtrans_ifconfig(vmtools_t)
++
++xserver_stream_connect_xdm(vmtools_t)
++xserver_stream_connect(vmtools_t)
++
++optional_policy(`
++    unconfined_domain(vmtools_t)
++')
++
++########################################
++#
++# vmtools-helper local policy
++#
++
++domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)
++can_exec(vmtools_helper_t, vmtools_helper_exec_t)
++
++userdom_stream_connect(vmtools_helper_t)
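Review bot: `unconfined_domain(vmtools_t)` combined with `domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t)` means a confined user role granted `vmtools_run_helper` reaches an unconfined domain in two transitions, which undoes the confinement of that user for anything launched via the helper. Either keep vmtools_t confined with the explicit rules already listed (init_telinit, systemd_exec_systemctl, sysnet_domtrans_ifconfig, xserver_stream_connect are all redundant while the unconfined module is loaded) or drop the helper-to-vmtools_t transition. Minor: `    unconfined_domain(vmtools_t)` uses spaces instead of a tab, and the `#shutdown` comment would be clearer as "# host shutdown requested by the hypervisor".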
 diff --git a/vmware.if b/vmware.if
 index 20a1fb2..470ea95 100644
 --- a/vmware.if
@@ -102021,6 +102446,28 @@ index 9329eae..824e86f 100644
 -optional_policy(`
 -	seutil_use_newrole_fds(vpnc_t)
 -')
+diff --git a/w3c.te b/w3c.te
+index bcb76b6..d3cf4a8 100644
+--- a/w3c.te
++++ b/w3c.te
+@@ -7,10 +7,17 @@ policy_module(w3c, 1.0.1)
+ 
+ apache_content_template(w3c_validator)
+ 
++type httpd_w3c_validator_tmp_t;
++files_tmp_file(httpd_w3c_validator_tmp_t)
++
+ ########################################
+ #
+ # Local policy
+ #
++manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
++manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t)
++files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir })
++
+ 
+ corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t)
+ corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t)
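Review bot: layout nit in the w3c.te hunk: the three `manage_*`/`files_tmp_filetrans` rules are glued directly under the `# Local policy` header, and the extra added blank line followed by the existing blank leaves two empty lines before `corenet_all_recvfrom_unlabeled`. Move the blank line so it separates the header from the new block and keep a single blank after it.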
 diff --git a/watchdog.fc b/watchdog.fc
 index eecd0e0..8df2e8c 100644
 --- a/watchdog.fc
@@ -104555,7 +105002,7 @@ index dd63de0..38ce620 100644
 -	admin_pattern($1, zabbix_tmpfs_t)
  ')
 diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..47847ad 100644
+index 46e4cd3..20fc1ba 100644
 --- a/zabbix.te
 +++ b/zabbix.te
 @@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3)
@@ -104760,7 +105207,7 @@ index 46e4cd3..47847ad 100644
  
  corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
  corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
-@@ -177,12 +181,11 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
+@@ -177,21 +181,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t)
  dev_getattr_all_blk_files(zabbix_agent_t)
  dev_getattr_all_chr_files(zabbix_agent_t)
  
@@ -104774,7 +105221,9 @@ index 46e4cd3..47847ad 100644
  
  fs_getattr_all_fs(zabbix_agent_t)
  
-@@ -190,8 +193,14 @@ init_read_utmp(zabbix_agent_t)
++auth_use_nsswitch(zabbix_agent_t)
++
+ init_read_utmp(zabbix_agent_t)
  
  logging_search_logs(zabbix_agent_t)
  
@@ -105614,7 +106063,7 @@ index 0000000..8c61505
 +/var/spool/zoneminder-upload(/.*)?	gen_context(system_u:object_r:zoneminder_spool_t,s0)
 diff --git a/zoneminder.if b/zoneminder.if
 new file mode 100644
-index 0000000..d02a6f4
+index 0000000..e0604c7
 --- /dev/null
 +++ b/zoneminder.if
 @@ -0,0 +1,374 @@
@@ -105827,7 +106276,7 @@ index 0000000..d02a6f4
 +#
 +interface(`zoneminder_manage_lib_sock_files',`
 +    gen_require(`
-+        type sock_var_lib_t;
++        type zoneminder_sock_var_lib_t;
 +    ')
 +    files_search_var_lib($1)
 +    manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
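Review bot: the `gen_require` of `zoneminder_manage_lib_sock_files` now lists `zoneminder_sock_var_lib_t`, but the pattern in the body still uses `zoneminder_var_lib_t`, so the required type is unused and the used type is not required. One side is wrong: either change the pattern to `manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_sock_var_lib_t)` (if the socket type is meant as the target) or require `zoneminder_var_lib_t` instead. The interface also uses four-space indentation where the rest of the policy uses tabs.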
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9b35494..17b87f4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.12.1
-Release: 125%{?dist}
+Release: 126%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -579,6 +579,63 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Feb 18 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-126
+- Add lvm_read_metadata()
+- Allow auditadm to search /var/log/audit dir
+- Add lvm_read_metadata() interface
+- Allow confined users to run vmtools helpers
+- Fix userdom_common_user_template()
+- Generic systemd unit scripts do write check on /
+- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files
+- Add additional fixes needed for init_t and setup script running in generic unit files
+- Allow general users to create packet_sockets
+- added connlcli port
+- Add init_manage_transient_unit() interface
+- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t
+- Fix userdomain.te to require passwd class
+- devicekit_power sends out a signal to all processes on the message bus when power is going down
+- Dontaudit rendom domains listing /proc and hittping system_map_t
+- Dontauit leaks of var_t into ifconfig_t
+- Allow domains that transition to ssh_t to manipulate its keyring
+- Define oracleasm_t as a device node
+- Change to handle /root as a symbolic link for os-tree
+- Allow sysadm_t to create packet_socket, also move some rules to attributes
+- Add label for openvswitch port
+- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label.
+- Allow postfix_local to read .forward in pcp lib files
+- Allow pegasus_openlmi_storage_t to read lvm metadata
+- Add additional fixes for pegasus_openlmi_storage_t
+- Allow bumblebee to manage debugfs
+- Make bumblebee as unconfined domain
+- Allow snmp to read etc_aliases_t
+- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem
+- Allow pegasus_openlmi_storage_t to read /proc/1/environ
+- Dontaudit read gconf files for cupsd_config_t
+- make vmtools as unconfined domain
+- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig.
+- Allow collectd_t to use a mysql database
+- Allow ipa-otpd to perform DNS name resolution
+- Added new policy for keepalived
+- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd
+- Add additional fixes new pscs-lite+polkit support
+- Add labeling for /run/krb5kdc
+- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20
+- Allow pcscd to read users proc info
+- Dontaudit smbd_t sending out random signuls
+- Add boolean to allow openshift domains to use nfs
+- Allow w3c_validator to create content in /tmp
+- zabbix_agent uses nsswitch
+- Allow procmail and dovecot to work together to deliver mail
+- Allow spamd to execute files in homedir if boolean turned on
+- Allow openvswitch to listen on port 6634
+- Add net_admin capability in collectd policy
+- Fixed snapperd policy
+- Fixed bugsfor pcp policy
+- Allow dbus_system_domains to be started by init
+- Fixed some interfaces
+- Add kerberos_keytab_domain attribute
+- Fix snapperd_conf_t def
+
 * Tue Feb 11 2014 Miroslav Grepl<mgrepl at redhat.com> 3.12.1-125
 - Addopt corenet rules for unbound-anchor to rpm_script_t
 - Allow runuser to send send audit messages.
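Review bot: the 3.12.1-126 changelog entry lists "Add lvm_read_metadata()" twice (first and third bullets); drop one. Several bullets carry typos worth fixing before the build ships: "rendom", "hittping", "Dontauit", "signuls", "shutdonw", "transitient", "pscs-lite", "bugsfor", and "/tmp.This" is missing a space.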

